Boeing 737 Max8 Aircraft Crashes and Investigations [Part 2] 44

[Alistair_Heaton]

This thread is a continuation of:

thread815-445840


****************************
Another 737 max has crashed during departure in Ethiopia.

To note the data in the picture is intally ground 0 then when airborne is GPS altitude above MSL. The airport is extremely high.

The debris is extremely compact and the fuel burned, they reckon it was 400knts plus when it hit the ground.

Here is the radar24 data pulled from there local site.

It's already being discussed if was another AoA issue with the MCAS system for stall protection.

I will let you make your own conclusions.

 

[zeusfaber]

Maybe there should be a well guarded button labeled "Let humans fly the plane".

... with an electric cattle prod connected to the guard, so that if the pilot touches it while somato-gyrally/gravically deluded, the switch stays open.

... and an infallible system to decide when the cattle prod ought to be energised.

A

 

[Sparweb]

I'm going to seize on this quote from Alistair:

It started off as a single job system which only triggered an alerting system. Then the data was used to feed into other systems which wasn't a problem when those system had no direct control over the aircraft apart from say setting a cruise power. Now its being used to directly control the aircraft and its systems. But fundamentally the sensor and data handling and error trapping is the same as it was in the 1950's when it was developed when the limit of its authority was sounding an annoying alarm in the cockpit and triggering a vibrator on the stick.

It's an example of extension of the use of a device beyond its original intent or ability.
Just like the 737 has been extended beyond its original scope of performance.
So whether you focus on a narrow or a wide field, this happens. Sometimes the growth is carefully done, sometimes it's a kludge.

Here's an example:
About 15 years ago, operational regulations changed in the USA & Europe related to the heating of the pitot tubes (aerodynamic airspeed sensors). Heating them prevents ice from forming, so this example seems to be appropriate here. The rule change made it mandatory to alert the flight crew to a potential failure of the heater, letting them know that one of the airspeeds could be faulty. The rule was retroactive on aircraft based on the kind of operation used by the owner. Private owners didn't have to do this, but commercial operators flying scheduled routes did. This led to a zillion failure detection systems being figured out by technicians as "one-off" designs in dozens of aircraft types by hundreds of companies, rather than the aircraft manufacturers providing one common kit to upgrade each aircraft type that every operator could use. I got involved in a few of these, and made sure to have a number of functional and operational tests done to demonstrate that the system works every time it was installed, and include a supplement in the crew's flight manual to be clear on what the warnings mean.

Even so, for each type of aircraft and helicopter I repeated the system on, I had to come up with a new way to integrate it into the existing functions and warnings. One one aircraft, I was able to integrate the warning into the group of existing caution/warning lights, by picking my way through the fault logic board to find the spot. On another, no such caution/warning panel existed so it was just a pair of crude lights on the instrument panel, itself a crude layout from the decades before anyone heard of system design.

This is what it's like coming up with a new system, or modifying an existing system with new features on an aircraft that's already been designed and built. You have to take the machine as it is, and splice in the new stuff as smoothly as you can. If you do it well, you provide the crew with the intended improvement in their safety and a way to diagnose problems. Do it badly, and you confuse the crew or introduce a new mode of failure.

None of the aircraft or helicopters that needed this system had to undergo a FMEA, so it wasn't done. It is not part of the basic type design of most light aircraft or helicopters, certainly not old ones, and if you think about it, that's WHY they didn't have a warning system in the first place. The new rule didn't specify that FMEA was needed, either.

The introduction of that rule would have been completely different if the responsibility had been placed on the OEM's to provide the system.

No one believes the theory except the one who developed it. Everyone believes the experiment except the one who ran it.
STF

 

[LionelHutz]

I personally wouldn't want self learning AI in a plane I'm flying on. I want the system to have very well developed and vetted rules for how it responds to certain inputs, not an output it's learned that won't be known until it's required to respond to an certain set of inputs.

 

[Alistair_Heaton]

"Why not three on a $120M plane and why not a voting controller that dumps the bad one. Sigh."

Because that would have explosively destroyed the grandfather certification usage of the 737 type and meant that crew would not have been able to have done less than 1 hours training on an Ipad and gone and flown it. Plus also the avionics system would have had to have a complete re certification because I suspect it would then have been deemed FBW and all the critical software quality checks would need to have been done. We can be pretty certain they haven't. Which in the time frame they had would have been impossible. They could have junked the 737 system and then brought in the 787 FBW control system but again that would have failed the grandfather certification for the 737.

