PPRuNe Forums

PPRuNe Forums (https://www.pprune.org/)
-   Rumours & News (https://www.pprune.org/rumours-news-13/)
-   -   Boeing 737 Max Software Fixes Due to Lion Air Crash Delayed (https://www.pprune.org/rumours-news/618252-boeing-737-max-software-fixes-due-lion-air-crash-delayed.html)

gums 14th Feb 2019 20:51

Salute!

@FCeng......, and from previous post:

gums - 737MAX does not have an issue with pitch control authority. The pilot has plenty of pitch authority via the column to the elevator to initiate and recover from any pitch maneuver provided MCAS either does not function or functions with the design limited authority of 2.5 degrees stabilizer at low speed and less as speed increases.
YBSM! Seems from descriptions of MCAS that the 2.5 degree limit is "per a single MCAS trim command for "x" seconds" before a 5 second pause for Hal to catch his breath. Hal could also take a breath before the ten second application of nose down trim if the pilot beeped the trim switch, huh?
Secondly. a coupla degrees AoA change of the big horizontal stabilizer has much more authority than the small elevator that is directly controlled ( more or less if we add in STS, A/P and the "feel" system stuff) by the control column.GASP. I would preferred a full FBW system with clearly defined laws and well known limits.

The 610 crew was pulling at over 100 friggin' pounds aft to no avail. Was that an example of

plenty of pitch authority via the column to the elevator
??

I don't buy it.

The plane seems to have a serious problem at a certain critical AoA, and maybe the power setting exacerbates the problem. Otherwise we would have no need for MCAS, right?

I do not wish to get into a p!ssing contest with anyone here on the public forum thread. But I feel I have flown enough, and had enough aero courses in school, and experienced enough real life structural and system failures to comment I survived due to knowledge and "hands". And finally, as far as the 737 pitch authority goes, "I'll show you mine if you will show me yours!"

https://cimg4.ibsrv.net/gimg/pprune....a1029710b3.jpg

Note that at about 15 to 20 degrees AoA, that neutral control begins to result in uncommanded nose up pitch.
Ae would all love to see a plot such as this of the 737 at full power or idle or cruise settings.

Gums sends...

FCeng84 14th Feb 2019 23:35

gums - Peace! I am honored to be able to have these exchanges with people like you who have such a wealth of flying experience over a wide range of airplanes. The last thing I want is a pissing match. Thanks for your pitching moment vs. AOA plot that you provided above. I wish I had one to share for the 737Max. I took a quick stab (no pun intended) at Google to see if I could find anything in the public domain, but no luck so far. I will keep looking. Interestingly enough one of the search hits I got was a link back to PPRUNE to another of the forum discussions we have both been on where you had previously shared the same great plot!

The sentence from my earlier post that included "plenty of pitch authority via the column to the elevator" that you reference above is one that I struggled with to add the necessary disclaimers. Here is the full sentence: The pilot has plenty of pitch authority via the column to the elevator to initiate and recover from any pitch maneuver provided MCAS either does not function or functions with the design limited authority of 2.5 degrees stabilizer at low speed and less as speed increases. Clearly repeated activations of MCAS without having returned the stabilizer to its properly trimmed position each time can, will, and did eat up the pitch authority to the point where full aft column was not sufficient to keep the nose from dropping.

I will not claim that the MCAS design is as good as it should or could be. My main reason to post about MCAS here is to convey how it operates so that all will have a better understanding of what the pilots actually faced. A clear design assumption with MCAS was that if the pilots activated manual trim then they were taking control of the stabilizer and would return it to a properly trimmed position. We all know the breakdown of the word "ASSUME" - it makes an ASS out of U and ME. Another assumption was that if the crew were flying at a steady condition and found that the automatic stabilizer control system repeatedly moved the stabilizer away from trim that would be indication of errant control action and that the crew would take the mitigating action of disabling automatic stabilizer control via the stab cutout switches. A lot of assuming going on here.

I definitely agree with your point that a full FBW system that provides stability augmentation through the elevator rather than the slow moving stabilizer would be far superior. There are many examples of that now in both the military and commercial fleets.

