0:00:00.000,0:00:20.310
<i>36C3 preroll music</i>

0:00:20.310,0:00:25.860
Herald: In the following talk Mr. Bernd[br]Sieker will speak about the crashes and

0:00:25.860,0:00:33.930
what led to the crashes of the most recent[br]737 model. He is a flight safety

0:00:33.930,0:00:38.320
engineer and he also worked on[br]flight safety and he analyzed the plane

0:00:38.320,0:00:43.940
crashes for a lot of time and a long time.[br]And you have to keep in mind that this

0:00:43.940,0:00:49.620
737, although multiple models have been[br]built, can be flown. All models can be

0:00:49.620,0:00:55.950
flown with the same type rating since[br]1967, which is one of the many root causes

0:00:55.950,0:01:02.210
of the issues that led to the disaster[br]that killed 346 people. Let's listen to a

0:01:02.210,0:01:04.980
Bernd and he'll enlighten us, what else[br]went wrong?

0:01:04.980,0:01:13.700
<i>applause</i>

0:01:13.700,0:01:17.020
Bernd Sieker: Yes, thank you very much for[br]the introduction. I see they are not quite

0:01:17.020,0:01:22.021
as many people as with the Edward Snowden[br]talk, but I'm not disappointed. Aviation

0:01:22.021,0:01:25.420
safety has always been very important to[br]me and I've done a lot of work on it and I

0:01:25.420,0:01:30.900
am happy to share my passion with so many[br]of you. Thank you.

0:01:30.900,0:01:36.439
<i>applause</i>[br]So it's basically the outline of what I'm

0:01:36.439,0:01:42.540
going to talk about. It's the Boeing 737[br]Max or seven thirty seven as some may say.

0:01:42.540,0:01:47.439
I will briefly talk about the accidents,[br]what we knew at the beginning, what went

0:01:47.439,0:01:53.810
wrong and then what came to light. Later[br]on I will show our causal analysis method

0:01:53.810,0:02:00.280
that we use very shortly, very briefly and[br]the analysis and overview of the analysis

0:02:00.280,0:02:05.390
that I did of these accidents. Then talk[br]about the infamous MCAS system, the

0:02:05.390,0:02:11.230
Maneuvering Characteristics Augmentation[br]System, as it's called, by its full name.

0:02:11.230,0:02:15.480
Then I'll talk about certification, how[br]certain aircraft certification works in

0:02:15.480,0:02:18.870
the United States. It's very similar in[br]Europe, although there are some

0:02:18.870,0:02:22.650
differences. But I'm not going to talk[br]about European details in this talk. So

0:02:22.650,0:02:29.540
it's mostly about the FAA and aircraft[br]certification across the pond. Some other

0:02:29.540,0:02:38.670
things and an outlook, how it is going to[br]go on with the Boeing 737 Max. We

0:02:38.670,0:02:42.940
currently don't know exactly what's going[br]to happen, but we'll see. And if we have

0:02:42.940,0:02:51.069
time, they have a few bonus slides later[br]on. So the Boeing 737 Max - the star of

0:02:51.069,0:02:54.920
the show, as you may say, it's the fourth[br]iteration, as the Herald already

0:02:54.920,0:03:02.200
indicated, of the world's best selling[br]airliner. I think I looked it up just

0:03:02.200,0:03:07.799
recently. I think there are almost 15,000[br]orders that have been for the 737 of all

0:03:07.799,0:03:14.450
the series, the original, the classic, the[br]NG and now the Max. And the Max itself is

0:03:14.450,0:03:19.459
the fastest selling airliner of all time.[br]So within months, it had literally

0:03:19.459,0:03:24.950
thousands of orders. It has now almost[br]5,000 orders. The 737 Max, and all the

0:03:24.950,0:03:29.290
airlines in the world are waiting for the[br]grounding to be lifted so they can receive

0:03:29.290,0:03:40.019
and fly the aircraft. So the first[br]accident was last year. It was a Lion Air,

0:03:40.019,0:03:46.030
an Indonesian flag carrier. Actually, I[br]think the second or third largest Boeing

0:03:46.030,0:03:51.541
737 Max customer in the world with a[br]couple of hundred, 250 or something

0:03:51.541,0:04:01.969
aircraft and it crashed relatively shortly[br]after it entered service. And so we've heard

0:04:01.969,0:04:08.840
some strange things in the news and on the[br]forums that deal with aviation safety. It

0:04:08.840,0:04:15.549
seems that there had been uncommanded nose[br]down trim. So the tail plane is moved by

0:04:15.549,0:04:21.150
an electric motor and it forces the nose[br]of the aircraft down. The pilot can

0:04:21.150,0:04:27.670
counter that movement with some switches[br]on his control column. And apparently the

0:04:27.670,0:04:32.940
stick shaker was active during the flight[br]and there were difficulties in controlling

0:04:32.940,0:04:37.540
the aircraft. We didn't know at the time[br]exactly what it was. And then for the

0:04:37.540,0:04:46.220
first time, the abbreviation MCAS surfaced[br]and even 737 pilots, even 737 Max pilots,

0:04:46.220,0:04:50.880
at least some of them said they'd never[br]heard of it. It was a mystery. We later

0:04:50.880,0:04:55.230
found that actually in some documentation,[br]it was very briefly mentioned that such a

0:04:55.230,0:05:00.080
system existed, but not exactly why it was[br]there. And I guess Boeing knew and the

0:05:00.080,0:05:05.680
certification authorities, as it turned[br]out, sort of knew a bit of the story, but

0:05:05.680,0:05:11.440
not the whole story. But especially people[br]in the West, in the US and in other

0:05:11.440,0:05:19.230
countries said: Oh, these are just poorly[br]trained Third World pilots. And we expect

0:05:19.230,0:05:24.600
that. And they weren't completely wrong.[br]Lion Air has a particularly bad safety

0:05:24.600,0:05:29.030
record. And it wasn't unknown to aviation[br]safety investigators. There have been a

0:05:29.030,0:05:36.380
number of crashes with Lion Air. So in the[br]beginning, we thought, OK, maybe it's a

0:05:36.380,0:05:41.510
fluke, it's a one off or maybe it's caused[br]by poor maintenance or bad pilots or

0:05:41.510,0:05:47.940
whatever. So several people, on the other[br]hand, already began worrying because some

0:05:47.940,0:05:53.600
flight data recorder traces became public.[br]And there was some very strange things

0:05:53.600,0:05:59.830
which we will see shortly. And then only a[br]few months later, the second aircraft of

0:05:59.830,0:06:06.173
exactly the same type and the same[br]variant, Boeing 737 Max 8, also crashed.

0:06:06.173,0:06:11.560
And you can see maybe on the picture on[br]the left, it left a rather big crater. It

0:06:11.560,0:06:17.930
really dove into the earth quite fast. It[br]turned out, I think, about between seven

0:06:17.930,0:06:25.000
and eight hundred kilometers per hour. So,[br]so really fast and not much left. Not much

0:06:25.000,0:06:30.630
was left. I think the biggest parts were[br]about this size, I guess. So all small

0:06:30.630,0:06:38.540
pieces of debris and the engine cores,[br]which are a bit bigger. And from that as

0:06:38.540,0:06:45.520
well, flight data recorder traces became[br]public. The recorders had survived at

0:06:45.520,0:06:51.740
least the memory in them and were[br]readable. So we finally found out

0:06:51.740,0:06:57.780
something and found some similarities,[br]some rather disturbing similarities. We

0:06:57.780,0:07:03.210
come to that in a moment, but I'll talk a[br]little bit about the Boeing 737 family in

0:07:03.210,0:07:08.340
general. So there were four, as I said,[br]models. That was the original, which had

0:07:08.340,0:07:14.050
narrow engines under the wings. Not a lot[br]of room between the ground and the

0:07:14.050,0:07:20.370
engines, but it looked quite normal. You[br]could say it was one of the first short-

0:07:20.370,0:07:27.020
haul airliners with under slung engines,[br]under the wings and then new high bypassed

0:07:27.020,0:07:31.240
turbo fire engines entered the market,[br]which were much more fuel efficient. We're

0:07:31.240,0:07:36.360
talking about maybe some 15 to 20 percent[br]lower fuel consumption. So it was a big

0:07:36.360,0:07:42.610
deal. And the Boeing 737 was reengined and[br]became known as the classic, bigger

0:07:42.610,0:07:47.051
engines, but still mostly analog[br]mechanical instruments. And it was

0:07:47.051,0:07:51.930
basically the same as the original,[br]instead that it had some bigger engines

