planecane
Posts: 718
Joined: Thu Feb 09, 2017 4:58 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 10:40 am

Interested wrote:
So we need the incidence or having to use trim on Max 737 to be as low as on the NG to be able to maintain safety levels?

Preferably with pilots that are trained properly and can handle runaway stabilizer on both. Unless trim is accomplished only with the manual trim wheel, the incidence of runaway stabilizer will never be zero. If I'm on the 1 in 100,000,000 flight where it happens, I pray the pilots have the skill and knowledge to recover.
 
kalvado
Posts: 1709
Joined: Wed Mar 01, 2006 4:29 am

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 10:51 am

planecane wrote:
Interested wrote:
So we need the incidence or having to use trim on Max 737 to be as low as on the NG to be able to maintain safety levels?

Preferably with pilots that are trained properly and can handle runaway stabilizer on both. Unless trim is accomplished only with the manual trim wheel, the incidence of runaway stabilizer will never be zero. If I'm on the 1 in 100,000,000 flight where it happens, I pray the pilots have the skill and knowledge to recover.

If blowback explanation is correct, real trim runaway is unrecoverable in NG, at least not using NG procedures.
 
mjoelnir
Posts: 8361
Joined: Sun Feb 03, 2013 11:06 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 10:56 am

planecane wrote:
Interested wrote:
So we need the incidence or having to use trim on Max 737 to be as low as on the NG to be able to maintain safety levels?

Preferably with pilots that are trained properly and can handle runaway stabilizer on both. Unless trim is accomplished only with the manual trim wheel, the incidence of runaway stabilizer will never be zero. If I'm on the 1 in 100,000,000 flight where it happens, I pray the pilots have the skill and knowledge to recover.


And I would also like to fly on planes, where the runaway stabilizer trim procedure would be working well. If the runaway stabilizer trim event would be a daily occurrence, nobody would accept the current manual wheel not working in part of the frames flight envelope. We would furthermore very likely see a switch allowing manual electrical trim, but cutting off automatic trim.
The MCAS situation is also that bad, because the intended backup is not really working. All the work has in the last decades have rather been to make runaway trim events to nearly disappear.
 
planecane
Posts: 718
Joined: Thu Feb 09, 2017 4:58 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 10:58 am

kalvado wrote:
planecane wrote:
Interested wrote:
So we need the incidence or having to use trim on Max 737 to be as low as on the NG to be able to maintain safety levels?

Preferably with pilots that are trained properly and can handle runaway stabilizer on both. Unless trim is accomplished only with the manual trim wheel, the incidence of runaway stabilizer will never be zero. If I'm on the 1 in 100,000,000 flight where it happens, I pray the pilots have the skill and knowledge to recover.

If blowback explanation is correct, real trim runaway is unrecoverable in NG, at least not using NG procedures.

This is not true. First, it is possible and likely that the thumb switch can be used to electrically trim before cutting off electric trim. This is part of the NG (and MAX) procedure.

Second, although described differently the "roller coaster" procedure is still in the NG training manual. I quoted it a few weeks ago. It's a more technically worded but it says the stabilizer needs to be unloaded in extreme situations.
 
kalvado
Posts: 1709
Joined: Wed Mar 01, 2006 4:29 am

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 11:03 am

planecane wrote:
kalvado wrote:
planecane wrote:
Preferably with pilots that are trained properly and can handle runaway stabilizer on both. Unless trim is accomplished only with the manual trim wheel, the incidence of runaway stabilizer will never be zero. If I'm on the 1 in 100,000,000 flight where it happens, I pray the pilots have the skill and knowledge to recover.

If blowback explanation is correct, real trim runaway is unrecoverable in NG, at least not using NG procedures.

This is not true. First, it is possible and likely that the thumb switch can be used to electrically trim before cutting off electric trim. This is part of the NG (and MAX) procedure.

Second, although described differently the "roller coaster" procedure is still in the NG training manual. I quoted it a few weeks ago. It's a more technically worded but it says the stabilizer needs to be unloaded in extreme situations.

You realize that in a real runaway thumb switch can cause anything between no effect in case of simple problem to circuit breaker trip if you're lucky and electric fire as the worse case?
 
planecane
Posts: 718
Joined: Thu Feb 09, 2017 4:58 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 11:04 am

mjoelnir wrote:
planecane wrote:
Interested wrote:
So we need the incidence or having to use trim on Max 737 to be as low as on the NG to be able to maintain safety levels?

Preferably with pilots that are trained properly and can handle runaway stabilizer on both. Unless trim is accomplished only with the manual trim wheel, the incidence of runaway stabilizer will never be zero. If I'm on the 1 in 100,000,000 flight where it happens, I pray the pilots have the skill and knowledge to recover.


And I would also like to fly on planes, where the runaway stabilizer trim procedure would be working well. If the runaway stabilizer trim event would be a daily occurrence, nobody would accept the current manual wheel not working in part of the frames flight envelope. We would furthermore very likely see a switch allowing manual electrical trim, but cutting off automatic trim.
The MCAS situation is also that bad, because the intended backup is not really working. All the work has in the last decades have rather been to make runaway trim events to nearly disappear.


The backup does work, the documentation and training are the issues. If the Lion Air crew had either continued trimming or cut off electric trim when they were back in trim they wouldn't have crashed. If the ET crew would have gotten back in trim with electric trim before cutting it off they wouldn't have crashed (under the assumption that PW100's theory that the trim wouldn't move past 2.3 units is not proven correct). This is not intended as a "blame the pilots" post.
 
smartplane
Posts: 876
Joined: Fri Aug 03, 2018 9:23 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 11:05 am

Interested wrote:
Very well said on both counts. It's the planes that are grounded. Not airlines or pilots. And it's certainly not just a software glitch.

That simple paragraph sums up the current situation perfectly.
 
morrisond
Posts: 1082
Joined: Thu Jan 07, 2010 12:22 am

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 11:06 am

asdf wrote:
DenverTed wrote:
h1fl1er wrote:
it's unclear whether the NG could be certified under the version of the FARs that mandates the current force gradient. 767s for the .mil have the mcas as well.


Yes, would the NG need MCAS if it were certified today? Since MCAS was designed to meet a force gradient spec., what is the force gradient of the -700, -900, MAX 7 to MAX 10? That would explain a lot.


you find it dozens of dozens times explained here in the thread

its all about the size of the engines
they don't fit under the wings because the wings have less clearance below the wings than other planes like the bus 320 and others

B extended the landing gear once to fit the larger engines on the NG years ago
but they can't extend it any more now

so they needed to move the engines in front of the wing to get them fixed on that bird
and that is the problem

I am pretty sure there is no aircraft designer who would fix engines like that if he had the choice
because it makes the planes flight characteristic questionable

some say its all only about certification
others say its simply not safe

fact is B needs on the MAX electronic aids to compensate the momentum which arises because of that not suitable position of the engines - not below but - in front of the wings

all the other stuff like MCAS, AOA-problems, AOA-indicator, to less elevator authority and else are simply a result of the engines, fixed at a unsuitable point because they would not have enough ground clearance otherwise


You have to take a look at the 787 vs MAX then - they are mounted roughly in the same way/spot.

You can't generalize about aerodynamics like you have - they are way too complex - and it's not about creating momentum - the controls just get lighter than allowed by the FAR's in certain situations which in normal airline operations would be few and far between.
 
planecane
Posts: 718
Joined: Thu Feb 09, 2017 4:58 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 11:09 am

kalvado wrote:
planecane wrote:
kalvado wrote:
If blowback explanation is correct, real trim runaway is unrecoverable in NG, at least not using NG procedures.

This is not true. First, it is possible and likely that the thumb switch can be used to electrically trim before cutting off electric trim. This is part of the NG (and MAX) procedure.

Second, although described differently the "roller coaster" procedure is still in the NG training manual. I quoted it a few weeks ago. It's a more technically worded but it says the stabilizer needs to be unloaded in extreme situations.

You realize that in a real runaway thumb switch can cause anything between no effect in case of simple problem to circuit breaker trip if you're lucky and electric fire as the worse case?


The thumb switch has priority over automatic trim. If what you say is likely then using manual electric trim wouldn't be part of the procedure on the NG or earlier.

The way the procedure is written, it seems to me that Boeing believes most runaway stabilizer events would be caused by automatic trim going berserk. The dual thumb switch configuration makes the switches causing it extremely unlikely.
 
planecane
Posts: 718
Joined: Thu Feb 09, 2017 4:58 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 11:15 am

Noshow wrote:
The longer it takes the more it starts to feel uncomfortable to fly on a MAX to me I have to say. It should get some new certification as a different type after being modified as required. Just insisting on it being so similar to the NG doesn't cut it for me. Train the pilots properly and when they are happy we are good to go again. Grounding it for longer times will be more expensive than everything else.

That makes no sense. The longer it is grounded the more likely that the fix is implemented and reviewed properly. I would have been uncomfortable if the fix was completed and approved in a couple of weeks.
 
kalvado
Posts: 1709
Joined: Wed Mar 01, 2006 4:29 am

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 11:17 am

planecane wrote:
kalvado wrote:
planecane wrote:
This is not true. First, it is possible and likely that the thumb switch can be used to electrically trim before cutting off electric trim. This is part of the NG (and MAX) procedure.

Second, although described differently the "roller coaster" procedure is still in the NG training manual. I quoted it a few weeks ago. It's a more technically worded but it says the stabilizer needs to be unloaded in extreme situations.

You realize that in a real runaway thumb switch can cause anything between no effect in case of simple problem to circuit breaker trip if you're lucky and electric fire as the worse case?


The thumb switch has priority over automatic trim. If what you say is likely then using manual electric trim wouldn't be part of the procedure on the NG or earlier.

The way the procedure is written, it seems to me that Boeing believes most runaway stabilizer events would be caused by automatic trim going berserk. The dual thumb switch configuration makes the switches causing it extremely unlikely.

You cannot nitpick which failure modes emergency procedures should handle. Power off to the circuit trumps everything, so it is the real emergency procedure. Guessing if it really software glitch then do this, vs rat biting wire bundle then maybe try something else is a good idea when you have some time to figure it out. Not when catastrophic failure is only seconds away.
To make things worse, operation of electric trim in severe mistrim situation is not a given. More likely than not there will be bad problems.
 
User avatar
Momo1435
Posts: 851
Joined: Sat Aug 25, 2012 2:33 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 11:20 am

Interested wrote:
Momo1435 wrote:
Interested wrote:
Very well said on both counts. It's the planes that are grounded. Not airlines or pilots. And the software patch Boeing promised to fix the glitch within 2 weeks (that they had already been working on since Lion air) never materialised did it?

The Software patch is there, it's only the certification that takes longer then Boeing expected.

