36C3 preroll music

Herald: In the following talk Mr. Bernd Sieker will speak about the crashes and what led to the crashes of the most recent 737 model. He is a flight safety engineer and he also worked on flight safety and he analyzed the plane crashes for a lot of time and a long time. And you have to keep in mind that this 737, although multiple models have been built, can be flown. All models can be flown with the same type rating since 1967, which is one of the many root causes of the issues that led to the disaster that killed 346 people. Let's listen to Bernd and he'll enlighten us, what else went wrong?

applause

Bernd Sieker: Yes, thank you very much for the introduction. I see there are not quite as many people as with the Edward Snowden talk, but I'm not disappointed. Aviation safety has always been very important to me and I've done a lot of work on it and I am happy to share my passion with so many of you. Thank you.

applause

So this is basically the outline of what I'm going to talk about. It's the Boeing 737 Max, or seven thirty seven as some may say. I will briefly talk about the accidents, what we knew at the beginning, what went wrong and then what came to light. Later on I will show our causal analysis method that we use very shortly, very briefly, and the analysis and overview of the analysis that I did of these accidents.
Then I'll talk about the infamous MCAS system, the Maneuvering Characteristics Augmentation System, as it's called by its full name. Then I'll talk about certification, how certain aircraft certification works in the United States. It's very similar in Europe, although there are some differences. But I'm not going to talk about European details in this talk. So it's mostly about the FAA and aircraft certification across the pond. Some other things and an outlook, how it is going to go on with the Boeing 737 Max. We currently don't know exactly what's going to happen, but we'll see. And if we have time, I have a few bonus slides later on.

So the Boeing 737 Max, the star of the show, as you may say. It's the fourth iteration, as the Herald already indicated, of the world's best selling airliner. I think I looked it up just recently. I think there are almost 15,000 orders that have been for the 737 of all the series, the original, the classic, the NG and now the Max. And the Max itself is the fastest selling airliner of all time. So within months, it had literally thousands of orders. It has now almost 5,000 orders, the 737 Max, and all the airlines in the world are waiting for the grounding to be lifted so they can receive and fly the aircraft.

So the first accident was last year. It was a Lion Air, an Indonesian flag carrier.
Actually, I think the second or third largest Boeing 737 Max customer in the world with a couple of hundred, 250 or something aircraft, and it crashed relatively shortly after it entered service. And so we've heard some strange things in the news and on the forums that deal with aviation safety. It seems that there had been uncommanded nose down trim. So the tail plane is moved by an electric motor and it forces the nose of the aircraft down. The pilot can counter that movement with some switches on his control column. And apparently the stick shaker was active during the flight and there were difficulties in controlling the aircraft. We didn't know at the time exactly what it was. And then for the first time, the abbreviation MCAS surfaced, and even 737 pilots, even 737 Max pilots, at least some of them, said they'd never heard of it. It was a mystery. We later found that actually in some documentation, it was very briefly mentioned that such a system existed, but not exactly why it was there. And I guess Boeing knew and the certification authorities, as it turned out, sort of knew a bit of the story, but not the whole story. But especially people in the West, in the US and in other countries said: Oh, these are just poorly trained Third World pilots. And we expect that. And they weren't completely wrong. Lion Air has a particularly bad safety record. And it wasn't unknown to aviation safety investigators.
There have been a number of crashes with Lion Air. So in the beginning, we thought, OK, maybe it's a fluke, it's a one off, or maybe it's caused by poor maintenance or bad pilots or whatever. So several people, on the other hand, already began worrying because some flight data recorder traces became public. And there were some very strange things which we will see shortly.

And then only a few months later, the second aircraft of exactly the same type and the same variant, Boeing 737 Max 8, also crashed. And you can see maybe on the picture on the left, it left a rather big crater. It really dove into the earth quite fast. It turned out, I think, about between seven and eight hundred kilometers per hour. So really fast, and not much was left. I think the biggest parts were about this size, I guess. So all small pieces of debris and the engine cores, which are a bit bigger. And from that as well, flight data recorder traces became public. The recorders had survived, at least the memory in them, and were readable. So we finally found out something and found some similarities, some rather disturbing similarities.

We come to that in a moment, but I'll talk a little bit about the Boeing 737 family in general. So there were four, as I said, models. That was the original, which had narrow engines under the wings. Not a lot of room between the ground and the engines, but it looked quite normal.
You could say it was one of the first short-haul airliners with underslung engines, under the wings. And then new high-bypass turbofan engines entered the market, which were much more fuel efficient. We're talking about maybe some 15 to 20 percent lower fuel consumption. So it was a big deal. And the Boeing 737 was reengined and became known as the classic: bigger engines, but still mostly analog mechanical instruments. And it was basically the same as the original, except that it had some bigger engines and they had to shape the cowling a little differently to accommodate the bigger engines. But more or less, it worked for a while.

And then as airlines demanded more modern avionics, so the cockpit electronics in aircraft, the next generation was conceived. It also got a new wing, new winglets, which again saved a lot of fuel. It had basically the same engines, except that the engines now were also computer controlled by what we call FADEC, full authority digital engine control. And Boeing said, well, that's probably going to be the last one. And in the next few years, we are going to develop an all new, short and medium haul single aisle aircraft which will be all new and super efficient and super cheap to operate, all the promises that manufacturers always make.

In the meantime, Airbus was becoming a major player with the A320. It was overall a much more modern aircraft. It had digital fly by wire.
It always had digitally controlled engines. It had much higher ground clearance. So it was no problem to accommodate the larger engines in the A320. And Airbus then announced that it was going to reengine the A320. And for the A320, that was the first time it got new engines. For a long time you had the choice of two types of engines for the A320. And then they said, we're going to install these new super efficient engines, which brought with it another optimization of fuel consumption. That was another 15 percent fuel saved per mile traveled, something on the order of that. So it was a huge improvement again. And many Airbus customers immediately ordered the so-called A320neo, and some Boeing customers also thought, well, this one is going to consume so much less fuel that we might consider switching to Airbus, even though it's a major hassle if you have a fleet entirely consisting of Boeing aircraft. If you then switch to Airbus, it's a huge hassle and nobody really wants that unless they're really forced to. But the promised fuel savings were so big that companies actually considered this, and lots of them.

And so Boeing said we need something very quickly, preferably within two years I think. For airline development, that's very, very, very, very quickly. And they said, well, scrap all the plans about the new small airliner. We're going to change the 737 again. And now the new engines were going to be bigger, again.
And so actually, there was no ground clearance to move them in the same way as on the NG. So they had to modify the landing gear, to mount the engines even further forward and higher. And the engines were bigger. But the engines were, on the whole, a very good new development. The same type of engines that you could get for the new Airbus, CFM International. And so we decided to make the Boeing 737 4th generation and call it "the Max".

