Why are on-board computers allowed to change controls without notifying the pilots?
$begingroup$
Recently we've had the 737-MAX debacle, where it increasingly appears that the MAX on-board MCAS system repeatedly would issue nose-down events, leading to the Lion Air crash, and possibly another
On the Lion Air flight, when the MCAS pushed the jet’s nose down, the captain pulled it back up, using thumb switches on the control column. Still operating under the false angle-of-attack reading, MCAS kicked in each time to swivel the horizontal tail and push the nose down again.
Apparently there is a notification light for MCAS that was an optional package but will now be required.
It reminds me of two other incidents that lead to crashes
Air France 447 A330 - A frozen pitot tube caused the computer to switch to Alternate Law 2, which meant that the computer would no longer prevent dangerous flight inputs. While not the same as the MCAS issue, it lead to confusion of the cockpit crew (who had been making maximum nose-up inputs while at TOGA power), and thus the plane crashed due to stall. It was noted that there was nothing direct to alert the pilots that the switch had occurred.
Scandanavian Air 751 MD81 - Ice accumulated on the wings. When the plane took off, the ice fell off, striking the engines. The pilots noted the engines were surging and reduced the throttle, but an auto-throttle system not disclosed to the pilots kept increasing power back to full, thus causing engine failure and a crash landing.
Has anyone ever stated why aircraft systems are allowed to make changes without notifying the pilots? Is it something that just hasn't been a large enough problem to address until now?
safety avionics autopilot
asked yesterday
MachavityMachavity
2,5432936
$endgroup$
|
show 1 more comment
$begingroup$
Recently we've had the 737-MAX debacle, where it increasingly appears that the MAX on-board MCAS system repeatedly would issue nose-down events, leading to the Lion Air crash, and possibly another
On the Lion Air flight, when the MCAS pushed the jet’s nose down, the captain pulled it back up, using thumb switches on the control column. Still operating under the false angle-of-attack reading, MCAS kicked in each time to swivel the horizontal tail and push the nose down again.
Apparently there is a notification light for MCAS that was an optional package but will now be required.
It reminds me of two other incidents that lead to crashes
Air France 447 A330 - A frozen pitot tube caused the computer to switch to Alternate Law 2, which meant that the computer would no longer prevent dangerous flight inputs. While not the same as the MCAS issue, it lead to confusion of the cockpit crew (who had been making maximum nose-up inputs while at TOGA power), and thus the plane crashed due to stall. It was noted that there was nothing direct to alert the pilots that the switch had occurred.
Scandanavian Air 751 MD81 - Ice accumulated on the wings. When the plane took off, the ice fell off, striking the engines. The pilots noted the engines were surging and reduced the throttle, but an auto-throttle system not disclosed to the pilots kept increasing power back to full, thus causing engine failure and a crash landing.
Has anyone ever stated why aircraft systems are allowed to make changes without notifying the pilots? Is it something that just hasn't been a large enough problem to address until now?
safety avionics autopilot
asked yesterday
MachavityMachavity
2,5432936
$endgroup$
18
$begingroup$
The AF447 flight had an alternate law indication available to the pilots, as well as many other (too many in fact) warnings that caused further confusion. In automation systems, the key is to present the appropriate information without overwhelming the operator with too many conflicting or confusing warnings. AF447 showed that a pilot in the face of too much information will ignore everything the system is telling them and fly with how they think the aircraft should be flown.
$endgroup$
– Ron Beyer
yesterday
5
$begingroup$
For most modern aircraft, it is a design feature that some intervention is invisible to pilots. The rudder has automatically made invisible small adjustments to maintain symmetrical flight and dampen yaw oscillations for at least half a century, and more modern aircraft alleviate turbulence or other small disturbance from trimmed flight without announcing this either, as that would quite quickly become a nuisance...
$endgroup$
– Cpt Reynolds
yesterday
10
$begingroup$
I guess the question to ask is rather not “why don’t all automatic inputs get announced” (as quite often that’s actually OK) but “why would anyone design an automatic that is associated with a risky edge of the flight envelope and then not tell crew about its existence” (because that’s not OK).
$endgroup$
– Cpt Reynolds
yesterday
1
$begingroup$
The problem is computer systems designed by people with a computer science background, rather than by people with a background in aviation. Computer scientists will add safety subroutines as a matter of course, lacking the necessary judgement of an experienced pilot, ignorant of the fact that information overload is bad for the pilot when reaction time is at a premium. Excessive application of safety systems hides the crucial warnings from the pilot, who may be unable to eliminate the unimportant ones in the available time. This is a design failure, and cannot be cured by pilot training.
$endgroup$
– Ed999
11 hours ago
5
$begingroup$
@Ed999 the requirements for the MCAS system would have come from someone with experience designing aviation systems. Plus, most people working in DO-178 driven projects are quite aware of the domain in which the software is running. Whether the indication of operation is provided to the pilot is a human factors decision, not one of software.
$endgroup$
– selectstriker2
5 hours ago
|
show 1 more comment
$begingroup$
Recently we've had the 737-MAX debacle, where it increasingly appears that the MAX on-board MCAS system repeatedly would issue nose-down events, leading to the Lion Air crash, and possibly another
On the Lion Air flight, when the MCAS pushed the jet’s nose down, the captain pulled it back up, using thumb switches on the control column. Still operating under the false angle-of-attack reading, MCAS kicked in each time to swivel the horizontal tail and push the nose down again.
Apparently there is a notification light for MCAS that was an optional package but will now be required.
