|
What level of fault tolerance is needed?
Is a software fix sufficient? Is the B737M flight controllers reliable enough for the task?
The software changes to the B737M made the detection of a ’trim runaway’ failure mode much more difficult since it is behavior is changed, and masked by other faults and noises. It may also have increased the frequency of the trim runaways. If the original DFMEA/Design Risk Assessment had the conclusion that a ’trim runaway’ is something that is easy for the pilots pilots to handle, then the safety case is limited to providing reliable ’cut-out’ switches (And some training). If the conclusion in the new DFMEA/Design Risk Assessment is changed since it can’t be expected that the pilots reliable can detect and isolate the fault, then this drive a significant change to the hardware (and software) requirements. It is not enough to have redundant sensors as the voting between flight controllers can also fail. The actuator and its electronics as well as the network may also fail.To me it seems that the THS control is moving in to the realm of a software controlled primary control surface (since if can overpower the muscle strength of pilots if not isolated fast enough). In essence requiring a FBW like system with full byzantine fault tolerance. What are the capabilities of the existing THS control system: -Fail safe by means of lock-step operation? -Voting between fail-silent replicas with byzantine fault tolerance? |
I would suggest that attempting to comply with a 'feel' requirement by moving a powerful control surface is bad engineering from the start.
|
Forgive my curiosity as a complete outsider. Do pilots ever refer to the trim scale on the pedestal, other than before takeoff? Is is part of any scan, or checklist?
|
I would suggest that attempting to comply with a 'feel' requirement by moving a powerful control surface is bad engineering from the start. But, there was no other way open to them for creating a pitch-down moment, without major airframe modifications. It must have been a miserable time at Boeing when, after realising the MAX needed pitch-down moment(s) at high alpha, it was decreed that they would have to come from the stabiliser. The investigations into certification will surely reveal the opposition within Boeing to taking this route. Will be interesting! |
Salute!
Some good aero stuff being discussed. I have wondered since November if using some variation of aerodynamically loaded slats ( F-100 and others) on the nacelles or even the leading edge of the wing could have moved the center of pressure further aft at high AoA to keep the pitch moments O.K. I realize that the goal is to have the trim drag at a minimum for cruise AoA, but once up there near stall you would not be worried a lot about fuel economy, ya think? Gums wonders.... |
I realize that the goal is to have the trim drag at a minimum for cruise AoA, but once up there near stall you would not be worried a lot about fuel economy, ya think? Something that would give the pitch-down moment at high alpha, but would not add drag in the cruise. I haven't come up with anything yet. The closest I have come is the idea of some surfaces protruding from the new tail cone. Having such a long arm would mean they wouldn't have to be too big and ugly. |
If I can ask a hopefully not trivial question ... for a long time there have been not only stick shakers but, by extension, stick pushers. Was the Trident the first with this ? And how does MCAS differ in its principle to a stick pusher, apart from operating on a separate control, the trim rather than the yoke ? And if it's established, why did Boeing do it on a different control rather than push the yoke forward ?
There's an interesting account of dealing with this from 55 years ago here. Compare and contrast with what Boeing have done. "3,500 test stalls" !!! https://www.flightglobal.com/FlightP...20-%200246.PDF |
WHBM, MACS relates to stability. Stick push relates to stall, identification and initial recovery motion. The 737 stall characteristic is identifiable and has satisfactory recovery action. |
Salute!
Granted, Safety, MCAS is not stall prevention or stall recovery. But media and many folks on these very forums still feel that it is. In all honesty, having the stick get "lighter" due an aerodynamic effect at high AoA can be conducive to entering a stall. But I do not believe the 737 pitch moments would be like the VooDoo I flew 50 years ago that got a "light" stick , then went end over end, heh heh. Gums sends... |
WHBM,
safetypee and gums are absolutely correct. When we did CofA air tests on VC10s, we always had a third AoA vane mounted on a plug that replaced the glass of one of the cabin windows and an AoA indicator connected to it mounted on the pilot's instrument panel coaming. During stall tests, one crew member was required to watch it like a hawk and shout if it approached (I think) 16degs before the stick pusher pushed. |
Could anyone tell me the difference between the MCAS system and a runway horizontal trim condition.
