Go Back  PPRuNe Forums > Flight Deck Forums > Rumours & News
Reload this Page >

Ethiopian airliner down in Africa

Rumours & News Reporting Points that may affect our jobs or lives as professional pilots. Also, items that may be of interest to professional pilots.

Ethiopian airliner down in Africa

Old 31st Mar 2019, 14:21
  #2821 (permalink)  
 
Join Date: Jan 2008
Location: Irvine, CA
Posts: 94
Originally Posted by weemonkey View Post
Thanks.
So the signal is NOT converted at the sensor and fed into a databus....
Apparently. Begs the question if the cables are shielded.
Airplanes are complex machines.
https://en.wikipedia.org/wiki/Qantas_Flight_72
http://www.atsb.gov.au/publications/...070_prelim.pdf
https://en.wikipedia.org/wiki/Naval_...Harold_E._Holt
Interflug is offline  
Old 31st Mar 2019, 14:21
  #2822 (permalink)  
Pegase Driver
 
Join Date: May 1997
Location: Europe
Age: 70
Posts: 2,894
Test flight with test pilots, intentionally stalling at 3,000' (instead of 10,000').
Not quite , there were not test pilots , otherwise they would not attempted this test like they did on the approach leg .
from the accident synopsis :
The primary cause of the accident was that the crew attempted an improvised test of the AOA warning system, not knowing that it was not functioning properly due to the inoperative sensors. They also disregarded the proper speed limits for the tests they were performing, resulting in a stall
But your reasoning is correct , this cannot be compared to the 2 Max accidents, as as the aircraft been normally flown it would never have stalled, or dive/trimmed into the water.
ATC Watcher is offline  
Old 31st Mar 2019, 14:46
  #2823 (permalink)  
 
Join Date: Mar 2019
Location: Bavaria
Posts: 17
Originally Posted by Blythy View Post
Triplexing/Voting works on the assumption that a single failure is unlikely, and a failure that affects two parts simultaneously is therefore extremely unlikely. It does not take into account a single root cause failure (as in the XL airways incident) that affects two parts simultaneously.
As an example, on the Space shuttle, there were four identical computers which voted against each other in the case of discrepancy. However, there was a 5th computer (limited to ascent and reentry only) which was different hardware and different software in the event of something which had the same root cause in the software / hardware.
I think that's the point:
Redundancy is a measure against random faults. Diversity is a measure against systematic faults.
A stone-age sensor which is working perfectly on one type of aircraft (thousands of planes for decades) is now mounted on a modified type and the fault rate went up drastically (350 planes, maybe 500 flights each, 6 failures). Or does every old 737 gets new AoA sensors every year because they fail that often?
How can you explain that with statistics?
I would assume that this cannot be explained without a systematic failure (wrong design, production failure) that leads to this drastic increase in failure probability. Especially since the failure mode is always the same in time (before flight) and even magnitude (22.5°).

So how can you now prevent that by redundancy (2 out of 2)? The actual statistics lead to an error every 3000 flights, so even if both sides are independent there is a double fault at least every 850 million flights. With the airplanes ordered that's every 20 years. But since systematic faults may tamper reliability in an unknown way, this calculation is very optimistic...
Limiting the capabilities of MCAS is the bandaid (less trim only once), comparing the sensors is just a gimmick.
And claiming to fix something with a systematic failure without identifying it is...

Oh, and as a safety consultant working at ASIL D (highest automotive level safety) inductive resolvers I can only imagine 2 failure modes which cause such a deviation if usual diagnostics are in place (vector length check, range check...):
a) Electromagnetic interference 'locked' the driving coil resonator on the EMI frequency and is also received by the receiver coils, being then demodulated on the sin/cos output (maybe from the new engines / engine electrical generators...)
b) If the resolver is made with +-45 mechanical deg angle range (360° electrical equal 90° mechanical) and the software is running on a stone-age 80286 without sin/cos coprocessor, an error in table-based sin/cos calculation would exactly result in 90° electrical / 22.5° mechanical angle deviation. Such tables only contain one quadrant of sin/cos and then just switch signs to get the other three.

btw: For the highest automotive safety level you use 2oo2 with a very strict analysis of production / design common cause errors and dependent failure analysis or even 2oo2 on different sensors from different fabs. But to be fair: randomly blocking tires at 100mph is even less controllable than MCAS, therefore it is not completely comparable.
TryingToLearn is offline  
Old 31st Mar 2019, 15:07
  #2824 (permalink)  
 
Join Date: Mar 2014
Location: Toronto
Age: 66
Posts: 41
We all know about the negative effect of a strong cockpit gradient.