I think that the technical issues of the MAX and the issues surrounding the certification are 2 different processes. The fix for the software is there, and will probably be working as it should making the MAX safe to fly again. Remember that it was not the instability caused by the engine placement that caused the crashes, it was the botched MCAS software. And we will only see more and more software in future planes, so the fact that software is needed should not be seen as the core problem as long as the software is properly designed. But now there are doubts about the initial certification process the handbrakes are pulled on a quick certification on the MCAS fix. This is what Ed Bastian means with the industry being in shock, it's much more then just Boeing messing up the software. It's much more important to know how this was not caught by the industry before the crashes even happened.

And when it comes to this discussion in this thread I would say that the main issue is that it's too reactive. The pilot error talk is fueled by claims that the MAX is completely unsafe, which is already a reaction to claims that nothing is wrong. So it just goes round in circles, only resulting in more insinuations and personal attacks every time this circle is completed. This makes it pretty much impossible to follow this thread for people who just want to read new information and proper insights surrounding on the grounding of the MAX.


Of course the plane isnt "completely unsafe"

Aren't we faced though with a very unusual situation where we have a grandfathered plane that was initially (at least) far less safe than the plane it grandfathered? That's why we have two disasters and a grounding on our hands.

I'm sure it's accepted that the grandfathering system on planes is there (in a very large part) to build on safety of the previous plane and hopefully improve on it?

I can't see how even with the very best software, communication, manuals and/or training from now on that this plane can ever be as safe as the plane it grandfathered? The are inherent extra risks and things that can go wrong that just weren't there before.

So the question surely has to be - how those new risks can be minimised to the nth degree and once they are is the extra risk acceptable?

I think the problem is magnified as there will be at least 5,000 of these planes flying 25,000 times plus per day if all goes to plan. So far we've had 2 crashes with less than 400 of these planes even built and flying.

So even minimal increase in risk can become a significant number in terms of potential disasters

What actually is an acceptable increase in risk from needing MCAS and all that comes with it to allow this plane in the air ?

0.000001 per cent more chance of a crash compared to NG after all the extra software work, training and communication is done etc - at first glance to me would seem brilliant figures and a great result from where we are now IMO

But I multiply that out over 25,000 flights per day around the world in the future and that's still 9 extra crashes per year! Nobody would accept those stats of course.

We know there are extra risks involved with MCAS. We all surely have to accept that if the plane is to fly again - but realistically what's the lowest that those extra risks can be reduced to compared to the NG plane without MCAS?

0.0000001 per cent extra risk of a crash compared to NG due to MCAS still gives 1 MCAS crash per year in the future with 5,000 max 737 planes in the air. Still clearly unacceptable by modern aviation expectations.

The numbers scare me.

Isn't that a real tough ask that Boeing and co are up against?

How do they get the inherent extra risks from having MCAS on the plane below those what seem tiny extra risk levels to me above?

The CEO has promised Max 737 will be one of the safest planes in the air in the future. How can it possibly be as safe as NG? And if not what extra risk level is acceptable?

As an outsider looking in this seems a very tough question to answer.

Is my maths right?

Have I missed anything?


You missed one major point, a properly working MCAS should not crash a plane.

So the MAX with the proper MCAS should be as safe as the NG. That's is what Boeing has to do right now, proof to the regulators that their software fix for the MCAS is now working as it should.
 
Noshow
Posts: 883
Joined: Wed Jun 15, 2016 3:20 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 11:21 am

That makes no sense. The longer it is grounded the more likely that the fix is implemented and reviewed properly. I would have been uncomfortable if the fix was completed and approved in a couple of weeks.


The longer it takes the more complex the issues behind seem to be. It's not a fast fix anymore. We learned about forgotten infos to the FAA and such. The whole certification process and it's oversight had problems.
 
xmp125a
Posts: 196
Joined: Mon Mar 11, 2019 6:38 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 11:24 am

planecane wrote:
However, in the hypothetical situation where they had a runaway stabilizer on the NG along with the other parameters, I believe that they still would have crashed. I don't think you can say that they were well trained for the safe operation of the NG. I think the few orders of magnitude higher incidence of runaway stabilizer on the MAX due to MCAS makes it appear that your statement is true.


Well. How many times runaway stabilizer happened in NG? These two flights did not have runaway stabilizer, they had faulty software which manifests quite differently.

I just checked ASIAS/ASRS and there is 0 reports on 737 runaway stabilizer - (as a side note, there is concerning number of reports regarding MD8x planes).
In ASIAS/AIDS database there is only one entry, from 1985, concerning DC9.

I think that is very reasonable to argue "if the plane would not be MAX, it would not crash".
 
kalvado
Posts: 1709
Joined: Wed Mar 01, 2006 4:29 am

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 11:25 am

Momo1435 wrote:
Interested wrote:
Momo1435 wrote:
The Software patch is there, it's only the certification that takes longer then Boeing expected.

I think that the technical issues of the MAX and the issues surrounding the certification are 2 different processes. The fix for the software is there, and will probably be working as it should making the MAX safe to fly again. Remember that it was not the instability caused by the engine placement that caused the crashes, it was the botched MCAS software. And we will only see more and more software in future planes, so the fact that software is needed should not be seen as the core problem as long as the software is properly designed. But now there are doubts about the initial certification process the handbrakes are pulled on a quick certification on the MCAS fix. This is what Ed Bastian means with the industry being in shock, it's much more then just Boeing messing up the software. It's much more important to know how this was not caught by the industry before the crashes even happened.

And when it comes to this discussion in this thread I would say that the main issue is that it's too reactive. The pilot error talk is fueled by claims that the MAX is completely unsafe, which is already a reaction to claims that nothing is wrong. So it just goes round in circles, only resulting in more insinuations and personal attacks every time this circle is completed. This makes it pretty much impossible to follow this thread for people who just want to read new information and proper insights surrounding on the grounding of the MAX.


Of course the plane isnt "completely unsafe"

Aren't we faced though with a very unusual situation where we have a grandfathered plane that was initially (at least) far less safe than the plane it grandfathered? That's why we have two disasters and a grounding on our hands.

I'm sure it's accepted that the grandfathering system on planes is there (in a very large part) to build on safety of the previous plane and hopefully improve on it?

I can't see how even with the very best software, communication, manuals and/or training from now on that this plane can ever be as safe as the plane it grandfathered? The are inherent extra risks and things that can go wrong that just weren't there before.

So the question surely has to be - how those new risks can be minimised to the nth degree and once they are is the extra risk acceptable?

I think the problem is magnified as there will be at least 5,000 of these planes flying 25,000 times plus per day if all goes to plan. So far we've had 2 crashes with less than 400 of these planes even built and flying.

So even minimal increase in risk can become a significant number in terms of potential disasters

What actually is an acceptable increase in risk from needing MCAS and all that comes with it to allow this plane in the air ?

0.000001 per cent more chance of a crash compared to NG after all the extra software work, training and communication is done etc - at first glance to me would seem brilliant figures and a great result from where we are now IMO

But I multiply that out over 25,000 flights per day around the world in the future and that's still 9 extra crashes per year! Nobody would accept those stats of course.

We know there are extra risks involved with MCAS. We all surely have to accept that if the plane is to fly again - but realistically what's the lowest that those extra risks can be reduced to compared to the NG plane without MCAS?

0.0000001 per cent extra risk of a crash compared to NG due to MCAS still gives 1 MCAS crash per year in the future with 5,000 max 737 planes in the air. Still clearly unacceptable by modern aviation expectations.

The numbers scare me.

Isn't that a real tough ask that Boeing and co are up against?

How do they get the inherent extra risks from having MCAS on the plane below those what seem tiny extra risk levels to me above?

The CEO has promised Max 737 will be one of the safest planes in the air in the future. How can it possibly be as safe as NG? And if not what extra risk level is acceptable?

As an outsider looking in this seems a very tough question to answer.

Is my maths right?

Have I missed anything?


You missed one major point, a properly working MCAS should not crash a plane.

So the MAX with the proper MCAS should be as safe as the NG. That's is what Boeing has to do right now, proof to the regulators that their software fix for the MCAS is now working as it should.

Not exactly. Looks like NG is not as safe as it should be. Not in terms of practical numbers, when crashes seem to be not directly related to design, but in terms of rare events which are still subject to regulation, and exposed by ongoing events. I doubt NG would be grounded for those issues, but possibly max will not be ungrounded until those are resolved
 
planecane
Posts: 718
Joined: Thu Feb 09, 2017 4:58 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 11:32 am

xmp125a wrote:
planecane wrote:
However, in the hypothetical situation where they had a runaway stabilizer on the NG along with the other parameters, I believe that they still would have crashed. I don't think you can say that they were well trained for the safe operation of the NG. I think the few orders of magnitude higher incidence of runaway stabilizer on the MAX due to MCAS makes it appear that your statement is true.


Well. How many times runaway stabilizer happened in NG? These two flights did not have runaway stabilizer, they had faulty software which manifests quite differently.

I just checked ASIAS/ASRS and there is 0 reports on 737 runaway stabilizer - (as a side note, there is concerning number of reports regarding MD8x planes).
In ASIAS/AIDS database there is only one entry, from 1985, concerning DC9.

I think that is very reasonable to argue "if the plane would not be MAX, it would not crash".

We can argue the semantics of "continuous" for runaway stabilizer until we are blue in the face but your data gets to the root of the issue. Since it really never happens, training for it had probably not been adequate for decades. Unfortunately, the safety analysis by Boeing assumed that pilots were well trained on it and didn't think it was a big deal if MCAS caused a runaway stabilizer. It was a very bad assumption that led to acceptance of a single sensor MCAS design.
 
Noshow
Posts: 883
Joined: Wed Jun 15, 2016 3:20 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 11:33 am

The NG seems to do well. It's the MAX that needs mods.
 
User avatar
PixelFlight
Posts: 417
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 11:37 am

planecane wrote:
xmp125a wrote:
SEU wrote:
There was nothing telling the pilots what it was as the light wasnt there, by the time they flicked through 200 odd pages to find the answer to something that even ETs MAX Simulator (which boeing has now admitted didnt act like a MAX in flight) couldnt teach them, they were dead.


To me the question is very simple (Boeing had made it very simple by insisting that there only superficial differences between 737NG and 737MAX, like different position of switches, etc)

So the question is Had the LionAir and ET crew been sitting in 737NG, not 737MAX and everything else would be the same - e.g. AoA failure, flight parameters, and their response, WOULD THEY CRASH?

I think the answer to this is pretty simple. They would not. So they were trained for safe operation of NG, but not for the safe operation of MAX. The key Boeing argument "no additional training" goes down the toilet. The longer they insist on it, the worse they look.

The question about pilot training is immaterial in this case, if it is established that their action in NG would not result in accident, but in MAX it resulted in loss of life.


