Another Indonesian aircraft down


  • Final report out: pilot error and a malfunctioning auto-throttle, oh, and a failure to properly train pilots. What a surprise!

    Comment


    • Aviation Herald - News, Incidents and Accidents in Aviation



      --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
      --- Defend what you say with arguments, not by imposing your credentials ---

      Comment


      • Haven't found time to read the report, but, from the summary I gather that the mechanical issue was binding or friction of a throttle control cable and the subsequent failure of the crew to monitor and intervene.

        - Mechanical controls jam. Modern airliners (of which the 737 is not one and should have been retired by now) should never have A/T commands inhibited by thrust lever mechanical linkage issues. These should be digital commands sent from the autoflight computers to the EEC/FADEC components that control the engine power settings with no mechanical control reliability requirements. Airbus has been on board with this since the 80's. Solid state reliability. I think it's a good idea (though not a necessity) to servo drive the thrust levers but not in any way that might inhibit actual autoflight commands. The 737 is a relic from an age where autopilot had a very different design philosophy and subsequent attempts at modernization have left it with layers of needless complexity, i.e. added points of failure, that continue to reveal themselves to this day.

        - At this point, the MAIN reason we still need human pilots is as a means to monitor and intervene when autoflight errors occur. If we didn't have a need for monitoring and occasional intervention, we wouldn't need human pilots. They are the line of defense needed to overcome the reality of inevitable system errors and failures, systems which otherwise can aviate and navigate (and communicate) very well on their own. Therefore, that is the job. If pilots fail to monitor automation and intervene, what do they think they are there for? A stolen paycheck?

        Comment


        • The main reasons for the autothrust to be linked to the TLA in Boeing's philosophy are consistency with visual / tactile feedback and giving the pilot the ability to override or augment the AT even without disconnecting it.

          It is not a "relic 737" issue but a design philosophy. The 777 and 787 are fully FBW and the AT still works like this.



          Comment


          • Originally posted by Evan View Post

            - Mechanical controls jam. Modern airliners (of which the 737 is not one and should have been retired by now) should never have A/T commands inhibited by thrust lever mechanical linkage issues. These should be digital commands sent from the autoflight computers to the EEC/FADEC components that control the engine power settings with no mechanical control reliability requirements. Airbus has been on board with this since the 80's. Solid state reliability. I think it's a good idea (though not a necessity) to servo drive the thrust levers but not in any way that might inhibit actual autoflight commands. The 737 is a relic from an age where autopilot had a very different design philosophy and subsequent attempts at modernization have left it with layers of needless complexity, i.e. added points of failure, that continue to reveal themselves to this day.
            Couple things:

            1. I am not sure the Airbus fixed-lever AT philosophy is necessarily inherently more reliable than Boeing's. At best, it replaced one failure mode with another, in fact, I remember you taking issue with it in re AF447.

            2. I'm not sure what drastic change there has been to autopilot "design philosophy" since the 731 prototype first flew. Care to elaborate?

            Comment


            • Originally posted by ATLcrew View Post
              2. I'm not sure what drastic change there has been to autopilot "design philosophy" since the 731 prototype first flew. Care to elaborate?
              Well, to begin with—correct me if I'm wrong—but the original 737 did not even have autothrottle. At that point, there was no FCC and autopilot philosophy was contained to the axes represented by the two paddle activation switches on the rudimentary glareshield panel: ailerons and elevator. The primary purpose of autopilot at that point was more to hold a selected flightpath as a tool against pilot fatigue rather than a fully capable flight guidance and management system that is the primary means of flight control in most phases of flight. By the time the A320 (and the 777 and the 787) were developed, autoflight was a thing and it integrated flightpath control with power settings and modern nav avionics.

              With FADEC coming in the late 70's and EEC replacing control cables, a thrust lever assembly now only needed to move a resolver for the EEC signal and a potentiometer for the flight computer inputs. Therefore it could become a much simpler and, one would expect, more reliable assembly. More on that in my next post...

              Comment


              • Originally posted by ATLcrew View Post
                1. I am not sure the Airbus fixed-lever AT philosophy is necessarily inherently more reliable than Boeing's. At best, it replaced one failure mode with another, in fact, I remember you taking issue with it in re AF447.
                Ok, I'll walk that back a bit. The A320 thrust lever assembly itself is not 'solid state'. It moves through an artificial feel unit to position resolvers and potentiometers. This is all done with solid components (pushrods, cranks, gears). There are no pulleys and cables involved. What I meant was that, in autoflight, it operates in solid state, nothing moving unless the pilot sets the levers manually within the A/T operating range. If anything did jam, either it wouldn't affect FADEC power settings or, if the pilot attempted to set them manually, the pilot would then feel the jam and recognize the problem.

