Ethiopian airliner down in Africa
ENTREPPRUNEUR
Join Date: Jun 2001
Location: The 60s
Posts: 567
Likes: 0
Received 0 Likes
on
0 Posts
Regardless of whether you're a pilot or not, surely the question that needs to be answered is simple: How is it remotely OK for Boeing (or any other manufacturer), to sell a passenger aircraft that needs software to correct an aerodynamic imbalance in the design of the aircraft (prone to pitching up)?
Several people have implied it's perfectly OK for fighters to be unstable but not airliners. I simply can't see the logic in this.
The ironic thing is Airbus take the opposite view - for the most part they take the model that the computers should be involved in all manoeuvring actions. As we know, a similar clash between computers and pilots on an A320 ( XL888T) caused a crash but everybody seems to accuse Boeing of inventing this kind of scenario.
It's a curious situation. There are lots of dodgy things about the Lion crash. The Ethiopian event has not yet - to my knowledge - been definitely attributed to an MCAS malfunction. I think we can all agree it would have been better if pilots had briefed about the potential failure behaviour of MCAS but this might simply have been an oversight on the part of Boeing rather than something cynical.
Join Date: Jan 2008
Location: Herts, UK
Posts: 748
Likes: 0
Received 0 Likes
on
0 Posts
Originally Posted by Biseker
Even the Comet (which predates the 707) had no aerodynamically created control forces, but fully powered flight control surfaces and only a spring-loaded artificial feel system.
Bernd
Edmund
Join Date: Dec 2006
Location: Florida and wherever my laptop is
Posts: 1,350
Likes: 0
Received 0 Likes
on
0 Posts
SLF here, but with a background in experimental physics dealing with personnel and equipment safety in large-scale, hazardous experimental situations.
Assuming that both 737 MAX crashes were the result (in large part) of faulty AOA probe data, then we already know, from sad experimental evidence, that relying on one probe is unacceptable. With 2 hull losses in N (? - not a terribly large number) flights of this aircraft, the reliability statistics are hardly at the flight-safety-critical level.
Having an "AOA disagree" warning or AOA readouts for pilots is not necessarily going to help. I suggest that as a minimum, with only two AOA probes (and that should be the minimum number), that MCAS should shut itself down in an AOA disagree situation (with notification to the pilots). The principle here is "primum non nocere". The aircraft is not going to have an upset just because MCAS is not there on these rare occasions.
Furthermore, if AOA data is going to be used in this way (possibly killing people if it is wrong), further sanity checks should be applied to the probe data (e.g., AOA pre-rotation on take-off, consistency with inertial and other air data, whatever).
MCAS as currently implemented seems like a horrid kluge to a non-pilot, but I'm inclined to believe, from what I've read here, that with better engineering (and not too drastic a change) the 737 MAX could be restored to safe service.
Assuming that both 737 MAX crashes were the result (in large part) of faulty AOA probe data, then we already know, from sad experimental evidence, that relying on one probe is unacceptable. With 2 hull losses in N (? - not a terribly large number) flights of this aircraft, the reliability statistics are hardly at the flight-safety-critical level.
Having an "AOA disagree" warning or AOA readouts for pilots is not necessarily going to help. I suggest that as a minimum, with only two AOA probes (and that should be the minimum number), that MCAS should shut itself down in an AOA disagree situation (with notification to the pilots). The principle here is "primum non nocere". The aircraft is not going to have an upset just because MCAS is not there on these rare occasions.
Furthermore, if AOA data is going to be used in this way (possibly killing people if it is wrong), further sanity checks should be applied to the probe data (e.g., AOA pre-rotation on take-off, consistency with inertial and other air data, whatever).
MCAS as currently implemented seems like a horrid kluge to a non-pilot, but I'm inclined to believe, from what I've read here, that with better engineering (and not too drastic a change) the 737 MAX could be restored to safe service.