The bottom line for me is that we need to understand how the 737MAX system works, what the thinking was that went into that design, and what assumptions with regard to design, operation, maintenance, etc. should be challenged to reduce the risk of a repeat event to as low as possible. I strongly believe that this is a direction that all of us on PPRUNE can rally around to move us toward a better future. On that note, a Happy Valentines Day to all. (I realize that last part is belated for those east of the Atlantic.)

pilot9250 15th Feb 2019 05:03


Originally Posted by FCeng84 (Post 10390420)
gums - Peace! I am honored to be able to have these exchanges with people like you who have such a wealth of flying experience over a wide range of airplanes. The last thing I want is a pissing match. Thanks for your pitching moment vs. AOA plot that you provided above. I wish I had one to share for the 737Max. I took a quick stab (no pun intended) at Google to see if I could find anything in the public domain, but no luck so far. I will keep looking. Interestingly enough one of the search hits I got was a link back to PPRUNE to another of the forum discussions we have both been on where you had previously shared the same great plot!

The sentence from my earlier post that included "plenty of pitch authority via the column to the elevator" that you reference above is one that I struggled with to add the necessary disclaimers. Here is the full sentence: The pilot has plenty of pitch authority via the column to the elevator to initiate and recover from any pitch maneuver provided MCAS either does not function or functions with the design limited authority of 2.5 degrees stabilizer at low speed and less as speed increases. Clearly repeated activations of MCAS without having returned the stabilizer to its properly trimmed position each time can, will, and did eat up the pitch authority to the point where full aft column was not sufficient to keep the nose from dropping.

I will not claim that the MCAS design is as good as it should or could be. My main reason to post about MCAS here is to convey how it operates so that all will have a better understanding of what the pilots actually faced. A clear design assumption with MCAS was that if the pilots activated manual trim then they were taking control of the stabilizer and would return it to a properly trimmed position. We all know the breakdown of the word "ASSUME" - it makes an ASS out of U and ME. Another assumption was that if the crew were flying at a steady condition and found that the automatic stabilizer control system repeatedly moved the stabilizer away from trim that would be indication of errant control action and that the crew would take the mitigating action of disabling automatic stabilizer control via the stab cutout switches. A lot of assuming going on here.

I definitely agree with your point that a full FBW system that provides stability augmentation through the elevator rather than the slow moving stabilizer would be far superior. There are many examples of that now in both the military and commercial fleets.

The bottom line for me is that we need to understand how the 737MAX system works, what the thinking was that went into that design, and what assumptions with regard to design, operation, maintenance, etc. should be challenged to reduce the risk of a repeat event to as low as possible. I strongly believe that this is a direction that all of us on PPRUNE can rally around to move us toward a better future. On that note, a Happy Valentines Day to all. (I realize that last part is belated for those east of the Atlantic.)

I think the main point you could be drawing out is that in the incident aircraft, MCAS appears to have provided an unadvertised and intermittent control input of complex algorithmic intensity.

Believe what we are left with is how unadvertised, intermittent and complex was also certified.

I vote with various other posters.

Give it at least two independent inputs, and let it disarm and notify where they disagree.

While superior solutions exist, I cannot see how an inferior solution should be supportable.

neville_nobody 15th Feb 2019 05:23


. The bottom line for me is that we need to understand how the 737MAX system works, what the thinking was that went into that design, and what assumptions with regard to design, operation, maintenance, etc. should be challenged to reduce the risk of a repeat event to as low as possible.
You are 100% correct however I suspect that there will be a few certificate issues that may come to light if that were to happen.

Ian W 15th Feb 2019 13:25


Originally Posted by Turbine70 (Post 10390510)
I think the main point you could be drawing out is that in the incident aircraft, MCAS appears to have provided an unadvertised and intermittent control input of complex algorithmic intensity.

Believe what we are left with is how unadvertised, intermittent and complex was also certified.
I vote with various other posters.
Give it at least two independent inputs, and let it disarm and notify where they disagree.
While superior solutions exist, I cannot see how an inferior solution should be supportable.

It doesn't seem a particularly difficult task although the avionics architecture separation may make it less simple.
  1. The ADIRUs receive mismatching AoA, instead of reporting 'Unreliable Airspeed' they should just disregard AoA inputs and report 'AoA Mismatch'.
  2. Then as AoA is mismatched it has to be assumed that MCAS is receiving the incorrect AoA, so
  3. Disable MCAS,
  4. Steps 1 - 3 can only be reset by maintenance with weight on wheels
  5. If MCAS is essential then AOG until AoA reporting is matched and test flown.


