What is it doing now?


  • #16
    Originally posted by Schwartz
    These pilots were very very lucky. A lot of things went well enough for them to survive especially given that the engines lasted just long enough to support their quick turn back to the runway.

    They also lucked out from the timing, it appears the only reason they were able to climb out initially was because the landing gear was in transit and the front gear pushed the nose up as the engines spooled up. This is why they were able to gain altitude and figure out how to get the plane back to the runway.
    Two things. Firstly, I said this was phenomenal because of the very rare and complex combination of failures and pilot errors that made it possible. Secondly, that combination is not going to present itself on a revenue flight.

    In order for this to occur, the SEC's must be in control of pitch (both ELAC faulted) on the ground AND the LGCIU's have to be sending opposing air/ground signals to them (the left and right MLG have to be in a very different state of compression for at least one second.)

    In other words, this requires the aircraft to begin the take-off roll with zero ELAC's functioning and then experience an asymmetrical "bounce" large enough to make that possible BEFORE rotation.

    How could that ever happen in a revenue flight?

    1) You could dispatch a flight with a single functional ELAC. Then during the takeoff roll, the remaining ELAC would have to suddenly fault (why?) AND then you need to lift off, drop back hard on the runway, asymmetrically AND then decide to continue the takeoff. That would be a fantastically bad day.

    2) You could engage in a very late go-around (perhaps due to some runway incursion) with both ELAC's already in a faulted state (perhaps after being dispatched with a single ELAC and it failed during the flight), touch down hard to get the asymmetrical bounce, THEN land and THEN attempt to lift off again. That would be a fantastically bad day.

    3) You could have an improperly maintained stabilizer override mechanism malfunction, undetected, and then do what these guys did. Why would you ever do that on a revenue flight?

    And lastly, after the Airbus software upgrade, even then it won't happen.

    I agree that complexity brings new risks (the 737-MAX is a perfect example of this) but it seems the Airbus engineers thought things out very, very carefully. The only FBW flight control failures I'm aware of resulting in loss-of-control were similarly phenomenal in nature and thus nearly impossible to predict or defend against.


    • #17
      Warning: This is a VERY complex scenario and will be Gabriellian in length. It may contain acronyms.
      I just wonder if it isn't rather Evanesque, or Evanescence. Before this topic really takes off, I like to bring back the reason why the threadstarter started this topic.

      On February 28th 2018, an Estonian Airbus A320, with domestic registration ES-SAN, was en route during training flights, seven souls on board (7), all crew. They were flying 'go around', 'approach', 'go around' and so on, all g.a.'s with at least the main gear on the ground.
      In German this is a Platzrunde, or quite a few of them. In English.. traffic patterns is the expression which I like most. If you ask the internet you can find translations which I've never heard on an airport..
      Tallinn International airport was the place which they used for training. A place which seems to be good not only for A320 training:
      EETN 08/26 11,417 ft/3480 m @ 131 AMSL.

      For the next go around the pilot tried to accelerate, but somehow he was not able to take all the thrust with him after he became airborne. So far so bad. That's where my knowledge about an Airbus A320 ends. Isn't it fascinating how really a lot of A320s stay in the air without damage although this flying computer sometimes seems to work against the active pilot?

      Could that be the reason why Randazzo only publishes aircraft which do not have an own idea of how a go around should work?

      The B744 and also the B748 almost seem to be beginner a/c compared to what I tried to understand here in #16.

      PS: I have an assumption why not only a lot of avatars have been erased, but also all signatures of people who always had a signature. Have there been people who exaggerated the signature option? But completely without signature, that feels so naked.
      LH and the Hamburg - Düsseldorf - Shannon - NYC route, open since June 1st, 1955. A/C type: Lockheed Super Constellation.
      EW, one of the dearest LH daughters, the brandnew November 19 schedule (frequency):
      DUS - VRA (--3-5-7), DUS - EWR (1234567), DUS - MIA (1-3-56-), DUS - BGI # 1152 (Mon and Thu with exceptions), ...

      Aviation enthusiast since more than 30 years. A whole decade here on this platform.