|
Originally Posted by Arydberg
(Post 10427200)
Could anyone tell me the difference between the MCAS system and a runway horizontal trim condition.
|
Originally Posted by flyingfalcon16
(Post 10425210)
I'm trying to respond to qualify my remarks but they won't approve many of my posts. This is very heavily curated forum. If you look on one of Nasa's sites you can find this statement: Trim controls speed and attitude.
|
In fact, I would word it this way. Trim effects the pitch of the aircraft, which, in turn, effects the speed.
|
Originally Posted by Concours77
(Post 10319961)
... AI avoids that problem. For good or evil, no? If safety is still to be no.1, then automation should only be there to relax the pilot, NOT turn him into a donkey that doesn't know how to fly anymore after so much "auto" in his head. The pilot remains a pilot, if he still wants to be called that way anymore. Regards! |
Originally Posted by MaverickSu35S
(Post 10427445)
You said it well when you said: "For good or evil". In fact we will see that it's NOT the "good" that will win in this AI (artificial intelligence) fantasy, but the evil itself. We just had 2 awful answers (the 2 accidents of the MAX) from our subject regarding how does the plane try to automatically (apparently intelligent) trim the nose down continuously until "it believes" that the stall has been eliminated. One A330 had a cruise incident while another A330 and a belly (crash) landing due to "automation gone wild" encounters! This case showed one more glimpse of what it's like to lay your belief in automation.
If safety is still to be no.1, then automation should only be there to relax the pilot, NOT turn him into a donkey that doesn't know how to fly anymore after so much "auto" in his head. The pilot remains a pilot, if he still wants to be called that way anymore. Regards! There are plenty of examples of automation in the current state of the art in commercial aviation. Many of the performance improvements we have realized over the past generation would not have been possible without automation. That ship has sailed and there is no turning back to pre-automation days in aviation. On the other hand, while I have no doubt that AI will find itself playing a greater and greater role in commercial aviation over the coming years, we need to proceed with caution down that road. It is one thing to design an AI system to drive a car where you always have the option of slowing and stopping on the side of the road if something unexpected comes up that the AI determines it is not ready to sort out. In an airplane it is quite another story when the unexpected happens. There are no pull over and stop options between takeoff and landing. |
Pax. It's been a while since I had anything to do with fault trees but presumably part of the technical evidence underpinning the design solution to MCAS would have started by the need to show that a failure outcome for the system was less than some low, and acceptable, probability threshold. This logic would have a starting event which represented the need for the system to intervene, the aircraft being in the dynamic state that challenged it's stability for which help was needed. That logic sequence must have given the right numbers even when subevents like aoa sensor failure were included.
However the next page of the analysis, and a new fault tree, would be considered, this to cover eventualities on the system intervening when it shouldn't. AOA faults would be one initiating event and would be ascribed a probability of occurrence. To my layman mind, this would be more probable than the starting event in the first tree, ie AOA failure is more likely than the aircraft finding itself in a bad dynamic state. What I can't understand is if this were true then the rest of the fault tree after AOA failure must also get to an acceptably low probability despite the fact that it is the more likely event chain to start with. Subsequent mitigations, such as the intervention of a trained crew, would have to have a correspondingly low failure rate to make up the numbers. Can't see the numbers for that working out. Would love to see the workings out but don't suppose we ever shall. |
this is certainly a heavily curated forum
One needs to accept that it can take a little while for a mod to review and pass a new post to the thread. Once again, I think I can say that we don't unduly constrain posting to this or any other thread in TL. |
Satcom Guru post 19th March
I posted this a couple of days on the Rumours thread where it was suggested it might be more relevant and of interest here, so in case it is.....