So when we analyze accidents, we use a causal analysis method called Why-Because analysis. And we have some counterfactual tests which determine if something is a cause of something else. We call it a necessary causal factor. And it's very simple. A is a causal factor of B if you can say had A not happened, then B would not have happened either. So, I mean, you need to show for everything that there is a causal relationship and that all the factors that you have found are actually sufficient to cause the other event. So you can probably not read everything of it, but it's not really important. This is a simplified graph and I will show the relevant details later.

And this is the analysis that I made of these accidents. And you can see it's not a simple tree; as computer scientists, many of you are familiar with trees, and this is just a directed graph and it can have branches and so on. And so some things are a causal influence, a causal effect of several different things.
So some of the factors actually have an influence on multiple levels. For example, the airspeed influences the control forces and it also influences the time the crew had to recover the aircraft before impact with the ground. So these are some of the things that I will look at in a bit more detail.

So here is one of them: Uncommanded nose down trim. So what happened apparently on these accident flights was that you can see it in the flight data recorder traces. I don't know. Can you see the mouse pointer? Here, that's the blue line. And that is labeled trim manual. And there's the orange line that is labeled Trim Automatic. And if they have a displacement to the bottom, that means that the aircraft is being trimmed nose down, which means in order to continue to fly level, you have to pull the control column with more force towards you. And what you can see is in the beginning, there are a few trim movements. And on this type, they are expected; it has an automatic trim system for some phases of flight which trims the aircraft to keep it flying stable. And then after a while, it started doing many automatic nose down trim movements. Each of these lasts almost 10 seconds and there is a pause between them. And in every case, the pilots counter the nose down trim movement with the nose up trim movement on the control yoke.
There are switches that you operate with your thumb and you can trim the aircraft that way and change the control forces and cause the aircraft nose to go up or down. So for a very long time, this went on: The computer trimmed the aircraft nose down, the pilots trimmed the aircraft nose up, and so on. Until at the very end, you can see that the trim, the nose up trim movements that the pilots made, become shorter and shorter. And this line here, it says pitch trim position. That is the resulting position of the trim control surface, which is the entire horizontal stabilizer on the aircraft. And it moves down and it doesn't really go up anymore because the pilot inputs become very short. And that means the control forces to keep the aircraft flying level become extremely high. And in the end, it became uncontrollable and crashed, as you can see here. So the pilots, for various reasons, which I will highlight later, the pilots were unable to trim the aircraft manually and the nose down trim persisted and the aircraft crashed. And this is only the graph of one of the accidents. But the other one is very similar. And so that's what we see.

There is a known system, which was already known before on the Boeing 737. I think it's available on all the old versions as well, which is called the speed trim system, which in some circumstances trims the aircraft automatically.
But the inputs that we see, the automatic trim inputs, don't really fit the so-called speed trim system. And so for the first time, we hear the word MCAS.

And we'll talk a bit more about what made the Boeing 737 different from all the previous models. And that is the bigger engines. As I said, the engines were much bigger. And to achieve the necessary ground clearance, they had to be mounted further forward. And they are also a lot bigger, which means at high angles of attack, when the aircraft is flying against the stream of the oncoming air at a higher angle, these engine nacelles produce additional lift in front of the center of gravity, which creates a pitch up moment. And the certification criteria are quite strict in that and say exactly what the forces on the flight controls must be to be certified. And due to the bigger engines, there were some phases or some angles of attack at which these certification criteria were no longer met. And so it was decided to introduce a small piece of software which would just introduce a small trim movement to bring it in line with certification criteria again. And one of the reasons this was done was probably so the aircraft could retain the same type certificate, as was mentioned in the introduction. So pilots can change within one airline between the aircraft, between the 737 NG and the 737 Max. They have the same type certificate.
There's a very brief differences training, but they can switch even in line operations between the aircraft from day to day. And another reason: no other changes were made. Boeing could, for example, have made a longer main landing gear to create additional ground clearance to move the engines in a more traditional position; that would have probably made it more aerodynamically in line with certification criteria. I hesitate to say the words "to make it more stable" because even as it is, the Boeing 737 Max is not inherently aerodynamically unstable. If all these electronic gimmicks fail, it will just fly like an airplane and it is probably in the normal flight envelope easily controllable. But to make big mechanical changes would have delayed the project a lot and would have required recertification. What instead could be done, with the airframe essentially the same, was that the certification could be what is known as grandfathered: so it doesn't need to fulfill all the current criteria of certification, because the aircraft has been certified and has been proven in service. And so only some of the modifications need to be recertified, which is much easier and much cheaper and much quicker.

So this is one of the certification criteria that must be fulfilled. Even though I have removed some of the additional stuff that doesn't really add anything useful, it's still rather complicated.
It's a procedure that you have to do where you slow down one knot per second. And the stick forces need to increase with every knot of speed that you lose, and things like that. And it says this stick force versus speed curve may not be less than one pound for each six knots. And it's quite interesting, if you look at the European certification criteria, that they took this exact paragraph and just translated the US units into metric units, but really calculated the new value. So the European certification now has very strange values like, I don't know, 11.79 kilometers per hour per second or something like that. It's really strange. So you can see where it comes from. But they said we can't have knots, even though the entire world except Russia and China basically flies in knots, even Western Europe. But the criteria in the certification specification need to be in kilometers per hour. Well, I would have thought that if you do the conversion, you would use meters per second, but it used kilometers per hour for whatever reason.

So due to the aerodynamic changes that were made, the Max did not quite fulfill the criteria to the letter. So something had to be done. And as I said, mechanical redesign was out of the question because it would have taken too long, would have been too expensive, and maybe would have broken the type certificate commonality.
So they introduced just this little additional software in a computer that also existed already. And so it measures angle of attack, it measures airspeed and a few other parameters, flap configuration, for example, and then it applies nose down pitch trim as it sees fit. But it has a rather interesting design from a software engineering point of view. Can you read that? Is that... They are flight control computers. And one part of this flight control computer, one additional piece of software, is called the MCAS, the Maneuvering Characteristics Augmentation System. And the flight control computer actually gets input from both angle of attack sensors. It has two, one on each side for redundancy, but the MCAS algorithm only uses one of them, at least in the old version. In the new version, it will probably use both if it ever gets recertificated. And then if that angle of attack sensor senses a value that is too high, then it introduces nose down trim, and it may switch between flights between the left and the right sensor. But at any given time for any given flight, it only ever uses one. So what could possibly go wrong here?

