Originally Posted by Notanatp
(Post 10562734)
The AoA indicator in JT610 was north of 20 degrees when sitting on the ground at zero airspeed. Surely that was enough to trigger a sanity check of inputs. Even in flight, something more than 20 degrees (particularly when it had never been less than 20 degrees, much less in a valid range) would have been an unambiguous indication of bad input (I assume the 737 will stall well below 20 degrees AoA).
The exact parameters of the optimal input checking for MCAS (i.e., rejecting a many invalid conditions as possible while minimizing the rejection of valid conditions) could be subject to some discussion and judgment. But AoA of 20 degrees seems like a no-brainer. At most, it might have required that the FCC "remember" a period of AoA history so it could determine, at the point where the algorithm became active (A/P disengaged, flaps retracted) that the AoA had never been in a valid range. The bigger issue seems to be that the programmers never questioned the absence of any input validation requirement at all. I fully expect someone to quibble with my assertion that >20 degrees is clearly invalid, but what about 75 degrees? What about readings that are pegged at exactly the same number for a period of time (e.g., frozen or jammed sensor)? Or that suddenly jump from a reasonable number to an out-of-range number? I just think somebody forgot to ask the question: what is the valid range of inputs and what are the error cases? It wouldn't have taken any time at all to include some kind of basic sanity checks. 1:AoA sensor is not active until enough airflow to move the vane, so position with zero airspeed is meaningless. This complicates any input validation since it would require airspeed to turn on any checks. 2: Introducing state (history) can greatly complicate verification since the code must be exercised to reach and respond at to least a subset of all possible states. It also complicates the code which of course adds to risk of bugs. 3: It would have taken some time to code and significantly more time to verify. The greatest schedule impact however might have been getting agreement on valid/invalid values, keeping in mind that MCAS is supposed to respond to somewhat extreme conditions. Even then the checking would not cover all cases, had the Lion AIr sensor chain had less offset it could have triggered MCAS with a totally valid input. What is shocking is that the second sensor was not used as a cross check, "both must be within x%" is much more robust than any attempt to filter a single input. As a final note one possible factor in the Air france tragedy was that due to reasonableness checking the stall warning was disabled at low airspeeds only to trigger as the crew lowered the nose, increasing airspeed (while still stalled). This at a minimum would cause confusion and likely discourage lowering the nose; it yells at me when I do this == don't do that. |
BBC reporting today that EASA will not accept FAA certification and will do own tests
"Patrick Ky, Easa's chief executive, revealed a list of four conditions given to the US authorities in a presentation to the European Parliament's committee on transport and tourism on Monday". I can't see the aircraft returning in the US while Europe will not certify it. The insurers would never accept that, and unlikely the US pilot unions would either. |
Originally Posted by MurphyWasRight
(Post 10562898)
My bold in quote, main point is things are not necessarily as simple as it seems;
Originally Posted by MurphyWasRight
(Post 10562898)
1:AoA sensor is not active until enough airflow to move the vane, so position with zero airspeed is meaningless. This complicates any input validation since it would require airspeed to turn on any checks.
Originally Posted by MurphyWasRight
(Post 10562898)
2: Introducing state (history) can greatly complicate verification since the code must be exercised to reach and respond at to least a subset of all possible states. It also complicates the code which of course adds to risk of bugs.
Originally Posted by MurphyWasRight
(Post 10562898)
3: It would have taken some time to code and significantly more time to verify. The greatest schedule impact however might have been getting agreement on valid/invalid values, keeping in mind that MCAS is supposed to respond to somewhat extreme conditions. Even then the checking would not cover all cases, had the Lion AIr sensor chain had less offset it could have triggered MCAS with a totally valid input.
