Wednesday, March 27, 2019

How Did MCAS Get Here and What Hurdles Remain?

The Seattle Times reported that the development of MCAS was limited to features that would not jeopardize differences training, including any new warning light.
A single point of failure is an absolute no-no,” said one former Boeing engineer who worked on the MAX"
"Rick Ludtke, a former Boeing engineer who worked on designing the interfaces on the MAX’s flight deck, said managers mandated that any differences from the previous 737 had to be small enough that they wouldn’t trigger the need for pilots to undergo new simulator training."
"He said that if the group had built the MCAS in a way that would depend on two sensors, and would shut the system off if one fails, he thinks the company would have needed to install an alert in the cockpit to make the pilots aware that the safety system was off. And if that happens, Ludtke said, the pilots would potentially need training on the new alert and the underlying system. That could mean simulator time, which was off the table.
"Matt Menza, a former Boeing pilot who worked on the MAX, said that during flight testing of planes ready for delivery, he wasn’t aware of any events that indicated a problem with the stall warning or the MCAS system. But he said an ideal system would have been built on two angle-of-attack probes, so that a single bad value wouldn’t cause problems. Menza and two other pilots who have worked on the MAX said they were unaware that the system used only one AOA probe."
REVISED 27 March 10am - ADDED AC120-53B FSB discussion
Does any failure of MCAS result in an unsafe condition, if the pilot were not aware of the failure? 
I would say by evidence of JT610, yes.

Does the loss of MCAS constitute an unsafe condition? 
Only in the case where it is needed, an accelerated stall, flaps up. The combination of an event where MCAS is legitimately engaged is no more than 1/100,000 compared to all flights.

If MCAS is active in the left FCC, if MCAS is failed on that side, does MCAS switch to the right FCC (or vica-versa)?
Uncertain, but could very well be. This would allow fault-tolerance for any single detected fault. This may have been a factor in showing no need for a fault light.

Is MCAS mandatory to show compliance to flight characteristics?
Yes.

From what I can gather, Boeing is proposing to modify the MCAS to inhibit on AoA disagree, to reset only upon recovery as reflected in AoA, and to make the AoA Disagree Alert basic.

Boeing and their test pilots characterize the MCAS failure as simple to detect and to respond to.
"Still, Menza pointed out that handling uncommanded inputs from the MCAS would be the same as past procedures for any similar problems, with pilots able to easily flip cutout switches to regain manual control.
A properly trained pilot should be able to solve an MCAS anomaly or any uncommanded flight-control input through procedures that are taught to all 737 pilots,” said Menza, noting that the emergency information Boeing distributed in December reiterated those procedures.
Boeing has contended since the Lion Air crash that the pilots, even though they’d been told nothing about the MCAS, should still have realized that the nose was turning down because of uncommanded movement of the horizontal tail. A large wheel beside the pilot is connected to the tail and would have spun each time the horizontal tail moved. "
"Boeing told The Times Tuesday that the company’s internal analysis determined that a pilot would be able to counteract an erroneous command by using trim switches on the control column, or by following the standard checklist to use cutoff switches that would have turned off all automatic movement of the horizontal tail."
As discussed in earlier posts, in fact MCAS failure is hard to detect as it is a slowover, and Speed Trim System (STS) applies automatic trim routinely, masking MCAS motion. JT043 only related the situation to a stab trim runaway after an observing pilot suggested it. JT610 crew never figured it out. It is possible ET302 flight crew did not detect the failure in spite of specifically be briefed to look for it. The situation was compounded by the AoA trigger of Stall Warning. Boeing should not assume so readily how pilots will perform when MCAS fails, while the evidence is in stark contrast.

The failure of MCAS must be prevented. This is further exacerbated by removing the aft column cutout switch that would stall MCAS if the column were pulled back. The removal of the aft column cutout reduces the likelihood a pilot will stop a mistrim, particularly in a nose-over dive.  MCAS failure must be treated as a hazardous condition. A hazardous condition should ensure no single hardware failure can create a fault.  These issues are related to architecture and Failure Modes and Effects, not the intended function which is what Boeing is modifying.

The 737 is a single type rating; common type rating does not apply. The FAA’s Flight Standardization Board (FSB) formulates Master Differences Requirements (MDRs) to address differences between related aircraft. These MDRs are presented in tabular format in the appropriate FSB report.

“Common type rating” is a term used in FSB reports to describe a relationship between type ratings for aircraft with different TCs that have no greater than level D training differences, as described in AC 120-53B and also below, for example as applied to 757 and 767.

For example, here is the MDR for the 737 (prior to MAX)


The letters refer to levels for difference training/difference checking.

Aircraft with the same TC when evaluated for type rating determination are assigned the same type rating if training differences are no greater than level D.