Here we can see what went wrong. It's the same graph as before, and I may direct your attention to this red line that says angle of attack indicated left and the green line which says angle of attack indicated right. So that is the data that the computer got from the angle of attack sensors.
Both are recorded in the data recorder, but only one is evaluated by the MCAS. And you can see, here's the scale on the right. You can see that one is indicating relatively normally around zero, a bit above zero, which is to be expected during takeoff and climb. And the red value is about 20 degrees higher. And of course, that is above the threshold at which the MCAS activates. So it activates. Right. And apparently in the old version of the software, there were no sanity checks, no cross checks with other air data values like airspeed and altitude or other things. And it would be relatively easy to do. Not quite trivial. You have to get it right in these kinds of things which influence flight controls, but nothing too fancy. But apparently that was also not done. So the MCAS became active.

So how could it happen? And it's still, to me, a bit of a mystery how it could actually get so far that it could be certified with this kind of system. And the severity of each failure, the possible consequences, have to be evaluated.
And the certification criteria specify five severities: catastrophic, hazardous, major, minor and no safety effect. And that doesn't have to be analyzed any further, but for catastrophic failures, you have to do a very, very complex risk assessment and see what you can do and what needs to be done to bring it in line, to either mitigate the consequences or make it so extremely improbable that it is not going to happen. So here are the probabilities with which the certification criteria deal, and their different orders of magnitude. There are usually two orders of magnitude between them. It's from a probability of 1 times 10 to the minus 5 per hour to 1 times 10 to the minus 9 per operating hour. And this is the risk matrix. Many of you are probably familiar with those. And it basically says if something is major, then it may not happen with a probability of probable. And if it's catastrophic, the only probability that is allowed for that is extremely improbable, which is less than once in a billion flight hours. Right. And to put that into perspective, the fleets with the most flight hours to date, I think, are in the low hundreds of millions of flight hours combined. So even for the 737 or the A320, we're still quite far away from a billion flight hours.
So you might have expected perhaps one of these events, because statistical distribution being what it is, the one event might happen, of course, but certainly not two in less than two years. And quite obviously, the severity of these failures was catastrophic. I think there's no discussion about that. And here's the relevant part, actually, about flight controls and the certification criteria, which was clearly violated. It says the airplane must be shown to be capable of continued safe flight for any single failure. Without further qualification, any single system that can break must not make the plane unflyable, or any combination of failures not shown to be extremely improbable, and extremely improbable is these 10 to the minus 9 per hour. And this hazard assessment must be performed for all systems, of course, and severity must be assigned to all these. And the unintended MCAS activation was classified as major.

