Ethiopian airliner down in Africa
Join Date: Oct 2007
Location: World
Posts: 496
Likes: 0
Received 0 Likes
on
0 Posts
Are you being serious? A faulty AOA vane instructs the flight control computers/stabilizer to pitch the nose down in both the Airbus and the Boeing events, overriding the pilots inputs and you fail to see the similarities. Do you work for Airbus by any chance or are you just being ignorant. In both causes software is attempting to prevent the stall.
So there is one big difference: Airbus AOA protection doesn't move the stabilizer at all: it acts on the elevators. It uses three AOA vanes with a voting system. While I am not saying at all that this implementation is the best can be built by the industry, I think it is way different from the path that Boeing has followed with MCAS
Plastic PPRuNer
Join Date: Sep 2000
Location: Cape Town
Posts: 1,899
Likes: 0
Received 0 Likes
on
0 Posts
Quote. "Totally agree, absolutely horrible placement of both AOA indicator and AOA disagree flag. Both should be adjacent to airspeed indicator."
And I can't say that having AOA DISAGREE displayed in dark-yellow (#C1994C) on khaki (#5E4300) is exactly attention-drawing...
Mac
And I can't say that having AOA DISAGREE displayed in dark-yellow (#C1994C) on khaki (#5E4300) is exactly attention-drawing...
Mac
Join Date: Dec 2015
Location: Cape Town, ZA
Age: 62
Posts: 424
Likes: 0
Received 0 Likes
on
0 Posts
If MCAS is so necessary because of the engine cowling moment in certain attitudes, wouldn't it be better to have a third AOA sensor to enable voting in the system. The bigger Boeing's and AB's have more than 2. The 737 is and is going to continue to be among the most numerous planes in the sky. Why not ensure it is as safe as them. I don't accept that saving a relatively small amount of money on a smaller airplane or quoting failures in the per billion hours is really valid when the larger planes have it, obviously for a good reason. There are far more 737's flying, far more takeoffs and landings making for just as much overall risk as the 777's and 787's (assuming more AOA's were provided for greater passenger capacity).
Trying to fix a faulty MCAS system by adding a third AOA sensor would not be a simple exercise. The necessary design, testing, certification, maintenance and type training changes could take years.
MCAS is not so vital that it justifies rewiring large parts of the aircraft. It only adresses a regulatory issue of pilot yoke elevator feedback in the high AOA part of the manual flight regime.
It is deeply ironic that the issue MCAS was designed to cater for was never flight critical, and might never have occurred during the lifetime of the aircraft. Instead the fix ended up killing hundreds of people.
Trying to fix a faulty MCAS system by adding a third AOA sensor would not be a simple exercise. The necessary design, testing, certification, maintenance and type training changes could take years.
MCAS is not so vital that it justifies rewiring large parts of the aircraft. It only adresses a regulatory issue of pilot yoke elevator feedback in the high AOA part of the manual flight regime.
It is deeply ironic that the issue MCAS was designed to cater for was never flight critical, and might never have occurred during the lifetime of the aircraft. Instead the fix ended up killing hundreds of people.
MCAS is not so vital that it justifies rewiring large parts of the aircraft. It only adresses a regulatory issue of pilot yoke elevator feedback in the high AOA part of the manual flight regime.
It is deeply ironic that the issue MCAS was designed to cater for was never flight critical, and might never have occurred during the lifetime of the aircraft. Instead the fix ended up killing hundreds of people.
Thats what the 737 MAX looks on statistics:
https://qz.com/1571820/deaths-on-the...cial-aircraft/
It is a great case for the industry to learn. And it is more about the decision making processes on all levels, than on a technical only analysis of this latent fault condition of the MCAS system. There is a reason that the FAA AIM has about 800 pages written mostly with blood.
Currently Boeing could have made the complete skin of the B737 MAX only from AoA vanes and would still be better off.
Join Date: Dec 2015
Location: Cape Town, ZA
Age: 62
Posts: 424
Likes: 0
Received 0 Likes
on
0 Posts
Are you serious? We have the year 2019 and not 1950. Customers expect a thorough analysis and solution to regain confidence and not an additional kludge.