Aircraft of the same make having different TCs, that have training differences no greater than level D, will be assigned different type ratings that may be considered in common with each other.

Aircraft of the same make that have level E training difference requirements will be assigned a different type rating.
(1) Level A Training. Level A training is that training between related aircraft that can adequately be addressed through self-instruction. Level A training represents a knowledge requirement that, once appropriate information is provided, understanding and compliance can be assumed. Level A compliance is achieved by such methods as issuance of operating manual page revisions, dissemination of operating bulletins, or differences handouts to describe minor differences in aircraft. Level A training is limited to the following situations:
(a) A change that introduces a different version of a system/component for which the pilot has already shown the ability to understand and use (e.g., an updated version of an engine).
(b) A change that results in minor or no procedural changes and does not adversely affect safety if the information is not reviewed or forgotten (e.g., a different vibration damping engine mount is installed, expect more vibration in descent; logo lights are installed, use
is optional).
(c) Information that highlights a difference, which is evident to the pilot, inherently obvious, and easily accommodated (e.g., different location of a communication radio panel,
a different exhaust gas temperature limit that is placarded, or changes to non-normal “read and do” procedures).
 
(2) Level B Training. Level B training applies to related aircraft with system or procedure differences that can adequately be addressed through aided instruction. At level B, aided instruction is appropriate to ensure pilot understanding, emphasize issues, provide a standardized method of presenting material, or aid retention of material following training. Level B aided instruction can utilize audiovisual presentations, computer-based tutorial instruction, or stand-up lectures. Situations not covered under level A training may require level B training (or higher levels) if certain tests described in later paragraphs fail. 
(3) Level C Training. Level C training applies to related aircraft having part task differences that affect knowledge, skills, and/or abilities. Level C training can only
be accomplished through use of devices that are capable of systems training. The training objectives focus on mastering individual systems, procedures, or tasks, as opposed to performing highly integrated flight operations and maneuvers in “real time.” Level C may require self-instruction or aided instruction, but cannot be adequately addressed by a knowledge requirement alone. Training devices are required to supplement instruction, ensure attainment or retention of pilot skills and abilities, and accomplish the more complex tasks, usually related to operation of particular aircraft systems. Typically, the minimum acceptable training method for level C training would be interactive computer-based training (CBT), cockpit procedure trainers, part task trainers (e.g., FMS or Traffic Alert Collision and Avoidance System (TCAS)), or a level 4 or 5 flight training device (FTD).
 
(4) Level D Training. Level D training applies to related aircraft having full task differences of knowledge, skills, and/or abilities. Level D training can only be accomplished with devices capable of performing flight maneuvers in a dynamic real-time environment. The devices enable integration of knowledge, skills, and abilities in a simulated flight environment, involving combinations of operationally oriented tasks and realistic task loading for each relevant phase of flight. Level D training requires mastery of interrelated skills that cannot be adequately addressed by separate acquisition of those skills. However, the differences are not so significant that a full transition training course is required. Training for level D differences requires a training device that has accurate, high-fidelity integration of systems and controls, and realistic instrument indications. Level D training may also require maneuvers, visual cues, motion cues, dynamics, control loading, or specific environmental conditions. Weather phenomenon such as low visibility, CAT III, or windshear may or may not be incorporated. Where simplified or generic characteristics of an aircraft type are used in devices to satisfy difference level D training, significant negative training must not occur
as a result of the simplification. Typically, the minimum acceptable training method for level D training would be FTD level 6.
 
(5) Level E Training. Level E training applies to aircraft having such significant full task differences that a high-fidelity environment is required to attain or maintain knowledge, skills, or abilities. Training at level E can only be satisfied by the use of a full flight simulator (FFS) qualified at level C or D consistent with FAA criteria. Level E training, if done in an aircraft, should be modified for safety reasons where maneuvers can result in a high degree of risk (e.g., an engine set at idle thrust to simulate an engine failure). As with other levels, when level E training is assigned, suitable credit or constraints may be applied for knowledge, skills, and/or abilities related to other pertinent related aircraft. Credits or constraints are specified for the subjects, procedures, or maneuvers shown in FSB reports and are applied through the ODR table.
NOTE: Training difference levels specified by the FSB represent minimum requirements. Operators may use a device associated with a higher difference level to satisfy a training difference requirement. For example, if level C differences are assessed due to installation of a different FMS, operators may train pilots using the FMS installed in a FFS as a system trainer if a dedicated part task FMS training device is not available.
 
Checking Difference Levels.
(1) Initial and Recurrent Checking. Differences and related aircraft differences checking addresses any pertinent pilot qualification requirements and any other checks specified by FSB reports. Initial and recurrent checking levels are the same unless otherwise specified by the FSB. In certain instances, it may be possible to satisfactorily accomplish recurrent checking objectives in devices that do not meet initial checking requirements. In such instances, the FSB may recommend certain devices that do not meet initial check requirements for use to administer recurring checks. The POI/Training Center Program Manager, in coordination with the FSB, may require checking in the initial level device when doubt exists regarding pilot competency or program adequacy.
 