And let's briefly look at that. What's major? Reduction in capability, maybe some injuries, major damage. So nothing you can just shrug off, but certainly not an accident with hundreds of dead. So, and therefore, there are some regulations which say which kinds of specific analysis you have to do for the various categories. And for major, no big failure modes and effects analysis, FMEA, was required. And these are all findings from the Indonesian investigation board.
And they're all in the report that is publicly downloadable. In the final version of the slides, I'll probably put some of the sources and links in there so you can read it for yourselves. It's quite eye opening. So only a very small failure analysis was made, comparatively small. It probably took a few man hours, but not as extensive as it should have been for the event had it been correctly classified as catastrophic. And some of these things that could happen were not at all considered, such as large stabilizer deflection. So continued trim movement in the same direction or a repeated activation of the MCAS system, because apparently the only design of the MCAS system that the FAA saw was limited to a 0.6 degree deflection at high speeds and to one single activation only. And that was changed. And it is still unclear how that could happen. It was changed to multiple activations, even at high speed. And each activation could move the stabilizer as much as almost 2.5 degrees. And there was no limit to how often it could activate. And what was also not considered was the effect on the flight characteristics caused by large movements of the stabilizer or movement of the stabilizer to the limit of the MCAS authority.
The MCAS doesn't have authority 00:28:47.280 --> 00:28:52.690 to move the stabilizer all the way to the mechanical stop, but only a bit short of 00:28:52.690 --> 00:28:57.520 that, much more than the manual electric trim is capable of trimming the airplane 00:28:57.520 --> 00:29:03.190 on the aircraft. You can always trim back with the manual electric trim switches on 00:29:03.190 --> 00:29:09.350 the yoke, but you cannot trim it nose down as far as MCAS can. So that's quite 00:29:09.350 --> 00:29:15.300 interesting. That was not considered. What was also not considered, at least it 00:29:15.300 --> 00:29:21.130 wasn't in the report apparently that the Indonesian agency had seen, was that 00:29:21.130 --> 00:29:26.401 flight crew workload increases dramatically if you have to pull on the 00:29:26.401 --> 00:29:34.390 yoke continuously with about, let's say, a force equivalent of 40 kilograms or 50 00:29:34.390 --> 00:29:37.810 kilograms continuously, otherwise if you let go, you're going to go into a very 00:29:37.810 --> 00:29:43.380 steep nosedive. And at that short, at the low altitude that they were at, they 00:29:43.380 --> 00:29:50.420 would not have been able to recover the aircraft. And in fact, they weren't. What 00:29:50.420 --> 00:29:54.970 was also not considered was an AOA sensor failure in the way that we have seen it in 00:29:54.970 --> 00:29:59.990 these two accidents, although apparently those had different causes. The 00:29:59.990 --> 00:30:04.091 effect for the MCAS was the same, that one of the sensors showed a value that was 00:30:04.091 --> 00:30:12.310 about 22 and a half degrees too high. And that was not considered in the analysis of 00:30:12.310 --> 00:30:17.490 the MCAS system. So I hope that is readable. That is a simplified state 00:30:17.490 --> 00:30:24.330 machine of the MCAS system. 
And what we can see is that it can indeed activate 00:30:24.330 --> 00:30:32.720 repeatedly, but only if the pilot uses the manual electric trim in between. It will 00:30:32.720 --> 00:30:38.440 go into a dormant state if the pilot trims manually with the hand wheel or if the 00:30:38.440 --> 00:30:42.980 pilot doesn't use the trim at all, it will go dormant after a single activation and 00:30:42.980 --> 00:30:49.100 stay that way until electric trim is used. So that's the basic upshot of this state 00:30:49.100 --> 00:30:56.190 machine. So the pilot thinks he's doing something to counter the MCAS and 00:30:56.190 --> 00:31:03.010 he's actually making it worse. But this isn't documented in any pilot 00:31:03.010 --> 00:31:07.460 documentation anywhere. It will probably be in the next way. If it's still working 00:31:07.460 --> 00:31:15.730 like that. But so far it wasn't. So Boeing was under a lot of pressure to try 00:31:15.730 --> 00:31:24.310 to sell a new, more fuel efficient version of their 737. And so I can't say for sure 00:31:24.310 --> 00:31:29.480 how it was internally between the FAA and Boeing, but it's not unreasonable to 00:31:29.480 --> 00:31:33.680 assume that they were under a lot of pressure from management to accelerate 00:31:33.680 --> 00:31:41.890 certification and possibly take shortcuts. I can't make any accusations here, but it 00:31:41.890 --> 00:31:47.160 looks like not all is well in the certification department between Boeing 00:31:47.160 --> 00:31:54.520 and the Federal Aviation Authority. So originally, the idea, of course, is the 00:31:54.520 --> 00:32:00.270 manufacturer builds the aircraft, analyzes everything, documents everything, and the 00:32:00.270 --> 00:32:06.730 FAA checks all the documentation and maybe even looks at original data and maybe 00:32:06.730 --> 00:32:11.280 looks at the physical pieces that are being made for the prototype and approves 00:32:11.280 --> 00:32:19.170 or rejects the documentation. 
There is already a potential conflict that is not 00:32:19.170 --> 00:32:24.050 there in most other countries because they have separate agencies. But the FAA has a 00:32:24.050 --> 00:32:30.840 dual mandate. It is supposed to promote aviation, to make it more efficient, but 00:32:30.840 --> 00:32:40.000 also to ensure aviation safety. And there may be conflicts of interests, I think. So 00:32:40.000 --> 00:32:47.640 here's what this certification has been up until, not quite sure, 10, 15 years ago. So 00:32:47.640 --> 00:32:57.120 the FAA, the actual government agency, the Aviation Authority, appoints a designated 00:32:57.120 --> 00:33:03.240 engineering representative. The DER is employed and paid by Boeing, but is 00:33:03.240 --> 00:33:12.690 accountable only to the FAA. And the DER checks and documents everything that is 00:33:12.690 --> 00:33:20.410 being done. There's usually more than one, but for simplicity's sake, let's say one. And 00:33:20.410 --> 00:33:24.630 the DER then reports the findings and all the documentation, all the low level 00:33:24.630 --> 00:33:30.360 engineering and analysis documentation that has been done to the FAA, and the FAA 00:33:30.360 --> 00:33:35.720 signs off on that or asks questions and visits the company and looks at things and 00:33:35.720 --> 00:33:41.630 makes audits and everything like that. And so that usually has been working more or 00:33:41.630 --> 00:33:47.090 less and has certainly improved the overall safety of airliners that have been 00:33:47.090 --> 00:33:57.520 built in the last decades. And this is the new version. And the person is 00:33:57.520 --> 00:34:03.430 now not called DER, but it's called AR, the authorized representative, and is still 00:34:03.430 --> 00:34:08.070 employed and paid by Boeing. That hasn't changed, but is appointed by Boeing 00:34:08.070 --> 00:34:13.419 management and reports to Boeing management. 