0:07:51.930,0:07:55.540
and they had to shape the cowling a little[br]differently to accommodate the bigger

0:07:55.540,0:08:02.890
engines. But more or less, it worked for a[br]while. And then as airlines demanded more

0:08:02.890,0:08:08.340
modern avionics, so the cockpit[br]electronics in aircraft, the next

0:08:08.340,0:08:14.620
generation was conceived. It also got a[br]new wing, new winglets, which again saved

0:08:14.620,0:08:19.590
a lot of fuel. It had basically the same[br]engines, except that the engines now were

0:08:19.590,0:08:24.820
also computer controlled by what we call[br]FADEC full authority, digital engine

0:08:24.820,0:08:31.310
control. And Boeing said, well, that's[br]probably going to be the last one. And in

0:08:31.310,0:08:36.149
the next few years, we are going to[br]develop an all new, short and medium haul

0:08:36.149,0:08:43.120
single aisle aircraft which will be all[br]new and super efficient and super cheap to

0:08:43.120,0:08:49.830
operate - all the promises that[br]manufacturers always make. In the

0:08:49.830,0:08:56.410
meantime, Airbus was becoming a major[br]player with the A320. It was overall a

0:08:56.410,0:09:00.470
much more modern aircraft. It had digital[br]fly by wire. It always had digitally

0:09:00.470,0:09:04.940
controlled engines. It had much higher[br]ground clearance. So it was no problem to

0:09:04.940,0:09:10.440
accommodate the larger engines in the[br]A320. And Airbus then announced that it

0:09:10.440,0:09:14.990
was going to reengine the A320. And for[br]the A320, that was the first time it got

0:09:14.990,0:09:19.830
new engines. It for a long time it had you[br]had the choice of two types of engines for

0:09:19.830,0:09:25.410
the A320 And then they said, we're going[br]to install these new super efficient

0:09:25.410,0:09:32.029
engines, which brought with it another[br]optimization of fuel consumption. That was

0:09:32.029,0:09:37.529
another 15 percent fuel saved per mile[br]traveled something on the order of that.

0:09:37.529,0:09:42.910
So it was a huge improvement again. And[br]many Airbus customers immediately ordered

0:09:42.910,0:09:49.050
the so-called A320neo and some Boeing[br]customers also thought, well, this one is

0:09:49.050,0:09:55.670
going to consume so much less fuel that we[br]might consider switching to Airbus, even

0:09:55.670,0:09:59.810
though it's a major hassle if you[br]have fleet entirely consisting of Boeing

0:09:59.810,0:10:03.830
aircraft, if you then switch to Airbus,[br]it's a huge hassle and nobody really wants

0:10:03.830,0:10:08.310
that unless they're really forced to. But[br]the promised fuel savings were so big that

0:10:08.310,0:10:13.079
companies actually considered this and[br]lots of them. And so Boeing said we need

0:10:13.079,0:10:20.830
something very quickly, preferably within[br]two years I think. For airline

0:10:20.830,0:10:26.839
development, that's very, very, very, very[br]quickly. And they said, well, scrap all

0:10:26.839,0:10:33.550
the plans about the new small airliner.[br]We're going to change the 737 again. And

0:10:33.550,0:10:38.800
now the new engines, were going to be[br]bigger, again. And so actually, there was

0:10:38.800,0:10:45.339
no ground clearance to move them in the[br]same way as on the on the NG. So there to

0:10:45.339,0:10:50.339
modify the landing gear, to mount the[br]engines even further forward and higher.

0:10:50.339,0:10:55.410
And the engines were bigger. But the[br]engines were, on the whole, they were very

0:10:55.410,0:10:58.731
good new development. The same type of[br]engines that you could get for the new

0:10:58.731,0:11:08.480
Airbus - CFM international. And so[br]we decided to make the Boeing 737 4th

0:11:08.480,0:11:17.819
generation and call it "the Max".So when[br]we analyze accidents, we use a causal

0:11:17.819,0:11:22.199
analysis method called Why-Because[br]analysis. And we have some counterfactual

0:11:22.199,0:11:26.709
tests which determines if something is a[br]cause of something else. We call it a

0:11:26.709,0:11:32.839
necessary causal factor. And it's very[br]simple. A is a causal factor of B, if you

0:11:32.839,0:11:36.990
can say had A not happened, then B would[br]not have happened either. So, I mean, you

0:11:36.990,0:11:41.279
need to show for everything that there is[br]a causal relationship and that all the

0:11:41.279,0:11:48.449
factors that you have found actually[br]sufficient to cause the other event. So

0:11:48.449,0:11:51.819
you can probably not read everything of[br]it, but it's not really important. This is

0:11:51.819,0:11:57.960
a simplified graph and I will show the[br]relevant details later.And this is the

0:11:57.960,0:12:02.879
analysis that I made of these accidents.[br]And you can see it's not a simple tree; as

0:12:02.879,0:12:06.589
computer scientists, many of you are[br]familiar with trees and this is just a

0:12:06.589,0:12:15.110
directed graph and it can have branches[br]and so on. And so some things are causal

0:12:15.110,0:12:19.519
influence, causal effect of several[br]different things. So some of the factors

0:12:19.519,0:12:24.130
actually have an influence on multiple[br]levels. For example, the airspeed

0:12:24.130,0:12:29.819
influences the control forces and it also[br]influences the time the crew had to

0:12:29.819,0:12:36.910
recover the aircraft before impact with[br]the ground. So these are some of the

0:12:36.910,0:12:42.829
things that I will look at in a bit more[br]detail. So here is one of them:

0:12:42.829,0:12:47.249
Uncommanded nose down trim. So what[br]happened apparently on these accident

0:12:47.249,0:12:54.279
flights was that you can see it in the[br]flight data recorder traces. I don't know.

0:12:54.279,0:13:00.339
Can you see the mouse pointer? Here,[br]that's the blue line. And that is labeled

0:13:00.339,0:13:06.029
trim manual. And there's the orange line[br]that is labeled Trim Automatic. And if

0:13:06.029,0:13:14.240
they have, do displacement to the bottom,[br]that means that the aircraft is being

0:13:14.240,0:13:20.059
trimmed nose down, which means in order to[br]continue to fly level, you have to pull

0:13:20.059,0:13:25.309
the control column with more force towards[br]you. And what you can see is in the

0:13:25.309,0:13:28.600
beginning, there are a few trim, trim[br]movements. And on this type, they are

0:13:28.600,0:13:33.519
expected it has an automatic trim system[br]for some phases of flight which trims the

0:13:33.519,0:13:41.110
aircraft to keep it flying stable. And[br]then after a while, it started doing many

0:13:41.110,0:13:47.009
automatic nose down trim movements. Each[br]of these lasts almost 10 seconds and there

0:13:47.009,0:13:52.339
is a pause between them. And in every[br]case, the pilots counter the nose down

0:13:52.339,0:13:56.649
trim movement with the nose up trim[br]movement on the control yoke. There are

0:13:56.649,0:14:02.720
switches that you operate with your thumb[br]and you can trim the aircraft that way and

0:14:02.720,0:14:07.300
change the control forces and cause the[br]aircraft nose to go up or down. So for a

0:14:07.300,0:14:11.160
very long time, this went on: The computer[br]trimmed the aircraft nose down, the pilots

0:14:11.160,0:14:18.779
trimmed the aircraft nose up, and so on.[br]Until at the very end, you can see that

0:14:18.779,0:14:23.309
the trim, the nose up trim movements that[br]the pilots made, become shorter and

0:14:23.309,0:14:29.389
shorter. And this line here, it says pitch[br]trim position. That is the resulting

0:14:29.389,0:14:34.309
position of the trim control surface,[br]which is the entire horizontal stabilizer

0:14:34.309,0:14:39.490
on the aircraft. And it moves down and it[br]doesn't really go up anymore because the

0:14:39.490,0:14:44.009
pilot inputs become very short. And that[br]means the control forces to keep the

0:14:44.009,0:14:48.459
aircraft flying level become extremely[br]high. And in the end, it became

0:14:48.459,0:14:55.199
uncontrollable and crashed, as you can see[br]here. So the pilots, for various reasons,

0:14:55.199,0:14:59.759
which I will highlight later, the pilots[br]were unable to trim the aircraft manually

0:14:59.759,0:15:05.999
and the nose down trim persisted and the[br]aircraft crashed. And this is only the

0:15:05.999,0:15:10.660
graph of one of the accidents. But the[br]other one is very similar. And so that's

0:15:10.660,0:15:15.990
what we see. There is a known system,[br]which was already known before on the

0:15:15.990,0:15:21.350
Boeing 737. I think it's available on[br]all the old versions as well, which is

0:15:21.350,0:15:25.110
called the speed trim system, which in[br]some circumstances trims the aircraft

0:15:25.110,0:15:32.930
automatically. But the inputs that we see,[br]the automatic trim inputs don't really fit

0:15:32.930,0:15:41.740
the so-called speed trim system. And so[br]for the first time, we hear the word MCAS.