(2) Level A Checking. Level A checking indicates that no check is required at the time of training. A pilot is responsible for knowledge of each related aircraft flown. Difference items should be included as an integral part of subsequent recurring proficiency checks. 
(3) Level B Checking. Level B checking indicates that a “task” or “systems” check
is required following training. Level B checking typically applies to particular tasks or systems such as FMS, TCAS, or other individual systems or related groups of systems.
 
(4) Level C Checking. Level C checking requires a device suitable for meeting level C (or higher) difference training requirements following training. The checking is conducted relative to particular maneuvers or systems determined by the FSB. An example of level C checking: evaluation of a sequence of maneuvers demonstrating a pilot’s ability to use a FGCS or FMS. An acceptable scenario would include each relevant phase of flight that uses the FGCS or FMS. 
(5) Level D Checking. Level D checking requires a check for one or more related aircraft following training. The check covers the particular maneuvers, systems, or devices determined by the FSB. Level D checks are performed using scenarios representing a real-time flight environment and devices permitted for level D difference training. A full proficiency check is typically conducted on the base aircraft, and a partial proficiency check on the related aircraft, covering all pertinent differences. 
(6) Level E Checking. Unless specified, level E checking requires that a full proficiency check be conducted in a level C or D FFS. As with other levels, when level E checking
is assigned, suitable credit or constraints may be applied for knowledge, skills, and/or abilities related to other pertinent related aircraft. Credits or constraints are specified for the subjects, procedures, or maneuvers shown in FSB reports and are applied through the ODR table.
 
NOTE: Assignment of level E checking requirements alone does not result in determining a separate type rating. Only the assignment of level E training requirements may result in a separate type rating determination.

The issues relating to MCAS differences would not likely rise to Level E training, more likely level B or level C. 
Operator Difference Requirements (ODR) 
(1) ODR Purpose. If differences exist within an operator’s fleet, which affect pilot knowledge, skills, or abilities pertinent to systems or procedures, ODR tables provide a uniform means for operators to comprehensively manage differences and related aircraft differences training programs and provide a basis for FAA approval of mixed fleet flying. 
(2) ODR Content. ODRs identify a base aircraft, describe differences between aircraft, and show an operator’s methods of compliance with FAA requirements. The FAA approves an operator’s initial ODR and each subsequent revision for the following: 
(a) Base Aircraft. ODRs identify an aircraft or group of aircraft within an operator’s fleet as a base aircraft. The base aircraft serves as a reference for comparison with other related aircraft to describe their differences. 
(b) Significance of Differences. Differences are described in summary form and are categorized by differences in design features and maneuvers. Differences are evaluated relative to their effect on either flight characteristics, pilot skills, and/or procedures. 
(c) Compliance Methods. ODRs show how each operator’s program addresses differences, through description of training and checking methods for each fleet. ODRs describe the specific or unique constraints or credits applicable, and any precautions necessary to address differences between aircraft. ODRs must comply with and may not be less restrictive than FAA MDRs and other FSB recommendations if they are part of the operator’s approved training program. Constraints or credits may be applied to all aircraft in a fleet or only to certain aircraft. Constraints or credits may address FSTDs, checking methods, knowledge, skills, procedures, maneuvers, or any other factors that apply to or are necessary for safe operations. Training and checking compliance methods are proposed and revised by each operator consistent with Differences Tables found in FSB reports
At the Paris Air Show in 2017, Boeing's 737 MAX chief pilot at the time, Ed Wilson, highlighted the similarities between the 737 MAX 9 and the previous series known as the Next Generation or NG. At the time, the video of the demonstration was posted by the aviation website FlightGlobal. "The airplane is configured to be very common with the NG," Wilson, who is now retired, said, "and so a pilot can walk into here and will find everything he can just like he can in the NG." "FAA-approved this for two-and-a-half hours of computer-based training for the transition between the two aircraft," Wilson continued. "All the overhead panel switches are the same. The only minor difference is, because of the change in the display, is to move some of the center console items here on the forward console."

The FSB report for the 737 MAX makes no mention of MCAS. It does note that the cutout switches have new nomenclature. Note that there is no evaluation for any 737 prior to the NG.




I have compiled a set of regulations excerpts from advisory circulars highlighting relevant terms in red. It is not apparent to me how MCAS will meet all these requirements with the changes Boeing has outlined. The regulators involved will have an opportunity to press on each of these. It seems possible that there could be additional requirements levied beyond what Boeing is proposing. Boeing surely is prepared to address each of these, knowing full well the criteria. The question is whether the regulators will agree.