And the Boeing management 00:34:13.419 --> 00:34:19.899 compiles a report and sends that to the FAA and the FAA then signs off on the 00:34:19.899 --> 00:34:25.859 report. They hopefully at least read it, but they don't have all the low level 00:34:25.859 --> 00:34:31.859 engineering details readily available and only rarely speak to the actual engineers. 00:34:31.859 --> 00:34:42.280 So anyone seeing a problem here? Well, you have to say that most aircraft that are 00:34:42.280 --> 00:34:48.419 being built or have been built in the last years aren't really terrible. Right. The 00:34:48.419 --> 00:34:55.470 787 is a new aircraft. The 777 has been one of the safest aircraft 00:34:55.470 --> 00:35:03.499 around, at least looking at the flight hours that it has accumulated. So it's not 00:35:03.499 --> 00:35:11.380 all bad, but there's potential for real, really bad screw ups, I guess. There's 00:35:11.380 --> 00:35:17.560 another factor maybe that I've briefly mentioned, is that the Boeing 737, even in 00:35:17.560 --> 00:35:21.951 its latest version, is not computer controlled. It's not fly by wire, although 00:35:21.951 --> 00:35:27.940 it has some computers as we have seen, that can move some control surfaces. But 00:35:27.940 --> 00:35:31.269 mostly it's really, it really looks like that. I think that's an actual photo from 00:35:31.269 --> 00:35:36.910 a 737, it has some corrosion on it. So it's probably not a Max but an older version, but 00:35:36.910 --> 00:35:41.550 it's basically the same, which is also why the grandfathering certification still 00:35:41.550 --> 00:35:47.150 works. So it's all cables and pulleys and even if both hydraulic systems fail - so, 00:35:47.150 --> 00:35:51.480 yes, it is hydraulically assisted, the flight controls - but if both hydraulic 00:35:51.480 --> 00:35:57.079 systems fail, with the combined forces of both pilots, you can still fly it 00:35:57.079 --> 00:36:03.711 and you can still land it. 
That usually works, except when it doesn't. And the 00:36:03.711 --> 00:36:11.210 cases where it doesn't work are when the aircraft is going very fast and has a very 00:36:11.210 --> 00:36:15.700 high stabilizer deflection. And this is from a video some of you may have seen 00:36:15.700 --> 00:36:21.759 there, it's from Mentour Pilot. And he has actually tested that in a full flight 00:36:21.759 --> 00:36:27.660 simulator, which represents realistic forces on all flight controls, including 00:36:27.660 --> 00:36:32.960 the trim wheel. You can see in the center console under the thrust levers, there are 00:36:32.960 --> 00:36:37.780 these two shiny black wheels and they are the trim wheels. You can move them 00:36:37.780 --> 00:36:42.499 manually in all phases of flight to trim the aircraft, if electric trim is not 00:36:42.499 --> 00:36:45.420 available. Pilot: In the normal trim system would not 00:36:45.420 --> 00:36:50.950 do this. OK. It would require manual trimming to get it away from this. That's 00:36:50.950 --> 00:36:55.940 fine, it's fine, trim it backwards. Trim it backwards again. 00:36:55.940 --> 00:37:00.510 Bernd: So now he is trying to trim it nose up again after he has manually trimmed it 00:37:00.510 --> 00:37:06.170 nose down because the normal electric trim system cannot trim it so far nose down. 00:37:06.170 --> 00:37:10.130 They have to do it manually. And now he is trying to trim it back nose up from the 00:37:10.130 --> 00:37:15.650 position which is known from the flight data recorder that it was in the 00:37:15.650 --> 00:37:20.749 accident flight and is trying to trim it manually because some people said: "oh, 00:37:20.749 --> 00:37:24.509 turn off the electric trim, the electric trim system and trim it manually. That 00:37:24.509 --> 00:37:27.700 will always work." And they're trying to do that. And it has representative forces 00:37:27.700 --> 00:37:34.539 to the real aircraft. Copilot: Oh my god. 
00:37:34.539 --> 00:37:41.230 heavy breathing Pilot: Ok, pause the rec... 00:37:41.230 --> 00:37:46.119 Bernd: and you can see that the pilot on the left, the captain, can't even help 00:37:46.119 --> 00:37:50.960 him. In theory, both could turn the crank at the same time. And they have a handle 00:37:50.960 --> 00:37:56.310 on both sides, because he has to hold the control column with all his force. So you 00:37:56.310 --> 00:38:00.380 can't let go. He must hold it with both arms. Otherwise, it would go into a 00:38:00.380 --> 00:38:04.619 nosedive immediately. And this is the physical situation with which the pilots 00:38:04.619 --> 00:38:09.849 were confronted in the accident flight. And he now says: "press the red button in 00:38:09.849 --> 00:38:23.640 the simulator." So end the simulation because it's clear that they're going to crash. 00:38:23.640 --> 00:38:28.120 So there is another thing that came up after the accidents and 737 00:38:28.120 --> 00:38:33.080 pilots said: "oh, it's just a runaway trim, runaway stabilizer trim, there's a 00:38:33.080 --> 00:38:37.660 procedure for that and just do the procedure and you'll be fine." Well, 00:38:37.660 --> 00:38:43.750 runaway stabilizer trim is one of the emergency procedures that is trained ad 00:38:43.750 --> 00:38:49.520 infinitum. Right. That's something that every 737 pilot is aware of because there 00:38:49.520 --> 00:38:55.380 are some conditions under which the trim motor always gets electric current and 00:38:55.380 --> 00:38:59.641 doesn't stop running. That just happens occasionally, not very often, but 00:38:59.641 --> 00:39:03.740 occasionally. And every pilot is primed to recognize the symptoms. Oh, this is a 00:39:03.740 --> 00:39:10.240 runaway stabilizer. And you turn off the electric motors for the stabilizer trim 00:39:10.240 --> 00:39:16.789 and trim manually and that'll work. 
But if you look at what are the actual symptoms 00:39:16.789 --> 00:39:21.700 of runaway stabilizer, it says uncommanded stabilizer trim movement occurs 00:39:21.700 --> 00:39:27.970 continuously. And MCAS movement isn't continuous, MCAS trim movement is more 00:39:27.970 --> 00:39:34.010 like the speed trim system, which occurs intermittently and then stops and then 00:39:34.010 --> 00:39:38.510 trims again for a bit and then stops again. So most pilots wouldn't recognize 00:39:38.510 --> 00:39:42.259 this as a runaway trim, because the symptoms are very different. The 00:39:42.259 --> 00:39:47.109 circumstances are different. So I guess some pilots might have recognized that 00:39:47.109 --> 00:39:51.769 there's something going on with the trim that is not right and will have turned it 00:39:51.769 --> 00:39:57.550 off. But some didn't, even though they all know about runaway 00:39:57.550 --> 00:40:07.460 stabilizer. And yeah, that's the second file that I have. 00:40:07.460 --> 00:40:16.400 loud rattling noise So that's the sound the stick shaker 00:40:16.400 --> 00:40:21.440 makes on a Boeing 737. And now imagine flying with that sound all the while 00:40:21.440 --> 00:40:27.830 shaking the control column violently, flying with that going on for an hour. And 00:40:27.830 --> 00:40:32.670 that's what the crew on the previous flight did. They flew the entire flight of 00:40:32.670 --> 00:40:37.170 about an hour with a stick shaker going. I mean, that's quite 00:40:37.170 --> 00:40:44.460 interesting because the stick shaker says your wing is about to stall. Right. But on 00:40:44.460 --> 00:40:47.650 the other hand, they knew they were flying level. They were flying fast enough. 00:40:47.650 --> 00:40:51.809 Everything was fine. The aircraft wasn't about to stall because it was going fast 00:40:51.809 --> 00:40:58.170 and. Right. 
