News

Ethiopian 737-8 MAX down. No survivors.

Discussion in 'AviatorChat.com' started by RWatters, Mar 10, 2019.

  1. SVCalifornia

    SVCalifornia Formula 3

    Mar 28, 2011
    1,667
    Silicon Valley
    Full Name:
    Keith
    Zowie. I think I would have a hundred questions about this!

    Any system that would blindly drive itself into the ground isn’t worthy of using!

    I’m a computer design engineer, manager, director and I can’t imagine how this system would be empowered to do what it did!

    However, I’m not trying to bash Boeing. These kinds of systems are difficult. But human factors engineering dictates trying to help, not hinder, and to be transparent, which this glaringly is not.

    Can someone enlighten me on why an AOA sensor needs to be located outside the airframe?? There is not just a bird strike to worry about but flocks of them, no?

    SV


    Sent from my iPad using Tapatalk
     
  2. BMW.SauberF1Team

    BMW.SauberF1Team F1 World Champ

    Dec 4, 2004
    11,770
    AOA is relative to airflow so it needs to be outside. The pitot tube is also dependent on conditions external to the plane. Someone please correct me if I'm wrong.
     
  3. Bob Parks

    Bob Parks F1 Veteran
    Consultant

    Nov 29, 2003
    6,117
    Shoreline,Washington
    Full Name:
    Robert Parks
    The AOA vanes operate from the airstream attacking the aircraft and measure the angle between the horizontal reference line of the airframe and the airstream. You have a good point, however; maybe an internally mounted gyro would be a better choice. I'm no instrument or cyber wonkie but it might be something to look at.
     
  4. tazandjan

    tazandjan Two Time F1 World Champ
    Owner Lifetime Rossa

    Jul 19, 2008
    29,603
    Albuquerque, NM
    Full Name:
    Terry H Phillips
    Bob- Internal gyros or INS/GPS are too slow reacting to use as anything except a back-up to the AOA sensor. Ones that we put on fighters are a lot tougher than those vane sensors on airliners. They are basically a pretty solid piece of aluminum or steel with small slots/holes. Would take a pretty good bird strike to damage one of those since they have to survive Mach 2.5 and 2000+ psf Q loads. We had a yaw sensor that looked just like the AOA sensors. You can see the difference here. We started out with one AOA sensor and no yaw sensor, but one of each was added as we learned we needed them.

     
    thecarreaper and KKSBA like this.
  5. Bob Parks

    Bob Parks F1 Veteran
    Consultant

    Nov 29, 2003
    6,117
    Shoreline,Washington
    Full Name:
    Robert Parks
    Thanks for the input, Taz.
     
  6. solofast

    solofast Formula 3

    Oct 8, 2007
    1,771
    Indianapolis
    furmano, MCAS was employed to "enhance" the handling characteristics, not as a safety related system. It was employed to make the Max handle similar to the existing 737. Because of the engine location on the Max, there is an additional nose up pitching moment under certain conditions. The MCAS is supposed to adjust trim so that the Max feels the same as the existing 737 under those conditions. This allows type rated pilots to transition to the Max with a minimum of sim time and training. This was not considered to be critical, assuming that if it failed, the aircraft would not handle the same only under the specific flight conditions (low speed, nose up) but it would still be manageable. What Boeing missed is that erroneous inputs to the MCAS software would cause a runaway trim condition and that this could become unmanageable, as it did in these two cases. This goes back to my post earlier where the FAA doesn't understand that the failure of a sensor doesn't just make a computer go dead and not function. What happens in the real world is that failure of a sensor can cause the computer to do things that are not desired. If the system had stopped functioning, that would have been fine in these cases. But what it did was cause the system to repeatedly invoke a nose down trim command that proved to be deadly. The reality of computers in aircraft is that the computers themselves are dual redundant, but these are very reliable anyway and seldom are an issue. The reality is that sensors are the weak link and they are notoriously unreliable. Also, typically, both flight control computers share sensors. This means that both computers get the same information, do the same processing with identical software, and then they both make the same bad decision. This is why you need a higher level of redundancy than is currently mandated by the FAA regs. The FAA mandates at least 2 inputs for flight critical systems.

    But if one sensor fails and returns a bad input, how do you determine which sensor is correct? Airbus uses 3 airspeed inputs and this assumes that more than one can't be bad. Which worked until it didn't and an airplane crashed. In the Airbus case a sensor was declared "bad", and then not utilized again even though the error wasn't real and the sensor's input was only erroneous for a few seconds. The bottom line is that the levels of redundancy that the FAA requires are not consistent with what modern systems look like and how they work in the real world.
     
    KKSBA and Bob Parks like this.
  7. furmano

    furmano F1 World Champ
    Silver Subscribed

    Jul 22, 2004
    17,472
    Colorado
    Full Name:
    furmano
    Because it wasn't considered a critical system, it didn't require the added redundancy, I get that.

    But if Boeing had decided during the design phase to add redundancy to MCAS, just to go above and beyond, what would be the challenges to doing that? More lines of code? More development time? I'm just trying to figure out the technical challenges to adding redundancy, even if it wasn't required. Like if someone on the design team said, "Hey, I know we aren't required to add a secondary sensor input, but I say we should add a secondary sensor input," what would be the arguments against that? Besides just "it's not required."

    Secondly, wouldn't the design team think through all the situations that might occur and see the possibility of MCAS taking over beyond the normal circumstances of augmentation? I mean, wouldn't someone do the thought experiment and recognize, hey, if MCAS gets a faulty input, and the pilots don't disengage the MCAS (stab trim cutout) quickly, it's possible MCAS could create a runaway trim situation that would be unrecoverable? Isn't thinking through ALL possibilities part of the design/test process?

    -F
     
  8. mike01606

    mike01606 Formula Junior
    Silver Subscribed

    Feb 21, 2012
    686
    Cheshire UK
    Full Name:
    Mike M
    Speaking with 20:20 hindsight, a simple FMEA on the system should have identified the risk of a sensor failure.
    I would imagine that process is being pored over and that’s where Boeing could hit rock. If it was badly deficient it becomes a systemic issue and the return to flight requirements should be far more than updating MCAS and pilot training.
     
    SVCalifornia likes this.
  9. solofast

    solofast Formula 3

    Oct 8, 2007
    1,771
    Indianapolis
    You're right, it isn't required, and they should have gone further. If they had the experience we had they would have, but they didn't. The question is, where do you stop??? You can literally spend hundreds of man years making things perfect. OTOH, the FAA requirements are woefully inadequate. Going back to my experience in a similar software case, the designer of the software was happy when we figured out that the failure was actually two levels deep. She was like "hey, we did our job, it worked until it failed at 2 levels deep".... So she was all smiles until I told her that was not going to cut it and she had screwed up. But in this instance we had a pilot (me) making that decision, and not a software designer. Even though it met the FAA requirement, I decided that the levels of redundancy were not adequate and I made it safe. In our case the first level of failure was an erroneous pressure signal that the ECU got often when starting, caused by low battery voltage. On startup the sensor would be declared as "bad" and the software didn't heal itself even though the sensor was giving a bad signal only for a moment. So do you go back and look at the sensor again later and, if it's good, do you use it again? We had a case where the sensor was failing frequently, so it really only took one other failure to have the entire system fail. It met the FAA requirements, but the system was by no means adequate because most of the time it was flying around without any redundancy. Boeing is going through all of this right now and is, I am sure, looking at all of the potential failure modes and what can happen given failures or partial failures of sensors and hardware. Things like the AoA sensor are supposed to have an MTBF in the tens of thousands of hours. But the reality is that they appear not to be that reliable given that two failed in the field a couple of months apart. If you have a frequent failure you really don't have 2 levels of redundancy, you only have one.

    If you did a mag check at run up and failed it, you'd just go back to the hangar and park it. You'd never take off with one bad magneto. So are you willing to ground an airliner if one sensor is giving a bad signal? If your aircraft is designed to FAA criteria you couldn't launch with even one bad sensor. Obviously, given sensor reliability, a higher level of system redundancy is required, and a more robust system that can withstand multiple failures of less reliable components is necessary. As Boeing peels back the onion and sees this they are most likely looking at all of their FC computer systems, and this could well be why they are taking longer to fix this than just implementing a quick fix to get them flying again. If it was just the MCAS issue they'd be back in the air by now. I'm guessing that they've found a lot of other things that met the FAA requirements but weren't safe and they're addressing them as quickly as possible.
     
    KKSBA likes this.
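The two redundancy points raised in posts 6 and 9 above (two inputs can only detect a disagreement while three can out-vote one bad channel, and a monitor that latches a channel "bad" after a momentary glitch and never re-checks it quietly leaves the system with less redundancy than it was certified with) can be shown with a small voting model. This is an added illustration, not code from any poster and not Boeing's or Airbus's logic; the 5 degree disagreement threshold, the three-sample heal rule and the sample readings are all constructed for the example.

```python
from dataclasses import dataclass, field

DISAGREE_DEG = 5.0  # assumed threshold for "these channels disagree" (constructed)


def vote(readings):
    """Return (value, status). None entries are channels already excluded."""
    good = [r for r in readings if r is not None]
    if not good:
        return None, "no valid input"
    if len(good) == 1:
        return good[0], "single source, no redundancy"
    if len(good) == 2:                      # dual: can detect, cannot isolate
        a, b = good
        if abs(a - b) > DISAGREE_DEG:
            return None, "disagree, cannot tell which is bad"
        return (a + b) / 2, "agree"
    s = sorted(good)                        # triplex: mid-value select drops one outlier
    return s[len(s) // 2], "mid-value select"


@dataclass
class Monitor:
    """Excludes channels that disagree with the vote; optionally lets them heal."""
    latch_forever: bool                     # True = declared bad once, bad for the flight
    heal_after: int = 3                     # assumed: agreeing samples before re-trusting
    bad: set = field(default_factory=set)
    streak: dict = field(default_factory=dict)

    def step(self, readings):
        usable = [None if i in self.bad else r for i, r in enumerate(readings)]
        value, status = vote(usable)
        if value is None:
            return value, status, sorted(self.bad)
        for i, r in enumerate(readings):
            agrees = abs(r - value) <= DISAGREE_DEG
            if i not in self.bad and not agrees:
                self.bad.add(i); self.streak[i] = 0
            elif i in self.bad:
                self.streak[i] = self.streak.get(i, 0) + 1 if agrees else 0
                if not self.latch_forever and self.streak[i] >= self.heal_after:
                    self.bad.discard(i)     # transient fault cleared: channel back in the vote
        return value, status, sorted(self.bad)


# Constructed triplex AoA samples (degrees): channel 0 spikes for two samples, then recovers.
SAMPLES = [[5.0, 5.2, 4.9], [60.0, 5.1, 5.0], [60.0, 5.0, 5.1],
           [5.1, 5.0, 5.2], [5.0, 5.1, 5.0], [5.0, 5.0, 5.1], [5.0, 5.1, 5.0]]


def simulate(latch_forever, samples=SAMPLES):
    """Run the monitor over the samples; returns a list of (value, status, bad_channels)."""
    m = Monitor(latch_forever=latch_forever)
    return [m.step(s) for s in samples]
```

With the latching monitor the last sample is still voted as a dual ("agree", channel 0 excluded), so the rest of the flight runs with detection only; with healing it is back to a triplex mid-value select.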
  10. Rifledriver

    Rifledriver Two Time F1 World Champ

    Apr 29, 2004
    25,171
    Austin TX
    Full Name:
    Brian Crall

    Just a question from an observer. The aircraft industry for much of its history was loath to use electronics in place of mechanical systems for reliability reasons. We progressed to a point where mechanical systems (controls, instrumentation etc) were no longer capable of doing what was needed or desired and are now in this spot. Doesn't it make sense to have a rudimentary mechanical back up to give pilots a reality check to confirm what the gadgetry is doing or saying? You know, needle, ball and airspeed that can be counted on?


    Having to deal with these garbage systems in automobiles daily long ago convinced me that any car I'll ever own has already been built. I am pretty philosophical about air travel but it is at the point I'd rather be on a 707 than an Airbus or Max8.
     
    solofast and Bob Parks like this.
  11. furmano

    furmano F1 World Champ
    Silver Subscribed

    Jul 22, 2004
    17,472
    Colorado
    Full Name:
    furmano
    Exactly. Good FMEA (just sitting around a table and thinking through all the ways a system can fail and where that leads) would have revealed this scenario. Or I guess, maybe not, I guess it's hard to say. But the FMEA sessions I've been involved with have been very illuminating. It just required some solid logical processing along with a little thinking outside the box.

    -F
     
  12. solofast

    solofast Formula 3

    Oct 8, 2007
    1,771
    Indianapolis
    Yes, exactly. I think that for a long time Boeing was of pretty much the same opinion. In the old days you had some "assist", but it didn't fly the airplane. The military went to computerized control in the F16 and they learned a lot of painful lessons, but they spent a ton of our money to do it and they pretty much did it right. Airbus broke the mold and went to computerized control for commercial aircraft and had a number of crashes and I've always said I avoid their aircraft because I don't believe that is a safe approach. This is really Boeing's first foray into computerized "assistance" and obviously it didn't go well. The reality is that there needs to be a more robust level of redundancy for computer systems than has been assumed and if it isn't there the level of safety that we've become accustomed to isn't there either.

    As to whether or not a more rigorous FMEA would have caught it is hard to say. I am surprised that they didn't, as part of the certification, require failing sensors in the sim to see what happens, but again, you have to fail it in the same way that it failed in the real world to get the right answer. I think that most likely the FMEA didn't go deep enough because it wasn't considered "flight critical", even though it actually was, and that's what led to the incomplete analysis. Boeing is going to pay for this one big time.

    We can armchair quarterback this to death, and 20/20 hindsight is always perfect, but clearly the FAA and Boeing missed it.
     
    Bob Parks likes this.
  13. Rifledriver

    Rifledriver Two Time F1 World Champ

    Apr 29, 2004
    25,171
    Austin TX
    Full Name:
    Brian Crall


    Well we could require a big red switch to turn it all off when it runs amok but then we would need real live pilots at the helm and it seems to me one of the ultimate reasons for the entire exercise is to rid ourselves of that need.
     
    Bob Parks likes this.
  14. F1tommy

    F1tommy F1 Veteran
    Silver Subscribed

    Dec 15, 2007
    7,073
    Chicago USA
    Full Name:
    Tom Tanner
  15. BMW.SauberF1Team

    BMW.SauberF1Team F1 World Champ

    Dec 4, 2004
    11,770
    Parking lot? Surely it was made to support the weight of those birds...
     
  16. max930

    max930 F1 Rookie
    Rossa Subscribed

    Apr 16, 2017
    3,477
    vancouver
    I think Boeing is going bankrupt over this...
     
  17. Veedub00

    Veedub00 F1 Rookie
    Silver Subscribed Owner

    Jun 30, 2006
    3,343
    Troy, Michigan
    Full Name:
    James
    There are over 600,000 parts on a new 737. I'm sure they did not do a full blown system level FMEA with the new parts. Even if they did, I am sure they used a very high failure rate for the AOA and thus the likelihood of occurrence was too low to notice.
     