PPRuNe Forums - View Single Post - Ethiopian airliner down in Africa
Old 17th Mar 2019, 22:43
#1823
TryingToLearn
 
Join Date: Mar 2019
Location: Bavaria
Since I'm working on car functional safety, I'm sometimes around here just to learn from accidents in aviation.

This story here is, if true, really a deviation from good practice and established safety standards on all levels.
The only persons I don't blame are the pilots. If a possible safety hazard is evaluated, there is always the parameter of controllability by the driver / pilot... But this is not 0% or 100%, it's statistics (high, medium, low...). Put one pilot/driver 10 times in the same unexpected situation and he will miss the solution once...
So the residual hazard is always the product of an already safe system and a good estimate of the controllability and training. One cannot design a crappy system and then rely on or blame the human problem-solving skill for everything that may happen. Especially if something is repeatedly doing something completely unexpected and useless without warning and gives the pilot a free bodybuilding exercise.
Since many pilots here claim this situation is quite controllable, I just ask myself: How many undocumented or disclosed events of this kind were there?

So despite the failures made in many, if not all aspects of functional safety:
-> Crappy design to avoid recertification (and therefore a flying museum on steroids instead of a state-of-the-art design in all aspects)
-> Basic aerodynamic design flaws
-> Impact analysis of all the changes done within the MAX development
-> Risk assessment for MCAS based on wrong values (0.6°)
-> Single sensor / single point fault
-> Sensor comparison sold for $$$ (wtf, imagine this in automotive: Yes, for only $500 extra a blocking rear axle on the highway would be detected by the gearbox and stopped...). Lawyers will love that one
-> Dependent failure analysis incomplete (reset, 5 seconds and there it goes again)
-> Configuration management (application boundaries, 0.6° vs. 2.5°)
-> Integration testing (was this error introduced in a test flight/sim and was the reaction controllable?). If, in automotive (ISO 26262), one relies on the controllability of a situation, one has to prove it on a test track with every model / release.
-> Safety case consistency (these 2.5° never found their way back into the risk assessment)
-> Training (MCAS what?)
-> Documentation
-> Assessor independence
-> Financial and time pressure

But still there is one open point to me:
500 airplanes shipped, maybe 250 days flying on average, 16 h a day -> 2,000,000 hours in the air
And already (at least) 2 defective sensors? -> 1,000 FIT???
That's the point where a car manufacturer would consider a recall for a non-safety-related part like seat heating. But such a critical part should have:
-> high-coverage measures such as 1oo2 / 2oo3 selection or at least comparison and safe state (no action / warning)
-> low-coverage measures like short/open/stuck detection
-> redundancy within the sensor (two potentiometers or other rotary sensors which are compared, again resulting in a high-coverage detection method and error signaling)
-> sufficient testing to do statistics that show <10 FIT, FMEDA...
-> FMEA, environmental tests, shaker... the whole program

In this case only one AoA vane was used and this one went into a critical fault without self-diagnosis. And furthermore something like 'frozen to stuck-at' can almost be excluded, or does the airplane see such high angles at startup and do the sensors typically freeze just after acceleration?

Someone wrote that the sensors were a carry-over part from the old model. Are ground crews always running around with a bunch of them in their pockets because they fail all over the place or freeze every second rainy day?
Maybe someone can give me a hint on what I'm missing here. Why are we talking about a highly critical part in aviation and it shows 1,000 undetected critical failures per billion hours? Even the squeeze protection of a car's power window lifter is far better!

The lives lost in these probably avoidable accidents are a shame and I feel for the relatives.
Since I consult OEM and Tier 1/2 automotive companies on critical safety functions, I do my best to get as many lessons learned out of this and transfer them into automotive.
I already sent out the great Seattle Times article to a lot of people; it helps me a lot in justifying the high effort and development costs of safety-related functions. I will keep this article on my computer and any time someone is claiming cost or development time or asks for some one-eye blindness, I just need this one link. It really covers everything one should NOT do.

Thanks a lot for all the research which gets collected here, this is really the best and most up-to-date place. The effort is not wasted but read by people who may be able to do it better next time in this or even different industries.
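The post above does its fleet-hour / FIT arithmetic by hand and asks for 1oo2 / 2oo3 sensor selection with a safe state. The following is an added example (not code from the post or from any aircraft or automotive system) that carries out the same FIT point estimate and shows what such a selection looks like: an out-of-range plausibility check as the low-coverage measure (open/short/stuck-at-rail), a two-sensor comparison that falls back to "no action / warn" on disagreement, and a three-sensor majority vote that isolates a single disagreeing channel. The fleet numbers are the post's own; the AoA range, the agreement tolerance and the sensor readings are constructed assumptions.

```python
"""Added example: FIT point estimate plus 1oo2 / 2oo3 selection logic.

Not code from the PPRuNe post or from any real aircraft or automotive
product. The fleet numbers are the post's; the plausibility range, the
agreement tolerance and the sensor readings are constructed assumptions.
"""
from itertools import combinations
from statistics import median


def fleet_hours(aircraft, days_flying, hours_per_day):
    """Total in-service hours, as the post computes them (500 * 250 * 16)."""
    return aircraft * days_flying * hours_per_day


def fit_rate(failures, hours):
    """Observed failure rate in FIT (failures per 1e9 device-hours).

    Point estimate only, as in the post: no confidence bound is applied and
    one flight hour is treated as one device-hour per aircraft (assumption,
    since a single vane per aircraft is assumed to be in the critical path).
    """
    if hours <= 0:
        raise ValueError("hours must be positive")
    return failures * 1e9 / hours


# Low-coverage measure: plausibility range. An open circuit, a short or a
# stuck-at-rail ADC value lands outside the physically sensible range.
# Assumed AoA range in degrees; a real system would take this from the spec.
AOA_MIN, AOA_MAX = -30.0, 60.0


def in_range(value):
    return AOA_MIN <= value <= AOA_MAX


def select_1oo2(a, b, tol):
    """Two-channel comparison with safe state.

    Returns the averaged value when both channels are plausible and agree
    within tol; returns None otherwise, meaning: take no automatic action and
    raise a warning instead of acting on a single unverified reading.
    """
    if not (in_range(a) and in_range(b)):
        return None
    if abs(a - b) > tol:
        return None
    return (a + b) / 2


def select_2oo3(readings, tol):
    """Three-channel majority vote.

    Returns (value, faulty_channels). value is the median of the channels
    that agree with at least one other plausible channel (for two channels
    the median is their mean); a channel that is out of range or agrees with
    nobody is reported as faulty. If fewer than two channels agree, value is
    None: no majority exists, so the safe state applies.
    """
    if len(readings) != 3:
        raise ValueError("2oo3 needs exactly three readings")
    plausible = [i for i, r in enumerate(readings) if in_range(r)]
    agreeing = set()
    for i, j in combinations(plausible, 2):
        if abs(readings[i] - readings[j]) <= tol:
            agreeing.update((i, j))
    faulty = sorted(set(range(3)) - agreeing)
    if len(agreeing) < 2:
        return None, faulty
    return median(readings[i] for i in sorted(agreeing)), faulty


if __name__ == "__main__":
    hours = fleet_hours(500, 250, 16)
    print(f"fleet hours: {hours:,}  -> {fit_rate(2, hours):.0f} FIT for 2 failures")
    # Constructed readings: two healthy channels near 10 deg, one runaway.
    print("1oo2 healthy:", select_1oo2(10.0, 10.5, tol=1.0))
    print("1oo2 disagree:", select_1oo2(10.0, 25.0, tol=1.0))
    print("2oo3 one runaway:", select_2oo3([10.0, 10.4, 25.0], tol=1.0))
    print("2oo3 open circuit:", select_2oo3([10.0, 999.0, 10.3], tol=1.0))
    print("2oo3 no majority:", select_2oo3([10.0, 30.0, 50.0], tol=1.0))
```

The design point the post makes is visible in the return values: a single-channel system has nothing to compare against, so a runaway reading is acted on; with 1oo2 the disagreement is detected but the system can only stop and warn; with 2oo3 it can both isolate the bad channel and keep operating on the agreeing pair.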