      • #18
        Secondly, that combination is not going to present itself on a revenue flight.
        Interesting and notable observation, because this wouldn't be the first Airbus to crash because the plane didn't do what was expected or input under non-revenue flight conditions.

        2) You could engage in a very late go-around (perhaps due to some runway incursion) with both ELAC's already in a faulted state (perhaps after being dispatched with a single ELAC and it failed during the flight), touch down hard to get the asymmetrical bounce, THEN land and THEN attempt to lift off again. That would be a fantastically bad day.
        I think most aircraft incidents involve fantastically bad days. They happen... not very often, but they do.

        I think you're missing the point. You can't predict how this or some similar vulnerability will exhibit itself. Arguably this already was a rare set of circumstances which allowed -- not for the first, or the last time -- the aircraft to ignore the pilots and do something seemingly incomprehensible. The odds of incomprehensible behaviour from a system like these planes (both Boeing and Airbus) increases with the amount of redundancy and intermediaries between the pilot and the plane. That is a pretty indisputable design principle.

        This is why I raised this incident on the other thread. Your posts there imply that redundancy can just be added and it will automatically make things better. There are tradeoffs for everything including "safety features". This will not be the last time that a safety feature caused a major risk to life.

        This is very very very similar to what is coming with AI in computers. The computers measure the world in very different ways than humans. Sometimes that is better, other times it is worse. The human pilot knows exactly whether the plane is landing or not. The computer needs to determine that from pressure on the landing gear. In this case, that pressure was not as expected and the computer decided to do nothing. The pilots knew they were landing, the computer was confused because the computer doesn't measure the world in context. It only looks at inputs.

        Same for the ELAC warnings. The computer did not know it was important for the pilots to realize the ELAC warning should have been better connected to the event instead of being suppressed in this case. It has no idea when the warning will be useful or not to the pilot. It is probably not a bad decision to suppress warnings during landing/takeoff, that are not essential, but the computer will blindly follow the rule because it has no sense of context whatsoever.

        These examples are the case with every single computer decision making system. The computer has no idea of context. The designers will create different contexts, and they will use proxy inputs to create those contexts. The more of that you have going on, the more likely you will end up with some rare -- but still likely to happen -- scenario like this.

        As an aside, it was a context issue that resulted in that Uber car running over the walking cyclist.


        • #19
          Originally posted by Schwartz
          The odds of incomprehensible behaviour from a system like these planes (both Boeing and Airbus) increases with the amount of redundancy and intermediaries between the pilot and the plane. That is a pretty indisputable design principle.
          I am disputing that 'principle'. Risk only increases when redundant systems are not very carefully engineered, whereas risk decreases with redundancy, so when the trade-off for increased risk due to complexity vs. decreased risk due to redundancy is overwhelmingly in favor of complexity and redundancy, as it was here, then we are doing the right thing.

          This is why I raised this incident on the other thread. Your posts there imply that redundancy can just be added and it will automatically make things better.
          I'm not implying that. I'm implying what I just wrote above. Carelessly designed redundancy, such as MCAS, is a separate issue and will always be detrimental.

          This is very very very similar to what is coming with AI in computers. The computers measure the world in very different ways than humans. Sometimes that is better, other times it is worse. The human pilot knows exactly whether the plane is landing or not. The computer needs to determine that from pressure on the landing gear. In this case, that pressure was not as expected and the computer decided to do nothing. The pilots knew they were landing, the computer was confused because the computer doesn't measure the world in context. It only looks at inputs.

          Same for the ELAC warnings. The computer did not know it was important for the pilots to realize the ELAC warning should have been better connected to the event instead of being suppressed in this case. It has no idea when the warning will be useful or not to the pilot. It is probably not a bad decision to suppress warnings during landing/takeoff, that are not essential, but the computer will blindly follow the rule because it has no sense of context whatsoever.

