1
00:00:00,000 --> 00:00:20,310
36C3 preroll music
2
00:00:20,310 --> 00:00:25,860
Herald: In the following talk Mr. Bernd
Sieker will speak about the crashes and
3
00:00:25,860 --> 00:00:33,930
what led to the crashes of the most recent
737 model. He is a flight safety
4
00:00:33,930 --> 00:00:38,320
engineer and he also worked on
flight safety and he analyzed the plane
5
00:00:38,320 --> 00:00:43,940
crashes for a long time.
And you have to keep in mind that this
6
00:00:43,940 --> 00:00:49,620
737, although multiple models have been
built, can be flown. All models can be
7
00:00:49,620 --> 00:00:55,950
flown with the same type rating since
1967, which is one of the many root causes
8
00:00:55,950 --> 00:01:02,210
of the issues that led to the disaster
that killed 346 people. Let's listen to
9
00:01:02,210 --> 00:01:04,980
Bernd and he'll enlighten us about what else
went wrong.
10
00:01:04,980 --> 00:01:13,700
applause
11
00:01:13,700 --> 00:01:17,020
Bernd Sieker: Yes, thank you very much for
the introduction. I see there are not quite
12
00:01:17,020 --> 00:01:22,021
as many people as with the Edward Snowden
talk, but I'm not disappointed. Aviation
13
00:01:22,021 --> 00:01:25,420
safety has always been very important to
me and I've done a lot of work on it and I
14
00:01:25,420 --> 00:01:30,900
am happy to share my passion with so many
of you. Thank you.
15
00:01:30,900 --> 00:01:36,439
applause
So this is basically the outline of what I'm
16
00:01:36,439 --> 00:01:42,540
going to talk about. It's the Boeing 737
Max or seven thirty seven as some may say.
17
00:01:42,540 --> 00:01:47,439
I will briefly talk about the accidents,
what we knew at the beginning, what went
18
00:01:47,439 --> 00:01:53,810
wrong and then what came to light. Later
on I will show our causal analysis method
19
00:01:53,810 --> 00:02:00,280
that we use, very briefly, and then an
overview of the analysis
20
00:02:00,280 --> 00:02:05,390
that I did of these accidents. Then talk
about the infamous MCAS system, the
21
00:02:05,390 --> 00:02:11,230
Maneuvering Characteristics Augmentation
System, as it's called, by its full name.
22
00:02:11,230 --> 00:02:15,480
Then I'll talk about certification, how
certain aircraft certification works in
23
00:02:15,480 --> 00:02:18,870
the United States. It's very similar in
Europe, although there are some
24
00:02:18,870 --> 00:02:22,650
differences. But I'm not going to talk
about European details in this talk. So
25
00:02:22,650 --> 00:02:29,540
it's mostly about the FAA and aircraft
certification across the pond. Some other
26
00:02:29,540 --> 00:02:38,670
things and an outlook, how it is going to
go on with the Boeing 737 Max. We
27
00:02:38,670 --> 00:02:42,940
currently don't know exactly what's going
to happen, but we'll see. And if we have
28
00:02:42,940 --> 00:02:51,069
time, I have a few bonus slides later
on. So the Boeing 737 Max - the star of
29
00:02:51,069 --> 00:02:54,920
the show, as you may say, it's the fourth
iteration, as the Herald already
30
00:02:54,920 --> 00:03:02,200
indicated, of the world's best selling
airliner. I think I looked it up just
31
00:03:02,200 --> 00:03:07,799
recently. I think there have been almost
15,000 orders for the 737 of all
32
00:03:07,799 --> 00:03:14,450
the series, the original, the classic, the
NG and now the Max. And the Max itself is
33
00:03:14,450 --> 00:03:19,459
the fastest selling airliner of all time.
So within months, it had literally
34
00:03:19,459 --> 00:03:24,950
thousands of orders. It has now almost
5,000 orders. The 737 Max, and all the
35
00:03:24,950 --> 00:03:29,290
airlines in the world are waiting for the
grounding to be lifted so they can receive
36
00:03:29,290 --> 00:03:40,019
and fly the aircraft. So the first
accident was last year. It was a Lion Air,
37
00:03:40,019 --> 00:03:46,030
an Indonesian flag carrier. Actually, I
think the second or third largest Boeing
38
00:03:46,030 --> 00:03:51,541
737 Max customer in the world with a
couple of hundred, 250 or something
39
00:03:51,541 --> 00:04:01,969
aircraft and it crashed relatively shortly
after it entered service. And so we've heard
40
00:04:01,969 --> 00:04:08,840
some strange things in the news and on the
forums that deal with aviation safety. It
41
00:04:08,840 --> 00:04:15,549
seems that there had been uncommanded nose
down trim. So the tail plane is moved by
42
00:04:15,549 --> 00:04:21,150
an electric motor and it forces the nose
of the aircraft down. The pilot can
43
00:04:21,150 --> 00:04:27,670
counter that movement with some switches
on his control column. And apparently the
44
00:04:27,670 --> 00:04:32,940
stick shaker was active during the flight
and there were difficulties in controlling
45
00:04:32,940 --> 00:04:37,540
the aircraft. We didn't know at the time
exactly what it was. And then for the
46
00:04:37,540 --> 00:04:46,220
first time, the abbreviation MCAS surfaced
and even 737 pilots, even 737 Max pilots,
47
00:04:46,220 --> 00:04:50,880
at least some of them said they'd never
heard of it. It was a mystery. We later
48
00:04:50,880 --> 00:04:55,230
found that actually in some documentation,
it was very briefly mentioned that such a
49
00:04:55,230 --> 00:05:00,080
system existed, but not exactly why it was
there. And I guess Boeing knew and the
50
00:05:00,080 --> 00:05:05,680
certification authorities, as it turned
out, sort of knew a bit of the story, but
51
00:05:05,680 --> 00:05:11,440
not the whole story. But especially people
in the West, in the US and in other
52
00:05:11,440 --> 00:05:19,230
countries said: Oh, these are just poorly
trained Third World pilots. And we expect
53
00:05:19,230 --> 00:05:24,600
that. And they weren't completely wrong.
Lion Air has a particularly bad safety
54
00:05:24,600 --> 00:05:29,030
record. And it wasn't unknown to aviation
safety investigators. There have been a
55
00:05:29,030 --> 00:05:36,380
number of crashes with Lion Air. So in the
beginning, we thought, OK, maybe it's a
56
00:05:36,380 --> 00:05:41,510
fluke, it's a one off or maybe it's caused
by poor maintenance or bad pilots or
57
00:05:41,510 --> 00:05:47,940
whatever. So several people, on the other
hand, already began worrying because some
58
00:05:47,940 --> 00:05:53,600
flight data recorder traces became public.
And there were some very strange things
59
00:05:53,600 --> 00:05:59,830
which we will see shortly. And then only a
few months later, the second aircraft of
60
00:05:59,830 --> 00:06:06,173
exactly the same type and the same
variant, Boeing 737 Max 8, also crashed.
61
00:06:06,173 --> 00:06:11,560
And you can see maybe on the picture on
the left, it left a rather big crater. It
62
00:06:11,560 --> 00:06:17,930
really dove into the earth quite fast. It
turned out, I think, about between seven
63
00:06:17,930 --> 00:06:25,000
and eight hundred kilometers per hour. So,
so really fast and not much left. Not much
64
00:06:25,000 --> 00:06:30,630
was left. I think the biggest parts were
about this size, I guess. So all small
65
00:06:30,630 --> 00:06:38,540
pieces of debris and the engine cores,
which are a bit bigger. And from that as
66
00:06:38,540 --> 00:06:45,520
well, flight data recorder traces became
public. The recorders had survived, at
67
00:06:45,520 --> 00:06:51,740
least the memory in them, and were
readable. So we finally found out
68
00:06:51,740 --> 00:06:57,780
something and found some similarities,
some rather disturbing similarities. We
69
00:06:57,780 --> 00:07:03,210
come to that in a moment, but I'll talk a
little bit about the Boeing 737 family in
70
00:07:03,210 --> 00:07:08,340
general. So there were four, as I said,
models. That was the original, which had
71
00:07:08,340 --> 00:07:14,050
narrow engines under the wings. Not a lot
of room between the ground and the
72
00:07:14,050 --> 00:07:20,370
engines, but it looked quite normal. You
could say it was one of the first short-
73
00:07:20,370 --> 00:07:27,020
haul airliners with under slung engines,
under the wings, and then new high-bypass
74
00:07:27,020 --> 00:07:31,240
turbofan engines entered the market,
which were much more fuel efficient. We're
75
00:07:31,240 --> 00:07:36,360
talking about maybe some 15 to 20 percent
lower fuel consumption. So it was a big
76
00:07:36,360 --> 00:07:42,610
deal. And the Boeing 737 was reengined and
became known as the classic, bigger
77
00:07:42,610 --> 00:07:47,051
engines, but still mostly analog
mechanical instruments. And it was
78
00:07:47,051 --> 00:07:51,930
basically the same as the original,
except that it had some bigger engines
79
00:07:51,930 --> 00:07:55,540
and they had to shape the cowling a little
differently to accommodate the bigger
80
00:07:55,540 --> 00:08:02,890
engines. But more or less, it worked for a
while. And then as airlines demanded more
81
00:08:02,890 --> 00:08:08,340
modern avionics, so the cockpit
electronics in aircraft, the next
82
00:08:08,340 --> 00:08:14,620
generation was conceived. It also got a
new wing, new winglets, which again saved
83
00:08:14,620 --> 00:08:19,590
a lot of fuel. It had basically the same
engines, except that the engines now were
84
00:08:19,590 --> 00:08:24,820
also computer controlled by what we call
FADEC, full authority digital engine
85
00:08:24,820 --> 00:08:31,310
control. And Boeing said, well, that's
probably going to be the last one. And in
86
00:08:31,310 --> 00:08:36,149
the next few years, we are going to
develop an all new, short and medium haul
87
00:08:36,149 --> 00:08:43,120
single aisle aircraft which will be all
new and super efficient and super cheap to
88
00:08:43,120 --> 00:08:49,830
operate - all the promises that
manufacturers always make. In the
89
00:08:49,830 --> 00:08:56,410
meantime, Airbus was becoming a major
player with the A320. It was overall a
90
00:08:56,410 --> 00:09:00,470
much more modern aircraft. It had digital
fly by wire. It always had digitally
91
00:09:00,470 --> 00:09:04,940
controlled engines. It had much higher
ground clearance. So it was no problem to
92
00:09:04,940 --> 00:09:10,440
accommodate the larger engines in the
A320. And Airbus then announced that it
93
00:09:10,440 --> 00:09:14,990
was going to reengine the A320. And for
the A320, that was the first time it got
94
00:09:14,990 --> 00:09:19,830
new engines. For a long time you had
the choice of two types of engines for
95
00:09:19,830 --> 00:09:25,410
the A320. And then they said, we're going
to install these new super efficient
96
00:09:25,410 --> 00:09:32,029
engines, which brought with it another
optimization of fuel consumption. That was
97
00:09:32,029 --> 00:09:37,529
another 15 percent fuel saved per mile
traveled something on the order of that.