Ethiopian ET302 similarities to Lion Air JT610 Reports from Ethiopian investigators have implicated the same Angle of Attack (AoA) sensor malfunction that was observed on Lion Air. Lion Air captain AoA sensor read about 22 degrees higher than the First Officer AoA sensor (a large bias error). Initial assessment of Lion Air AoA failure modes did not reveal any obvious electrical malfunction that could create the bias. The simplest explanation was that the AoA vane had been bent, causing a gross aerodynamic offset in the readings. If ET302 encountered the exact same offset, with the likelihood of it being bent exactly the same way not being conceivable, some other factor must be in play. For example, the ARINC 429 representation of AoA uses two's complement fraction binary notation (BNR). It is interesting to note that bit 26 represents 22.5 degrees which would be the bit "flipping" between the Captain and F/O AoA values (all other bits would match). Is it possible that the ARINC 429 word is getting corrupted (software defect)? If the ET302 offset was something like 20 or 24, this theory falls apart. Full post https://www.satcom.guru/2019/03/ethi...lion.html#more |
Bjorn's Corner article on JT610 and ET302 crash
Link..
https://leehamnews.com/2019/03/22/bj...-2/#more-29712 The article is not really relevant to the precise topic of this thread as it speculates on the possibility of elevator "blowback" being a factor in the crashes. HOWEVER, I thought the following exchange of comments on the article might be of interest, particularly the emboldened bit in the reply by poster Transworld. As someone who has nothing to do with the industry it was a fascinating piece of information, apologies if it's something professionals knew from day 1. Knuffi March 22, 2019 Does this mean that – when the FDR shows the left AoA sensor having 25deg and the right 5deg – the AoA vanes really where in this position? Or would you still consider a failure in how the data was processed by the flight computer yielding the difference? Reply TransWorld March 22, 2019 Presently there is no way to tell.If the flopped to full up on less than takeoff speed, both should be flopped the same.How these work, what portions they go to when no significant airflow is all unknown to other than ATR pilots. Possible to even have a test command drifting around in the systemThe two comput3ers are programed by two different teams (its a method of ensuring no code is written duplicated to the computer that is identical so their is not a dual failure under the same circumstances) that said, it seems the two issue were both pilot side so there may be something in that coding on that side. Swap to the other side for control and it should go away but Lion it did not, so just more questions. Alchad |
B737 Max MCAS notes from before the Ethiopian Accident
1 Attachment(s)
Attached are some notes I made in mid-Jan 2019 regarding the MCAS architecture and Lion Air crash
|
Salute!
Attention flyingfalcon! We give up. We do not know what you want to hear, but for now I feel most here will let you continue to believe that trim affects speed and attitude. We have tried to erxplain AoA and attitude and reference systems and so forth. As planes became less and less like the WWI and early WW2 planes, the AoA versus Coeff of lift plot became less steep. The tendency to return to the "trimmed" AoA decreased. But given time, the plane would return to the trimmed AoA that is normally associated with one gee level flight speed. The TRIM ON ALL BUT FBW SYSTEMS LIKE THE F-16 OR AIRBUS ATTEMPTS TO RETURN THE AIRCRAFT TO THE ANGLE OF ATTACK THAT IT IS TRIMMED FOR BEFORE AN UPSET OR CHANGE IN POWER. If that changes the pitch attitude with respect to the horizon, then BFD. So we give up and you win. So let's move on, huh? Gums sends... |
Hi Alchad, that bit error could be the problem. However the data is Serial 32bit, so how does one bit get corrupted and not all the other bits. Bit 27 is also the third MSB (Most Significant Bit.)
https://en.wikipedia.org/wiki/ARINC_429 Looking at the Lion Air FDR, did reveal that the AoA error started to build up during the taxi run, 2 minutes before take-off. |
Thanks - very nice
Originally Posted by Le Flaneur
(Post 10427602)
Attached are some notes I made in mid-Jan 2019 regarding the MCAS architecture and Lion Air crash
|
Originally Posted by john_tullamarine
(Post 10427546)
this is certainly a heavily curated forum
One needs to accept that it can take a little while for a mod to review and pass a new post to the thread. Once again, I think I can say that we don't unduly constrain posting to this or any other thread in TL. |
Originally Posted by gums
(Post 10427668)
Salute!