0:15:41.740,0:15:47.019
And we'll talk a bit more about what made[br]the Boeing 737 different from all the

0:15:47.019,0:15:52.410
previous models. And that is the bigger[br]engines. As I said, the engines were much

0:15:52.410,0:15:57.910
bigger. And to achieve the necessary[br]ground clearance, they had to be

0:15:57.910,0:16:03.209
mounted further forward. And there are[br]also a lot bigger, which means at high

0:16:03.209,0:16:06.869
angles of attack, when the aircraft is[br]flying against the stream of the oncoming

0:16:06.869,0:16:13.080
air at a higher angle, these engine cells[br]produce additional lift in front of the

0:16:13.080,0:16:18.709
center of gravity, which creates a pitch[br]up moment. And the certification criteria

0:16:18.709,0:16:25.990
are quite strict in that and say [br]exactly what the forces on the

0:16:25.990,0:16:34.130
flight controls must be to be certified.[br]And due to the bigger engines, there was

0:16:34.130,0:16:41.149
some phases or some angles of attack at[br]which these certification criteria were no

0:16:41.149,0:16:46.630
longer met. And so it was decided to[br]introduce a small piece of software which

0:16:46.630,0:16:51.999
would just introduce a small trim movement[br]to bring it in line with certification

0:16:51.999,0:16:59.319
criteria again. And one of the reasons[br]this was done was probably so the aircraft

0:16:59.319,0:17:04.390
could retain the same type certificate as[br]was mentioned in the introduction. So

0:17:04.390,0:17:10.350
pilots can change within one airline,[br]between the aircraft, between the 737 NG

0:17:10.350,0:17:15.130
and the 737 Max. They have the same type[br]certificate. There's a very brief

0:17:15.130,0:17:18.720
differences training, but they can switch[br]even in line operations between the

0:17:18.720,0:17:27.950
aircraft from day to day. And another[br]reason. No other changes were made. Boeing

0:17:27.950,0:17:32.950
could, for example, have made a longer[br]main landing gear to create additional

0:17:32.950,0:17:38.070
ground clearance to move the engines in a[br]more traditional position, that would have

0:17:38.070,0:17:44.210
probably made it more aerodynamically in[br]line with certification criteria. I

0:17:44.210,0:17:49.500
hesitate to say the word "to make it more[br]stable" because even as it is, the Boeing

0:17:49.500,0:17:56.640
737 Max is not inherently aerodynamically[br]unstable. If all these electronic gimmicks

0:17:56.640,0:18:01.390
fail, it will just fly like an airplane[br]and it is probably in the normal flight

0:18:01.390,0:18:09.420
envelope easily controllable. But to make[br]big mechanical changes would have delayed

0:18:09.420,0:18:14.060
the project a lot and would have required[br]recertification and what instead could be

0:18:14.060,0:18:18.970
done with the airframe essentially the[br]same. The certification could be what is

0:18:18.970,0:18:26.060
known as grandfathered: so it doesn't need[br]to fulfill all the current criteria of

0:18:26.060,0:18:31.830
certification, because the aircraft has[br]been certified and has been proven in

0:18:31.830,0:18:36.700
service. And so only some of the[br]modifications need to be recertified,

0:18:36.700,0:18:45.090
which is much easier and much cheaper and[br]much quicker. So this is one of the

0:18:45.090,0:18:50.240
certification criteria that must be[br]fulfilled. It's even though I have removed

0:18:50.240,0:18:54.530
some of the additional stuff that doesn't[br]really add anything useful, it's still

0:18:54.530,0:19:00.200
rather complicated. It's a procedure that[br]you have to do where you slow down one

0:19:00.200,0:19:04.550
knot per second. And the stick forces need[br]to increase with every knot of speed that

0:19:04.550,0:19:10.250
you lose and things like that. And it says[br]it this stick force versus speed curve may

0:19:10.250,0:19:16.510
not be less than one pound for each six[br]knots. And it's quite interesting, if you

0:19:16.510,0:19:21.810
look at the European certification[br]criteria, is that they took this exact

0:19:21.810,0:19:28.680
paragraph and just translated the US units[br]into metric units, but really calculated

0:19:28.680,0:19:33.730
the new value. So the European[br]certification have now very strange values

0:19:33.730,0:19:41.590
like, I don't know, 11.79 kilometers per[br]hour, per second or something like that.

0:19:41.590,0:19:45.120
It's really strange. So you can see where[br]it comes from. But they said we can't have

0:19:45.120,0:19:49.910
knots even though the entire world except[br]Russia and China basically flies in knots,

0:19:49.910,0:19:56.060
even Western Europe. But the criteria in[br]the certification specification need to be

0:19:56.060,0:20:02.270
in kilometers per hour. Well, I would have[br]thought that you would even - if you do

0:20:02.270,0:20:06.610
the conversion, you would use meters per[br]second, but it used kilometers per hour

0:20:06.610,0:20:14.130
for whatever reason. So due to the[br]aerodynamic changes that were made, the

0:20:14.130,0:20:19.760
Max did not quite fulfill the criteria to[br]the letter. So something had to be done.

0:20:19.760,0:20:24.080
And as I said, mechanical redesign was out[br]of the question because it would have

0:20:24.080,0:20:28.450
taken too long, would have been too[br]expensive, and maybe would have broken the

0:20:28.450,0:20:33.910
type certificate commonality. So they[br]introduced just this little additional

0:20:33.910,0:20:40.180
software in a computer that also existed[br]already. And so it measures angle of

0:20:40.180,0:20:44.891
attack, it measures airspeed and a few[br]other parameters, flap configuration, for

0:20:44.891,0:20:52.060
example, and then it applies nose down[br]pitch trim as it sees fit. But it has a

0:20:52.060,0:20:57.150
rather interesting design from a software[br]engineering point of view. Can you read

0:20:57.150,0:21:04.030
that? Is that... They are flight control[br]computers. And one part of this flight

0:21:04.030,0:21:09.160
control computer, one additional piece of[br]software, is called the MCAS, the

0:21:09.160,0:21:12.870
Maneuvering Characteristics Augmentation[br]System. And the flight control computer

0:21:12.870,0:21:17.010
actually gets input from both angle of[br]attack sensors. It has two, one on each

0:21:17.010,0:21:25.300
side for redundancy, but the MCAS[br]algorithm only uses one of them, at least

0:21:25.300,0:21:29.120
in the old version. In the new version, it[br]will probably use both if it ever gets

0:21:29.120,0:21:36.230
recertificated. And then if that angle of[br]attack sensor senses a value that is too

0:21:36.230,0:21:42.950
high, then it introduces nose down trim[br]and it may switch between flights between

0:21:42.950,0:21:46.990
the left and the right sensor. But at any[br]given time for any given flight, it only

0:21:46.990,0:21:55.270
ever uses one. So what could possibly go[br]wrong here? Here we can see what went

0:21:55.270,0:22:01.830
wrong. It's the same graph as before, and[br]I may direct your attention to this red

0:22:01.830,0:22:06.710
line that says angle of attack indicated[br]left and the green line which says angle

0:22:06.710,0:22:12.030
of attack indicated right. So that is the[br]data that the computer got from the angle

0:22:12.030,0:22:17.870
of attack sensors. Both are recorded in[br]the data recorder, but only one is

0:22:17.870,0:22:24.130
evaluated by the MCAS. And you can see[br]here's the scale on the right. You can see

0:22:24.130,0:22:30.480
that one is indicating relatively normally[br]around zero, a bit above zero, which is to

0:22:30.480,0:22:37.940
be expected during takeoff and climb. And[br]the red value is about 20 degrees higher.

0:22:37.940,0:22:42.980
And of course, that is above the threshold[br]at which the MCAS activates. So it

0:22:42.980,0:22:46.910
activates. Right. And apparently in the[br]old version of the software, there were no

0:22:46.910,0:22:54.630
sanity checks, no cross checks with other[br]air data values like airspeed and altitude

0:22:54.630,0:22:59.580
or other things. And it would be[br]relatively easy to do. Not quite trivial.