Thats what the 737 MAX looks on statistics:
https://qz.com/1571820/deaths-on-the...cial-aircraft/
It is a great case for the industry to learn. And it is more about the decision making processes on all levels, than on a technical only analysis of this latent fault condition of the MCAS system. There is a reason that the FAA AIM has about 800 pages written mostly with blood.
Currently Boeing could have made the complete skin of the B737 MAX only from AoA vanes and would still be better off.
Thats what the 737 MAX looks on statistics:
https://qz.com/1571820/deaths-on-the...cial-aircraft/
It is a great case for the industry to learn. And it is more about the decision making processes on all levels, than on a technical only analysis of this latent fault condition of the MCAS system. There is a reason that the FAA AIM has about 800 pages written mostly with blood.
Currently Boeing could have made the complete skin of the B737 MAX only from AoA vanes and would still be better off.
I concur with your other comments, which are best directed at Boeing and the FAA. Being judgemental does not help solve this specific problem.
Last edited by GordonR_Cape; 31st Mar 2019 at 11:57. Reason: Clarify wording.
Join Date: Nov 2018
Location: Somerset
Posts: 11
Likes: 0
Received 0 Likes
on
0 Posts
Another issue often missed by software teams is the fact that with analogue sensors, any erratic indications are damped by the meters or are simply ignored by the crew. Converting the outputs of the sensors to digital format doesn’t ignore the noise in the signal and, with polling if the sensor, could lead to large discrepancies in signal used for the controls.
You simply must do thorough testing of flight safety critical systems including flight trials.
Inexcusable imho.
You simply must do thorough testing of flight safety critical systems including flight trials.
Inexcusable imho.
Join Date: Jan 2008
Location: Irvine, CA
Posts: 94
Likes: 0
Received 0 Likes
on
0 Posts
It would have prevented MCAS from activating in the first place. 346 people would still live. Two airplanes would still fly. And all the other 737 MAX would not have been grounded.
How can you come to the conclusion that it wouldn't have solved anything?
We know by now why Boeing did use only one sensor input: to save money, and keeping the reckless promise, that crews would need no expensive training to fly the plane except minutes with some slideshow on the iPad. In order to do so, they had to downgrade the risk as in case of malfunction not potentially catastrophic, and apparently they did so intentionally, and the FAA was partner in crime.
Join Date: Dec 2015
Location: Cape Town, ZA
Age: 62
Posts: 424
Likes: 0
Received 0 Likes
on
0 Posts
As far as I understand logic, a 3rd AoA would have allowed the system to run a software algorithm that votes an erroneous AoA sensor input out against the other two. That would have solved EVERYTHING in those two crashes, no?
It would have prevented MCAS from activating in the first place. 346 people would still live. Two airplanes would still fly. And all the other 737 MAX would not have been grounded.
How can you come to the conclusion that it wouldn't have solved anything?
We know by now why Boeing did use only one sensor input: to save money, and keeping the reckless promise, that crews would need no expensive training to fly the plane except minutes with some slideshow on the iPad. In order to do so, they had to downgrade the risk as in case of malfunction not potentially catastrophic, and apparently they did so intentionally, and the FAA was partner in crime.
It would have prevented MCAS from activating in the first place. 346 people would still live. Two airplanes would still fly. And all the other 737 MAX would not have been grounded.
How can you come to the conclusion that it wouldn't have solved anything?
We know by now why Boeing did use only one sensor input: to save money, and keeping the reckless promise, that crews would need no expensive training to fly the plane except minutes with some slideshow on the iPad. In order to do so, they had to downgrade the risk as in case of malfunction not potentially catastrophic, and apparently they did so intentionally, and the FAA was partner in crime.
As far as I understand logic, a 3rd AoA would have allowed the system to run a software algorithm that votes an erroneous AoA sensor input out against the other two. That would have solved EVERYTHING in those two crashes, no?