It reminds me of two other incidents that lead to crashes
Air France 447 A330 - A frozen pitot tube caused the computer to switch to Alternate Law 2, which meant that the computer would no longer prevent dangerous flight inputs. While not the same as the MCAS issue, it lead to confusion of the cockpit crew (who had been making maximum nose-up inputs while at TOGA power), and thus the plane crashed due to stall. It was noted that there was nothing direct to alert the pilots that the switch had occurred.
Scandanavian Air 751 MD81 - Ice accumulated on the wings. When the plane took off, the ice fell off, striking the engines. The pilots noted the engines were surging and reduced the throttle, but an auto-throttle system not disclosed to the pilots kept increasing power back to full, thus causing engine failure and a crash landing.
Has anyone ever stated why aircraft systems are allowed to make changes without notifying the pilots? Is it something that just hasn't been a large enough problem to address until now?
safety avionics autopilot
asked yesterday
MachavityMachavity
2,5432936
$endgroup$
Recently we've had the 737-MAX debacle, where it increasingly appears that the MAX on-board MCAS system repeatedly would issue nose-down events, leading to the Lion Air crash, and possibly another
On the Lion Air flight, when the MCAS pushed the jet’s nose down, the captain pulled it back up, using thumb switches on the control column. Still operating under the false angle-of-attack reading, MCAS kicked in each time to swivel the horizontal tail and push the nose down again.
Apparently there is a notification light for MCAS that was an optional package but will now be required.
It reminds me of two other incidents that lead to crashes
Air France 447 A330 - A frozen pitot tube caused the computer to switch to Alternate Law 2, which meant that the computer would no longer prevent dangerous flight inputs. While not the same as the MCAS issue, it lead to confusion of the cockpit crew (who had been making maximum nose-up inputs while at TOGA power), and thus the plane crashed due to stall. It was noted that there was nothing direct to alert the pilots that the switch had occurred.
Scandanavian Air 751 MD81 - Ice accumulated on the wings. When the plane took off, the ice fell off, striking the engines. The pilots noted the engines were surging and reduced the throttle, but an auto-throttle system not disclosed to the pilots kept increasing power back to full, thus causing engine failure and a crash landing.
Has anyone ever stated why aircraft systems are allowed to make changes without notifying the pilots? Is it something that just hasn't been a large enough problem to address until now?
safety avionics autopilot
safety avionics autopilot
asked yesterday
MachavityMachavity
2,5432936
asked yesterday
MachavityMachavity
2,5432936
asked yesterday
MachavityMachavity
2,5432936
asked yesterday
MachavityMachavity
2,5432936
asked yesterday
MachavityMachavity
2,5432936
2,5432936
18
$begingroup$
The AF447 flight had an alternate law indication available to the pilots, as well as many other (too many in fact) warnings that caused further confusion. In automation systems, the key is to present the appropriate information without overwhelming the operator with too many conflicting or confusing warnings. AF447 showed that a pilot in the face of too much information will ignore everything the system is telling them and fly with how they think the aircraft should be flown.
$endgroup$
– Ron Beyer
yesterday
5
$begingroup$
For most modern aircraft, it is a design feature that some intervention is invisible to pilots. The rudder has automatically made invisible small adjustments to maintain symmetrical flight and dampen yaw oscillations for at least half a century, and more modern aircraft alleviate turbulence or other small disturbance from trimmed flight without announcing this either, as that would quite quickly become a nuisance...
$endgroup$
– Cpt Reynolds
yesterday
10
$begingroup$
I guess the question to ask is rather not “why don’t all automatic inputs get announced” (as quite often that’s actually OK) but “why would anyone design an automatic that is associated with a risky edge of the flight envelope and then not tell crew about its existence” (because that’s not OK).
$endgroup$
– Cpt Reynolds
yesterday
1
$begingroup$
The problem is computer systems designed by people with a computer science background, rather than by people with a background in aviation. Computer scientists will add safety subroutines as a matter of course, lacking the necessary judgement of an experienced pilot, ignorant of the fact that information overload is bad for the pilot when reaction time is at a premium. Excessive application of safety systems hides the crucial warnings from the pilot, who may be unable to eliminate the unimportant ones in the available time. This is a design failure, and cannot be cured by pilot training.
$endgroup$
– Ed999
11 hours ago
5
$begingroup$
@Ed999 the requirements for the MCAS system would have come from someone with experience designing aviation systems. Plus, most people working in DO-178 driven projects are quite aware of the domain in which the software is running. Whether the indication of operation is provided to the pilot is a human factors decision, not one of software.
$endgroup$
– selectstriker2
5 hours ago
|
show 1 more comment
18
$begingroup$
The AF447 flight had an alternate law indication available to the pilots, as well as many other (too many in fact) warnings that caused further confusion. In automation systems, the key is to present the appropriate information without overwhelming the operator with too many conflicting or confusing warnings. AF447 showed that a pilot in the face of too much information will ignore everything the system is telling them and fly with how they think the aircraft should be flown.
$endgroup$
– Ron Beyer
yesterday
5
$begingroup$
For most modern aircraft, it is a design feature that some intervention is invisible to pilots. The rudder has automatically made invisible small adjustments to maintain symmetrical flight and dampen yaw oscillations for at least half a century, and more modern aircraft alleviate turbulence or other small disturbance from trimmed flight without announcing this either, as that would quite quickly become a nuisance...
$endgroup$
– Cpt Reynolds
yesterday
10
$begingroup$
I guess the question to ask is rather not “why don’t all automatic inputs get announced” (as quite often that’s actually OK) but “why would anyone design an automatic that is associated with a risky edge of the flight envelope and then not tell crew about its existence” (because that’s not OK).