0:22:59.580,0:23:04.460
You have to get it right in these kinds of[br]things which influence flight controls,

0:23:04.460,0:23:14.110
but nothing too fancy. But apparently that[br]was also not done. So the MCAS became

0:23:14.110,0:23:21.070
active. So how could it happen? And it's[br]still to me, a bit of a mystery how it

0:23:21.070,0:23:27.720
could actually get so far that it could be[br]certified with this kind of system. And

0:23:27.720,0:23:33.650
the severity of each failure, the possible[br]consequences have to be evaluated. And the

0:23:33.650,0:23:39.990
certification criteria specify five[br]severities: catastrophic, hazardous,

0:23:39.990,0:23:45.390
major, minor and no safety effect, and[br]that doesn't have to be analyzed any

0:23:45.390,0:23:50.540
further, but for catastrophic failures,[br]you have to do a very, very complex risk

0:23:50.540,0:23:57.140
assessment and see what you can do and[br]what needs to be done to bring it in line,

0:23:57.140,0:24:02.970
to make it either mitigate the[br]consequences or make it so extremely

0:24:02.970,0:24:10.440
improbable that it is not going to happen.[br]So here are the probabilities with which

0:24:10.440,0:24:15.810
the certification criteria deal and its[br]different orders of magnitude. There are

0:24:15.810,0:24:20.440
usually two orders of magnitude between[br]them. It's from a probability of 1 times

0:24:20.440,0:24:27.810
10 to the minus 5 per hour to 1 times 10[br]to the minus 9 for operating hour. And

0:24:27.810,0:24:32.580
this is the risk matrix. Many of you are[br]probably familiar with those. And it

0:24:32.580,0:24:39.130
basically says if something is major, then[br]it may not happen with a probability of

0:24:39.130,0:24:44.290
probable. And if its catastrophic the only[br]probability that is allowed for that is

0:24:44.290,0:24:51.781
extremely improbable. Which is less than[br]once in a billion flight hours. Right. And

0:24:51.781,0:24:57.060
to put that into perspective, the fleets[br]with the most flight hours to date, I

0:24:57.060,0:25:01.950
think, are in the low hundreds of millions[br]of flight hours combined. So we're still

0:25:01.950,0:25:06.850
even for the 737 or the A320. We're still[br]quite far away from a billion flight

0:25:06.850,0:25:16.510
hours. So you might have expected perhaps[br]one of these events because statistical

0:25:16.510,0:25:23.950
distribution being what it is, the one[br]event might happen, of course, and but

0:25:23.950,0:25:32.470
certainly not two in less than two years.[br]And quite obviously, the severity of these

0:25:32.470,0:25:40.090
failures was catastrophic. I think there's[br]no - there's no discussion about that. And

0:25:40.090,0:25:43.610
here's the relevant part, actually,[br]about flight controls and the

0:25:43.610,0:25:48.040
certification criteria, which was clearly[br]violated. It says the airplane must be

0:25:48.040,0:25:53.910
shown to be capable of continued safe[br]flight for any single failure. Without

0:25:53.910,0:25:59.400
further qualification, any single system[br]that can break must not make the plane

0:25:59.400,0:26:05.840
unflyable or any combination of failures[br]not shown to be extremely improbable - and

0:26:05.840,0:26:12.040
extremely improbable is these 10 to the[br]minus 9 per hour. And this hazard

0:26:12.040,0:26:16.830
assessment must be performed for all[br]systems, of course, and severity must be

0:26:16.830,0:26:27.540
assigned to all these. And the unintended[br]MCAS activation was classified as major.

0:26:27.540,0:26:32.810
And let's briefly look at that. What's[br]major? Reduction in capability, maybe some

0:26:32.810,0:26:38.300
injuries, major damage. So nothing you can[br]just shrug off, but certainly not an

0:26:38.300,0:26:48.070
accident with hundreds of dead. So and[br]therefore, there are some regulations

0:26:48.070,0:26:56.270
which say which kinds of specific analysis[br]you have to do for the various categories.

0:26:56.270,0:27:02.650
And for major no big failure modes and[br]effects analysis FMEA, was required. And

0:27:02.650,0:27:07.400
these are all findings from the Indonesian[br]investigation board. And they're all in

0:27:07.400,0:27:11.700
the report that is publicly downloadable.[br]In the final version of the slides, I'll

0:27:11.700,0:27:16.720
probably put some of the sources and links[br]in there so you can read it for

0:27:16.720,0:27:23.650
yourselves. It's quite eye opening. So[br]only a very small failure in failure

0:27:23.650,0:27:30.370
analysis was made, comparatively small. It[br]probably took a few man hours, but not as

0:27:30.370,0:27:36.530
extensive as it should have been for the[br]event had it been correctly classified as

0:27:36.530,0:27:44.240
catastrophic. And some of these things[br]that could happen were not at all

0:27:44.240,0:27:50.400
considered, such as large stabilizer[br]deflection. So continued trim movement in

0:27:50.400,0:27:55.211
the same direction or a repeated[br]activation of the MCAS system, because

0:27:55.211,0:28:05.640
apparently the only design of the MCAS[br]system that the FAA saw was limited to a

0:28:05.640,0:28:11.600
0.6 degree deflection at high speeds and[br]to one single activation only. And that

0:28:11.600,0:28:18.290
was changed. And it is still unclear how[br]that could happen. It was changed to

0:28:18.290,0:28:22.730
multiple activations, even at high speed.[br]And each activation could move the

0:28:22.730,0:28:27.820
stabilizer as much as almost 2.5 degrees.[br]And there was no limit to how often it

0:28:27.820,0:28:35.310
could activate. And what was also not[br]considered was the effect of the flight

0:28:35.310,0:28:41.080
characteristics caused by large movements[br]of the stabilizer or movement of the

0:28:41.080,0:28:47.280
stabilizer to the limit of the MCAS[br]authority. The MCAS doesn't have authority

0:28:47.280,0:28:52.690
to move the stabilizer all the way to the[br]mechanical stop, but only a bit short of

0:28:52.690,0:28:57.520
that, much more than the manual electric[br]trim is capable of trimming the airplane

0:28:57.520,0:29:03.190
on the aircraft. You can always trim back[br]with a manual electric trim switches on

0:29:03.190,0:29:09.350
the yoke, but you cannot trim it nose down[br]as far as MCAS can. So that's quite

0:29:09.350,0:29:15.300
interesting. That was not considered. What[br]was also not considered, at least it

0:29:15.300,0:29:21.130
wasn't in the report apparently that the[br]Indonesian agency had seen, was that

0:29:21.130,0:29:26.401
flight crew workload increases[br]dramatically if you have to pull on the

0:29:26.401,0:29:34.390
yoke continuously with about, let's say, a[br]force equivalent of 40 kilograms of 50

0:29:34.390,0:29:37.810
kilograms continuously, otherwise if you[br]let go, you're going to go into a very

0:29:37.810,0:29:43.380
steep nosedive. And at that short, it is[br]at a low altitude that they were they

0:29:43.380,0:29:50.420
would not have been able to recover the[br]aircraft. And in fact, they weren't. What

0:29:50.420,0:29:54.970
was also not considered was an AOA sensor[br]failure in the way that we have seen it in

0:29:54.970,0:29:59.990
these two accidents, although apparently[br]they those had different causes. The

0:29:59.990,0:30:04.091
effect for the MCAS was the same, that one[br]of the sensors showed a value that was

0:30:04.091,0:30:12.310
about 22 and a half degrees too high. And[br]that was not considered in the analysis of

0:30:12.310,0:30:17.490
the MCAS system. So I hope that is[br]readable. That is a simplified state

0:30:17.490,0:30:24.330
machine of the MCAS system. And what we[br]can see is that it can indeed activate

0:30:24.330,0:30:32.720
repeatedly, but only if the pilot uses the[br]manual electric trim in between. It will

0:30:32.720,0:30:38.440
go into a dormant state if the pilot trims[br]manually with the hand wheel or if the

0:30:38.440,0:30:42.980
pilot doesn't use the trim at all, it will[br]go dormant after a single activation and

0:30:42.980,0:30:49.100
stay that way until electric trim is used.[br]So that's the basic upshot of this state

0:30:49.100,0:30:56.190
machine. So when the pilot thinks he's[br]doing something to counter the MCAS and

0:30:56.190,0:31:03.010
he's actually making it worse. But this[br]isn't documented in any pilot

0:31:03.010,0:31:07.460
documentation anywhere. It will probably[br]be in the next way. If it's still working