Attention flyingfalcon! We give up. We do not know what you want to hear, but for now I feel most here will let you continue to believe that trim affects speed and attitude. We have tried to erxplain AoA and attitude and reference systems and so forth. As planes became less and less like the WWI and early WW2 planes, the AoA versus Coeff of lift plot became less steep. The tendency to return to the "trimmed" AoA decreased. But given time, the plane would return to the trimmed AoA that is normally associated with one gee level flight speed. The TRIM ON ALL BUT FBW SYSTEMS LIKE THE F-16 OR AIRBUS ATTEMPTS TO RETURN THE AIRCRAFT TO THE ANGLE OF ATTACK THAT IT IS TRIMMED FOR BEFORE AN UPSET OR CHANGE IN POWER. If that changes the pitch attitude with respect to the horizon, then BFD. So we give up and you win. So let's move on, huh? Gums sends... I have a separate question: Does anyone familiar with test piloting these crafts know that, before there is testing in the sims with airliner pilots. Is there actually a phase of testing that involves a pilot going up in the Max with the exact knowledge and training the airliner pilots will have (such that they wouldn't get any briefing on the MCAS)? Possibly with simulated load factors / weight of real cargo and passengers, ideally with even simulated changes in CoG from moving passengers throughout flight? |
I gotta tell ya, John, this is the most exasperating forum I have ever tried to participate on.
For those who have concerns with the moderating, the following is the basic story - (a) new posters are subject to draft post review for a number of posts before they get a direct post ability - that is site wide policy as far as I am aware (b) while I am the main mod for this forum, there are others who have mod rights. Sometimes it is a case that mods are just not able to keep all the people happy all the time and, unfortunately, you are just going to have to accept that. (c) my approach (which doesn't have any necessary influence on that adopted by my colleagues) is minimal editing/deleting and, where I delete (other than for obvious spam) I will let the poster know what's going on. (d) if you have a post which you consider to be very important and it appears to have been deleted, by all means send me a copy by PM and, if I concur with your thoughts, I will endeavour to track down the reason for which it was deleted. Be aware, though, there will need to be a good reason for me to argue the case with my brother mods. |
Would you happen to know the max nose down trim angle on the 737 NG and MAX?
|
Originally Posted by jimjim1
(Post 10428037)
I am converted - we need a Like button.
Also, don't know if it is possible, but for threads like this and others which can get quite long, it would be very useful if posts like Le Flanneur's could be "stickied" at the top of he thread. Quite often some very useful pieces of information - Flight Data Recordings, instrument block diagrams etc etc are posted but then get lost. It would also be a reference for new posters to look before asking questions posted several times over. As I said, don't know if it's possible, but would be nice to have.... Regards |
ff16, #148, in my days (a long time ago), after the initial exploratory test flying, subsequent flights were jointly crewed with tps and training captains. This involved systems evaluation, normal and emergency procedures and handling, performance, cg range, auto-flight, instruments, etc. Some flights would have been to collect data specific to the design and manufacture of training simulators. Later, training captains could captain production test flights depending on experience and the aircraft’s certification status. In addition to CAA tp validation tests, operations inspectors and training staff flew on flights to evaluate workload, and practicality in service. |
Originally Posted by flyingfalcon16
(Post 10428194)
Would you happen to know the max nose down trim angle on the 737 NG and MAX?
|
.
Perhaps the only way to get these airplanes certified is to ditch the 'Hot-rod' engines and revert to the original engine type. Vintage Model T Fords with Supercharged Chevy engines might be Ok for the Drag-Strip, but not for commercial transportation. .. |
Stab Trim Cut-out switches relabelled on Max - why?
"Slacktide" posted a question (post 1337) on the Indonesian 610 thread asking why stabiliser cut out switches had been relabelled. As far as I could see, nobody had any views, just though I'd ask again as I'm also curious!
Regards Post below: It appears that the two trim systems which were labeled "Main Elect" and "Autopilot" on the NG are now labeled "Pri" and "B/U" on the Max. One would ASSume that this means Primary and Backup. It would be useful to know if there are any operational changes to the system besides the labels. It is unlikely that they would have made have made a change to the labels without a reason. 737 NG https://cimg5.ibsrv.net/gimg/pprune....b7978fc4da.jpg 737 MAX https://cimg7.ibsrv.net/gimg/pprune....4ae6cdebb5.jpg |
Originally Posted by Alchad
(Post 10429289)
"Slacktide" posted a question (post 1337) on the Indonesian 610 thread asking why stabiliser cut out switches had been relabelled. As far as I could see, nobody had any views, just though I'd ask again as I'm also curious!