98
00:09:37,529 --> 00:09:42,910
So it was a huge improvement again. And
many Airbus customers immediately ordered
99
00:09:42,910 --> 00:09:49,050
the so-called A320neo and some Boeing
customers also thought, well, this one is
100
00:09:49,050 --> 00:09:55,670
going to consume so much less fuel that we
might consider switching to Airbus, even
101
00:09:55,670 --> 00:09:59,810
though it's a major hassle if you
have a fleet entirely consisting of Boeing
102
00:09:59,810 --> 00:10:03,830
aircraft, if you then switch to Airbus,
it's a huge hassle and nobody really wants
103
00:10:03,830 --> 00:10:08,310
that unless they're really forced to. But
the promised fuel savings were so big that
104
00:10:08,310 --> 00:10:13,079
companies actually considered this and
lots of them. And so Boeing said we need
105
00:10:13,079 --> 00:10:20,830
something very quickly, preferably within
two years I think. For airliner
106
00:10:20,830 --> 00:10:26,839
development, that's very, very, very, very
quickly. And they said, well, scrap all
107
00:10:26,839 --> 00:10:33,550
the plans about the new small airliner.
We're going to change the 737 again. And
108
00:10:33,550 --> 00:10:38,800
now the new engines were going to be
bigger again. And so actually, there was
109
00:10:38,800 --> 00:10:45,339
no ground clearance to mount them in the
same way as on the NG. So they had to
110
00:10:45,339 --> 00:10:50,339
modify the landing gear, to mount the
engines even further forward and higher.
111
00:10:50,339 --> 00:10:55,410
And the engines were bigger. But the
engines were, on the whole, a very
112
00:10:55,410 --> 00:10:58,731
good new development. The same type of
engines that you could get for the new
113
00:10:58,731 --> 00:11:08,480
Airbus - CFM international. And so
we decided to make the Boeing 737 4th
114
00:11:08,480 --> 00:11:17,819
generation and call it "the Max". So when
we analyze accidents, we use a causal
115
00:11:17,819 --> 00:11:22,199
analysis method called Why-Because
analysis. And we have some counterfactual
116
00:11:22,199 --> 00:11:26,709
tests which determine if something is a
cause of something else. We call it a
117
00:11:26,709 --> 00:11:32,839
necessary causal factor. And it's very
simple. A is a causal factor of B, if you
118
00:11:32,839 --> 00:11:36,990
can say had A not happened, then B would
not have happened either. So, I mean, you
119
00:11:36,990 --> 00:11:41,279
need to show for everything that there is
a causal relationship and that all the
120
00:11:41,279 --> 00:11:48,449
factors that you have found are actually
sufficient to cause the other event. So
121
00:11:48,449 --> 00:11:51,819
you can probably not read everything of
it, but it's not really important. This is
122
00:11:51,819 --> 00:11:57,960
a simplified graph and I will show the
relevant details later. And this is the
123
00:11:57,960 --> 00:12:02,879
analysis that I made of these accidents.
And you can see it's not a simple tree; as
124
00:12:02,879 --> 00:12:06,589
computer scientists, many of you are
familiar with trees and this is just a
125
00:12:06,589 --> 00:12:15,110
directed graph and it can have branches
and so on. And so some things are causal
126
00:12:15,110 --> 00:12:19,519
influence, causal effect of several
different things. So some of the factors
127
00:12:19,519 --> 00:12:24,130
actually have an influence on multiple
levels. For example, the airspeed
128
00:12:24,130 --> 00:12:29,819
influences the control forces and it also
influences the time the crew had to
129
00:12:29,819 --> 00:12:36,910
recover the aircraft before impact with
the ground. So these are some of the
130
00:12:36,910 --> 00:12:42,829
things that I will look at in a bit more
detail. So here is one of them:
131
00:12:42,829 --> 00:12:47,249
Uncommanded nose down trim. So what
happened apparently on these accident
132
00:12:47,249 --> 00:12:54,279
flights was that you can see it in the
flight data recorder traces. I don't know.
133
00:12:54,279 --> 00:13:00,339
Can you see the mouse pointer? Here,
that's the blue line. And that is labeled
134
00:13:00,339 --> 00:13:06,029
trim manual. And there's the orange line
that is labeled Trim Automatic. And if
135
00:13:06,029 --> 00:13:14,240
they have a displacement to the bottom,
that means that the aircraft is being
136
00:13:14,240 --> 00:13:20,059
trimmed nose down, which means in order to
continue to fly level, you have to pull
137
00:13:20,059 --> 00:13:25,309
the control column with more force towards
you. And what you can see is in the
138
00:13:25,309 --> 00:13:28,600
beginning, there are a few trim
movements. And on this type, they are
139
00:13:28,600 --> 00:13:33,519
expected; it has an automatic trim system
for some phases of flight which trims the
for some phases of flight which trims the
140
00:13:33,519 --> 00:13:41,110
aircraft to keep it flying stable. And
then after a while, it started doing many
141
00:13:41,110 --> 00:13:47,009
automatic nose down trim movements. Each
of these lasts almost 10 seconds and there
142
00:13:47,009 --> 00:13:52,339
is a pause between them. And in every
case, the pilots counter the nose down
143
00:13:52,339 --> 00:13:56,649
trim movement with the nose up trim
movement on the control yoke. There are
144
00:13:56,649 --> 00:14:02,720
switches that you operate with your thumb
and you can trim the aircraft that way and
145
00:14:02,720 --> 00:14:07,300
change the control forces and cause the
aircraft nose to go up or down. So for a
146
00:14:07,300 --> 00:14:11,160
very long time, this went on: The computer
trimmed the aircraft nose down, the pilots
147
00:14:11,160 --> 00:14:18,779
trimmed the aircraft nose up, and so on.
Until at the very end, you can see that
148
00:14:18,779 --> 00:14:23,309
the trim, the nose up trim movements that
the pilots made, become shorter and
149
00:14:23,309 --> 00:14:29,389
shorter. And this line here, it says pitch
trim position. That is the resulting
150
00:14:29,389 --> 00:14:34,309
position of the trim control surface,
which is the entire horizontal stabilizer
151
00:14:34,309 --> 00:14:39,490
on the aircraft. And it moves down and it
doesn't really go up anymore because the
152
00:14:39,490 --> 00:14:44,009
pilot inputs become very short. And that
means the control forces to keep the
153
00:14:44,009 --> 00:14:48,459
aircraft flying level become extremely
high. And in the end, it became
154
00:14:48,459 --> 00:14:55,199
uncontrollable and crashed, as you can see
here. So the pilots, for various reasons,
155
00:14:55,199 --> 00:14:59,759
which I will highlight later, the pilots
were unable to trim the aircraft manually
156
00:14:59,759 --> 00:15:05,999
and the nose down trim persisted and the
aircraft crashed. And this is only the
157
00:15:05,999 --> 00:15:10,660
graph of one of the accidents. But the
other one is very similar. And so that's
158
00:15:10,660 --> 00:15:15,990
what we see. There is a known system,
which was already known before on the
159
00:15:15,990 --> 00:15:21,350
Boeing 737. I think it's available on
all the old versions as well, which is
160
00:15:21,350 --> 00:15:25,110
called the speed trim system, which in
some circumstances trims the aircraft
161
00:15:25,110 --> 00:15:32,930
automatically. But the inputs that we see,
the automatic trim inputs don't really fit
162
00:15:32,930 --> 00:15:41,740
the so-called speed trim system. And so
for the first time, we hear the word MCAS.
