Volume

Once aircraft were designed to meet the certification requirements, now authorities struggle to keep their rules current with all the new inventions of industry incompatible with existing regulation...

Ian W

What is described is actually classic 'Automation Surprise' (What's it doing now?) that is followed by attentional (cognitive) tunneling as the human's mind grasps at straws to try to understand what is going on.
The suggestion that the machine tells the pilot what is happening is good- except that if there is not sufficient thought a small subsystem like AoA used by a LOT of systems can result in alert messages scrolling on displays all sorts of sounds and alerts and haptics like stick shakers and pushers -- all for just an AoA disagree. I think that there is a major human factors failure in modern aircraft where not sufficient thought has been given to the multiplicity of warnings that can come from a small event - and the warnings themselves create problems rather than assistance. There needs to be something like an Failure Modes Effects Analysis that flags up that at this point there are multiple separate warnings being displayed in various ways that will consume the entire cognitive resource of the pilot and not allow his primary AVIATE task any resource. This effect is often seen where something VERY obvious is disregarded as the pilot's cognitive resources are completely saturated.
Another aspect of the automation surprise is that the workload can literally explode from routine to overload in a second. This takes a lot of training to cope with and an MPL with less than 100 hours live flying is not going to be of any use in one of these incidents and indeed may panic and make extra work for the experienced pilot - effectively the aircraft is being flown by one pilot,

There will be a raft of lessons to be learned from these incidents. Let's hope that the beancounters learn them too. .

Alchad

New York Times has an article saying that Ethiopian Airways had a Max 8 simulator but the pilot of ET302 hadn't trained on it.

(not enough posts to past link)

safetypee

Tunkurman

Have you seen this 737 runaway stabilizer training on YouTube? OMG when that stab wheel is running there is not much time to react. Very scary. Look at the first officer trainee's reaction when the warning signals turn on and the plane dips. After seeing this I am so sad to see that these easy to access STAB TRIM switches could have saved both planes.

www.youtube.com/watch?v=3pPRuFHR1co

HarryMann

Another excellent post...
It horrifies me that this area has not been addressed more intelligently (cognitive overload) although QRMs and their glass screen equivalents do prioritise and stack incoming errors in (pre-ordained) importance
The serious incident of the Qantas A380 engine explosion damaging many systems, requiring up to 3 extra buddying crew (?) to work successively (and tirelessly) through many pages to get that back on the ground safely is a case in point, and perhaps it's incidents like these that should not only be studied more widely but become industry exemplars of CRM.

However, we must not forget Company Communication and Systems Training which will almost certainly here to be found wanting?

deltafox44

Ethiopian also said their 737 MAX full flight simulator is NOT designed to simulate MCAS problems. So it would not have changes anything if the pilot of ET302 had trained on it.

Maninthebar

That would be even worse then! You could train for x failure after take off and then when you ACTUALLY encounter x something quite different happens and the procedure you used successfully in the SIM winds up killing you.

Whose responsibility would the sim software be?

AndyJS

In some ways it reminds me of the way that the crew of Air France flight 447 ignored 75 stall warnings.

https://risk-engineering.org/concept/AF447-Rio-Paris

Ian W

While I understand the concern 'all' MCAS does is trim down - yes successively and yes intermittently. But the net effect is that the aircraft automatics for some reason are giving me aggressive nose down trim when I am VMC and can see I am at a reasonable speed with engines at normal power and reasonable pitch. NNC for 'runaway' trim says switch off Stab Trim with cut out switches. So do that. ALL I want to do is stop the (&(#%Q!!! trimming down the cut out switches do that - do I really say ahh but it isn't _runaway_ its just trimming down every few seconds??

It is obvious that the designers believed that any pilot with stab trim repeatedly trimming in a way that was hazardous would switch it off. It is apparent that some (even some on here) will not switch the stab trim off as the NNC says runaway and that's not runa.... etc etc. All the way to the ground. Perhaps if the NNC had said (for the pedants) "repeated or continuous uncommanded trimming in one direction" then the Max8 may still have been flying.

GarageYears

Ethiopian absolutely do NOT have a 737 MAX simulator. They may have access to one via Boeing Flight Services, who have four (4), and there is one other owned by Air Canada, but as far as Level D FFS that's it. There are no others currently certified and in operation.

- GY

infrequentflyer789

One wonders if this means that:

a) the sim doesn't include an erroneous MCAS failure scenario
b) the sim doesn't include any failure scenario that would trigger MCAS
c) the sim does not correctly model MCAS activation given e.g. an ADIRU failure or AOA failure
or
d) the sim does not implement MCAS at all, and therefore does not correctly model handling at high AOA

Is there actually any sim anywhere that you could train on for MCAS failures/ erroneous activation (outside of Boeing engineering sims) ?

GarageYears

I cannot say definitively, but the latest simulators generally use the SAME software load, delivered as a binary, as the aircraft.

Since MCAS is 'contained' within the FMC, I have no reason to doubt that MCAS would be implemented within the binary and therefore available to be trained.

However, whether there is a specific malfunction for "AOA sensor failed high" is another question. Somewhere I may have a malfunction list from a recent simulator, but that would take some time and effort to dig up.

However, be aware, there are only five (5) 737MAX FFS simulators in the world operating currently (4 with Boeing Flight Services and 1 with Air Canada).

