Ethiopian airliner down in Africa

Old 8th Apr 2019, 21:04
  #3661 (permalink)  
Join Date: Aug 2007
Location: Alabama
Age: 55
Posts: 366
Originally Posted by Water pilot View Post
Not particularly remote since it was the left side that the shaker was active on. We don't really know how the thumb switches operate, at first I thought that they were just switches to a solenoid but it seems more likely that they are just inputs to the fancy two computer/four processor 'black box' that is part of the flight control system. At that point, anything is possible since it is software.
I am not a pilot, but it happens I can understand electrical schematics, the stab one is messy, clearly has been patched and subject to additions over the years with a mix of relay logic, analog and digital. The thumb switches are inputs to a fancy block, but they are hardware interlocked by column switches, cutout, etc. MCAS does not even compute the cutout switches... I do not believe the SW has any major control on thumb switches. I cannot post the circuit from mobile, but it was posted earlier on this thread
FrequentSLF is offline  
Old 8th Apr 2019, 21:09
  #3662 (permalink)  
Join Date: Jun 2009
Location: Dorset
Posts: 30
Originally Posted by bsieker View Post
As we now know, MCAS is just such a system. So, as others have pointed out repeatedly, at least in hindsight, anything less than Level A is not appropriate.
It did not need loss of an aircraft to decide MCAS should be Level A, any software that has direct control of a piece of equipment, which if erroneously controlled could lead to a fatality, IMO must be Level A. So, MCAS should have been Level A from its original conception, if nothing else, in order to reduce the risk that the software will get “stuck in a loop” and just drive the stabiliser straight to its physical limit as fast as it will go! And I’m not too keen on the idea of putting non-Level A software in the same box as Level A software (assuming that the rest of the FCC software is Level A). Proving isolation and non-interference is very difficult.

Originally Posted by bsieker View Post
Objectives that need to be demonstrated include things like
  • High-level requirements are accurate and consistent.
  • Low-level requirements are verifiable.
  • Software architecture is verifiable.
  • Source Code is verifiable.
  • Source Code is traceable to low-level requirements.
  • Source Code is accurate and consistent.
  • High-level requirements are accurate and consistent.
  • Low-level requirements are traceable to high-level requirements.
And many more. That is "the cheapest fix possible". It's not cheap, but it's doable in significantly less than 8 years for a company which has the procedures in place, which Boeing does.

Boeing must realise that if there is another software “event” involving a 737 MAX, even if it has nothing to do with the AoA, they will lose the public’s confidence completely. They really need to do an over-the-top job here, MCAS (and possibly other systems) need to be upgraded to A+. This should include (at least):-
a) fully independent (i.e. not another department of Boeing) verification of the items in the “objectives” list.
b) verification of robustness of code, preferably using tools to check for such things as poorly defined end condition of loops, depth of subroutine calling to prevent stack corruption, full timing analysis to prove there is no “timing overloaded” path etc., etc.
c) asking “what ifs” involving pilots, hardware team and experienced assessors, e.g. what information would pilots need to know to deal with a fault, what hardware idiosyncrasies need to be considered, what else could go wrong.
d) ensuring that every input is either from another Level A system, or validated by the new MCAS software
e) storing important status (e.g. flaps up) as a code and its complement, not as a single bit.
f) making MCAS an integral part of FCC i.e. runs in both channels, if the outputs disagree the controller (could be the pilot, which would be a bit radical!) decides what to do
g) upgrading other systems to make them more robust e.g. ADIRU.

Redoing MCAS as Level A ready for submitting to the certification process should be relatively straightforward, I'd estimate 1 to 2 years; how long to ensure that supporting systems are brought up to an appropriate level (ADIRU to Level A?), 2 to 4 years perhaps. Achieving global certification, no idea.

VicMel is offline  
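Item (e) in the post above, storing a status as a code and its complement rather than as a single bit, can be sketched as follows. This is an added example, not part of the original post and not code from any flight control system; the code values 0xA5/0x5A, the type and function names, and the policy of inhibiting the dependent function when the stored status fails its check are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical codes: the two valid values differ in all 8 bits, so no
   single-bit upset can turn one valid state into the other. */
typedef enum { FLAPS_UP = 0xA5, FLAPS_NOT_UP = 0x5A } flap_code_t;
typedef enum { READ_OK = 0, READ_CORRUPT = 1 } read_result_t;

/* The status is held twice: the code and its bitwise complement. */
typedef struct {
    volatile uint8_t code;
    volatile uint8_t inverse;
} guarded_status_t;

void status_store(guarded_status_t *s, flap_code_t c)
{
    s->code = (uint8_t)c;
    s->inverse = (uint8_t)~(uint8_t)c;
}

/* Accept the value only if both copies agree AND the code is a known one. */
read_result_t status_load(const guarded_status_t *s, flap_code_t *out)
{
    uint8_t c = s->code;
    uint8_t i = s->inverse;
    if ((uint8_t)(c ^ i) != 0xFF) return READ_CORRUPT;   /* copies disagree */
    if (c != FLAPS_UP && c != FLAPS_NOT_UP) return READ_CORRUPT;
    *out = (flap_code_t)c;
    return READ_OK;
}

/* Assumed policy: a function gated on "flaps up" is inhibited when the
   status cannot be verified, instead of acting on a possibly wrong value. */
int function_permitted(const guarded_status_t *s)
{
    flap_code_t c;
    if (status_load(s, &c) != READ_OK) return 0;
    return c == FLAPS_UP;
}

/* Constructed fault injection: flip each bit of each copy in turn and
   count the faults that status_load() fails to detect. */
int count_undetected_single_bit_faults(flap_code_t initial)
{
    int undetected = 0;
    for (int copy = 0; copy < 2; copy++) {
        for (int bit = 0; bit < 8; bit++) {
            guarded_status_t s;
            flap_code_t out;
            status_store(&s, initial);
            if (copy == 0) s.code ^= (uint8_t)(1u << bit);
            else           s.inverse ^= (uint8_t)(1u << bit);
            if (status_load(&s, &out) == READ_OK) undetected++;
        }
    }
    return undetected;
}

/* For contrast: a status kept as one bit. Flipping that bit silently
   changes the state, and nothing in the data reveals it. */
int plain_bit_silent_state_changes(void)
{
    int silent = 0;
    for (int bit = 0; bit < 8; bit++) {
        uint8_t flag = 1;                       /* "flaps up" as a single bit */
        flag ^= (uint8_t)(1u << bit);
        if ((flag & 1u) != 1u) silent++;        /* state changed, no error raised */
    }
    return silent;
}

int main(void)
{
    guarded_status_t s;
    status_store(&s, FLAPS_UP);
    printf("permitted (clean): %d\n", function_permitted(&s));
    s.code ^= 0x04;                             /* constructed single-bit upset */
    printf("permitted (after upset): %d\n", function_permitted(&s));
    printf("undetected single-bit faults: %d\n",
           count_undetected_single_bit_faults(FLAPS_UP));
    printf("silent changes with a plain bit: %d\n",
           plain_bit_silent_state_changes());
    return 0;
}
```

A fault that flips the same bit in both copies still passes the complement check, which is why the load also rejects any code that is not one of the two defined values.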
Old 8th Apr 2019, 21:13
  #3663 (permalink)  
Join Date: Jul 2005
Location: btw SAMAR and TOSPA
Posts: 565
Originally Posted by yanrair View Post
What was the most accurate speed readout on the plane indicating, during AF447 and the recent two MAX incidents - that being the GPS?? In AF447 it was reading something like 450 kts at the time of losing IAS. It is not going to change unless you do something like change pitch or power. Which is what happened to AF447 of course. You can fly on GPS speed for a long time until you have sorted out the problem. You can fly an immaculate circuit to land using just GPS. Yet in all the posts so far I have not seen much reference to its use in sorting out conflicting IAS/Stick shaker style events. Climbing out at 15deg pitch, 200 kts IAS Full power. GPS will be reading something similar, depending on wind and altitude. All hell breaks loose (I am ignoring MCAS here which is a separate matter). Indicated speed all over the place. IAS disagree messages. Stick Shaker going off (one side failure) - what to believe?? Your GPS PITCH AND POWER. They are real, they are going to work and are unaffected by the ADIRU which relies among other things such as AOA and Indicated Airspeed.
There is a THIRD and independent IAS speed tape on the flight deck, right above the gear annunciators.

GPS delivers ground speed and is of little value, unless you are close to MSL in calm air.
threemiles is offline  
Old 8th Apr 2019, 21:23
  #3664 (permalink)  
Join Date: Apr 2019
Location: USA
Posts: 217
Originally Posted by sycamore View Post
Anyone care to say what the aircraft trim change is at 350kts if you pop the speedbrakes...?
That maneuver is above Vmo, so unlikely anyone here could say. However, just below Vmo I seem to recall that there is a very mild pitch up and completely manageable.
737 Driver is offline  
Old 8th Apr 2019, 21:24
  #3665 (permalink)  
Join Date: Jan 2008
Location: Oxford
Posts: 1
Originally Posted by Derfred View Post
Furthermore, it is apparent that MCAS is unaware of the position of the stab cutout switches, because it still tried to trim while the switches were in cutout.
Well yeah, it tried to trim, but only once. Does that mean that it figured out it was having no effect or that it only activates once and then waits until the pilots hit the trim switches again before having another go?
I can't understand how the latter would make any sense or indeed how it could have satisfied the requirement for which MCAS was invented. The former doesn't make a lot of sense either though.
njc is offline  
Old 8th Apr 2019, 21:34
  #3666 (permalink)  
Join Date: Dec 2014
Location: USA
Posts: 35
Originally Posted by TryingToLearn View Post
I fully agree, as an example the automotive functional safety process has the following steps:
-> Hazard & Risk analysis
-> Functional safety concept
-> Technical system safety concept
-> System architecture
-> Technical Software Safety concept
-> Software architecture
-> fine design
-> implementation (code writing)
-> Module test
-> SW integration test
-> System integration test
-> System test
-> Vehicle Integration test
It is recommended to write technical safety documents in formal language to exclude misinterpretation. Implementation is less than 10% of the work. Toolchain qualification is also an important part of the process. Even the best compiler may cause errors if the memory module within the programmer's laptop has defective bits... (Yes, it already happened).
All documents are to be reviewed, assessed, there are walkthrough meetings and so on. All requirements need to have verification criteria specified together with the requirement and test cases are later based on these criteria... Within assessments, certain levels of safety require a certain independence between assessor and author (other team, department, division, company...).

Safe code can be done and if this was skipped just because one feared a diagnosis (AoA disagree), reaction (deactivate MCAS) and pilot teaching (continue flying, you probably never need MCAS anyway), this is a violation of safety culture beyond my imagination.
Fun fact: Emission standards for cars (onboard diagnosis 2) require 2 out of 2 for every sensor which may cause the violation of emission standards (ULEV, EU6...) and the engine control light on disagree. Seems like this is more important than a few hundred airplane passengers...
And yet Tesla, an automotive company which presumably follows this process, still has an "auto pilot" software function that on more than one occasion drove a car into a stationary object at 70mph.

I would have little doubt that the software people at Boeing know how to develop software for any level of assurance needed. The question is why was MCAS not seen as a "critical" system?
ams6110 is offline  
Old 8th Apr 2019, 21:53
  #3667 (permalink)  
Join Date: Jul 2008
Location: wishing to be in YPCC but stuck near EGSS
Age: 72
Posts: 15
I have followed this thread from the beginning, and read all of the posts, and some of the deleted ones, (thanks to the mods for keeping things on track and removing the abuse).

Two posts stick in my mind and I have been waiting for someone with more knowledge than me to put 2 and 2 together and make 22, so I’m ready to be shot down in flames.

Way back someone posted that in the rush to market Boeing might not have given full instructions for the installation of the wiring in the Max as was normal practice with previous builds. IF this is a fact and not hearsay or fabrication, is it possible that a wrongly routed, worn, stretched or chafed wire or faulty connection is partly to blame for the AoA readings? I link this to Post 3234 by jimjim1
If the vane had been lost the AoA sensor would become unbalanced about its usual axis of rotation. The internal balance weight** would then cause the axle to be subject to movement when the aircraft transitioned from +g to -g. +g would cause the indication of +AoA. (If I have got this the right way round).

Looking at the FDR traces it can be seen that this appears to be the case. I have drawn four green vertical lines to indicate the transitions from +g to -g and vice versa. In each case they appear to align with a change in the direction of movement of the sensor in the correct sense. Remember that the data consists of discrete samples and we do not know the sample rate and I am assuming that any small discrepancies are due to errors introduced by the sampling.

I have (rather crudely) chopped out a period in the middle of the chart so that it is a bit narrower so that the scale markings can be easily seen. The horizontal blue line in the "g" section of the chart is coincidentally exactly on 0g.

It therefore seems quite likely that the vane was lost or perhaps damaged soon after take off, perhaps by a bird strike or otherwise. Note however that if the vane had been bent back its balance would be moved in the other direction and its aerodynamic influences would still have been felt so I think that the best conclusion consistent with the data is that the vane was lost.
If the transition from +g to -g caused a wiring loom or connector to move and interrupt a current or produce an unwanted one, would this have the same effect on the instruments and controls as a faulty AoA vane?

Sadly we can never know how things were installed on the two lost aircraft, but checking of the routing and condition of cables and connectors in the grounded planes might be advisable.

Last edited by A. Muse; 8th Apr 2019 at 21:55. Reason: spacing
A. Muse is offline  
Old 8th Apr 2019, 22:06
  #3668 (permalink)  
Join Date: Nov 2018
Location: madrid
Posts: 47
Electrical gremlin highly unlikely in Ethiopian event, because the vane readings when the plane dives are there, and spread all over the range. The vane essentially turned into a g-meter, either by losing the exterior part of it or the connection to the exterior part of it.

Indonesia, OTOH, it is possible, although highly unlikely. However, it is still in my eyes the most probable explanation (short signal to ground with high resistance).
ecto1 is offline  
Old 8th Apr 2019, 22:13
  #3669 (permalink)  
Join Date: Jul 2005
Location: btw SAMAR and TOSPA
Posts: 565
Originally Posted by weemonkey View Post
How is it sourced though?
Aux pitot & alternate static sources, no ADC/ADIRU’s.

threemiles is offline  
Old 8th Apr 2019, 22:15
  #3670 (permalink)  
Join Date: Jan 2008
Location: uk
Posts: 847
Originally Posted by weemonkey View Post
How is it sourced though?
Pretty sure it is from the third set of pitot/static sensors, without AOA correction - since there isn't a third AOA sensor.
infrequentflyer789 is offline  
Old 8th Apr 2019, 22:18
  #3671 (permalink)  
Join Date: Jul 2005
Location: btw SAMAR and TOSPA
Posts: 565
Originally Posted by infrequentflyer789 View Post
Pretty sure it is from the third set of pitot/static sensors, without AOA correction - since there isn't a third AOA sensor.
The question was about using GPS ground speed when there is IAS disagree /UAS.
threemiles is offline  
Old 8th Apr 2019, 22:40
  #3672 (permalink)  
Psychophysiological entity
Join Date: Jun 2001
Location: Tweet Rob_Benham Famous author. Well, slightly famous.
Age: 81
Posts: 4,897
Harnesses. I watched the making of the A380 quite recently. Finding some of the harnesses were too short was a jaw-dropping moment.
Loose rivets is offline  
Old 8th Apr 2019, 23:05
  #3673 (permalink)  
Join Date: Nov 2018
Location: madrid
Posts: 47
GPS speed could be used to have an approximation to real airspeed in case your air data is lost. The error would be huge if you don't program it carefully (basically wind speed=error). However, if you assume that the readings from air sensors were right to the point in which you had a disagreement, you can calculate the wind at that moment (strictly speaking, an average of the last seconds) and assume a persistent wind vector. The error in the very first moments of "GPS synthesized" airspeed would be negligible, even in a turn. As the aircraft moves and wind conditions change, error will grow, being immense in worst case scenarios and longer times.

Same applies to Inertial speeds.

It could even be possible (maybe some planes do it nowadays, I'm no expert) to compute a real airspeed without air data. At any given moment of the flight, the airspeed is the only unknown parameter of a vector F = m x a, because mass is accurate to some degree from load sheets, acceleration you can measure with the inertial platform and the force is the result of adding the thrust of the engine, which is calculated out from engine conditions and tabulated air conditions from GPS altitude, and the lift + drag, which relates to air speed and air conditions with a known characteristic.

In other words, the plane knows its airspeed just by feeling how pitch and thrust translate into acceleration (longitudinal, vertical and lateral) at every moment.

Sure the error will exist (almost every part of the calculation is an estimation), but it would be tolerable (as a backup, say 20 or 30 knots) and it will be valid over long periods of time.

This concept of multiple possible ways of calculation of a magnitude is valid with many others (altitude) and to me is one of the things the plane could do before just going all UAS on you.

I dream (it is free) of a dial with a very precise reading when all sensors are working that turns into a less precise reading (a sector instead of a thin needle) when errors are expected, because of alternative calculations. "250 knots with 50 knots error" is a lot better than "250 knots but do not believe it much because another sensor reads different". (And a stick shaker and overspeed clacker on top of it, just to get things interesting).

ecto1 is offline  
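The "persistent wind vector" idea in the post above can be written out as a short routine: while air data is trusted, average wind = ground velocity minus air velocity over the last samples, freeze that average at the disagreement, then subtract it from GPS ground velocity. This is an added example, not part of the original post and not any aircraft's implementation; the window size, names, north/east component inputs and the sample figures are constructed assumptions.

```c
#include <stdio.h>

#define WIND_WINDOW 8                 /* assumed: samples in the wind average */

typedef struct { double n, e; } vec2_t;   /* north/east components, knots */

typedef struct {
    vec2_t hist[WIND_WINDOW];         /* wind samples taken while air data was trusted */
    int count, next;
    vec2_t wind;                      /* wind vector frozen at the disagreement */
    int frozen;
} airspeed_est_t;

/* Vector length by Newton iteration, so the block needs no math library. */
static double vec_len(vec2_t v)
{
    double s = v.n * v.n + v.e * v.e;
    double x = s > 1.0 ? s : 1.0;
    if (s == 0.0) return 0.0;
    for (int i = 0; i < 40; i++) x = 0.5 * (x + s / x);
    return x;
}

void est_init(airspeed_est_t *e)
{
    e->count = e->next = e->frozen = 0;
    e->wind.n = e->wind.e = 0.0;
}

/* Air data trusted: record wind = ground velocity - air velocity. */
void est_update_valid(airspeed_est_t *e, vec2_t ground, vec2_t air)
{
    if (e->frozen) return;            /* after the freeze, history is not touched */
    e->hist[e->next].n = ground.n - air.n;
    e->hist[e->next].e = ground.e - air.e;
    e->next = (e->next + 1) % WIND_WINDOW;
    if (e->count < WIND_WINDOW) e->count++;
}

/* Air data disagreement: freeze the averaged wind. Returns 0 if there is
   no history to average, in which case no synthesized value is offered. */
int est_freeze(airspeed_est_t *e)
{
    double sn = 0.0, se = 0.0;
    if (e->count == 0) return 0;
    for (int i = 0; i < e->count; i++) { sn += e->hist[i].n; se += e->hist[i].e; }
    e->wind.n = sn / e->count;
    e->wind.e = se / e->count;
    e->frozen = 1;
    return 1;
}

/* Synthesized (true) airspeed = |GPS ground velocity - frozen wind|.
   Returns -1.0 if no wind has been frozen yet. */
double est_synth_airspeed(const airspeed_est_t *e, vec2_t ground)
{
    vec2_t air;
    if (!e->frozen) return -1.0;
    air.n = ground.n - e->wind.n;
    air.e = ground.e - e->wind.e;
    return vec_len(air);
}

int main(void)
{
    /* Constructed scenario: heading north at 250 kt, wind blowing east at 30 kt. */
    airspeed_est_t est;
    vec2_t gs_north = { 250.0, 30.0 }, air_north = { 250.0, 0.0 };
    vec2_t gs_after_turn = { 0.0, 280.0 };    /* turned east, same wind */
    vec2_t gs_wind_shift = { 0.0, 300.0 };    /* wind has grown to 50 kt */

    est_init(&est);
    for (int i = 0; i < WIND_WINDOW; i++) est_update_valid(&est, gs_north, air_north);
    est_freeze(&est);

    printf("raw GPS groundspeed after turn: %.1f kt\n", vec_len(gs_after_turn));
    printf("synthesized airspeed after turn: %.1f kt\n",
           est_synth_airspeed(&est, gs_after_turn));
    printf("synthesized airspeed after wind shift: %.1f kt\n",
           est_synth_airspeed(&est, gs_wind_shift));
    return 0;
}
```

In the constructed scenario the estimate stays at the true 250 kt through the turn, while raw groundspeed is off by the full 30 kt of wind; once the actual wind departs from the frozen vector, the estimate is off by exactly that change (20 kt here).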
Old 8th Apr 2019, 23:06
  #3674 (permalink)  
Join Date: Sep 1999
Posts: 542
We can't see the wood for the trees.
We've got so immersed in MCAS that we're missing the point. It's not MCAS, it's the UAS.
This one was just a faulty sensor (not even UAS) Captain's side. They could have engaged AP B, pulled Capt's stick shaker cb, and flown to NBO (no just kiddin).
But that's all it was....., a failed sensor.
FO gets some disagree flags but his side is good, so is ISFD. And yet the stick shaker and the master caution and the Captain's PFD flags all conspire to make it seem dire. Only the Captain's shaker was active so they know immediately it's not a real stall.
ISFD agrees with FO ASI which agrees with IRS GS....an experienced FO would nudge the [email protected] like your side is down, shall I take it?"
We had one poster come on and say he'd climb to MSA and run the Boeing UAS NNC bla bla bla.
This was not UAS.
UAS comes in many forms and can be a nasty scenario on a dark night in IMC. If you're in cruise, I prefer the old Boeing NNC (ie do nothing).
The new NNC is there to cover the possibility you were not in stable flight prior to UAS. After takeoff, you need to make a diagnosis quickly to establish what you're facing....is it single side? is it a sensor? is it a genuine pitot-static blockage and which one is it, pitot or static....the Aeroperu crew had blocked statics so altimeter registered no climb and ASI underreads on climb out. It was night but VMC. If they had climbed to 1500' using radalt as altimeter and IRS GS as speed reference, they would have landed safely after a visual circuit but...you need to have that info and diagnosis in the memory database. It's not something you can intuit in the moment.
The worst thing they did was climb away from Lima as they lost their altitude reference and their speed reference became less accurate the higher they climbed.
MCAS is the presumed culprit....but MCAS alone didn't bring this aircraft down. Nor the Lionair. It was the crew's inability to diagnose what type of UAS failure they were facing and failure to just simply fly the plane. If MCAS would activate alone, any crew would simply counter-trim and cut off its electrical supply without much thought. But combine it with a "confusing" UAS scenario and shakers and warnings and bingo..you get a smoking hole in the ground.
So these UAS scenarios have to be taught in the classroom and sims to all crews so that when the time comes they can make a diagnosis and take the right action. Boeing tell you nothing, they just give you a flight attitude and thrust setting to follow. Pilots have to be trained more on these UAS scenarios before they kill again.
Aeroperu, Birgen, AF447 and the 2 MAXs, and others.....
Re manual trim...have we had any engineering input as to just when manual trim no longer becomes available in the flight envelope? Is it primarily speed dependent, stabilizer position-dependent, yoke dependent, or a combination of all 3?
Where is FCENG 84?

Last edited by Rananim; 8th Apr 2019 at 23:29.
Rananim is offline  
Old 8th Apr 2019, 23:06
  #3675 (permalink)  
Join Date: Nov 2007
Location: dublin
Posts: 2
Originally Posted by threemiles View Post
There is a THIRD and independent IAS speed tape on the flight deck, right above the gear annunciators.

GPS delivers ground speed and is of little value, unless you are close to MSL in calm air.
Hi Three Miles. I don't know if you have tried the following but it works ..........

The Standby instruments are basic non corrected airspeed altitude, Horizon and ILS. You can fly a successful approach using just these with all else failed.
An additional value of these third readouts is when you get a disagree between the two main ASI or ALT readouts, the third man can be judge and jury if used carefully.
Indeed that is how you often resolve IAS disagree issues. Which two agree?

Now to Groundspeed GPS. It is a remarkably useful and I would say essential tool in cases of confusion as arose on AF477 and might have been factors in the recent MAX cases. And in many cases total hull loss with loss of airspeed over the years GPS would have got them down safely. You can easily compensate for wind and True Airspeed using simple knowledge of groundspeed at various altitudes.
From cruise altitude right down to touchdown your flight plan has the groundspeed for every leg based on your track, altitude and forecast wind, accurate to within maybe 5 kts. You just fly it using the tables provided by Boeing in the QRH which give pitch and power for every flight condition, weight related. Remember that to crash you have to be wildly out on airspeed. If AF 477 had maintained current GPS speed at time of failure (450 KTS or whatever it was) and not made adjustments to power and pitch, and not got below say 400 kts groundspeed /GPS they could have flown home to Paris, or certainly long enough to work out what was wrong. I have seen demonstrated over the years pilots practice GPS only flying from Altitude to touchdown (on simulators) with no effort whatsoever with NO other data. On 737s during initial type rating training we would put beer mats with blue tack over all the instruments except SBY and GPS and they could fly a perfect circuit even with no ALT readout using GPS and radio altimeter below 2500 feet.
The Tristar taught flying GPS G SPEED approaches in serious headwind landings - none of this is new, but it is being forgotten. So here we have big jets using this technique when it is the very opposite of still air!
yanrair is offline  
Old 8th Apr 2019, 23:11
  #3676 (permalink)  
Join Date: Jan 2008
Location: Wintermute
Posts: 68
Originally Posted by ams6110 View Post
And yet Tesla, an automotive company which presumably follows this process, still has an "auto pilot" software function that on more than one occasion drove a car into a stationary object at 70mph.
That is a regulatory failure (or the regulatory process lagging far behind the technology), just like the MCAS issue, neither MCAS nor the Tesla autopilot should, IMHO, have the safety rating they do (under any sane safety analysis) . . . Secondly, the automotive safety standard is nowhere near capable of dealing with this kind of technology . . . it's from the nuts and bolts save lives era . . .

This is not a software problem, the software, certainly in the case of the Boeing product, could have been specified to be compliant with a higher safety case under well established processes, but it wasn't, and so that wasn't the way it was created, that decision would have been made months or years before a single line of code was written. The code monkey writing the code has no input, whatsoever, to that process, single AOA, Dual voted AOA, Triple AOA, inverted AOA on one side, monkey holding the AOA while standing on a unicycle, it's all decided and specified at the system level, miles above the tedium of people writing code.

Tesla (and the automotive industry) actually have a more difficult problem, their autopilot software uses deep learning AI which by its very nature produces indeterministic outputs, so the standard safety approaches and mitigations do not work (indeterminism in a safety critical system is not really allowed), this is another regulatory failure and the safety industry is struggling to understand how to approve these kinds of systems . . . I would not let one drive me.

fergusd is offline  
Old 8th Apr 2019, 23:20
  #3677 (permalink)  
Join Date: Feb 2009
Location: Virginia
Posts: 526
Whatever you might think about Boeing's assumption that a MCAS malfunction could be treated as a species of runaway trim (apart from the fact that this was beyond at least two crews), I wonder if it fully analyzed all implications of a single failure (of an AOA probe).

Unless I'm missing something, if that happened in IMC, the crew would be faced with a stick shaker (on one side), a UAS warning, and a display showing the horizon moving above the flight path. Would they recognize that they had to ignore the first two indications and act immediately on the third? If they refrained from significant control (never mind trim!) inputs until they'd worked through the obvious indication problems, they'd have to deal with a flight path upset on top of everything else.

Perhaps recovering from that situation wouldn't be as challenging as it seems to this SLF. But sure seems a lot tougher than anything the accident crews faced. . .
Chu Chu is online now  
Old 9th Apr 2019, 00:43
  #3678 (permalink)  
Join Date: May 2016
Location: Nantes
Posts: 63
Originally Posted by TeachMe View Post
Hello all,

My understanding from these situations is one contributing factor may be that a pilot may ultimately get into a situation where he or she has little to no ability to correct a badly out of trim Max manually or electrically due to aerodynamic loads in certain flight situations. What I have not seen is anyone noting is if this inability, irregardless of how it came about, is the same in other aircraft from Boeing or Airbus. From a 320 to a 380 or a 737 NG or 747 to a 787 would a pilot have the ability to re-trim from the same situation these two flights faced?

737s are fly-by-cable, from the pre-electronics era. 320, 380 and 787s are fly-by-wire, therefore their stabilizers do not have the same limitations

Last edited by deltafox44; 9th Apr 2019 at 00:43. Reason: duplicate
deltafox44 is offline  
Old 9th Apr 2019, 02:07
  #3679 (permalink)  
Join Date: Mar 2002
Location: Seat 0A
Posts: 8,030
Originally Posted by Rananim
Only the Captain's shaker was active so they know immediately it's not a real stall.
The control columns are connected. I therefore assume that the sticks will both shake (an old 737 800 FCOM I have says "Either stick shaker vibrates both columns through column interconnects"). In the heat of the moment, how could you easily tell which shaker was going off?
Capn Bloggs is offline  
Old 9th Apr 2019, 02:08
  #3680 (permalink)  
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 707
New NY Times Article

Almost all the coverage continues to clobber Boeing. Notably, Tajer is popping up in multiple articles, and providing quotes on the record. Also, more ex-Boeing folks are speaking for attribution, and saying things Boeing won't like.

Boeing’s 737 Max: 1960s Design, 1990s Computing Power and Paper Manuals


But the strategy has now left the company in crisis, following two deadly crashes in less than five months. The Max stretched the 737 design, creating a patchwork plane that left pilots without some safety features that could be important in a crisis — ones that have been offered for years on other planes. It is the only modern Boeing jet without an electronic alert system that explains what is malfunctioning and how to resolve it. Instead pilots have to check a manual.

The Max also required makeshift solutions to keep the plane flying like its ancestors, workarounds that may have compromised safety. While the findings aren’t final, investigators suspect that one workaround, an anti-stall system designed to compensate for the larger engines, was central to the crash last month in Ethiopia and an earlier one in Indonesia.

The Max “ain’t your father’s Buick,” said Dennis Tajer, a spokesman for the American Airlines pilots’ union who has flown the 737 for a decade. He added that “it’s not lost on us that the foundation of this aircraft is from the ’60s.”


Last edited by OldnGrounded; 9th Apr 2019 at 02:20. Reason: Submitted too fast.
OldnGrounded is offline  
