Automation In Aircraft Can Kill, When It’s Not Saving Your Life, That Is
There are life-saving lessons for us light airplane flyers from the recent crash of a Boeing 737 Max. What they are and why we need to learn them, now.
In the aftermath of the crash in Indonesia of Lion Air Flight 610, pilots have been rightly concerned about what role a new and previously little-understood automated safety system might have played in the tragedy. The plane that crashed in late October was a brand-new Boeing 737 Max, and in preliminary reports, investigators pointed to failed sensors as a likely contributing cause of the crash. The pilots of the 737 seemed baffled by the behavior of the plane, which had experienced malfunctions on previous flights. In fact, airline mechanics had replaced sensor equipment the very day before the accident.
The outcome was horrific. After the pilots were unable to gain control of the jet after fighting for their lives for nearly the duration of the 11-minute flight, the jetliner crashed into the ocean from a clear blue sky. All 189 occupants perished in an accident that never should have happened.
Subscribe todayto Plane & Pilot magazine for industry news, reviews and much more delivered straight to you!
The leading theory behind why failed sensors could wreak such havoc is perhaps even more frightening. Unlike older 737s, the Max is equipped with a system called maneuvering characteristics augmentation system (MCAS), which is a form of envelope protection. Envelope protection is automation designed to prevent pilots from maneuvering the plane outside the normal operating envelope. With MCAS, the system will prevent loss of control of various kinds, including heading off aerodynamic stalls before they happen, pushing the nose down. It sounds simple enough, right?
But with malfunctioning sensors, the MCAS in the accident plane may have been working with bad information, and instead of preventing an accident, critics of the system say, it might have precipitated one.
How so? This is how the theory goes. If the MCAS, getting data from compromised sensors, thought the plane was slow, it would have attempted to lower the nose to prevent a stall, a stall that it was not really entering. While doing this, the plane descended ever lower and built speed---it was already going plenty fast enough---while the pilots continually attempted to override the system. That system, experts say, would have reengaged after a short delay every time, repeatedly lowering the nose and building speed.
On previous models of 737, pulling back on the control column, the most natural of reactions, would interrupt what surely seemed to the pilots like a runaway trim situation. With MCAS, this response would do nothing. Instead, the pilots, in order to fly the plane normally, needed to pull the MCAS circuit breakers and then retrim the control surface by using the manual stabilizer trim wheels. All signs indicate that the pilots did not do that and had had no special training in what response to make in such a dire circumstance.
Boeing says that the new procedures---to pull the MCAS breakers and then hand trim---were not specifically called out on the 737 Max because they were already contained in the aircraft's manuals and are consistent with previous techniques. I won't go into the specifics of this issue, as it is outside the scope of this piece, which is intended for pilots of Part 23 GA planes.
But suffice it to say that the pilots of Lion Air 610 were put in a tough spot, trying to fly an airplane while troubleshooting complex sensor and automation issues they were surprised by and poorly equipped to understand, let alone troubleshoot in the heat of battle.
Lessons To Learn
For all pilots who fly or will fly planes with cockpit automation, the bottom line is this: Automation can kill, when it's not saving your life, that is, so we need to know what the potential failure modes are on the airplanes we fly and how to overcome them!immediately.
Not many of us are ready to respond to such emergencies, as few of us have much training in using or managing flight control systems. Part of that is surely the fault of the system, and part of it is surely due to the rapid adoption of new, affordable and sophisticated digital avionics in light aircraft.
The FAA's practical test standards guidance for the instrument rating does a surprisingly good job of addressing automation. Pilots taking a check ride are expected to understand and be able to use the autopilot to intercept courses and conduct missed approaches. It should be noted, however, that nothing requires the use of an autopilot during the flight test or even for the examiner to ask about autopilots if one is not installed. Less is expected of pilots taking the private pilot check ride. The standards publication uses the word "autopilot" just once, and even then it is mentioned in passing when discussing systems that the pilot applicant might be tested on. The standards do require the applicant to demonstrate the use of automation, if it is installed, and it directs the examiner to cover this subject in both the ground and flight test portions of the check ride.