Could a plane-to-pilot gradient be a factor in Indonesia and Ethiopia? American pilots would have no trouble treating a persistent intermittent auto-trim as a "runaway". Foreign-speaking pilots might be more respectful of a sophisticated American airplane, and more wary about breaching the conditions for a NNC.
YYZjim is offline  
Old 31st Mar 2019, 15:26
  #2825 (permalink)  
 
Join Date: Dec 2015
Location: Cape Town, ZA
Age: 59
Posts: 424
Originally Posted by YYZjim View Post
We all know about the negative effect of a strong cockpit gradient.

Could a plane-to-pilot gradient be a factor in Indonesia and Ethiopia? American pilots would have no trouble treating a persistent intermittent auto-trim as a "runaway". Foreign-speaking pilots might be more respectful of a sophisticated American airplane, and more wary about breaching the conditions for a NNC.
I would add to that the newness factor. A 20-30 year old aircraft might be expected to have some gremlins. A 6 month old one should not have, unless you treat all devices with skepticism. The trust-your-instruments not your gut perception, might add to the confusion and cockpit gradient.
GordonR_Cape is offline  
Old 31st Mar 2019, 15:38
  #2826 (permalink)  
 
Join Date: Feb 2008
Location: London
Posts: 14
SOTBO/layman speculation - Both crashes, same aircraft, same system fault, same type of sensor involved, same environment i.e. low level in the tropics. So, assuming that all national aviation and air operator rules and regs are complied with as regards operations, that's leaves 1. heat, 2. insects or 3. peculiar air pressure variation. I suspect that duplicating the sensors won't eliminate 1 & 2. The solution to 1 is design and or materials to produce more resilient sensor with a bigger envelope of operation and to 2. guards/filters and/or ramped-up servicing/cleaning regimes for same.

N
NAROBS is offline  
Old 31st Mar 2019, 15:51
  #2827 (permalink)  
 
Join Date: Sep 2006
Location: Midlands
Posts: 114
Foreign-speaking pilots might be more respectful of a sophisticated American airplane
You gotta be kidding!

I would add to that the newness factor. A 20-30 year old aircraft might be expected to have some gremlins.
Ethiopian's fleet average age is 6.2 years.Their oldest 737NGs are 15-17 years old, most under 10.
Back at NH is offline  
Old 31st Mar 2019, 15:53
  #2828 (permalink)  
 
Join Date: Nov 2018
Location: Vancouver
Posts: 67
Originally Posted by NAROBS View Post
SOTBO/layman speculation - Both crashes, same aircraft, same system fault, same type of sensor involved, same environment i.e. low level in the tropics. So, assuming that all national aviation and air operator rules and regs are complied with as regards operations, that's leaves 1. heat, 2. insects or 3. peculiar air pressure variation. I suspect that duplicating the sensors won't eliminate 1 & 2. The solution to 1 is design and or materials to produce more resilient sensor with a bigger envelope of operation and to 2. guards/filters and/or ramped-up servicing/cleaning regimes for same.

N
edited... Ethiopia is actually more continental than a typical tropical country. Addis Ababa at 7700+ ft ASL actually has more elevation than even the mile-high city of Denver. Indonesia, on the other hand, where the Lion Air's PK-LQP crashed, is an archipelago, and literally there are more than 10,000 islands there- surrounded by two oceans- and a home for hundreds of active volcanoes.

They are two completely different "tropical countries".

Last edited by patplan; 31st Mar 2019 at 16:15.
patplan is offline  
Old 31st Mar 2019, 16:42
  #2829 (permalink)  
 
Join Date: Jun 2009
Location: VA, USA
Age: 55
Posts: 561
Originally Posted by NAROBS View Post
SOTBO/layman speculation - Both crashes, same aircraft, same system fault, same type of sensor involved, same environment i.e. low level in the tropics. So, assuming that all national aviation and air operator rules and regs are complied with as regards operations, that's leaves 1. heat, 2. insects or 3. peculiar air pressure variation. I suspect that duplicating the sensors won't eliminate 1 & 2. The solution to 1 is design and or materials to produce more resilient sensor with a bigger envelope of operation and to 2. guards/filters and/or ramped-up servicing/cleaning regimes for same.