Now that it is apparent that crews are not able to cope with some things unless well trained AND airlines are unwilling to pay for the training. I would expect that first officers are about to be automated out (is flying with HAL any worse than flying with a 25hour MPL?) and in some cases aircraft will become autonomous. Note that MCAS was only there because there was a regulatory concern that human pilots could mishandle the aircraft as the control column loads got lighter. MCAS does not operate with the autopilot controlling the aircraft as that is no safety concern.
Several articles in the media and statements by President Trump are that aircraft are too complicated. So are aircraft getting too complicated to fly? Or should that be that aircraft are getting too complicated for humans to fly?
In a world where there are unmanned jet aircraft operating from carriers and doing air-to-air refueling, flying a 737 is seen (rightly or wrongly) as a simple task to automate - yes even a Cat II landing in an on the limits blustery cross wind to a wet runway.
And before people ask: Yes I would fly as pax in an autonomous aircraft.
Join Date: Jul 2007
Location: Germany
Posts: 556
Likes: 0
Received 0 Likes
on
0 Posts
Bernd
P.S. my post is gone, I wonder why it was deemed irrelevant or bad or inappropriate or whatever. But I guess I'll never know. Just because I don't have an ATPL I cannot talk about certification criteria and risk assessment?
Last edited by bsieker; 22nd Mar 2019 at 12:39.
Join Date: Jul 2007
Location: Germany
Posts: 556
Likes: 0
Received 0 Likes
on
0 Posts
Several people have implied it's perfectly OK for fighters to be unstable but not airliners. I simply can't see the logic in this.
For fighters, maneuverability is supremely important, and maximum maneuverability can only be obtained with relaxed aerodynamic stability. That additional safety layer has been dispensed with in fighters to increase their effectiveness as machines of war. Military transport aircraft are as stable as civil airliners. Airliners might be made a bit more efficient by relaxed stability, but that tradeoff is not appropriate when carrying passengers for whom being killed is not part of the everyday risk.
The fighters, as flown by the pilots, are completely stable, it's just all computer-assisted. Unlike airliners, most modern fighter jets would literally break apart (depending on the speed) and fall out of the sky should all flight control computers fail (as would the B2, but the reason is the stealth-shape, which is much easier to obtain with relaxed stability). So if anything you'd want them to be more reliable than in aerodynamically stable transport aircraft (civil or otherwise).
The ironic thing is Airbus take the opposite view - for the most part they take the model that the computers should be involved in all manoeuvring actions. As we know, a similar clash between computers and pilots on an A320 ( XL888T) caused a crash but everybody seems to accuse Boeing of inventing this kind of scenario.
Also, the XL Airways Crash in Perpignan was very different. Yes, two faulty AoA sensors were a causal factor, but it crashed because the pilots deliberately stalled it at very low altitude, testing the protection system which they blindly believed would save them, but which wasn't working because of the frozen AoA sensors. It was overreliance on automation (and also poor planning and execution of flight tests), but it has nothing to do with computers fighting against humans or any such nonsense. Quite the opposite. It crashed because the computers were not able to save the pilots from themselves. Which a perfectly fine airplane would have done.
Bernd
Last edited by bsieker; 22nd Mar 2019 at 14:09. Reason: Minor typo.
Guest
Join Date: Apr 2009
Location: On the Beach
Posts: 3,336
Likes: 0
Received 0 Likes
on
0 Posts
Join Date: Dec 2007
Location: CARIBE
Posts: 51
Likes: 0
Received 0 Likes
on
0 Posts
I read a lot of Airbus Boeing finger pointing but I think in both one needs to understand the systems to fly. As hopefully everybody understands now how to disconnect the horizontal stab from it’s muscle I rest my case. It looks like basic understanding of airplane fundamentals still goes a long way even today and both crews should have never flown the airplane without it, assuming the Ethiopian plane had the same problem as the Lion air of course.
Join Date: Jan 2008
Location: Herts, UK
Posts: 748
Likes: 0
Received 0 Likes
on
0 Posts
I read a lot of Airbus Boeing finger pointing but I think in both one needs to understand the systems to fly. As hopefully everybody understands now how to disconnect the horizontal stab from it’s muscle I rest my case. It looks like basic understanding of airplane fundamentals still goes a long way even today and both crews should have never flown the airplane without it, assuming the Ethiopian plane had the same problem as the Lion air of course.