PEI_3721 15th Feb 2019 14:05

yo gums, et al,
From your wide experience, the role of an aircraft influences the stability requirements. A ‘bomb truck’ / dive bomber (SLUF) requires good speed stability, alternatively a gun aiming fighter needs the agility of less stable aerodynamics.
The quoted Voodoo is a well used example in test flying schools of how pilots are able to fly an ‘unstable’ aircraft; stick force - trim / position reversal during transonic acceleration. The alleviating context includes routine familiarity within the heart of the operating envelope, technical knowledge, awareness, and military training.
Conversely the rare - to be avoided, low speed operating envelope of a civil aircraft requiring stability ‘enhancement’ should not be considered normal in any respect.

The 737 MAX is a ‘new’ aircraft requiring low speed stability enhancement. MCAS provides this; the design concept and normal operation is not a problem, the implementation appears to be. Sensor failure can pose significant difficulties for pilots in both understanding and continued operation.

Situations involving the failure of an AoA vane in older designs are arguably safe, being dependent on pilot intervention. e.g. in legacy aircraft, AoA failure might only give a false stick shake at lift off. The alleviation is that with three independent speed displays a hazardous low speed situation could be quickly identified, deducing that the stick-shake is false.

However, with EFIS and the salient AoA derived low-speed awareness, the situation is increasingly complex - need to cross-check speeds and / or low speed awareness. Add to this several consequential ‘disagree’ alerts, then whilst the three airspeeds might agree (depending on ADC corrections - AoA input), the two low speed awareness symbols could disagree.
Stall margin is directly related to stick-shake, which with mismatched displays could be the dominant factor in concluding unreliable airspeed - yet speed could be reliable. Situation resolution takes longer, higher airspeed evaluation.

Failure of an AoA input into MCAS could be alleviated by requiring an AoA disagree alert (currently an option), and an abnormal drill requiring stab trim to be selected off before selecting flaps up. This also requires a caution about low speed handling with high thrust. Yet it is in this same situation of reduced stability safety-margin due to MCAS ‘failure’ where the low speed awareness indications are inconsistent, and with a false stick-shake and ‘disagree’ alerts, stemming from the interconnectivity of systems. The situation could be (should be) judged beyond normal piloting ability, particularly with several consequential alerts without related explanation.

This highlights the problem of the complexity of modern designs, where neither crew or maintenance can have a complete understanding of the interactions and consequences, and the need for a comprehensive checklist and maintenance guide.
In addition to the usual probability based risk assessment (future risk is always a guess), it is necessary to consider the amount of uncertainty the operator will face; to be alleviated with alerting indications and check-list / maintenance guidance, and prior knowledge and training.
The regulators and manufacturers might disagree about these aspects, but that’s being human, including hindsight.
Once bitten, ………, change the design.


infrequentflyer789 15th Feb 2019 15:50


Originally Posted by Ian W (Post 10390867)
It doesn't seem a particularly difficult task although the avionics architecture separation may make it less simple.

Or, simply require both MCAS inputs to indicate nose down trim before trimming.

That way you need similar failures both sides to trigger it incorrectly (in which case you are probably already in big trouble). And if it doesn't trigger when it should, it is because of a failure condition somewhere.

The problem is probably with the certification not the engineering, at some point I suspect someone decided that if MCAS failed to trigger when one side fails it wasn't reliable enough, so it triggers on either side (as does the stick shaker in effect, and the elevator feel system). Trying to unpick that decision may open a whole can of certification worms.

Mad (Flt) Scientist 15th Feb 2019 16:50


Originally Posted by infrequentflyer789 (Post 10390289)
This is my big question too. Although in fact I can see that a system could be needed to meet certification but not need to be explained to pilots because it isn't significant in effect or likelihood, as far as I can see the certification itself also requires such a system to be visible to pilots.

[partial quote of 672(a) ]

So where is it, what does it say? "I'm sorry Dave, something has failed, something you don't know about, it's not important really" ? Really?

Then there is 25.672(b), which says the pilot must be able to deactivate the system or override it with normal control movement. You can't deactivate something you don't know exists (except by accident by deactivating something else), and MCAS cannot be overridden by column position.

Looking at the NG speed trim description I can fit it to 25.672, despite it having a high-AOA trim-down function (which MCAS is probably the b*****d offspring off) - because that function is part of speed trim, there to enable speed trim function to work at high AOA, and therefore there is a fail-warning, and speed-trim can be overridden by the column (column cutouts). MCAS doesn't seem to fit, to me.