So from an aerodynamics perspective, of course, they could fly the 00:40:58.170 --> 00:41:03.309 airplane because they knew it was nowhere near a stall. But still, I think in most 00:41:03.309 --> 00:41:07.029 countries and most airlines, they would have just turned around and landed again 00:41:07.029 --> 00:41:13.420 and said the aircraft is broken, please fix it. Something is wrong. But yeah. So 00:41:13.420 --> 00:41:19.359 the stick shaker is activated by the angle of attack reading on each side and the 00:41:19.359 --> 00:41:24.460 sticks are mechanically coupled, so both of them will shake with activation from 00:41:24.460 --> 00:41:31.570 either side. So is it going to fly again? It's still somewhat of an open question, 00:41:31.570 --> 00:41:38.220 but I suspect that it will because it's hard to imagine that letting these 00:41:38.220 --> 00:41:43.869 460 airplanes or something like that that have been built, sometimes sitting 00:41:43.869 --> 00:41:50.239 around on employee parking lots like here, just letting them be scrapped or 00:41:50.239 --> 00:41:56.210 whatever. I don't know. Almost 5000 have been ordered. As I said, neither airlines 00:41:56.210 --> 00:42:04.170 nor Boeing will be happy. But it's not quite clear. It's not yet being certified 00:42:04.170 --> 00:42:13.109 again. So it's still unairworthy. So there's another little thing, 00:42:13.109 --> 00:42:16.880 certification issues with new Boeing aircraft. Reminded me of this. Have you 00:42:16.880 --> 00:42:23.830 ever seen that? So, battery exhaust. Which aircraft has a battery exhaust? I 00:42:23.830 --> 00:42:31.760 mean, what do you do with that? Does anybody know? Yeah, of course some know. 00:42:31.760 --> 00:42:38.069 Yeah. Boeing 787 Dreamliner. Less than two years after introduction, after 00:42:38.069 --> 00:42:44.180 entering service, it actually had two major battery fires. They have two big 00:42:44.180 --> 00:42:51.380 lithium ion batteries. 
Lithium, lithium cobalt, I think, not sure. The one that 00:42:51.380 --> 00:42:55.809 burns the brightest. laughter 00:42:55.809 --> 00:43:00.819 Bernd: Because they wanted the energy density, really, and that wasn't available 00:43:00.819 --> 00:43:06.170 in other packages. If they had used nickel cadmium batteries instead, they would have 00:43:06.170 --> 00:43:12.180 been like 40 kilograms heavier for two batteries. That's almost a passenger. So 00:43:12.180 --> 00:43:18.359 yeah, there were onboard fires. And if you ask pilots what's your worst fear of 00:43:18.359 --> 00:43:25.880 something happening in flight, they'll say: flight control failure and fire. So 00:43:25.880 --> 00:43:32.099 you don't want to have a fire in the air, absolutely not. And one of the fires was 00:43:32.099 --> 00:43:36.330 actually in-flight with passengers on board. One was on the ground shortly after 00:43:36.330 --> 00:43:41.569 disembarking and the lithium ion batteries, because they are unusual and a 00:43:41.569 --> 00:43:45.819 novel feature, as it's called, have special certification conditions because 00:43:45.819 --> 00:43:52.009 they are not covered by the original certification criteria, and it says here: 00:43:52.009 --> 00:43:55.869 Safe cell temperatures and pressures must be maintained during any foreseeable 00:43:55.869 --> 00:44:01.599 condition and during any failure of the charging system, not shown to be extremely 00:44:01.599 --> 00:44:07.569 improbable... extremely remote, sorry, and extremely remote is actually two orders of 00:44:07.569 --> 00:44:13.299 magnitude more frequent than extremely improbable. Extremely remote is only less 00:44:13.299 --> 00:44:18.400 than once every 10 million flight hours. But I think the combined flight hours for 00:44:18.400 --> 00:44:26.619 the 787 at that time were, not quite sure, maybe a few hundred thousand at most. 00:44:26.619 --> 00:44:32.220 And it also happened two times. That was not really fun. 
And then it says no 00:44:32.220 --> 00:44:37.609 explosive or toxic gases emitted as the result of any failure may accumulate in 00:44:37.609 --> 00:44:43.140 hazardous quantities within the airplane. I think they've neatly solved the third 00:44:43.140 --> 00:44:48.130 point by putting the battery in a stainless steel box, really thick walls, 00:44:48.130 --> 00:44:53.990 maybe, I don't know, eight millimeters or something like that. And piping them to 00:44:53.990 --> 00:45:00.340 this hole in the bottom of the aircraft. So the gases cannot accumulate in the 00:45:00.340 --> 00:45:05.880 aircraft, obviously. So, yes. And with that, I'm at the end of my talk and 00:45:05.880 --> 00:45:12.650 there's now, I think, quite some time for questions. Thank you. 00:45:12.650 --> 00:45:22.419 applause 00:45:22.419 --> 00:45:26.410 Herald: Extremely punctual, I have to say. Thank you for this interesting talk. We do 00:45:26.410 --> 00:45:31.681 have the opportunity for quite some questions and a healthy discussion. Please 00:45:31.681 --> 00:45:36.529 come to the microphones that we have distributed through the hall. And while 00:45:36.529 --> 00:45:46.090 you queue up behind them: Do we have a question from the Internet already? Dear 00:45:46.090 --> 00:45:50.299 Signal Angel, is your microphone working? Signal Angel: No. 00:45:50.299 --> 00:45:53.819 Herald: Yes. Signal Angel: Yes. Do you think extensive 00:45:53.819 --> 00:45:57.450 software tests could have solved this situation? 00:45:57.450 --> 00:46:02.380 Bernd: Software tests in this case, perhaps? Yes. Although software tests are 00:46:02.380 --> 00:46:09.099 really a problematic thing because to test software to the extreme reliability that is 00:46:09.099 --> 00:46:13.230 required, you really have to test them for a very, very, very, very long time indeed. 
00:46:13.230 --> 00:46:17.839 So to achieve some confidence, say, 99 percent, that a failure will not occur 00:46:17.839 --> 00:46:23.670 in, say, 10 million hours, you will have to test it for 45 million hours. Really. 00:46:23.670 --> 00:46:26.579 And you have to test it with the exact conditions that will occur in flight. And 00:46:26.579 --> 00:46:33.930 apparently nobody thought of an angle of attack failure, angle of attack sensor 00:46:33.930 --> 00:46:38.170 failure. So maybe testing wouldn't have done a lot in this case. 00:46:38.170 --> 00:46:44.250 Herald: Thank you. Microphone number four. Mic4: Yes. Thank you for the talk. I've 00:46:44.250 --> 00:46:49.809 got a question concerning the grounding. So what is your view that the FAA waited 00:46:49.809 --> 00:46:55.970 so long until they finally grounded the aircraft, a week after the Chinese started 00:46:55.970 --> 00:46:58.381 with grounding? Bernd: Yes, that's a good point. And I 00:46:58.381 --> 00:47:02.549 think it's an absolute disgrace that they waited so long. Even after the first 00:47:02.549 --> 00:47:06.140 crash. They made an internal study and it was reported in the news some weeks 00:47:06.140 --> 00:47:13.239 ago and estimated that during the lifetime of the 737 Max, probably around 15 00:47:13.239 --> 00:47:17.869 aircraft would crash. So, say, every two to three years, one of them would crash 00:47:17.869 --> 00:47:22.720 and they still didn't ground it and waited until four days after the second accident. 00:47:22.720 --> 00:47:27.900 Yes, it's a shame, really. Herald: Thank you. Microphone number 00:47:27.900 --> 00:47:31.089 seven, please. Mic7: Thank you for your talk. I have a 00:47:31.089 --> 00:47:38.670 question regarding the design decision to only use one AOA sensor. So I've read that 00:47:38.670 --> 00:47:43.480 Boeing used the MCAS system before on a military aircraft and that used both 00:47:43.480 --> 00:47:46.549 sensors. 