                The 737 was designed before autothrottle. The TL assembly moved lengthy control cables that were connected to the engine throttle units. When it was redesigned with autothrottle, the engine control cables were replaced with resolvers but the cable and pulley method was retained to backdrive the throttles, so you end up with a complex mechanical situation there merging the old with the new. As this accident has shown (and many other incidents before it), if something prevents the TL's from moving on the 737, it also prevents the autothrottle from functioning correctly. Since these jams typically affect only one side, the result is thrust asymmetry and can lead to upset and loss of control.

                Thrust asymmetry related occurrences on the 737 autothrottle were so numerous that, in 1998, Boeing issued an Alert Service Bulletin to upgrade the existing autothrottle computer with a new one incorporating a safeguard against this threat. This was followed in 2001 by an AD requiring the upgrade within 18 months.

                The new safeguard was called Cruise Thrust Split Monitor (CTSM). CTSM does not detect TL position split directly, it detects the signs of a thrust asymmetry by monitoring engine parameters, flap positions and spoiler positions. If it detects uncommanded roll, it disengages the autothrottle, whereby the pilots—if they are pilots—will quickly take over manual thrust and recognize the jam (or perhaps the torque switches will then release the levers from the jam).

                CTSM did not protect this flight because the spoiler position inputs were not valid. The investigation did not determine the cause of this input deficiency. So it remains phenomenal (just as when the A/T of Turkish 1951 did not recognize the radalt asymmetry due to a known flaw in that A/T computer's comparator logic).

                Sounds sort of familiar... CTSM... MCAS... Boeing had been shoehorning systemic fixes into this airframe for decades. I feel that the philosophy of adding complexity to align an aging airframe with a new era is all wrong and particularly dangerous. That is why I have been spouting off about Boeing's need for a clean-sheet single-aisle replacement since the 90's.

                On the issue of back-driven TL's, I think neither Boeing nor Airbus gets it right. The best solution is one where the thrust levers are servo-driven in a simple manner where, should one become jammed, it will not inhibit the FCC commands to the EEC. Instead, a master caution and TLA INVALID 1 (2) annunciation would alert the crew to the fact that a lever has malfunctioned—that the lever position is invalid. I don't have eyes on the 777 or 787 mechanisms, but I wonder if they are more along that model. I find it absurd to think these airframes are still using pulleys and cables and a strict TLA to EEC logic. But Boeing does not fail to surprise me when it comes to anachronisms...

                Comment


                • Originally posted by Evan View Post
                  Well, to begin with—correct me if I'm wrong—but the original 737 did not even have autothrottle. At that point, there was no FCC and autopilot philosophy was contained to the axes represented by the two paddle activation switches on the rudimentary glareshield panel: ailerons and elevator. The primary purpose of autopilot at that point was more to hold a selected flightpath as a tool against pilot fatigue rather than a fully capable flight guidance and management system that is the primary means of flight control in most phases of flight. By the time the A320 (and the 777 and the 787) were developed, autoflight was a thing and it integrated flightpath control with power settings and modern nav avionics.

                  With FADEC coming in the late 70's and EEC replacing control cables, a thrust lever assembly now only needed to move a resolver for the EEC signal and a potentiometer for the flight computer inputs. Therefore it could become a much simpler and, one would expect, more reliable assembly. More on that in my next post...
                  Explain again what the 320 is doing in the same sentence as either the Triple or the Ol' Sparky, especially in this context.

                  Comment


                  • Originally posted by Evan View Post


                    On the issue of back-driven TL's, I think neither Boeing nor Airbus gets it right. The best solution is one where the thrust levers are servo-driven in a simple manner where, should one become jammed, it will not inhibit the FCC commands to the EEC. Instead, a master caution and TLA INVALID 1 (2) annunciation would alert the crew to the fact that a lever has malfunctioned—that the lever position is invalid. I don't have eyes on the 777 or 787 mechanisms, but I wonder if they are more along that model. I find it absurd to think these airframes are still using pulleys and cables and a strict TLA to EEC logic. But Boeing does not fail to surprise me when it comes to anachronisms...
                    I'm surprised you haven't proposed several GUARDED SWITCHES somewhere amid all that. I remember that being your answer to everything.