However, in the hypothetical situation where they had a runaway stabilizer on the NG along with the other parameters, I believe that they still would have crashed. I don't think you can say that they were well trained for the safe operation of the NG. I think the few orders of magnitude higher incidence of runaway stabilizer on the MAX due to MCAS makes it appear that your statement is true.

I think that you are mixing 4 different nodes (1)(2)(3)(4) of a failure mode analysis. In a failure mode analysis you can have situation where you have an increase of susceptibility and you can have situation where you have an increase of triggering event. In the case of the MCAS erratic high AoA value, the (1) triggering event (erratic high AoA value) probability was the same as for the NG. The change was that the (2) MCAS increased the susceptibility causing nose action down. The "standard" stab runaway event failure mode (3) susceptibility and (4) trigger probability that already exists on the NG stay the same on the MAX.

Once you remove the (2) node that killed 346 peoples (f.ex. with MCAS v2 if is work perfectly), you end up with the same graph as the NG. So the "xmp125a" statement is true.
 
morrisond
Posts: 1082
Joined: Thu Jan 07, 2010 12:22 am

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 11:38 am

smartplane wrote:
Interested wrote:
Very well said on both counts. It's the planes that are grounded. Not airlines or pilots. And it's certainly not just a software glitch.

That simple paragraph sums up the current situation perfectly.



No - Boeing really screwed up - the software was totally not robust enough - it was not as though there was a mistake in one line a.k.a a glitch. Plus the FAA needed to do a lot better job. The MAX shouldn't be ungrounded until the fix is proven very robust.

As for the involved Airlines and there training procedures - I wouldn't be letting them into Western airspace until they prove that there pilots have a better grasp of manual flight and how to control airplanes in case the nannies fail than they have demonstrated.

However I would also require this of all Pilots Worldwide as part of recurrent training - All (I use all loosely - I'm sure there are many great pilots out there - but the lowest common denominator doesn't seem like they have the assumed skills they need as part of assumptions of Airliner certification) pilots seem to have become way too reliant on the Nannies and have lost the manual flying skills needed for safe flight when they fail.

There are unfortunately many examples of this in the west as well - and confessions on these boards and others of what is not being trained anymore.
 
planecane
Posts: 718
Joined: Thu Feb 09, 2017 4:58 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 11:38 am

kalvado wrote:
planecane wrote:
kalvado wrote:
You realize that in a real runaway thumb switch can cause anything between no effect in case of simple problem to circuit breaker trip if you're lucky and electric fire as the worse case?


The thumb switch has priority over automatic trim. If what you say is likely then using manual electric trim wouldn't be part of the procedure on the NG or earlier.

The way the procedure is written, it seems to me that Boeing believes most runaway stabilizer events would be caused by automatic trim going berserk. The dual thumb switch configuration makes the switches causing it extremely unlikely.

You cannot nitpick which failure modes emergency procedures should handle. Power off to the circuit trumps everything, so it is the real emergency procedure. Guessing if it really software glitch then do this, vs rat biting wire bundle then maybe try something else is a good idea when you have some time to figure it out. Not when catastrophic failure is only seconds away.
To make things worse, operation of electric trim in severe mistrim situation is not a given. More likely than not there will be bad problems.


You'd better contact Boeing since power off does not trump everything in the certified and published procedure. Grasp and hold the wheel is the last step even though it should override anything.

I think a rat eating wires and causing a short circuit is pretty unlikely. It would have to strip enough from both wires that the insulation further away wouldn't keep separation. I think a rat is more likely to cause an open circuit.
 
Thorkel
Posts: 15
Joined: Mon Dec 15, 2014 2:38 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 11:39 am

planecane wrote:
xmp125a wrote:
SEU wrote:
There was nothing telling the pilots what it was as the light wasnt there, by the time they flicked through 200 odd pages to find the answer to something that even ETs MAX Simulator (which boeing has now admitted didnt act like a MAX in flight) couldnt teach them, they were dead.


To me the question is very simple (Boeing had made it very simple by insisting that there only superficial differences between 737NG and 737MAX, like different position of switches, etc)

So the question is Had the LionAir and ET crew been sitting in 737NG, not 737MAX and everything else would be the same - e.g. AoA failure, flight parameters, and their response, WOULD THEY CRASH?

I think the answer to this is pretty simple. They would not. So they were trained for safe operation of NG, but not for the safe operation of MAX. The key Boeing argument "no additional training" goes down the toilet. The longer they insist on it, the worse they look.

The question about pilot training is immaterial in this case, if it is established that their action in NG would not result in accident, but in MAX it resulted in loss of life.


However, in the hypothetical situation where they had a runaway stabilizer on the NG along with the other parameters, I believe that they still would have crashed. I don't think you can say that they were well trained for the safe operation of the NG. I think the few orders of magnitude higher incidence of runaway stabilizer on the MAX due to MCAS makes it appear that your statement is true.


I wouldn’t trivialise a ‘few orders of magnitude incidence’ of runaway trim. Functional Safety analysis is all probabilistic - we rarely talk in absolutes.

Let’s say you’re doing a Layers Of Protection Analysis or bow tie. You have an initiating event frequency, which is where the Max appears to differ significantly from the NG. You then have risk controls which have an associated Probability of Failure on Demand (PFD - For a low demand application) - these reduce the risk level. The risk controls can be split into two types - those that prevent Loss Of Control (on the left hand side of the bow tie) and those that mitigate or prevent a Loss Of Control turning into a hazard (the right hand side of the bow tie). You want sufficient independent layers of risk controls that a) ultimately get the residual risk down to an acceptable risk level and b) are demonstrably As Low As Reasonably Practicable (ALARP).

Looking at this from my armchair, there are big issues here:
1. An initiating event frequency going up by several orders of magnitude is a real problem. It will likely drag any residual risk out of the acceptable or tolerable residual risk zone, and if that’s an increase in comparison with a previous model you’ll have a hard time proving ALARP. You need to get the risk back down, either by reducing the initiating event frequency, by beefing up risk controls to make them more effective (lower PFD) or by introducing more independent risk controls.

2. Risk controls are never assumed to be perfect, and in the industry I work in we’d rarely consider people (no matter how well skilled and educated) as a sole safety critical risk control. A person based control must be part of a series of layers that ultimately result in the residual risk being acceptable. That means we typically allow, at best, a PFD of 0.1 for a human based risk control - in other words we expect people, at best, to get a risk control wrong once in every ten attempts when they’re required to do that task in an emergency to prevent a problem turning into something worse. The human based risk control should be just one in many layers of risk controls so that failure shouldn’t always result in a significant consequence by itself.

We would have a hard time justifying a human based control having a PFD of less than 0.1. If the safety case has a low initiating event frequency, multiple layers of protection, and you end up with an acceptable residual risk then that’s fine - in other words, in the NG case, people can be a long way from perfect in conducting the manual trim checklist and there is still an acceptable safety argument.

However, if your initiating event frequency goes up by an order of magnitude or more, we’d have an extremely hard time making a safety argument that a human based control could be beefed up sufficiently to still argue the system is safe - legislation, best practice and precedent would likely prevent that argument being accepted.

If you’ve got a situation when an initiating event has gone up by several orders of magnitude, your main solutions for making a successful safety argument from my perspective are to either get the initiating frequency back down, or introduce additional safety-rated engineering risk controls. Expecting people to have a PFD of 0.01 or 0.001 conducting a safety critical risk control in an emergency situation is just not done - I’ve never seen it accepted.
 
kalvado
Posts: 1709
Joined: Wed Mar 01, 2006 4:29 am

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 11:42 am

planecane wrote:
kalvado wrote:
planecane wrote:

The thumb switch has priority over automatic trim. If what you say is likely then using manual electric trim wouldn't be part of the procedure on the NG or earlier.

The way the procedure is written, it seems to me that Boeing believes most runaway stabilizer events would be caused by automatic trim going berserk. The dual thumb switch configuration makes the switches causing it extremely unlikely.

You cannot nitpick which failure modes emergency procedures should handle. Power off to the circuit trumps everything, so it is the real emergency procedure. Guessing if it really software glitch then do this, vs rat biting wire bundle then maybe try something else is a good idea when you have some time to figure it out. Not when catastrophic failure is only seconds away.
To make things worse, operation of electric trim in severe mistrim situation is not a given. More likely than not there will be bad problems.


You'd better contact Boeing since power off does not trump everything in the certified and published procedure. Grasp and hold the wheel is the last step even though it should override anything.

I think a rat eating wires and causing a short circuit is pretty unlikely. It would have to strip enough from both wires that the insulation further away wouldn't keep separation. I think a rat is more likely to cause an open circuit.

And now we're starting to get close to proper training manual for 737 pilots. Should we also require EE degree as part of 737 type rating?
 
mjoelnir
Posts: 8361
Joined: Sun Feb 03, 2013 11:06 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 12:01 pm

planecane wrote:
kalvado wrote:
planecane wrote:
Preferably with pilots that are trained properly and can handle runaway stabilizer on both. Unless trim is accomplished only with the manual trim wheel, the incidence of runaway stabilizer will never be zero. If I'm on the 1 in 100,000,000 flight where it happens, I pray the pilots have the skill and knowledge to recover.

If blowback explanation is correct, real trim runaway is unrecoverable in NG, at least not using NG procedures.

This is not true. First, it is possible and likely that the thumb switch can be used to electrically trim before cutting off electric trim. This is part of the NG (and MAX) procedure.

Second, although described differently the "roller coaster" procedure is still in the NG training manual. I quoted it a few weeks ago. It's a more technically worded but it says the stabilizer needs to be unloaded in extreme situations.


Absolut BS!!!!!!

If you get a real runaway trim situation, you throw the switches as fast as you can. You can not trim with the manual electrical trim switches. And than you hope to have enough height over the ground to do the, not any longer in the manuals, roller coaster procedure.

As long as the manual backup in the 737 is designed as a test to kill all pilots (and passengers with them) that fail the test, as long it has to be the policy of design, to minimize the occurrence of any form of runaway trim, or automatic rogue trim commands.
 
User avatar
Momo1435
Posts: 851
Joined: Sat Aug 25, 2012 2:33 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 12:08 pm

kalvado wrote:
Momo1435 wrote:
Interested wrote:

Of course the plane isnt "completely unsafe"

Aren't we faced though with a very unusual situation where we have a grandfathered plane that was initially (at least) far less safe than the plane it grandfathered? That's why we have two disasters and a grounding on our hands.

I'm sure it's accepted that the grandfathering system on planes is there (in a very large part) to build on safety of the previous plane and hopefully improve on it?

I can't see how even with the very best software, communication, manuals and/or training from now on that this plane can ever be as safe as the plane it grandfathered? The are inherent extra risks and things that can go wrong that just weren't there before.

So the question surely has to be - how those new risks can be minimised to the nth degree and once they are is the extra risk acceptable?