$endgroup$
– Cpt Reynolds
yesterday
1
$begingroup$
The problem is computer systems designed by people with a computer science background, rather than by people with a background in aviation. Computer scientists will add safety subroutines as a matter of course, lacking the necessary judgement of an experienced pilot, ignorant of the fact that information overload is bad for the pilot when reaction time is at a premium. Excessive application of safety systems hides the crucial warnings from the pilot, who may be unable to eliminate the unimportant ones in the available time. This is a design failure, and cannot be cured by pilot training.
$endgroup$
– Ed999
11 hours ago
5
$begingroup$
@Ed999 the requirements for the MCAS system would have come from someone with experience designing aviation systems. Plus, most people working in DO-178 driven projects are quite aware of the domain in which the software is running. Whether the indication of operation is provided to the pilot is a human factors decision, not one of software.
$endgroup$
– selectstriker2
5 hours ago
18
18
$begingroup$
The AF447 flight had an alternate law indication available to the pilots, as well as many other (too many in fact) warnings that caused further confusion. In automation systems, the key is to present the appropriate information without overwhelming the operator with too many conflicting or confusing warnings. AF447 showed that a pilot in the face of too much information will ignore everything the system is telling them and fly with how they think the aircraft should be flown.
$endgroup$
– Ron Beyer
yesterday
$begingroup$
The AF447 flight had an alternate law indication available to the pilots, as well as many other (too many in fact) warnings that caused further confusion. In automation systems, the key is to present the appropriate information without overwhelming the operator with too many conflicting or confusing warnings. AF447 showed that a pilot in the face of too much information will ignore everything the system is telling them and fly with how they think the aircraft should be flown.
$endgroup$
– Ron Beyer
yesterday
5
5
$begingroup$
For most modern aircraft, it is a design feature that some intervention is invisible to pilots. The rudder has automatically made invisible small adjustments to maintain symmetrical flight and dampen yaw oscillations for at least half a century, and more modern aircraft alleviate turbulence or other small disturbance from trimmed flight without announcing this either, as that would quite quickly become a nuisance...
$endgroup$
– Cpt Reynolds
yesterday
$begingroup$
For most modern aircraft, it is a design feature that some intervention is invisible to pilots. The rudder has automatically made invisible small adjustments to maintain symmetrical flight and dampen yaw oscillations for at least half a century, and more modern aircraft alleviate turbulence or other small disturbance from trimmed flight without announcing this either, as that would quite quickly become a nuisance...
$endgroup$
– Cpt Reynolds
yesterday
10
10
$begingroup$
I guess the question to ask is rather not “why don’t all automatic inputs get announced” (as quite often that’s actually OK) but “why would anyone design an automatic that is associated with a risky edge of the flight envelope and then not tell crew about its existence” (because that’s not OK).
$endgroup$
– Cpt Reynolds
yesterday
$begingroup$
I guess the question to ask is rather not “why don’t all automatic inputs get announced” (as quite often that’s actually OK) but “why would anyone design an automatic that is associated with a risky edge of the flight envelope and then not tell crew about its existence” (because that’s not OK).
$endgroup$
– Cpt Reynolds
yesterday
1
1
$begingroup$
The problem is computer systems designed by people with a computer science background, rather than by people with a background in aviation. Computer scientists will add safety subroutines as a matter of course, lacking the necessary judgement of an experienced pilot, ignorant of the fact that information overload is bad for the pilot when reaction time is at a premium. Excessive application of safety systems hides the crucial warnings from the pilot, who may be unable to eliminate the unimportant ones in the available time. This is a design failure, and cannot be cured by pilot training.
$endgroup$
– Ed999
11 hours ago
$begingroup$
The problem is computer systems designed by people with a computer science background, rather than by people with a background in aviation. Computer scientists will add safety subroutines as a matter of course, lacking the necessary judgement of an experienced pilot, ignorant of the fact that information overload is bad for the pilot when reaction time is at a premium. Excessive application of safety systems hides the crucial warnings from the pilot, who may be unable to eliminate the unimportant ones in the available time. This is a design failure, and cannot be cured by pilot training.
$endgroup$
– Ed999
11 hours ago
5
5
$begingroup$
@Ed999 the requirements for the MCAS system would have come from someone with experience designing aviation systems. Plus, most people working in DO-178 driven projects are quite aware of the domain in which the software is running. Whether the indication of operation is provided to the pilot is a human factors decision, not one of software.
$endgroup$
– selectstriker2
5 hours ago
$begingroup$
@Ed999 the requirements for the MCAS system would have come from someone with experience designing aviation systems. Plus, most people working in DO-178 driven projects are quite aware of the domain in which the software is running. Whether the indication of operation is provided to the pilot is a human factors decision, not one of software.
$endgroup$
– selectstriker2
5 hours ago
|
show 1 more comment
3 Answers
3
active
oldest
votes
$begingroup$
There is a general design principle, that some, but not all, of the behavior of the flight guidance system or autopilot should be visible to the pilot. Usually automatic engagement or disengagement of a control system is indicated, but sub-modes of these controls or manual changes might be unindicated. That sounds simple and logical, but in reality it's a complex and tricky human factors issue. Displaying too much information to the pilots is just as bad as displaying too little, as too much information can cause them to ignore the most important indicators, like a stick shaker warning about a impending stall.
I know this isn't a very satisfying answer, but it's hard for anyone other than a human factors expert to answer a very general question like this with hard-and-fast rules.
For example, many autopilots will skip the aural warning about disengagement if the disengagement was directly caused by a pilot action. The pilot in this situation only gets a visual indication that AP has changed behavior. This sounds perfect, but on Aeroflot Flight 593 a pilot let his child into the cockpit, who then applied enough pressure on the yoke to disengage the automatic aileron control. There was no warning chime because the disengagement was considered intentional by the autopilot. This was unlike previous planes the pilot had flown, which contributed to the pilot's confusion when the plane began to turn and then go into a sharp bank.
