Go Back  PPRuNe Forums > Flight Deck Forums > Rumours & News
Reload this Page >

Ethiopian airliner down in Africa

Rumours & News Reporting Points that may affect our jobs or lives as professional pilots. Also, items that may be of interest to professional pilots.

Ethiopian airliner down in Africa

Old 31st Mar 2019, 11:19
  #2821 (permalink)  
 
Join Date: Jan 2008
Location: Irvine, CA
Posts: 94
Originally Posted by GordonR_Cape View Post
...Nor am I trying to discount the disastrous nature of MCAS, but pointing out that adding a 3rd AOA to an old airframe does not solve anything.
As far as I understand logic, a 3rd AoA would have allowed the system to run a software algorithm that votes an erroneous AoA sensor input out against the other two. That would have solved EVERYTHING in those two crashes, no?
It would have prevented MCAS from activating in the first place. 346 people would still live. Two airplanes would still fly. And all the other 737 MAX would not have been grounded.
How can you come to the conclusion that it wouldn't have solved anything?
We know by now why Boeing did use only one sensor input: to save money, and keeping the reckless promise, that crews would need no expensive training to fly the plane except minutes with some slideshow on the iPad. In order to do so, they had to downgrade the risk as in case of malfunction not potentially catastrophic, and apparently they did so intentionally, and the FAA was partner in crime.
Interflug is offline  
Old 31st Mar 2019, 11:31
  #2822 (permalink)  
 
Join Date: Dec 2015
Location: Cape Town, ZA
Age: 58
Posts: 419
Originally Posted by Interflug View Post
As far as I understand logic, a 3rd AoA would have allowed the system to run a software algorithm that votes an erroneous AoA sensor input out against the other two. That would have solved EVERYTHING in those two crashes, no?
It would have prevented MCAS from activating in the first place. 346 people would still live. Two airplanes would still fly. And all the other 737 MAX would not have been grounded.
How can you come to the conclusion that it wouldn't have solved anything?
We know by now why Boeing did use only one sensor input: to save money, and keeping the reckless promise, that crews would need no expensive training to fly the plane except minutes with some slideshow on the iPad. In order to do so, they had to downgrade the risk as in case of malfunction not potentially catastrophic, and apparently they did so intentionally, and the FAA was partner in crime.
A third AOA would only have worked if the Boeing 737 MAX had new flight control computers like other models (including Airbus). That was never going to happen, due to the huge cost, certification and training issues. I never implied that 3 AOA sensors have no function, but unless the system architecture can process and vote on them, the third one has no purpose.
GordonR_Cape is offline  
Old 31st Mar 2019, 11:52
  #2823 (permalink)  
 
Join Date: Oct 2007
Location: London
Age: 75
Posts: 333
Originally Posted by Interflug View Post
As far as I understand logic, a 3rd AoA would have allowed the system to run a software algorithm that votes an erroneous AoA sensor input out against the other two. That would have solved EVERYTHING in those two crashes, no?
It would have prevented MCAS from activating in the first place. 346 people would still live. Two airplanes would still fly. And all the other 737 MAX would not have been grounded.
How can you come to the conclusion that it wouldn't have solved anything?
We know by now why Boeing did use only one sensor input: to save money, and keeping the reckless promise, that crews would need no expensive training to fly the plane except minutes with some slideshow on the iPad. In order to do so, they had to downgrade the risk as in case of malfunction not potentially catastrophic, and apparently they did so intentionally, and the FAA was partner in crime.
Triplexing of the A of A vanes could, should have prevented the MCAS system from erroneous operation.
However a DUAL system, with a comparitor could well be the fix. If the AoA sensors disagree the MCAS is disabled and there is a flight deck warning of lack of stall warning, fly the airplane normally to destination then fix it ! Loss of stall warning is, frankly, no big deal for continuing the sector, as there has been an infinitely small number of stalls on commercial airliners.

A Boeing precedent was the rudder ratio system on the 75 and 76, my last aircraft. If we got a rudder ratio failure warning, we flew the airplane normally, being aware that coarse rudder inputs at high speed were to be avoided as fin overload could occur, ( they were never used anyway ! ) No sim training required to deal with that, just knowledge of the system.