What is shocking is that the second sensor was not used as a cross check, "both must be within x%" is much more robust than any attempt to filter a single input. I don't know why they didn't cross check sensors. Maybe the changes were perceived as too invasive and someone made the conscious decision that the risk of screwing that up was greater than the potential gain. Maybe the reason for not cross checking sensors will eventually come out when the full story is told. But whatever the reason was, that was not a reason to do nothing. Again, I think they did nothing because they just didn't think of it. |
Originally Posted by WHBM
(Post 10562902)
BBC reporting today that EASA will not accept FAA certification and will do own tests
"Patrick Ky, Easa's chief executive, revealed a list of four conditions given to the US authorities in a presentation to the European Parliament's committee on transport and tourism on Monday". https://www.imdb.com/title/tt0060802/ I can't see the aircraft returning in the US while Europe will not certify it. The insurers would never accept that, and unlikely the US pilot unions would either. That said, there is surely some sense of betrayal behind this, the Europeans feel deceived by the inadequate FAA supervision of the MAX. Agree fully with WHBM, this story has a long ways to go. |
I don't know why they didn't cross check sensors. Maybe the changes were perceived as too invasive and someone made the conscious decision that the risk of screwing that up was greater than the potential gain. In a nutshell, the logic was this:
Managers didn’t merely insist to employees that no designs should lead to Level D training. They also made their desires known to the FAA team in charge of 737 training requirements, which was led by Stacey Klein, who’d previously been a pilot at now-defunct Skyway Airlines for six years. “She had no engineering background, her airplane experience was very limited,” Ludtke says. “It was just an impossible scenario.” FAA spokesman Greg Martin says the position Klein occupies, “while substantial,” is primarily that of “an organizer, facilitator, and executor of the FAA policy and guidelines,” and that in her role she calls on experts from multiple organizations. Rick Ludtke, a former Boeing engineer who worked on 737 MAX cockpit features but not the MCAS system, told the Journal that midlevel managers told their staff members that Boeing had committed to paying Southwest Airlines -- which has ordered 280 MAX aircraft -- $1 million per plane if the 737 MAX ended up requiring pilots to spend more time training on simulators. |
Try this one: Europe will not accept US verdict on 737 Max safety
|
Originally Posted by Notanatp
(Post 10562959)
l feel you are nit picking here. First, the DFDR data from the two accidents suggests that the normal, stationary reading for the vanes is somewhere around zero. I'm sure someone else on the thread can comment knowledgeably, but its looks to me like a stationary reading of more than 20 degrees is a pretty strong sign of a problem. Beyond that, the AoA signal surely becomes valid at some point during the take off roll, so the FCC could mark it as invalid if it's outside a reasonable range before rotation.
AOA sensors (of the type used on the B737) have an outside vane, and an inside counterweight. Unless the aircraft is moving fast enough (and I would guess around 60-80kts) the information from the AOA is ABSOLUTELY useless. I see them pointed in every random direction during the preflight ( not on the 737, but A320 has similar). Not an engineer, but during strong crosswinds there will be substantial difference in airflow between the sides, so it might be better to wait until the aircraft is airborne and better aligned with the airflow. |
Originally Posted by Notanatp
(Post 10562734)
(i.e., rejecting a many invalid conditions as possible while minimizing the rejection of valid conditions) could be subject to some discussion and judgment. But AoA of 20 degrees seems like a no-brainer. At most, it might have required that the FCC "remember" a period of AoA history so it could determine, at the point where the algorithm became active (A/P disengaged, flaps retracted) that the AoA had never been in a valid range.
The bigger issue seems to be that the programmers never questioned the absence of any input validation requirement at all. I fully expect someone to quibble with my assertion that >20 degrees is clearly invalid, but what about 75 degrees? |
Originally Posted by SLF3
(Post 10562847)
It seems EASA are asking questions that Boeing and the FAA are going to struggle to answer.
EASA are asking Boeing to address aerodynamic stability with MCAS turned off. As I understand it, MCAS is only required because without it the Max does not meet the certification performance standard. So that will be an interesting conversation. They have further asked Boeing to demonstrate the loads on the trim wheel are acceptable, which given that the stabiliser is larger, the trim wheel smaller, and sky goddesses more common, should also be an interesting conversation. |
Originally Posted by Notanatp
(Post 10562959)
First, the DFDR data from the two accidents suggests that the normal, stationary reading for the vanes is somewhere around zero.