The indicator light you mention for the 737 Max Lion Air crash is for "AoA disagreement", not MCAS engagment as you suggest. While these kinds of AoA indicators are generally considered good ideas, it's still an area of debate how much they'd help confused pilots like in the Lion Air crash or the Air France 447 crash.
Similarly, the quality of indication was not the biggest cause to the accidents you've listed. For example, the Scandinavian Airlines Flight 751 could probably have returned to the airport successfully, but a compressor stall due to ice striking both engines at low altitudes is a bad situation no matter the auto-thrust behavior. Bad sensors and confused pilots can crash a plane with perfectly designed indicators.
Edit: since this answer is getting a lot of attention, I think it's important to note that I don't really cover any special considerations for the edge of the flight envelope, auto-trim vs auto-disengagement vs changing sub-modes, or idiot-proofing of flight systems. I'd love to see this covered in more detail by people with experience.
answered yesterday
Cody PCody P
4,4391442
$endgroup$
1
$begingroup$
That's a good point. Information overload is a very real problem.
$endgroup$
– Machavity
yesterday
3
$begingroup$
I seem to recall a deluge of contradictory and confusing system messages being an issue in Qantas 32. Thankfully, the pilots were able to work through that one and get the plane in the ground mostly in tact (aside from the bits that had blown off the engine and wing when the turbine disc exploded,) but I seem to recall hearing the pilots talk about how many superfluous system messages they had to wade through in order to get to the important information of "an engine blew up, another is uncontrollable, and there's a hole in the wing."
$endgroup$
– reirab
23 hours ago
6
$begingroup$
There’s an argument to be made for a flight engineer to wade through all of that stuff, but that stuff is there to replace the flight engineer in the first place. Go figure.
$endgroup$
– MikeY
21 hours ago
add a comment |
$begingroup$
There are two types of autopilots, one for the behaviour around the CoG and one for control of the CoG, as mentioned in this answer. Also sometimes called Inner Loop and Outer Loop. In short:
The F-16 is aerodynamically unstable and has a rapid control system that applies control surface deflections to provide artificial stability. This is done to make the aircraft extremely manoeuvrable. The pilot is deliberately kept unaware of all these rapid control deflections, to them it just appears as if the aircraft is stable. Inner Loop autopilots provide no feedback to the pilots, by design.
The automatic pilots that can be set in order to fly to a certain setpoint are Outer Loop control systems. By design, they do provide feedback to the pilot as to what they are doing, so that the pilot can feel and see what sort of inputs are given and can override them if they deem them to be incorrect. The A320 has no means to move the stick, so this feedback cue is unavailable and attention is demanded by alerts.
This article explains the design philosophy of the MCAS system: it was meant as an auto-stabilising feature in a flight state outside the normal envelope - the circumstances Inner Loop control is normally applied in.
So to answer your question: yes, some flight computers do change control surface deflection without notifying the pilots.
answered 12 hours ago
KoyovisKoyovis
28k675148
$endgroup$
add a comment |
$begingroup$
In the case of MCAS and the stabilizer control, there is "notification" that the stabilizers are being automatically adjusted in the form of the two wheels on either side of the thrust controls. They spin, have markings, and are very noisy, so the pilots could not have been unaware of them acting. The problem was that the pilots were (apparently) unaware of the possibility of turning off the automatic stabilizer inputs from MCAS and kept trying to manual override the MCAS/stabilizer adjustments. The switches to turn off the stabilizer inputs are right in front of the thrust controls on the co-pilot side.
answered yesterday
42-42-
1312
New contributor
42- is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
1
$begingroup$
They were also unaware of that specific trim function sponsored by MCAS which probably wasn’t particularly helpful in fault diagnosis.
$endgroup$
– Cpt Reynolds
yesterday
add a comment |
Your Answer
StackExchange.ifUsing("editor", function () {
return StackExchange.using("mathjaxEditing", function () {
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
});
});
}, "mathjax-editing");
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "528"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faviation.stackexchange.com%2fquestions%2f61605%2fwhy-are-on-board-computers-allowed-to-change-controls-without-notifying-the-pilo%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
There is a general design principle, that some, but not all, of the behavior of the flight guidance system or autopilot should be visible to the pilot. Usually automatic engagement or disengagement of a control system is indicated, but sub-modes of these controls or manual changes might be unindicated. That sounds simple and logical, but in reality it's a complex and tricky human factors issue. Displaying too much information to the pilots is just as bad as displaying too little, as too much information can cause them to ignore the most important indicators, like a stick shaker warning about a impending stall.
I know this isn't a very satisfying answer, but it's hard for anyone other than a human factors expert to answer a very general question like this with hard-and-fast rules.
For example, many autopilots will skip the aural warning about disengagement if the disengagement was directly caused by a pilot action. The pilot in this situation only gets a visual indication that AP has changed behavior. This sounds perfect, but on Aeroflot Flight 593 a pilot let his child into the cockpit, who then applied enough pressure on the yoke to disengage the automatic aileron control. There was no warning chime because the disengagement was considered intentional by the autopilot. This was unlike previous planes the pilot had flown, which contributed to the pilot's confusion when the plane began to turn and then go into a sharp bank.
The indicator light you mention for the 737 Max Lion Air crash is for "AoA disagreement", not MCAS engagment as you suggest. While these kinds of AoA indicators are generally considered good ideas, it's still an area of debate how much they'd help confused pilots like in the Lion Air crash or the Air France 447 crash.