That's a somewhat selective quote from 25.672(a). The text in full (current issue, it is not unlikely that the aircraft cert basis is in fact different) is:

(a) A warning which is clearly distinguishable to the pilot under expected flight conditions without requiring his attention must be provided for any failure in the stability augmentation system or in any other automatic or power-operated system which could result in an unsafe condition if the pilot were not aware of the failure. Warning systems must not activate the control systems.
the requirement to provide a warning is conditional not absolute. The "unsafe condition" statement is important here. (And the fact that we're talking about an accident does not necessarily mean it was an "unsafe condition" in the intended use of that terminology here)

Further, its normal to have to refer to other guidance material to clarify the precise intent of a regulation, and "failures" have a wealth of such material; simply reading even the regulation as a whole is not a guarantee of a complete understanding.

Regarding 672(b), that the pilots even in the accident flight were able to maintain control for many minutes after the failure (which was apparently pre-existing at takeoff) very strongly suggests that the required ability to initially counter the failure was plainly present.

gums 15th Feb 2019 17:12

Thanks, PEI

Could not agree more than with this:

the rare - to be avoided, low speed operating envelope of a civil aircraft requiring stability ‘enhancement’ should not be considered normal in any respect.
I sure hope that any 737 Max troops are reading all this. After all, most of us here simply want to learn from the incidents/accidents and improve training plus ensure the operators are aware of new systems with associated new quirks.

Gums sends...

safetypee 15th Feb 2019 17:53

MFS,
Re the pilots even in the accident flight were able to maintain control for many minutes after the failure (which was apparently pre-existing at takeoff) very strongly suggests that the required ability to initially counter the failure was plainly present.

From a pilots viewpoint there could have been two unrelated failures.
First, from take off, indications that airspeed was unreliable, and given the concerns identified in #66 the crew managed to fly the aircraft; although there may have been some expectation from the preceding flight / tech log.

Second, after selecting flaps up, aircraft control was increasingly difficult due to incorrect MACS trim input. The crew might have related this to unreliable airspeed, non indicated change in speed felt as a change in trim, and / or need to change speed; alternatively they might have related this to STS as did the previous crew, but elected not to disable the trim because STS (trim) should have been overridden by back stick cutout.
The crew were having to managing two separate failures; unreliable airspeed and a trim malfunction.

In certification terms the single initiating factor appears to be AoA. In the first instance immediately after takeoff the situation would be similar to previous certifications - crew intervention based on instrument indications and tactile alerting. However, in the second instance there was no clear indication of the nature of the failure, the consequences, or action required.

Thus the crew’s ability after take off should not be taken as the ability to manage the second scenario, even if the initiator was the same - the indications and effects were completely different and should have been assessed so in the certification process.



Mad (Flt) Scientist 15th Feb 2019 19:50

safetypee But even after they got into "MCAS difficulties" they seem to have retained a reasonable degree of control initially. It wasn't a case of "the MCAS thing happened and there was immediate loss of control". More "the MCAS thing happened, some time passed while the crew maintained a degree of control but were unable to resolve the problem, then (possibly due to a change in circumstances) they then lost control". The initally part of 672(b) usually addresses things like using the flight controls to initially counter an AP runaway, long enough to hit a disconnect of some kind. It's usually only a period of seconds.

With 20/20 hindsight, they had control long enough to have disabled the stab system had they decided to so - so I would expect that aspect of 672(b) to be passed. That text is really there to require an AUTOMATIC corrective measure of some kind if the crew can't at least initially maintain control. I would not say such was needed here.

Loose rivets 15th Feb 2019 21:16


. . . More "the MCAS thing happened, some time passed while the crew maintained a degree of control but were unable to resolve the problem, then (possibly due to a change in circumstances) they then lost control" . . .
Has there been any clue as to why they applied a huge handful of power just before the final dramatic climb?

safetypee 15th Feb 2019 21:26

MFS,
Our views diverge; possible via my supposition of ‘elected not to disable the trim’, and similarly your ‘disabled the stab trim had they decided to’, which both involve hindsight and without knowledge of crew thoughts.
The issue is that there was no alerting indication that MACS trim was malfunctioning, thus the failure depended on crew deduction via the feel of the aircraft / control system, a situation which also included a ‘feel diff pressure” alert.