And pilots, like me, who did check rides before the new, improved practical test standards came out are likely to be even less well prepared. I recently posted a non-scientific survey of pilots and asked them a single question: Would they be able to, without referencing a manual or reading placards, be able to very quickly disable the electric trim in their airplane? Around 30 percent of them said that they could not. Now, bear in mind that this is the type of question that lends itself to false "yes" responses or to people declining to take part in the survey if the answer is embarrassing, and no pilot likes to admit that they are in the dark over how to respond to an emergency situation. Still, around 30 percent of the respondents said that they did not know how to disable their electric trim system. And I'm guessing that at least a few of the pilots who responded "yes" were practicing wishful thinking, hoping they'd know what to do in a trim runway situation and therefore taking credit for knowing. My guess is that around half of non-commercial pilots could disconnect the electric trim in their plane quickly. That might be a charitable assessment, too. And understanding and being able to address a runway trim problem is only part of the picture.
Understanding Trim
In an automation malfunction, it's likely that a plane's electric trim will transform from convenience to extreme hazard.
Before you imagine flying a plane that's out of trim, it's important to understand what trim is, and this is widely misunderstood. Many, perhaps most, pilots think of trim as being an airfoil adjustment, and it is. On most light planes the trim adjusts the elevator trim tab or stabilator. The reason the trim tab is located so far aft is simple physics. The farther back it is, the more leverage it has over the pitch. And at its greatest throw, the pitch trim has a powerful effect on the plane's attitude, so much so that it may be difficult or impossible to control the airplane at full trim deflection.
It's also important to understand the relationship between trim and airspeed. We think of trim as being an easing or balancing of flight controls to the conditions of flight, and it is that, in a sense. But a more accurate way to think of trim is as a speed setting. For every configuration and power setting, there's an airspeed at which the trim belongs, called, sensibly enough, the trim airspeed.
Most autopilots will automatically adjust this control surface to keep the controls trimmed up while the autopilot maneuvers the plane. Watch the trim wheel next time you go flying, and you can watch it at work. Increase the power a little while on autopilot in altitude hold mode, and watch the system trim the plane nose down. Reduce power, and it will trim nose up to maintain the selected trim speed.
This is all well and good, so long as things are working correctly. But when the airplane's trim system suddenly and without warning starts trimming nose up or nose down or if the autopilot suddenly drops a wingtip toward the ground, things aren't normal, and you need to respond.
Problem Areas
When it comes to small planes, the problems we can have with automation are chiefly from two places, the autopilot system and the trim system, and they're often closely related. They're also widely misunderstood. While this won't be an exhaustive discussion of either, I will offer some general tips on how to stay alive should you ever run up against one of these problems.
Trim issues are sometimes mechanical in nature, and they are almost always associated with electric trim. If you're flying a plane that goes into a runaway trim situation, you are in an immediate, life-threatening situation. What you need to do is immediately disable the autopilot and/or the trim. And as soon as you do, be prepared to fly an airplane that's badly out of trim. How bad will depend on how fast your system moves the trim and how fast you respond. If your airplane has manual trim in addition to the electric trim---most do---well, trim it up and go land somewhere now. If it doesn't have manual trim available, then get it back on the ground as safely as you can, but be prepared to fly an airplane that might be badly out of trim and possibly really hard to control, including to land.
There are three axes of trim, though many planes have just one, pitch trim. Many light GA planes, such as the Cessna 182, have rudder trim, as well, and some airplanes have aileron trim, too. Many high-performance planes have yaw dampers, which attempt to keep the ball centered while they're engaged and you're maneuvering. They're a form of always-on, automatic rudder trim.
A runaway trim or servo motor event can lead to trouble in any axis, though pitch trim and aileron (roll) trim departures are especially dangerous. Generally a roll departure from controlled flight happens as part of a mechanical failure of the autopilot system. An autopilot typically uses servos to control roll. To recover from a roll hardover, as it's called, the pilot needs to overpower the autopilot to maintain control while immediately disconnecting the autopilot. This has to be demonstrated within that same three-second threshold at less than 60 degrees of bank. So, in three seconds you might find yourself at just less than 60 degrees of bank---with the nose almost certainly dropping precipitously, up to 30 degrees nose up or down, by regulation. And that's within limits.
What To Do
Autopilots are designed to be able to be pushed on a bit, but while you're doing it, the automatic trim will be busy at work retrimming to try to win the battle with the human pushing---it doesn't know you're a human but thinks it's fighting against flight loads. While you can overpower most autopilots, in the end you won't win the war because you can't overpower the trim once it gets to its limit. And then, if the autopilot does kick off, you'll be left with an airplane that is borderline, if not completely unflyable, and who knows how fast or slow or at what angle of attack you'll find yourself by then. So it's important to respond quickly to keep things as well within limits as possible.