It would have prevented MCAS from activating in the first place. 346 people would still live. Two airplanes would still fly. And all the other 737 MAX would not have been grounded.
How can you come to the conclusion that it wouldn't have solved anything?
We know by now why Boeing did use only one sensor input: to save money, and keeping the reckless promise, that crews would need no expensive training to fly the plane except minutes with some slideshow on the iPad. In order to do so, they had to downgrade the risk as in case of malfunction not potentially catastrophic, and apparently they did so intentionally, and the FAA was partner in crime.
It would have prevented MCAS from activating in the first place. 346 people would still live. Two airplanes would still fly. And all the other 737 MAX would not have been grounded.
How can you come to the conclusion that it wouldn't have solved anything?
We know by now why Boeing did use only one sensor input: to save money, and keeping the reckless promise, that crews would need no expensive training to fly the plane except minutes with some slideshow on the iPad. In order to do so, they had to downgrade the risk as in case of malfunction not potentially catastrophic, and apparently they did so intentionally, and the FAA was partner in crime.
However a DUAL system, with a comparitor could well be the fix. If the AoA sensors disagree the MCAS is disabled and there is a flight deck warning of lack of stall warning, fly the airplane normally to destination then fix it ! Loss of stall warning is, frankly, no big deal for continuing the sector, as there has been an infinitely small number of stalls on commercial airliners.
A Boeing precedent was the rudder ratio system on the 75 and 76, my last aircraft. If we got a rudder ratio failure warning, we flew the airplane normally, being aware that coarse rudder inputs at high speed were to be avoided as fin overload could occur, ( they were never used anyway ! ) No sim training required to deal with that, just knowledge of the system.
In addition I believe the degree of travel of the stab. with MCAS, should be limited as a function of speed such that elevator input could overcome the MCAS commanded travel. After the RAF Valiant, my first 4 jet, tailplane runaway and crash in 1964 , we found we could overcome the runaway stab, just by max elevator input, just.
In addition perhaps the MCAS should be limited to one cycle ONLY. afer all, with the shaker and a single nose down push, just how much more stall warning does a trained crew require before initiating the classic recovery technique, lower the nose til the shaker, vibration and noise, or buffet stops, add power, gently roll wings level. Worked on every jet I have ever flown. Even on the T tailed VC 10 we did not have anything as aggressive as the MCAS system and a stall on a T tailed jet could be a lot more dangerous than on a 737.
Comment based on my Boeing experience of about 6000 command hours on the 737 200 and 300, inc as trainer, and 4000 on the 75 and 76, all brilliant aircraft.
Last edited by RetiredBA/BY; 31st Mar 2019 at 12:04.
Band-aid on a band-aid - that's the Boeing design philosophy of the Max. The AoA display makes little, if any, safety contribution to the flight deck (procedure wise) and the AOA disagree light even less. What is a pilot supposed to do when the AoA disagree light illuminates? Hit the trim switches? I wonder how often that light will illuminate, anyway. Probably often enough to get ignored.
Nah, pilots! What would they know?
Join Date: Nov 2008
Location: Somewhere
Posts: 10
Likes: 0
Received 0 Likes
on
0 Posts
The aircraft's computers received conflicting information from the three angle of attack sensors. The aircraft computer system’s programming logic had been designed to reject one sensor value if it deviated significantly from the other two sensor values. In this specific case, this programming logic led to the rejection of the correct value from the one operative angle of attack sensor, and to the acceptance of the two consistent, but wrong, values from the two inoperative angle of attack sensors.
As an example, on the Space shuttle, there were four identical computers which voted against each other in the case of discrepancy. However, there was a 5th computer (limited to ascent and reentry only) which was different hardware and different software in the event of something which had the same root cause in the software / hardware.
Join Date: Jan 2008
Location: Irvine, CA
Posts: 94
Likes: 0
Received 0 Likes
on
0 Posts
XL Airways Germany Flight 888T, quote below is from the wiki page:
Triplexing/Voting works on the assumption that a single failure is unlikely, and a failure that affects two parts simultaneously is therefore extremely unlikely. It does not take into account a single root cause failure (as in the XL airways incident) that affects two parts simultaneously.