0:31:07.460,0:31:15.730
like that. But so far it wasn't. So[br]Boeing was under a lot of pressure to try

0:31:15.730,0:31:24.310
to sell a new, more fuel efficient version[br]of their 737. And so I can't say for sure

0:31:24.310,0:31:29.480
how it was internally between the FAA and[br]Boeing, but it's not unreasonable to

0:31:29.480,0:31:33.680
assume that they were under a lot of[br]pressure from management to accelerate

0:31:33.680,0:31:41.890
certification and possibly take shortcuts.[br]I can't make any accusations here, but it

0:31:41.890,0:31:47.160
looks that not all is well in the[br]certification department between Boeing

0:31:47.160,0:31:54.520
and the Federal Aviation Authority. So[br]originally, the idea, of course, is the

0:31:54.520,0:32:00.270
manufacture builds the aircraft, analyzes[br]everything, documents everything, and the

0:32:00.270,0:32:06.730
FAA checks all the documentation and maybe[br]even looks at original data and maybe

0:32:06.730,0:32:11.280
looks at the physical pieces that are[br]being made for the prototype and approves

0:32:11.280,0:32:19.170
or rejects the documentation. There is[br]already a potential conflict that is not

0:32:19.170,0:32:24.050
there in most other countries because they[br]have separate agencies. But the FAA has a

0:32:24.050,0:32:30.840
dual mandate. It is supposed to promote[br]aviation, to make it more efficient, but

0:32:30.840,0:32:40.000
also to ensure aviation safety. And there[br]may be conflicts of interests, I think. So

0:32:40.000,0:32:47.640
here's what this certification has been up[br]until not quite sure, 10, 15 years ago. So

0:32:47.640,0:32:57.120
the FAA, the actual government agency, the[br]Aviation Authority, appoints a designated

0:32:57.120,0:33:03.240
engineering representative. The DER is[br]employed and paid by Boeing, but is

0:33:03.240,0:33:12.690
accountable only to the FAA. And the DER[br]checks and documents everything that is

0:33:12.690,0:33:20.410
being done. There's usually more than one,[br]thatt for simplicity's sake, let's say. And

0:33:20.410,0:33:24.630
the DER then reports the findings and all[br]the documentation, all the low level

0:33:24.630,0:33:30.360
engineering and analysis documentation[br]that has been done to the FAA, and the FAA

0:33:30.360,0:33:35.720
signs off on that or asks questions and[br]visits the company and looks at things and

0:33:35.720,0:33:41.630
makes audits and everything like that. And[br]so that usually has been working more or

0:33:41.630,0:33:47.090
less and has certainly improved the[br]overall safety of airliners that have been

0:33:47.090,0:33:57.520
built in the last decades. And this is the[br]new version. And the person is

0:33:57.520,0:34:03.430
now not called DER, but it's called AR,[br]the authorized representative, is still

0:34:03.430,0:34:08.070
employed and paid by Boeing. That hasn't[br]changed, but is appointed by Boeing

0:34:08.070,0:34:13.419
management and reports to Boeing[br]management. And the Boeing management

0:34:13.419,0:34:19.899
compiles a report and sends that to the[br]FAA and the FAA then signs off on the

0:34:19.899,0:34:25.859
report. They hopefully at least read it,[br]but they don't have all the low level

0:34:25.859,0:34:31.859
engineering details readily available and[br]only rarely speak to the actual engineers.

0:34:31.859,0:34:42.280
So anyone seeing a problem here? Well, you[br]have to say that most aircraft that are

0:34:42.280,0:34:48.419
being built have been built in the last[br]years aren't really terrible. Right. The

0:34:48.419,0:34:55.470
787 is a new aircraft. The 777[br]has been one of the safest aircraft

0:34:55.470,0:35:03.499
around, at least looking at the flight[br]hours that it has accumulated. So it's not

0:35:03.499,0:35:11.380
all bad, but there's potential for real,[br]really bad screw ups. I guess. There's

0:35:11.380,0:35:17.560
another factor maybe that I've briefly[br]mentioned is that the Boeing 737, even in

0:35:17.560,0:35:21.951
its latest version, is not computer[br]controlled. It's not fly by wire, although

0:35:21.951,0:35:27.940
it has some computers as we have seen,[br]that can move some control surfaces. But

0:35:27.940,0:35:31.269
mostly it's really, it really looks like[br]that. I think that's an actual photo from

0:35:31.269,0:35:36.910
a 737 has some corrosion on it. So it's[br]probably not a max an older version, but

0:35:36.910,0:35:41.550
it's basically the same, which is also why[br]the grandfathering certification still

0:35:41.550,0:35:47.150
works. So it's all cables and pulleys and[br]even if both hydraulic systems fails - so,

0:35:47.150,0:35:51.480
yes, it is hydraulically assisted, the[br]flight controls - but if both hydraulic

0:35:51.480,0:35:57.079
systems fail with the combined forces of[br]both pilots, you can you can still fly it

0:35:57.079,0:36:03.711
and you can still land it. That usually[br]works, except when it doesn't. And the

0:36:03.711,0:36:11.210
cases where it doesn't work are when the[br]aircraft is going very fast and has a very

0:36:11.210,0:36:15.700
high stabilizer deflection. And this is[br]from a video some of you may have seen

0:36:15.700,0:36:21.759
there, it's from Mentour Pilot. And he has[br]actually tested that in a full flight

0:36:21.759,0:36:27.660
simulator, which represents realistic[br]forces on all flight controls, including

0:36:27.660,0:36:32.960
the trim wheel. You can be in the center[br]console under the thrust levers, there are

0:36:32.960,0:36:37.780
these two shiny black wheels and they are[br]the trim wheels. You can move them

0:36:37.780,0:36:42.499
manually in all phases of flight to trim[br]the aircraft. If electric trim is not

0:36:42.499,0:36:45.420
available.[br]Pilot: in the normal trim system would not

0:36:45.420,0:36:50.950
do this. OK. It would require manual[br]trimming to get it away from this. That's

0:36:50.950,0:36:55.940
fine, it's fine, trim it backwards. Trim[br]it backwards again

0:36:55.940,0:37:00.510
Bernd: So now he is trying to trim it nose[br]up again after he has manually trimmed it

0:37:00.510,0:37:06.170
nose down because the normal electric trim[br]system cannot trim it so far nose down.

0:37:06.170,0:37:10.130
They have to do it manually. And now he is[br]trying to trim it back nose up from the

0:37:10.130,0:37:15.650
position which is known from the flight[br]data recorder that it was in the

0:37:15.650,0:37:20.749
accident flight and is trying to trim it[br]manually because some people said: "oh,

0:37:20.749,0:37:24.509
turn off the electric trim, the electric[br]trim system and trim it manually. That

0:37:24.509,0:37:27.700
will always work." And they're trying to[br]do that. And it has representative forces

0:37:27.700,0:37:34.539
to the real aircraft.[br]Copilot: Oh my god.

0:37:34.539,0:37:41.230
<i>heavy breathing</i>[br]Pilot: Ok, pause the rec...

0:37:41.230,0:37:46.119
Bernd: and you can see that the pilot on[br]the left, the captain, can't even help

0:37:46.119,0:37:50.960
him. In theory, both could turn the crank[br]at the same time. And they have a handle

0:37:50.960,0:37:56.310
on both sides because he has to hold the[br]control column with all his force. So you

0:37:56.310,0:38:00.380
can't let go. He must hold it with both[br]arms. Otherwise, it would go into a

0:38:00.380,0:38:04.619
nosedive immediately. And this is the[br]physical situation with which the pilots

0:38:04.619,0:38:09.849
were confronted in the accident flight.[br]And he now says: "press the red button in

0:38:09.849,0:38:23.640
the simulator." So end the simulation[br]because it's clear that they're going to crash.