In addition I believe the degree of travel of the stab. with MCAS, should be limited as a function of speed such that elevator input could overcome the MCAS commanded travel. After the RAF Valiant, my first 4 jet, tailplane runaway and crash in 1964 , we found we could overcome the runaway stab, just by max elevator input, just.

In addition perhaps the MCAS should be limited to one cycle ONLY. afer all, with the shaker and a single nose down push, just how much more stall warning does a trained crew require before initiating the classic recovery technique, lower the nose til the shaker, vibration and noise, or buffet stops, add power, gently roll wings level. Worked on every jet I have ever flown. Even on the T tailed VC 10 we did not have anything as aggressive as the MCAS system and a stall on a T tailed jet could be a lot more dangerous than on a 737.
Comment based on my Boeing experience of about 6000 command hours on the 737 200 and 300, inc as trainer, and 4000 on the 75 and 76, all brilliant aircraft.

Last edited by RetiredBA/BY; 31st Mar 2019 at 12:04.
RetiredBA/BY is offline  
Old 31st Mar 2019, 12:23
  #2824 (permalink)  
 
Join Date: Jan 2006
Location: Sydney Australia
Posts: 2,091
Originally Posted by GlobalNav View Post
Band-aid on a band-aid - that's the Boeing design philosophy of the Max. The AoA display makes little, if any, safety contribution to the flight deck (procedure wise) and the AOA disagree light even less. What is a pilot supposed to do when the AoA disagree light illuminates? Hit the trim switches? I wonder how often that light will illuminate, anyway. Probably often enough to get ignored.
I wonder if the whiz kids who design the interface, and the heads of their departments, ever thought it might be a good idea to at least get some input from those who actually fly the thing?

Nah, pilots! What would they know?
KRUSTY 34 is offline  
Old 31st Mar 2019, 12:52
  #2825 (permalink)  
 
Join Date: Nov 2008
Location: Somewhere
Posts: 10
Originally Posted by Interflug View Post
As far as I understand logic, a 3rd AoA would have allowed the system to run a software algorithm that votes an erroneous AoA sensor input out against the other two. That would have solved EVERYTHING in those two crashes, no?
XL Airways Germany Flight 888T, quote below is from the wiki page:
The aircraft's computers received conflicting information from the three angle of attack sensors. The aircraft computer system’s programming logic had been designed to reject one sensor value if it deviated significantly from the other two sensor values. In this specific case, this programming logic led to the rejection of the correct value from the one operative angle of attack sensor, and to the acceptance of the two consistent, but wrong, values from the two inoperative angle of attack sensors.
Triplexing/Voting works on the assumption that a single failure is unlikely, and a failure that affects two parts simultaneously is therefore extremely unlikely. It does not take into account a single root cause failure (as in the XL airways incident) that affects two parts simultaneously.
As an example, on the Space shuttle, there were four identical computers which voted against each other in the case of discrepancy. However, there was a 5th computer (limited to ascent and reentry only) which was different hardware and different software in the event of something which had the same root cause in the software / hardware.


Blythy is offline  
Old 31st Mar 2019, 14:12
  #2826 (permalink)  
 
Join Date: Jan 2008
Location: Irvine, CA
Posts: 94
Originally Posted by Blythy View Post
XL Airways Germany Flight 888T, quote below is from the wiki page:
Triplexing/Voting works on the assumption that a single failure is unlikely, and a failure that affects two parts simultaneously is therefore extremely unlikely. It does not take into account a single root cause failure (as in the XL airways incident) that affects two parts simultaneously.
True. It's never 100% safe. But the XL Airways crash really was a black swan event in comparison, for the holes in the cheese to line up that way:
Test flight with test pilots, intentionally stalling at 3,000' (instead of 10,000').
Two out of three AoA sensors frozen, due to water contamination from high pressure cleaning the aircraft for painting, two days previously.
Would it have been a flight with passengers, they wold not have stalled at 3,000' intentionally.
Interflug is offline  
Old 31st Mar 2019, 14:21
  #2827 (permalink)  
 
Join Date: Jan 2008
Location: Irvine, CA
Posts: 94
Originally Posted by weemonkey View Post
Thanks.
So the signal is NOT converted at the sensor and fed into a databus....
Apparently. Begs the question if the cables are shielded.
Airplanes are complex machines.
https://en.wikipedia.org/wiki/Qantas_Flight_72
http://www.atsb.gov.au/publications/...070_prelim.pdf
https://en.wikipedia.org/wiki/Naval_...Harold_E._Holt
Interflug is offline  
Old 31st Mar 2019, 14:21
  #2828 (permalink)  
Pegase Driver
 