The certification point about immediate recovery is based on an obvious indication of malfunction (AP runaway) and thus instinctive action. Furthermore, after the recovery the crew have a normal aircraft to fly.
Whereas a MACS trim malfunction is insidious, intermittent, and accumulative unless corrected; it is a continuing failure affecting the control of the aircraft exacerbated over time.
It is this situation which might warrant ‘automatic correction’, even if only to disable the MACS with AoA failure.

fdr 16th Feb 2019 00:30

Recently was asked about how this issue is going to play out re liability.

The B737 derivatives have had oddities in longitudinal stability that is required under 25.175. Early versions had issues with the flaps extended, the latest have issues with the flaps retracted. With an autopilot engaged, the issue doesn't exist, it is directly related to the acceptability of longitudinal stability (stickforce/g) which is a human in the loop problem.

The event is complicated by the cues provided and missing to the flight crew during the event. Individually, these issues would be reasonably simple to manage, however together, they would be pretty dynamic and potentially result in cognitive overload.

Stall warnings are disconcerting, but can be handled without too much effort by the crew when they are spurious. Even in a true stall, the aircraft is quite manageable, clean stall is not demanding unless the slats are rigged improperly, and event then, the roll is not particularly bad.

Adding random pitch control anomalies complicates the issue; alone, a change in stick force that is uncommanded is going to be resolved as coming from the stab trim fairly promptly, unless we believe that the elevators are undergoing random motion. Using Stab Trim Cutout is going to cure the control problem, or engaging the AP will do the same. All that takes cognitive capacity to process and action.

A momentary stall warning may not be recognised as erroneous immediately by a crew, but over some time, intermittent or continuous stall warning will be able to be determined to be erroneous by comparison to IAS, GS, ATT-PWR, AOA etc. Even background noise is an indicator of likelihood of an unaccelerated stall, as is buffet/vibration. response to control is a significant cue, and it is this that is complicated in the Lion Air event. Having stall warning and a control non linearity is going to complicate crew analysis in real time. At some point the crew needs to recognise that the aircraft is not in fact stalling, and therefore the control issue is a symptom of the underlying fault, not the result of stall dynamics. In the Lion Air event, the crew flew for some time with the problem, which would itself suggest that sensing is the problem rather than having true stall conditions. The crew however did not get to the point of achieving awareness of the sensor issue before running out of control.

In the FCOM/FCTM/QRH, Boeing provides the minimum information to operate the aircraft, not the maximum; that is a position that the industry had devolved to and with the increased complexity of aircraft, it is not unreasonable.

The FAA develops in conjunction with the manufacturer the PSCP for major changes of the design, unless the process has been derogated to an ODA. The requirements of 25.672 are not onerous, 25.255 is not limiting, and 25.203 is not demanding on the B737. 25.207 is normally covered by natural buffet and the stall warning system, but erroneous warnings are a systems failure. The 25.173 & 175 requirements are compromised by the system failure, and it is probable that the pilot is confronted with a condition similar to non compliance with 25.181, which is going to increase workload and stress markedly. Overall, a system failure presents as a complex flight condition that is high stress and high workload to the flight crew. Th certification matrix could have been more robust in the fault tree analysis, which may have resulted in better warning systems being proposed.

If the crew can break out of the control loop and think about the condition, they may get to the point of recognition, and then realise that a single sensor issue results in the warning and the flight control anomaly. To do that, it is not necessary to know how the system actually works, it is necessary to recognise that the aircraft is flying OK in the first instance, and that the rest of the problems are the result of a sensor problem. Once that is recognised, the crew will be able to look at dealing with the symptoms that are presenting, stall > sensor error, control > trim anomaly. At that point, stab trim is going to be highlighted for isolating.