0:38:23.640,0:38:28.120
So there is another thing that came[br]that came up after the accidents and 737

0:38:28.120,0:38:33.080
pilot said: "oh, it's just a runaway trim,[br]runaway stabilizer trim, there's a

0:38:33.080,0:38:37.660
procedure for that and just do the[br]procedure and you'll be fine." Well,

0:38:37.660,0:38:43.750
runaway stabilizer trim is one of the[br]emergency procedures that is trained ad

0:38:43.750,0:38:49.520
infinitum. Right. That's something that[br]every 737 pilot is aware of because there

0:38:49.520,0:38:55.380
are some conditions under which the trim[br]motor always gets electric current and

0:38:55.380,0:38:59.641
doesn't stop running. That just happens[br]occasionally, not very often, but

0:38:59.641,0:39:03.740
occasionally. And every pilot is primed to[br]recognize the symptoms. Oh, this is one of

0:39:03.740,0:39:10.240
a runaway stabilizer. And you turn off the[br]electric motors for the stabilizer trim

0:39:10.240,0:39:16.789
and trim manually and that'll work. But if[br]you look at what are the actual symptoms

0:39:16.789,0:39:21.700
of runaway stabilizer, it says uncommanded[br]stabilizer trim movement occurs

0:39:21.700,0:39:27.970
continuously. And MCAS movement isn't[br]continuously, MCAS trim movement is more

0:39:27.970,0:39:34.010
like the speed trim system, which occurs[br]intermittently and then stops and then

0:39:34.010,0:39:38.510
trims again for a bit and then stops[br]again. So most pilots wouldn't recognize

0:39:38.510,0:39:42.259
this as a runaway trim, because the[br]symptoms are very different. The

0:39:42.259,0:39:47.109
circumstances are different. So I guess[br]some pilots might have recognized that

0:39:47.109,0:39:51.769
there's something going on with the trim[br]that is not right and will have turned it

0:39:51.769,0:39:57.550
off. But some didn't, even though they[br]know they all know about runaway

0:39:57.550,0:40:07.460
stabilizer. And yeah, that's the second[br]file that I have.

0:40:07.460,0:40:16.400
<i>loud rattling noise</i>[br]So that's the sound. The stick shaker

0:40:16.400,0:40:21.440
makes on a Boeing 737. And now imagine[br]flying with that sound all the while

0:40:21.440,0:40:27.830
shaking the control column violently,[br]flying with that going on for an hour. And

0:40:27.830,0:40:32.670
that's what the crew on the previous[br]flight did. They flew the entire flight of

0:40:32.670,0:40:37.170
about an hour with a stick shaker going. I[br]mean, that's quite that's quite

0:40:37.170,0:40:44.460
interesting because the stick shaker says[br]your wing is about to stall. Right. But on

0:40:44.460,0:40:47.650
the other hand, they knew they were flying[br]level. They were flying fast enough.

0:40:47.650,0:40:51.809
Everything was fine. The aircraft wasn't[br]about to stall because it was going fast

0:40:51.809,0:40:58.170
and. Right. So from an aerodynamics[br]perspective, of course, they could fly the

0:40:58.170,0:41:03.309
airplane because they knew it was nowhere[br]near a stall. But still, I think in most

0:41:03.309,0:41:07.029
countries and most airlines, they would[br]have just turned around and landed again

0:41:07.029,0:41:13.420
and saying the aircraft is broken, please[br]fix it. Something is wrong. But yeah. So

0:41:13.420,0:41:19.359
the stick shaker is activated by the angle[br]of attack reading on each side and it

0:41:19.359,0:41:24.460
sticks out mechanically coupled of both of[br]them will shake with activation from

0:41:24.460,0:41:31.570
either side. So is it going to fly again?[br]It's still somewhat of an open question,

0:41:31.570,0:41:38.220
but I suspect that it will because it's[br]it's hard to imagine that letting these

0:41:38.220,0:41:43.869
460 airplanes or some something like that[br]that have been built sometimes sitting

0:41:43.869,0:41:50.239
around on an employee parking lots like[br]here, just letting them be scrapped or

0:41:50.239,0:41:56.210
whatever. I don't know. Almost 5000 have[br]been ordered. As I said, neither airlines

0:41:56.210,0:42:04.170
nor Boeing will be happy. But it's not[br]quite clear. It's not yet being certified

0:42:04.170,0:42:13.109
again. So it's still unairworthy. So[br]there's another little thing,

0:42:13.109,0:42:16.880
certification issues with new Boeing[br]aircraft. Reminded me of this. Have you

0:42:16.880,0:42:23.830
ever seen that? So battery exhaust, which[br]the aircraft has a battery exhaust? I

0:42:23.830,0:42:31.760
mean, what did you do with that? Does[br]anybody know? Yeah, of course some know.

0:42:31.760,0:42:38.069
Yeah. Boeing 787 Dreamliner. Less than two[br]years after introduction. Now, after

0:42:38.069,0:42:44.180
entering the service, actually had two[br]major battery fires. They have two big

0:42:44.180,0:42:51.380
lithium ion batteries. Lithium, lithium,[br]cobalt. I think, not sure. The one that

0:42:51.380,0:42:55.809
burns the brightest.[br]<i>laughter</i>

0:42:55.809,0:43:00.819
Bernd: Because they wanted the energy[br]density, really, and that wasn't available

0:43:00.819,0:43:06.170
in other packages. If they had used nickel[br]cadmium batteries instead, they would have

0:43:06.170,0:43:12.180
been like 40 kilograms heavier for two[br]batteries. That's almost a passenger. So

0:43:12.180,0:43:18.359
yeah, they were onboard fires. And if you[br]ask pilots what's your worst fear of

0:43:18.359,0:43:25.880
something happening in flight, they'll[br]say: flight control failure and fire. So

0:43:25.880,0:43:32.099
you don't want to have a fire in the air,[br]absolutely not. And one of the fires was

0:43:32.099,0:43:36.330
actually in-flight with passengers on[br]board. One was on the ground shortly after

0:43:36.330,0:43:41.569
disembarking and the lithium ion[br]batteries, because they are unusual and a

0:43:41.569,0:43:45.819
novel feature, as it's called, have[br]special certification conditions because

0:43:45.819,0:43:52.009
they are not covered by the original[br]certification criteria, and it says here:

0:43:52.009,0:43:55.869
Safe cell temperatures and pressures must[br]be maintained during any foreseeable

0:43:55.869,0:44:01.599
condition and during any failure of the[br]charging system, not shown to be extremely

0:44:01.599,0:44:07.569
improbable... extremely remote, sorry, and[br]extremely remote is actually two orders of

0:44:07.569,0:44:13.299
magnitude more frequent than extremely[br]improbable. Extremely remote is only less

0:44:13.299,0:44:18.400
than once every 10 million flight hours.[br]But I think the combined flight hours for

0:44:18.400,0:44:26.619
the 787 at that time were, not quite sure,[br]maybe a few hundred thousand at most. So

0:44:26.619,0:44:32.220
and also happened two times. There was not[br]really not really fun. And then it says no

0:44:32.220,0:44:37.609
explosive or toxic gases emitted as the[br]result of any failure may accumulate in

0:44:37.609,0:44:43.140
hazardous quantities within the airplane.[br]I think they've neatly solved the third

0:44:43.140,0:44:48.130
point by putting the battery in a[br]stainless steel box, really thick walls

0:44:48.130,0:44:53.990
maybe, I don't know, eight millimeters or[br]something like that. And piping them to

0:44:53.990,0:45:00.340
this hole in the bottom of the aircraft.[br]So the gases cannot accumulate in the

0:45:00.340,0:45:05.880
aircraft, obviously. So, yes. And with[br]that, I'm at the end of my talk and

0:45:05.880,0:45:12.650
there's now, I think quite some time for[br]questions. Thank you.

0:45:12.650,0:45:22.419
<i>applause</i>

0:45:22.419,0:45:26.410
Herald: Extremely punctual, I have to say.[br]Thank you for this interesting talk. We do

0:45:26.410,0:45:31.681
have the opportunity for quite some[br]questions and a healthy discussion. Please

0:45:31.681,0:45:36.529
come to the microphones that we have[br]distributed through the hall. And while

0:45:36.529,0:45:46.090
you queue up behind them: Do we have a[br]question from the Internet already? Dear

0:45:46.090,0:45:50.299
signal Angel. Is your microphone working?[br]Signal Angel: No.

0:45:50.299,0:45:53.819
Herald: Yes.[br]Signal Angel: Yes. Do you think extensive

0:45:53.819,0:45:57.450
software tests could have solved this[br]situation?

0:45:57.450,0:46:02.380
Bernd: Software tests in this case,[br]perhaps? Yes. Although software tests are

0:46:02.380,0:46:09.099
really a problematic thing because to test[br]software to these extreme reliability is

0:46:09.099,0:46:13.230
required. You really have to test them for[br]a very, very, very, very long time indeed.

0:46:13.230,0:46:17.839
So to achieve some confidence, they have[br]99 percent that a failure will not occur

0:46:17.839,0:46:23.670
in, say, 10 million hours, you will have[br]to test it for 45 million hours. Really.