          These examples are the case with every single computer decision making system. The computer has no idea of context. The designers will create different contexts, and they will use proxy inputs to create those contexts. The more of that you have going on, the more likely you will end up with some rare -- but still likely to happen -- scenario like this.
          I don't think you understand the sequence of events that led to this incident. First of all, it could never have occurred without THE COMBINATION of shoddy, reckless maintenance and careless piloting following a non-standard company procedure. It required the wrong viscosity oil in the OVM, pilots repeatedly resetting ELAC faults over a five-hour period involving multiple touch-and-goes, an ELAC left inoperable (not reset) between flight cycles with no regard for MEL requirements and the failure to arm ground-spoilers prior to landing (and the deletion of this requirement from the standard Airbus procedure).

          Secondly, it required the SEC's to be in command of pitch during the takeoff roll, which, as I've pointed out, is never going to happen in legal revenue operations.

          And thirdly, it needs a prolonged 'bounce' large enough to create an asymmetry between the LGCIU's during the takeoff roll. Where is that going to come from?

          Fourthly, regarding context and alerts, the system is very aware of context, which is why the alerts are inhibited at that phase of flight. However the L/R ELEVATOR FAULT ECAM was not inhibited, nor was the accompanying master caution. Did that stop them?

          And fifthly, Airbus has since upgraded the software to eliminate even this very, very, very remote threat. These types of vulnerabilities only tend to reveal themselves when the aircraft is being used in non-standard operations in combination with pilot error or maintenance error or, as was the case here, both. We can only ask engineers to do the best they possibly can and that is what is being done here.

          You'll note that the fix here was to add more complexity, not to eliminate redundancy, because that was deemed the safer thing to do.


          • #20
            There are some trade-offs of course. This accident would have never ever ever ever ever happened in a 737 because the direct hydraulic elevator does whatever the pilot commands with the control column, no matter squat switches, flight control computers, etc.

            We do know that increased automation, redundancy and technology create new failure modes, ways to crash that didn't exist before. Including ways that were not even foreseen when those systems were created.
            But, if done right, the number of accidents of old failure modes that are AVOIDED by the new technology greatly exceeds the number that is CREATED by the new technology, thus constituting a positive progress in safety.

            That said, my perception is that sometimes these new systems are made more complex than actually needed. Why isn't the direct mode a DIRECT mode? I.e. a mode where the analog output of the sidestick is a direct analog input to the hydraulic actuator and there is no computer having any say on what to do or not to do or analyzing if the plane is on the ground, in the air or under the water, flying nicely, inverted or stalling?

            --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
            --- Defend what you say with arguments, not by imposing your credentials ---


            • #21
              Originally posted by Gabriel
              There are some trade-offs of course. This accident would have never ever ever ever ever happened in a 737 because the direct hydraulic elevator does whatever the pilot commands with the control column, no matter squat switches, flight control computers, etc.
              Yes, and how many people have died as a result of that? Look, this argument has been over for a long time. We're not going back to cables and bellcranks. It's computers baby. The trick now is to do it right. It will require systems that have the highest possible confidence in their situational 'awareness'. That REQUIRES at least triple redundancy.

              That said, my perception is that sometimes these new systems are made more complex than actually needed. Why isn't the direct mode a DIRECT mode? I.e. a mode where the analog output of the sidestick is a direct analog input to the hydraulic actuator and there is no computer having any say on what to do or not to do or analyzing if the plane is on the ground, in the air or under the water, flying nicely, inverted or stalling?
              The direct mode is a deflection of control surfaces proportional to stick input, just like a control column. That is essentially eliminating the computer 'interpretations'. But not the safeguards against things like runaways in a system with no physical feedback to otherwise alert you.

              The bottom line to this thread is that, if you want to break the airplane, you are going to break the airplane. Idiot proof is probably further off than AI. Airbus did a bang-up job of finding the discretionary middle ground. But if you want to survive airline stoogery on this level, you have to be discerning about who you fly with, unless of course Easyjet makes that impossible by sticking you on a random Smartlynx ACMI flight that may or may not have the proper viscosity oil in the proper places...