You're right, Harry, Boeing should have told the crews. "If you're out doing flaps up stalls in your MAX, you will get an intervention from MCAS. Also, if you get a continuous stick shaker on take off rotation & are stupid enough to accelerate, clean up the flaps, & try to continue the flight with the stick shaker, you MAY get a repeated intervention from MCAS 'cause it thinks the airplane is stalling".
Regardless of what manufacturer or operator is involved, the question for me is whether the fault tree analysis (or whatever process was used) and the subsequent sentencing of risk regarding 'system X' during its design and checkout provided sufficient evidence to the regulator that system X was safe to be fielded. And IF the regulator falls into the trap of regulatory capture (still to be determined...) or does not have the necessary resources to satisfy itself that the manufacturer's claims are accurate, then the regulator could and should be held to account. In a safety-critical environment it should never be possible for a manufacturer in any country to mark its own homework.
If you would like an example of how this situation can occur anywhere, take a look at the airworthiness failure that killed 14 UK servicemen in Afghanistan in 2006 - you can read the lawyer's analysis of the process failings here
Join Date: Dec 2006
Location: Florida and wherever my laptop is
Posts: 1,350
Likes: 0
Received 0 Likes
on
0 Posts
The FOC/Command Center/Network Manager would deal with that in the same way it currently does. If the UA was flying completely autonomously, then that kind of major weather system would be one of the use cases that it was designed to meet. There is research in hand with Decision Support Tools to provide just that kind of assistance to self-dispatching operators. Aircraft these days fly in a sea of usually discarded/disregarded information.
As we know, a similar clash between computers and pilots on an A320 ( XL888T) caused a crash but everybody seems to accuse Boeing of inventing this kind of scenario
Join Date: Nov 2007
Location: dublin
Posts: 2
Likes: 0
Received 0 Likes
on
0 Posts
Originally Posted by twistedenginestarter 
I was trained to fly over 50 years ago. That involved the Trident. It had a yaw damper - a computer system to counter the basic instability of the aeroplane. Aircraft that require computers are nothing new.
Yes indeed Twisted! But there is a massive difference between " needing" an augmentation system like a yaw damper or even MCAS (see below) , and having one to improve the handling. Yaw dampers and Stick pushers and perhaps even MCAS and things like that are usually put in to make the plane fly better in certain situations, but they are often not required for flight. To find out your consult the MEL (Min Equipment List) for the plane and see if it is allowed or not.
There are literally hundreds of systems and items on every plane that you are allowed to fly without depending on circumstances.
On most Boeings the yaw damper is fitted but not required. Even the 707 right up to the 747. You can dispatch with no yaw damper and continue to fly if it fails in flight. It just makes flying a bit easier if is working.
Don't know if MCAS is permitted by then 737-MAX MEL/DDM (permitted dispatch items) and that will come out. I wouldn't be surprised if it is permitted to be unserviceable at dispatch (prior to flight) if it is considered an enhancement rather than essential.
Can any MAX pilot out t here state whether the MEL covers MCAS please?
Yanrair
I was trained to fly over 50 years ago. That involved the Trident. It had a yaw damper - a computer system to counter the basic instability of the aeroplane. Aircraft that require computers are nothing new.
Yes indeed Twisted! But there is a massive difference between " needing" an augmentation system like a yaw damper or even MCAS (see below) , and having one to improve the handling. Yaw dampers and Stick pushers and perhaps even MCAS and things like that are usually put in to make the plane fly better in certain situations, but they are often not required for flight. To find out your consult the MEL (Min Equipment List) for the plane and see if it is allowed or not.
There are literally hundreds of systems and items on every plane that you are allowed to fly without depending on circumstances.
On most Boeings the yaw damper is fitted but not required. Even the 707 right up to the 747. You can dispatch with no yaw damper and continue to fly if it fails in flight. It just makes flying a bit easier if is working.
