Ethiopian airliner down in Africa
Join Date: Mar 2019
Location: Bavaria
Posts: 20
[QUOTE=Chronus;10452687]Automation is therefore the way forward and that involves a cost for knowledge and learning from many mistakes. It was so in the past, where the process involved the misfortunes of many, so it will be in the future. This particular incident shows that until such time when machines are free from mistake, human fallibility shall remain. For reason that their fallibility is replicated in any machine they design and manufacture. Perhaps AI will resolve this weakness and we shall have machines designed by machines. Then we shall have fulfilled our pursuit for excellence. Don't you remember when you were first instructed in Instrument Flying, I do. I was told trust your instruments.[/QUOTE]
Do we also need to learn again how tires are manufactured? Millions of cars are driving perfectly safe but still cheap Chinese wheels crack because they are manufactured cheap and without x-ray check.
Hundreds of millions of cars have ESP, a system which could easily block single tires on the highway without a chance to react before hitting a tree. Still I have not heard of a single accident. Cost pressure on such systems (ESP, engine ECU, gearbox ECU...) is by orders of magnitude higher than in aviation. You're not counting fractions of cents in aviation. On the other hand lines of code are not considered cost-relevant within automotive, a programmer more or less does not really matter. It should be the same in aviation.
Almost every function within a car is single-point-fault tolerant if a defect would stop the car. Single point fault tolerance is not restricted to safety, but also extended to 'limp-home' to the garage and any other function which would be more than annoying in case of an error. So why the heck didn't they just compare 2 (already existing) sensors? Every system engineer would (if allowed to). Emission standards require such a 2oo2 to avoid abnormal emission (..of a single car in case of random HW defects).
In addition, EVERY sensor is usually range-checked. Why would you activate a 'stall-avoidance feel' if the AoA is at its mechanical limit which would mean the aircraft is flying backwards or is in free-fall?
Designing such a system in a safe way is nothing new, it is state of the art for >20 years. SW is controlling your car's engine and acceleration, brake (ESP), airbag, gearbox, there are fly-by-wire systems, trains, signals and so on. If you want to see state of the art safety:
This robot could break their necks or dump them into the ground with a fraction of its available force. Instead it's perfectly safe.
But the process is costly and takes time. And it requires qualified engineers and a safety culture and a certain independence & priority between commercial interest and safety requirements.
To me it looks like Boeing was putting the priority on sales, not on safety.
Open any ISO/IEC on safety, you will probably find a list of sensor plausibilisation methods and how safe they are considered to be. The simple ones (range check, considered 60%) would have saved 1 aircraft, the better ones (2oo2, linearity... (90%/99%)) both.
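The range check and the two-sensor comparison (2oo2) described in the post above, as an added example that is not part of the original thread. All names, thresholds and sample traces are assumptions constructed for illustration and come from no aircraft or standard.

```c
#include <stdbool.h>
#include <stddef.h>

/* Assumed limits for illustration only (degrees, samples). */
#define AOA_MIN_DEG       (-20.0)  /* below this the reading is implausible */
#define AOA_MAX_DEG       (30.0)   /* above this the reading is implausible */
#define AOA_MAX_DELTA_DEG (5.0)    /* allowed left/right disagreement */
#define AOA_ACTIVATE_DEG  (14.0)   /* voted AoA that arms the function */
#define AOA_LATCH_SAMPLES 3u       /* consecutive faults before latching */

typedef enum { AOA_VALID, AOA_FAIL_RANGE, AOA_FAIL_DISAGREE } aoa_status_t;
typedef struct { unsigned bad_count; bool latched; } aoa_monitor_t;

/* Range check: rejects NaN, infinities and values at or past the stops. */
static bool in_range(double v)
{
    if (v != v) return false;                 /* NaN never equals itself */
    return v >= AOA_MIN_DEG && v <= AOA_MAX_DEG;
}

/* 2oo2 plausibility: both channels must be in range AND agree. */
aoa_status_t aoa_check(double left, double right, double *voted)
{
    double delta = left - right;
    if (!in_range(left) || !in_range(right)) return AOA_FAIL_RANGE;
    if (delta < 0.0) delta = -delta;
    if (delta > AOA_MAX_DELTA_DEG) return AOA_FAIL_DISAGREE;
    *voted = (left + right) / 2.0;
    return AOA_VALID;
}

/* Fail-safe gate: any implausible sample inhibits the function, and a
   persistent fault latches it off until the monitor is reset. */
bool aoa_function_enabled(aoa_monitor_t *m, double left, double right)
{
    double voted = 0.0;
    if (aoa_check(left, right, &voted) != AOA_VALID) {
        if (++m->bad_count >= AOA_LATCH_SAMPLES) m->latched = true;
        return false;
    }
    m->bad_count = 0;
    return !m->latched && voted >= AOA_ACTIVATE_DEG;
}

/* Runs a trace through a fresh monitor and counts activations. */
size_t count_activations(const double *l, const double *r, size_t n)
{
    aoa_monitor_t m = { 0u, false };
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (aoa_function_enabled(&m, l[i], r[i])) hits++;
    return hits;
}

/* Constructed sample traces (degrees), not recorded data. */
const double RIGHT_OK[4]  = {  3.0,  3.0,  4.0,  3.0 };
const double STUCK_L[4]   = { 90.0, 90.0, 90.0, 90.0 }; /* at the stop */
const double OFFSET_L[4]  = { 22.0, 22.0, 23.0, 22.0 }; /* in range, wrong */
const double GENUINE_L[4] = { 13.0, 15.0, 16.0, 17.0 };
const double GENUINE_R[4] = { 12.0, 15.0, 15.0, 16.0 };
const double LATCH_L[5]   = { 90.0, 90.0, 90.0, 16.0, 16.0 };
const double LATCH_R[5]   = {  3.0,  3.0,  3.0, 16.0, 16.0 };
```

The stuck-at-limit trace is caught by the range check alone, while the in-range but wrong trace passes the range check and is caught only by the comparison between the two channels.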
Join Date: Mar 2019
Location: Bavaria
Posts: 20
And the Million $ per aircraft promised payment, though I think that might be AA specific.
I'm still reeling from the shock of watching the subcontracting issues on the parallel thread. I was totally unaware of this. The gist I got was that the problem is so serious that no one seems able to face addressing it.
Current crews and engineers will no doubt be au fait with the issue. Just what is going on?
Rather drawn out, but so bewildering it took my mind off MCAS.
Boeing 737 Max Software Fixes Due to Lion Air Crash Delayed
It seems the $1M deal was with at least the company with the largest single order of 280 aircraft - Southwest Airlines.
That seems a very high number to compensate for simulator training being a requirement - $1M is a lot of simulator hours.
https://www.forbes.com/sites/peterco.../#1dc5a8462e18
Join Date: Apr 2019
Location: USA
Posts: 217
Well, first you need to buy the simulators, and they are not cheap. And I do mean simulators, as in plural, because if you're Southwest, you cannot quickly cycle your pilots through a single sim.
When we moved up the ladder to more modern iterations in the old days, we did a 'Differences' course, which was about a working week in the classroom. I recall having to do performance etc., again as well. Flying was all on the real aircraft, the BAC 1-11. Yes, we stalled to the push. All in the Swinging Sixties.
"Link not working" Try direct to the Tube below.
I just don't know what to make of this, though I assume pre-MAX era.
Is it history that's faded? Because it seems to be a bigger problem than the MAX. A head honcho in the FAA who admits that Boeing wrote his assessment and he signed it. Banging major fuselage parts into place that should be accurate to 1/3000" over entire production runs but turn out to be hand made.
Sully's statement. 'Unprecedented in aviation history.'
$27 billion down today. Though hey, a slight rallying.
This lurking in the background:
Last edited by Loose rivets; 22nd Apr 2019 at 00:39.
So Boeing and FAA claims that they are basically the same and do not require simulator training get hard to swallow.
Now I can live with larger TV screens and more powerful engines as a reasonable change not requiring simulation, just look at the Toyota Hilux range - different engines and gauges but they drive similar.
But changes like that made on the MAX, to the spoilers and introduction of MCAS (flight controls) should have appropriate training. My personal opinion is a short read and sign on an iPad is not good enough.
Here is a link to the changes.
Boeing 737 MAX - Differences
Join Date: Jan 2008
Location: Herts, UK
Posts: 748
NG / New differences
Flight Control Systems
Only the F/Os column cutout switch module is affected because it is the only module that interfaces with the FCC..
Help... think I must've missed something earlier on that run-down of changes.. Anyone else wondering where that jumped out of...
Last edited by HarryMann; 22nd Apr 2019 at 01:52.
FAA has an express statutory power to reinspect, re-examine, suspend, or revoke any certificate, including a type certificate, where "safety ... and the public interest require that action". Read about Special Certification Reviews and examples such as MD-11 at https://scholar.smu.edu/cgi/viewcont...3&context=jalc.
Hopefully FAA led Joint Authorities Technical Review of MCAS will amount to a multi-national SCR. See https://www.faa.gov/news/updates/?newsId=93206.
Bad news for Boeing is that MAX grounding is not likely to be lifted before JATR reports in 90 days.
Re: Joint Authorities Technical Review. This is a very unusual move by the FAA.
Political positioning, need for world consensus to protect FAA's standing?
Or a much needed safety initiative to look at issues arising?
‘The team will evaluate aspects of the 737 MAX automated flight control system, including its design and pilots’ interaction with the system, to determine its compliance with all applicable regulations and to identify future enhancements that might be needed.’
Is this just an ‘evaluation’. Or if aspects are not compliant with regulations (whose regulations), will change be mandated or only treated as ‘enhancements’, or aspects which should be incorporated in future (non-grandfather rights) regulations?
Previous regulatory overview Ethiopian airliner down in Africa
and technical / training areas requiring review Boeing 737 Max Software Fixes Due to Lion Air Crash Delayed
Join Date: Dec 2001
Location: Leeds, UK
Posts: 281
Re: Joint Authorities Technical Review.
‘The team will evaluate aspects of the 737 MAX automated flight control system, including its design and pilots’ interaction with the system, to determine its compliance with all applicable regulations and to identify future enhancements that might be needed.’
Hopefully none of the regulators will take any notice of the commercial imperatives to getting the MAX back in the air. Trump's White House might browbeat the FAA but none of the foreign regulators..
G
Join Date: Jan 2008
Location: uk
Posts: 857
MCAS could have been done with two AOA sources in the first place, it wasn't (allegedly - see whistleblower quotes further up thread) because that would require an MCAS-fail warning light and sim-training. This now appears to be being done in a half-arsed way by using AOA-disagree as a de-facto MCAS-fail warning, which means operators who don't currently have AOA-disagree option will presumably need to implement extra training (or get blamed for future MCAS prangs) but the US operators with the no-sim-training penalty clauses will not because they already have the AOA disagree option. Funny that...
Join Date: Oct 2011
Location: Lower Skunk Cabbageland, WA
Age: 74
Posts: 354
Pretty sure cross FCC bus is already there, not absolutely sure AOA is on it, but if not, adding it would be a lot different to creating entirely new bus.
MCAS could have been done with two AOA sources in the first place, it wasn't (allegedly - see whistleblower quotes further up thread) because that would require an MCAS-fail warning light and sim-training. This now appears to be being done in a half-arsed way by using AOA-disagree as a de-facto MCAS-fail warning, which means operators who don't currently have AOA-disagree option will presumably need to implement extra training (or get blamed for future MCAS prangs) but the US operators with the no-sim-training penalty clauses will not because they already have the AOA disagree option. Funny that...
Join Date: Mar 2015
Location: Washington state
Posts: 209
They say that it is a software only fix which raises the uncomfortable question of why it was not implemented to read both sensors in the first place. I am still not onboard with the idea that any engineer would make such a decision simply to hide the feature from the regulatory process but it makes one wonder. If so then manslaughter charges are appropriate and I am not kidding, that would be like designing a commercial kitchen without fire suppression because you did not want to involve the fire department in the permit. (And then blaming the cook for starting a fire!)
Join Date: Mar 2019
Location: Bavaria
Posts: 20
They say that it is a software only fix which raises the uncomfortable question of why it was not implemented to read both sensors in the first place. I am still not onboard with the idea that any engineer would make such a decision simply to hide the feature from the regulatory process but it makes one wonder. If so then manslaughter charges are appropriate and I am not kidding,
They may have a few things to explain...
Join Date: Jul 2011
Location: Canada
Posts: 55
If you need to buy new simulators to train for the MAX fleet, then the aircraft is different to other 737's.
So Boeing and FAA claims that they are basically the same and do not require simulator training get hard to swallow.
Now I can live with larger TV screens and more powerful engines as a reasonable change not requiring simulation, just look at the Toyota Hilux range - different engines and gauges but they drive similar.
But changes like that made on the MAX, to the spoilers and introduction of MCAS (flight controls) should have appropriate training. My personal opinion is a short read and sign on an iPad is not good enough.
Here is a link to the changes.
Boeing 737 MAX - Differences
Not having the exact simulator for training has loads and loads of precedents - I can guarantee that the simulator configurations at a non-airline specific training facility (Flight Safety, CAE, Boeing, Airbus) would be different than what one would find on the aircraft of a particular airline. And even airline specific training facilities often don't have simulators that match their fleet as the fleet may have many configurations. As an example, where I work we have B767-300's with GE and Pratt engines, those engines start and behave completely differently (GE uses N1 as the reference power, Pratt uses EPR). Or an A340 simulator that is used for both the -300 and -500 which have entirely different fuel systems, different engines (CFM vs Rolls Royce), B787 simulators where the -800 and -900 are different (the -900 has more flaps settings for example).
The point is that it is both impractical and unrealistic to have "perfect" simulators; instead one has relied upon professional and experienced pilots to deal with differences between the simulator and the aircraft and also deal with different aircraft within a fleet.
Join Date: Dec 2018
Posts: 48
So what simulator exercises would you incorporate to reflect the differences in the MAX, specifically the MCAS? How about an uncommanded nose down trimming? That is already incorporated in a conventional stab trim runaway, a basic requirement of getting a type rating on any B737. Or how about an unreliable airspeed including stick shaker? An unreliable airspeed exercise is also part of a type rating on any B737. In other words, there is nothing so uniquely different with the MAX that justifies a new simulator let alone MAX (MCAS) specific training. And even if you were to provide this (redundant) training, there is no guarantee that the crews would do the drill anyways as we have tragically witnessed with these accidents.
Not having the exact simulator for training has loads and loads of precedents - I can guarantee that the simulator configurations at a non-airline specific training facility (Flight Safety, CAE, Boeing, Airbus) would be different than what one would find on the aircraft of a particular airline. And even airline specific training facilities often don't have simulators that match their fleet as the fleet may have many configurations. As an example, where I work we have B767-300's with GE and Pratt engines, those engines start and behave completely differently (GE uses N1 as the reference power, Pratt uses EPR). Or an A340 simulator that is used for both the -300 and -500 which have entirely different fuel systems, different engines (CFM vs Rolls Royce), B787 simulators where the -800 and -900 are different (the -900 has more flaps settings for example).
The point is that it is both impractical and unrealistic to have "perfect" simulators; instead one has relied upon professional and experienced pilots to deal with differences between the simulator and the aircraft and also deal with different aircraft within a fleet.
You can't argue what about this, or that.
They didn't have this, or that.
They had all of it.
What you are arguing is that because individual elements of the failure were trained independently, that there was no combination of trained failures that could be expected to overcome the flight crew.
That no matter what the automation did and no matter how many failure modes were presented concurrently, that the flight crew should be expected to compensate regardless.
This just doesn't make sense.
The problem here is precisely that the combination of so many individually trained and for that matter untrained failures was too numerous to encourage and support successful and timely diagnosis by a typical crew.
Last edited by pilot9250; 22nd Apr 2019 at 23:41.