Lion Air 737-Max missing, presumed down in the sea near CGK (Jakarta)


  • Originally posted by Evan
    Boeing will get away with two. If one fails, the MCAS system will be unavailable. Now the risk that made MCAS necessary in the first place is present: you have a 737-MAX without MCAS. It may now be unrecoverable in certain stall avoidance situations.
    Define "may".
    Do you mean that in certain stall avoidance situations the condition would be unrecoverable? (meaning that it WILL be unrecoverable IF that condition materializes). If so, source please.
    Or do you mean that it may or may not, YOU just don't know?

    It was never clear to me if the MCAS was a feature to make the plane certifiable in the first place (meaning that it would not have been possible to certify it without the MCAS) or if it was rather a feature to minimize the training requirements and have the MAX be able to be flown under the same type rating as the NG. I tend to think it was the latter.

    --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
    --- Defend what you say with arguments, not by imposing your credentials ---

    Comment


    • Originally posted by Gabriel
      Define "may".
      Do you mean that in certain stall avoidance situations the condition would be unrecoverable? (meaning that it WILL be unrecoverable IF that condition materializes). If so, source please.
      Or do you mean that it may or may not, YOU just don't know?

      It was never clear to me if the MCAS was a feature to make the plane certifiable in the first place (meaning that it would not have been possible to certify it without the MCAS) or if it was rather a feature to minimize the training requirements and have the MAX be able to be flown under the same type rating as the NG. I tend to think it was the latter.
      Either way Gabriel, MCAS was introduced to address a concern serious enough to warrant a system like MCAS, and in a very “friendly” certification environment. Whether it was introduced to overcome a very dangerous pitch tendency at certain weights near the limit of the envelope or just to assure characteristics are sufficiently similar to the NG by which it was certified is immaterial. It was NEEDED for safety reasons related to flight control. Under the current fix, a single point (and not so uncommon) failure removes that safety feature. Such a system needs to be fail-passive in that condition. Or at least that’s how it was for Airbus. Maybe employing the FAA gives you the right to a double-standard. I’m open to that possibility...

      Comment


      • Originally posted by Evan
        Such a system needs to be fail-passive in that condition. Or at least that’s how it was for Airbus.
        NOW it will be fail passive. Did you mean fail operational?

        --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
        --- Defend what you say with arguments, not by imposing your credentials ---

        Comment


        • Originally posted by Gabriel
          NOW it will be fail passive. Did you mean fail operational?
          I mean the system continues to operate in the event of a single point failure. Both fail-passive and fail-operational describe this state (not talking about autoland here).

          Comment


          • Originally posted by Evan
            I mean the system continues to operate in the event of a single point failure. Both fail-passive and fail-operational describe this state (not talking about autoland here).
            See I told you. = puking.

            Comment


            • These terms tend to be somewhat oblique depending on the context in which they are used, but the only term that matters here is an engineering term for designed redundancy: Triple modular redundancy. MCAS should be required to have triple modular redundancy, as the Airbus envelope protections were required to have. The apparent reasoning behind designing MCAS with no redundancy had to do with remaining in the NG certification. I suspect there is some behind the scenes negotiating going on to resolve the MCAS issues and get the fleet back in service that centers on not triggering additional certification. Perhaps adding a third vane and more robust comparator logic would do that. But the double-standard here is glaring.

              Comment


              • Originally posted by Evan
                I mean the system continues to operate in the event of a single point failure. Both fail-passive and fail-operational describe this state (not talking about autoland here).
                We are digressing here, but fail-passive systems don't continue to operate after a single failure. They stop working in a "friendly" passive way. A system would be fail-passive if, upon the failure of an AoA indicator, the system detects that failure and stops operating without responding to it with control inputs (i.e. no upset) but the pilot has to assume the lost function. The current design of the MCAS would be that. A fail-operational system remains operational (albeit in fail-passive state) after a single failure. To be fail-operational, the MCAS would either need a 3rd AoA sensor or an alternate means to decide which (if any) of the 2 disagreeing AoA sensors is correct.

                --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
                --- Defend what you say with arguments, not by imposing your credentials ---

                Comment


                • Originally posted by Evan
                  These terms tend to be somewhat oblique depending on the context in which they are used, but the only term that matters here is an engineering term for designed redundancy: Triple modular redundancy. MCAS should be required to have triple modular redundancy, as the Airbus envelope protections were required to have. The apparent reasoning behind designing MCAS with no redundancy had to do with remaining in the NG certification. I suspect there is some behind the scenes negotiating going on to resolve the MCAS issues and get the fleet back in service that centers on not triggering additional certification. Perhaps adding a third vane and more robust comparator logic would do that. But the double-standard here is glaring.
                  A difference that you mentioned before, but are ignoring now, is that a bad "final" AoA would override the pilot's inputs in the Airbus. The Airbus will simply ignore nose-up commands from the pilot if the AoA is at or beyond Alpha max, even if that "final" AoA was false and the plane is pitching down into the ground against the pilot's nose-up inputs on the stick which will be fully ignored by the system. Of course, the chances for that to happen are almost zero thanks to the triple redundancy.

                  That is NOT the case in the MAX, or in ANY Boeing, even in the most modern ones with fly-by-wire and envelope protection like the 777 and 787, where the pilot has override capability ALWAYS (using the normal controls, not needing to reconfigure systems). I would argue that that was not the case even with the MAX before the updates, since the pilots still regained full trim authority with override power over the MCAS by using the normal trim input device (thumb switch).

                  I am not saying that A's approach is better than B's or B's better than A's (although you know I have my opinion or at least my preference). What I am saying is that there are reasons to make a differentiation between the requirements and, as such, the "double standard" would not exist, not at least in the sense that the authorities are requiring different levels of certification to different companies in the same scenarios, because the scenarios are clearly different: In an Airbus, if you get a bad "final" AoA you are pretty much dead unless you start to reconfigure systems. Not so in any Boeing (not so even with the previous version of the MCAS which was pretty horrible and totally unacceptable, so no need to convince me of that).

                  --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
                  --- Defend what you say with arguments, not by imposing your credentials ---

                  Comment


                  • Originally posted by Gabriel
                    A difference that you mentioned before, but are ignoring now, is that a bad "final" AoA would override the pilot's inputs in the Airbus. The Airbus will simply ignore nose-up commands from the pilot if the AoA is at or beyond Alpha max, even if that "final" AoA was false and the plane is pitching down into the ground against the pilot's nose-up inputs on the stick which will be fully ignored by the system. Of course, the chances for that to happen are almost zero thanks to the triple redundancy.

                    Stuff like that has happened, though not close to the ground. And usually you wouldn't expect AoA vanes contaminated with water to freeze when the plane is close to the ground as opposed to being at altitude. But there is a procedure to deal with this and it has been used successfully, though not avoiding a scary incident.

                    The point is, I and many others feel Boeing is still moving in the wrong direction. At a time when 3 AoA vanes have been shown not to be bulletproof, when some airplanes come standard with 4 AoAs, Boeing is fixing a troubled system by keeping its 2 AoA vanes.

                    Comment


                    • Originally posted by Black Ram
                      Stuff like that has happened, though not close to the ground. And usually you wouldn't expect AoA vanes contaminated with water to freeze when the plane is close to the ground as opposed to being at altitude. But there is a procedure to deal with this and it has been used successfully, though not avoiding a scary incident.

                      The point is, I and many others feel Boeing is still moving in the wrong direction. At a time when 3 AoA vanes have been shown not to be bulletproof, when some airplanes come standard with 4 AoAs, Boeing is fixing a troubled system by keeping its 2 AoA vanes.
                      And I may agree with that. But as I explained before, I was not judging A's and B's approach by themselves but rather looking whether Evan's comparison of the A's and B's certification requirements was a fair apples-to-apples comparison, which in my opinion it is not.

                      --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
                      --- Defend what you say with arguments, not by imposing your credentials ---

                      Comment


                      • Originally posted by Gabriel
                        A difference that you mentioned before, but are ignoring now, is that a bad "final" AoA would override the pilot's inputs in the Airbus. The Airbus will simply ignore nose-up commands from the pilot if the AoA is at or beyond Alpha max, even if that "final" AoA was false and the plane is pitching down into the ground against the pilot's nose-up inputs on the stick which will be fully ignored by the system. Of course, the chances for that to happen are almost zero thanks to the triple redundancy.

                        That is NOT the case in the MAX, or in ANY Boeing, even in the most modern ones with fly-by-wire and envelope protection like the 777 and 787, where the pilot has override capability ALWAYS (using the normal controls, not needing to reconfigure systems). I would argue that that was not the case even with the MAX before the updates, since the pilots still regained full trim authority with override power over the MCAS by using the normal trim input device (thumb switch).

                        I am not saying that A's approach is better than B's or B's better than A's (although you know I have my opinion or at least my preference). What I am saying is that there are reasons to make a differentiation between the requirements and, as such, the "double standard" would not exist, not at least in the sense that the authorities are requiring different levels of certification to different companies in the same scenarios, because the scenarios are clearly different: In an Airbus, if you get a bad "final" AoA you are pretty much dead unless you start to reconfigure systems. Not so in any Boeing (not so even with the previous version of the MCAS which was pretty horrible and totally unacceptable, so no need to convince me of that).
                        The odds of an A320 having a bad ‘final AoA’ are extremely remote, and this was the standard used to certify it. I don’t recall the actual odds used, but they were considered, for all intents and purposes, impossible (barring any maintenance stoogery, of course). Even so, there are procedures to quickly degrade to alternate law without losing controllability or FBW methodology (whether those procedures are widely known is another story). But the point is, every REASONABLE precaution was taken to ensure that envelope protections required to certify the aircraft would be fail-operational following the failure of a single air-data source.

                        As I understand it, MCAS will now be inop following the failure of a single air-data source. It is now fail-safe but not fail-operational. That means the airplane, by certification criteria, is potentially unsafe (and we have learned many times over that aviation disasters often are the result of a rare but still foreseeable combination of failures and pilot error).

                        So the question I would like answered is: why is requiring triple modular redundancy for MCAS unreasonable in an age where it is the standard for critical systems?

                        Comment


                        • Originally posted by Evan
                          So the question I would like answered is: why is requiring triple modular redundancy for MCAS unreasonable in an age where it is the standard for critical systems?
                          $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

                          this is the question that should be posed to the congressional oversight stooges

                          Comment


                          • Originally posted by Black Ram
                            Oh, how nice. Very grateful to Boeing for that.

                            I just thought that now, when this has dragged for like 8 months with practically no end in sight (at least until the end of the year), that the "defend them at all cost" people would be more chill. Not that they are really saying anything.

                            Boeingbob, we miss you!

                            Defend at all costs, please. Instead of waxing poetic why don't you point out the flaw in the logic? Or is that just rhetoric?

                            Comment


                            • Originally posted by Evan
                              The A320 needed three AoA sensors to achieve certification. Why? Because AoA data can override pilot inputs. They needed that extra vane to allow the system to vote out a faulty vane with the two in agreement, to be assuredly safe.

                              Sure. Pilots can always follow a procedure to override those system protections, but just requiring them to establish SA and take the correct steps carries a threat of upset or distraction. To be truly safe, any system that can override pilot commands must remain fail-passive after a single-point failure. Fail passive means the system retains redundancy. That requires three sensors.

                              Boeing will get away with two. If one fails, the MCAS system will be unavailable. Now the risk that made MCAS necessary in the first place is present: you have a 737-MAX without MCAS. It may now be unrecoverable in certain stall avoidance situations.
                              The Airbus control design is fundamentally different and a loose comparison is not valid. Remember, MCAS may have only been necessary to make the MAX feel exactly like the old 737, so no new training was required. I would not be surprised if they mandate new training for the MAX now. On its own, the MCAS may not have been required as a safety issue. To be fair, I'm not certain of that, but again, I don't think your comparison is valid. It seems to me, the plane is entirely flyable without MCAS and the override if properly programmed is something the pilots train for.

                              Comment


                              • Originally posted by Evan
                                These terms tend to be somewhat oblique depending on the context in which they are used, but the only term that matters here is an engineering term for designed redundancy: Triple modular redundancy. MCAS should be required to have triple modular redundancy, as the Airbus envelope protections were required to have. The apparent reasoning behind designing MCAS with no redundancy had to do with remaining in the NG certification. I suspect there is some behind the scenes negotiating going on to resolve the MCAS issues and get the fleet back in service that centers on not triggering additional certification. Perhaps adding a third vane and more robust comparator logic would do that. But the double-standard here is glaring.
                                More complexity does not always = more safety. More parts certainly increases the odds of a failure in that system. I would venture to say that the odds of 2 independent failures of those sensors (meaning no MCAS) is far more likely than two simultaneously failing to the exact same values.

                                Comment
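
Added example, not part of any post in this thread and not any manufacturer's logic: a sketch of the two-vane comparator and three-vane voter the posts above argue about, including the case where two vanes fail to the same value. The vane names, the 5-degree disagreement threshold and the sample readings are constructed assumptions.

```python
from statistics import mean, median

TOL_DEG = 5.0  # assumed disagreement threshold in degrees (constructed value)

def dual_comparator(a, b, tol=TOL_DEG):
    """Two vanes: a disagreement is detectable, but not which vane is wrong.
    Fail-passive: on disagreement the function is inhibited, no output."""
    if abs(a - b) <= tol:
        return mean([a, b]), "active"
    return None, "inhibited"

def triplex_voter(readings, tol=TOL_DEG):
    """Three vanes: readings within tol of the median form the majority and
    vote out the rest. Returns (value, status, rejected vane names)."""
    mid = median(readings.values())
    good = {k: v for k, v in readings.items() if abs(v - mid) <= tol}
    rejected = sorted(set(readings) - set(good))
    if len(good) < 2:
        # No two vanes agree: nothing to trust, so the function is inhibited.
        return None, "inhibited", sorted(readings)
    status = "active" if not rejected else "degraded"
    return mean(good.values()), status, rejected

# Constructed sample: true angle of attack is about 5 degrees, vane_3 has failed.
ONE_VANE_FAILED = {"vane_1": 5.0, "vane_2": 5.4, "vane_3": 22.0}
# Constructed sample: two vanes frozen at the same value while the true angle
# (reported only by vane_2) has risen to 12 degrees.
TWO_FROZEN_ALIKE = {"vane_1": 4.2, "vane_2": 12.0, "vane_3": 4.2}

if __name__ == "__main__":
    # Two vanes, one failed: the function is lost (fail-passive).
    print(dual_comparator(5.0, 22.0))
    # Three vanes, one failed: output continues (fail-operational).
    print(triplex_voter(ONE_VANE_FAILED))
    # Common-mode failure: the majority is wrong and the good vane is rejected.
    print(triplex_voter(TWO_FROZEN_ALIKE))
```

After the voter has rejected one vane, the two that remain can only be compared, so a second failure leaves it in the same position as `dual_comparator`.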