Still no word from anyone on the source of AoA malfunction.

BTW, All Boeing airplanes other than the 737 use triple-channel systems (L-C-R) (747,757,767,777,787) with three independent sets of sensors. The 737-100/-200 only had one AoA vane.


REGULATIONS - ADVISORY CIRCULARS

14 CFR § 25.672 - Stability augmentation and automatic and power-operated systems

If the functioning of stability augmentation or other automatic or power-operated systems is necessary to show compliance with the flight characteristics requirements of this part, such systems must comply with § 25.671 and the following:

(a) A warning which is clearly distinguishable to the pilot under expected flight conditions without requiring his attention must be provided for any failure in the stability augmentation system or in any other automatic or power-operated system which could result in an unsafe condition if the pilot were not aware of the failure. Warning systems must not activate the control systems.

(b) The design of the stability augmentation system or of any other automatic or power-operated system must permit initial counteraction of failures of the type specified in § 25.671(c) without requiring exceptional pilot skill or strength, by either the deactivation of the system, or a failed portion thereof, or by overriding the failure by movement of the flight controls in the normal sense.

(c) It must be shown that after any single failure of the stability augmentation system or any other automatic or power-operated system -
(1) The airplane is safely controllable when the failure or malfunction occurs at any speed or altitude within the approved operating limitations that is critical for the type of failure being considered;
(2) The controllability and maneuverability requirements of this part are met within a practical operational flight envelope (for example, speed, altitude, normal acceleration, and airplane configurations) which is described in the Airplane Flight Manual; and
(3) The trim, stability, and stall characteristics are not impaired below a level needed to permit continued safe flight and landing.

14 CFR § 25.671 - General

(a) Each control and control system must operate with the ease, smoothness, and positiveness appropriate to its function.

(b) Each element of each flight control system must be designed, or distinctively and permanently marked, to minimize the probability of incorrect assembly that could result in the malfunctioning of the system.

(c) The airplane must be shown by analysis, tests, or both, to be capable of continued safe flight and landing after any of the following failures or jamming in the flight control system and surfaces (including trim, lift, drag, and feel systems), within the normal flight envelope, without requiring exceptional piloting skill or strength. Probable malfunctions must have only minor effects on control system operation and must be capable of being readily counteracted by the pilot.
(1) Any single failure, excluding jamming (for example, disconnection or failure of mechanical elements, or structural failure of hydraulic components, such as actuators, control spool housing, and valves).
(2) Any combination of failures not shown to be extremely improbable, excluding jamming (for example, dual electrical or hydraulic system failures, or any single failure in combination with any probable hydraulic or electrical failure).
(3) Any jam in a control position normally encountered during takeoff, climb, cruise, normal turns, descent, and landing unless the jam is shown to be extremely improbable, or can be alleviated. A runaway of a flight control to an adverse position and jam must be accounted for if such runaway and subsequent jamming is not extremely improbable.

(d) The airplane must be designed so that it is controllable if all engines fail. Compliance with this requirement may be shown by analysis where that method has been shown to be reliable.

14 CFR § 25.255 - Out-of-trim characteristics.

(a) From an initial condition with the airplane trimmed at cruise speeds up to VMO/MMO, the airplane must have satisfactory maneuvering stability and controllability with the degree of out-of-trim in both the airplane nose-up and nose-down directions, which results from the greater of -
(1) A three-second movement of the longitudinal trim system at its normal rate for the particular flight condition with no aerodynamic load (or an equivalent degree of trim for airplanes that do not have a power-operated trim system), except as limited by stops in the trim system, including those required by § 25.655(b) for adjustable stabilizers; or
(2) The maximum mistrim that can be sustained by the autopilot while maintaining level flight in the high speed cruising condition.

(b) In the out-of-trim condition specified in paragraph (a) of this section, when the normal acceleration is varied from + 1 g to the positive and negative values specified in paragraph (c) of this section -
(1) The stick force vs. g curve must have a positive slope at any speed up to and including VFC/MFC; and
(2) At speeds between VFC/MFC and VDF/MDF the direction of the primary longitudinal control force may not reverse.

(c) Except as provided in paragraphs (d) and (e) of this section, compliance with the provisions of paragraph (a) of this section must be demonstrated in flight over the acceleration range -
(1) −1 g to + 2.5 g; or
(2) 0 g to 2.0 g, and extrapolating by an acceptable method to −1 g and + 2.5 g.

(d) If the procedure set forth in paragraph (c)(2) of this section is used to demonstrate compliance and marginal conditions exist during flight test with regard to reversal of primary longitudinal control force, flight tests must be accomplished from the normal acceleration at which a marginal condition is found to exist to the applicable limit specified in paragraph (b)(1) of this section.