I think the problem is magnified as there will be at least 5,000 of these planes flying 25,000 times plus per day if all goes to plan. So far we've had 2 crashes with less than 400 of these planes even built and flying.

So even minimal increase in risk can become a significant number in terms of potential disasters

What actually is an acceptable increase in risk from needing MCAS and all that comes with it to allow this plane in the air ?

0.000001 per cent more chance of a crash compared to NG after all the extra software work, training and communication is done etc - at first glance to me would seem brilliant figures and a great result from where we are now IMO

But I multiply that out over 25,000 flights per day around the world in the future and that's still 9 extra crashes per year! Nobody would accept those stats of course.

We know there are extra risks involved with MCAS. We all surely have to accept that if the plane is to fly again - but realistically what's the lowest that those extra risks can be reduced to compared to the NG plane without MCAS?

0.0000001 per cent extra risk of a crash compared to NG due to MCAS still gives 1 MCAS crash per year in the future with 5,000 max 737 planes in the air. Still clearly unacceptable by modern aviation expectations.

The numbers scare me.

Isn't that a real tough ask that Boeing and co are up against?

How do they get the inherent extra risks from having MCAS on the plane below those what seem tiny extra risk levels to me above?

The CEO has promised Max 737 will be one of the safest planes in the air in the future. How can it possibly be as safe as NG? And if not what extra risk level is acceptable?

As an outsider looking in this seems a very tough question to answer.

Is my maths right?

Have I missed anything?


You missed one major point, a properly working MCAS should not crash a plane.

So the MAX with the proper MCAS should be as safe as the NG. That's is what Boeing has to do right now, proof to the regulators that their software fix for the MCAS is now working as it should.

Not exactly. Looks like NG is not as safe as it should be. Not in terms of practical numbers, when crashes seem to be not directly related to design, but in terms of rare events which are still subject to regulation, and exposed by ongoing events. I doubt NG would be grounded for those issues, but possibly max will not be ungrounded until those are resolved

That has nothing to do with the MAX still being "less safe or not" then the NG after installation of the improved MCAS software as the person who I replied to was suggesting.

If the other issues need to be resolved for ungrounding it's all down to the review of the certification process by the regulators, which will also have a spillover effect on any new version of any plane by any manufacturer that goes through certification.
 
User avatar
PixelFlight
Posts: 417
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 12:09 pm

planecane wrote:
I think a rat eating wires and causing a short circuit is pretty unlikely. It would have to strip enough from both wires that the insulation further away wouldn't keep separation. I think a rat is more likely to cause an open circuit.

Rat is unlikely, but there exists a few events of short circuits caused by missing metallic part going down to the wiring. In addition AH contains those entries of various short-circuit events:
http://avherald.com/h?article=402cb4f7&opt=0
http://avherald.com/h?article=41ae74e0&opt=0
http://avherald.com/h?article=42fab717/0000&opt=0
http://avherald.com/h?article=45c377c5/0024&opt=0
While there can be view at first as unrelated events, remember that the stab actuator motor controller is an electronic circuit board.
 
planecane
Posts: 718
Joined: Thu Feb 09, 2017 4:58 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 12:12 pm

mjoelnir wrote:
planecane wrote:
kalvado wrote:
If blowback explanation is correct, real trim runaway is unrecoverable in NG, at least not using NG procedures.

This is not true. First, it is possible and likely that the thumb switch can be used to electrically trim before cutting off electric trim. This is part of the NG (and MAX) procedure.

Second, although described differently the "roller coaster" procedure is still in the NG training manual. I quoted it a few weeks ago. It's a more technically worded but it says the stabilizer needs to be unloaded in extreme situations.


Absolut BS!!!!!!

If you get a real runaway trim situation, you throw the switches as fast as you can.


If that's the case then why didn't the Lion Air and ET crews throw the switches right away? By your statement surely they shouldn't have allowed the trim to run away for 10 seconds. You are saying that they never should have known MCAS wasn't continuous since "as fast as you can" would certainly be under 10 seconds.
 
User avatar
PixelFlight
Posts: 417
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 12:13 pm

Thorkel wrote:
I wouldn’t trivialise a ‘few orders of magnitude incidence’ of runaway trim. Functional Safety analysis is all probabilistic - we rarely talk in absolutes.

Let’s say you’re doing a Layers Of Protection Analysis or bow tie. You have an initiating event frequency, which is where the Max appears to differ significantly from the NG. You then have risk controls which have an associated Probability of Failure on Demand (PFD - For a low demand application) - these reduce the risk level. The risk controls can be split into two types - those that prevent Loss Of Control (on the left hand side of the bow tie) and those that mitigate or prevent a Loss Of Control turning into a hazard (the right hand side of the bow tie). You want sufficient independent layers of risk controls that a) ultimately get the residual risk down to an acceptable risk level and b) are demonstrably As Low As Reasonably Practicable (ALARP).

Looking at this from my armchair, there are big issues here:
1. An initiating event frequency going up by several orders of magnitude is a real problem. It will likely drag any residual risk out of the acceptable or tolerable residual risk zone, and if that’s an increase in comparison with a previous model you’ll have a hard time proving ALARP. You need to get the risk back down, either by reducing the initiating event frequency, by beefing up risk controls to make them more effective (lower PFD) or by introducing more independent risk controls.

2. Risk controls are never assumed to be perfect, and in the industry I work in we’d rarely consider people (no matter how well skilled and educated) as a sole safety critical risk control. A person based control must be part of a series of layers that ultimately result in the residual risk being acceptable. That means we typically allow, at best, a PFD of 0.1 for a human based risk control - in other words we expect people, at best, to get a risk control wrong once in every ten attempts when they’re required to do that task in an emergency to prevent a problem turning into something worse. The human based risk control should be just one in many layers of risk controls so that failure shouldn’t always result in a significant consequence by itself.

We would have a hard time justifying a human based control having a PFD of less than 0.1. If the safety case has a low initiating event frequency, multiple layers of protection, and you end up with an acceptable residual risk then that’s fine - in other words, in the NG case, people can be a long way from perfect in conducting the manual trim checklist and there is still an acceptable safety argument.

However, if your initiating event frequency goes up by an order of magnitude or more, we’d have an extremely hard time making a safety argument that a human based control could be beefed up sufficiently to still argue the system is safe - legislation, best practice and precedent would likely prevent that argument being accepted.

If you’ve got a situation when an initiating event has gone up by several orders of magnitude, your main solutions for making a successful safety argument from my perspective are to either get the initiating frequency back down, or introduce additional safety-rated engineering risk controls. Expecting people to have a PFD of 0.01 or 0.001 conducting a safety critical risk control in an emergency situation is just not done - I’ve never seen it accepted.

:checkmark: :checkmark: :checkmark: :checkmark:
Many thanks for your so insightful detailed explanation !
 
User avatar
Revelation
Posts: 20286
Joined: Wed Feb 09, 2005 9:37 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 12:26 pm

h1fl1er wrote:
the truth nobody wants to hear is that when automation fails it frequently results in craters. nobody else could land on the Hudson other than that one guy either. the vast majority of pilots crash in these situations. the rason for this is because when automation fails things have already gone way outside the control capability of the automated system, outside what the engineers had thought of. and so it's a tough situation and expecting 30 yo pilots with paltry hours to fly the plane isn't realistic becase even experienced pilots have lousy odds

the truth is that this 50 year old warmed over design has been incredibly safe because of the automation and these crashes are notable because of how rare they are.

I think you're making the right point with the wrong example.

The guy who landed in the Hudson didn't lose automation, he lost propulsion. His FO was able to start the APU and all the black boxes had power. It was his passenger's (and his airlines) great fortune that the pilot also happened to be an active glider instructor. Pretty much every time he flew a glider he was doing the same kind of mental math he needed to do upon both engines ingesting geese that told him his only viable landing would be in the Hudson. Take another pilot who spend his spare time doing something else and you probably get a different outcome.

I think you're trying to say airlines don't train pilots to deal with non-normal situations well enough, and I think evidence supports that. Not only do we have the MAX tragedy to look at, but we have AF447 where two first world pilots did not follow training to deal with unreliable airspeed, but instead they made up their own procedure which failed miserably. Yet we have counter examples such as QF32 where the RR engine exploded and QF72 where the Airbus FBW went psycho and the pilot was able to recover, so it's not a universal thing. Maybe the lesson to learn is to fly with QF? :biggrin:

We know airlines prefer to not spend money on training. We know WN offered incentives to Boeing to avoid expensive pilot training for MAX. We know airlines prefer the automation fly the plane because it does it smoother which saves fuel. We know pilot skill degrades because of this, yet nothing gets done about it.

asdf wrote:
so they needed to move the engines in front of the wing to get them fixed on that bird and that is the problem

Again, you're presuming facts not in evidence, because we don't know if there was a way to do the engine integration without requiring MCAS.

What we do know is MCAS was not a part of MAX originally but when problems were encountered they went to MCAS rather than revising the pylon or nacelle design.
Wake up to find out that you are the eyes of the world
The heart has its beaches, its homeland and thoughts of its own
Wake now, discover that you are the song that the morning brings
The heart has its seasons, its evenings and songs of its own
 
Interested
Posts: 588
Joined: Thu May 19, 2016 12:19 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 12:54 pm

planecane wrote:
Interested wrote:
So we need the incidence or having to use trim on Max 737 to be as low as on the NG to be able to maintain safety levels?

Preferably with pilots that are trained properly and can handle runaway stabilizer on both. Unless trim is accomplished only with the manual trim wheel, the incidence of runaway stabilizer will never be zero. If I'm on the 1 in 100,000,000 flight where it happens, I pray the pilots have the skill and knowledge to recover.


The oh so rare times it's happened on the NG they've all had the skills and knowledge to cope haven't they?

I get your point - but isn't the harder bit getting to the 1 in 100,000,000 where it happend bit first on Max?

If it's going to happen more often than that now we have MCAS to contend with then we've failed before we even worry about adding the pilot training

Haven't we?

It's ok saying it will never be zero but surely the ideal is we move in the direction of zero rather than away from it?
 
Interested
Posts: 588
Joined: Thu May 19, 2016 12:19 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 1:04 pm

Momo1435 wrote:
Interested wrote:
Momo1435 wrote:
The Software patch is there, it's only the certification that takes longer then Boeing expected.

I think that the technical issues of the MAX and the issues surrounding the certification are 2 different processes. The fix for the software is there, and will probably be working as it should making the MAX safe to fly again. Remember that it was not the instability caused by the engine placement that caused the crashes, it was the botched MCAS software. And we will only see more and more software in future planes, so the fact that software is needed should not be seen as the core problem as long as the software is properly designed. But now there are doubts about the initial certification process the handbrakes are pulled on a quick certification on the MCAS fix. This is what Ed Bastian means with the industry being in shock, it's much more then just Boeing messing up the software. It's much more important to know how this was not caught by the industry before the crashes even happened.