163
00:15:41,740 --> 00:15:47,019
And we'll talk a bit more about what made
the Boeing 737 different from all the
164
00:15:47,019 --> 00:15:52,410
previous models. And that is the bigger
engines. As I said, the engines were much
165
00:15:52,410 --> 00:15:57,910
bigger. And to achieve the necessary
ground clearance, they had to be
166
00:15:57,910 --> 00:16:03,209
mounted further forward. And there are
also a lot bigger, which means at high
167
00:16:03,209 --> 00:16:06,869
angles of attack, when the aircraft is
flying against the stream of the oncoming
168
00:16:06,869 --> 00:16:13,080
air at a higher angle, these engine nacelles
produce additional lift in front of the
169
00:16:13,080 --> 00:16:18,709
center of gravity, which creates a pitch
up moment. And the certification criteria
170
00:16:18,709 --> 00:16:25,990
are quite strict in that and say
exactly what the forces on the
171
00:16:25,990 --> 00:16:34,130
flight controls must be to be certified.
And due to the bigger engines, there were
172
00:16:34,130 --> 00:16:41,149
some phases or some angles of attack at
which these certification criteria were no
173
00:16:41,149 --> 00:16:46,630
longer met. And so it was decided to
introduce a small piece of software which
174
00:16:46,630 --> 00:16:51,999
would just introduce a small trim movement
to bring it in line with certification
175
00:16:51,999 --> 00:16:59,319
criteria again. And one of the reasons
this was done was probably so the aircraft
176
00:16:59,319 --> 00:17:04,390
could retain the same type certificate as
was mentioned in the introduction. So
177
00:17:04,390 --> 00:17:10,350
pilots can change within one airline,
between the aircraft, between the 737 NG
178
00:17:10,350 --> 00:17:15,130
and the 737 Max. They have the same type
certificate. There's a very brief
179
00:17:15,130 --> 00:17:18,720
differences training, but they can switch
even in line operations between the
180
00:17:18,720 --> 00:17:27,950
aircraft from day to day. And another
reason: no other changes were made. Boeing
181
00:17:27,950 --> 00:17:32,950
could, for example, have made a longer
main landing gear to create additional
182
00:17:32,950 --> 00:17:38,070
ground clearance to move the engines in a
more traditional position, that would have
183
00:17:38,070 --> 00:17:44,210
probably made it more aerodynamically in
line with certification criteria. I
184
00:17:44,210 --> 00:17:49,500
hesitate to say the word "to make it more
stable" because even as it is, the Boeing
185
00:17:49,500 --> 00:17:56,640
737 Max is not inherently aerodynamically
unstable. If all these electronic gimmicks
186
00:17:56,640 --> 00:18:01,390
fail, it will just fly like an airplane
and it is probably in the normal flight
187
00:18:01,390 --> 00:18:09,420
envelope easily controllable. But to make
big mechanical changes would have delayed
188
00:18:09,420 --> 00:18:14,060
the project a lot and would have required
recertification, whereas with
189
00:18:14,060 --> 00:18:18,970
the airframe essentially the
same, the certification could be what is
190
00:18:18,970 --> 00:18:26,060
known as grandfathered: so it doesn't need
to fulfill all the current criteria of
191
00:18:26,060 --> 00:18:31,830
certification, because the aircraft has
been certified and has been proven in
192
00:18:31,830 --> 00:18:36,700
service. And so only some of the
modifications need to be recertified,
193
00:18:36,700 --> 00:18:45,090
which is much easier and much cheaper and
much quicker. So this is one of the
194
00:18:45,090 --> 00:18:50,240
certification criteria that must be
fulfilled. Even though I have removed
195
00:18:50,240 --> 00:18:54,530
some of the additional stuff that doesn't
really add anything useful, it's still
196
00:18:54,530 --> 00:19:00,200
rather complicated. It's a procedure that
you have to do where you slow down one
197
00:19:00,200 --> 00:19:04,550
knot per second. And the stick forces need
to increase with every knot of speed that
198
00:19:04,550 --> 00:19:10,250
you lose and things like that. And it says
this stick force versus speed curve may
199
00:19:10,250 --> 00:19:16,510
not be less than one pound for each six
knots. And it's quite interesting, if you
200
00:19:16,510 --> 00:19:21,810
look at the European certification
criteria, is that they took this exact
201
00:19:21,810 --> 00:19:28,680
paragraph and just translated the US units
into metric units, but really calculated
202
00:19:28,680 --> 00:19:33,730
the new value. So the European
certification criteria now have very strange values
203
00:19:33,730 --> 00:19:41,590
like, I don't know, 11.79 kilometers per
hour, per second or something like that.
204
00:19:41,590 --> 00:19:45,120
It's really strange. So you can see where
it comes from. But they said we can't have
205
00:19:45,120 --> 00:19:49,910
knots even though the entire world except
Russia and China basically flies in knots,
206
00:19:49,910 --> 00:19:56,060
even Western Europe. But the criteria in
the certification specification need to be
207
00:19:56,060 --> 00:20:02,270
in kilometers per hour. Well, I would have
thought that you would even - if you do
208
00:20:02,270 --> 00:20:06,610
the conversion, you would use meters per
second, but it used kilometers per hour
209
00:20:06,610 --> 00:20:14,130
for whatever reason. So due to the
aerodynamic changes that were made, the
210
00:20:14,130 --> 00:20:19,760
Max did not quite fulfill the criteria to
the letter. So something had to be done.
211
00:20:19,760 --> 00:20:24,080
And as I said, mechanical redesign was out
of the question because it would have
212
00:20:24,080 --> 00:20:28,450
taken too long, would have been too
expensive, and maybe would have broken the
213
00:20:28,450 --> 00:20:33,910
type certificate commonality. So they
introduced just this little additional
214
00:20:33,910 --> 00:20:40,180
software in a computer that also existed
already. And so it measures angle of
215
00:20:40,180 --> 00:20:44,891
attack, it measures airspeed and a few
other parameters, flap configuration, for
216
00:20:44,891 --> 00:20:52,060
example, and then it applies nose down
pitch trim as it sees fit. But it has a
217
00:20:52,060 --> 00:20:57,150
rather interesting design from a software
engineering point of view. Can you read
218
00:20:57,150 --> 00:21:04,030
that? Is that... They are flight control
computers. And one part of this flight
219
00:21:04,030 --> 00:21:09,160
control computer, one additional piece of
software, is called the MCAS, the
220
00:21:09,160 --> 00:21:12,870
Maneuvering Characteristics Augmentation
System. And the flight control computer
221
00:21:12,870 --> 00:21:17,010
actually gets input from both angle of
attack sensors. It has two, one on each
222
00:21:17,010 --> 00:21:25,300
side for redundancy, but the MCAS
algorithm only uses one of them, at least
223
00:21:25,300 --> 00:21:29,120
in the old version. In the new version, it
will probably use both if it ever gets
224
00:21:29,120 --> 00:21:36,230
recertified. And then if that angle of
attack sensor senses a value that is too
225
00:21:36,230 --> 00:21:42,950
high, then it introduces nose down trim
and it may switch between flights between
226
00:21:42,950 --> 00:21:46,990
the left and the right sensor. But at any
given time for any given flight, it only
227
00:21:46,990 --> 00:21:55,270
ever uses one. So what could possibly go
wrong here? Here we can see what went
228
00:21:55,270 --> 00:22:01,830
wrong. It's the same graph as before, and
I may direct your attention to this red
229
00:22:01,830 --> 00:22:06,710
line that says angle of attack indicated
left and the green line which says angle
230
00:22:06,710 --> 00:22:12,030
of attack indicated right. So that is the
data that the computer got from the angle
231
00:22:12,030 --> 00:22:17,870
of attack sensors. Both are recorded in
the data recorder, but only one is
232
00:22:17,870 --> 00:22:24,130
evaluated by the MCAS. And you can see
here's the scale on the right. You can see
233
00:22:24,130 --> 00:22:30,480
that one is indicating relatively normally
around zero, a bit above zero, which is to
234
00:22:30,480 --> 00:22:37,940
be expected during takeoff and climb. And
the red value is about 20 degrees higher.
235
00:22:37,940 --> 00:22:42,980
And of course, that is above the threshold
at which the MCAS activates. So it
236
00:22:42,980 --> 00:22:46,910
activates. Right. And apparently in the
old version of the software, there were no
237
00:22:46,910 --> 00:22:54,630
sanity checks, no cross checks with other
air data values like airspeed and altitude
238
00:22:54,630 --> 00:22:59,580
or other things. And it would be
relatively easy to do. Not quite trivial.