N
Firstly, as it stands the cause of the second crash is unknown. Fingers pointing at MCAS are speculation, at least until the interim report is published. It may well be a better narrative than other options.

Notwithstanding that, the Ethiopian environment is way different than those that occurred with Lion Air. Check out the MSL altitude of both departure airfields...

Finally, the same AOA sensor is flying in several thousand 737NGs today. It doesn’t seem the sensor is likely to be to blame.

Truth is the Lion Air aircraft shouldn’t have been in service, given the maintenance log and lack of accurate documentation of issues with the aircraft on previous flights. As for Ethiopian we just don’t know any facts, other than the actual crash.

- GY
GarageYears is offline  
Old 31st Mar 2019, 16:51
  #2830 (permalink)  
 
Join Date: Feb 2015
Location: The woods
Posts: 1
AoA presentation should be a strip?



Well I don’t agree, for me AoA is an anolog value, which can be related directly to vane angle much more easily on a dial, than yet another strip display.
bill fly is offline  
Old 31st Mar 2019, 17:26
  #2831 (permalink)  
 
Join Date: Nov 2018
Location: Vancouver
Posts: 67
Originally Posted by GarageYears View Post


Firstly, as it stands the cause of the second crash is unknown. Fingers pointing at MCAS are speculation, at least until the interim report is published. It may well be a better narrative than other options.

Notwithstanding that, the Ethiopian environment is way different than those that occurred with Lion Air. Check out the MSL altitude of both departure airfields...

Finally, the same AOA sensor is flying in several thousand 737NGs today. It doesn’t seem the sensor is likely to be to blame.

Truth is the Lion Air aircraft shouldn’t have been in service, given the maintenance log and lack of accurate documentation of issues with the aircraft on previous flights. As for Ethiopian we just don’t know any facts, other than the actual crash.

- GY
Well, actually this Ethiopian investigation is almost as leaky as the Indonesian one... The main suspects are very much the same: AOA reading and MCAS.

Since MCAS, in its past iteration, after being fed by erroneous data by a single AOA vane, have a knack to drive the trim mechanism to the end of the jackscrew, essentially doing its job as programmed spectacularly "well", that will leave the AOA vane as the fall guy.

Except..., it is ALMOST IMPOSSIBLE for the vanes which had been in used since forever and thought to have been very reliable would be implicated as the cause for the two crashes within the span of 5 months. This will leave us with something else more plausible as the caused but has been largely ignored: the Max-8 flight control system or something therein...
patplan is offline  
Old 31st Mar 2019, 18:11
  #2832 (permalink)  
 
Join Date: Mar 2018
Location: UK
Posts: 2
Originally Posted by GordonR_Cape View Post
A third AOA would only have worked if the Boeing 737 MAX had new flight control computers like other models (including Airbus). That was never going to happen, due to the huge cost, certification and training issues. I never implied that 3 AOA sensors have no function, but unless the system architecture can process and vote on them, the third one has no purpose.
I bet Boeing wished that they had spent that extra cash now!
hjd10 is offline  
Old 31st Mar 2019, 18:45
  #2833 (permalink)  
 
Join Date: Aug 2005
Location: EDLB
Posts: 205
I take bets that it has something to do with the signal wiring form the AoA vane to the flight computer (ADIRU) like shorting out one half of the SIN or COS symmetric signal and creating with that something around a 45 degree/2 offset. If the Ethopian airline FDR does show a similar problem, then there is some latent harness, connector or ADIRU problem which will show up in the other 737 MAX made in a similar timeframe. So if that establishes, the investigation might look into some of the grounded planes build in similar timeframe.
EDLB is offline  
Old 31st Mar 2019, 18:57
  #2834 (permalink)  
 
Join Date: Mar 2019
Location: Usa
Posts: 1
Originally Posted by Blythy View Post
As an example, on the Space shuttle, there were four identical computers which voted against each other in the case of discrepancy. However, there was a 5th computer (limited to ascent and reentry only) which was different hardware and different software in the event of something which had the same root cause in the software / hardware.
Not entirely true. All 5 computers are AP-101. It had a different subset of functions for ascent and descent, written by Rockwell (IBM was the main contractor for the hardware and flight software). It wasn't a complete rewrite of the flight software. The reason given for not having different hardware was that is would have cost too much. The software itself was an OS written in assembly, and the main code written in HAL/S, possibly on different versions of compiler.