Similarly, the quality of indication was not the biggest cause to the accidents you've listed. For example, the Scandinavian Airlines Flight 751 could probably have returned to the airport successfully, but a compressor stall due to ice striking both engines at low altitudes is a bad situation no matter the auto-thrust behavior. Bad sensors and confused pilots can crash a plane with perfectly designed indicators.
Edit: since this answer is getting a lot of attention, I think it's important to note that I don't really cover any special considerations for the edge of the flight envelope, auto-trim vs auto-disengagement vs changing sub-modes, or idiot-proofing of flight systems. I'd love to see this covered in more detail by people with experience.
answered yesterday
Cody PCody P
4,4391442
$endgroup$
1
$begingroup$
That's a good point. Information overload is a very real problem.
$endgroup$
– Machavity
yesterday
3
$begingroup$
I seem to recall a deluge of contradictory and confusing system messages being an issue in Qantas 32. Thankfully, the pilots were able to work through that one and get the plane in the ground mostly in tact (aside from the bits that had blown off the engine and wing when the turbine disc exploded,) but I seem to recall hearing the pilots talk about how many superfluous system messages they had to wade through in order to get to the important information of "an engine blew up, another is uncontrollable, and there's a hole in the wing."
$endgroup$
– reirab
23 hours ago
6
$begingroup$
There’s an argument to be made for a flight engineer to wade through all of that stuff, but that stuff is there to replace the flight engineer in the first place. Go figure.
$endgroup$
– MikeY
21 hours ago
add a comment |
$begingroup$
There is a general design principle, that some, but not all, of the behavior of the flight guidance system or autopilot should be visible to the pilot. Usually automatic engagement or disengagement of a control system is indicated, but sub-modes of these controls or manual changes might be unindicated. That sounds simple and logical, but in reality it's a complex and tricky human factors issue. Displaying too much information to the pilots is just as bad as displaying too little, as too much information can cause them to ignore the most important indicators, like a stick shaker warning about a impending stall.
I know this isn't a very satisfying answer, but it's hard for anyone other than a human factors expert to answer a very general question like this with hard-and-fast rules.
For example, many autopilots will skip the aural warning about disengagement if the disengagement was directly caused by a pilot action. The pilot in this situation only gets a visual indication that AP has changed behavior. This sounds perfect, but on Aeroflot Flight 593 a pilot let his child into the cockpit, who then applied enough pressure on the yoke to disengage the automatic aileron control. There was no warning chime because the disengagement was considered intentional by the autopilot. This was unlike previous planes the pilot had flown, which contributed to the pilot's confusion when the plane began to turn and then go into a sharp bank.
The indicator light you mention for the 737 Max Lion Air crash is for "AoA disagreement", not MCAS engagment as you suggest. While these kinds of AoA indicators are generally considered good ideas, it's still an area of debate how much they'd help confused pilots like in the Lion Air crash or the Air France 447 crash.
Similarly, the quality of indication was not the biggest cause to the accidents you've listed. For example, the Scandinavian Airlines Flight 751 could probably have returned to the airport successfully, but a compressor stall due to ice striking both engines at low altitudes is a bad situation no matter the auto-thrust behavior. Bad sensors and confused pilots can crash a plane with perfectly designed indicators.
Edit: since this answer is getting a lot of attention, I think it's important to note that I don't really cover any special considerations for the edge of the flight envelope, auto-trim vs auto-disengagement vs changing sub-modes, or idiot-proofing of flight systems. I'd love to see this covered in more detail by people with experience.
answered yesterday
Cody PCody P
4,4391442
$endgroup$
1
$begingroup$
That's a good point. Information overload is a very real problem.
$endgroup$
– Machavity
yesterday
3
$begingroup$
I seem to recall a deluge of contradictory and confusing system messages being an issue in Qantas 32. Thankfully, the pilots were able to work through that one and get the plane in the ground mostly in tact (aside from the bits that had blown off the engine and wing when the turbine disc exploded,) but I seem to recall hearing the pilots talk about how many superfluous system messages they had to wade through in order to get to the important information of "an engine blew up, another is uncontrollable, and there's a hole in the wing."
$endgroup$
– reirab
23 hours ago
6
$begingroup$
There’s an argument to be made for a flight engineer to wade through all of that stuff, but that stuff is there to replace the flight engineer in the first place. Go figure.
$endgroup$
– MikeY
21 hours ago
add a comment |
$begingroup$
There is a general design principle, that some, but not all, of the behavior of the flight guidance system or autopilot should be visible to the pilot. Usually automatic engagement or disengagement of a control system is indicated, but sub-modes of these controls or manual changes might be unindicated. That sounds simple and logical, but in reality it's a complex and tricky human factors issue. Displaying too much information to the pilots is just as bad as displaying too little, as too much information can cause them to ignore the most important indicators, like a stick shaker warning about a impending stall.
I know this isn't a very satisfying answer, but it's hard for anyone other than a human factors expert to answer a very general question like this with hard-and-fast rules.
For example, many autopilots will skip the aural warning about disengagement if the disengagement was directly caused by a pilot action. The pilot in this situation only gets a visual indication that AP has changed behavior. This sounds perfect, but on Aeroflot Flight 593 a pilot let his child into the cockpit, who then applied enough pressure on the yoke to disengage the automatic aileron control. There was no warning chime because the disengagement was considered intentional by the autopilot. This was unlike previous planes the pilot had flown, which contributed to the pilot's confusion when the plane began to turn and then go into a sharp bank.
The indicator light you mention for the 737 Max Lion Air crash is for "AoA disagreement", not MCAS engagment as you suggest. While these kinds of AoA indicators are generally considered good ideas, it's still an area of debate how much they'd help confused pilots like in the Lion Air crash or the Air France 447 crash.