Triplexing/Voting works on the assumption that a single failure is unlikely, and a failure that affects two parts simultaneously is therefore extremely unlikely. It does not take into account a single root cause failure (as in the XL airways incident) that affects two parts simultaneously.
Test flight with test pilots, intentionally stalling at 3,000' (instead of 10,000').
Two out of three AoA sensors frozen, due to water contamination from high pressure cleaning the aircraft for painting, two days previously.
Would it have been a flight with passengers, they wold not have stalled at 3,000' intentionally.
Join Date: Jan 2008
Location: Irvine, CA
Posts: 94
Likes: 0
Received 0 Likes
on
0 Posts
Airplanes are complex machines.
https://en.wikipedia.org/wiki/Qantas_Flight_72
http://www.atsb.gov.au/publications/...070_prelim.pdf
https://en.wikipedia.org/wiki/Naval_...Harold_E._Holt
Pegase Driver
Join Date: May 1997
Location: Europe
Age: 73
Posts: 3,556
Likes: 0
Received 0 Likes
on
0 Posts
Test flight with test pilots, intentionally stalling at 3,000' (instead of 10,000').
from the accident synopsis :
The primary cause of the accident was that the crew attempted an improvised test of the AOA warning system, not knowing that it was not functioning properly due to the inoperative sensors. They also disregarded the proper speed limits for the tests they were performing, resulting in a stall
Join Date: Mar 2019
Location: Bavaria
Posts: 17
Likes: 0
Received 0 Likes
on
0 Posts
Triplexing/Voting works on the assumption that a single failure is unlikely, and a failure that affects two parts simultaneously is therefore extremely unlikely. It does not take into account a single root cause failure (as in the XL airways incident) that affects two parts simultaneously.
As an example, on the Space shuttle, there were four identical computers which voted against each other in the case of discrepancy. However, there was a 5th computer (limited to ascent and reentry only) which was different hardware and different software in the event of something which had the same root cause in the software / hardware.
As an example, on the Space shuttle, there were four identical computers which voted against each other in the case of discrepancy. However, there was a 5th computer (limited to ascent and reentry only) which was different hardware and different software in the event of something which had the same root cause in the software / hardware.
Redundancy is a measure against random faults. Diversity is a measure against systematic faults.
A stone-age sensor which is working perfectly on one type of aircraft (thousands of planes for decades) is now mounted on a modified type and the fault rate went up drastically (350 planes, maybe 500 flights each, 6 failures). Or does every old 737 gets new AoA sensors every year because they fail that often?
How can you explain that with statistics?
I would assume that this cannot be explained without a systematic failure (wrong design, production failure) that leads to this drastic increase in failure probability. Especially since the failure mode is always the same in time (before flight) and even magnitude (22.5°).
So how can you now prevent that by redundancy (2 out of 2)? The actual statistics lead to an error every 3000 flights, so even if both sides are independent there is a double fault at least every 850 million flights. With the airplanes ordered that's every 20 years. But since systematic faults may tamper reliability in an unknown way, this calculation is very optimistic...
Limiting the capabilities of MCAS is the bandaid (less trim only once), comparing the sensors is just a gimmick.
And claiming to fix something with a systematic failure without identifying it is...
Oh, and as a safety consultant working at ASIL D (highest automotive level safety) inductive resolvers I can only imagine 2 failure modes which cause such a deviation if usual diagnostics are in place (vector length check, range check...):
a) Electromagnetic interference 'locked' the driving coil resonator on the EMI frequency and is also received by the receiver coils, being then demodulated on the sin/cos output (maybe from the new engines / engine electrical generators...)
b) If the resolver is made with +-45 mechanical deg angle range (360° electrical equal 90° mechanical) and the software is running on a stone-age 80286 without sin/cos coprocessor, an error in table-based sin/cos calculation would exactly result in 90° electrical / 22.5° mechanical angle deviation. Such tables only contain one quadrant of sin/cos and then just switch signs to get the other three.
btw: For the highest automotive safety level you use 2oo2 with a very strict analysis of production / design common cause errors and dependent failure analysis or even 2oo2 on different sensors from different fabs. But to be fair: randomly blocking tires at 100mph is even less controllable than MCAS, therefore it is not completely comparable.
