PPRuNe Forums - View Single Post - Boeing 737 Max Software Fixes Due to Lion Air Crash Delayed
16th Feb 2019, 00:44
#75
jimtx
 
Originally Posted by fdr
Recently was asked about how this issue is going to play out re liability.

The B737 derivatives have had oddities in longitudinal stability that is required under 25.175. Early versions had issues with the flaps extended, the latest have issues with the flaps retracted. With an autopilot engaged, the issue doesn't exist, it is directly related to the acceptability of longitudinal stability (stickforce/g) which is a human in the loop problem.

The event is complicated by the cues provided and missing to the flight crew during the event. Individually, these issues would be reasonably simple to manage, however together, they would be pretty dynamic and potentially result in cognitive overload.

Stall warnings are disconcerting, but can be handled without too much effort by the crew when they are spurious. Even in a true stall, the aircraft is quite manageable, clean stall is not demanding unless the slats are rigged improperly, and even then, the roll is not particularly bad.

Adding random pitch control anomalies complicates the issue; alone, a change in stick force that is uncommanded is going to be resolved as coming from the stab trim fairly promptly, unless we believe that the elevators are undergoing random motion. Using Stab Trim Cutout is going to cure the control problem, or engaging the AP will do the same. All that takes cognitive capacity to process and action.

A momentary stall warning may not be recognised as erroneous immediately by a crew, but over some time, intermittent or continuous stall warning will be able to be determined to be erroneous by comparison to IAS, GS, ATT-PWR, AOA etc. Even background noise is an indicator of likelihood of an unaccelerated stall, as is buffet/vibration. Response to control is a significant cue, and it is this that is complicated in the Lion Air event. Having stall warning and a control non linearity is going to complicate crew analysis in real time. At some point the crew needs to recognise that the aircraft is not in fact stalling, and therefore the control issue is a symptom of the underlying fault, not the result of stall dynamics. In the Lion Air event, the crew flew for some time with the problem, which would itself suggest that sensing is the problem rather than having true stall conditions. The crew however did not get to the point of achieving awareness of the sensor issue before running out of control.

In the FCOM/FCTM/QRH, Boeing provides the minimum information to operate the aircraft, not the maximum; that is a position that the industry had devolved to and with the increased complexity of aircraft, it is not unreasonable.

The FAA develops in conjunction with the manufacturer the PSCP for major changes of the design, unless the process has been derogated to an ODA. The requirements of 25.672 are not onerous, 25.255 is not limiting, and 25.203 is not demanding on the B737. 25.207 is normally covered by natural buffet and the stall warning system, but erroneous warnings are a systems failure. The 25.173 & 175 requirements are compromised by the system failure, and it is probable that the pilot is confronted with a condition similar to non compliance with 25.181, which is going to increase workload and stress markedly. Overall, a system failure presents as a complex flight condition that is high stress and high workload to the flight crew. The certification matrix could have been more robust in the fault tree analysis, which may have resulted in better warning systems being proposed.

If the crew can break out of the control loop and think about the condition, they may get to the point of recognition, and then realise that a single sensor issue results in the warning and the flight control anomaly. To do that, it is not necessary to know how the system actually works, it is necessary to recognise that the aircraft is flying OK in the first instance, and that the rest of the problems are the result of a sensor problem. Once that is recognised, the crew will be able to look at dealing with the symptoms that are presenting, stall > sensor error, control > trim anomaly. At that point, stab trim is going to be highlighted for isolating.

Crew training remains the best solution to this family of problems, and it is not related only to Boeing or Asian operators (think AF447).

Fundamental problem is flight crew are human, and subject to varying response under stress, and exhibit varying degrees of situational awareness. Operators can reinforce training if they consider that appropriate, at a cost, to give the crew an increased likelihood of dealing with dynamic events that may lead to decisions in conditions of high stress. It is improbable that every possible scenario can be taught, the value comes in conditioning the crew to cope with the conditions they have to work under, so that they can determine their condition sufficiently to apply procedures. Humans are both the weakness and the strength of dynamic systems. The fact that no manufacturer to date has achieved a sensor system that doesn't result in the occasional wild ride speaks to the current state of the art. Peter Ladkin RISKS digest would speak to the likelihood that the manufacturers and regulators are going to have a perfect solution anytime soon. Personally, I suspect that the inherent flexibility of the human with appropriate training leading to rational NDM/RPDM heuristics is a best solution. To that end, the solution needs training departments to work on:
  • tactics to gain cognitive free time in dynamic events
  • SA training: recognition of loss of SA, tactics to recover SA
  • sufficient basic training to be able to have simplified RPDM solutions on hand to recover from events
All of the above is additional to the matrix box ticking that has resulted from the global direction of training, exacerbated by the introduction of, and hijacking of AQP. No single group is more or less at risk from this type of event, and fixing the sensor in this case doesn't fix the next vector that lurks in the darkness for the next crew.

Lion Air crew were faced with a complex set of symptoms, removing any one of these would have made a successful outcome more likely. Without dedicated training to deal with wild ride events like this, then the crew are victims of the state of the industry. Had they recognised the elevator trim involvement, then the outcome would have just been a tech log write up, but they are human, and the result of their training. Information from Boeing would not have made a difference in the event, unless it had covered stall warnings coincident with a trim issue from a sensor fault, which is unlikely, as is the FAA/ODA input into the design and compliance requirements recognising the consequences of the fault in all circumstances, it should have, but they are also human centric systems.
The Brazilian Certifying authority did, with Boeing's involvement, require MCAS training. What that training was would be interesting. I would assume somebody from GOL, a Max operator, would know what that was. If we find out we might know whether that type of training would have helped the Lion Air crew.