It all circulates round the bean counters/commercial stipulating a set of requirements which the lead engineer didn't have the balls or if they did to have the ability to say sex and travel.

Coming away from aviation but using a case study which I personally use while training CRM to pilots, it has aspects of the big picture of why Chernobyl went bang.

You might wonder why a pilot would use a nuclear power plant failure to facilitate crew resource management?

Its something different to what pilots are used to. They all get hammered to death with Kegworth/Tenerife and other big name aircraft crashes which AF477 is now on the list.
Give them something which is equally complex to operate, its operated by a bunch of people who don't and can't understand the big picture of the design. We can then focus discussions on the interactions between humans and the machine and the error cheese, than get involved with the excuse of are but "good airmanship" would save the day and minute detail of the technicalities of operating an aircraft.

Note that I use operating not flying an aircraft. Yes there are times we fly it. 99% of the time we are operating it and cross checking that our instructions have achieved our intent of what it was meant to do. This aircraft design has failed because the aircraft isn't predictable by the pilots and when they do choose to then fly it..... it won't let them or its already in a condition which is not recoverable.

BTW I really can't see any number of test flights proving that the system is fixed. And they might think things are bad now..... if another 737 max crashes and there is any hint that its a control software issue then the current situation will seem like it was childs play to sort out.

 

[VEBill]

...self learning AI...

The "more AI and/or Fuzzy Logic" was intended merely as a placeholder to help convey the larger point about the need for a supervisory system to help ensure optimum man-machine synergy.

Any AI obviously wouldn't be self learning in the field.

And you're correct that the field of AI is very weak in fully understanding the systems they've created. That's why I mentioned fuzzy logic.

Ensuring optimum synergy is the point.

"This
margin
is too
small..."

...to include a design spec.

 

[waross]

"Why not three on a $120M plane and why not a voting controller that dumps the bad one. Sigh."

Because that would have explosively destroyed the grandfather certification usage of the 737 type and meant that crew would not have been able to have done less than 1 hours training on an Ipad and gone and flown it"

Was management telling engineering when they should be asking engineering?

Adding AoA sensors will "have explosively destroyed the grandfather certification" but the installations of physically larger engines in such a way as to drastically alter the flight characteristics is allowed to be grandfathered?
Incredible... unbelievable.
I don't doubt you but;
A 5-Why check may not get to the root cause, but with enough Whys, there may be a hard look at the grandfathering provisions and the general oversight of the FAA.


Bill
--------------------
"Why not the best?"
Jimmy Carter

 

[Alistair_Heaton]

We will have to wait for sparweb to confirm....


But engines are not actually part of the type certification. Power plant is treated as a separate entity which is then attached. The Aircraft gets certified and the engines get certified. Then there is a process for matching the two up but its not a full certification process.

 

[RVAmeche]

That makes some sense. Engines are always being improved and changing slightly. It's probably more related to the number of engines and general location (underwing, etc) if I had to guess.

 

[itsmoked]

I'm not seeing why a sensor system supplied by a contractor to the craft maker would affect anything about the plane certs or require one second of additional training time.

Right now the AoA system is completely hidden from the pilots in that they don't have any say in which of the 2 AoA systems is running the show, or even have the ability to select which one.

The pilots are probably not privy to obscure engine control algorithms or the electronics that convert pitot tube airflow into usable electronic signals either.

So, a voting AoA controller dishes up only good AoA info for the system to use and turns on a fault light somewhere that shows AoA "2 disabled". There is still nothing for the flight crew to do, no added switches, no selectability, and same operational situation if all the AoAs choked for some reason, you're back to, "you have bad AoA deal with it." At least you'd have the chance of the voting controller actually looking at the AoA data and indicating it's all unreliable.

A voted 3-AoA controller would've prevented both these disasters, by virtue of 'something' making a viable decision about AoA information correctness.

Keith Cress
kcress -

http://www.flaminsystems.com

 

[SwinnyGG]

I'm not seeing why a sensor system supplied by a contractor to the craft maker would affect anything about the plane certs or require one second of additional training time.

Certification of an aircraft design involves a lot more than what is and is not visible to the pilots.

A significant change in control design or structure means the control design or structure needs to be re-evaluated and re-certified. The gray area is what is defined as significant and what isn't.