239
00:22:59,580 --> 00:23:04,460
You have to get it right in these kinds of
things which influence flight controls,
240
00:23:04,460 --> 00:23:14,110
but nothing too fancy. But apparently that
was also not done. So the MCAS became
241
00:23:14,110 --> 00:23:21,070
active. So how could it happen? And it's
still, to me, a bit of a mystery how it
242
00:23:21,070 --> 00:23:27,720
could actually get so far that it could be
certified with this kind of system. And
243
00:23:27,720 --> 00:23:33,650
the severity of each failure, the possible
consequences have to be evaluated. And the
244
00:23:33,650 --> 00:23:39,990
certification criteria specify five
severities: catastrophic, hazardous,
245
00:23:39,990 --> 00:23:45,390
major, minor and no safety effect, and
that doesn't have to be analyzed any
246
00:23:45,390 --> 00:23:50,540
further, but for catastrophic failures,
you have to do a very, very complex risk
247
00:23:50,540 --> 00:23:57,140
assessment and see what you can do and
what needs to be done to bring it in line,
248
00:23:57,140 --> 00:24:02,970
to make it either mitigate the
consequences or make it so extremely
249
00:24:02,970 --> 00:24:10,440
improbable that it is not going to happen.
So here are the probabilities with which
250
00:24:10,440 --> 00:24:15,810
the certification criteria deal, and they are
different orders of magnitude. There are
251
00:24:15,810 --> 00:24:20,440
usually two orders of magnitude between
them. It's from a probability of 1 times
252
00:24:20,440 --> 00:24:27,810
10 to the minus 5 per hour to 1 times 10
to the minus 9 per operating hour. And
253
00:24:27,810 --> 00:24:32,580
this is the risk matrix. Many of you are
probably familiar with those. And it
254
00:24:32,580 --> 00:24:39,130
basically says if something is major, then
it may not happen with a probability of
255
00:24:39,130 --> 00:24:44,290
probable. And if it's catastrophic the only
probability that is allowed for that is
256
00:24:44,290 --> 00:24:51,781
extremely improbable. Which is less than
once in a billion flight hours. Right. And
257
00:24:51,781 --> 00:24:57,060
to put that into perspective, the fleets
with the most flight hours to date, I
258
00:24:57,060 --> 00:25:01,950
think, are in the low hundreds of millions
of flight hours combined. So we're still
259
00:25:01,950 --> 00:25:06,850
even for the 737 or the A320. We're still
quite far away from a billion flight
260
00:25:06,850 --> 00:25:16,510
hours. So you might have expected perhaps
one of these events because statistical
261
00:25:16,510 --> 00:25:23,950
distribution being what it is, the one
event might happen, of course, but
262
00:25:23,950 --> 00:25:32,470
certainly not two in less than two years.
And quite obviously, the severity of these
263
00:25:32,470 --> 00:25:40,090
failures was catastrophic. I think there's
no - there's no discussion about that. And
264
00:25:40,090 --> 00:25:43,610
here's the relevant part, actually,
about flight controls and the
265
00:25:43,610 --> 00:25:48,040
certification criteria, which was clearly
violated. It says the airplane must be
266
00:25:48,040 --> 00:25:53,910
shown to be capable of continued safe
flight for any single failure. Without
267
00:25:53,910 --> 00:25:59,400
further qualification, any single system
that can break must not make the plane
268
00:25:59,400 --> 00:26:05,840
unflyable or any combination of failures
not shown to be extremely improbable - and
269
00:26:05,840 --> 00:26:12,040
extremely improbable is these 10 to the
minus 9 per hour. And this hazard
270
00:26:12,040 --> 00:26:16,830
assessment must be performed for all
systems, of course, and severity must be
271
00:26:16,830 --> 00:26:27,540
assigned to all these. And the unintended
MCAS activation was classified as major.
272
00:26:27,540 --> 00:26:32,810
And let's briefly look at that. What's
major? Reduction in capability, maybe some
273
00:26:32,810 --> 00:26:38,300
injuries, major damage. So nothing you can
just shrug off, but certainly not an
274
00:26:38,300 --> 00:26:48,070
accident with hundreds of dead. So and
therefore, there are some regulations
275
00:26:48,070 --> 00:26:56,270
which say which kinds of specific analysis
you have to do for the various categories.
276
00:26:56,270 --> 00:27:02,650
And for major, no big failure modes and
effects analysis, FMEA, was required. And
277
00:27:02,650 --> 00:27:07,400
these are all findings from the Indonesian
investigation board. And they're all in
278
00:27:07,400 --> 00:27:11,700
the report that is publicly downloadable.
In the final version of the slides, I'll
279
00:27:11,700 --> 00:27:16,720
probably put some of the sources and links
in there so you can read it for
280
00:27:16,720 --> 00:27:23,650
yourselves. It's quite eye opening. So
only a very small failure
281
00:27:23,650 --> 00:27:30,370
analysis was made, comparatively small. It
probably took a few man hours, but not as
282
00:27:30,370 --> 00:27:36,530
extensive as it should have been for the
event had it been correctly classified as
283
00:27:36,530 --> 00:27:44,240
catastrophic. And some of these things
that could happen were not at all
284
00:27:44,240 --> 00:27:50,400
considered, such as large stabilizer
deflection. So continued trim movement in
285
00:27:50,400 --> 00:27:55,211
the same direction or a repeated
activation of the MCAS system, because
286
00:27:55,211 --> 00:28:05,640
apparently the only design of the MCAS
system that the FAA saw was limited to a
287
00:28:05,640 --> 00:28:11,600
0.6 degree deflection at high speeds and
to one single activation only. And that
288
00:28:11,600 --> 00:28:18,290
was changed. And it is still unclear how
that could happen. It was changed to
289
00:28:18,290 --> 00:28:22,730
multiple activations, even at high speed.
And each activation could move the
290
00:28:22,730 --> 00:28:27,820
stabilizer as much as almost 2.5 degrees.
And there was no limit to how often it
291
00:28:27,820 --> 00:28:35,310
could activate. And what was also not
considered was the effect of the flight
292
00:28:35,310 --> 00:28:41,080
characteristics caused by large movements
of the stabilizer or movement of the
293
00:28:41,080 --> 00:28:47,280
stabilizer to the limit of the MCAS
authority. The MCAS doesn't have authority
294
00:28:47,280 --> 00:28:52,690
to move the stabilizer all the way to the
mechanical stop, but only a bit short of
295
00:28:52,690 --> 00:28:57,520
that, much more than the manual electric
trim is capable of trimming the airplane
296
00:28:57,520 --> 00:29:03,190
on the aircraft. You can always trim back
with a manual electric trim switches on
297
00:29:03,190 --> 00:29:09,350
the yoke, but you cannot trim it nose down
as far as MCAS can. So that's quite
298
00:29:09,350 --> 00:29:15,300
interesting. That was not considered. What
was also not considered, at least it
299
00:29:15,300 --> 00:29:21,130
wasn't in the report apparently that the
Indonesian agency had seen, was that
300
00:29:21,130 --> 00:29:26,401
flight crew workload increases
dramatically if you have to pull on the
301
00:29:26,401 --> 00:29:34,390
yoke continuously with about, let's say, a
force equivalent of 40 kilograms or 50
302
00:29:34,390 --> 00:29:37,810
kilograms continuously, otherwise if you
let go, you're going to go into a very
303
00:29:37,810 --> 00:29:43,380
steep nosedive. And at that short, it is
at a low altitude that they were they
304
00:29:43,380 --> 00:29:50,420
would not have been able to recover the
aircraft. And in fact, they weren't. What
305
00:29:50,420 --> 00:29:54,970
was also not considered was an AOA sensor
failure in the way that we have seen it in
306
00:29:54,970 --> 00:29:59,990
these two accidents, although apparently
they those had different causes. The
307
00:29:59,990 --> 00:30:04,091
effect for the MCAS was the same, that one
of the sensors showed a value that was
308
00:30:04,091 --> 00:30:12,310
about 22 and a half degrees too high. And
that was not considered in the analysis of
309
00:30:12,310 --> 00:30:17,490
the MCAS system. So I hope that is
readable. That is a simplified state
310
00:30:17,490 --> 00:30:24,330
machine of the MCAS system. And what we
can see is that it can indeed activate
311
00:30:24,330 --> 00:30:32,720
repeatedly, but only if the pilot uses the
manual electric trim in between. It will
312
00:30:32,720 --> 00:30:38,440
go into a dormant state if the pilot trims
manually with the hand wheel or if the
313
00:30:38,440 --> 00:30:42,980
pilot doesn't use the trim at all, it will
go dormant after a single activation and
314
00:30:42,980 --> 00:30:49,100
stay that way until electric trim is used.
