
New FAA "system safety assessment"?


rb1957

from Flight ... "Aircraft designs must better account for pilot responses: US law"

It's worth a read. Sure Boeing could have done things better. But now (maybe this is just public-speak ?) ...
1) "The law also requires that manufacturers take steps to ensure their designs are safe even when pilots respond to failures in unanticipated ways." "unanticipated" ways ... surely if we're proving the airplane safe after some pilot response, it's not "unanticipated" ?? can we prove the airplane safe for "any" pilot input ?
2) "Additionally, within two years, new aircraft types must have improved flight crew alerting systems. Specifically, aircraft will need an alerting system that “displays and differentiates among warnings, cautions and advisories, and includes functions to assist the flight crew in prioritising corrective actions and responding to systems failures”." WTF? red for warning, amber for caution. I get what they mean ... the cockpit warnings can be a headache ... particularly if your next headache is going to be caused by the ground hitting you at a couple hundred knots. It was interesting to see the QF72 accident and how the 1st officer had his hands full with warnings and problems and had to resolve them all.

I know this (the '37 Max) is the biggest thread in Eng-Tips history (over on the "Engineering Disasters" forum) but I'm sure a big part of those accidents was pilot training. Ok, the Boeing training for the Max may have been wanting but it is also reasonably "adequate". how many safe take-offs were there ? how often did the MCAS system malfunction but the plane didn't crash ?

I wonder if the new rule will be retroactive ? Else it won't impact designs and working airplanes for another 10 years.

I feel the real issue with the '37 is that it's basically a '60s design, operating way past any reasonable lifetime. The real issue is "grandfathering". I think a TC should have a life of 20 years, and the design should be updated to the latest standard to continue production beyond that time.

another day in paradise, or is paradise one day closer ?
 

Airbus has ECAM which I'm told (pilot in the 737 thread) presents & prioritizes fault notifications & checks off checklist items in a central display.

And if you think pixels have been spilled about the 737, look at the Miami pedestrian bridge threads.
 
For complex systems with many inputs good design does this anyway.

It is not trying to anticipate every possible thing that might happen. Rather it is defining explicitly what must happen when the "expected" inputs don't happen.

Simplistically, it's the "else if" statement.

If
    A and B then reaction 1
    A and C then reaction 2
    B and D then reaction 3
Else do something defined and predictable.

 
Since Airbus is held as the exemplar then what can one make of the ability to alert and deal with the situation created by the crew of PIA 8303?
 
@3DD, there's only so much stupidity and incompetence you can allow for in your system design ?

@MJ, agreed, but I doubt you can script every possible scenario, and I doubt anyone can read and remember them all, and I think you need to account for some "mistaken actions"

another day in paradise, or is paradise one day closer ?
 
@rb1957

Hopefully flight software is not as crude as a bunch of if...then statements.

You can and should be able to script anything that falls within the limits of "expected" inputs.

Any system has a finite number of inputs. And each input has either a finite number of values, or an acceptable range of values.

So it is possible to define every possible combination of inputs - although that can be cumbersome. Fortunately it is usually possible to group big bunches of combinations that are outside "expected" or "normal" and categorize them as "failure"

Then script the reaction to failure.
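The two posts above (the "else" clause, and "enumerate every combination of a finite input space, group the out-of-range ones as failure, script the reaction") can be made concrete. The following is an added illustration written for this page; it is not code from the thread, from any aircraft program, or from any regulator. The mode flag, the two redundant channels, the ranges and the reaction names are all hypothetical. What it shows is the part a practitioner actually wants: a decision table over the declared domain, one grouped "failure" reaction for anything outside it (including two redundant readings that disagree), an explicit fallback for in-domain combinations no rule names, and a checker that walks the whole domain to report combinations that no rule, or more than one rule, covers.

```python
"""Exhaustive coverage of a finite input space with an explicit failure reaction.

Added example for this page (not the thread's or any aircraft program's code).
All names, ranges and reactions below are hypothetical.
"""
from itertools import product

# Hypothetical domains: one discrete mode flag and one measured quantity
# read from two redundant channels.
MODES = ("normal", "degraded")
LEVELS = ("low", "high")
READING_RANGE = (0.0, 20.0)    # acceptable range for each channel
DISAGREE_LIMIT = 2.0           # channels further apart than this are not trusted
FAILURE = "failure"            # single grouped reaction for anything unexpected
FALLBACK = "defined_fallback"  # explicit "else" for in-domain states no rule names

# Decision table: (reaction, predicate over a normalised state).
# Deliberately leaves (degraded, high) unnamed so the checker has something to find.
RULES = [
    ("reaction_1", lambda s: s["mode"] == "normal" and s["level"] == "low"),
    ("reaction_2", lambda s: s["mode"] == "normal" and s["level"] == "high"),
    ("reaction_3", lambda s: s["mode"] == "degraded" and s["level"] == "low"),
]


def normalise(mode, chan_a, chan_b):
    """Collapse raw inputs to a point in the finite domain, or None on failure.

    Unknown modes, out-of-range readings (NaN included, since the range test
    fails for it) and redundant channels that disagree are all grouped into
    one outcome instead of each getting bespoke handling.
    """
    lo, hi = READING_RANGE
    if mode not in MODES:
        return None
    for x in (chan_a, chan_b):
        if not isinstance(x, (int, float)) or not lo <= x <= hi:
            return None
    if abs(chan_a - chan_b) > DISAGREE_LIMIT:
        return None
    level = "low" if (chan_a + chan_b) / 2 < 10.0 else "high"
    return {"mode": mode, "level": level}


def decide(mode, chan_a, chan_b):
    """Return the reaction for one set of raw inputs; every path is defined."""
    state = normalise(mode, chan_a, chan_b)
    if state is None:
        return FAILURE
    for reaction, applies in RULES:
        if applies(state):
            return reaction
    return FALLBACK


def check_coverage(rules=RULES):
    """Enumerate the whole finite domain at design time.

    Returns (uncovered, ambiguous): states no rule names (they will fall to
    FALLBACK at runtime, which should be a deliberate choice, not an accident)
    and states more than one rule names (behaviour would depend on rule order).
    """
    uncovered, ambiguous = [], []
    for mode, level in product(MODES, LEVELS):
        state = {"mode": mode, "level": level}
        hits = [name for name, applies in rules if applies(state)]
        if not hits:
            uncovered.append(state)
        elif len(hits) > 1:
            ambiguous.append(state)
    return uncovered, ambiguous


if __name__ == "__main__":
    print(decide("normal", 4.0, 5.0))        # reaction_1
    print(decide("degraded", 15.0, 16.0))    # defined_fallback (no rule names it)
    print(decide("normal", 4.0, 9.0))        # failure: redundant channels disagree
    print(check_coverage())                  # ([{'mode': 'degraded', 'level': 'high'}], [])
```

The useful habit here is running check_coverage() as a design-time test rather than discovering the unnamed combination in service: an empty uncovered list means the "else" really is only a safety net, and an empty ambiguous list means the reaction does not depend on the order the rules happen to be written in.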
 
I'm with you 3DD. Whilst Boeing is not blameless in this (designing a system with such a single point of failure, their reaction to the first crash) I don't think they are the arch-demon that they are made out to be in the press. I wish I could find statistics on how many times the system failed but the airplane landed safely.

I do think it was an engine stretch too far, that the plane was limited because it was originally designed (in the 60s) for turbo-jets ... they had to flatten the intakes for the high bypass engines in the 90s. I think this (trouble in fitting the larger cowl) explains why they took so long in getting the Max out of Engineering (compared with the A320).

another day in paradise, or is paradise one day closer ?
 
RB,
This little rabbit hole has so many many burrows and warrens inside it...

Grandfathering is the underlying problem, absolutely. But the irony is that the "CPR" thing came about because it was perceived (by some) that Boeing had already pushed the type design too far with the 737-700's, AND YET then they push through the Max. We wouldn't have Changed Product Rule if there weren't cases like the 737-700 that the FAA got beat up about, but then they failed to apply the rule to the next expansion of the series. So that's blunder #1.

Next on our list is that system safety analysis that didn't discover the failure mode because right hands didn't know (and didn't check) what left hands were doing. And it's been proven that some of the left hands were sinister, indeed. More irony because the SSA is supposed to move through phases (SAE ARP4761) that Boeing doesn't use but everyone else in the world is forced to. The phases are meant to set preliminary targets and then go back and check to make sure those targets were met. The drastic change in MCAS functions should have raised the red flag there.

One more is the training which deliberately concealed changes to the pilot procedure required to respond to a particular type of system failure. Since the procedure that was released was not specific enough to give flight crews insight into the nature of the failure that could be occurring, there were two holes of the swiss cheese lined up right there.

Then you get the situation in the cockpit as it happens, when alarms start going off and they dictate several responses must be carried out but somehow prioritized according to the level of threat each one poses. Well sorry folks but the right response to MCAS runaway is not on that list because the alarms aren't telling you that's the problem.

How could I forget the rapidly mounting control forces. Perhaps in training you could attach a big spring to the control column and remind them to keep the nose up, which takes both hands of a strong man to accomplish. Take that all you advocates of female flight crews, pass the test on the bench press. Have you watched the video of the pilots in a full-feature simulator demonstrating a trim-runaway and the manual cranking of the trim wheel? It's a lot of fun watching two grown men sweat through it.

Whew. Now that we've worked our way through that disaster, I still think I missed a few items. Now we also find some folks kindly pointing out that a cacophony of noise in the cockpit is not conducive to troubleshooting or crew resource management. Duh! This is one of the findings that were published in the JTAB report last year. That evaluation referred to other findings where crew inability to distinguish specific responses during multiple alerts played a factor in an accident. Things like this were seized upon by the Senate reports, too. If you read back through the press at the beginning of this disaster, recommendations were being made very early on that the crew alerts were going to be an issue. This was announced so early in the investigation process (by Transport Canada) that it must have been an outstanding problem that was recognized before, and just couldn't be ignored any more (except by the FAA, of course).


 
What alarms should sound for trim runaway, which was expected to be due to an unexpected electrical short in the wiring that mimics pushing the button on the control wheel? Airbus doesn't have one for when their computers command a trim runaway. Maybe that's why cockpit management is one pilot looks at the panels and the other one keeps pressing the trim switch when the pitch force gets too high. That button that requires the full strength of a thumb? One wonders how the crew of the first MCAS operation managed to keep the plane in trim with the trim wheel without breaking a sweat.

Anyway, the Ethiopian pilots explained how they would crash the plane when given the chance. I missed that discussion in the Senate report.
 
My 2-cents/perspective...

The ultimate problem with new generation aircraft designs is our ability to incorporate complexity [mechanical, electrical, software, aerodynamics, etc] into the designs... and our moth-to-the-flame passion for packing-it-in. This results in man-machine interfaces that have become exponentially more complex in years... not over generations.

Imagine any [2] pilots [commercial aviation scenario] with ordinary [but good quality] training interfacing with a new aircraft with inherently different flight characteristics than previous versions and that has both maintenance and software complexities and quirks... that the pilots and supporting personnel [maintainers, managers, etc] have yet to fully grasp... how the new-damn-thing-really-works... and what can happen when it doesn't work [properly/logically].

"A complex system [that works] is invariably found to have evolved from a simple system that works."
This quote presumes one factor that is now a 'wild-card'... it presumes steady evolution of both 'the system' and the operating humans... IE designers, builders, pilots, loading crews, maintainers, etc. HOWEVER... in real terms it seems that the complexity of new aircraft is accelerating precipitously... while most humans are ‘a mile-behind’.

Years ago I absorbed a 'funny' quote... that has evolved beyond humor to 'very serious' over-time: the human factor is the hardest to merge in the human-machine interface.
Airplanes are designed by people with BS, MS and Doctorate degrees.
Airplanes are flown by people that mostly have college degrees.
Airplanes are maintained by people that mostly have high school degrees.

Murphy stated the inevitability of failures in the most simple and memorable fashion... "Anything that can go wrong - will go wrong".
NOTE.

As a ‘similarity example’ I present an article on the complexity of human-to-human [H2H] interactions. NOW... To make this example relevant to the human-machine interface: try ‘squinting’ to see this example with the addition of complex-machines added into this ‘equation’.

Complexity in the Lines-of-Communication between People
3 people 3-lines
4 people 6-lines
5 people 10-lines
6 people 15-lines
7 people 21-lines
8 people 28-lines
9 people 36-lines
10 people 45-lines
11 people 55-lines
12 people 66-lines
13 people 78-lines
14 people 91-lines

NOW... to make all of this even more difficult... factor-in the ‘global’ nature of our business... countries, cultures, languages, training, stressors, etc-etc of the many human complexities. Uhhhhh my head hurts.

NOTE. Military aircraft have been evolving with massive layers of operational complexity and training needs. These aircraft are so complex there appears to be a trend for inserting artificial intelligence into the flight systems and into maintenance/diagnosis data systems... so it [will] function as a 'smart co-pilot' and as a 'smart mechanic'. This has also been expanding to 'high performance UAVs' that will fly as 'loyal wingman to manned combat aircraft'.



Regards, Wil Taylor
o Trust - But Verify!
o We believe to be true what we prefer to be true. [Unknown]
o For those who believe, no proof is required; for those who cannot believe, no proof is possible. [variation,Stuart Chase]
o Unfortunately, in science what You 'believe' is irrelevant. ["Orion", Homebuiltairplanes.com forum]
 
We have been assured that the 737 MAX is now a perfectly safe aircraft by Boeing and by international regulators.
A question;
In the event of a trim runaway, can the pilots turn the manual trim wheels?
Yes or no please.

Bill
--------------------
Ohm's law
Not just a good idea;
It's the LAW!
 
Yes. Just like they worked for the first crew which flew for 90 trouble-free minutes, at least for maintaining control of the plane after shutting off the trim motors, including an impromptu test to confirm the trim problem persisted. Other than the AoA system not falling over on disagree there have been no other causes** for needing to use the manual trim wheels.

**It's informed speculation; the fact is if there was a case it would certainly have been uncovered and crowed about. Just like there would be details about how this trim-wheel problem, which was clearly demonstrable on the NG for the last 20+ years but was never noticed by any pilot, would have also been exposed.
 