(e) During flight tests required by paragraph (a) of this section, the limit maneuvering load factors prescribed in §§ 25.333(b) and 25.337, and the maneuvering load factors associated with probable inadvertent excursions beyond the boundaries of the buffet onset envelopes determined under § 25.251(e), need not be exceeded. In addition, the entry speeds for flight test demonstrations at normal acceleration values less than 1 g must be limited to the extent necessary to accomplish a recovery without exceeding VDF/MDF.

(f) In the out-of-trim condition specified in paragraph (a) of this section, it must be possible from an overspeed condition at VDF/MDF to produce at least 1.5 g for recovery by applying not more than 125 pounds of longitudinal control force using either the primary longitudinal control alone or the primary longitudinal control and the longitudinal trim system. If the longitudinal trim is used to assist in producing the required load factor, it must be shown at VDF/MDF that the longitudinal trim can be actuated in the airplane nose-up direction with the primary surface loaded to correspond to the least of the following airplane nose-up control forces:
(1) The maximum control forces expected in service as specified in §§ 25.301 and 25.397.
(2) The control force required to produce 1.5 g.
(3) The control force corresponding to buffeting or other phenomena of such intensity that it is a strong deterrent to further application of primary longitudinal control force.

14 CFR § 25.203 - Stall Characteristics

(a) It must be possible to produce and to correct roll and yaw by unreversed use of the aileron and rudder controls, up to the time the airplane is stalled. No abnormal nose-up pitching may occur. The longitudinal control force must be positive up to and throughout the stall. In addition, it must be possible to promptly prevent stalling and to recover from a stall by normal use of the controls.

(b) For level wing stalls, the roll occurring between the stall and the completion of the recovery may not exceed approximately 20 degrees.

(c) For turning flight stalls, the action of the airplane after the stall may not be so violent or extreme as to make it difficult, with normal piloting skill, to effect a prompt recovery and to regain control of the airplane. The maximum bank angle that occurs during the recovery may not exceed -
(1) Approximately 60 degrees in the original direction of the turn, or 30 degrees in the opposite direction, for deceleration rates up to 1 knot per second; and
(2) Approximately 90 degrees in the original direction of the turn, or 60 degrees in the opposite direction, for deceleration rates in excess of 1 knot per second.

14 CFR § 25.207 Stall Warning

(f) Accelerated stall: The stall warning margin must be sufficient in both non-icing and icing conditions to allow the pilot to prevent stalling when the pilot starts a recovery maneuver not less than one second after the onset of stall warning in slow-down turns with at least 1.5 g load factor normal to the flight path and airspeed deceleration rates of at least 2 knots per second. When demonstrating compliance with this paragraph for icing conditions, the pilot must perform the recovery maneuver in the same way as for the airplane in non-icing conditions. Compliance with this requirement must be demonstrated in flight with -
(1) The flaps and landing gear in any normal position;
(2) The airplane trimmed for straight flight at a speed of 1.3 VSR; and
(3) The power or thrust necessary to maintain level flight at 1.3 VSR.

AC 25-7D

8.1.5.3.3 During the approach to the stall, the longitudinal control pull force should increase continuously as speed is reduced from the trimmed speed to the onset of stall warning. Below that speed some reduction in longitudinal control force is acceptable, provided it is not sudden or excessive.

8.1.7.1  describes the accelerated stall: Section 25.207(f) requires that, in slow-down turns with at least a 1.5 g load factor normal to the flight path and an airspeed deceleration rate greater than 2 knots per second, sufficient stall warning is provided to prevent stalling when the pilot takes recovery action not less than one second after recognition of stall warning. The purpose of the requirement is to ensure that adequate stall warning exists to prevent an inadvertent stall under the most demanding conditions that are likely to occur in normal flight. The elevated load factor will emphasize any adverse stall characteristics, such as wing drop or asymmetric wing flow breakdown, while also investigating Mach and potential aeroelastic effects on available lift.

The normal flight envelope works up to minspeed. The operational envelope is from minspeed to stall warning (Vsw). The Limit Flight Envelope is from stall warning to stall. Outside of the LFE if full stalled. MCAS should apply after stall warning and before stall (LFE).  The probability to enter the Limit Flight Envelope is considered 10E-5. AC 25-7D defines these aspects.





While AC 25.1329-1C  and 25.1329 are directed to autopilot, it gives some useful definitions. Slowover best describes and MCAS malfunction. Pilot reaction time, in the context of autopilot, is a matter of seconds.