So that's the basic upshot of this state
315
00:30:49,100 --> 00:30:56,190
machine. So when the pilot thinks he's
doing something to counter the MCAS and
316
00:30:56,190 --> 00:31:03,010
he's actually making it worse. But this
isn't documented in any pilot
317
00:31:03,010 --> 00:31:07,460
documentation anywhere. It will probably
be in the next way. If it's still working
318
00:31:07,460 --> 00:31:15,730
like that. But so far it wasn't. So
Boeing was under a lot of pressure to try
319
00:31:15,730 --> 00:31:24,310
to sell a new, more fuel efficient version
of their 737. And so I can't say for sure
320
00:31:24,310 --> 00:31:29,480
how it was internally between the FAA and
Boeing, but it's not unreasonable to
321
00:31:29,480 --> 00:31:33,680
assume that they were under a lot of
pressure from management to accelerate
322
00:31:33,680 --> 00:31:41,890
certification and possibly take shortcuts.
I can't make any accusations here, but it
323
00:31:41,890 --> 00:31:47,160
looks that not all is well in the
certification department between Boeing
324
00:31:47,160 --> 00:31:54,520
and the Federal Aviation Authority. So
originally, the idea, of course, is the
325
00:31:54,520 --> 00:32:00,270
manufacturer builds the aircraft, analyzes
everything, documents everything, and the
326
00:32:00,270 --> 00:32:06,730
FAA checks all the documentation and maybe
even looks at original data and maybe
327
00:32:06,730 --> 00:32:11,280
looks at the physical pieces that are
being made for the prototype and approves
328
00:32:11,280 --> 00:32:19,170
or rejects the documentation. There is
already a potential conflict that is not
329
00:32:19,170 --> 00:32:24,050
there in most other countries because they
have separate agencies. But the FAA has a
330
00:32:24,050 --> 00:32:30,840
dual mandate. It is supposed to promote
aviation, to make it more efficient, but
331
00:32:30,840 --> 00:32:40,000
also to ensure aviation safety. And there
may be conflicts of interests, I think. So
332
00:32:40,000 --> 00:32:47,640
here's what this certification has been up
until not quite sure, 10, 15 years ago. So
333
00:32:47,640 --> 00:32:57,120
the FAA, the actual government agency, the
Aviation Authority, appoints a designated
334
00:32:57,120 --> 00:33:03,240
engineering representative. The DER is
employed and paid by Boeing, but is
335
00:33:03,240 --> 00:33:12,690
accountable only to the FAA. And the DER
checks and documents everything that is
336
00:33:12,690 --> 00:33:20,410
being done. There's usually more than one,
that for simplicity's sake, let's say. And
337
00:33:20,410 --> 00:33:24,630
the DER then reports the findings and all
the documentation, all the low level
338
00:33:24,630 --> 00:33:30,360
engineering and analysis documentation
that has been done to the FAA, and the FAA
339
00:33:30,360 --> 00:33:35,720
signs off on that or asks questions and
visits the company and looks at things and
340
00:33:35,720 --> 00:33:41,630
makes audits and everything like that. And
so that usually has been working more or
341
00:33:41,630 --> 00:33:47,090
less and has certainly improved the
overall safety of airliners that have been
342
00:33:47,090 --> 00:33:57,520
built in the last decades. And this is the
new version. And the person is
343
00:33:57,520 --> 00:34:03,430
now not called DER, but it's called AR,
the authorized representative, is still
344
00:34:03,430 --> 00:34:08,070
employed and paid by Boeing. That hasn't
changed, but is appointed by Boeing
345
00:34:08,070 --> 00:34:13,419
management and reports to Boeing
management. And the Boeing management
346
00:34:13,419 --> 00:34:19,899
compiles a report and sends that to the
FAA and the FAA then signs off on the
347
00:34:19,899 --> 00:34:25,859
report. They hopefully at least read it,
but they don't have all the low level
348
00:34:25,859 --> 00:34:31,859
engineering details readily available and
only rarely speak to the actual engineers.
349
00:34:31,859 --> 00:34:42,280
So anyone seeing a problem here? Well, you
have to say that most aircraft that are
350
00:34:42,280 --> 00:34:48,419
being built have been built in the last
years aren't really terrible. Right. The
351
00:34:48,419 --> 00:34:55,470
787 is a new aircraft. The 777
has been one of the safest aircraft
352
00:34:55,470 --> 00:35:03,499
around, at least looking at the flight
hours that it has accumulated. So it's not
353
00:35:03,499 --> 00:35:11,380
all bad, but there's potential for real,
really bad screw ups. I guess. There's
354
00:35:11,380 --> 00:35:17,560
another factor maybe that I've briefly
mentioned is that the Boeing 737, even in
355
00:35:17,560 --> 00:35:21,951
its latest version, is not computer
controlled. It's not fly by wire, although
356
00:35:21,951 --> 00:35:27,940
it has some computers as we have seen,
that can move some control surfaces. But
357
00:35:27,940 --> 00:35:31,269
mostly it's really, it really looks like
that. I think that's an actual photo from
358
00:35:31,269 --> 00:35:36,910
a 737 has some corrosion on it. So it's
probably not a max an older version, but
359
00:35:36,910 --> 00:35:41,550
it's basically the same, which is also why
the grandfathering certification still
360
00:35:41,550 --> 00:35:47,150
works. So it's all cables and pulleys and
even if both hydraulic systems fail - so,
361
00:35:47,150 --> 00:35:51,480
yes, it is hydraulically assisted, the
flight controls - but if both hydraulic
362
00:35:51,480 --> 00:35:57,079
systems fail with the combined forces of
both pilots, you can you can still fly it
363
00:35:57,079 --> 00:36:03,711
and you can still land it. That usually
works, except when it doesn't. And the
364
00:36:03,711 --> 00:36:11,210
cases where it doesn't work are when the
aircraft is going very fast and has a very
365
00:36:11,210 --> 00:36:15,700
high stabilizer deflection. And this is
from a video some of you may have seen
366
00:36:15,700 --> 00:36:21,759
there, it's from Mentour Pilot. And he has
actually tested that in a full flight
367
00:36:21,759 --> 00:36:27,660
simulator, which represents realistic
forces on all flight controls, including
368
00:36:27,660 --> 00:36:32,960
the trim wheel. You can be in the center
console under the thrust levers, there are
369
00:36:32,960 --> 00:36:37,780
these two shiny black wheels and they are
the trim wheels. You can move them
370
00:36:37,780 --> 00:36:42,499
manually in all phases of flight to trim
the aircraft. If electric trim is not
371
00:36:42,499 --> 00:36:45,420
available.
Pilot: in the normal trim system would not
372
00:36:45,420 --> 00:36:50,950
do this. OK. It would require manual
trimming to get it away from this. That's
373
00:36:50,950 --> 00:36:55,940
fine, it's fine, trim it backwards. Trim
it backwards again
374
00:36:55,940 --> 00:37:00,510
Bernd: So now he is trying to trim it nose
up again after he has manually trimmed it
375
00:37:00,510 --> 00:37:06,170
nose down because the normal electric trim
system cannot trim it so far nose down.
376
00:37:06,170 --> 00:37:10,130
They have to do it manually. And now he is
trying to trim it back nose up from the
377
00:37:10,130 --> 00:37:15,650
position which is known from the flight
data recorder that it was in the
378
00:37:15,650 --> 00:37:20,749
accident flight and is trying to trim it
manually because some people said: "oh,
379
00:37:20,749 --> 00:37:24,509
turn off the electric trim, the electric
trim system and trim it manually. That
380
00:37:24,509 --> 00:37:27,700
will always work." And they're trying to
do that. And it has representative forces
381
00:37:27,700 --> 00:37:34,539
to the real aircraft.
Copilot: Oh my god.
382
00:37:34,539 --> 00:37:41,230
heavy breathing
Pilot: Ok, pause the rec...
383
00:37:41,230 --> 00:37:46,119
Bernd: and you can see that the pilot on
the left, the captain, can't even help
384
00:37:46,119 --> 00:37:50,960
him. In theory, both could turn the crank
at the same time. And they have a handle
385
00:37:50,960 --> 00:37:56,310
on both sides because he has to hold the
control column with all his force. So you
386
00:37:56,310 --> 00:38:00,380
can't let go. He must hold it with both
arms. Otherwise, it would go into a
387
00:38:00,380 --> 00:38:04,619
nosedive immediately. And this is the
physical situation with which the pilots
388
00:38:04,619 --> 00:38:09,849
were confronted in the accident flight.
And he now says: "press the red button in
389
00:38:09,849 --> 00:38:23,640
the simulator." So end the simulation
because it's clear that they're going to crash.