Crew training remains the best solution to this family of problems, and it is not related only to Boeing or Asian operators (think AF447).

fundamental problem is flight crew are human, and subject to varying response under stress, and exhibit varying degrees of situational awareness. Operators can reinforce training if they consider that appropriate, at a cost, to give the crew an increased likelihood of dealing with dynamic events that may lead to decisions in conditions of high stress. It is improbable that every possible scenario can be taught, the value comes in conditioning the crew to cope with the conditions they have to work under, so that they can determine their condition sufficiently to apply procedures. Humans are both the weakness and the strength of dynamic systems. the fact that no manufacturer to date has achieved a sensor system that doesn't result in the occasional wild ride speaks to the current state of the art. Peter Ladkin RISKS digest would speak to the likelihood that the manufacturers and regulators are going to have a perfect solution anytime soon. Personally, I suspect that the inherent flexibility of the human with appropriate training leading to rational NDM/RPDM heuristics is a best solution. To that end, the solution needs training departments to work on:
  • tactics to gain cognitive free time in dynamic events
  • SA training: recognition of loss of SA, tactics to recover SA
  • sufficient basic training to be able to have simplified RPDM solutions on hand to recover from events ​​​​​​
All of the above is additional to the matrix box ticking that has resulted from the global direction of training, exacerbated by the introduction of, and hijacking of AQP. No single group is more or less at risk from this type of event, and fixing the sensor in this case doesn't fix the next vector that lurks in the darkness for the next crew.

Lion Air crew were faced with a complex set of symptoms, removing any one of these would have made a successful outcome more likely. Without dedicated training to deal with wild ride events like this, then the crew are victims of the state of the industry. Had they recognised the elevator trim involvement, then the outcome would have just been a tech log write up, but they are human, and the result of their training. Information from Boeing would not have made a difference in the event, unless it had covered stall warnings coincident with a trim issue from a sensor fault, which is unlikely, as is the FAA/ODA input into the design and compliance requirements recognising the consequences of the fault in all circumstances, it should have, but they are also human centric systems.



jimtx 16th Feb 2019 00:44


Originally Posted by fdr (Post 10391324)
Recently was asked about how this issue is going to play out re liability.

The B737 derivatives have had oddities in longitudinal stability that is required under 25.175. Early versions had issues with the flaps extended, the latest have issues with the flaps retracted. With an autopilot engaged, the issue doesn't exist, it is directly related to the acceptability of longitudinal stability (stickforce/g) which is a human in the loop problem.

The event is complicated by the cues provided and missing to the flight crew during the event. Individually, these issues would be reasonably simple to manage, however together, they would be pretty dynamic and potentially result in cognitive overload.

Stall warnings are disconcerting, but can be handled without too much effort by the crew when they are spurious. Even in a true stall, the aircraft is quite manageable, clean stall is not demanding unless the slats are rigged improperly, and event then, the roll is not particularly bad.

Adding random pitch control anomalies complicates the issue; alone, a change in stick force that is uncommanded is going to be resolved as coming from the stab trim fairly promptly, unless we believe that the elevators are undergoing random motion. Using Stab Trim Cutout is going to cure the control problem, or engaging the AP will do the same. All that takes cognitive capacity to process and action.

A momentary stall warning may not be recognised as erroneous immediately by a crew, but over some time, intermittent or continuous stall warning will be able to be determined to be erroneous by comparison to IAS, GS, ATT-PWR, AOA etc. Even background noise is an indicator of likelihood of an unaccelerated stall, as is buffet/vibration. response to control is a significant cue, and it is this that is complicated in the Lion Air event. Having stall warning and a control non linearity is going to complicate crew analysis in real time. At some point the crew needs to recognise that the aircraft is not in fact stalling, and therefore the control issue is a symptom of the underlying fault, not the result of stall dynamics. In the Lion Air event, the crew flew for some time with the problem, which would itself suggest that sensing is the problem rather than having true stall conditions. The crew however did not get to the point of achieving awareness of the sensor issue before running out of control.

In the FCOM/FCTM/QRH, Boeing provides the minimum information to operate the aircraft, not the maximum; that is a position that the industry had devolved to and with the increased complexity of aircraft, it is not unreasonable.

The FAA develops in conjunction with the manufacturer the PSCP for major changes of the design, unless the process has been derogated to an ODA. The requirements of 25.672 are not onerous, 25.255 is not limiting, and 25.203 is not demanding on the B737. 25.207 is normally covered by natural buffet and the stall warning system, but erroneous warnings are a systems failure. The 25.173 & 175 requirements are compromised by the system failure, and it is probable that the pilot is confronted with a condition similar to non compliance with 25.181, which is going to increase workload and stress markedly. Overall, a system failure presents as a complex flight condition that is high stress and high workload to the flight crew. Th certification matrix could have been more robust in the fault tree analysis, which may have resulted in better warning systems being proposed.

