Eng-Tips is the largest engineering community on the Internet

Intelligent Work Forums for Engineering Professionals

  • Congratulations waross on being selected by the Eng-Tips community for having the most helpful posts in the forums last week. Way to Go!

Boeing 737 Max8 Aircraft Crashes and Investigations [Part 1] 20

Status
Not open for further replies.
Replies continue below

Recommended for you

Alistair_Heaton said:
using the old certification grandfather rights

That's the "changed product rule". It gives a lot of leeway to make modifications and upgrades.
If you want to dig deep, check out the link below and follow the rabbit hole down to Appendix page A-48 (just for one example; there are more).
AC 21.101-1B

No one believes the theory except the one who developed it. Everyone believes the experiment except the one who ran it.
STF
 
it gives way to much leeway for piss taking. I am more than aware of what goes on stretching and modifying.

its started out as a 80 seater 1000 NM airliner.

The 737 max is 230 pax and 3300 NM



they are all at it as well.



 
In my wife's new car when I push the off button on the radio, it gets quiet and the driver information display shows a message;
"SOUND MUTED, PUSH AGAIN TO TURN OFF"
That's a lot more effective than an e-mail or a short paragraph in the owner's manual.
I wonder if a similar system could be used to turn off a malfunctioning system?
I can't understand how a system with the capability to fly an aircraft into the ground can be designed and installed without any self checks for bad inputs.
Money I guess.
I have no sympathy for Boeing whatsoever.


Bill
--------------------
"Why not the best?"
Jimmy Carter
 
Generally, there isn't anywhere to put a "friendly message" like that in a down-to-business aircraft flight deck.
It reminds me of Arthur, arriving on the Heart of Gold. He pushes a button at random, and a sign lights up, saying "Please to not push this button again". (You either get the reference or you don't.)

Since pilots train using checklists, flight manuals, and operating procedures, you can expect most pilots to be familiar with nearly all of the switches and their functions before crewing with passengers. When things go wrong, or things start working in strange ways that the pilots didn't train for, that's when the experience and personality make the difference. There have been pilots (I can name a few such crashes) unable to diagnose a problem that another pilot would have recognized and adapted to quickly.

I downloaded the preliminary report, and I've studied the sequence of events plots. I personally think that the faults happening were strange in the extreme, and it would be unfair to expect "any" crew to handle this well, or succeed in troubleshooting it, even if I also believe that this crew had enough time to figure out that the problem was not going away, threatening them, and should have turned back. The runaway trim problem (or so it would have appeared to the crew) was preventing them from climbing, thereby eliminating any margin of altitude to deal with any OTHER problem that might come. With all the trouble they'd had with previous flights, they should have expected a problem #2 to come. Flight crews should be able to distinguish between problems that go away when dealt with, and problems persist to erode safety margins leaving no room to handle any other distraction. This is basic flight planning and crew resource management stuff.

So here we have the "swiss cheese" model of failure prevention. The possible barriers were:
1) system design to prevent single causes leading to catastrophes,
2) maintenance procedures to test & assure equipment functions when replaced,
3) flight procedures to follow when equipment malfunctions,
4) training to teach crews the procedure to follow and to build experience and judgement.

Holes formed in all of these barriers, letting this fault through.

No one believes the theory except the one who developed it. Everyone believes the experiment except the one who ran it.
STF
 
Agree with spar.

In general crew can deal with 2 issues at the same time, as soon as three crop up either interrelated or separate then the chances of a successful landing become greatly reduce and also luck starts playing a part.

Electrical faults tend to give an over abundance of lights to sort out and knowing which one to deal with first out of the 20-30 lights that are active can be a challenge. Its not unknown for situation that requires a generator to be taken off line and bus tie opened for a crew to head off in the wrong direction and end up on emergency instruments and an engine shut down. When the correct solution would have only resulted in the galley power being cut and no hot tea for the remaining flight without diversion.


When things go wrong, or things start working in strange ways that the pilots didn't train for, that's when the experience and personality make the difference. There have been pilots (I can name a few such crashes) unable to diagnose a problem that another pilot would have recognized and adapted to quickly.