Malfunction. A control or display element performs in an inappropriate manner, including the following subtypes:
(a) Hardover. The control or display goes to full displacement in a brief period of time. The resultant effect on the flightpath and occupants of the airplane and possible adverse structural effects are the primary concerns.
(b) Slowover. The control or display moves away from the correct control or display value over a relatively long period of time. The potential delay in recognizing the situation and the effect on the flightpath are the primary concerns.
(c) Oscillatory. The control or display is replaced or augmented by an oscillatory element. In addition to difficulty controlling the aircraft flightpath, there may be effects on structural integrity and occupant well-being.

“Slowover” effects. Typically, these are not readily detected by the flightcrew. The effect may involve departures from intended flightpath that are not initially detectable by aircraft motion alone and may be detectable only by motion cues when a significant flightpath deviation has occurred or by an appropriate flightcrew alert.

The following sets the stage for the progression from MCAS failure, the pilot recognition of the failure, the reacting to the situation and to taking the right action (cutout switch). The hazard is limited by the pilot backstop, only if the pilot takes the right action.

Assessment. The safety assessment described in Chapter 8 of this AC establishes the FGS failure condition for which appropriate testing should be undertaken. Assessment of failure conditions has the following elements:
(a) Failure condition insertion.
(b) Pilot recognition of the effects of the failure condition.
(c) Pilot reaction time. That is, the time between pilot recognition of the failure condition and initiation of the recovery.
(d) Pilot recovery.


Assessment of Human Factors

a. General. The evaluation, demonstration, and testing should assess the acceptability of the HMI with the FGS and the potential for flightcrew errors and confusion concerning the behavior and operation of the FGS, when used by a representative range of pilots.
The evaluation of normal and non-normal FGS operations should include the representative range of conditions in terms of crew mental or physical workload, required crew response timeliness, and potential for confusion or indecision. The set of test cases should represent operationally relevant scenarios and the assumptions about pilot training and skill level should be documented.

Hazardous failure conditions
The following effects have been assessed hazardous in previous airplane certification programs:
(1) Exceedance of an airspeed halfway between VMO (maximum operating limit speed) and VDF or a Mach number halfway between MMO (maximum operating limit Mach) and MDF.
(2) A stall, even if the flightcrew is able to recover safe flightpath control.
(3) A load factor less than zero.
(4) Bank angles of more than 60 degrees en route or more than 30 degrees below a
height of 1000 feet (304.8 meters above an applicable airport elevation).
(5) Degradation of the flying qualities of the airplane that excessively increases flight crew workload.
(6) Failure that could result in a rejected takeoff (RTO) and high speed overrun (for example, 60 knots).
(7) A flightpath deviation that requires a severe maneuver to prevent contact with obstacle, terrain, or other aircraft.
Note: Severe maneuver includes risk of serious injury or death of a small number of occupants.

Major failure conditions
The following effects have been assessed “major” in previous airplane certification programs:
(1) A flightpath deviation, including the required recovery maneuver, which may result in passenger injuries. Consideration should be given to phases of flight where the occupants may reasonably be moving about the airplane or be serving or consuming hot drinks.
(2) Degradation of the flying qualities of the airplane that significantly increase flight crew workload.

14 CFR § 25.1329 - Flight guidance system

(c) Engagement or switching of the flight guidance system, a mode, or a sensor may not cause a transient response of the airplane's flight path any greater than a minor transient, as defined in paragraph (n)(1) of this section.

(g) Under any condition of flight appropriate to its use, the flight guidance system may not produce hazardous loads on the airplane, nor create hazardous deviations in the flight path. This applies to both fault-free operation and in the event of a malfunction, and assumes that the pilot begins corrective action within a reasonable period of time.

(n) For purposes of this section, a transient is a disturbance in the control or flight path of the airplane that is not consistent with response to flightcrew inputs or environmental conditions.
(1) A minor transient would not significantly reduce safety margins and would involve flightcrew actions that are well within their capabilities. A minor transient may involve a slight increase in flightcrew workload or some physical discomfort to passengers or cabin crew.
(2) A significant transient may lead to a significant reduction in safety margins, an increase in flightcrew workload, discomfort to the flightcrew, or physical distress to the passengers or cabin crew, possibly including non-fatal injuries. Significant transients do not require, in order to remain within or recover to the normal flight envelope, any of th following:
(i) Exceptional piloting skill, alertness, or strength.
(ii) Forces applied by the pilot which are greater than those specified in § 25.143(c).
(iii) Accelerations or attitudes in the airplane that might result in further hazard to secured or non-secured occupants.

While Part 23 does not apply to air transport, AC 23-1309E offers some insights not found specifically in AC 25-1309A that seem to set the stage for what I would have expected when doing the hazard assessment for MCAS.



Stay tuned!