Join Date: May 1997
Location: Europe
Age: 69
Posts: 2,650
Test flight with test pilots, intentionally stalling at 3,000' (instead of 10,000').
Not quite , there were not test pilots , otherwise they would not attempted this test like they did on the approach leg .
from the accident synopsis :
The primary cause of the accident was that the crew attempted an improvised test of the AOA warning system, not knowing that it was not functioning properly due to the inoperative sensors. They also disregarded the proper speed limits for the tests they were performing, resulting in a stall
But your reasoning is correct , this cannot be compared to the 2 Max accidents, as as the aircraft been normally flown it would never have stalled, or dive/trimmed into the water.
ATC Watcher is offline  
Old 31st Mar 2019, 14:46
  #2829 (permalink)  
 
Join Date: Mar 2019
Location: Bavaria
Posts: 17
Originally Posted by Blythy View Post
Triplexing/Voting works on the assumption that a single failure is unlikely, and a failure that affects two parts simultaneously is therefore extremely unlikely. It does not take into account a single root cause failure (as in the XL airways incident) that affects two parts simultaneously.
As an example, on the Space shuttle, there were four identical computers which voted against each other in the case of discrepancy. However, there was a 5th computer (limited to ascent and reentry only) which was different hardware and different software in the event of something which had the same root cause in the software / hardware.
I think that's the point:
Redundancy is a measure against random faults. Diversity is a measure against systematic faults.
A stone-age sensor which is working perfectly on one type of aircraft (thousands of planes for decades) is now mounted on a modified type and the fault rate went up drastically (350 planes, maybe 500 flights each, 6 failures). Or does every old 737 gets new AoA sensors every year because they fail that often?
How can you explain that with statistics?
I would assume that this cannot be explained without a systematic failure (wrong design, production failure) that leads to this drastic increase in failure probability. Especially since the failure mode is always the same in time (before flight) and even magnitude (22.5°).

So how can you now prevent that by redundancy (2 out of 2)? The actual statistics lead to an error every 3000 flights, so even if both sides are independent there is a double fault at least every 850 million flights. With the airplanes ordered that's every 20 years. But since systematic faults may tamper reliability in an unknown way, this calculation is very optimistic...
Limiting the capabilities of MCAS is the bandaid (less trim only once), comparing the sensors is just a gimmick.
And claiming to fix something with a systematic failure without identifying it is...

Oh, and as a safety consultant working at ASIL D (highest automotive level safety) inductive resolvers I can only imagine 2 failure modes which cause such a deviation if usual diagnostics are in place (vector length check, range check...):
a) Electromagnetic interference 'locked' the driving coil resonator on the EMI frequency and is also received by the receiver coils, being then demodulated on the sin/cos output (maybe from the new engines / engine electrical generators...)
b) If the resolver is made with +-45 mechanical deg angle range (360° electrical equal 90° mechanical) and the software is running on a stone-age 80286 without sin/cos coprocessor, an error in table-based sin/cos calculation would exactly result in 90° electrical / 22.5° mechanical angle deviation. Such tables only contain one quadrant of sin/cos and then just switch signs to get the other three.

btw: For the highest automotive safety level you use 2oo2 with a very strict analysis of production / design common cause errors and dependent failure analysis or even 2oo2 on different sensors from different fabs. But to be fair: randomly blocking tires at 100mph is even less controllable than MCAS, therefore it is not completely comparable.
TryingToLearn is offline  
Old 31st Mar 2019, 15:07
  #2830 (permalink)  
 
Join Date: Mar 2014
Location: Toronto
Age: 65
Posts: 38
We all know about the negative effect of a strong cockpit gradient.

Could a plane-to-pilot gradient be a factor in Indonesia and Ethiopia? American pilots would have no trouble treating a persistent intermittent auto-trim as a "runaway". Foreign-speaking pilots might be more respectful of a sophisticated American airplane, and more wary about breaching the conditions for a NNC.
YYZjim is offline  
Old 31st Mar 2019, 15:26
  #2831 (permalink)  
 
Join Date: Dec 2015
Location: Cape Town, ZA
Age: 58
Posts: 419
Originally Posted by YYZjim View Post
We all know about the negative effect of a strong cockpit gradient.