- GY

P.S. And to be clear, Ethiopian DOES NOT own a 737MAX FFS simulator. See: https://www.ethiopianairlines.com/EA...aining-Schools

Ian W

It is precisely the same human factors problem. Overload a flight crew with a lot of warnings a real cognitive overload, and go from understimulated to overstimulated in a second a startle effect, followed by 'automation surprise' "what's it doing??"
I know that there are considerable efforts to check the warning systems that the crew have to deal with. However, if you start doing a parallel cognitive walkthrough of each set of task requirements for example following an NNC while aviating and reading the various instruments and hearing the alarms voice and sounds and dealing with the haptics like stick shakers and loads on control columns, while being shouted at by the other crew member, then it will immediately be apparent that some cognitive channels are overloaded. For example a simple non-stress test for you - read this post and at the same time recite a well known set of memory items and have someone tell you something. You will not be able to do all three because they all use the same 'verbal' reasoning 'cognitive channel' - it's why you have a sanitized flight deck on approach.

As with AF447, these two Max crashes should inform the future cockpit human factors and alarm development

BrandonSoMD

I think it's generally safe to assume that a full-flight Level D simulator uses at least a direct derivation from the FMC load. There are quite a few different 737 simulator models out there, built by numerous companies, and you would need to know the specifics of the simulator in question.

Some simulator manufacturers design "hardware in the loop" simulators running the actual flight-qualified aircraft FMC hardware (and hence the actual software binaries, loaded using aircraft-representative methdos). Some start with the binary software load, and run it through a software conversion to make it compatible with the simulator host computer. Some create simulations from scratch based upon the known operation of the aircraft, although that's uncommon on commercial full-flight simulators; it's much more common in the military simulation world.

Using flight-qualified software and hardware in a simulator can present some challenges, by the way. Aircraft FMC and navigation software generally doesn't like simulator freezes, resets, and repositions, which are common in training. If the FMC software doesn't provide "hooks" for telling it to play nice in a simulator, it can be necessary to simulate the software instead of implementing it directly. I've seen some pretty odd simulator behavior because the FMC didn't understand why it was suddenly 28,000 feet higher and 400 miles away from its last known position.

1_of_600

See earlier post: #1419 on this thread.

The (few) MAX simulators in existence have the capability to train for events that are defined in the QRH. If it ain't in the QRH, it ain't in the sim's list of malfunctions / trainable events. Period. This was by deliberate choice.

Does MCAS fault appear in the QRH? Fair bet that stab runaway does, but that's a different thing from successive 2.5 degree increments isn't it?

The software in the simulators comes from the same source as the QRH.
The simulator industry has also changed A LOT in the past several years.

GarageYears

Generally you are spot on here, except some considerable work has been done to support the use of aircraft code directly within flight simulators - particularly with the adoption of ARINC standard 610 (currently at RevC) "GUIDANCE FOR DESIGN OF AIRCRAFT EQUIPMENT AND SOFTWARE FOR USE IN TRAINING DEVICES"

The latest commercial simulators for 'new' aircraft all use the aircraft binaries - this is for multiple reasons including accuracy (but I also suspect protection of IP rights is high on the list, as is being able to charge $8 million for a data package from Boeing or Airbus, but that's a different discussion).

- GY

Smythe

The original MCAS was designed for 0.5 degree changes. Test pilots found out this did not work, and it was changed to the 2 cycles of 2.5 degrees.

5 degrees nose down, repeatedly, at lower altitudes is far more significant than stab runaway, and look at those effects. Wonder what the trim wheel revolution speeds are under MCAS...that has to be inspiring!

So, the flight testing showed the ac was inherently unstable in the test conditions. It would be very helpful to see what the conditions are that trigger the MCAS.

1_of_600

Also spot on, BUT. ...
These days, and for simulators representing Brand-B aircraft, starting with the MAX, it's not just the "aircraft binaries", it's the ENTIRE vehicle simulation INCLUDING malfunctions that is delivered to the sim manufacturers (essentially just integrators now) as a binary. To be fair, both Big Brands are now operating this way, Brand-A has been for several years already.

The "different story" as you put it is the main reason for this. You wanna train for Brand-X airplanes, you'll do it on a Brand-X sim, using Brand-X software, Brand-X training program in a Brand-X training centre. IP protection was the excuse used to launch the approach, but it's always been about the training $$$. Smaller manufactures are being Hoovered up rapidly to gain control of those markets too... Bombardier / Embraer. Wanna place bets about bizjets and helicopters for the future?

bsieker

Again, no. The aircraft is not, by any stretch of the imagination, "unstable", let alone "inherently unstable" (in what way is that different from "unstable"). It just does not provide enough adverse stick force to satisfy a very specific certification requirement. The situations in which this becomes relevant are rare, and should not normally be encountered in regular flight. However, if such a situation develops (high angle of attack), it is almost always in a high-workload situation, which is why the aircraft should make it harder for the pilot to venture further into the undesired flight regime, by increasing stick forces. If the aircraft does not do so to a sufficient degree by aerodynamic forces alone, it is quite common to add a little electronic assistance function to bring it back in line, and make it easier to handle, especially under stress.

The solution floated here, which may be close to the truth, seems to be to use both AoA values as inputs to MCAS (they are physically available anyway), and only to act if both values consistently read high, and close to each other. If they disagree sufficiently, MCAS will disable itself. When the probability of getting into a real high-AoA situation (where MCAS would actually be required) and getting an AoA disagree event at the same time (the result of which would be that MCAS were unavailable when needed) is shown to be sufficiently low, such a solution can be certified.

Since the failure mode has now been demonstrated to be of "catastrophic" severity, "sufficiently low" would be less than 1 in 10^9 flight hours),

Bernd