Lion Air 737-Max missing, presumed down in the sea near CGK (Jakarta)

  • TeeVee
    replied
    Originally posted by Evan:
    So the question I would like answered is: why is requiring triple modular redundancy for MCAS unreasonable in an age where it is the standard for critical systems?

    this is the question that should be posed to the congressional oversight stooges



  • Evan
    replied
    Originally posted by Gabriel:
    A difference that you mentioned before, but are ignoring now, is that a bad "final" AoA would override the pilot's inputs in the Airbus. The Airbus will simply ignore nose-up commands from the pilot if the AoA is at or beyond Alpha max, even if that "final" AoA was false and the plane is pitching down into the ground against the pilot's nose-up inputs on the stick, which will be fully ignored by the system. Of course, the chances for that to happen are almost zero thanks to the triple redundancy.

    That is NOT the case in the MAX, or in ANY Boeing, even in the most modern ones with fly-by-wire and envelope protection like the 777 and 787, where the pilot has override capability ALWAYS (using the normal controls, not needing to reconfigure systems). I would argue that that was not the case even with the MAX before the updates, since the pilots still regained full trim authority with override power over the MCAS by using the normal trim input device (thumb switch).

    I am not saying that A's approach is better than B's or B's better than A's (although you know I have my opinion or at least my preference). What I am saying is that there are reasons to make a differentiation between the requirements and, as such, the "double standard" would not exist, not at least in the sense that the authorities are requiring different levels of certification from different companies in the same scenarios, because the scenarios are clearly different: In an Airbus, if you get a bad "final" AoA you are pretty much dead unless you start to reconfigure systems. Not so in any Boeing (not so even with the previous version of the MCAS, which was pretty horrible and totally unacceptable, so no need to convince me of that).
    The odds of an A320 having a bad ‘final AoA’ are extremely remote, and this was the standard used to certify it. I don’t recall the actual odds used, but they were considered, for all intents and purposes, impossible (barring any maintenance stoogery, of course). Even so, there are procedures to quickly degrade to alternate law without losing controllability or FBW methodology (whether those procedures are widely known is another story). But the point is, every REASONABLE precaution was taken to ensure that envelope protections required to certify the aircraft would be fail-operational following the failure of a single air-data source.

    As I understand it, MCAS will now be inop following the failure of a single air-data source. It is now fail-safe but not fail-operational. That means the airplane, by certification criteria, is potentially unsafe (and we have learned many times over that aviation disasters often are the result of a rare but still foreseeable combination of failures and pilot error).

    So the question I would like answered is: why is requiring triple modular redundancy for MCAS unreasonable in an age where it is the standard for critical systems?



  • Gabriel
    replied
    Originally posted by Black Ram:
    Stuff like that has happened, though not close to the ground. And usually you wouldn't expect AoA vanes contaminated with water to freeze when the plane is close to the ground as opposed to being at altitude. But there is a procedure to deal with this and it has been used successfully, though not avoiding a scary incident.

    The point is, I and many others feel Boeing is still moving in the wrong direction. At a time when 3 AoA vanes have been shown not to be bulletproof, when some airplanes come standard with 4 AoAs, Boeing is fixing a troubled system by keeping its 2 AoA vanes.
    And I may agree with that. But as I explained before, I was not judging A's and B's approach by themselves but rather looking whether Evan's comparison of the A's and B's certification requirements was a fair apples-to-apples comparison, which in my opinion it is not.



  • Black Ram
    replied
    Originally posted by Gabriel:
    A difference that you mentioned before, but are ignoring now, is that a bad "final" AoA would override the pilot's inputs in the Airbus. The Airbus will simply ignore nose-up commands from the pilot if the AoA is at or beyond Alpha max, even if that "final" AoA was false and the plane is pitching down into the ground against the pilot's nose-up inputs on the stick, which will be fully ignored by the system. Of course, the chances for that to happen are almost zero thanks to the triple redundancy.

    Stuff like that has happened, though not close to the ground. And usually you wouldn't expect AoA vanes contaminated with water to freeze when the plane is close to the ground as opposed to being at altitude. But there is a procedure to deal with this and it has been used successfully, though not avoiding a scary incident.

    The point is, I and many others feel Boeing is still moving in the wrong direction. At a time when 3 AoA vanes have been shown not to be bulletproof, when some airplanes come standard with 4 AoAs, Boeing is fixing a troubled system by keeping its 2 AoA vanes.



  • Gabriel
    replied
    Originally posted by Evan:
    These terms tend to be somewhat oblique depending on the context in which they are used, but the only term that matters here is an engineering term for designed redundancy: Triple modular redundancy. MCAS should be required to have triple modular redundancy, as the Airbus envelope protections were required to have. The apparent reasoning behind designing MCAS with no redundancy had to do with remaining in the NG certification. I suspect there is some behind the scenes negotiating going on to resolve the MCAS issues and get the fleet back in service that centers on not triggering additional certification. Perhaps adding a third vane and more robust comparator logic would do that. But the double-standard here is glaring.
    A difference that you mentioned before, but are ignoring now, is that a bad "final" AoA would override the pilot's inputs in the Airbus. The Airbus will simply ignore nose-up commands from the pilot if the AoA is at or beyond Alpha max, even if that "final" AoA was false and the plane is pitching down into the ground against the pilot's nose-up inputs on the stick, which will be fully ignored by the system. Of course, the chances for that to happen are almost zero thanks to the triple redundancy.

    That is NOT the case in the MAX, or in ANY Boeing, even in the most modern ones with fly-by-wire and envelope protection like the 777 and 787, where the pilot has override capability ALWAYS (using the normal controls, not needing to reconfigure systems). I would argue that that was not the case even with the MAX before the updates, since the pilots still regained full trim authority with override power over the MCAS by using the normal trim input device (thumb switch).

    I am not saying that A's approach is better than B's or B's better than A's (although you know I have my opinion or at least my preference). What I am saying is that there are reasons to make a differentiation between the requirements and, as such, the "double standard" would not exist, not at least in the sense that the authorities are requiring different levels of certification from different companies in the same scenarios, because the scenarios are clearly different: In an Airbus, if you get a bad "final" AoA you are pretty much dead unless you start to reconfigure systems. Not so in any Boeing (not so even with the previous version of the MCAS, which was pretty horrible and totally unacceptable, so no need to convince me of that).



  • Gabriel
    replied
    Originally posted by Evan:
    I mean the system continues to operate in the event of a single point failure. Both fail-passive and fail-operational describe this state (not talking about autoland here).
    We are digressing here, but fail-passive systems don't continue to operate after a single failure. They stop working in a "friendly" passive way. A system would be fail-passive if, upon the failure of an AoA indicator, the system detects that failure and stops operating without responding to it with control inputs (i.e. no upset), but the pilot has to assume the lost function. The current design of the MCAS would be that. A fail-operational system remains operational (albeit in fail-passive state) after a single failure. To be fail-operational, the MCAS would need either a 3rd AoA sensor or an alternate means to decide which (if any) of the 2 disagreeing AoA sensors is correct.



  • Evan
    replied
    These terms tend to be somewhat oblique depending on the context in which they are used, but the only term that matters here is an engineering term for designed redundancy: Triple modular redundancy. MCAS should be required to have triple modular redundancy, as the Airbus envelope protections were required to have. The apparent reasoning behind designing MCAS with no redundancy had to do with remaining in the NG certification. I suspect there is some behind the scenes negotiating going on to resolve the MCAS issues and get the fleet back in service that centers on not triggering additional certification. Perhaps adding a third vane and more robust comparator logic would do that. But the double-standard here is glaring.



  • BoeingBobby
    replied
    Originally posted by Evan:
    I mean the system continues to operate in the event of a single point failure. Both fail-passive and fail-operational describe this state (not talking about autoland here).
    See I told you. = puking.



  • Evan
    replied
    Originally posted by Gabriel:
    NOW it will be fail passive. Did you mean fail operational?
    I mean the system continues to operate in the event of a single point failure. Both fail-passive and fail-operational describe this state (not talking about autoland here).



  • Gabriel
    replied
    Originally posted by Evan:
    Such a system needs to be fail-passive in that condition. Or at least that’s how it was for Airbus.
    NOW it will be fail passive. Did you mean fail operational?



  • Evan
    replied
    Originally posted by Gabriel:
    Define "may".
    Do you mean that in certain stall avoidance situations the condition would be unrecoverable? (meaning that it WILL be unrecoverable IF that condition materializes). If so, source please.
    Or do you mean that it may or may not, YOU just don't know?

    It was never clear to me if the MCAS was a feature to make the plane certifiable in the first place (meaning that it would not have been possible to certify it without the MCAS) or if it was rather a feature to minimize the training requirements and have the MAX been able to be flown under the same type rating than the NG. I tend to think it was the latter.
    Either way Gabriel, MCAS was introduced to address a concern serious enough to warrant a system like MCAS, and in a very "friendly" certification environment. Whether it was introduced to overcome a very dangerous pitch tendency at certain weights near the limit of the envelope or just to assure characteristics are sufficiently similar to the NG by which it was certified is immaterial. It was NEEDED for safety reasons related to flight control. Under the current fix, a single point (and not so uncommon) failure removes that safety feature. Such a system needs to be fail-passive in that condition. Or at least that's how it was for Airbus. Maybe employing the FAA gives you the right to a double-standard. I'm open to that possibility...



  • Gabriel
    replied
    Originally posted by Evan:
    Boeing will get away with two. If one fails, the MCAS system will be unavailable. Now the risk that made MCAS necessary in the first place is present: you have a 737-MAX without MCAS. It may now be unrecoverable in certain stall avoidance situations.
    Define "may".
    Do you mean that in certain stall avoidance situations the condition would be unrecoverable? (meaning that it WILL be unrecoverable IF that condition materializes). If so, source please.
    Or do you mean that it may or may not, YOU just don't know?

    It was never clear to me if the MCAS was a feature to make the plane certifiable in the first place (meaning that it would not have been possible to certify it without the MCAS) or if it was rather a feature to minimize the training requirements and have the MAX been able to be flown under the same type rating than the NG. I tend to think it was the latter.



  • Gabriel
    replied
    Originally posted by Evan:
    The A320 needed three AoA sensors to achieve certification. Why? Because AoA data can override pilot inputs.
    Exactly, something that NOW cannot happen anymore in the 737 MAX.



  • TeeVee
    replied
    kinda surprised no one has mentioned it...boeing is now saying that they are going to do what they should've done to begin with. after this, they will pat themselves on the shoulder, pay the judgments and attorneys, and in no time at all, everything will be forgotten except by asshat parlour talkers.



  • Evan
    replied
    Originally posted by Schwartz:
    You're exaggerating. There are several other changes which would mitigate the highly unlikely scenario of two sensors failing or being simultaneously mis-calibrated in the exact same way.
    First, they are no longer hiding the mechanism for how MCAS works which makes mis-understanding what the plane is doing a lot less likely. Second, they are changing some software to make sure that pulling back with sufficient force on the yoke will override the MCAS behaviour or something to that effect. No need to add another part that just makes a part failure all the more likely.
    The A320 needed three AoA sensors to achieve certification. Why? Because AoA data can override pilot inputs. They needed that extra vane to allow the system to vote out a faulty vane with the two in agreement, to be assuredly safe.

    Sure. Pilots can always follow a procedure to override those system protections, but just requiring them to establish SA and take the correct steps carries a threat of upset or distraction. To be truly safe, any system that can override pilot commands must remain fail-passive after a single-point failure. Fail passive means the system retains redundancy. That requires three sensors.

    Boeing will get away with two. If one fails, the MCAS system will be unavailable. Now the risk that made MCAS necessary in the first place is present: you have a 737-MAX without MCAS. It may now be unrecoverable in certain stall avoidance situations.

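The distinction Gabriel draws between fail-passive and fail-operational behaviour, and Evan's point that a third vane lets the system "vote out a faulty vane with the two in agreement", can be made concrete with a small model of the two monitor designs. The Python below is an added illustration for this thread; it is not code from any poster, from Boeing or Airbus, or from any real flight-control system. The disagreement threshold, the sensor readings and the function names (`dual_comparator`, `triple_voter`, `run_sequence`) are constructed for the example.

```python
# Added illustration of the redundancy concepts discussed in the thread:
# a two-sensor comparator (fail-passive) versus a three-sensor voter
# (fail-operational). The threshold and readings are constructed examples,
# not figures from any real aircraft or certification document.
from dataclasses import dataclass
from statistics import median
from typing import Callable, List, Optional, Sequence, Tuple

# Assumed disagreement tolerance between AoA vanes, in degrees (illustrative).
DISAGREE_THRESHOLD_DEG = 5.0


@dataclass(frozen=True)
class Decision:
    status: str                  # "operational" or "inhibited"
    aoa: Optional[float]         # value the protection function would act on
    isolated: Tuple[int, ...]    # indices of sensors voted out so far


def dual_comparator(readings: Sequence[float],
                    isolated: Tuple[int, ...] = ()) -> Decision:
    """Two live sensors: a disagreement can be detected but not arbitrated,
    so the only safe response is to inhibit the function (fail-passive).
    No erroneous control input is made; the crew inherits the lost function."""
    a, b = readings
    if abs(a - b) > DISAGREE_THRESHOLD_DEG:
        return Decision("inhibited", None, isolated)
    return Decision("operational", (a + b) / 2.0, isolated)


def triple_voter(readings: Sequence[float],
                 isolated: Tuple[int, ...] = ()) -> Decision:
    """Three sensors: a reading that disagrees with the others is voted out
    and the function keeps running on the survivors (fail-operational).
    Once a sensor has been isolated only a pair remains, so the next
    disagreement degrades to the fail-passive behaviour of dual_comparator."""
    live = [i for i in range(len(readings)) if i not in isolated]
    if len(live) < 2:
        return Decision("inhibited", None, isolated)
    if len(live) == 2:
        return dual_comparator([readings[i] for i in live], isolated)

    # A sensor is trusted if it agrees with at least one other live sensor.
    def agrees_with_someone(i: int) -> bool:
        return any(abs(readings[i] - readings[j]) <= DISAGREE_THRESHOLD_DEG
                   for j in live if j != i)

    trusted = [i for i in live if agrees_with_someone(i)]
    outvoted = tuple(i for i in live if i not in trusted)
    if len(trusted) < 2:
        # No majority exists, so there is nothing to vote with: inhibit.
        return Decision("inhibited", None, isolated)
    value = median([readings[i] for i in trusted])
    return Decision("operational", value, isolated + outvoted)


def run_sequence(samples: Sequence[Sequence[float]],
                 voter: Callable[..., Decision]) -> List[str]:
    """Feed successive samples through a voter, latching isolated channels
    forward the way a monitor would once it has declared a sensor failed."""
    isolated: Tuple[int, ...] = ()
    history: List[str] = []
    for sample in samples:
        decision = voter(sample, isolated)
        isolated = decision.isolated
        history.append(decision.status)
    return history


# Constructed scenario: sensor 1 freezes at 25 degrees from the second
# sample onward, and sensor 2 also fails on the fourth sample.
SAMPLES_3 = [(4.0, 4.2, 4.1), (4.0, 25.0, 4.1), (4.1, 25.0, 4.2), (4.1, 25.0, 40.0)]
# The same first failure seen by a two-vane design (sensor 1 freezes).
SAMPLES_2 = [(4.0, 4.2), (4.0, 25.0), (4.1, 25.0)]

if __name__ == "__main__":
    print("three vanes:", run_sequence(SAMPLES_3, triple_voter))
    print("two vanes:  ", run_sequence(SAMPLES_2, dual_comparator))
```

Run stand-alone, the two-vane comparator inhibits at the first frozen vane and stays inhibited, which is the behaviour Gabriel labels fail-passive. The three-vane voter isolates the frozen vane, keeps operating on the remaining pair (fail-operational, "albeit in fail-passive state"), and only inhibits when a second vane fails and the survivors can no longer be arbitrated.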