And when it comes to this discussion in this thread I would say that the main issue is that it's too reactive. The pilot error talk is fueled by claims that the MAX is completely unsafe, which is already a reaction to claims that nothing is wrong. So it just goes round in circles, only resulting in more insinuations and personal attacks every time this circle is completed. This makes it pretty much impossible to follow this thread for people who just want to read new information and proper insights surrounding on the grounding of the MAX.


Of course the plane isnt "completely unsafe"

Aren't we faced though with a very unusual situation where we have a grandfathered plane that was initially (at least) far less safe than the plane it grandfathered? That's why we have two disasters and a grounding on our hands.

I'm sure it's accepted that the grandfathering system on planes is there (in a very large part) to build on safety of the previous plane and hopefully improve on it?

I can't see how even with the very best software, communication, manuals and/or training from now on that this plane can ever be as safe as the plane it grandfathered? The are inherent extra risks and things that can go wrong that just weren't there before.

So the question surely has to be - how those new risks can be minimised to the nth degree and once they are is the extra risk acceptable?

I think the problem is magnified as there will be at least 5,000 of these planes flying 25,000 times plus per day if all goes to plan. So far we've had 2 crashes with less than 400 of these planes even built and flying.

So even minimal increase in risk can become a significant number in terms of potential disasters

What actually is an acceptable increase in risk from needing MCAS and all that comes with it to allow this plane in the air ?

0.000001 per cent more chance of a crash compared to NG after all the extra software work, training and communication is done etc - at first glance to me would seem brilliant figures and a great result from where we are now IMO

But I multiply that out over 25,000 flights per day around the world in the future and that's still 9 extra crashes per year! Nobody would accept those stats of course.

We know there are extra risks involved with MCAS. We all surely have to accept that if the plane is to fly again - but realistically what's the lowest that those extra risks can be reduced to compared to the NG plane without MCAS?

0.0000001 per cent extra risk of a crash compared to NG due to MCAS still gives 1 MCAS crash per year in the future with 5,000 max 737 planes in the air. Still clearly unacceptable by modern aviation expectations.

The numbers scare me.

Isn't that a real tough ask that Boeing and co are up against?

How do they get the inherent extra risks from having MCAS on the plane below those what seem tiny extra risk levels to me above?

The CEO has promised Max 737 will be one of the safest planes in the air in the future. How can it possibly be as safe as NG? And if not what extra risk level is acceptable?

As an outsider looking in this seems a very tough question to answer.

Is my maths right?

Have I missed anything?


You missed one major point, a properly working MCAS should not crash a plane.

So the MAX with the proper MCAS should be as safe as the NG. That's is what Boeing has to do right now, proof to the regulators that their software fix for the MCAS is now working as it should.


But software must have a risk of failure rate so it won't properly work?

We know sensors (that weren't needed before on NG) can fail

If the nosedives can't be so severe as test pilots asked for what extra risk are we bringing in from what the less severe nosedive that they wanted to happen?

There's 3 things above that must bring added risk to the NG plane that weren't there before no matter if it normally will work as it should

Is it possible dealing with those 3 combined can add less than 0.0000001 per cent extra risk of a disaster to NG ?

Bearing in mind an NG itself still has risks of disaster itself - albeit risks we accept
 
Interested
Posts: 588
Joined: Thu May 19, 2016 12:19 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 1:11 pm

Thorkel wrote:
planecane wrote:
xmp125a wrote:

To me the question is very simple (Boeing had made it very simple by insisting that there only superficial differences between 737NG and 737MAX, like different position of switches, etc)

So the question is Had the LionAir and ET crew been sitting in 737NG, not 737MAX and everything else would be the same - e.g. AoA failure, flight parameters, and their response, WOULD THEY CRASH?

I think the answer to this is pretty simple. They would not. So they were trained for safe operation of NG, but not for the safe operation of MAX. The key Boeing argument "no additional training" goes down the toilet. The longer they insist on it, the worse they look.

The question about pilot training is immaterial in this case, if it is established that their action in NG would not result in accident, but in MAX it resulted in loss of life.


However, in the hypothetical situation where they had a runaway stabilizer on the NG along with the other parameters, I believe that they still would have crashed. I don't think you can say that they were well trained for the safe operation of the NG. I think the few orders of magnitude higher incidence of runaway stabilizer on the MAX due to MCAS makes it appear that your statement is true.


I wouldn’t trivialise a ‘few orders of magnitude incidence’ of runaway trim. Functional Safety analysis is all probabilistic - we rarely talk in absolutes.

Let’s say you’re doing a Layers Of Protection Analysis or bow tie. You have an initiating event frequency, which is where the Max appears to differ significantly from the NG. You then have risk controls which have an associated Probability of Failure on Demand (PFD - For a low demand application) - these reduce the risk level. The risk controls can be split into two types - those that prevent Loss Of Control (on the left hand side of the bow tie) and those that mitigate or prevent a Loss Of Control turning into a hazard (the right hand side of the bow tie). You want sufficient independent layers of risk controls that a) ultimately get the residual risk down to an acceptable risk level and b) are demonstrably As Low As Reasonably Practicable (ALARP).

Looking at this from my armchair, there are big issues here:
1. An initiating event frequency going up by several orders of magnitude is a real problem. It will likely drag any residual risk out of the acceptable or tolerable residual risk zone, and if that’s an increase in comparison with a previous model you’ll have a hard time proving ALARP. You need to get the risk back down, either by reducing the initiating event frequency, by beefing up risk controls to make them more effective (lower PFD) or by introducing more independent risk controls.

2. Risk controls are never assumed to be perfect, and in the industry I work in we’d rarely consider people (no matter how well skilled and educated) as a sole safety critical risk control. A person based control must be part of a series of layers that ultimately result in the residual risk being acceptable. That means we typically allow, at best, a PFD of 0.1 for a human based risk control - in other words we expect people, at best, to get a risk control wrong once in every ten attempts when they’re required to do that task in an emergency to prevent a problem turning into something worse. The human based risk control should be just one in many layers of risk controls so that failure shouldn’t always result in a significant consequence by itself.

We would have a hard time justifying a human based control having a PFD of less than 0.1. If the safety case has a low initiating event frequency, multiple layers of protection, and you end up with an acceptable residual risk then that’s fine - in other words, in the NG case, people can be a long way from perfect in conducting the manual trim checklist and there is still an acceptable safety argument.

However, if your initiating event frequency goes up by an order of magnitude or more, we’d have an extremely hard time making a safety argument that a human based control could be beefed up sufficiently to still argue the system is safe - legislation, best practice and precedent would likely prevent that argument being accepted.

If you’ve got a situation when an initiating event has gone up by several orders of magnitude, your main solutions for making a successful safety argument from my perspective are to either get the initiating frequency back down, or introduce additional safety-rated engineering risk controls. Expecting people to have a PFD of 0.01 or 0.001 conducting a safety critical risk control in an emergency situation is just not done - I’ve never seen it accepted.


Exactly why I don't really care that much for the pilot training element

I want it but it's just icing on the cake for me. I don't want them facing these issues full stop. And thats exactly what aviation safety should be aiming for before we even worry about their training

I fear to get MACS safe then Max 737 may have to compromise elsewhere and we bring more risk in elsewhere as a result

And the plane is a compromise and a flawed design
 
OldAeroGuy
Posts: 3835
Joined: Sun Dec 05, 2004 6:50 am

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 1:44 pm

Thorkel wrote:
We would have a hard time justifying a human based control having a PFD of less than 0.1. If the safety case has a low initiating event frequency, multiple layers of protection, and you end up with an acceptable residual risk then that’s fine - in other words, in the NG case, people can be a long way from perfect in conducting the manual trim checklist and there is still an acceptable safety argument.

However, if your initiating event frequency goes up by an order of magnitude or more, we’d have an extremely hard time making a safety argument that a human based control could be beefed up sufficiently to still argue the system is safe - legislation, best practice and precedent would likely prevent that argument being accepted.

If you’ve got a situation when an initiating event has gone up by several orders of magnitude, your main solutions for making a successful safety argument from my perspective are to either get the initiating frequency back down, or introduce additional safety-rated engineering risk controls. Expecting people to have a PFD of 0.01 or 0.001 conducting a safety critical risk control in an emergency situation is just not done - I’ve never seen it accepted.


Thanks for providing one of the most insightful posts on this thread.

I have a question about the assumption of PFD being 0.10. Aviation has many failure modes that assume correct pilot actions are several orders of magnitude more reliable to assure continued safe flight and landing.

For instance, the probability of an engine failure on a twin engine airplane is on the order of 10-6. If correct pilot action is assumed to be 10-1, the result, of an engine failure and pilot failure to deal with it correctly is 10-7. If an engine failure is not dealt with correctly, the airplane will crash. Accordingly, the FAA safety requirement for such a combined event is 10-9. Therefore, it is commonly accepted that a properly trained crew will fail to deal with an engine failure correctly on the order of 10-3. This would make the airliner crew 100 times more reliable than the assumption in your industry.

Please comment on this seemingly major discrepancy.
Airplane design is easy, the difficulty is getting them to fly - Barnes Wallis
 
mjoelnir
Posts: 8361
Joined: Sun Feb 03, 2013 11:06 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 1:47 pm

planecane wrote:
mjoelnir wrote:
planecane wrote:
This is not true. First, it is possible and likely that the thumb switch can be used to electrically trim before cutting off electric trim. This is part of the NG (and MAX) procedure.

Second, although described differently the "roller coaster" procedure is still in the NG training manual. I quoted it a few weeks ago. It's a more technically worded but it says the stabilizer needs to be unloaded in extreme situations.


Absolut BS!!!!!!

If you get a real runaway trim situation, you throw the switches as fast as you can.


If that's the case then why didn't the Lion Air and ET crews throw the switches right away? By your statement surely they shouldn't have allowed the trim to run away for 10 seconds. You are saying that they never should have known MCAS wasn't continuous since "as fast as you can" would certainly be under 10 seconds.


Because very simply said, the procedure advertised by Boeing does not work or only very badly. The trim wheel does not work, apart from when the frame is nearly in trim anyway.

In a real runaway trim, you do not have the option of using the manual electrical trim before throwing the switch. It is just the hope that you are still not so far out of trim that you can still use the wheel. If you are to far out of trim and out of height you are dead.

If the automatic is going berserk you still have the possibility of using electrical trim with the manual switches. With the qualification, that nothing else is keeping you from trimming back.

That is also why one should keep apart if there is an automatic going berserk, or if you have a runaway trim. But wise Boeing tells you to look at it being the same event, even if the same procedures do not work.
 