And... right now the AoA system IS NOT hidden from the pilots. Good AoA feedback affects the function of the autopilot and the handling law of the airplane directly- meaning even if AoA is not displayed on the HUD, feedback about its functionality is of vital importance.

 

[Lou Scannon]

This is showing potential to be one of the great engineering/management blunders in history, in terms of notoriety, and consequences. Cases that immediately come to mind are automotive, e.g. Corvair, EPA consent decree, VW "Dieselgate"...
I rule out Comet 1 as they did what they did in good faith. I rule in Corvair as the swing axle is a low cost, inferior concept for independent suspension, and GM defended it until the model year 1965 Corvair was introduced with a fully articulated rear suspension that was not susceptible to axle jacking. Aerospace cases that come to mind are few; the Challenger shuttle,... the Concorde (not because of the accident, but rather because of the frightfully low return on investment). It could be argued that the Concorde program was a catalyst for profitable technology, like Apollo, but I'm skeptical, so show me the argument.
Others? I suggest blunders committed in wartime should be treated separately, due to urgency ("the fog of war") and political interference. For instance, Hitler's repurposing of the ME-262 as a bomber, hence delaying its availability as an interceptor.

"Schiefgehen wird, was schiefgehen kann" - das Murphygesetz

 

[SnTMan]

Nobody seemed to care that the old Beetle was a swing axle as well. Or old Triumphs. Or....or... The rap on the Corvair was total BS and a hit job. But a certain do-gooder and his non-profit came out OK on it.

The problem with sloppy work is that the supply FAR EXCEEDS the demand

 

[MikeHalloran]

The Corvair incident was not quite that simple.
I always ran nearly equal tire pressures in my 64 Corvair, and it handled well.
But GM recommended absurdly low front tire pressures, in order to make it understeer.
... which it did, but then the steering became terribly imprecise.

Axle jacking was just a fantasy based on a 2D drawing that was incorrect.
In truth, the springs took a set as soon as the car was loaded, so none of the early Corvairs ever had positive camber with a driver in them.

The only real danger was that it was very easy to drive very, very fast, because even with low front tire pressure, it didn't give much warning that the tires were nearing their limits, and it didn't have a loud sound signature in the cockpit, even at speed. The engine, and the noise, was all in the back.

My 64 Corvair was no better nor worse than its competitors.
My 65 Corvair was immensely improved; I miss it still.




Mike Halloran
Stratford, CT, USA

 

[Sparweb]

Fans of the Corvair should watch season 2 of the TV series Fargo (based on the movie).

Now I'll skate out on some thin ice for a moment... hopefully I won't skid like a Corvair.
Engines are not certified as a part of the airframe, they have their own type certificates. But that doesn't mean that the integration of the powerplant isn't a major part of the aircraft's own certification process. In fact the engine's integration drives a lot of the requirements and the design. Loads, speeds, torque, inertia... all are affected. The system demands to feed a particular engine are one thing, and the energy it supplies as electricity, hot compressed air, and hydraulic pressure, drives more system design downstream.

That said, there isn't a rule that forces you to re-certify everything, specifically, when upgrading an engine. As some of you can tell, engine changes start with slight component upgrades, run through the spectrum of performance possibilities from extra power to broader RPM ranges to higher altitudes to lower fuel consumption. Keep improving performance, or completely switch to a new powerplant, and many systems will start from scratch. Because this is a grey area, not a fine line, I find that there's room built into the process for negotiation - rightly so - of the kind that assumes equal parties acting in good faith. I won't take a position on anyone not acting in good faith because there's no evidence to say so at this point.

I will repeat something I said earlier though. The scope of the changes to the 737-700/800 models in the 90's (they were stretched, given a glass cockpit and the NG engines) appeared to me to be significant enough to trigger the re-certification process. Alas, the FAA/JAA hadn't come up with rules to control that decision, yet. It is possible that the 737NG's were the impetus that convinced the FAA/JAA that they had to get this policy in writing.

No one believes the theory except the one who developed it. Everyone believes the experiment except the one who ran it.
STF

 

[waross]

Hi SparWeb. Feel free to decline comment on this.
Under Canadian regs, could an engine selection and placement that is so different than the original that the flight characteristics were altered be grandfathered under type approval?