0:46:23.670,0:46:26.579
And you have to test it with the exact[br]conditions that will occur in flight. And

0:46:26.579,0:46:33.930
apparently nobody's thought of an angle of[br]attack failure, angle of attack sensor

0:46:33.930,0:46:38.170
failure. So maybe testing wouldn't have[br]done a lot in this case.

0:46:38.170,0:46:44.250
Herald: Thank you. Microphone number four.[br]Mic4: Yes. Thank you for the talk. I've

0:46:44.250,0:46:49.809
got a question concerning the grounding.[br]So what is your view that the FAA waited

0:46:49.809,0:46:55.970
so long until they finally ground the[br]aircraft a week after the Chinese started

0:46:55.970,0:46:58.381
with grounding.[br]Bernd: Yes, that's a good point. And I

0:46:58.381,0:47:02.549
think it's an absolute disgrace that they[br]waited so long. Even after the first

0:47:02.549,0:47:06.140
crash. They made an internal study and it[br]was reported in the news some some weeks

0:47:06.140,0:47:13.239
ago and estimated that during the lifetime[br]of the 737 max, probably around 15

0:47:13.239,0:47:17.869
aircraft would crash. So I say every two[br]to three years, one of them would crash

0:47:17.869,0:47:22.720
and they still didn't ground it and waited[br]until four days after the second accident.

0:47:22.720,0:47:27.900
Yes, it's a shame, really.[br]Herald: Thank you. Microphone number

0:47:27.900,0:47:31.089
seven, please.[br]Mic7: Thank you for your talk. I have a

0:47:31.089,0:47:38.670
question regarding the design decision to[br]only use one AOA sensor. So I've read that

0:47:38.670,0:47:43.480
Boeing used the MCAS system before on a[br]military aircraft and that used both

0:47:43.480,0:47:46.549
sensors. So why was that decision made to[br]downgrade?

0:47:46.549,0:47:51.619
Bernd: Yeah, that's a good question. I'm[br]not aware of that military system. If that

0:47:51.619,0:47:56.450
was really exactly the same. But if that's[br]the case, yes, that makes it even stranger

0:47:56.450,0:48:00.160
that they chose to use only one in this[br]case. Yes. Thank you.

0:48:00.160,0:48:04.950
Herald: Okay, Microphone number two,[br]please.

0:48:04.950,0:48:10.619
Mic2: Yeah. Thank you for your talk. [br]So how do you actually test these

0:48:10.619,0:48:15.200
requirements in practice? So how you[br]determine in practice if something is

0:48:15.200,0:48:19.809
likely to fail every ten to the minus nine[br]as opposed to every ten to the minus

0:48:19.809,0:48:22.440
eight?[br]Bernd: No, that's that's obviously

0:48:22.440,0:48:27.150
practically completely impossible. You[br]can't. As I said, if you want to have a

0:48:27.150,0:48:31.770
reasonable confidence that it's really the[br]error rate is really so low, you'd have to

0:48:31.770,0:48:37.380
test it for four and a half billion hours[br]in operation, which is just impossible.

0:48:37.380,0:48:42.990
What instead is done: there are some,[br]industry standards for aviation that is

0:48:42.990,0:48:49.200
DEO178 currently in revision C, and that[br]says if you have software that if it

0:48:49.200,0:48:53.529
fails, may have consequences of[br]this severity, then you have to use these

0:48:53.529,0:48:59.670
very strict, very formal methods for[br]developing the software, like doing very

0:48:59.670,0:49:05.489
strict and formal requirements analysis[br]specification in a formal language,

0:49:05.489,0:49:12.720
preferably. And um, if possible, and some[br]some companies actually do that, formally

0:49:12.720,0:49:16.680
prove your source code correct. And in[br]some languages that can be done. But it's

0:49:16.680,0:49:21.960
it's very, it's a lot of effort. And[br]that's how this should be done. And this

0:49:21.960,0:49:25.769
software obviously should have been[br]developed to the highest level according

0:49:25.769,0:49:31.150
to the DEO178, which is level A and quite[br]obviously it wasn't.

0:49:31.150,0:49:35.940
Herald: Thank you. Signal Angel, please.[br]The next question from the Internet.

0:49:35.940,0:49:40.400
Signal Angel: The talk focused most on[br]MCAS, but someone noted that the plane was

0:49:40.400,0:49:45.559
actually designed for engines below the[br]wings and the NG model, so the one before,

0:49:45.559,0:49:49.039
already had problems of the wing mounts[br]and engine mounts. Do you think there will

0:49:49.039,0:49:53.160
be mechanical problems with Max, too?[br]Bernd: I'm not sure there were really

0:49:53.160,0:49:56.269
mechanical problems. There were[br]aerodynamic problems. And apparently.

0:49:56.269,0:50:00.569
Well, I'm sure they have tested the NG to[br]the same standards, to the same

0:50:00.569,0:50:04.559
certification standards, because obviously[br]there were aerodynamic changes even with

0:50:04.559,0:50:10.069
the NG. And the NG apparently still[br]fulfilled the formal criteria of the

0:50:10.069,0:50:15.329
certification. There are some acceptable[br]means of compliance and quite specific

0:50:15.329,0:50:20.670
descriptions, how you test these stick[br]forces versus airspeed. And as far as I

0:50:20.670,0:50:25.441
know, the NG just fulfilled them. And the[br]Max just didn't. So for the Max, something

0:50:25.441,0:50:29.910
was required, although even the[br]classic, which basically at the same

0:50:29.910,0:50:35.160
engine as the NG. Even the classic had[br]some problems there. That's where the

0:50:35.160,0:50:41.410
speed trim system was introduced. And so[br]it has a similar system and actually the

0:50:41.410,0:50:45.779
MCAS is just another little algorithm in[br]the computer that also does the speed trim

0:50:45.779,0:50:48.549
system.[br]Herald: Please stay seated and buckled up

0:50:48.549,0:50:54.099
until we reach our parking position. No.[br]We are still in the Q&amp;A phase. Please

0:50:54.099,0:50:59.579
stay seated and please be quiet so we can[br]enjoy all of this talk. And if you have to

0:50:59.579,0:51:04.259
have to leave, then be super quiet right[br]now. It is a way too loud in here, please.

0:51:04.259,0:51:07.200
The next question from microphone number[br]one.

0:51:07.200,0:51:13.369
Mic1: So considering lessons learned from[br]this accident, has the FAA already changed

0:51:13.369,0:51:17.839
the certification process or are they[br]about to change it? Or on what about other

0:51:17.839,0:51:21.430
agencies worldwide?[br]Bernd: The FAA is probably going to move

0:51:21.430,0:51:26.049
very slow. And I'm not aware of any[br]specific changes yet, but I haven't looked

0:51:26.049,0:51:32.869
into too much detail in that. Other[br]certification agencies work somewhat

0:51:32.869,0:51:37.500
different. And at least the EASA in Europe[br]and the Chinese authorities have already

0:51:37.500,0:51:41.690
indicated that in this case they are not[br]going to follow the FAA certification, but

0:51:41.690,0:51:46.839
going to do their own. And until now, it[br]was usually the case that if the FAA

0:51:46.839,0:51:50.971
certified the airplane, everybody else in[br]the world just took that certification and

0:51:50.971,0:51:55.819
said what the FAA did is probably fine and[br]vise versa. When the EASA certified a

0:51:55.819,0:52:00.720
Boeing airplane, then the FAA would also[br]certify it. And that is probably changing

0:52:00.720,0:52:04.750
now.[br]Herald: Thank you. Microphone number 3.

0:52:04.750,0:52:11.210
Mic3: So, hi. Thank you for this talk.[br]Two questions, please. Were you part of an

0:52:11.210,0:52:18.450
official investigation or is this your own[br]analysis of the facts? Here's the other

0:52:18.450,0:52:24.700
one. I heard something about this software[br]being outsourced to India. Can you comment

0:52:24.700,0:52:27.829
on that, please?[br]Bernd: The first one: no, this is my own

0:52:27.829,0:52:36.040
private analysis. I have been doing some[br]accident analysis for a living for a

0:52:36.040,0:52:41.369
while, but not for any official agency,[br]but always for private customers.