Has there ever really been an aircraft with 2 completely separate hardware and software teams?

Info was gotten from
Computers in Spaceflight: The NASA Experience Chapter 4-3
and The Space Shuttle Primary Computer System, Communications of the ACM September 1984 Volume 27 Issue 9
Daft01 is offline  
Old 31st Mar 2019, 19:28
  #2835 (permalink)  
 
Join Date: Jun 2009
Location: Dorset
Posts: 30
Originally Posted by safetypee View Post
Whilst all of you Tech ‘bit’ people provide valuable information and possible scenarios, could you please consider why ‘failures’ appear to be very rare and so far only relate to two aircraft / three vanes.

How something fails does not necessarily explain why (when) it failed.
Random, probabilistic, bit count, world clock ?
OK, having considered why the MCAC failures only appear on some flights, possible candidates (the holes in the cheese) that could trigger a software fault in the processing of an AoA correction table (bearing in mind that the ADIRU software was developed only to a “non -safety critical standard”) are:-
1) pin fault: How does an ADIRU recognise it is L or R? Similar sytems I’ve worked on in the past had a fixed pin in the harness connector of one box to designate it as L. If on the problem 737 Max flights the pin became a bad connection, or was bent/missing, the ADIRUs would think they are both L (or both R).
2) IAS fault: As pointed out by patplan in #2799 there was an “IAS & ALT Disagree shown after take off”. If the correction table is indexed by IAS (or has some dependency on it), the software could have used bad IAS data as an index and read garbage data for the correction items.
3) interrupt corruption: A problem that has bitten me hard on a few occasions over the years is with the software that handles interrupts. Typically, interrupt software has to save data held in registers, perform its actions, and then restore the registers to their entry values. A latent problem can exist (just waiting for the right holes to line up) that a piece of software uses another register that the spec writer of the interrupt routine was unaware was being used. Or, more likely, a software update was made (e.g. MCAS date preparation update) that used another register. So after 100s or 1000s of flight hours the holes line up, the interrupt pings off in the middle of the new software, something (could be a data value, a status flag, a jump address or ….) is corrupted. The consequential behaviour could be any of many surprises!
4) processor overload:
Originally Posted by patplan View Post
I have a suspicion that in Boeing 737 Max 8 [B38M] perhaps the LEFT/CAPT ADIRU is constantly being overwhelmed by new routines [i.e. MCAS/AOA related programmings] which may from time to time corrupt the system.
I agree, as the (old tech) processors become more and more loaded, there will reach a point where, given the right circumstance of several things needing to be computed in one cycle, a software routine will not complete. Just as an example, the start up stage will be quiet busy. I would expect the ADIRU to determine its L or R status (perhaps read a pin) and store the result for other software routines to use. So if this action does not complete the ADIRU L or R status will stay at the default value; ADIRUs would both stay as L (or R).
5) flap position: From the preliminary report (Fig. 5 on accident flight & Fig. 7 on previous flight) there is a difference in when the flap position changes. Fig 5 shows a change well after rotation, Fig 7 shows a change at the point of rotation. Could this difference have affected how MCAS subsequently behaved?
VicMel is offline  
Old 31st Mar 2019, 20:40
  #2836 (permalink)  
 
Join Date: Jan 2008
Location: Reading, UK
Posts: 12,315
Originally Posted by VicMel View Post
So after 100s or 1000s of flight hours the holes line up, the interrupt pings off in the middle of the new software, something (could be a data value, a status flag, a jump address or ….) is corrupted. The consequential behaviour could be any of many surprises!
That sounds like a description of a random failure, rather than something that would manifest itself over several consecutive flights, as was the case with Lion Air.