                    Comment


                    • Originally posted by ATLcrew View Post

                      Explain again what the 320 is doing in the same sentence as either the Triple or the Ol' Sparky, especially in this context.
                      TL/DR?

                      The A320, 777 and 787 are all airframes designed around autothrust and digital autoflight.

                      I'm surprised you haven't proposed several GUARDED SWITCHES somewhere amid all that. I remember that being your answer to everything.
                      The guarded 'give-me-the-effing-airplane' direct law switch? Yeah, that wasn't me.

                      But what does that have to do with anything? I'm not suggesting that Boeing should 'fix' the 737 in any way. I'm saying they should replace it.

                      Comment


                      • Originally posted by Gabriel View Post
                        The main reasons for the autothrust to be linked to the TLA in Boeing's philosophy are consistency with visual / tactile feedback...
                        A lot of good that did here. How often do pilots have their hands or eyes on the thrust levers above 8000ft on autoflight? These guys didn't even notice the levers.

                        BTW, the A320 does give TLA visual feedback. It just gives that on the E/WD display. But again, these guys obviously weren't looking at the engine readings either.

                        Comment


                        • I found this diagram of the 777 backdrive servo mechanism. Simple, solid links, no cables or pulleys. As I expected. Designed around electronic engine control.

                          Comment


                          • Originally posted by Evan View Post
                            A lot of good that did here. How often do pilots have their hands or eyes on the thrust levers above 8000ft on autoflight? These guys didn't even notice the levers.... these guys obviously weren't looking at the engine readings either.
                            You cannot take one case and make a general statement out of it. I wonder how these pilots would have handled a somewhat inconspicuous engine failure / roll back, one that had nothing to do with the autothrottle. Planes still need pilots, not just system managers. Or ask AF 447, or (to give examples of the A320 family) PIA 8303, or AF 296Q, or Gulf Air 072, or TAM 3054, or AirAsia Flight 8501. One can pick and choose. More on that later.

                            One might as well wonder how these Sriwijaya pilots would have related to a more-or-less inconspicuous engine failure or roll back that was not related to the autothrottle.
                            Well, we know how, right? Just like they handled the one related to the autothrottle.

                            By the time the A320 (and the 777 and the 787) were developed, autoflight was a thing and it integrated flightpath control with power settings and modern nav avionics.
                            I think that the 737-200-adv had what would be considered a modern autopilot, and autothrottle.

                            The best solution is one where the thrust levers are servo-driven in a simple manner where, should one become jammed, it will not inhibit the FCC commands to the EEC.
                            And how would the system distinguish between the throttle being mechanically jammed or forced by the pilot? I know, the pilot should not be playing with the throttle lever if the AT is engaged. But still Boeing's philosophy is that the pilot takes precedence over automation. And it is not uncommon that, when commanding a slow down or descent via automation, pilots will "help" the autothrottle by pulling back, or that during a go around they would click the go-around button and shove the throttle levers fully forward. You may argue that in that case the pilots are moving the levers so the system would identify that they are not stuck. But for every piece of logic and "decision" you add you are generally adding potential failure modes, although I cannot think of one right now.

                            I find it absurd to think these airframes are still using pulleys and cables and a strict TLA to EEC logic. But Boeing does not fail to surprise me when it comes to anachronisms...
                            I'm not suggesting that Boeing should 'fix' the 737 in any way. I'm saying they should replace it.
                            Let's compare the A320 "classic" with the Boeing 737 NG.
                            The A320 has hard envelope protections in pitch, roll, speed and AoA. The 737 has minimal to none.
                            The A320 has an autoflight system that is not susceptible to jams in the pilot's controls. The 737 autoflight is susceptible.
                            The A320 has ECAM / EICAS. The 737 doesn't (something that is creating ridiculous discussions in the US right now and that would deserve its own thread).

                            How much actual impact do you think that all that has on safety?
                            Let me tell you how much.
                            0.01 parts per million. Literally, that's how much.
                            The A320 (classic) family has 0.17 hull loss accidents and 0.08 fatal hull loss accidents per million departures.
                            The 737 NG has 0.18 and 0.09.


                            So how do you explain this?
                            Is it that these safety features really don't have any significant impact on safety?
                            Is it that Boeing pilots happen to be better than Airbus pilots?
                            Is it that these safety features do have a measurable impact, but at the same time create side effects that compensate the benefit?