Don't know if MCAS is permitted by then 737-MAX MEL/DDM (permitted dispatch items) and that will come out. I wouldn't be surprised if it is permitted to be unserviceable at dispatch (prior to flight) if it is considered an enhancement rather than essential.
Can any MAX pilot out t here state whether the MEL covers MCAS please?
Yanrair
Join Date: Dec 2006
Location: Florida and wherever my laptop is
Posts: 1,350
Likes: 0
Received 0 Likes
on
0 Posts
That's fine efatnas, providing you know that those airplane fundamentals have changed... aren't we being told that communication and documentation from Boeing on MCAS was lacking or certainly insufficient .. considering this system messed in a previously unheard of way with the stabiliser trim ?
Just think if Boeing had suggested with the launch of the max that the NNC for 'Runaway Trim' was altered to 'Runaway or Repeated Trim'. The semantic specialists would have use the Cut Out switches and this thread would not be here.
SkyGod
Join Date: Aug 2000
Location: Palm Coast, Florida, USA
Age: 66
Posts: 1,534
Likes: 0
Received 0 Likes
on
0 Posts
Join Date: Jul 2007
Location: Germany
Posts: 556
Likes: 0
Received 0 Likes
on
0 Posts
I would expect that first officers are about to be automated out (is flying with HAL any worse than flying with a 25hour MPL?) and in some cases aircraft will become autonomous.
Note that MCAS was only there because there was a regulatory concern that human pilots could mishandle the aircraft as the control column loads got lighter. MCAS does not operate with the autopilot controlling the aircraft as that is no safety concern.
And before people ask: Yes I would fly as pax in an autonomous aircraft.
I don't think you've been paying much attention to (a) the abysmal state of autonomous system development. The short form is: even (or rather: especially) the best experts in the field (the safety engineering field, i. e., not the deep learning hubris field) don't know how to assure safety for those to any reasonable degree. We have no clue. To quote a presenter on a recent international system safety conference:
Developers: "Our autonomous system is 99% reliable!"
Safety Engineer: "Great! That's two nines. Only seven more to go!"
Safety Engineer: "Great! That's two nines. Only seven more to go!"
Bernd
That article is a complete load of rubbish. There is another article, even worse written by another American expert. The consensus is that all non American pilots are inexperienced and simply flying the plane solves the problem. Also, the second article goes on to say that the control column stab trim cut out is inhibited by MCAS but conveniently and lazily omits to mention that Boeing never gave any info to pilots how MCAS functions and ergo they would not know. Apparently there have been no incidents of MCAS malfunctioning in continental North America, anecdotally untrue. The inference that superior American piloting skills would have saved the day is objectionable and untrue. I have flown globally on 737s with American pilots and they are as good or the converse as any other nationality. I am fed up with reading drivel from presumably vested interests. This will be my only post on this matter. RIP to those on Ethiopian and Lionair.
olster, 10,000 hours cap / instructor etc on B737 variants if anyone is interested.
olster, 10,000 hours cap / instructor etc on B737 variants if anyone is interested.
Join Date: Nov 2007
Location: dublin
Posts: 2
Likes: 0
Received 0 Likes
on
0 Posts
Could not agree more IanW. Once we get into semantics it is game over for safety.
eg " I was beaten by the attacker continuously for 10 minutes". Doesn't matter whether the attacker paused for breath every now and again to beat me harder, it was still a continuous beating for 10 minutes and that is how for the last 40 years I have understood STAB activity that is not as expected or undesirable. If it moves and you don't know why OFF she goes. You can always turn it back on if you like.
eg " I was beaten by the attacker continuously for 10 minutes". Doesn't matter whether the attacker paused for breath every now and again to beat me harder, it was still a continuous beating for 10 minutes and that is how for the last 40 years I have understood STAB activity that is not as expected or undesirable. If it moves and you don't know why OFF she goes. You can always turn it back on if you like.
Join Date: Jan 2008
Location: uk
Posts: 861
Likes: 0
Received 0 Likes
on
0 Posts
I can't find any mention of MCAS or anything that might be MCAS renamed. Speed trim you can go without, mach trim, yaw damper, but not MCAS.