0:52:41.369,0:52:46.809
And about outsourcing to India, I'm[br]not quite sure about that. I've read

0:52:46.809,0:52:51.840
something like that. And what I've read is[br]that it was produced by Honeywell. I

0:52:51.840,0:52:57.450
think. I may be wrong about that, but I[br]think it was Honeywell. And who the actual

0:52:57.450,0:53:04.920
programmers were sitting. If it's done[br]properly, according to the methodologies

0:53:04.920,0:53:09.589
prescribed by DO178 and fulfilling all[br]those requirements, then where the

0:53:09.589,0:53:15.049
programmer sit is actually not that[br]important. And I don't want to deride

0:53:15.049,0:53:21.140
Indian programmers, and I think if it's[br]done according to specification and

0:53:21.140,0:53:27.119
analyzed with study code analyses and[br]everything else vis a vis the

0:53:27.119,0:53:31.900
specification, then that would also be[br]fine, I guess. But the problem is not so

0:53:31.900,0:53:35.599
much really in the implementation, but in[br]the design of the system, in the

0:53:35.599,0:53:40.059
architecture.[br]Herald: Thank you. Microphone number 5

0:53:40.059,0:53:45.240
please.[br]Mic5: Hello. I may go to your

0:53:45.240,0:53:50.479
presentation wrong, but for me, the real[br]root cause of the problem is the

0:53:50.479,0:53:58.920
competition and high deadline from the[br]management. So the question for you is: is

0:53:58.920,0:54:05.759
there any suggestions from you that[br]process could be, I dunno, maybe changed

0:54:05.759,0:54:18.779
in order to avoid the bugs in the [br]software and have the mission

0:54:18.779,0:54:24.019
critical systems saved?[br]Bernd: Yeah. So we don't normally just

0:54:24.019,0:54:29.069
talk about THE cause or THE root cause,[br]but there are always several causes.

0:54:29.069,0:54:35.339
Basically you can say depending on where[br]you stop with the graph - where is it? -

0:54:35.339,0:54:40.979
where you stop with the graph all the[br]leaves on the graph are root causes and

0:54:40.979,0:54:46.779
but I've stopped relatively early and not[br]not I'm not gone into any more detail on

0:54:46.779,0:54:51.019
that, but yeah. The competition between[br]Airbus and Boeing, obviously it was a big

0:54:51.019,0:54:57.940
factor in this. And I don't suppose you do[br]suggest that we abolish competition in the

0:54:57.940,0:55:04.460
market. But what needs to be changed, I[br]think, is the way certification is done.

0:55:04.460,0:55:10.270
And that requires the FAA reasserting its[br]authority much more. And that will

0:55:10.270,0:55:16.710
probably require a lot more personnel with[br]good engineering background, and maybe

0:55:16.710,0:55:22.349
that would require the FAA paying better[br]wages. So I don't know, because currently

0:55:22.349,0:55:27.489
probably all the good engineers will go to[br]Boeing instead of the FAA. But the FAA

0:55:27.489,0:55:31.279
dearly needs engineering expertise and[br]lots of it.

0:55:31.279,0:55:35.661
Herald: Thank you. The next question we[br]hear from microphone number 4.

0:55:35.661,0:55:40.249
Mic4: Hi. Thank you for the talk. I've[br]heard that there is - I've heard - I've

0:55:40.249,0:55:47.349
read that there's a version of the 737 Max[br]8 that did allow for a third airway

0:55:47.349,0:55:52.729
sensitivity present that served as a[br]backup for either sensors but that this

0:55:52.729,0:55:56.910
was a paid option. And I have not found[br]confirmation of this. Do you know anything

0:55:56.910,0:56:00.999
about this?[br]Bernd: No, I'm not aware of that

0:56:00.999,0:56:10.089
as a paid option. There was something[br]about an optional feature that was called

0:56:10.089,0:56:13.750
a safety feature, but I can't exactly[br]remember what that was. Maybe it was and

0:56:13.750,0:56:18.470
angle of attack indicator in the cockpit[br]that is available as an option, I think,

0:56:18.470,0:56:26.839
for this 737 for most models, because the[br]sensor is there anyway. As for a third AOA

0:56:26.839,0:56:31.710
sensor, I'd be surprised if that was an[br]option because that is a major change and

0:56:31.710,0:56:36.259
requires a major change to all the system[br]layout. Then you'd need an additional a

0:56:36.259,0:56:41.259
data inertial reference unit, which is a[br]big computer box in the aircraft of which

0:56:41.259,0:56:46.440
there are only two. And that would've[br]taken a long, long time in addition to

0:56:46.440,0:56:51.609
develop. So I'm skeptical about that third[br]angle of attack sensor. At least I've not

0:56:51.609,0:56:56.070
heard of it.[br]Herald: Thank you. Signal angel, do we

0:56:56.070,0:56:58.359
have more from the internet? Please one[br]quick one.

0:56:58.359,0:57:03.390
Signal angel: If you need a quick one,[br]would you ever fly with a 737 Max again if

0:57:03.390,0:57:05.970
it was ever cleared again?[br]<i>applause</i>

0:57:05.970,0:57:10.750
Bernd: I was expecting that question. And[br]actually I don't have an answer yet for

0:57:10.750,0:57:18.040
that. And that maybe would depend on how I[br]see the FAA and the EASA doing the

0:57:18.040,0:57:23.349
certification. I've seen some people[br]saying that the 737 Max should never be

0:57:23.349,0:57:31.310
recertified. I think that it will be. And[br]I look at it in some detail, seeing how

0:57:31.310,0:57:37.290
the FAA develops and how the EASA is[br]handling it. And then maybe. Yes.

0:57:37.290,0:57:43.259
Herald: Great. Okay, in that case, we[br]would take one more very short question

0:57:43.259,0:57:48.769
from microphone number 5.[br]Mic5: Do you know why the important AOA

0:57:48.769,0:57:53.779
sensor failed to give the correct values?[br]Bernd: There are some theories about that, but

0:57:53.779,0:57:58.469
I haven't investigated that in any more[br]detail now. There were some stories that

0:57:58.469,0:58:05.029
in the case of the Indonesian, the Lion[br]Air, that it was actually mounted or

0:58:05.029,0:58:12.599
reassembled incorrectly. That would[br]explain why there was a constant offset.

0:58:12.599,0:58:17.969
It may also have been somebody calculated[br]that it was actually, exactly - if you

0:58:17.969,0:58:21.390
look at the raw data that is being[br]delivered on the bus -, there was exactly

0:58:21.390,0:58:26.049
one flipped bit, which is also a[br]possibility. But I I don't really know.

0:58:26.049,0:58:29.000
But there were some implications in the[br]report. Maybe I have to read that section

0:58:29.000,0:58:34.869
again from the Indonesian authorities[br]about substandard maintenance, as it is

0:58:34.869,0:58:39.400
euphemistically called.[br]Herald: OK. We have two more minutes. So I

0:58:39.400,0:58:42.109
will take another question from microphone[br]number 1.

0:58:42.109,0:58:49.509
Mic1: Hey, I would have expected that[br]modern aircraft would have some plug,

0:58:49.509,0:58:54.829
physical plug, hermetic one that would[br]disconnect any automated system. Isn't

0:58:54.829,0:58:58.070
this something that exist in our planes[br]today?

0:58:58.070,0:59:02.390
Bernd: Now, and especially modern aircraft[br]can't just disconnect the automatics,

0:59:02.390,0:59:06.880
because if you look at modern fly by wire[br]aircraft, there is no connection between

0:59:06.880,0:59:11.420
the flight controls and the control[br]surfaces. There's only a computer and the

0:59:11.420,0:59:16.450
flight controls that the pilots handle are[br]only inputs to the computer and there's no

0:59:16.450,0:59:23.170
direct connection. That is true for every[br]Airbus since the A320, for every Boeing

0:59:23.170,0:59:28.950
since the triple 7, so the triple 7 and[br]the 787 are totally 100 percent fly by

0:59:28.950,0:59:33.160
wire. Well, I think 95 percent because[br]there's one control service that is

0:59:33.160,0:59:38.609
directly connected, one spoiler on each[br]side. But basically, there's there's no

0:59:38.609,0:59:43.280
way. And so you have to make sure that[br]flight control software is developed to

0:59:43.280,0:59:47.740
the highest possible standards. Because[br]you can't turn it off, because that's

0:59:47.740,0:59:53.200
everything. That's, Well, let me put it[br]this way: On the fly by wire aircraft,

0:59:53.200,1:00:00.640
only the computer can control the flight,[br]the flight control surfaces know. So I

1:00:00.640,1:00:03.910
just hope that it's good.[br]Herald: Think about that when you next

1:00:03.910,1:00:08.840
enter a plane. And also, please give a big[br]round of applause for our speaker Bernd.

1:00:08.840,1:00:21.142
<i>applause</i>

1:00:21.142,1:00:31.720
<i>36c3 postroll music</i>

1:00:31.720,1:00:48.000
Subtitles created by c3subtitles.de[br]in the year 2020. Join, and help us!