If the crew can break out of the control loop and think about the condition, they may get to the point of recognition, and then realise that a single sensor issue results in the warning and the flight control anomaly. To do that, it is not necessary to know how the system actually works, it is necessary to recognise that the aircraft is flying OK in the first instance, and that the rest of the problems are the result of a sensor problem. Once that is recognised, the crew will be able to look at dealing with the symptoms that are presenting, stall > sensor error, control > trim anomaly. At that point, stab trim is going to be highlighted for isolating.

Crew training remains the best solution to this family of problems, and it is not related only to Boeing or Asian operators (think AF447).

fundamental problem is flight crew are human, and subject to varying response under stress, and exhibit varying degrees of situational awareness. Operators can reinforce training if they consider that appropriate, at a cost, to give the crew an increased likelihood of dealing with dynamic events that may lead to decisions in conditions of high stress. It is improbable that every possible scenario can be taught, the value comes in conditioning the crew to cope with the conditions they have to work under, so that they can determine their condition sufficiently to apply procedures. Humans are both the weakness and the strength of dynamic systems. the fact that no manufacturer to date has achieved a sensor system that doesn't result in the occasional wild ride speaks to the current state of the art. Peter Ladkin RISKS digest would speak to the likelihood that the manufacturers and regulators are going to have a perfect solution anytime soon. Personally, I suspect that the inherent flexibility of the human with appropriate training leading to rational NDM/RPDM heuristics is a best solution. To that end, the solution needs training departments to work on:
  • tactics to gain cognitive free time in dynamic events
  • SA training: recognition of loss of SA, tactics to recover SA
  • sufficient basic training to be able to have simplified RPDM solutions on hand to recover from events ​​​​​​
All of the above is additional to the matrix box ticking that has resulted from the global direction of training, exacerbated by the introduction of, and hijacking of AQP. No single group is more or less at risk from this type of event, and fixing the sensor in this case doesn't fix the next vector that lurks in the darkness for the next crew.

Lion Air crew were faced with a complex set of symptoms, removing any one of these would have made a successful outcome more likely. Without dedicated training to deal with wild ride events like this, then the crew are victims of the state of the industry. Had they recognised the elevator trim involvement, then the outcome would have just been a tech log write up, but they are human, and the result of their training. Information from Boeing would not have made a difference in the event, unless it had covered stall warnings coincident with a trim issue from a sensor fault, which is unlikely, as is the FAA/ODA input into the design and compliance requirements recognising the consequences of the fault in all circumstances, it should have, but they are also human centric systems.

The Brazilian Certifying authority did, with Boeing's involvement, require MCAS training. What that training was would be interesting. I would assume somebody from GOL, a Max operator, would know what that was. If we find out we might know whether that type of training would have helped the Lion Air crew.

skykingpilot 16th Feb 2019 02:58

What about installing a great big button on the instrument panel that says " MAKE THIS AIRPLANE A CESSNA 150 RIGHT NOW" ?

PJ2 16th Feb 2019 18:50

skykingpilot, you really need to do a lot of reading in this and the other threads dealing with this accident and it wouldn't hurt your comprehension of how complicated all this is if you read the AF447 accident thread as well.
PJ2

phylosocopter 16th Feb 2019 19:22


Originally Posted by PJ2 (Post 10392007)
skykingpilot, you really need to do a lot of reading in this and the other threads dealing with this accident and it wouldn't hurt your comprehension of how complicated all this is if you read the AF447 accident thread as well.
PJ2

Notwithstanding that I do feel that there does need to more focus on the gyro attitude indicator and that in any case where instruments or automation becomes unreliable the changes in display and warnings (and training) should all be working to move PIC towards flying the gyro

Icarus2001 17th Feb 2019 01:08


What about installing a great big button on the instrument panel that says " MAKE THIS AIRPLANE A CESSNA 150 RIGHT NOW" ?
Or train the crew to turn of the stab trim?

jimtx 17th Feb 2019 02:30


Originally Posted by Icarus2001 (Post 10392257)
Or train the crew to turn of the stab trim?

If you train the crew to turn off the stab trim then what do you tell them to do when they are are now handling an aircraft that required MCAS to be certified and now they don’t have it? Why don’t they just disable MCAS for every flight and tell pilots to be careful in the unlikely encountered regimes that MCAS was pencil whipped to satisfy.


All times are GMT. The time now is 10:54.


Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.