After you recover, at least with most light planes, you simply need to use the manual trim to set things straight. The Cessna 182, for instance, has a big, easily reachable trim wheel that many pilots use still even when their airplanes are equipped with electric trim. Even the big bad Cessna Caravan has a manual elevator trim wheel.
The Cirrus SR series airplanes, the SR22 and SR20, on the other hand, don't have manual trim at all. In fact, like some other light planes, they don't have aerodynamic trim. The trim switches activate a spring tension system. Essentially, the system is holding pressure on the control surface, and it's possible still to have the trim malfunction, and the checklist is easy. It includes the admonition to pull the breakers, but if you fly a Cirrus (or any airplane with a trim breaker), figure out exactly which one/s they are.
Turning It Off!
We know that at the first hint that you don't know what the autopilot is doing is, you need to turn it off, but in the case of Lion Air 610, it was clear the pilots were not up to that potentially lifesaving task. The good news is that the systems you fly are likely less complex and easier to manage than the one they found themselves fighting. Even so, you need to ask yourself, do you know how to do it?
There are usually several ways to accomplish this critical task, and they are specific to your plane. There's the autopilot power button on the controller, the red "autopilot disconnect" switch on the yoke or stick, the circuit breaker and possibly the trim switches, too, which in planes with autopilots and autotrim are made to disconnect the flight control system. All can do the trick, if they're functioning properly, that is. If one of those methods doesn't work, try the next one. But disconnect it and stop it from trimming against you. Right away. If in the process you bust altitude, then plead your case with the controller or even file a NASA report. But don't let the autotrim go to town on your airplane while you try to overpower it without turning it off, because that can be deadly.
In a story in Plane and Pilot more than a decade ago, our Peter Katz detailed an accident in a Beech 1900 twin turboprop commuter airliner in which the crew was on a repositioning flight just after maintenance and lost control of the plane shortly after takeoff from Barnstable Municipal Airport. It crashed into Cape Cod Bay, killing both pilots, who were the only occupants. The trim system had been installed incorrectly by the mechanics who had worked on it, the NTSB found, and the problem was exacerbated by an inaccurate drawing in the manufacturer's maintenance manual that they might have referenced. Also, the crew, the report noted, failed to run the pre-takeoff checks of the trim system. Even with all that, had the pilots deactivated the trim at the first sign of trouble, they still might have been able to save the day.
What do you do if the plane you're flying starts trimming itself? First, remember that this is a general discussion; you need to know your airplane's specific POH procedures, know them by heart, practice them and be able to do them without having to think about it. This story won't do that for you. You need to do it. Refer to your POH and ask an expert in your plane's systems if need be. But get it done.
In case of a crisis, there are some actions the pilot in command needs to take. At the first sign of a failure, you need to act. Be sure to verify that a trim runaway is really what's happening---quickly look for a movement of the indicator, which should take less than a second. Regardless, if in doubt, disconnect the trim as procedures stipulate for your plane. And remember that you need to account for the startle effect, eloquently described by many a pilot who've experienced an in-flight emergency and lived to tell about it as that one or two second yawning realization that something unexpected and possibly really unpleasant is happening.
More often than not, the cause of the problem isn't the system at all but the pilot. It's always a bad idea to try to hand-fly the plane while the autopilot is engaged, but it's also a natural mistake to make. So unlearn it. Remember: Whenever you're in doubt about what the autopilot is doing, disconnect it and hand-fly, something you should always be prepared to do during any phase of flight.
But, again, be prepared to retrim while you're recovering. The pilots in the accident airplane in the Cape Cod crash, the NTSB said in its report, were struggling against an estimated 250 pounds of control force.
While trim runaways can be deadly, for some reason the FAA has traditionally not required multiple, redundant disconnect methods for the trim, although they do for an autopilot. For small Part 23 airplanes, there's often only one way to stop a malfunctioning trim system: pulling the breaker. Turbine aircraft, in contrast, are generally outfitted with a split trim switch. The 1900D is so equipped. With such a switch, the pilot needs to activate both sides of the switch (which is actually two separate switches) at once for the trim to work. The benefit of this system is that in order to have a runaway trim, there would have to be two switches failing simultaneously, which reduces the likelihood of a runaway trim from low to extraordinarily improbable. It also allows the pilots to run a pre-takeoff check of the trim system to ensure that both sides of the switch are working as they should, including that the trim doesn't run when only one side is activated.