So why was that decision made to downgrade? 00:47:46.549 --> 00:47:51.619 Bernd: Yeah, that's a good question. I'm not aware of that military system, if that 00:47:51.619 --> 00:47:56.450 was really exactly the same. But if that's the case, yes, that makes it even stranger 00:47:56.450 --> 00:48:00.160 that they chose to use only one in this case. Yes. Thank you. 00:48:00.160 --> 00:48:04.950 Herald: Okay, Microphone number two, please. 00:48:04.950 --> 00:48:10.619 Mic2: Yeah. Thank you for your talk. So how do you actually test these 00:48:10.619 --> 00:48:15.200 requirements in practice? So how do you determine in practice if something is 00:48:15.200 --> 00:48:19.809 likely to fail every ten to the minus nine as opposed to every ten to the minus 00:48:19.809 --> 00:48:22.440 eight? Bernd: No, that's obviously 00:48:22.440 --> 00:48:27.150 practically completely impossible. You can't. As I said, if you want to have a 00:48:27.150 --> 00:48:31.770 reasonable confidence that the error rate is really so low, you'd have to 00:48:31.770 --> 00:48:37.380 test it for four and a half billion hours in operation, which is just impossible. 00:48:37.380 --> 00:48:42.990 What instead is done: there are some industry standards for aviation, that is 00:48:42.990 --> 00:48:49.200 DO-178, currently in revision C, and that says if you have software that, if it 00:48:49.200 --> 00:48:53.529 fails, may have consequences of this severity, then you have to use these 00:48:53.529 --> 00:48:59.670 very strict, very formal methods for developing the software, like doing very 00:48:59.670 --> 00:49:05.489 strict and formal requirements analysis, specification in a formal language, 00:49:05.489 --> 00:49:12.720 preferably. And um, if possible, and some companies actually do that, formally 00:49:12.720 --> 00:49:16.680 prove your source code correct. And in some languages that can be done. But 00:49:16.680 --> 00:49:21.960 it's very, it's a lot of effort. 
And that's how this should be done. And this 00:49:21.960 --> 00:49:25.769 software obviously should have been developed to the highest level according 00:49:25.769 --> 00:49:31.150 to DO-178, which is level A, and quite obviously it wasn't. 00:49:31.150 --> 00:49:35.940 Herald: Thank you. Signal Angel, please. The next question from the Internet. 00:49:35.940 --> 00:49:40.400 Signal Angel: The talk focused most on MCAS, but someone noted that the plane was 00:49:40.400 --> 00:49:45.559 actually designed for engines below the wings and the NG model, so the one before, 00:49:45.559 --> 00:49:49.039 already had problems with the wing mounts and engine mounts. Do you think there will 00:49:49.039 --> 00:49:53.160 be mechanical problems with the Max, too? Bernd: I'm not sure there were really 00:49:53.160 --> 00:49:56.269 mechanical problems. There were aerodynamic problems. And apparently. 00:49:56.269 --> 00:50:00.569 Well, I'm sure they have tested the NG to the same standards, to the same 00:50:00.569 --> 00:50:04.559 certification standards, because obviously there were aerodynamic changes even with 00:50:04.559 --> 00:50:10.069 the NG. And the NG apparently still fulfilled the formal criteria of the 00:50:10.069 --> 00:50:15.329 certification. There are some acceptable means of compliance and quite specific 00:50:15.329 --> 00:50:20.670 descriptions, how you test these stick forces versus airspeed. And as far as I 00:50:20.670 --> 00:50:25.441 know, the NG just fulfilled them. And the Max just didn't. So for the Max, something 00:50:25.441 --> 00:50:29.910 was required, although even the classic, which basically had the same 00:50:29.910 --> 00:50:35.160 engine as the NG. Even the classic had some problems there. That's where the 00:50:35.160 --> 00:50:41.410 speed trim system was introduced. 
And so it has a similar system and actually the 00:50:41.410 --> 00:50:45.779 MCAS is just another little algorithm in the computer that also does the speed trim 00:50:45.779 --> 00:50:48.549 system. Herald: Please stay seated and buckled up 00:50:48.549 --> 00:50:54.099 until we reach our parking position. No. We are still in the Q&A phase. Please 00:50:54.099 --> 00:50:59.579 stay seated and please be quiet so we can enjoy all of this talk. And if you have 00:50:59.579 --> 00:51:04.259 to leave, then be super quiet right now. It is way too loud in here, please. 00:51:04.259 --> 00:51:07.200 The next question from microphone number one. 00:51:07.200 --> 00:51:13.369 Mic1: So considering lessons learned from this accident, has the FAA already changed 00:51:13.369 --> 00:51:17.839 the certification process or are they about to change it? Or what about other 00:51:17.839 --> 00:51:21.430 agencies worldwide? Bernd: The FAA is probably going to move 00:51:21.430 --> 00:51:26.049 very slowly. And I'm not aware of any specific changes yet, but I haven't looked 00:51:26.049 --> 00:51:32.869 into too much detail in that. Other certification agencies work somewhat 00:51:32.869 --> 00:51:37.500 differently. And at least the EASA in Europe and the Chinese authorities have already 00:51:37.500 --> 00:51:41.690 indicated that in this case they are not going to follow the FAA certification, but 00:51:41.690 --> 00:51:46.839 going to do their own. And until now, it was usually the case that if the FAA 00:51:46.839 --> 00:51:50.971 certified the airplane, everybody else in the world just took that certification and 00:51:50.971 --> 00:51:55.819 said what the FAA did is probably fine and vice versa. When the EASA certified a 00:51:55.819 --> 00:52:00.720 Boeing airplane, then the FAA would also certify it. And that is probably changing 00:52:00.720 --> 00:52:04.750 now. Herald: Thank you. Microphone number 3. 00:52:04.750 --> 00:52:11.210 Mic3: So, hi. 
Thank you for this talk. Two questions, please. Were you part of an 00:52:11.210 --> 00:52:18.450 official investigation or is this your own analysis of the facts? Here's the other 00:52:18.450 --> 00:52:24.700 one. I heard something about this software being outsourced to India. Can you comment 00:52:24.700 --> 00:52:27.829 on that, please? Bernd: The first one: no, this is my own 00:52:27.829 --> 00:52:36.040 private analysis. I have been doing some accident analysis for a living for a 00:52:36.040 --> 00:52:41.369 while, but not for any official agency, but always for private customers. 00:52:41.369 --> 00:52:46.809 And about outsourcing to India, I'm not quite sure about that. I've read 00:52:46.809 --> 00:52:51.840 something like that. And what I've read is that it was produced by Honeywell. I 00:52:51.840 --> 00:52:57.450 think. I may be wrong about that, but I think it was Honeywell. And where the actual 00:52:57.450 --> 00:53:04.920 programmers were sitting. If it's done properly, according to the methodologies 00:53:04.920 --> 00:53:09.589 prescribed by DO-178 and fulfilling all those requirements, then where the 00:53:09.589 --> 00:53:15.049 programmers sit is actually not that important. And I don't want to deride 00:53:15.049 --> 00:53:21.140 Indian programmers, and I think if it's done according to specification and 00:53:21.140 --> 00:53:27.119 analyzed with static code analysis and everything else vis-a-vis the 00:53:27.119 --> 00:53:31.900 specification, then that would also be fine, I guess. But the problem is not so 00:53:31.900 --> 00:53:35.599 much really in the implementation, but in the design of the system, in the 00:53:35.599 --> 00:53:40.059 architecture. Herald: Thank you. Microphone number 5 00:53:40.059 --> 00:53:45.240 please. Mic5: Hello. I may have got your 00:53:45.240 --> 00:53:50.479 presentation wrong, but for me, the real root cause of the problem is the 00:53:50.479 --> 00:53:58.920 competition and high deadline from the management. 