Join Date: Mar 2014
Location: Toronto
Age: 69
Posts: 41
Likes: 0
Received 0 Likes
on
0 Posts
We all know about the negative effect of a strong cockpit gradient.
Could a plane-to-pilot gradient be a factor in Indonesia and Ethiopia? American pilots would have no trouble treating a persistent intermittent auto-trim as a "runaway". Foreign-speaking pilots might be more respectful of a sophisticated American airplane, and more wary about breaching the conditions for a NNC.
Could a plane-to-pilot gradient be a factor in Indonesia and Ethiopia? American pilots would have no trouble treating a persistent intermittent auto-trim as a "runaway". Foreign-speaking pilots might be more respectful of a sophisticated American airplane, and more wary about breaching the conditions for a NNC.
Join Date: Dec 2015
Location: Cape Town, ZA
Age: 62
Posts: 424
Likes: 0
Received 0 Likes
on
0 Posts
We all know about the negative effect of a strong cockpit gradient.
Could a plane-to-pilot gradient be a factor in Indonesia and Ethiopia? American pilots would have no trouble treating a persistent intermittent auto-trim as a "runaway". Foreign-speaking pilots might be more respectful of a sophisticated American airplane, and more wary about breaching the conditions for a NNC.
Could a plane-to-pilot gradient be a factor in Indonesia and Ethiopia? American pilots would have no trouble treating a persistent intermittent auto-trim as a "runaway". Foreign-speaking pilots might be more respectful of a sophisticated American airplane, and more wary about breaching the conditions for a NNC.
Join Date: Sep 2006
Location: Midlands
Posts: 128
Likes: 0
Received 0 Likes
on
0 Posts
Foreign-speaking pilots might be more respectful of a sophisticated American airplane
I would add to that the newness factor. A 20-30 year old aircraft might be expected to have some gremlins.
Join Date: Nov 2018
Location: Vancouver
Posts: 68
Likes: 0
Received 0 Likes
on
0 Posts
SOTBO/layman speculation - Both crashes, same aircraft, same system fault, same type of sensor involved, same environment i.e. low level in the tropics. So, assuming that all national aviation and air operator rules and regs are complied with as regards operations, that's leaves 1. heat, 2. insects or 3. peculiar air pressure variation. I suspect that duplicating the sensors won't eliminate 1 & 2. The solution to 1 is design and or materials to produce more resilient sensor with a bigger envelope of operation and to 2. guards/filters and/or ramped-up servicing/cleaning regimes for same.
N
N
They are two completely different "tropical countries".
Last edited by patplan; 31st Mar 2019 at 16:15.
SOTBO/layman speculation - Both crashes, same aircraft, same system fault, same type of sensor involved, same environment i.e. low level in the tropics. So, assuming that all national aviation and air operator rules and regs are complied with as regards operations, that's leaves 1. heat, 2. insects or 3. peculiar air pressure variation. I suspect that duplicating the sensors won't eliminate 1 & 2. The solution to 1 is design and or materials to produce more resilient sensor with a bigger envelope of operation and to 2. guards/filters and/or ramped-up servicing/cleaning regimes for same.
N
N
Notwithstanding that, the Ethiopian environment is way different than those that occurred with Lion Air. Check out the MSL altitude of both departure airfields...
Finally, the same AOA sensor is flying in several thousand 737NGs today. It doesn’t seem the sensor is likely to be to blame.
Truth is the Lion Air aircraft shouldn’t have been in service, given the maintenance log and lack of accurate documentation of issues with the aircraft on previous flights. As for Ethiopian we just don’t know any facts, other than the actual crash.
- GY