Similarly, the quality of indication was not the biggest cause to the accidents you've listed. For example, the Scandinavian Airlines Flight 751 could probably have returned to the airport successfully, but a compressor stall due to ice striking both engines at low altitudes is a bad situation no matter the auto-thrust behavior. Bad sensors and confused pilots can crash a plane with perfectly designed indicators.
Edit: since this answer is getting a lot of attention, I think it's important to note that I don't really cover any special considerations for the edge of the flight envelope, auto-trim vs auto-disengagement vs changing sub-modes, or idiot-proofing of flight systems. I'd love to see this covered in more detail by people with experience.
answered yesterday
Cody PCody P
4,4391442
$endgroup$
There is a general design principle, that some, but not all, of the behavior of the flight guidance system or autopilot should be visible to the pilot. Usually automatic engagement or disengagement of a control system is indicated, but sub-modes of these controls or manual changes might be unindicated. That sounds simple and logical, but in reality it's a complex and tricky human factors issue. Displaying too much information to the pilots is just as bad as displaying too little, as too much information can cause them to ignore the most important indicators, like a stick shaker warning about a impending stall.
I know this isn't a very satisfying answer, but it's hard for anyone other than a human factors expert to answer a very general question like this with hard-and-fast rules.
For example, many autopilots will skip the aural warning about disengagement if the disengagement was directly caused by a pilot action. The pilot in this situation only gets a visual indication that AP has changed behavior. This sounds perfect, but on Aeroflot Flight 593 a pilot let his child into the cockpit, who then applied enough pressure on the yoke to disengage the automatic aileron control. There was no warning chime because the disengagement was considered intentional by the autopilot. This was unlike previous planes the pilot had flown, which contributed to the pilot's confusion when the plane began to turn and then go into a sharp bank.
The indicator light you mention for the 737 Max Lion Air crash is for "AoA disagreement", not MCAS engagment as you suggest. While these kinds of AoA indicators are generally considered good ideas, it's still an area of debate how much they'd help confused pilots like in the Lion Air crash or the Air France 447 crash.
Similarly, the quality of indication was not the biggest cause to the accidents you've listed. For example, the Scandinavian Airlines Flight 751 could probably have returned to the airport successfully, but a compressor stall due to ice striking both engines at low altitudes is a bad situation no matter the auto-thrust behavior. Bad sensors and confused pilots can crash a plane with perfectly designed indicators.
Edit: since this answer is getting a lot of attention, I think it's important to note that I don't really cover any special considerations for the edge of the flight envelope, auto-trim vs auto-disengagement vs changing sub-modes, or idiot-proofing of flight systems. I'd love to see this covered in more detail by people with experience.
answered yesterday
Cody PCody P
4,4391442
edited 19 hours ago
answered yesterday
Cody PCody P
4,4391442
answered yesterday
Cody PCody P
4,4391442
answered yesterday
Cody PCody P
4,4391442
4,4391442
1
$begingroup$
That's a good point. Information overload is a very real problem.
$endgroup$
– Machavity
yesterday
3
$begingroup$
I seem to recall a deluge of contradictory and confusing system messages being an issue in Qantas 32. Thankfully, the pilots were able to work through that one and get the plane in the ground mostly in tact (aside from the bits that had blown off the engine and wing when the turbine disc exploded,) but I seem to recall hearing the pilots talk about how many superfluous system messages they had to wade through in order to get to the important information of "an engine blew up, another is uncontrollable, and there's a hole in the wing."
$endgroup$
– reirab
23 hours ago
6
$begingroup$
There’s an argument to be made for a flight engineer to wade through all of that stuff, but that stuff is there to replace the flight engineer in the first place. Go figure.
$endgroup$
– MikeY
21 hours ago
add a comment |
1
$begingroup$
That's a good point. Information overload is a very real problem.
$endgroup$
– Machavity
yesterday
3
$begingroup$
I seem to recall a deluge of contradictory and confusing system messages being an issue in Qantas 32. Thankfully, the pilots were able to work through that one and get the plane in the ground mostly in tact (aside from the bits that had blown off the engine and wing when the turbine disc exploded,) but I seem to recall hearing the pilots talk about how many superfluous system messages they had to wade through in order to get to the important information of "an engine blew up, another is uncontrollable, and there's a hole in the wing."
$endgroup$
– reirab
23 hours ago
6
$begingroup$
There’s an argument to be made for a flight engineer to wade through all of that stuff, but that stuff is there to replace the flight engineer in the first place. Go figure.
$endgroup$
– MikeY
21 hours ago
1
1
$begingroup$
That's a good point. Information overload is a very real problem.
$endgroup$
– Machavity
yesterday
$begingroup$
That's a good point. Information overload is a very real problem.
$endgroup$
– Machavity
yesterday
3
3
$begingroup$
I seem to recall a deluge of contradictory and confusing system messages being an issue in Qantas 32. Thankfully, the pilots were able to work through that one and get the plane in the ground mostly in tact (aside from the bits that had blown off the engine and wing when the turbine disc exploded,) but I seem to recall hearing the pilots talk about how many superfluous system messages they had to wade through in order to get to the important information of "an engine blew up, another is uncontrollable, and there's a hole in the wing."
$endgroup$
– reirab
23 hours ago
$begingroup$
I seem to recall a deluge of contradictory and confusing system messages being an issue in Qantas 32. Thankfully, the pilots were able to work through that one and get the plane in the ground mostly in tact (aside from the bits that had blown off the engine and wing when the turbine disc exploded,) but I seem to recall hearing the pilots talk about how many superfluous system messages they had to wade through in order to get to the important information of "an engine blew up, another is uncontrollable, and there's a hole in the wing."