So the question for you is: are 00:53:58.920 --> 00:54:05.759 there any suggestions from you that the process could be, I dunno, maybe changed 00:54:05.759 --> 00:54:18.779 in order to avoid the bugs in the software and have the mission 00:54:18.779 --> 00:54:24.019 critical systems safe? Bernd: Yeah. So we don't normally just 00:54:24.019 --> 00:54:29.069 talk about THE cause or THE root cause, but there are always several causes. 00:54:29.069 --> 00:54:35.339 Basically you can say, depending on where you stop with the graph - where is it? - 00:54:35.339 --> 00:54:40.979 where you stop with the graph, all the leaves on the graph are root causes, 00:54:40.979 --> 00:54:46.779 but I've stopped relatively early and I haven't gone into any more detail on 00:54:46.779 --> 00:54:51.019 that, but yeah. The competition between Airbus and Boeing obviously was a big 00:54:51.019 --> 00:54:57.940 factor in this. And I don't suppose you suggest that we abolish competition in the 00:54:57.940 --> 00:55:04.460 market. But what needs to be changed, I think, is the way certification is done. 00:55:04.460 --> 00:55:10.270 And that requires the FAA reasserting its authority much more. And that will 00:55:10.270 --> 00:55:16.710 probably require a lot more personnel with good engineering background, and maybe 00:55:16.710 --> 00:55:22.349 that would require the FAA paying better wages. So I don't know, because currently 00:55:22.349 --> 00:55:27.489 probably all the good engineers will go to Boeing instead of the FAA. But the FAA 00:55:27.489 --> 00:55:31.279 dearly needs engineering expertise and lots of it. 00:55:31.279 --> 00:55:35.661 Herald: Thank you. The next question we hear from microphone number 4. 00:55:35.661 --> 00:55:40.249 Mic4: Hi. Thank you for the talk. 
I've heard that there is - I've heard - I've 00:55:40.249 --> 00:55:47.349 read that there's a version of the 737 Max 8 that did allow for a third AOA 00:55:47.349 --> 00:55:52.729 sensor present that served as a backup for either sensor, but that this 00:55:52.729 --> 00:55:56.910 was a paid option. And I have not found confirmation of this. Do you know anything 00:55:56.910 --> 00:56:00.999 about this? Bernd: No, I'm not aware of that 00:56:00.999 --> 00:56:10.089 as a paid option. There was something about an optional feature that was called 00:56:10.089 --> 00:56:13.750 a safety feature, but I can't exactly remember what that was. Maybe it was an 00:56:13.750 --> 00:56:18.470 angle of attack indicator in the cockpit that is available as an option, I think, 00:56:18.470 --> 00:56:26.839 for this 737, for most models, because the sensor is there anyway. As for a third AOA 00:56:26.839 --> 00:56:31.710 sensor, I'd be surprised if that was an option because that is a major change and 00:56:31.710 --> 00:56:36.259 requires a major change to all the system layout. Then you'd need an additional air 00:56:36.259 --> 00:56:41.259 data inertial reference unit, which is a big computer box in the aircraft of which 00:56:41.259 --> 00:56:46.440 there are only two. And that would've taken a long, long time in addition to 00:56:46.440 --> 00:56:51.609 develop. So I'm skeptical about that third angle of attack sensor. At least I've not 00:56:51.609 --> 00:56:56.070 heard of it. Herald: Thank you. Signal angel, do we 00:56:56.070 --> 00:56:58.359 have more from the internet? Please one quick one. 00:56:58.359 --> 00:57:03.390 Signal angel: If you need a quick one, would you ever fly with a 737 Max again if 00:57:03.390 --> 00:57:05.970 it was ever cleared again? applause 00:57:05.970 --> 00:57:10.750 Bernd: I was expecting that question. And actually I don't have an answer yet for 00:57:10.750 --> 00:57:18.040 that. 
And that maybe would depend on how I see the FAA and the EASA doing the 00:57:18.040 --> 00:57:23.349 certification. I've seen some people saying that the 737 Max should never be 00:57:23.349 --> 00:57:31.310 recertified. I think that it will be. And I look at it in some detail, seeing how 00:57:31.310 --> 00:57:37.290 the FAA develops and how the EASA is handling it. And then maybe. Yes. 00:57:37.290 --> 00:57:43.259 Herald: Great. Okay, in that case, we would take one more very short question 00:57:43.259 --> 00:57:48.769 from microphone number 5. Mic5: Do you know why the important AOA 00:57:48.769 --> 00:57:53.779 sensor failed to give the correct values? Bernd: There are some theories about that, but 00:57:53.779 --> 00:57:58.469 I haven't investigated that in any more detail now. There were some stories that 00:57:58.469 --> 00:58:05.029 in the case of the Indonesian, the Lion Air, that it was actually mounted or 00:58:05.029 --> 00:58:12.599 reassembled incorrectly. That would explain why there was a constant offset. 00:58:12.599 --> 00:58:17.969 It may also have been - somebody calculated that it was actually, exactly - if you 00:58:17.969 --> 00:58:21.390 look at the raw data that is being delivered on the bus - there was exactly 00:58:21.390 --> 00:58:26.049 one flipped bit, which is also a possibility. But I don't really know. 00:58:26.049 --> 00:58:29.000 But there were some implications in the report. Maybe I have to read that section 00:58:29.000 --> 00:58:34.869 again from the Indonesian authorities about substandard maintenance, as it is 00:58:34.869 --> 00:58:39.400 euphemistically called. Herald: OK. We have two more minutes. So I 00:58:39.400 --> 00:58:42.109 will take another question from microphone number 1. 00:58:42.109 --> 00:58:49.509 Mic1: Hey, I would have expected that modern aircraft would have some plug, 00:58:49.509 --> 00:58:54.829 physical plug, hermetic one, that would disconnect any automated system.
Isn't 00:58:54.829 --> 00:58:58.070 this something that exists in our planes today? 00:58:58.070 --> 00:59:02.390 Bernd: No, and especially modern aircraft can't just disconnect the automatics, 00:59:02.390 --> 00:59:06.880 because if you look at modern fly by wire aircraft, there is no connection between 00:59:06.880 --> 00:59:11.420 the flight controls and the control surfaces. There's only a computer and the 00:59:11.420 --> 00:59:16.450 flight controls that the pilots handle are only inputs to the computer and there's no 00:59:16.450 --> 00:59:23.170 direct connection. That is true for every Airbus since the A320, for every Boeing 00:59:23.170 --> 00:59:28.950 since the triple 7, so the triple 7 and the 787 are totally 100 percent fly by 00:59:28.950 --> 00:59:33.160 wire. Well, I think 95 percent because there's one control surface that is 00:59:33.160 --> 00:59:38.609 directly connected, one spoiler on each side. But basically, there's no 00:59:38.609 --> 00:59:43.280 way. And so you have to make sure that flight control software is developed to 00:59:43.280 --> 00:59:47.740 the highest possible standards. Because you can't turn it off, because that's 00:59:47.740 --> 00:59:53.200 everything. That's, well, let me put it this way: On the fly by wire aircraft, 00:59:53.200 --> 01:00:00.640 only the computer can control the flight, the flight control surfaces, you know. So I 01:00:00.640 --> 01:00:03.910 just hope that it's good. Herald: Think about that when you next 01:00:03.910 --> 01:00:08.840 enter a plane. And also, please give a big round of applause for our speaker Bernd. 01:00:08.840 --> 01:00:21.142 applause 01:00:21.142 --> 01:00:31.720 36c3 postroll music 01:00:31.720 --> 01:00:48.000 Subtitles created by c3subtitles.de in the year 2020. Join, and help us!