As noted above, on a parked aircraft you can expect to see the vanes oriented at pretty well any angle, in the absence of airflow. |
Originally Posted by WHBM
(Post 10562902)
BBC reporting today that EASA will not accept FAA certification and will do own tests
"Patrick Ky, Easa's chief executive, revealed a list of four conditions given to the US authorities in a presentation to the European Parliament's committee on transport and tourism on Monday". I can't see the aircraft returning in the US while Europe will not certify it. The insurers would never accept that, and unlikely the US pilot unions would either. Mr Ky's presentation showed a refusal to accept delegation was the first of the four conditions that had to be met before flights in Europe could resume. The other three were: - an "additional and broader independent design review" by Easa - that the two fatal crashes were "deemed sufficiently understood" - and that flight crews had been adequately trained in any changes to the plane. |
Originally Posted by etudiant
(Post 10562981)
Quite interesting development. I'd expected the Chinese to be the most recalcitrant regulators, rather than the Europeans. Or it could be as a result of the ongoing discussions between EASA/Boeing/FAA. If EASA are raising issues which are being marginalised by Boeing who are then backed by the FAA then I can see them taking a more ‘independent’ stance. It would be best for everyone if all parties sat down together and resolved this like adults, putting commercial/national/economic concerns aside and looking at this as a purely engineering and flight safety matter. My gut feeling however, based on some of the statements made by both Boeing and the FAA, is that the FAA is still putting the economic well-being of US aviation on a par with safety and are expecting EASA to collude with them in this. EASA also know that they have considerable influence here. I don’t think that anyone seriously thinks that a ‘US-only’ ungrounding will fly, so to speak. That would eventually cause more problems than it would solve. Looking at things more globally, it is not outside the bounds of possibility that EASA are taking up the cause on behalf of China. It is almost certain that there have been discussions between EASA and the CAAC about the ungrounding and with the ongoing bunfight between Trump and Beijing, EASA taking the lead on this depoliticises the whole thing. |
I must be getting slow after a long day flying, but I remain rather befuddled as to what basis the latest issues by EASA arise under. I was apparently mistaken in my belief that EASA is a signatory to the TIP:
TECHNICAL IMPLEMENTATION PROCEDURES FOR AIRWORTHINESS and ENVIRONMENTAL CERTIFICATION between the Federal Aviation Administration of the United States of America and the European Aviation Safety Agency of the European Union Revision 6, dated September 22, 2017 And Amendment 1 dated June 22, 2018 Amendment 2 dated April 2, 2019. Used to be that some regulatory protocols existed, Para 1.6 was the protocol for addressing concerns, and that seems at odds with the current state of affairs. TRUMPing it all, EASA products would be subject to some level of quid pro quo, which would be an unfortunate state of affairs for euro products, which have their own oddities that come to pass from time to time. In these strange times of "fake news", EASA products acceptance by the FAA are subject to the mutual recognition under the TIP, so there is room for this to blow back into EASAland. Why on earth would the king with no clothes not beat up on what can be characterised by politicians as an unfair market. Do I think it is unfair? doesn't matter, it only matters what the Mad Hatter thinks in Fort Fumble. Curious. |
EASAs 4 conditions!
It is great to see that EASA is finally doing a proper job assuring a safe and sound Certification of the Max.
The drawback being that I and thousand of pilots in Europe are still in limbo with regards to when we get our hand on the Beast. I can live with, some might struggle as different companys might not make it trough the wait this winter. That is the cost of Safety, and I hope this debacle is soon over and have a successful end. This is a purely Technical and Operational Training issue and need proper objective attention. The fact that we live in a Politically rather challenging time will , hopefully, not influence the outcome. Good luck to all. Regards Cpt B |
Originally Posted by fdr
(Post 10563274)
EASA products would be subject to some level of quid pro quo, which would be an unfortunate state of affairs for euro products, which have their own oddities that come to pass from time to time. |
EASA presentation
Google has the slides when you search for "european parliament easa 737 ky". Sorry I can't post links yet.
|
|
Originally Posted by thf
(Post 10563404)
https://cimg0.ibsrv.net/gimg/pprune....1329898fbd.png
Complete: https://www.europarl.europa.eu/cmsda...y-original.pdf ”No delegation to FAA” That is harsh! The FAA must be feeling like Boris Johnson after his brother resigned, to put the national interest above friendship with his brother. I can only assume that this stance has been taken after EASA failed to reach a unified approach to the recertification. Something tells me that Boeing and the FAA are going to have to compromise on the sim time requirements at the very least.That will pose some contractual difficulties for Boeing as I assume that the ‘iPad only’ conversion was written into the purchasing agreements. And condition #2 is so open ended as to be meaningless. |
Originally Posted by Speed of Sound
(Post 10563346)
Have any of these oddities cost 346 lives? |
Originally Posted by Ian W
(Post 10563461)
AF 447 did not recover mainly because stall warnings were disabled And let’s not forget that these guys had way more time and altitude to troubleshoot the situation and rectify it than the crews of LI 610 and ET 302. |
All times are GMT. The time now is 14:41. |
Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.