OldAeroGuy
Posts: 3835
Joined: Sun Dec 05, 2004 6:50 am

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 1:58 pm

Interested wrote:

Exactly why I don't really care that much for the pilot training element

I want it but it's just icing on the cake for me. I don't want them facing these issues full stop. And thats exactly what aviation safety should be aiming for before we even worry about their training

I fear to get MACS safe then Max 737 may have to compromise elsewhere and we bring more risk in elsewhere as a result

And the plane is a compromise and a flawed design


If you think that pilot training is icing on the cake, you should stay off airplanes in the future. There are many potential commercial airplane failures that are improbable but occur routinely in the airliner system.

Engine Failure
Inflight fires
De-pressurization
Airspeed measurement
Control system issues
Runaway stabilizer trim
Etc.

All these failures require that pilots act correctly at a rate greater than 1 time in 10 events to assure continued safe flight and landing.

Properly trained crew are an integral part of the overall aviation safety system.
Airplane design is easy, the difficulty is getting them to fly - Barnes Wallis
 
Thorkel
Posts: 15
Joined: Mon Dec 15, 2014 2:38 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 2:06 pm

OldAeroGuy wrote:
Thorkel wrote:
We would have a hard time justifying a human based control having a PFD of less than 0.1. If the safety case has a low initiating event frequency, multiple layers of protection, and you end up with an acceptable residual risk then that’s fine - in other words, in the NG case, people can be a long way from perfect in conducting the manual trim checklist and there is still an acceptable safety argument.

However, if your initiating event frequency goes up by an order of magnitude or more, we’d have an extremely hard time making a safety argument that a human based control could be beefed up sufficiently to still argue the system is safe - legislation, best practice and precedent would likely prevent that argument being accepted.

If you’ve got a situation when an initiating event has gone up by several orders of magnitude, your main solutions for making a successful safety argument from my perspective are to either get the initiating frequency back down, or introduce additional safety-rated engineering risk controls. Expecting people to have a PFD of 0.01 or 0.001 conducting a safety critical risk control in an emergency situation is just not done - I’ve never seen it accepted.


Thanks for providing one of the most insightful posts on this thread.

I have a question about the assumption of PFD being 0.10. Aviation has many failure modes that assume correct pilot actions are several orders of magnitude more reliable to assure continued safe flight and landing.

For instance, the probability of an engine failure on a twin engine airplane is on the order of 10-6. If correct pilot action is assumed to be 10-1, the result, of an engine failure and pilot failure to deal with it correctly is 10-7. If an engine failure is not dealt with correctly, the airplane will crash. Accordingly, the FAA safety requirement for such a combined event is 10-9. Therefore, it is commonly accepted that a properly trained crew will fail to deal with an engine failure correctly on the order of 10-3. This would make the airliner crew 100 times more reliable than the assumption in your industry.

Please comment on this seemingly major discrepancy.


So, I have a background in applying these of standards to autonomous, robotic and process systems, and one of the key standards we use is IEC 61508 (and various derivatives thereof).

Typically with 61508 and related standards we specify events in terms of ‘per year’ - so as a guide, we aim for a residual risk for catastrophic events at a rate of 1x10-6 per year - or once every million years (this figure may change depending on circumstance).

I’m not directly familiar with the aviation standards (DO-178-* typically, although exactly what that covers and whether there is additional stuff for HAZID, risk assessments, etc) - however, from what I’ve seen posted here is that the frequencies are represented as event per hour rather than per year.

So, if that is the case, 1000 hours (1x10^3) is reasonably approximate to 1 year when you’re dealing with events per million years or billion hours. The remaining order of magnitude difference is likely just due to rounding/different standards/etc.

There’s a further complication because PFDs don’t have a time component - they’re just ‘when this event occurs, how likely is a control to stop it’, and this is different to saying ‘how likely is a failure to occur over a period of time’. They’re both probabilities - just probabilities for different things. Standards like 61508 make allowances for different types of system from Low Demand (so the initiating event is infrequent) through to High Demand and Continuous (these systems are continuously operating to keep something safe). You model these styles of system slightly different, and in my explanation above I treated MCAS as a ‘Low Demand’ system - i.e. an initiating event should occur less than once per year.

That’s my off the cuff explanation without doing any research on the aerospace safety standard side of things!
 
kalvado
Posts: 1709
Joined: Wed Mar 01, 2006 4:29 am

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 2:08 pm

OldAeroGuy wrote:
Thorkel wrote:
We would have a hard time justifying a human based control having a PFD of less than 0.1. If the safety case has a low initiating event frequency, multiple layers of protection, and you end up with an acceptable residual risk then that’s fine - in other words, in the NG case, people can be a long way from perfect in conducting the manual trim checklist and there is still an acceptable safety argument.

However, if your initiating event frequency goes up by an order of magnitude or more, we’d have an extremely hard time making a safety argument that a human based control could be beefed up sufficiently to still argue the system is safe - legislation, best practice and precedent would likely prevent that argument being accepted.

If you’ve got a situation when an initiating event has gone up by several orders of magnitude, your main solutions for making a successful safety argument from my perspective are to either get the initiating frequency back down, or introduce additional safety-rated engineering risk controls. Expecting people to have a PFD of 0.01 or 0.001 conducting a safety critical risk control in an emergency situation is just not done - I’ve never seen it accepted.


Thanks for providing one of the most insightful posts on this thread.

I have a question about the assumption of PFD being 0.10. Aviation has many failure modes that assume correct pilot actions are several orders of magnitude more reliable to assure continued safe flight and landing.

For instance, the probability of an engine failure on a twin engine airplane is on the order of 10-6. If correct pilot action is assumed to be 10-1, the result, of an engine failure and pilot failure to deal with it correctly is 10-7. If an engine failure is not dealt with correctly, the airplane will crash. Accordingly, the FAA safety requirement for such a combined event is 10-9. Therefore, it is commonly accepted that a properly trained crew will fail to deal with an engine failure correctly on the order of 10-3. This would make the airliner crew 100 times more reliable than the assumption in your industry.

Please comment on this seemingly major discrepancy.

I believe we talked about it before. This is about drilling specific failure modes (rejected takeoff, for example) for better response - a very finite number of situations; and those a high risk event even with training; otherwise designing things so that person has a second chance in case of error.
What kind of fatal error engine shutdown can cause? Shutting down wrong engine is surely one thing; and it have happened before. You probably know better than me what are precautions to avoid that. What else can be done what cannot be undone? What other actions are critical to be performed right away?
Checklists are another way of minimizing potential for mistake...
 
h1fl1er
Posts: 68
Joined: Thu Jun 06, 2019 5:58 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 2:09 pm

Interested wrote:
Exactly why I don't really care that much for the pilot training element

I want it but it's just icing on the cake for me. I don't want them facing these issues full stop. And thats exactly what aviation safety should be aiming for before we even worry about their training

I fear to get MACS safe then Max 737 may have to compromise elsewhere and we bring more risk in elsewhere as a result

And the plane is a compromise and a flawed design


yes, we must have perfection. especially from boeing

the animus toward this one plane maker among various people commenting is obvious. just come out and say it. it's transparent and it's pollution

do you guys understand that every engine on forward underwing mounts creates lift at high AOA? a ge90 creates way more than the Max.

the mcas software was a massive f-up. two planes crashed and 350 peple died. and now here it's like people are conjecturing about laminar flow separation as a result of these engines or some kind of bogus stall propensity or some how this design is bad bc it needed automatic control

it was really just a software screw up by idiots. not a conspiracy. not some secret major flaw that somehow for 50 years kept the 737 the most popular plane ever with a fantastic safety record

55 pages of round nad round

the pilot who crashed af447 was a young guy, inexperienced. failed. all in one guy's lap, hundreds of people killed. automation failures that hand dicey aircraft to inexperienced pilots in troubling circumstances frequently end up in crashes

bc if the computer can't fly it, the pilot prob can't either. to the guy who responded about my comment on the Hudson river, yeah automation was lost. the plane stopped flying itself and scully had to take over and hand fly the plane. he could no longer depend o the computer. nost pilots they sim tested (americans) crashed. the dc10 with the exploding #3, most pilots (americans) had total hull loss and bodies everywhere, again a situation where the ap can't fly the plane

this is my point when the computer can't fly the pilot probably can't either. a few guys are exceptional and can land dead stick on a river. most pilots are crashing that. other people can argue about whether et should have watched their airspeed or whether lion copilot should have E-trimmed out mcas (as the captain had been doing for minutes over and over) but the basic situation is still the same. when the computer can't fly the plane is compromised and pilots are likely to screw up
 
AirBoat
Posts: 34
Joined: Sun Jan 18, 2015 11:58 am

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 2:11 pm

how about this idea.
the max needs extra training, but its the same as the ng
therefore ALL 737 pilots need extra training....
I am sure Boeing does not want to go there.
maybe the FAA is thinking about this, and is trying to find the best middle ground.
if its different, then re-certify.
 
User avatar
Momo1435
Posts: 851
Joined: Sat Aug 25, 2012 2:33 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 2:36 pm

Interested wrote:
But software must have a risk of failure rate so it won't properly work?

We know sensors (that weren't needed before on NG) can fail

If the nosedives can't be so severe as test pilots asked for what extra risk are we bringing in from what the less severe nosedive that they wanted to happen?

There's 3 things above that must bring added risk to the NG plane that weren't there before no matter if it normally will work as it should

Is it possible dealing with those 3 combined can add less than 0.0000001 per cent extra risk of a disaster to NG ?

Bearing in mind an NG itself still has risks of disaster itself - albeit risks we accept

A risk of failure rate? Do you even understand what you are saying?

Any mechanical or electronic system can fail, there's always a failure rate. You have to accept a failure rate, as system will always fail. What you don't want to accept is that a single failure will lead to a crash. It's not a matter of how many times the new MCAS software is allowed to fail, it should never result in a crash. That's where the 1st MCAS went wrong, not that it failed, but that it failed in a lethal way which is simply unacceptable. But that doesn't mean that it can't be fixed by Boeing.
 
User avatar
PixelFlight
Posts: 417
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 2:49 pm

h1fl1er wrote:
bc if the computer can't fly it, the pilot prob can't either. to the guy who responded about my comment on the Hudson river, yeah automation was lost. the plane stopped flying itself and scully had to take over and hand fly the plane. he could no longer depend o the computer. nost pilots they sim tested (americans) crashed.

Sorry, but your claim about US1549 is wrong.

The normal law flight envelope protection automation was active from the rotation up to the contact with the water, thanks to the early decision to enable the APU, contrary to the procedure that enable it far too late for there situation. The final report detail how this helped the pilot to keep with the minimal speed as the pilot was subject to various psychological stress that altered his perception of his control of the speed. Without that normal law flight envelope protection automation US1549 would have been more susceptible to stall in a situation where is played with the limit of it. The A320 computers of the US1549 was always flying, even without engines, and the pilots greatly depended on them because there have absolutely more vital decisions to handle at the same time. All the simulations of this accident assumed normal law flight envelope protection automation.