For most of the rest of us, pulling the breaker is the solution. Do you know which breaker you'd need to pull in your plane? If not, figure it out. Many owners use a colored circuit breaker identification collar to ease the task, something we recommend.
How Fast Is Acting Fast?
The question is, in the case of an accidental runaway trim, how much harm could it do in each configuration and phase of flight were it to run to the stop, and how long can we expect it to take for a properly training pilot to respond and recover from the event before it gets to the point of no return?
With some problems in the air, you might have a little time to think them through. These are not those problems. Diagnosing uncommanded control input problems and responding to them is not something you can afford to do at your leisure. For every second the problem persists, the less likely it is that you'll be able to recover from it.
With certificated airplanes, the calculus for how long you have to respond before it's too late has been done for you by the factory flight test engineers when the plane was going through FAA certification. Those test pilots precisely determined how much time the electric trim could run before it would put the plane in dire circumstances. Be aware that the threshold for a successful recovery is slim---the length of time granted the pilot to recognize the runaway and disable the trim motor is a mere 3 seconds. If that sounds like a long time, then consider that by around the time you've finished reading this sentence, time is up, and the trim runaway might be catastrophic.
Just in case, it's a good idea for pilots to get a feel for how their airplane behaves when it's out of trim in various flight configurations, so long as the flying is done with plenty of altitude to spare and while staying well within the flight envelope, so that if you find yourself flying an airplane out of trim, at least you've been there before.
Safer Through Design
Many homebuilders, regardless of what the kit designer calls for, choose to add a switch on the yoke to disconnect both the autopilot and the electric trim (or just the electric trim if the plane is not autopilot equipped). Many add a dedicated circuit breaker, as well. As with the use of multiple ways to disconnect an autopilot, having multiple, easy-to-get-at ways to cut power to the electrical trim makes sense, too. The idea is to make responding to these emergencies easy and quick.
And that seems be the thinking behind the design of Garmin's new GFC 500 and GFC 600 retrofit autopilots, the former of which I flight tested recently. The system design, I saw, makes recovery from trim or autopilot malfunctions simple, so long as you know what to do and what order to do it in. In the unlikely event that there's a trim or autopilot malfunction, the display that's linked with the system will annunciate the failure. The checklist, a memory item in the POH, calls for the pilot to grip the yoke firmly, press and hold the autopilot disconnect/trim interrupt button on the yoke, and then to pull the autopilot circuit breaker, keeping the disconnect button pressed until after the breaker is pulled. The procedure on the GFC600 is even simpler.
It was Garmin's GFC700 autopilot, part of thousands of factory-installed G1000 avionics suites, that inspired the creation of these two new retrofit autopilots. These innovations include built-in attitude sensors, self-check fault logic and the use of brushless motors, which because of their more sophisticated design compared to previous generation servo-motors, are immune to the major mechanical causes of hardover failures.
The new STEC 3100 retrofit autopilot system from Genesys Aerosystems also monitors autopilot malfunctions and will annunciate the failure and automatically disengage the autopilot, letting you know with visual and audible annunciations that it has done just that.
See more about these systems' envelope protection functions and learn about how difficult it is to disengaging them, in the accompanying story, How Safe Is Light Plane Envelope Protection?
As much convenience and safety as an autopilot can bring to our flying, it also also adds an element of risk that we need to understand thoroughly. The same is true for electric trim systems, which have been around for many decades. For you in your specific model of plane, the process for stopping trouble should it happen might be different from those we've described here, and if so, it might be more complicated and/or less intuitive.
Regardless, the underlying principles are the same, so understand them. Runaway trim or malfunctioning autopilots, or errors from their associated sensors, can kill. And the longer we wait to get things under control, the more dangerous our situation will become. So whatever the solution is for you in your airplane, know it by heart and be able to perform those lifesaving actions immediately. Such fast action might be the only thing that will save your life and the lives of everyone on board.
Subscribe to Our Newsletter
Get the latest Plane & Pilot Magazine stories delivered directly to your inbox