390
00:38:23,640 --> 00:38:28,120
So there is another thing that came
that came up after the accidents and 737
391
00:38:28,120 --> 00:38:33,080
pilot said: "oh, it's just a runaway trim,
runaway stabilizer trim, there's a
392
00:38:33,080 --> 00:38:37,660
procedure for that and just do the
procedure and you'll be fine." Well,
393
00:38:37,660 --> 00:38:43,750
runaway stabilizer trim is one of the
emergency procedures that is trained ad
394
00:38:43,750 --> 00:38:49,520
infinitum. Right. That's something that
every 737 pilot is aware of because there
395
00:38:49,520 --> 00:38:55,380
are some conditions under which the trim
motor always gets electric current and
396
00:38:55,380 --> 00:38:59,641
doesn't stop running. That just happens
occasionally, not very often, but
397
00:38:59,641 --> 00:39:03,740
occasionally. And every pilot is primed to
recognize the symptoms. Oh, this is one of
398
00:39:03,740 --> 00:39:10,240
a runaway stabilizer. And you turn off the
electric motors for the stabilizer trim
399
00:39:10,240 --> 00:39:16,789
and trim manually and that'll work. But if
you look at what are the actual symptoms
400
00:39:16,789 --> 00:39:21,700
of runaway stabilizer, it says uncommanded
stabilizer trim movement occurs
401
00:39:21,700 --> 00:39:27,970
continuously. And MCAS movement isn't
continuously, MCAS trim movement is more
402
00:39:27,970 --> 00:39:34,010
like the speed trim system, which occurs
intermittently and then stops and then
403
00:39:34,010 --> 00:39:38,510
trims again for a bit and then stops
again. So most pilots wouldn't recognize
404
00:39:38,510 --> 00:39:42,259
this as a runaway trim, because the
symptoms are very different. The
405
00:39:42,259 --> 00:39:47,109
circumstances are different. So I guess
some pilots might have recognized that
406
00:39:47,109 --> 00:39:51,769
there's something going on with the trim
that is not right and will have turned it
407
00:39:51,769 --> 00:39:57,550
off. But some didn't, even though they
know they all know about runaway
408
00:39:57,550 --> 00:40:07,460
stabilizer. And yeah, that's the second
file that I have.
409
00:40:07,460 --> 00:40:16,400
loud rattling noise
So that's the sound. The stick shaker
410
00:40:16,400 --> 00:40:21,440
makes on a Boeing 737. And now imagine
flying with that sound all the while
411
00:40:21,440 --> 00:40:27,830
shaking the control column violently,
flying with that going on for an hour. And
412
00:40:27,830 --> 00:40:32,670
that's what the crew on the previous
flight did. They flew the entire flight of
413
00:40:32,670 --> 00:40:37,170
about an hour with a stick shaker going. I
mean, that's quite that's quite
414
00:40:37,170 --> 00:40:44,460
interesting because the stick shaker says
your wing is about to stall. Right. But on
415
00:40:44,460 --> 00:40:47,650
the other hand, they knew they were flying
level. They were flying fast enough.
416
00:40:47,650 --> 00:40:51,809
Everything was fine. The aircraft wasn't
about to stall because it was going fast
417
00:40:51,809 --> 00:40:58,170
and. Right. So from an aerodynamics
perspective, of course, they could fly the
418
00:40:58,170 --> 00:41:03,309
airplane because they knew it was nowhere
near a stall. But still, I think in most
419
00:41:03,309 --> 00:41:07,029
countries and most airlines, they would
have just turned around and landed again
420
00:41:07,029 --> 00:41:13,420
and saying the aircraft is broken, please
fix it. Something is wrong. But yeah. So
421
00:41:13,420 --> 00:41:19,359
the stick shaker is activated by the angle
of attack reading on each side and it
422
00:41:19,359 --> 00:41:24,460
sticks out mechanically coupled of both of
them will shake with activation from
423
00:41:24,460 --> 00:41:31,570
either side. So is it going to fly again?
It's still somewhat of an open question,
424
00:41:31,570 --> 00:41:38,220
but I suspect that it will because it's
it's hard to imagine that letting these
425
00:41:38,220 --> 00:41:43,869
460 airplanes or some something like that
that have been built sometimes sitting
426
00:41:43,869 --> 00:41:50,239
around on employee parking lots like
here, just letting them be scrapped or
427
00:41:50,239 --> 00:41:56,210
whatever. I don't know. Almost 5000 have
been ordered. As I said, neither airlines
428
00:41:56,210 --> 00:42:04,170
nor Boeing will be happy. But it's not
quite clear. It's not yet being certified
429
00:42:04,170 --> 00:42:13,109
again. So it's still unairworthy. So
there's another little thing,
430
00:42:13,109 --> 00:42:16,880
certification issues with new Boeing
aircraft. Reminded me of this. Have you
431
00:42:16,880 --> 00:42:23,830
ever seen that? So battery exhaust, which
the aircraft has a battery exhaust? I
432
00:42:23,830 --> 00:42:31,760
mean, what did you do with that? Does
anybody know? Yeah, of course some know.
433
00:42:31,760 --> 00:42:38,069
Yeah. Boeing 787 Dreamliner. Less than two
years after introduction. Now, after
434
00:42:38,069 --> 00:42:44,180
entering the service, actually had two
major battery fires. They have two big
435
00:42:44,180 --> 00:42:51,380
lithium ion batteries. Lithium, lithium,
cobalt. I think, not sure. The one that
436
00:42:51,380 --> 00:42:55,809
burns the brightest.
laughter
437
00:42:55,809 --> 00:43:00,819
Bernd: Because they wanted the energy
density, really, and that wasn't available
438
00:43:00,819 --> 00:43:06,170
in other packages. If they had used nickel
cadmium batteries instead, they would have
439
00:43:06,170 --> 00:43:12,180
been like 40 kilograms heavier for two
batteries. That's almost a passenger. So
440
00:43:12,180 --> 00:43:18,359
yeah, they were onboard fires. And if you
ask pilots what's your worst fear of
441
00:43:18,359 --> 00:43:25,880
something happening in flight, they'll
say: flight control failure and fire. So
442
00:43:25,880 --> 00:43:32,099
you don't want to have a fire in the air,
absolutely not. And one of the fires was
443
00:43:32,099 --> 00:43:36,330
actually in-flight with passengers on
board. One was on the ground shortly after
444
00:43:36,330 --> 00:43:41,569
disembarking and the lithium ion
batteries, because they are unusual and a
445
00:43:41,569 --> 00:43:45,819
novel feature, as it's called, have
special certification conditions because
446
00:43:45,819 --> 00:43:52,009
they are not covered by the original
certification criteria, and it says here:
447
00:43:52,009 --> 00:43:55,869
Safe cell temperatures and pressures must
be maintained during any foreseeable
448
00:43:55,869 --> 00:44:01,599
condition and during any failure of the
charging system, not shown to be extremely
449
00:44:01,599 --> 00:44:07,569
improbable... extremely remote, sorry, and
extremely remote is actually two orders of
450
00:44:07,569 --> 00:44:13,299
magnitude more frequent than extremely
improbable. Extremely remote is only less
451
00:44:13,299 --> 00:44:18,400
than once every 10 million flight hours.
But I think the combined flight hours for
452
00:44:18,400 --> 00:44:26,619
the 787 at that time were, not quite sure,
maybe a few hundred thousand at most. So
453
00:44:26,619 --> 00:44:32,220
and also happened two times. There was not
really not really fun. And then it says no
454
00:44:32,220 --> 00:44:37,609
explosive or toxic gases emitted as the
result of any failure may accumulate in
455
00:44:37,609 --> 00:44:43,140
hazardous quantities within the airplane.
I think they've neatly solved the third
456
00:44:43,140 --> 00:44:48,130
point by putting the battery in a
stainless steel box, really thick walls
457
00:44:48,130 --> 00:44:53,990
maybe, I don't know, eight millimeters or
something like that. And piping them to
458
00:44:53,990 --> 00:45:00,340
this hole in the bottom of the aircraft.
So the gases cannot accumulate in the
459
00:45:00,340 --> 00:45:05,880
aircraft, obviously. So, yes. And with
that, I'm at the end of my talk and
460
00:45:05,880 --> 00:45:12,650
there's now, I think quite some time for
questions. Thank you.
461
00:45:12,650 --> 00:45:22,419
applause
462
00:45:22,419 --> 00:45:26,410
Herald: Extremely punctual, I have to say.
Thank you for this interesting talk. We do
463
00:45:26,410 --> 00:45:31,681
have the opportunity for quite some
questions and a healthy discussion. Please
464
00:45:31,681 --> 00:45:36,529
come to the microphones that we have
distributed through the hall. And while
465
00:45:36,529 --> 00:45:46,090
you queue up behind them: Do we have a
question from the Internet already? Dear
466
00:45:46,090 --> 00:45:50,299
signal Angel. Is your microphone working?
Signal Angel: No.
467
00:45:50,299 --> 00:45:53,819
Herald: Yes.
Signal Angel: Yes. Do you think extensive
468
00:45:53,819 --> 00:45:57,450
software tests could have solved this
situation?
469
00:45:57,450 --> 00:46:02,380
Bernd: Software tests in this case,
perhaps? Yes. Although software tests are
470
00:46:02,380 --> 00:46:09,099
really a problematic thing because to test
software to these extreme reliability is
471
00:46:09,099 --> 00:46:13,230
required. You really have to test them for
a very, very, very, very long time indeed.
472
00:46:13,230 --> 00:46:17,839
So to achieve some confidence, they have
99 percent that a failure will not occur
473
00:46:17,839 --> 00:46:23,670
in, say, 10 million hours, you will have
to test it for 45 million hours. Really.