                            In any case, statistics (and not based on a small sample size precisely) seem to indicate that flying in an A320 or a 737 is about equally safe.
                            So can we stop please?


                            Comment



                            • Originally posted by Gabriel
                              I think that the 737-200-adv had what would be considered a modern autopilot, and autothrottle.
                              It was adapted to EEC from a hydromechanical design, which is my point. It was an overly-complex, failure-prone autothrottle design that ultimately required a software ‘fix’ that, in this flight, failed to work for reasons the investigation could not determine. Therefore, the design risk cannot be assuredly removed.

                              The 757/767 was the first Boeing design around modern digital autoflight. FADEC was first introduced to a commercial airline on the 757 in 1984 I think. If Boeing had ended the 737 and modified the 757 instead, a lot of people would still be alive today. But, of course, that would have required re-certification which would have dented short-term profitability… we all know the story by now.

                              So can we stop please?
                              Stop what? Suggesting where risks lie and what can be done about them? Sure, we could stop. But that would remove a lot of your posts as well (see: TOPMS).

                              You like to cite safety statistics. But those are misleading. How many hull losses on the A320 are involving system failures that cause upset rather than egregious pilot error (or pilot malice)? That is the only relevant comparison when discussing airframe design safety. And before you tell me that the A320 instills pilot complacency, go back and read the report on this one (and Turkish 1951).

                              Comment


                              • Originally posted by Evan View Post
                                Stop what? Suggesting where risks lie and what can be done about them? Sure, we could stop. But that would remove a lot of your posts as well (see: TOPMS).
                                Suggesting that the difference in original airframe development era, technology, systems, and design philosophy between the A320 and the 737 makes a significant difference in the actual safety performance of both types, to the point that the 737 should be scrapped. It doesn't. That's not an opinion.

                                The original A320 and its competition the 737NG have almost exactly the same safety record on a sample size of dozens of millions of flights. The difference is in the one-hundredth of one PPM digit. That is not significant either statistically or in practice. The next single hull loss accident will itself make a difference bigger than that.

                                I am very confident that the 737 MAX, after the criminally negligent MCAS manslaughter, both by Boeing and by the FAA, will be as safe as the A320NEO.

                                You like to cite safety statistics. But those are misleading. How many hull losses on the A320 are involving system failures that cause upset rather than egregious pilot error?
                                I don't know. That's the point. Is one type of accident compensating for the other? Again, I don't know. It would be very interesting to understand what are the factors that make the safety records to be almost exactly identical and why these factors are what they are. I am quite sure that either the differences don't have such a significant impact in safety as one (even myself) tend to think, or that somehow there is some interaction where hen positive factor is linked to another negative factor. Hard to believe that it is just random chance that most of the system failures happen on one type and most of the egregious pilot errors happen in the other type... just to compensate the former?

                                That is the only relevant comparison when discussing airframe design safety.
                                I totally disagree. The situation of human-machine-procedure interactions is much more complicated than that. I don't claim any particular mechanism, but again, the lack of difference in safety performance on such a big sample size and over so many years strongly suggests that either these particular differences in design don't have such a direct significant impact in safety performance as we think, or that there is some interaction where the same characteristics interactions and have side effects (good and bad) that compensate the direct impact.

                                I've worked in factories all my life and I have seen, over and over, how untrained or not-committed workers can bypass error-proof features ("it is very difficult to fool-proof something because the fools are very creative") and how the best trained and most committed worker makes a mistake he/she was very intentionally trying to avoid, which typically ends up being linked to product and process designs that had unforeseen weaknesses that made them prone to human error.

                                And before you tell me that the A320 instills pilot complacency, go back and read the report on this one (and Turkish 1951).
                                I am not telling anything. Again, I don't know the mechanism and causes why the safety records are almost identical. But they are almost identical. And I don't think that it is just by chance or intentional pilot action to crash the safer design more frequently.

                                Don't get me wrong, I agree with you that it is time already that Boeing moves forward (in a lot of ways, not only in a 737 replacement but also in its culture, management, etc). And I am all for modern airplanes with modern designs and safety features. But the modern versions of the 737 (NG, MAX) are NOT an unsafer type than the A320. I may not know why, but that's what reality seems to show. And I don't argue against reality. I just try to understand it and, in a few occasions, to change it (and I am not always successful in either effort).


                                Comment