Peter Lemme

peter @ satcom.guru
Follow me on twitter: @Satcom_Guru
Copyright 2019 satcom.guru All Rights Reserved

Peter Lemme has been a leader in avionics engineering for 38 years. He offers independent consulting services largely focused on avionics and L, Ku, and Ka band satellite communications to aircraft. Peter chaired the SAE-ITC AEEC Ku/Ka-band satcom subcommittee for more than ten years, developing ARINC 791 and 792 characteristics, and continues as a member. He contributes to the Network Infrastructure and Interfaces (NIS) subcommittee developing Project Paper 848, standard for Media Independent Secure Offboard Network.

Peter was Boeing avionics supervisor for 767 and 747-400 data link recording, data link reporting, and satellite communications. He was an FAA designated engineering representative (DER) for ACARS, satellite communications, DFDAU, DFDR, ACMS and printers. Peter was lead engineer for Thrust Management System (757, 767, 747-400), also supervisor for satellite communications for 777, and was manager of terminal-area projects (GLS, MLS, enhanced vision).

An instrument-rated private pilot, single engine land and sea, Peter has enjoyed perspectives from both operating and designing airplanes. Hundreds of hours of flight test analysis and thousands of hours in simulators have given him an appreciation for the many aspects that drive aviation; whether tandem complexity, policy, human, or technical; and the difficulties and challenges to achieving success.

8 comments:

  1. Just want to say excellent work and thanks. Compelling with facts and published data. Definitely top of your game and my respect to you for sharing your knowledge with us. Wish the 737 Max manufacturer could do just 5% of your effort to the public.

    ReplyDelete
  2. In 2006 a Boeing 747 taking off from London Heathrow with over 400 people onboard had both stick shakers begin to operate as the aircraft started to rotate. Once in the air, the stick shakers continued to operate, and the pilot’s and F/O’s instruments showed a continuous disagreement in the IAS air speed. The pilots turned back to land at Heathrow, where maintenance engineers diagnosed the problem as an ADIRU problem and replaced the RHS ADIRU. When the piolots tried to take off again, the stick shakers began to operate in exactly the same way, so they aborted the takeoff and taxied to an airport parking area, where they shut down the plane. Data from the flight data recorder did not show anything unusual in any of the sensors or the electronics. The next day, while the engineers were conducting a simulated flight test on the ground by forcing air past the pitot sensors, it was found that the right hand stick shaker was activated even when the AoA vane remained in the horizontal position. The RHS AoA sensor was then replaced and the system was re-tested, showing that the problem was fixed. The aircraft was returned to service, but a ten days later several diagnostic messages started to appear indicating a different type of intermittent “AoA vane” failure on the RHS. When the RHS AoA sensor was replaced again, the problem was fixed again.
    The first failed sensor was returned to the manufacturer’s facility in Seattle Washington, where it failed during a test. The problem was found to be a loose main drive gear on the vane shaft that connected the vane shaft to two inductive-type resolvers and an oil-filled damper. The loose drive gear was caused by an improperly torqued set screw that allowed the vane to rotate freely 360° around the main shaft. This caused angle readings that were offset randomly from the zero position, which correlated with the continuous abnormal activation of the stick shakers. A counter-weight was also found to be loose and had a free play of about ±2° rotation.
    The second failed AoA sensor was tested at the facility of its different manufacturer in the UK. It also failed its test. The problem was found to be an “open spot” in the older potentiometer-type resolver, which could have been caused by a contaminant particle acting between the brush-type angle contactor and the continuous resistor coil. This “open spot” almost certainly accounted for the intermittent failures reported by the aircraft’s diagnostic messages.
    What this incident report shows is that a vane-type AoA sensor is more complicated than just a vane with a resolver on the same shaft. The additional gearing required between the vane and the resolver can be the cause of random offsets in either direction if a gear can slip on its supporting shaft. The offsets can remain constant until sufficient force is placed on the vane to cause the gear to slip on its shaft, which causes a new offset value in the sensor output. This failure mechanism may explain the 22° offset in the LHS AoA reading on the 737 MAX Lion Air JT610 flight of 29 October 2018, which caused the stick shaker to activate and remain activated for the entire flight. While this reported anomalous sensor behavior does not prove that the AoA sensor was at fault in the Lion Air incident, it does provide a working hypothesis that may be tested further.
    For further information, see AAIB Bulletin 8/2008, titled G-VHOT, EW/C2006/12/01, available at http://www.smartcockpit.com/docs/Boeing_B747-Stick_Shakers_Activation_On_Takeoff.pdf .

    ReplyDelete
  3. The above post was provided by Ron Belt.

    ReplyDelete
    Replies
    1. Ron, thank you for sharing this report, it is quite relevant. The first AoA vane had a "loose" shaft, allowing somewhat random errors from the Vane angle to the Resolver angle, effectively adding a bias to the output. This would be similar to what was observed on JT043/JT610. The vane removed prior to JT043 suffered a large error (signal out of range). We don't have any data from ET302. The issue I wonder, when the vane was replaced prior to JT043, I had understood that the vane angle to output readings are verified as part of the maintenance procedure. This would have revealed an internal error between Vane to Output. The level of offset was identical JT043 and JT610, so I would have to assume it would have been present when installed, if they checked.