This is very correct. And I also agree that your average crew which ever nationality they are or carrier would be emptying their bag of luck rapidly during this type of failure. Its the sort of thing the sim examiners throw at you when they have decided that your checks are getting too easy. Murder the FO and start failing systems until your eventually over loaded. I can tell you hand flying the aircraft single engine while manually pumping down the gear is hard work.... and you just know the weather is going to go down as soon as you have committed to putting the drag out with the gear with no way of getting it up so you won;t have enough fuel to get to your diversion.






 
I assume there is an alarm or message to the crew that there is a discrepancy between primary and backup sensors. I set up controls this way when 2 sensors for the same parameter are available. Maybe it's an oversimplification of the actual subsystem, but it seems that this should alert the pilots that a sensor is malfunctioning and then they should have the option to select the one which seems to be correct.

Brad Waybright

It's all okay as long as it's okay.
 
Not that I have heard of with the AoA sensor...


mismatch_dgls1y.jpg



That's what I have for sensor errors. Your not given AoA data in the cockpit as a raw value. You can see it changing by the red stall indicator at the bottom of the speed tape so I suppose if the pilots compared the red zone on the speed tapes you could spot a problem. But its not something you are currently trained to do. To be honest I wouldn't like to say how many pilots might not make the link between the red tape and it indicating angle of attack. And mid struggle trying to keep the nose up it would be hard. Must admit I give the AoA vanes a waggle every turn round and only once found something not feeling right, it was swapped out before the next flight. But a lot of aircraft you can't reach them from the ground so would require a cherry picker or set of steps.

Was thinking today about it. Maybe a pair of backup AoA vanes up on the fin would work but they would catch vortex off the flaps possibly.
 
I never realized that these AoA things were these little wing like things sticking outside of the aircraft - the NYT has a good description of them
From the traces supplied it almost looks like the instruments are being read differently, i.e. the 0 reading on one is somehow seen as +20 by the other. That implies somewhere the setting of the readings by the system wasn't properly zeroed?

Are these things handed somehow? or are there two one above the other on a 737? I can't imagine that they aren't somehow physically fixed in the same way so that zero degrees is the same and you can't rotate the thing one bolt hole by accident? Could you?

This photo purports to be two B737 AoA sensors and I can't see any fitting which wouldn't stop it being rotated incorrectly.

AoA_B737_reucry.png



Remember - More details = better answers
Also: If you get a response it's polite to respond to it.
 
LittleInch said:
This photo purports to be two B737 AoA sensors and I can't see any fitting which wouldn't stop it being rotated incorrectly.

I doubt very highly that they need mechanical clocking.

Dollars to doughnuts, that body contains an incremental rotary encoder which is re-zeroed whenever the system is powered up.
 
Are the two AoA sensors considered to be redundant, or do they somehow work together in concert? If redundant, it seems prudent that there should be an alarm to report a discrepancy or 'mismatch', as it were.

Brad Waybright

It's all okay as long as it's okay.
 
you can see the circuit diagram on the side of it. Its just a potentiometer.

They usually have a couple of bolts out of phase with the rest and lugs at funny angles so they can only be fitted the right way and on the correct side.

Plus also there will be a part number check with the old one when its replaced.

And they don't sit at zero when the aircraft is powered up for a bite check. They can be at any angle mainly due to local wind conditions. Still winds they will at the bottom of travel and 40 knts of wind on the nose and they will have lifted.

Limit for taxing and starting engines is usually in the 65knt region with a Vr (takeoff speed) in the 120-130 knt region depending on weight.


As i have said before its 1960's tech.



 
Alistair Heaton said:
you can see the circuit diagram on the side of it. Its just a potentiometer.
Actually, I believe it is a resolver. Either way, whether left or right, swapping polarity of supply power would provide duplicate signals from each side, whether degrees down, degrees up, or neutral would be the same so the sensors would be identical.

Brad Waybright

It's all okay as long as it's okay.
 