Please read the final report before making wrong claim. Here are some relevant part of it:

"Despite not reaching this portion of the Engine Dual Failure checklist, the captain stated
during postaccident interviews that he thought that he had obtained green dot speed immediately
after the bird strike, maintained that speed until the airplane was configured for landing, and,
after deploying the flaps, maintained a speed “safely above V LS ,” which is the lowest selectable
airspeed providing an appropriate margin to the stall speed. However, FDR data indicated that
the airplane was below green dot speed and at V LS or slightly less for most of the descent, and
about 15 to 19 knots below V LS during the last 200 feet."


"The NTSB concludes that, despite being unable to complete the Engine Dual Failure
checklist, the captain started the APU, which improved the outcome of the ditching by ensuring
that a primary source of electrical power was available to the airplane and that the airplane
remained in normal law and maintained the flight envelope protections, one of which protects
against a stall."


"2.7.1 High-AOA and Low-Airspeed Awareness
Typically, pilots are made aware that an airplane has reached alpha-protection speed and
that, therefore, the high-AOA protection has become active, by viewing a black and amber strip
along the airspeed scale. Under normal circumstances, the black and amber strip is sufficient to
alert pilots visually that they have entered alpha-protection mode. However, in emergency
situations, when visual resources are overloaded, pilots may inadvertently overlook the airspeed
tape. As noted, the airplane was flown at V LS or slightly less for most of the descent. Maintaining
a sufficiently higher airspeed makes it possible to maintain sufficient energy to significantly
reduce the descent rate during the flare. The Airbus simulation indicated that the airplane
performed as designed and was in the alpha-protection mode from 150 feet to touchdown. As
discussed previously, the captain’s attention was narrowed, which would have made it difficult
for him to maintain awareness of the airplane’s low-speed condition during the descent."


"The flight envelope protections allowed the
captain to pull full aft on the sidestick without the risk of stalling the airplane."
 
Interested
Posts: 588
Joined: Thu May 19, 2016 12:19 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 2:54 pm

OldAeroGuy wrote:
Interested wrote:

Exactly why I don't really care that much for the pilot training element

I want it but it's just icing on the cake for me. I don't want them facing these issues full stop. And thats exactly what aviation safety should be aiming for before we even worry about their training

I fear to get MACS safe then Max 737 may have to compromise elsewhere and we bring more risk in elsewhere as a result

And the plane is a compromise and a flawed design


If you think that pilot training is icing on the cake, you should stay off airplanes in the future. There are many potential commercial airplane failures that are improbable but occur routinely in the airliner system.

Engine Failure
Inflight fires
De-pressurization
Airspeed measurement
Control system issues
Runaway stabilizer trim
Etc.

All these failures require that pilots act correctly at a rate greater than 1 time in 10 events to assure continued safe flight and landing.

Properly trained crew are an integral part of the overall aviation safety system.


I'm talking about training for MCAS being the icing on the cake for making that safe
 
Interested
Posts: 588
Joined: Thu May 19, 2016 12:19 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 2:58 pm

OldAeroGuy wrote:
Thorkel wrote:
We would have a hard time justifying a human based control having a PFD of less than 0.1. If the safety case has a low initiating event frequency, multiple layers of protection, and you end up with an acceptable residual risk then that’s fine - in other words, in the NG case, people can be a long way from perfect in conducting the manual trim checklist and there is still an acceptable safety argument.

However, if your initiating event frequency goes up by an order of magnitude or more, we’d have an extremely hard time making a safety argument that a human based control could be beefed up sufficiently to still argue the system is safe - legislation, best practice and precedent would likely prevent that argument being accepted.

If you’ve got a situation when an initiating event has gone up by several orders of magnitude, your main solutions for making a successful safety argument from my perspective are to either get the initiating frequency back down, or introduce additional safety-rated engineering risk controls. Expecting people to have a PFD of 0.01 or 0.001 conducting a safety critical risk control in an emergency situation is just not done - I’ve never seen it accepted.


Thanks for providing one of the most insightful posts on this thread.

I have a question about the assumption of PFD being 0.10. Aviation has many failure modes that assume correct pilot actions are several orders of magnitude more reliable to assure continued safe flight and landing.

For instance, the probability of an engine failure on a twin engine airplane is on the order of 10-6. If correct pilot action is assumed to be 10-1, the result, of an engine failure and pilot failure to deal with it correctly is 10-7. If an engine failure is not dealt with correctly, the airplane will crash. Accordingly, the FAA safety requirement for such a combined event is 10-9. Therefore, it is commonly accepted that a properly trained crew will fail to deal with an engine failure correctly on the order of 10-3. This would make the airliner crew 100 times more reliable than the assumption in your industry.

Please comment on this seemingly major discrepancy.


I'm assuming what comes into it is not only the chance of failure of the physical item but then the chance of that leading to a crash

I guess all of the above bring different levels of risk?

And certain failures can handle a large amount of human error afterwards without crashing and some less so

So it's not just the chance of the failure and the chance of human error but also how much human error the situation can deal with

Even planes that don't crash will have pilots making loads of mistakes etc and vice versa
 
Interested
Posts: 588
Joined: Thu May 19, 2016 12:19 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 3:04 pm

Momo1435 wrote:
Interested wrote:
But software must have a risk of failure rate so it won't properly work?

We know sensors (that weren't needed before on NG) can fail

If the nosedives can't be so severe as test pilots asked for what extra risk are we bringing in from what the less severe nosedive that they wanted to happen?

There's 3 things above that must bring added risk to the NG plane that weren't there before no matter if it normally will work as it should

Is it possible dealing with those 3 combined can add less than 0.0000001 per cent extra risk of a disaster to NG ?

Bearing in mind an NG itself still has risks of disaster itself - albeit risks we accept

A risk of failure rate? Do you even understand what you are saying?

Any mechanical or electronic system can fail, there's always a failure rate. You have to accept a failure rate, as system will always fail. What you don't want to accept is that a single failure will lead to a crash. It's not a matter of how many times the new MCAS software is allowed to fail, it should never result in a crash. That's where the 1st MCAS went wrong, not that it failed, but that it failed in a lethal way which is simply unacceptable. But that doesn't mean that it can't be fixed by Boeing.


I understand that. But to make MCAS not deadly what other safety that MCAS was there to support with its current aggressivenes will itself become compromised

People have mentioned some tiny window that MCAS is designed to make safer - that tiny widow must have its own risk of occurring that NG doesn't face

And how dangerous is that if it happens. And how often can it happen etc?

I've seen posters mention pilots needing to take fast evasive action etc being a potential risk for the Max compared to the NG

Isn't this like a bucket with several holes that need plugging at same time

You make MCAS less aggressive what risks do they create elsewhere?
Last edited by Interested on Wed Jun 12, 2019 3:25 pm, edited 1 time in total.
 
planecane
Posts: 718
Joined: Thu Feb 09, 2017 4:58 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 3:05 pm

mjoelnir wrote:
planecane wrote:
mjoelnir wrote:

Absolut BS!!!!!!

If you get a real runaway trim situation, you throw the switches as fast as you can.


If that's the case then why didn't the Lion Air and ET crews throw the switches right away? By your statement surely they shouldn't have allowed the trim to run away for 10 seconds. You are saying that they never should have known MCAS wasn't continuous since "as fast as you can" would certainly be under 10 seconds.


Because very simply said, the procedure advertised by Boeing does not work or only very badly. The trim wheel does not work, apart from when the frame is nearly in trim anyway.

In a real runaway trim, you do not have the option of using the manual electrical trim before throwing the switch. It is just the hope that you are still not so far out of trim that you can still use the wheel. If you are to far out of trim and out of height you are dead.

If the automatic is going berserk you still have the possibility of using electrical trim with the manual switches. With the qualification, that nothing else is keeping you from trimming back.

That is also why one should keep apart if there is an automatic going berserk, or if you have a runaway trim. But wise Boeing tells you to look at it being the same event, even if the same procedures do not work.


You are starting to just make stuff up and put out contradictory arguments. So you are saying that a runaway stabilizer requires flipping the switches as quickly as possible but neither crash crew did that because the procedure doesn't work even though they wouldn't have known if it would have worked or not?

Do you have facts to support that in a "real runaway" you don't have the option of using manual electric trim? The NNC says to use it and only use the cutoff switches if the runaway continues.

Also, you state that the trim wheel does not work apart from when the frame is nearly in trim. Do you have facts to support that statement? At what point out of trim does it become difficult to turn the wheel? We know it is near impossible when extremely out of trim AND at high speed but we don't know how far out of trim you can be and have it be relatively easy. It's hard to tell exactly due to the scaling and unlabeled axis but JT043 seems to have been pretty far out of trim when they cut off electric trim and used the trim wheel.
 
OldAeroGuy
Posts: 3835
Joined: Sun Dec 05, 2004 6:50 am

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 3:16 pm

kalvado wrote:
What kind of fatal error engine shutdown can cause? Shutting down wrong engine is surely one thing; and it have happened before. You probably know better than me what are precautions to avoid that. What else can be done what cannot be undone? What other actions are critical to be performed right away?
Checklists are another way of minimizing potential for mistake...


For engine failure on takeoff, there can be quite a few:

Engine failure below Vmcg -> Attempt to continue takeoff will result in off the side of the runway at high speed

Engine failure before V1 -> Attempt to continue can result in off the end of the runway at high speed

Engine failure after V1 -> Attempt to stop can result if off the end of the runway at high speed

Engine failure in 1st or 2nd Segment Climb -> there are several issues:

If speed drops below Vmca -> Loss of control at low altitude
Failure to control thrust imbalance -> Loss of control at low altitude
Improper use of controls to control thrust imbalance -> Loss of obstacle clearance capability

There are no "do overs" or second chances for these errors. Passengers need to trust that the crew on their flight has been properly trained to deal with malfunctions correctly
Airplane design is easy, the difficulty is getting them to fly - Barnes Wallis
 
planecane
Posts: 718
Joined: Thu Feb 09, 2017 4:58 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 3:18 pm

Interested wrote:
Momo1435 wrote:
Interested wrote:
But software must have a risk of failure rate so it won't properly work?

We know sensors (that weren't needed before on NG) can fail

If the nosedives can't be so severe as test pilots asked for what extra risk are we bringing in from what the less severe nosedive that they wanted to happen?

There's 3 things above that must bring added risk to the NG plane that weren't there before no matter if it normally will work as it should

Is it possible dealing with those 3 combined can add less than 0.0000001 per cent extra risk of a disaster to NG ?