The second sentence here is only true if Boeing had realised that this could be the outcome of a single AOA source failure. If they had that knowledge and did nothing about it, then the courts will no doubt take that into account in due course because the failure to communicate it or manage the risk would indeed be seen as cynical. Please don't construe this as Boeing bashing - that would be as unhelpful as trying to shift responsibility to the perceived shortcomings of the two operators concerned. Play the ball rather than the man.
The Gulfstream IV, designed in the late 1980’s, has a stall warning and protection system called the “Stall Barrier”. A stick shaker that activates when sensed alpha is approaching the stall regime, and a stick pusher that activates when alpha increases even further. The pusher is required due to the dangers of deep stall in a t-tailed aircraft.
But - the stall computer does have provisions to anticipate sensor failure. The shaker can activate based on a high alpha reading from only one of the two AOA sensors, but the pusher will not activate unless BOTH AOA sensors are in agreement.
The stall warning system on the (relatively ancient) CRJ-200 is even more conservative when it comes to sensor-data sanity checking. The CRJ stall warning computer monitors the position of both AOA vanes. If there is any significant disagreement as to position, the stall warning system will deactivate with “STALL FAIL” amber CAS warning to alert the crew. In addition, the stall warning computer monitors airspeed from no fewer than FOUR discrete sources: the left and right primary air data computers, and two additional Mach/airspeed transducers. If any one of the four airspeed data sources differs from the other three by more than a few knots, the stall warning system will again vote itself out of service with the same “STALL FAIL” CAS message.
I assume that Bombardier engineers figured it was better to deactivate the stall warning system (after alerting the flight crew), than to have a situation where a false stall warning might be issued due to faulty air data when no stall actually exists.
This in an aircraft that first entered service over 20 years ago.
Though MCAS is not a stall warning/stall protection system per se, if it activates at the wrong point in the flight envelope, the results can be disastrous as the two crashes prove. Yet, unlike the conservative engineering principles shown by Gulfstream and Bombardier engineers, Boeing chose to make the system dependent on a single sensor - with no apparent thought as to the negative consequences that could ensue if that single sensor provided incorrect data. Even more appalling is the fact that in the original design, the MCAS would repeatedly reset and reactivate, winding in more and more nose-down trim, with no apparent knowledge of the current position of the HSTAB, or the number of previous activations.
These issues are allegedly addressed in the software update for the MCAS system, but how could such a flawed design have ever passed muster in the first place?
Join Date: Feb 2019
Location: shiny side up
Posts: 431
Likes: 0
Received 0 Likes
on
0 Posts
From the article regarding ASRS:
Below are all of the reports I could find that are related to possible runaway-trim problems with the new 737 Max
https://www.theatlantic.com/notes/20...amp;yptr=yahoo
also:
The MCAS function becomes active when the airplane Angle of Attack exceeds a threshold based on airspeed and altitude. Stabilizer incremental commands are limited to 2.5 degrees and are provided at a rate of 0.27 degrees per second. The magnitude of the stabilizer input is lower at high Mach number and greater at low Mach numbers. The function is reset once angle of attack falls below the Angle of Attack threshold or if manual stabilizer commands are provided by the flight crew. If the original elevated AOA condition persists, the MCAS function commands another incremental stabilizer nose down command according to current aircraft Mach number at actuation.
Below are all of the reports I could find that are related to possible runaway-trim problems with the new 737 Max
https://www.theatlantic.com/notes/20...amp;yptr=yahoo
also:
The MCAS function becomes active when the airplane Angle of Attack exceeds a threshold based on airspeed and altitude. Stabilizer incremental commands are limited to 2.5 degrees and are provided at a rate of 0.27 degrees per second. The magnitude of the stabilizer input is lower at high Mach number and greater at low Mach numbers. The function is reset once angle of attack falls below the Angle of Attack threshold or if manual stabilizer commands are provided by the flight crew. If the original elevated AOA condition persists, the MCAS function commands another incremental stabilizer nose down command according to current aircraft Mach number at actuation.