      Delete
  4. Bjr Peter
    Maybe you could find somme additional info on AOA failure with that incident which occured in Feb 2018.

    https://www.bea.aero/fr/les-enquetes/les-evenements-notifies/detail/event/alarme-sonde-dincidence-defaillante-en-montee-initiale-demi-tour-1/

    ReplyDelete
  5. Ron Belt March 30, 2019
    Peter, you mentioned, “The level of offset was identical JT043 and JT610, so I would have to assume it would have been present when installed, if they checked.”
    In response, I believe it may be possible that the testing process used after the installation of the new AoA sensor prior to the JT043 flight may have been the cause of the 22.5° offset. My reasoning is as follows.
    It is known that the range of rotation of the Rosemount 0861FL AoA sensor on the B737NG and B737MAX aircraft is ±110°. (See photo and drawing below, which show the F/O’s RHS sensor. The captain’s LHS sensor is the same 0861FL sensor flipped over about the horizontal [-A-] axis in the drawing).

    However, the report quoted above implies that the vane of the AoA sensor has no such end stops, because it states that if the main gear on the vane shaft becomes loose, then the vane can be rotated completely around 360°. Therefore, the end stops limiting the range of rotation of the AoA sensor must be elsewhere inside the sensor housing. Now, a review of the specifications of many types of resolvers on the internet shows that all resolvers have limitations on the ±angles they can be rotated through. This implies that the resolvers have stops inside them to prevent them from being rotated beyond their maximum angles of rotation. This implies that the maximum angle of rotation of the AoA sensor vane is limited by the stops in the resolver, and not by any stops on the vane or the shaft on which the vane is installed. Therefore, if one applies too much force to the AoA sensor vane to pin it against one of the stops, it is possible that this force can cause a slipping of the main gear on the vane shaft, causing the vane to be offset from the resolver while the resolver continues to read the same value because it is up against the stop inside the resolver. Therefore, an offset can be created between the vane angle and the resolver output angle.
    Now, we know from the maintenance records for the aircraft of flights JT043 and JT610 that an installation test was done after replacing the AoA sensor before flight JT043 because the maintenance engineer noted on 27 October 2018 that: “For troubleshooting due to repetitive problem perform replaced the angle of attack sensor in accordance with Aircraft Maintenance Manual (AMM) Task 34-21-05-000-001 and task 34-21-05-400-801 carried out. Installation test and heater system test result good”.
    But the Aircraft Maintenance Manual actually specifies TWO types of reference checks that can be performed:
    A recommended test using a test fixture similar to the one shown below. (Notice that it uses the two tooling holes on the AoA sensor to register the correct angular position). A maintenance technician outside the aircraft sets the AoA sensor vane to the angles 0°, -10°, and 10°, respectively, and either the same technician, or perhaps a different technician, checks the output of the ADIRU to see if the same angles are provided to the SMYD display.

    In the absence of a test fixture, a quick check can be done by setting the AoA sensor vane to the angles 0°, -100°, and +100°, the latter of which are the end stops of the vane travel. The output of the ADIRU is again checked to see if the same angles are provided to the SMYD display.
    (Continued below)

    ReplyDelete
  6. Ron Belt March 30, 2019

    The first reference check cannot cause an offset in the vane-to-resolver output angle. However, the second reference check CAN cause an offset in the vane-to-resolver output angle if the technician setting vane angle applies too much force while setting the vane against the end stop. Specifically, if the last angle to be tested is +100°, then the AoA sensor output will be offset in the positive direction as observed in the JT043 and JT610 flights. This offset will not be observed during the test because the resolver output remains pinned at its +100° output value. Only if the last angle to be tested is different from the +100° end stop setting will an offset be observed in the AoA output during the test.

    One further observation. Several posters have commented that the captain’s LHS AoA sensor that had an offset of 22° on flights JT043 and JT610 appeared to have a higher random noise on it than the F/O’s RHS AoA sensor. This may be the result of defective fluidic damper inside the captain’s LHS AoA sensor. This may indicate that the replacement LHS AoA sensor installed on flights JT043 and JT610 was, in fact, a reworked AoA sensor, which may explain why investigators want to review the procedures at the AoA sensor rework facility in Florida as well as the AoA production facility in Minneapolis. And if the sensor was a reworked sensor, perhaps the gearing between the vane and the resolver was not torqued high enough to prevent offsets being induced by pressure of the vane against the end stops.

    ReplyDelete
  7. very interesting , good job and thanks for sharing such a good blog.Ellen Kwame Corkrum Liberia

    ReplyDelete