Could a plane-to-pilot gradient be a factor in Indonesia and Ethiopia? American pilots would have no trouble treating a persistent intermittent auto-trim as a "runaway". Foreign-speaking pilots might be more respectful of a sophisticated American airplane, and more wary about breaching the conditions for a NNC.
I would add to that the newness factor. A 20-30 year old aircraft might be expected to have some gremlins. A 6 month old one should not have, unless you treat all devices with skepticism. The trust-your-instruments not your gut perception, might add to the confusion and cockpit gradient.
GordonR_Cape is offline  
Old 31st Mar 2019, 15:38
  #2832 (permalink)  
 
Join Date: Feb 2008
Location: London
Posts: 6
SOTBO/layman speculation - Both crashes, same aircraft, same system fault, same type of sensor involved, same environment i.e. low level in the tropics. So, assuming that all national aviation and air operator rules and regs are complied with as regards operations, that's leaves 1. heat, 2. insects or 3. peculiar air pressure variation. I suspect that duplicating the sensors won't eliminate 1 & 2. The solution to 1 is design and or materials to produce more resilient sensor with a bigger envelope of operation and to 2. guards/filters and/or ramped-up servicing/cleaning regimes for same.

N
NAROBS is offline  
Old 31st Mar 2019, 15:51
  #2833 (permalink)  
 
Join Date: Sep 2006
Location: Midlands
Posts: 113
Foreign-speaking pilots might be more respectful of a sophisticated American airplane
You gotta be kidding!

I would add to that the newness factor. A 20-30 year old aircraft might be expected to have some gremlins.
Ethiopian's fleet average age is 6.2 years.Their oldest 737NGs are 15-17 years old, most under 10.
Back at NH is offline  
Old 31st Mar 2019, 15:53
  #2834 (permalink)  
 
Join Date: Nov 2018
Location: Vancouver
Posts: 66
Originally Posted by NAROBS View Post
SOTBO/layman speculation - Both crashes, same aircraft, same system fault, same type of sensor involved, same environment i.e. low level in the tropics. So, assuming that all national aviation and air operator rules and regs are complied with as regards operations, that's leaves 1. heat, 2. insects or 3. peculiar air pressure variation. I suspect that duplicating the sensors won't eliminate 1 & 2. The solution to 1 is design and or materials to produce more resilient sensor with a bigger envelope of operation and to 2. guards/filters and/or ramped-up servicing/cleaning regimes for same.

N
edited... Ethiopia is actually more continental than a typical tropical country. Addis Ababa at 7700+ ft ASL actually has more elevation than even the mile-high city of Denver. Indonesia, on the other hand, where the Lion Air's PK-LQP crashed, is an archipelago, and literally there are more than 10,000 islands there- surrounded by two oceans- and a home for hundreds of active volcanoes.

They are two completely different "tropical countries".

Last edited by patplan; 31st Mar 2019 at 16:15.
patplan is offline  
Old 31st Mar 2019, 16:42
  #2835 (permalink)  
 
Join Date: Jun 2009
Location: VA, USA
Age: 54
Posts: 559
Originally Posted by NAROBS View Post
SOTBO/layman speculation - Both crashes, same aircraft, same system fault, same type of sensor involved, same environment i.e. low level in the tropics. So, assuming that all national aviation and air operator rules and regs are complied with as regards operations, that's leaves 1. heat, 2. insects or 3. peculiar air pressure variation. I suspect that duplicating the sensors won't eliminate 1 & 2. The solution to 1 is design and or materials to produce more resilient sensor with a bigger envelope of operation and to 2. guards/filters and/or ramped-up servicing/cleaning regimes for same.

N
Firstly, as it stands the cause of the second crash is unknown. Fingers pointing at MCAS are speculation, at least until the interim report is published. It may well be a better narrative than other options.

Notwithstanding that, the Ethiopian environment is way different than those that occurred with Lion Air. Check out the MSL altitude of both departure airfields...

Finally, the same AOA sensor is flying in several thousand 737NGs today. It doesn’t seem the sensor is likely to be to blame.

Truth is the Lion Air aircraft shouldn’t have been in service, given the maintenance log and lack of accurate documentation of issues with the aircraft on previous flights. As for Ethiopian we just don’t know any facts, other than the actual crash.