              • #22
                Originally posted by Evan

                Yes, and how many people have died as a result of that? Look, this argument has been over for a long time. We're not going back to cables and bellcranks. It's computers baby. The trick now is to do it right.
                Excuse me, have you read the 2nd and 3rd paragraph of my previous post? (i.e. exactly the 2 paragraphs that you did not quote)

                --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
                --- Defend what you say with arguments, not by imposing your credentials ---


                • #23
                  Originally posted by Gabriel
                  There are some trade-offs of course. This accident would have never ever ever ever ever happened in a 737 because the direct hydraulic elevator does whatever the pilot commands with the control column, no matter squat switches, flight control computers, etc.

                  We do know that increased automation, redundancy and technology create new failure modes, ways to crash that didn't exist before. Including ways that were not even foreseen when those systems were created.
                  But, if done right, the number of accidents of old failure modes that are AVOIDED by the new technology greatly exceeds the number that is CREATED by the new technology, thus constituting a positive progress in safety.

                  That said, my perception is that sometimes these new systems are made more complex than actually needed. Why isn't the direct mode a DIRECT mode? I.e. a mode where the analog output of the sidestick is a direct analog input to the hydraulic actuator and there is no computer having any say on what to do or not to do or analyzing if the plane is on the ground, in the air or under the water, flying nicely, inverted or stalling?
                  Are you talking about aeroplanies, or www.internet.com discussion fora?
                  The basic rules of aviation discourage long periods of hard pulling up.


                  • #24
                    Originally posted by Gabriel
                    We do know that increased automation, redundancy and technology create new failure modes, ways to crash that didn't exist before. Including ways that were not even foreseen when those systems were created.
                    Rarely but yes. However, these failure modes require stoogery that wasn't foreseen when those systems were created. So where does the real problem lie?

                    But, if done right, the number of accidents of old failure modes that are AVOIDED by the new technology greatly exceeds the number that is CREATED by the new technology, thus constituting a positive progress in safety.
                    That is quite the understatement. Can you list the accidents created by the new technology and not the blatant abuse of the new technology?


                    • #25
                      Originally posted by Evan
                      That is quite the understatement. Can you list the accidents created by the new technology and not the blatant abuse of the new technology?
                      That would be unfair unless we do the same filtering with the old technology. Unless you want to call it stoogery when it is the new technology but human factors when it is the old one.

                      --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
                      --- Defend what you say with arguments, not by imposing your credentials ---


                      • #26
                        Originally posted by 3WE

                        Are you talking about aeroplanies, or www.internet.com discussion fora?
                        Aeroplanies, but can be extended to technology in general.

                        --- Judge what is said by the merits of what is said, not by the credentials of who said it. ---
                        --- Defend what you say with arguments, not by imposing your credentials ---


                        • #27
                          Originally posted by Gabriel

                          That would be unfair unless we do the same filtering with the old technology. Unless you want to call it stoogery when it is the new technology but human factors when it is the old one.
                          Lexicon:

                          Human factors: Accidents attributed to the limits of human performance, involving such things as fatigue, panic, disorientation, mental bias, stress, etc.

                          Stoogery: Stupid, negligent, intentional behavior, such as blasting high-pressure jets of water at sensitive air-data probes, using any old lube lying around instead of referring to the manuals, repeatedly punching faulty ELAC's off and on while continuing to fly multiple cycles, pulling multiple FCC circuit breakers in flight because you saw someone do it on the ground and just generally being a person who should never be allowed near a commercial airliner.

                          Yes, there's some grey area there, but really, you know what I'm talking about. In 30 years of service, how many Airbus or Boeing FBW aircraft have experienced an accident caused by a flight control system failure that didn't require remarkable levels of unforeseeable stoogery?

                          The point is that FBW is waaaaaaaaaay safer than the old mechanical puppetry. The point is that complexity has made it safer. The argument that complexity adds risk as a principle is ignorant of the thorough engineering process that goes with it (unless, of course, your management puts safety on the back burner and gets in bed with the FAA). In those rare cases where a design weakness is revealed, it seems to always be revealed through blatant stoogery, and is thus not really the central problem (although such weaknesses should still be removed, as this one will be).
