Two Boeing 737 Max 8 jets crashed within 6 months.1 Several basic facts have recently emerged, which prompted authorities to ground this new variant of the popular Boeing 737 airliner. While more investigations would be needed to identify the detailed causes of the deadly crashes, the several basic facts collected so far already permit a crude mural to be drawn up for the likely events that might have taken place in the cockpits of the Boeing 737 Max 8 jets right before they went down.
In order to see how a control system typically fails, one needs to understand the way a closed-loop system works and the inevitable hazard of oscillation. In laymen terms, any closed-loop system is prone to instability when the control efforts and the feeding of sensing signals fail to work in harmony. For instance, when you're listening to music while adjusting the volume of the speakers or airpods, you're controlling a closed-loop system. If you feel the sound being too loud, you attempt to turn the volume down. This is a typical feedback action, creating a closed loop. But if you react too slow and too drastic, the volume goes too far down, and after some delay the sound becomes too soft to be heard. Then, you would turn the volume up again, and if you do it a little too drastic, the volume gets too far up after a typical delay. Attempting to turn the volume down again repeats the process, and creates an oscillation. The situation for the Boeing 737 Max 8 crashes could be made more complicated by an apparent but "unintended" two-loop control.Facts
- The satellite track data of the Boeing 737 Max 8 crash last October in Indonesia and the crash earlier this month in Ethiopia consistently show typical oscillatory transients leading to the crashes.
- The pilots of both flights had struggled to save the aircrafts for a period of time before the aircrafts crashed.
Likely Events
First, the new automatic MCAS system (Maneuvering Characteristics Augmentation System) on the 737 Max 8 works on a typical feedback principle to prevent the jet from getting into a stall2. Basically, it senses the so-called angle-of-attack (AOA) and commands the aircraft's nose to dip down to prevent a potential stall. However, the operation of this new MCAS may not be clearly known or understood by the pilots who have flown the conventional Boeing 737 jet for many years and would do the nose control in the usual way.
The problem is that the 737 Max 8 allows the pilot to intervene while its MCAS works to fix the same problem, creating a double-loop control situation. The AOA signal causes both the pilot and the MCAS to react, but with different speed and effort (technically called closed-loop bandwidth and gain).
The nose control overshoots and AOA continues to feed signals back, and always with delays of different magnitudes (even different orders of magnitude as human and machine do react quite differently). This might create an oscillatory response, as revealed by the satellite track data, in which the aircraft repeatedly climbed and descended under the two separate (pilot's and MCAS's) control actions.
The Deadly Event
The two-loop continues to work and creates an oscillatory response. In theory, this is fine as long as every parameter remains constant, and the loop gains are controlled precisely to maintain sustained oscillation within a safe range! But multiple factors may cause something to happen in a fatal way.
- The human pilot, who is the controller of one of the loops, cannot repeat his action precisely every cycle even though all other parameters are perfectly constant.
- External factors like wind speed and direction may introduce disturbances to the system that cannot be reacted precisely by the human pilot, especially since sustained oscillation normally requires irregular control effort (technically called nonlinear gain control).
- The human pilot loses control and fails to follow the oscillatory pattern. In order for the aircraft to diverge its altitude, the gain and bandwidth of either loops must have drifted to the unstable region causing the aircraft to lose stability and eventually go down under the force of gravity.
The above description is a very general control scenario, often described in elementary control engineering texts. To know the exact causes, we need to fill in a lot more technical details, likely different sets of details in the two crashes, which can only be unfolded through examining the detailed flight data.
March 16, 2019
_____________________
1 Ethiopian Airlines, Lion Air crash linked by new evidence — New York Times (March 15, 2019)2 Stall — An aircraft normally flies horizontally, and may climb up or descend at an angle within a certain limit. When the aircraft goes too steep up, its wings no longer provide the needed upthrust and the aircraft continues to move up almost vertically and surely loses speed under gravity. It soon stops as it reaches a peak altitude, which is called a "stall", and then drops rapidly under gravity. After the stall, the engines are not powerful enough to restore normal flying given the heavy weight of the aircraft, and disaster is inevitable. Modern jets usually have sophisticated control systems to prevent a potential stall.