Take this quote from a MAX ASRS report: confusion regarding switch function [...] related to ‘poor training and even poorer documentation The First Officer offered to hit the SEL function in flight, to test it out, but I thought something irreversible or undesirable might happen (not knowing what we were actually selecting), so we did not try it out in flight. I should stop there (or earlier) since I'm only an engineer flying an armchair, but this smells too much like the times in my career when development/sales/delivery/training have all blamed the end user for a ****up, yet when I have been the one to sit down with the end users I have found that between development/sales/delivery/training we have produced a system that an average user was inevitably going to ****up at some point. I'm lucky, those times have not been in aviation, the worst consequence was data loss (and maybe contract loss, bonus loss...), but nobody died - but it shouldn't happen in aviation, it should be caught before it gets in front of an "average end user" with a plane load of pax behind them. |
Alchad
I am quoting from memory, but the explanation somewhere on this forum is: 1. On the NG there are only two inputs for electrical trim, the 2. On the MAX there are three inputs, if you add MCAS. Since adding a third switch is complicated, they wired the switches in series. This provides an extra level of inhibition of runaway trim, since one of the two could theoretically get stuck in the on position (due to short circuits). I hope this is correct and helpful. The implications of these changes are beyond my scope. Edit: I posted simultaneously with infrequentflyer789 whose comment overlaps with and supports my recollection. |
Originally Posted by GordonR_Cape
(Post 10429470)
Alchad
I am quoting from memory, but the explanation somewhere on this forum is: 1. On the NG there are only two inputs for electrical trim, the autopilot and the yokes. Each has their own switch, wired in parallel. 2. On the MAX there are three inputs, if you add MCAS. Since adding a third switch is complicated, they wired the switches in series. This provides an extra level of inhibition of runaway trim, since one of the two could theoretically get stuck in the on position (due to short circuits). I hope this is correct and helpful. The implications of these changes are beyond my scope. Edit: I posted simultaneously with infrequentflyer789 whose comment overlaps with and supports my recollection. @RUTUS, Since there are no other electrical connections in that diagram, the logical conclusion is that indeed on the NG any kind of automatic trim changes can be disabled by the AP cutout switch, and also by the column cutout switch connected in series with it. I can't find a similar diagram for the MAX, but I remember reading that the cutout system has been redesigned. For example the two cutout switches have been renamed, from MAIN ELECT and AUTO PILOT, to PRI and B/U (primary and backup). And, if I remember correctly, those two switches don't longer have independent functionality on the MAX, because they are connected together in series. If one of them gets stuck or fails shorted, the other can act a backup for it, so on the MAX both manual cutout switches would disable any kind of electric trim, manual or automatic. I don't have further details about that, and I wouldn't want to speculate about exactly how it works on the MAX in combination with the column cutout switches, but this has been discussed previously in the Lion Air thread, you may try to look there for more details. |
Alchad
Thanks for copying the original post. I hope my comment helped track that down, and was not too creative an interpretation. It seems nobody is 100% sure? In any case the action for runaway trim is always both off, regardless of cause or model type. Edit: Amended my earlier comment. |
Originally Posted by GordonR_
1. On the NG there are only two inputs for electrical trim, the autopilot and the yokes. Each has their own switch, wired in parallel..
|
Originally Posted by BobM2
(Post 10430424)
Where does STS come from?
Edit: Reading that detailed reference suggests two points. 1. STS and MCAS run on a single FCC at a time, which alternates between flights. 2. AFAIK the autopilot runs on both FCCs, but either is crew selectable while inflight. The autopilot can be disabled, but STS and MCAS are used in manual flight, and cannot be disabled. How this all fits together raises many more questions (completely outside my scope). |
One thought regarding the pedestal cut out switches.
I find it lacking in functionality that you can not disconnect all automatic trim like STS, Mach trim and MCAS and still continue to have manual electric trim available. The two switches should have been configured so that one cut only the automatic trim functions and the other cut all electric trim. That would in my opinion have given more alternatives for the crew as I am sure any crew would very much like to have manual electric trim available after any run away automatic trim had been cut out. If I was FAA this would be (the) one physical item/functionality to change before lifting the grounding of the Max. |
| All times are GMT. The time now is 21:52. |
Copyright © 2026 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.