DaveReidUK is offline  
Old 31st Mar 2019, 20:46
  #2837 (permalink)  
 
Join Date: Aug 2013
Location: Washington.
Age: 70
Posts: 571
Originally Posted by bill fly View Post


Well I don’t agree, for me AoA is an anolog value, which can be related directly to vane angle much more easily on a dial, than yet another strip display.
The AoA display should be designed to support the pilot’s proper and effective use of it (whatever that is). It should be considered, not in isolation, but in the context of the rest of the flight display(s) and the instrument scan which the pilots are expected to conduct. Does any airline which has aircraft equipped with the AoA display have approved pilot procedures for its use? If a check ride was conducted, in which phases of flight would a pilot be faulted for failure to maintain awareness of the AoA display? If one were to evaluate the AoA display design, what measure of performance would be used? Considering the approved Boeing EFIS with the AoA in the upper right corner, how does that fit Basic T flight display philosophy? Of course it doesn’t, because AoA was never part of the Basic T. But if there was a logical, task performance-based purpose for the AoA display, why would it be placed above the altitude display, about as far from the airspeed and attitude indications as it could be? Yet, we suppose it enhances safety?
GlobalNav is offline  
Old 31st Mar 2019, 20:58
  #2838 (permalink)  
 
Join Date: Nov 2018
Location: madrid
Posts: 47
Originally Posted by EDLB View Post
I take bets that it has something to do with the signal wiring form the AoA vane to the flight computer (ADIRU) like shorting out one half of the SIN or COS symmetric signal and creating with that something around a 45 degree/2 offset. If the Ethopian airline FDR does show a similar problem, then there is some latent harness, connector or ADIRU problem which will show up in the other 737 MAX made in a similar timeframe. So if that establishes, the investigation might look into some of the grounded planes build in similar timeframe.
In theory, (older 737s) each computer takes the three wires (the two analog signals) and amplify them, then demodulates them (turns them into DC) using the reference AC current that powers the vane, then filters them and finally go to an A/D converter. The values are stored at a memory block, and then a software block reads them, and translate them into a AOA (degrees (atan(sin/cos)), which is once more filtered (so two AOA are available, raw and filtered).

I would be really surprised if the software block did not, at that point, perform the plausibility check (sin^2+cos^2=vmax). (for instance, it shows a warning if the vane didn't move more than 3 degrees for a period of time).

But even if it didn't, shorting one of the signals to vref would produce 9 degrees offset at the vane. Does that translate to 22 degrees airplane AOA?
ecto1 is offline  
Old 31st Mar 2019, 22:01
  #2839 (permalink)  
 
Join Date: Feb 2017
Location: Adelaide
Posts: 3
Originally Posted by patplan View Post
Well, actually this Ethiopian investigation is almost as leaky as the Indonesian one... The main suspects are very much the same: AOA reading and MCAS.

Since MCAS, in its past iteration, after being fed by erroneous data by a single AOA vane, have a knack to drive the trim mechanism to the end of the jackscrew, essentially doing its job as programmed spectacularly "well", that will leave the AOA vane as the fall guy.

Except..., it is ALMOST IMPOSSIBLE for the vanes which had been in used since forever and thought to have been very reliable would be implicated as the cause for the two crashes within the span of 5 months. This will leave us with something else more plausible as the caused but has been largely ignored: the Max-8 flight control system or something therein...
Except the AOA is not hooked up to MCAS on the NG
Wilderone is offline  
Old 31st Mar 2019, 22:32
  #2840 (permalink)  
 
Join Date: Dec 2002
Location: UK
Posts: 2,075
VicMel, #2858, thanks for the reply.

So with my simplistic view the problem appears to be random, chance. Alternatively, as a sceptic, why 2 aircraft in 4 months, whereas the remaining fleet …
OK, so this is the nature of probability, together with the ever-increasing fleet size.

Thus the next question is where a ‘good’ AoA software fix could - should be made, but if not … at least the output of MCAS should be limited.
And if AoA is not fixed (still probability), there could still be problems with speed pressure error correction, air-data disagree, feel, and low speed awareness, but will these events be no more than experience in previous 737s, or if it still is an issue with the Max (inadequate software / FGC ADIRU overloaded) then there will be an increase in disagree alerts due to ‘corrupt’ AoA.

I may be dancing around the same tree as in my post in the other thread - #485 Boeing 737 Max Software Fixes Due to Lion Air Crash Delayed
Where is the value of AoA sampled by the FDR; would this clarify current understanding.



safetypee is offline  

Thread Tools
Search this Thread

Contact Us - Archive - Advertising - Cookie Policy - Privacy Statement - Terms of Service - Do Not Sell My Personal Information -

Copyright © 2018 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.