SparWeb said:
Generally, there isn't anywhere to put a "friendly message" like that in a down-to-business aircraft flight deck.
I'll accept that Spar, but there may be other methods available.
I was installing talking fire alarm systems over 30 years ago.
I am not an aviation guy, but from a problem solving perspective I have to wonder:
Who has the ultimate control of the aircraft? The programmer/designer or the pilot.
It feels as if the designer has decided that in the case of a disagreement between the sensors and the pilots the sensors are always right and the pilot is always wrong.
One sensor apparently failed. That should not cause a crash.
Due to the failed sensor the system put the aircraft into a dive. The pilot pulled up and turned the faulty system off. That should not have caused a crash.
A designer sitting in a safe office has decided in advance that the pilots are always wrong and has the system turn itself back on.
So from a design and implementation perspective:
A life critical system is designed with two sensors, but does not check for gross and obvious errors between the sensors.
When the pilots correctly identify a malfunction and turn the system off, the system assumes that the pilots are wrong and turns the system back on.
With such a potential life threatening change in operating parameters from previous similar craft, should there not be mandatory, specific and documented training on the changes and how to deal with malfunctions?
How were these design changes approved without iron clad assurances that the implications would be made known to the pilots?
If a pilot makes an error he has a chance to correct the error.
If the designer makes an error the pilot has much less chance to correct the error.

Back in the Reagan days and the air traffic controller's strike an air traffic controller made a public statement that was not well received by the pilots.
A friend that I had known since high school was a pilot on 737s at the time.
His comment, words to the effect that:
"Before he makes statements like that, he should strap his ass in the saddle and fly the d_mm plane!"
There may be a parallel here.

From a problem solving perspective, both the design and and the implementation of the changes were fatally flawed.



Bill
--------------------
"Why not the best?"
Jimmy Carter
 
Alistair Heaton said:
Would that work with a frequency wild AC supply?
Hmm, that probably depends mostly on the device reading the resolver. Input is AC and outputs are analog AC voltage, so it would still be an AC voltage value regardless of the frequency. I'm not sure what 'frequency wild' means exactly, but I think the output voltage would not be affected a whole lot by frequency change unless it's crazy like 10-1000 hZ swings.

Brad Waybright

It's all okay as long as it's okay.
 
Waross, I mostly agree with you, but I'm sure you can imagine that this software/automation goes through a long and arduous design process with many people and organizations providing input and peer review. A single designer isn't just throwing something together that he thinks will work, which is what I do mostly, but the level of risk on systems I design is much lower and also, everything's on the ground so sometimes the worst thing that happens is that everything stops. But, as you say, when redundant or backup sensors are available, I always use them to error-check each other. That way an operator can at least know something is wrong with one of them and use his judgement to determine how to proceed. If this accident sequence was triggered by a single faulty sensor input when a backup is available, then I would consider that to be a design flaw.

Brad Waybright

It's all okay as long as it's okay.
 
AC generators on aircraft put out a varying frequency depending on the rotation speed of the N2 shaft which connects the HP turbine to the hp compressor they are geared off. So high power it will be high frequency and low it will be low. So they call it frequency wild.
 
waross you are correct, the who is in charge of the aircraft is changing with FBW and no direct linkage to the controls any more. The 737 max has direct linkage to the main flight surfaces but the trim system is now FBW. To be fair pilots have a long history of crashing serviceable aircraft for years and since the FBW has come in the accident rate has dropped.

The training about the system and the system itself I am sure will be discussed in court.


 
"Who has the ultimate control of the aircraft?"

It's mostly the programmer, for the bulk of a typical flight, since they're often running on the auto-nav system and software. Takeoffs and landings are still in the purview of the human pilot, but even then, unless they're flying a mechanically linkaged plane, there's a truckload of firmware and hardware between the stick and actual flying surfaces.

Nevertheless, flying, in general, is safer than driving, per miles traveled. The typical numbers cited claim about 90x worse odds of dying in a car, compared to a plane. Of course, those statistics are typically cited for US carriers.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! faq731-376 forum1529 Entire Forum list
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top