474
00:46:23,670 --> 00:46:26,579
And you have to test it with the exact
conditions that will occur in flight. And
475
00:46:26,579 --> 00:46:33,930
apparently nobody's thought of an angle of
attack failure, angle of attack sensor
476
00:46:33,930 --> 00:46:38,170
failure. So maybe testing wouldn't have
done a lot in this case.
477
00:46:38,170 --> 00:46:44,250
Herald: Thank you. Microphone number four.
Mic4: Yes. Thank you for the talk. I've
478
00:46:44,250 --> 00:46:49,809
got a question concerning the grounding.
So what is your view that the FAA waited
479
00:46:49,809 --> 00:46:55,970
so long until they finally ground the
aircraft a week after the Chinese started
480
00:46:55,970 --> 00:46:58,381
with grounding.
Bernd: Yes, that's a good point. And I
481
00:46:58,381 --> 00:47:02,549
think it's an absolute disgrace that they
waited so long. Even after the first
482
00:47:02,549 --> 00:47:06,140
crash. They made an internal study and it
was reported in the news some some weeks
483
00:47:06,140 --> 00:47:13,239
ago and estimated that during the lifetime
of the 737 max, probably around 15
484
00:47:13,239 --> 00:47:17,869
aircraft would crash. So I say every two
to three years, one of them would crash
485
00:47:17,869 --> 00:47:22,720
and they still didn't ground it and waited
until four days after the second accident.
486
00:47:22,720 --> 00:47:27,900
Yes, it's a shame, really.
Herald: Thank you. Microphone number
487
00:47:27,900 --> 00:47:31,089
seven, please.
Mic7: Thank you for your talk. I have a
488
00:47:31,089 --> 00:47:38,670
question regarding the design decision to
only use one AOA sensor. So I've read that
489
00:47:38,670 --> 00:47:43,480
Boeing used the MCAS system before on a
military aircraft and that used both
490
00:47:43,480 --> 00:47:46,549
sensors. So why was that decision made to
downgrade?
491
00:47:46,549 --> 00:47:51,619
Bernd: Yeah, that's a good question. I'm
not aware of that military system. If that
492
00:47:51,619 --> 00:47:56,450
was really exactly the same. But if that's
the case, yes, that makes it even stranger
493
00:47:56,450 --> 00:48:00,160
that they chose to use only one in this
case. Yes. Thank you.
494
00:48:00,160 --> 00:48:04,950
Herald: Okay, Microphone number two,
please.
495
00:48:04,950 --> 00:48:10,619
Mic2: Yeah. Thank you for your talk.
So how do you actually test these
496
00:48:10,619 --> 00:48:15,200
requirements in practice? So how you
determine in practice if something is
497
00:48:15,200 --> 00:48:19,809
likely to fail every ten to the minus nine
as opposed to every ten to the minus
498
00:48:19,809 --> 00:48:22,440
eight?
Bernd: No, that's that's obviously
499
00:48:22,440 --> 00:48:27,150
practically completely impossible. You
can't. As I said, if you want to have a
500
00:48:27,150 --> 00:48:31,770
reasonable confidence that it's really the
error rate is really so low, you'd have to
501
00:48:31,770 --> 00:48:37,380
test it for four and a half billion hours
in operation, which is just impossible.
502
00:48:37,380 --> 00:48:42,990
What instead is done: there are some,
industry standards for aviation that is
503
00:48:42,990 --> 00:48:49,200
DO178 currently in revision C, and that
says if you have software that if it
504
00:48:49,200 --> 00:48:53,529
fails, may have consequences of
this severity, then you have to use these
505
00:48:53,529 --> 00:48:59,670
very strict, very formal methods for
developing the software, like doing very
506
00:48:59,670 --> 00:49:05,489
strict and formal requirements analysis
specification in a formal language,
507
00:49:05,489 --> 00:49:12,720
preferably. And um, if possible, and some
some companies actually do that, formally
508
00:49:12,720 --> 00:49:16,680
prove your source code correct. And in
some languages that can be done. But it's
509
00:49:16,680 --> 00:49:21,960
it's very, it's a lot of effort. And
that's how this should be done. And this
510
00:49:21,960 --> 00:49:25,769
software obviously should have been
developed to the highest level according
511
00:49:25,769 --> 00:49:31,150
to the DO178, which is level A and quite
obviously it wasn't.
512
00:49:31,150 --> 00:49:35,940
Herald: Thank you. Signal Angel, please.
The next question from the Internet.
513
00:49:35,940 --> 00:49:40,400
Signal Angel: The talk focused most on
MCAS, but someone noted that the plane was
514
00:49:40,400 --> 00:49:45,559
actually designed for engines below the
wings and the NG model, so the one before,
515
00:49:45,559 --> 00:49:49,039
already had problems of the wing mounts
and engine mounts. Do you think there will
516
00:49:49,039 --> 00:49:53,160
be mechanical problems with Max, too?
Bernd: I'm not sure there were really
517
00:49:53,160 --> 00:49:56,269
mechanical problems. There were
aerodynamic problems. And apparently.
518
00:49:56,269 --> 00:50:00,569
Well, I'm sure they have tested the NG to
the same standards, to the same
519
00:50:00,569 --> 00:50:04,559
certification standards, because obviously
there were aerodynamic changes even with
520
00:50:04,559 --> 00:50:10,069
the NG. And the NG apparently still
fulfilled the formal criteria of the
521
00:50:10,069 --> 00:50:15,329
certification. There are some acceptable
means of compliance and quite specific
522
00:50:15,329 --> 00:50:20,670
descriptions, how you test these stick
forces versus airspeed. And as far as I
523
00:50:20,670 --> 00:50:25,441
know, the NG just fulfilled them. And the
Max just didn't. So for the Max, something
524
00:50:25,441 --> 00:50:29,910
was required, although even the
classic, which basically at the same
525
00:50:29,910 --> 00:50:35,160
engine as the NG. Even the classic had
some problems there. That's where the
526
00:50:35,160 --> 00:50:41,410
speed trim system was introduced. And so
it has a similar system and actually the
527
00:50:41,410 --> 00:50:45,779
MCAS is just another little algorithm in
the computer that also does the speed trim
528
00:50:45,779 --> 00:50:48,549
system.
Herald: Please stay seated and buckled up
529
00:50:48,549 --> 00:50:54,099
until we reach our parking position. No.
We are still in the Q&A phase. Please
530
00:50:54,099 --> 00:50:59,579
stay seated and please be quiet so we can
enjoy all of this talk. And if you have to
531
00:50:59,579 --> 00:51:04,259
have to leave, then be super quiet right
now. It is way too loud in here, please.
532
00:51:04,259 --> 00:51:07,200
The next question from microphone number
one.
533
00:51:07,200 --> 00:51:13,369
Mic1: So considering lessons learned from
this accident, has the FAA already changed
534
00:51:13,369 --> 00:51:17,839
the certification process or are they
about to change it? Or on what about other
535
00:51:17,839 --> 00:51:21,430
agencies worldwide?
Bernd: The FAA is probably going to move
536
00:51:21,430 --> 00:51:26,049
very slow. And I'm not aware of any
specific changes yet, but I haven't looked
537
00:51:26,049 --> 00:51:32,869
into too much detail in that. Other
certification agencies work somewhat
538
00:51:32,869 --> 00:51:37,500
different. And at least the EASA in Europe
and the Chinese authorities have already
539
00:51:37,500 --> 00:51:41,690
indicated that in this case they are not
going to follow the FAA certification, but
540
00:51:41,690 --> 00:51:46,839
going to do their own. And until now, it
was usually the case that if the FAA
541
00:51:46,839 --> 00:51:50,971
certified the airplane, everybody else in
the world just took that certification and
542
00:51:50,971 --> 00:51:55,819
said what the FAA did is probably fine and
vice versa. When the EASA certified a
543
00:51:55,819 --> 00:52:00,720
Boeing airplane, then the FAA would also
certify it. And that is probably changing
544
00:52:00,720 --> 00:52:04,750
now.
Herald: Thank you. Microphone number 3.
545
00:52:04,750 --> 00:52:11,210
Mic3: So, hi. Thank you for this talk.
Two questions, please. Were you part of an
546
00:52:11,210 --> 00:52:18,450
official investigation or is this your own
analysis of the facts? Here's the other
547
00:52:18,450 --> 00:52:24,700
one. I heard something about this software
being outsourced to India. Can you comment
548
00:52:24,700 --> 00:52:27,829
on that, please?
Bernd: The first one: no, this is my own
549
00:52:27,829 --> 00:52:36,040
private analysis. I have been doing some
accident analysis for a living for a
550
00:52:36,040 --> 00:52:41,369
while, but not for any official agency,
but always for private customers.