- GY
GarageYears is offline  
Old 31st Mar 2019, 16:51
  #2836 (permalink)  
 
Join Date: Feb 2015
Location: The woods
Posts: 1
AoA presentation should be a strip?



Well I don’t agree, for me AoA is an anolog value, which can be related directly to vane angle much more easily on a dial, than yet another strip display.
bill fly is offline  
Old 31st Mar 2019, 17:26
  #2837 (permalink)  
 
Join Date: Nov 2018
Location: Vancouver
Posts: 66
Originally Posted by GarageYears View Post


Firstly, as it stands the cause of the second crash is unknown. Fingers pointing at MCAS are speculation, at least until the interim report is published. It may well be a better narrative than other options.

Notwithstanding that, the Ethiopian environment is way different than those that occurred with Lion Air. Check out the MSL altitude of both departure airfields...

Finally, the same AOA sensor is flying in several thousand 737NGs today. It doesn’t seem the sensor is likely to be to blame.

Truth is the Lion Air aircraft shouldn’t have been in service, given the maintenance log and lack of accurate documentation of issues with the aircraft on previous flights. As for Ethiopian we just don’t know any facts, other than the actual crash.

- GY
Well, actually this Ethiopian investigation is almost as leaky as the Indonesian one... The main suspects are very much the same: AOA reading and MCAS.

Since MCAS, in its past iteration, after being fed by erroneous data by a single AOA vane, have a knack to drive the trim mechanism to the end of the jackscrew, essentially doing its job as programmed spectacularly "well", that will leave the AOA vane as the fall guy.

Except..., it is ALMOST IMPOSSIBLE for the vanes which had been in used since forever and thought to have been very reliable would be implicated as the cause for the two crashes within the span of 5 months. This will leave us with something else more plausible as the caused but has been largely ignored: the Max-8 flight control system or something therein...
patplan is offline  
Old 31st Mar 2019, 18:11
  #2838 (permalink)  
 
Join Date: Mar 2018
Location: UK
Posts: 2
Originally Posted by GordonR_Cape View Post
A third AOA would only have worked if the Boeing 737 MAX had new flight control computers like other models (including Airbus). That was never going to happen, due to the huge cost, certification and training issues. I never implied that 3 AOA sensors have no function, but unless the system architecture can process and vote on them, the third one has no purpose.
I bet Boeing wished that they had spent that extra cash now!
hjd10 is offline  
Old 31st Mar 2019, 18:45
  #2839 (permalink)  
 
Join Date: Aug 2005
Location: EDLB
Posts: 173
I take bets that it has something to do with the signal wiring form the AoA vane to the flight computer (ADIRU) like shorting out one half of the SIN or COS symmetric signal and creating with that something around a 45 degree/2 offset. If the Ethopian airline FDR does show a similar problem, then there is some latent harness, connector or ADIRU problem which will show up in the other 737 MAX made in a similar timeframe. So if that establishes, the investigation might look into some of the grounded planes build in similar timeframe.
EDLB is offline  
Old 31st Mar 2019, 18:57
  #2840 (permalink)  
 
Join Date: Mar 2019
Location: Usa
Posts: 1
Originally Posted by Blythy View Post
As an example, on the Space shuttle, there were four identical computers which voted against each other in the case of discrepancy. However, there was a 5th computer (limited to ascent and reentry only) which was different hardware and different software in the event of something which had the same root cause in the software / hardware.
Not entirely true. All 5 computers are AP-101. It had a different subset of functions for ascent and descent, written by Rockwell (IBM was the main contractor for the hardware and flight software). It wasn't a complete rewrite of the flight software. The reason given for not having different hardware was that is would have cost too much. The software itself was an OS written in assembly, and the main code written in HAL/S, possibly on different versions of compiler.

Has there ever really been an aircraft with 2 completely separate hardware and software teams?

Info was gotten from
Computers in Spaceflight: The NASA Experience Chapter 4-3
and The Space Shuttle Primary Computer System, Communications of the ACM September 1984 Volume 27 Issue 9
Daft01 is offline  

Thread Tools
Search this Thread

Contact Us - Archive - Advertising - Cookie Policy - Privacy Statement - Terms of Service - Do Not Sell My Personal Information

Copyright © 2018 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.