Bearing in mind an NG itself still has risks of disaster itself - albeit risks we accept

A risk of failure rate? Do you even understand what you are saying?

Any mechanical or electronic system can fail, there's always a failure rate. You have to accept a failure rate, as system will always fail. What you don't want to accept is that a single failure will lead to a crash. It's not a matter of how many times the new MCAS software is allowed to fail, it should never result in a crash. That's where the 1st MCAS went wrong, not that it failed, but that it failed in a lethal way which is simply unacceptable. But that doesn't mean that it can't be fixed by Boeing.


I understand that. But to make MCAS not deadly what other safety that MCAS was there to support with its current aggressivenes will itself become compromised

People have mentioned some tiny window that MCAS is designed to make safer - that tiny widow must have its own risk of occurring that NG doesn't face

And how dangerous is that if it happens. And how often can it happen etc?

I've seen posters mention pilots needing to take fast evasive action etc being a potential risk for the Max compared to the NG

Isn't this like a bucket with several holes that need plugging at same time

You make MCAS less aggressive what risks to they create elsewhere?


Nothing I have seen has indicated that they are making it any less aggressive when the parameters are met that require it. What they are doing is giving it "intelligence" so that is doesn't add input beyond what would be required at the particular airspeed and AoA that the aircraft is currently experiencing. They are also making it so that it will never trim past the point where the crew loses elevator authority with the control column to keep the aircraft level. MCAS was intended to keep the force gradient consistent, not make it impossible to control the pitch with the elevator so this change won't reduce the MCAS effectiveness as intended.

There are two potential risks:

1) When MCAS is disabled due to AoA disagree. I assume there will be a checklist that will address this to ensure that the pilots don't enter the part of the envelope where MCAS would be needed. This may or may not include a "land at nearest airport" step.

2) In the extremely unlikely event that BOTH AoA sensors fail, fail within 5 degrees of each other and fail at an AoA reading that causes MCAS to trigger, the pilots will easily override the nose down trim with manual electric trim (MCAS will no longer have the authority to continue to activate until the physical stop). In this case, MCAS is now disabled and the situation of risk #1 will need to be addressed.

I guess the MAX will have a very slightly elevated risk of a stall compared to the NG in the cases where MCAS is disabled. However, from all I have read, no commercial flight should ever approach a stall that closely to start with. How often has a 737NG, classic or jurassic ever been put into a stall or approached a stall closely with passengers on board? A slightly higher risk on the MAX may still be a close to zero chance.
 
Interested
Posts: 588
Joined: Thu May 19, 2016 12:19 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 3:23 pm

planecane wrote:
Interested wrote:
Momo1435 wrote:
A risk of failure rate? Do you even understand what you are saying?

Any mechanical or electronic system can fail, there's always a failure rate. You have to accept a failure rate, as system will always fail. What you don't want to accept is that a single failure will lead to a crash. It's not a matter of how many times the new MCAS software is allowed to fail, it should never result in a crash. That's where the 1st MCAS went wrong, not that it failed, but that it failed in a lethal way which is simply unacceptable. But that doesn't mean that it can't be fixed by Boeing.


I understand that. But to make MCAS not deadly what other safety that MCAS was there to support with its current aggressivenes will itself become compromised

People have mentioned some tiny window that MCAS is designed to make safer - that tiny widow must have its own risk of occurring that NG doesn't face

And how dangerous is that if it happens. And how often can it happen etc?

I've seen posters mention pilots needing to take fast evasive action etc being a potential risk for the Max compared to the NG

Isn't this like a bucket with several holes that need plugging at same time

You make MCAS less aggressive what risks to they create elsewhere?


Nothing I have seen has indicated that they are making it any less aggressive when the parameters are met that require it. What they are doing is giving it "intelligence" so that is doesn't add input beyond what would be required at the particular airspeed and AoA that the aircraft is currently experiencing. They are also making it so that it will never trim past the point where the crew loses elevator authority with the control column to keep the aircraft level. MCAS was intended to keep the force gradient consistent, not make it impossible to control the pitch with the elevator so this change won't reduce the MCAS effectiveness as intended.

There are two potential risks:

1) When MCAS is disabled due to AoA disagree. I assume there will be a checklist that will address this to ensure that the pilots don't enter the part of the envelope where MCAS would be needed. This may or may not include a "land at nearest airport" step.

2) In the extremely unlikely event that BOTH AoA sensors fail, fail within 5 degrees of each other and fail at an AoA reading that causes MCAS to trigger, the pilots will easily override the nose down trim with manual electric trim (MCAS will no longer have the authority to continue to activate until the physical stop). In this case, MCAS is now disabled and the situation of risk #1 will need to be addressed.

I guess the MAX will have a very slightly elevated risk of a stall compared to the NG in the cases where MCAS is disabled. However, from all I have read, no commercial flight should ever approach a stall that closely to start with. How often has a 737NG, classic or jurassic ever been put into a stall or approached a stall closely with passengers on board? A slightly higher risk on the MAX may still be a close to zero chance.


Thanks. That's interesting stuff

I feel that when together on here we try to find solutions that don't involve blaming anyone it's much better!

So it's that last paragraph where the extra risk will have to be analysed

And I guess they also have to factor in the risk of a crash if the plane does stall etc. Both with and without pilot error involved
 
h1fl1er
Posts: 68
Joined: Thu Jun 06, 2019 5:58 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 3:28 pm

PixelFlight wrote:
m about US1549 is wrong.

The normal law flight envelope protection automation was active from the rotation up to the contact with the water, thanks to the early decision to enable the APU, contrary to the procedure that enable it far too late for there situation. The final report detail how this helped the pilot to keep with the minimal speed as the pilot was subject to various psychological stress that altered his perception of his control of the speed. Without that normal law flight envelope protection automation US1549 would have been more susceptible to stall in a situation where is played with the limit of it. The A320 computers of the US1549 was always flying, even without engines, and the pilots greatly depended on them because there have absolutely more vital decisions to handle at the same time. All the simulations of this accident assumed normal law flight envelope protection automation.


My claim was that the ap could no longer fly the plane. you're saying this is wrong???

mcas crashes were automation failures. maybe even on et because a bird hit the aoa vane. it doesn't matter why automation fialed. it failed.

regardless of why automation failed, when pilots get handed planes in these situations the exceptional ones are the only pilots who make it. they simmed 1529 and most guys crashed the aircraft. the situation where he landed with no deaths was exceptional! he was an exceptional pilot.

if automation fails on an embraer, beoing, airbus, Mitsubishi, sukhoi, bombardier, or any other type of automation dependent aircraft, it frequently leads to crashes.

ATR icing...AP kicked out suddenly, your airplane! surprise! and boom they rolled over and crashed immediately. in that case it was icing in mcas it was f-up software that was written by idiots. a failure is a failure. when the automation can no longer fly the plane for whatever reason it is because things have gone left and the situation is inherently dangerous regardless of whether the failure was because of ice or an idiotic software team.

stop trying to turn this forum into a polemic against boeing
 
kalvado
Posts: 1709
Joined: Wed Mar 01, 2006 4:29 am

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 3:28 pm

OldAeroGuy wrote:
kalvado wrote:
What kind of fatal error engine shutdown can cause? Shutting down wrong engine is surely one thing; and it have happened before. You probably know better than me what are precautions to avoid that. What else can be done what cannot be undone? What other actions are critical to be performed right away?
Checklists are another way of minimizing potential for mistake...


For engine failure on takeoff, there can be quite a few:

Engine failure below Vmcg -> Attempt to continue takeoff will result in off the side of the runway at high speed

Engine failure before V1 -> Attempt to continue can result in off the end of the runway at high speed

Engine failure after V1 -> Attempt to stop can result if off the end of the runway at high speed

Engine failure in 1st or 2nd Segment Climb -> there are several issues:

If speed drops below Vmca -> Loss of control at low altitude
Failure to control thrust imbalance -> Loss of control at low altitude
Improper use of controls to control thrust imbalance -> Loss of obstacle clearance capability

There are no "do overs" or second chances for these errors. Passengers need to trust that the crew on their flight has been properly trained to deal with malfunctions correctly

I was more thinking about cruise engine failure. Still a highly undesired situation, where possible mistakes are partially mitigated by enough time for a do-over.
As for engine failure at takeoff, at least from the formal perspective, what is the probability of failure within those 3-5 critical minutes? Optimistically, I assume less than 1e-6 - although 1 in 100k hours for ETOPS180 means just about 1e-6. If you will, there are 2.5k flights daily at ATL and 2.4k at ORD. That is more than 1.5 M annually in those 2 airports alone, and when was last case of takeoff failure in US?
Then.. Drill in sim for better response rate. Overrun protection at runway end. Probably checking engine parameters before releasing brakes is another piece of the puzzle. Oh, and pray hard. Even if you're not religious, that wouldn't hurt.
 
User avatar
PixelFlight
Posts: 417
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounded Worldwide Q2 2019

Wed Jun 12, 2019 3:43 pm

h1fl1er wrote:
PixelFlight wrote:
m about US1549 is wrong.

The normal law flight envelope protection automation was active from the rotation up to the contact with the water, thanks to the early decision to enable the APU, contrary to the procedure that enable it far too late for there situation. The final report detail how this helped the pilot to keep with the minimal speed as the pilot was subject to various psychological stress that altered his perception of his control of the speed. Without that normal law flight envelope protection automation US1549 would have been more susceptible to stall in a situation where is played with the limit of it. The A320 computers of the US1549 was always flying, even without engines, and the pilots greatly depended on them because there have absolutely more vital decisions to handle at the same time. All the simulations of this accident assumed normal law flight envelope protection automation.


My claim was that the ap could no longer fly the plane. you're saying this is wrong???

I dispute the claim "he could no longer depend o the computer". If fact he voluntary keep the dependency on the computer to still have normal law protection.

Popular Searches On Airliners.net

Top Photos of Last:   24 Hours  •  48 Hours  •  7 Days  •  30 Days  •  180 Days  •  365 Days  •  All Time

Military Aircraft Every type from fighters to helicopters from air forces around the globe

Classic Airliners Props and jets from the good old days

Flight Decks Views from inside the cockpit

Aircraft Cabins Passenger cabin shots showing seat arrangements as well as cargo aircraft interior

Cargo Aircraft Pictures of great freighter aircraft

Government Aircraft Aircraft flying government officials

Helicopters Our large helicopter section. Both military and civil versions

Blimps / Airships Everything from the Goodyear blimp to the Zeppelin

Night Photos Beautiful shots taken while the sun is below the horizon

Accidents Accident, incident and crash related photos

Air to Air Photos taken by airborne photographers of airborne aircraft

Special Paint Schemes Aircraft painted in beautiful and original liveries

Airport Overviews Airport overviews from the air or ground

Tails and Winglets Tail and Winglet closeups with beautiful airline logos