$endgroup$
– reirab
23 hours ago
6
6
$begingroup$
There’s an argument to be made for a flight engineer to wade through all of that stuff, but that stuff is there to replace the flight engineer in the first place. Go figure.
$endgroup$
– MikeY
21 hours ago
$begingroup$
There’s an argument to be made for a flight engineer to wade through all of that stuff, but that stuff is there to replace the flight engineer in the first place. Go figure.
$endgroup$
– MikeY
21 hours ago
add a comment |
$begingroup$
There are two types of autopilots, one for the behaviour around the CoG and one for control of the CoG, as mentioned in this answer. Also sometimes called Inner Loop and Outer Loop. In short:
The F-16 is aerodynamically unstable and has a rapid control system that applies control surface deflections to provide artificial stability. This is done to make the aircraft extremely manoeuvrable. The pilot is deliberately kept unaware of all these rapid control deflections, to them it just appears as if the aircraft is stable. Inner Loop autopilots provide no feedback to the pilots, by design.
The automatic pilots that can be set in order to fly to a certain setpoint are Outer Loop control systems. By design, they do provide feedback to the pilot as to what they are doing, so that the pilot can feel and see what sort of inputs are given and can override them if they deem them to be incorrect. The A320 has no means to move the stick, so this feedback cue is unavailable and attention is demanded by alerts.
This article explains the design philosophy of the MCAS system: it was meant as an auto-stabilising feature in a flight state outside the normal envelope - the circumstances Inner Loop control is normally applied in.
So to answer your question: yes, some flight computers do change control surface deflection without notifying the pilots.
answered 12 hours ago
KoyovisKoyovis
28k675148
$endgroup$
add a comment |
$begingroup$
There are two types of autopilots, one for the behaviour around the CoG and one for control of the CoG, as mentioned in this answer. Also sometimes called Inner Loop and Outer Loop. In short:
The F-16 is aerodynamically unstable and has a rapid control system that applies control surface deflections to provide artificial stability. This is done to make the aircraft extremely manoeuvrable. The pilot is deliberately kept unaware of all these rapid control deflections, to them it just appears as if the aircraft is stable. Inner Loop autopilots provide no feedback to the pilots, by design.
The automatic pilots that can be set in order to fly to a certain setpoint are Outer Loop control systems. By design, they do provide feedback to the pilot as to what they are doing, so that the pilot can feel and see what sort of inputs are given and can override them if they deem them to be incorrect. The A320 has no means to move the stick, so this feedback cue is unavailable and attention is demanded by alerts.
This article explains the design philosophy of the MCAS system: it was meant as an auto-stabilising feature in a flight state outside the normal envelope - the circumstances Inner Loop control is normally applied in.
So to answer your question: yes, some flight computers do change control surface deflection without notifying the pilots.
answered 12 hours ago
KoyovisKoyovis
28k675148
$endgroup$
add a comment |
$begingroup$
There are two types of autopilots, one for the behaviour around the CoG and one for control of the CoG, as mentioned in this answer. Also sometimes called Inner Loop and Outer Loop. In short:
The F-16 is aerodynamically unstable and has a rapid control system that applies control surface deflections to provide artificial stability. This is done to make the aircraft extremely manoeuvrable. The pilot is deliberately kept unaware of all these rapid control deflections, to them it just appears as if the aircraft is stable. Inner Loop autopilots provide no feedback to the pilots, by design.
The automatic pilots that can be set in order to fly to a certain setpoint are Outer Loop control systems. By design, they do provide feedback to the pilot as to what they are doing, so that the pilot can feel and see what sort of inputs are given and can override them if they deem them to be incorrect. The A320 has no means to move the stick, so this feedback cue is unavailable and attention is demanded by alerts.
This article explains the design philosophy of the MCAS system: it was meant as an auto-stabilising feature in a flight state outside the normal envelope - the circumstances Inner Loop control is normally applied in.
So to answer your question: yes, some flight computers do change control surface deflection without notifying the pilots.
answered 12 hours ago
KoyovisKoyovis
28k675148
$endgroup$
There are two types of autopilots, one for the behaviour around the CoG and one for control of the CoG, as mentioned in this answer. Also sometimes called Inner Loop and Outer Loop. In short:
The F-16 is aerodynamically unstable and has a rapid control system that applies control surface deflections to provide artificial stability. This is done to make the aircraft extremely manoeuvrable. The pilot is deliberately kept unaware of all these rapid control deflections, to them it just appears as if the aircraft is stable. Inner Loop autopilots provide no feedback to the pilots, by design.
The automatic pilots that can be set in order to fly to a certain setpoint are Outer Loop control systems. By design, they do provide feedback to the pilot as to what they are doing, so that the pilot can feel and see what sort of inputs are given and can override them if they deem them to be incorrect. The A320 has no means to move the stick, so this feedback cue is unavailable and attention is demanded by alerts.
This article explains the design philosophy of the MCAS system: it was meant as an auto-stabilising feature in a flight state outside the normal envelope - the circumstances Inner Loop control is normally applied in.
So to answer your question: yes, some flight computers do change control surface deflection without notifying the pilots.
answered 12 hours ago
KoyovisKoyovis
28k675148
answered 12 hours ago
KoyovisKoyovis
28k675148
answered 12 hours ago
KoyovisKoyovis
28k675148
answered 12 hours ago
KoyovisKoyovis
28k675148
28k675148
add a comment |
add a comment |
$begingroup$
In the case of MCAS and the stabilizer control, there is "notification" that the stabilizers are being automatically adjusted in the form of the two wheels on either side of the thrust controls. They spin, have markings, and are very noisy, so the pilots could not have been unaware of them acting. The problem was that the pilots were (apparently) unaware of the possibility of turning off the automatic stabilizer inputs from MCAS and kept trying to manual override the MCAS/stabilizer adjustments. The switches to turn off the stabilizer inputs are right in front of the thrust controls on the co-pilot side.
answered yesterday
42-42-
1312
New contributor
42- is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
1
$begingroup$
They were also unaware of that specific trim function sponsored by MCAS which probably wasn’t particularly helpful in fault diagnosis.