Bill
--------------------
"Why not the best?"
Jimmy Carter

 

[Kwan]

The certification basis of the Max's is public information on the FAA.gov website.

Here is a link to the type certificate data sheet (TCDS) for the 737 series aircraft. One can see that each model is designed using specific amendment levels of the FAR's. Each platform shows the engines that are allowed for each model. The newer 737's are certified to higher amendment levels (generally) than the original.
Link

Each amendment level can be found here: Link
Interestingly the longitudinal control and longitudinal stability and control is designed to current amendment levels (25.143 amendment 108 and 25.231 amendment 108).
The longitudinal trim has an ELOS (equivalent level of safety findings) "PS12-0038-F-2" (Ref FAR 25.161 amendment 115 which is current). I would like to read this memo but I'm not sure it's public. See pdf page 96 of the TCDS.

I'm a structural guy so this stuff is quite out of my expertise and hesitate to comment. However, I have kept up with this thread and am thankful to the knowledge of the contributors!! Thanks Alistair for your pilot's point of view. I hope the above information helps.

 

[Alistair_Heaton]

Thanks for that, downloaded onto the IPad for reading in the cruise.

I will say discussing the subject here is much better than the pilot forums. Where hormones and emotional state seem to carry the day instead of informed discussion.

The certification stuff is way beyond what pilots need to know about. We get the aircraft with a thing called a service release signed by a licenced technician. There is what we call a post holder in charge of Engineering and a person called the CAMO which stands for Continuing Airworthiness Management Organisation. Between the two of them they ensure that the release for service is only given when the other paper work is correct and the plane is serviceable. So we only have to check the release for service is valid (its usually valid for between 24 and 48 hours depending on the type and the company approval). Then we can go flying. If the paper work isn't correct we don't go flying.

 

[thebard3]

Where hormones and emotional state seem to carry the day instead of informed discussion.

I'm quite familiar with this concept after 2 failed marriages. I don't think that's what you were referring, though?

Brad Waybright

It's all okay as long as it's okay.

 

[Alistair_Heaton]

Well to be honest we are all adrenalin junkies. And most of us classed as stable extroverts. With a large percentage of Alpha males.

The heated arguments and oxygen wasted about SOP's would quiet surprise you.

Should it be free on the left, clear on the left, left side free. left side clear.....

Then you get into cultural differences between nationality's, avid supporters of a particular aircraft type or make....

Must admit I do take the piss out of mates that fly ATR's..... so I am not entirely innocent about not fitting into the stereotype.

 

[Sparweb]

Under Canadian regs, could an engine selection and placement that is so different than the original that the flight characteristics were altered be grandfathered under type approval?

That's a really tough question to answer, especially for the 737's and the Leap engines.
Compare the engine thrust between a -700 model and a Max 8, and it's not really that different. Compare the placement, it's about a meter forward. Compare the diameter, it's not much larger. It's a drastic difference compared to the original 737, I agree, but model by model it just sneaks up.

I could spend hours/days trying to satisfy myself that this should go one way or another based on the information I have, but I know it would all be "armchair quarterbacking".
I did look at the policy and there's no fine line to be drawn. Advisory Circular 21.101A
That document is NOT fun to read. It's full of if/then/else/except stacks of logical deliberation. There is a table of examples in the back, which suggests all kinds of ridiculous proposed aircraft design changes, with a smattering of practical examples mixed in that I actually use in my job. Mostly I do my best to avoid ever invoking these conditions, but my excuse is the scope of the design work I do usually involves using the aircraft within its existing envelope, not expanding it.

If you want to drive yourself nuts, try it for yourself. I have to read the flow-charts slowly, and talking to myself helps. You may be most keenly interested in page A-5 from the appendix, but jumping to that part before reading the first parts will just make this discussion worse, not better. If you get that far, and still want to cite the example as a reason it should have invoked a certification change, then I'll play devil's advocate and pick apart the wording and show that it doesn't. We will go crazy trying to prove our points, but the REAL problem is that the policy is badly worded and convoluted. The examples are not very helpful, either. It's better than NO POLICY, but leaves room for misunderstanding still.

I think the FAA simply didn't want to tie its own hands on this issue, but they knew they had to do something, given the state of the industry prolonging the life of existing designs with upgrades, rather than creating new designs at the latest safety standards.

No one believes the theory except the one who developed it. Everyone believes the experiment except the one who ran it.
STF