551
00:52:41,369 --> 00:52:46,809
And about outsourcing to India, I'm
not quite sure about that. I've read
552
00:52:46,809 --> 00:52:51,840
something like that. And what I've read is
that it was produced by Honeywell. I
553
00:52:51,840 --> 00:52:57,450
think. I may be wrong about that, but I
think it was Honeywell. And who the actual
554
00:52:57,450 --> 00:53:04,920
programmers were sitting. If it's done
properly, according to the methodologies
555
00:53:04,920 --> 00:53:09,589
prescribed by DO178 and fulfilling all
those requirements, then where the
556
00:53:09,589 --> 00:53:15,049
programmer sit is actually not that
important. And I don't want to deride
557
00:53:15,049 --> 00:53:21,140
Indian programmers, and I think if it's
done according to specification and
558
00:53:21,140 --> 00:53:27,119
analyzed with static code analyses and
everything else vis a vis the
559
00:53:27,119 --> 00:53:31,900
specification, then that would also be
fine, I guess. But the problem is not so
560
00:53:31,900 --> 00:53:35,599
much really in the implementation, but in
the design of the system, in the
561
00:53:35,599 --> 00:53:40,059
architecture.
Herald: Thank you. Microphone number 5
562
00:53:40,059 --> 00:53:45,240
please.
Mic5: Hello. I may go to your
563
00:53:45,240 --> 00:53:50,479
presentation wrong, but for me, the real
root cause of the problem is the
564
00:53:50,479 --> 00:53:58,920
competition and high deadline from the
management. So the question for you is: is
565
00:53:58,920 --> 00:54:05,759
there any suggestions from you that
process could be, I dunno, maybe changed
566
00:54:05,759 --> 00:54:18,779
in order to avoid the bugs in the
software and have the mission
567
00:54:18,779 --> 00:54:24,019
critical systems saved?
Bernd: Yeah. So we don't normally just
568
00:54:24,019 --> 00:54:29,069
talk about THE cause or THE root cause,
but there are always several causes.
569
00:54:29,069 --> 00:54:35,339
Basically you can say depending on where
you stop with the graph - where is it? -
570
00:54:35,339 --> 00:54:40,979
where you stop with the graph all the
leaves on the graph are root causes and
571
00:54:40,979 --> 00:54:46,779
but I've stopped relatively early and not
not I'm not gone into any more detail on
572
00:54:46,779 --> 00:54:51,019
that, but yeah. The competition between
Airbus and Boeing, obviously it was a big
573
00:54:51,019 --> 00:54:57,940
factor in this. And I don't suppose you do
suggest that we abolish competition in the
574
00:54:57,940 --> 00:55:04,460
market. But what needs to be changed, I
think, is the way certification is done.
575
00:55:04,460 --> 00:55:10,270
And that requires the FAA reasserting its
authority much more. And that will
576
00:55:10,270 --> 00:55:16,710
probably require a lot more personnel with
good engineering background, and maybe
577
00:55:16,710 --> 00:55:22,349
that would require the FAA paying better
wages. So I don't know, because currently
578
00:55:22,349 --> 00:55:27,489
probably all the good engineers will go to
Boeing instead of the FAA. But the FAA
579
00:55:27,489 --> 00:55:31,279
dearly needs engineering expertise and
lots of it.
580
00:55:31,279 --> 00:55:35,661
Herald: Thank you. The next question we
hear from microphone number 4.
581
00:55:35,661 --> 00:55:40,249
Mic4: Hi. Thank you for the talk. I've
heard that there is - I've heard - I've
582
00:55:40,249 --> 00:55:47,349
read that there's a version of the 737 Max
8 that did allow for a third AOA
583
00:55:47,349 --> 00:55:52,729
sensor present that served as a
backup for either sensors but that this
584
00:55:52,729 --> 00:55:56,910
was a paid option. And I have not found
confirmation of this. Do you know anything
585
00:55:56,910 --> 00:56:00,999
about this?
Bernd: No, I'm not aware of that
586
00:56:00,999 --> 00:56:10,089
as a paid option. There was something
about an optional feature that was called
587
00:56:10,089 --> 00:56:13,750
a safety feature, but I can't exactly
remember what that was. Maybe it was an
588
00:56:13,750 --> 00:56:18,470
angle of attack indicator in the cockpit
that is available as an option, I think,
589
00:56:18,470 --> 00:56:26,839
for this 737 for most models, because the
sensor is there anyway. As for a third AOA
590
00:56:26,839 --> 00:56:31,710
sensor, I'd be surprised if that was an
option because that is a major change and
591
00:56:31,710 --> 00:56:36,259
requires a major change to all the system
layout. Then you'd need an additional air
592
00:56:36,259 --> 00:56:41,259
data inertial reference unit, which is a
big computer box in the aircraft of which
593
00:56:41,259 --> 00:56:46,440
there are only two. And that would've
taken a long, long time in addition to
594
00:56:46,440 --> 00:56:51,609
develop. So I'm skeptical about that third
angle of attack sensor. At least I've not
595
00:56:51,609 --> 00:56:56,070
heard of it.
Herald: Thank you. Signal angel, do we
596
00:56:56,070 --> 00:56:58,359
have more from the internet? Please one
quick one.
597
00:56:58,359 --> 00:57:03,390
Signal angel: If you need a quick one,
would you ever fly with a 737 Max again if
598
00:57:03,390 --> 00:57:05,970
it was ever cleared again?
applause
599
00:57:05,970 --> 00:57:10,750
Bernd: I was expecting that question. And
actually I don't have an answer yet for
600
00:57:10,750 --> 00:57:18,040
that. And that maybe would depend on how I
see the FAA and the EASA doing the
601
00:57:18,040 --> 00:57:23,349
certification. I've seen some people
saying that the 737 Max should never be
602
00:57:23,349 --> 00:57:31,310
recertified. I think that it will be. And
I look at it in some detail, seeing how
603
00:57:31,310 --> 00:57:37,290
the FAA develops and how the EASA is
handling it. And then maybe. Yes.
604
00:57:37,290 --> 00:57:43,259
Herald: Great. Okay, in that case, we
would take one more very short question
605
00:57:43,259 --> 00:57:48,769
from microphone number 5.
Mic5: Do you know why the important AOA
606
00:57:48,769 --> 00:57:53,779
sensor failed to give the correct values?
Bernd: There are some theories about that, but
607
00:57:53,779 --> 00:57:58,469
I haven't investigated that in any more
detail now. There were some stories that
608
00:57:58,469 --> 00:58:05,029
in the case of the Indonesian, the Lion
Air, that it was actually mounted or
609
00:58:05,029 --> 00:58:12,599
reassembled incorrectly. That would
explain why there was a constant offset.
610
00:58:12,599 --> 00:58:17,969
It may also have been somebody calculated
that it was actually, exactly - if you
611
00:58:17,969 --> 00:58:21,390
look at the raw data that is being
delivered on the bus - there was exactly
612
00:58:21,390 --> 00:58:26,049
one flipped bit, which is also a
possibility. But I don't really know.
613
00:58:26,049 --> 00:58:29,000
But there were some implications in the
report. Maybe I have to read that section
614
00:58:29,000 --> 00:58:34,869
again from the Indonesian authorities
about substandard maintenance, as it is
615
00:58:34,869 --> 00:58:39,400
euphemistically called.
Herald: OK. We have two more minutes. So I
616
00:58:39,400 --> 00:58:42,109
will take another question from microphone
number 1.
617
00:58:42,109 --> 00:58:49,509
Mic1: Hey, I would have expected that
modern aircraft would have some plug,
618
00:58:49,509 --> 00:58:54,829
physical plug, hermetic one that would
disconnect any automated system. Isn't
619
00:58:54,829 --> 00:58:58,070
this something that exists in our planes
today?
620
00:58:58,070 --> 00:59:02,390
Bernd: No, and especially modern aircraft
can't just disconnect the automatics,
621
00:59:02,390 --> 00:59:06,880
because if you look at modern fly by wire
aircraft, there is no connection between
622
00:59:06,880 --> 00:59:11,420
the flight controls and the control
surfaces. There's only a computer and the
623
00:59:11,420 --> 00:59:16,450
flight controls that the pilots handle are
only inputs to the computer and there's no
624
00:59:16,450 --> 00:59:23,170
direct connection. That is true for every
Airbus since the A320, for every Boeing
625
00:59:23,170 --> 00:59:28,950
since the triple 7, so the triple 7 and
the 787 are totally 100 percent fly by
626
00:59:28,950 --> 00:59:33,160
wire. Well, I think 95 percent because
there's one control surface that is
627
00:59:33,160 --> 00:59:38,609
directly connected, one spoiler on each
side. But basically, there's no
628
00:59:38,609 --> 00:59:43,280
way. And so you have to make sure that
flight control software is developed to
629
00:59:43,280 --> 00:59:47,740
the highest possible standards. Because
you can't turn it off, because that's
630
00:59:47,740 --> 00:59:53,200
everything. That's, well, let me put it
this way: On the fly by wire aircraft,
631
00:59:53,200 --> 01:00:00,640
only the computer can control the flight,
the flight control surfaces, you know. So I
632
01:00:00,640 --> 01:00:03,910
just hope that it's good.
Herald: Think about that when you next
633
01:00:03,910 --> 01:00:08,840
enter a plane. And also, please give a big
round of applause for our speaker Bernd.
634
01:00:08,840 --> 01:00:21,142
applause
635
01:00:21,142 --> 01:00:31,720
36c3 postroll music
636
01:00:31,720 --> 01:00:48,000
Subtitles created by c3subtitles.de
in the year 2020. Join, and help us!