$endgroup$
– Cpt Reynolds
yesterday
add a comment |
$begingroup$
In the case of MCAS and the stabilizer control, there is "notification" that the stabilizers are being automatically adjusted in the form of the two wheels on either side of the thrust controls. They spin, have markings, and are very noisy, so the pilots could not have been unaware of them acting. The problem was that the pilots were (apparently) unaware of the possibility of turning off the automatic stabilizer inputs from MCAS and kept trying to manual override the MCAS/stabilizer adjustments. The switches to turn off the stabilizer inputs are right in front of the thrust controls on the co-pilot side.
answered yesterday
42-42-
1312
New contributor
42- is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
1
$begingroup$
They were also unaware of that specific trim function sponsored by MCAS which probably wasn’t particularly helpful in fault diagnosis.
$endgroup$
– Cpt Reynolds
yesterday
add a comment |
$begingroup$
In the case of MCAS and the stabilizer control, there is "notification" that the stabilizers are being automatically adjusted in the form of the two wheels on either side of the thrust controls. They spin, have markings, and are very noisy, so the pilots could not have been unaware of them acting. The problem was that the pilots were (apparently) unaware of the possibility of turning off the automatic stabilizer inputs from MCAS and kept trying to manual override the MCAS/stabilizer adjustments. The switches to turn off the stabilizer inputs are right in front of the thrust controls on the co-pilot side.
answered yesterday
42-42-
1312
New contributor
42- is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
In the case of MCAS and the stabilizer control, there is "notification" that the stabilizers are being automatically adjusted in the form of the two wheels on either side of the thrust controls. They spin, have markings, and are very noisy, so the pilots could not have been unaware of them acting. The problem was that the pilots were (apparently) unaware of the possibility of turning off the automatic stabilizer inputs from MCAS and kept trying to manual override the MCAS/stabilizer adjustments. The switches to turn off the stabilizer inputs are right in front of the thrust controls on the co-pilot side.
answered yesterday
42-42-
1312
New contributor
42- is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered yesterday
42-42-
1312
New contributor
42- is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered yesterday
42-42-
1312
answered yesterday
42-42-
1312
1312
New contributor
42- is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
42- is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
42- is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
1
$begingroup$
They were also unaware of that specific trim function sponsored by MCAS which probably wasn’t particularly helpful in fault diagnosis.
$endgroup$
– Cpt Reynolds
yesterday
add a comment |
1
$begingroup$
They were also unaware of that specific trim function sponsored by MCAS which probably wasn’t particularly helpful in fault diagnosis.
$endgroup$
– Cpt Reynolds
yesterday
1
1
$begingroup$
They were also unaware of that specific trim function sponsored by MCAS which probably wasn’t particularly helpful in fault diagnosis.
$endgroup$
– Cpt Reynolds
yesterday
$begingroup$
They were also unaware of that specific trim function sponsored by MCAS which probably wasn’t particularly helpful in fault diagnosis.
$endgroup$
– Cpt Reynolds
yesterday
add a comment |
Thanks for contributing an answer to Aviation Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faviation.stackexchange.com%2fquestions%2f61605%2fwhy-are-on-board-computers-allowed-to-change-controls-without-notifying-the-pilo%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
18
$begingroup$
The AF447 flight had an alternate law indication available to the pilots, as well as many other (too many in fact) warnings that caused further confusion. In automation systems, the key is to present the appropriate information without overwhelming the operator with too many conflicting or confusing warnings. AF447 showed that a pilot in the face of too much information will ignore everything the system is telling them and fly with how they think the aircraft should be flown.
$endgroup$
– Ron Beyer
yesterday
5
$begingroup$
For most modern aircraft, it is a design feature that some intervention is invisible to pilots. The rudder has automatically made invisible small adjustments to maintain symmetrical flight and dampen yaw oscillations for at least half a century, and more modern aircraft alleviate turbulence or other small disturbance from trimmed flight without announcing this either, as that would quite quickly become a nuisance...
$endgroup$
– Cpt Reynolds
yesterday
10
$begingroup$
I guess the question to ask is rather not “why don’t all automatic inputs get announced” (as quite often that’s actually OK) but “why would anyone design an automatic that is associated with a risky edge of the flight envelope and then not tell crew about its existence” (because that’s not OK).
$endgroup$
– Cpt Reynolds
yesterday
1
$begingroup$
The problem is computer systems designed by people with a computer science background, rather than by people with a background in aviation. Computer scientists will add safety subroutines as a matter of course, lacking the necessary judgement of an experienced pilot, ignorant of the fact that information overload is bad for the pilot when reaction time is at a premium. Excessive application of safety systems hides the crucial warnings from the pilot, who may be unable to eliminate the unimportant ones in the available time. This is a design failure, and cannot be cured by pilot training.
$endgroup$
– Ed999
11 hours ago
5
$begingroup$
@Ed999 the requirements for the MCAS system would have come from someone with experience designing aviation systems. Plus, most people working in DO-178 driven projects are quite aware of the domain in which the software is running. Whether the indication of operation is provided to the pilot is a human factors decision, not one of software.
$endgroup$
– selectstriker2
5 hours ago