*36C3 preroll music*

Herald: In the following talk Mr. Bernd Sieker will speak about the crashes and what led to the crashes of the most recent 737 model. He is a flight safety engineer, he also worked on flight safety, and he has analyzed plane crashes for a long time. And you have to keep in mind that with this 737, although multiple models have been built, all models can be flown with the same type rating since 1967, which is one of the many root causes of the issues that led to the disaster that killed 346 people. Let's listen to Bernd, and he'll enlighten us about what else went wrong.

*applause*

Bernd Sieker: Yes, thank you very much for the introduction. I see there are not quite as many people as with the Edward Snowden talk, but I'm not disappointed. Aviation safety has always been very important to me and I've done a lot of work on it, and I am happy to share my passion with so many of you. Thank you.

*applause*

So this is basically the outline of what I'm going to talk about. It's the Boeing 737 Max, or seven thirty seven as some may say. I will briefly talk about the accidents, what we knew at the beginning, what went wrong and then what came to light.
Later on I will show, very briefly, the causal analysis method that we use, and an overview of the analysis that I did of these accidents. Then I'll talk about the infamous MCAS system, the Maneuvering Characteristics Augmentation System, as it's called by its full name. Then I'll talk about certification, how aircraft certification works in the United States. It's very similar in Europe, although there are some differences. But I'm not going to talk about European details in this talk. So it's mostly about the FAA and aircraft certification across the pond. Some other things and an outlook, how it is going to go on with the Boeing 737 Max. We currently don't know exactly what's going to happen, but we'll see. And if we have time, I have a few bonus slides later on.

So the Boeing 737 Max, the star of the show, as you may say: it's the fourth iteration, as the Herald already indicated, of the world's best selling airliner. I looked it up just recently. I think there are almost 15,000 orders for the 737 across all the series, the original, the classic, the NG and now the Max. And the Max itself is the fastest selling airliner of all time. So within months, it had literally thousands of orders. It has now almost 5,000 orders.
And all the airlines in the world are waiting for the grounding of the 737 Max to be lifted so they can receive and fly the aircraft.

So the first accident was last year. It was Lion Air, an Indonesian flag carrier. Actually, I think the second or third largest Boeing 737 Max customer in the world with a couple of hundred, 250 or something, aircraft, and it crashed relatively shortly after it entered service. And so we heard some strange things in the news and on the forums that deal with aviation safety. It seems that there had been uncommanded nose down trim. So the tail plane is moved by an electric motor and it forces the nose of the aircraft down. The pilot can counter that movement with some switches on his control column. And apparently the stick shaker was active during the flight and there were difficulties in controlling the aircraft. We didn't know at the time exactly what it was. And then for the first time, the abbreviation MCAS surfaced, and even 737 pilots, even 737 Max pilots, at least some of them, said they'd never heard of it. It was a mystery. We later found that actually in some documentation it was very briefly mentioned that such a system existed, but not exactly why it was there. And I guess Boeing knew, and the certification authorities, as it turned out, sort of knew a bit of the story, but not the whole story.
But especially people in the West, in the US and in other countries, said: Oh, these are just poorly trained Third World pilots. And we expect that. And they weren't completely wrong. Lion Air has a particularly bad safety record. And it wasn't unknown to aviation safety investigators. There have been a number of crashes with Lion Air. So in the beginning, we thought, OK, maybe it's a fluke, it's a one-off, or maybe it's caused by poor maintenance or bad pilots or whatever. Several people, on the other hand, already began worrying because some flight data recorder traces became public. And there were some very strange things, which we will see shortly.

And then only a few months later, the second aircraft of exactly the same type and the same variant, Boeing 737 Max 8, also crashed. And you can see maybe on the picture on the left, it left a rather big crater. It really dove into the earth quite fast. It turned out, I think, about between seven and eight hundred kilometers per hour. So really fast, and not much was left. I think the biggest parts were about this size, I guess. So all small pieces of debris and the engine cores, which are a bit bigger. And from that as well, flight data recorder traces became public. The recorders had survived, at least the memory in them, and were readable. So we finally found out something and found some similarities, some rather disturbing similarities.
We come to that in a moment, but I'll talk a little bit about the Boeing 737 family in general. So there were four models, as I said. That was the original, which had narrow engines under the wings. Not a lot of room between the ground and the engines, but it looked quite normal. You could say it was one of the first short-haul airliners with underslung engines under the wings, and then new high-bypass turbofan engines entered the market, which were much more fuel efficient. We're talking about maybe some 15 to 20 percent lower fuel consumption. So it was a big deal. And the Boeing 737 was reengined and became known as the classic: bigger engines, but still mostly analog mechanical instruments. And it was basically the same as the original, except that it had some bigger engines and they had to shape the cowling a little differently to accommodate the bigger engines. But more or less, it worked for a while. And then as airlines demanded more modern avionics, so the cockpit electronics in aircraft, the next generation was conceived. It also got a new wing, new winglets, which again saved a lot of fuel. It had basically the same engines, except that the engines now were also computer controlled by what we call FADEC, full authority digital engine control. And Boeing said, well, that's probably going to be the last one.
And in 86 00:08:31,310 --> 00:08:36,149 the next few years, we are going to develop an all new, short and medium haul 87 00:08:36,149 --> 00:08:43,120 single aisle aircraft which will be all new and super efficient and super cheap to 88 00:08:43,120 --> 00:08:49,830 operate - all the promises that manufacturers always make. In the 89 00:08:49,830 --> 00:08:56,410 meantime, Airbus was becoming a major player with the A320. It was overall a 90 00:08:56,410 --> 00:09:00,470 much more modern aircraft. It had digital fly by wire. It always had digitally 91 00:09:00,470 --> 00:09:04,940 controlled engines. It had much higher ground clearance. So it was no problem to 92 00:09:04,940 --> 00:09:10,440 accommodate the larger engines in the A320. And Airbus then announced that it 93 00:09:10,440 --> 00:09:14,990 was going to reengine the A320. And for the A320, that was the first time it got 94 00:09:14,990 --> 00:09:19,830 new engines. It for a long time it had you had the choice of two types of engines for 95 00:09:19,830 --> 00:09:25,410 the A320 And then they said, we're going to install these new super efficient 96 00:09:25,410 --> 00:09:32,029 engines, which brought with it another optimization of fuel consumption. That was 97 00:09:32,029 --> 00:09:37,529 another 15 percent fuel saved per mile traveled something on the order of that. 98 00:09:37,529 --> 00:09:42,910 So it was a huge improvement again. And many Airbus customers immediately ordered 99 00:09:42,910 --> 00:09:49,050 the so-called A320neo and some Boeing customers also thought, well, this one is 100 00:09:49,050 --> 00:09:55,670 going to consume so much less fuel that we might consider switching to Airbus, even 101 00:09:55,670 --> 00:09:59,810 though it's a major hassle if you have fleet entirely consisting of Boeing 102 00:09:59,810 --> 00:10:03,830 aircraft, if you then switch to Airbus, it's a huge hassle and nobody really wants 103 00:10:03,830 --> 00:10:08,310 that unless they're really forced to. 
But the promised fuel savings were so big that companies actually considered this, and lots of them. And so Boeing said we need something very quickly, preferably within two years, I think. For airliner development, that's very, very, very, very quickly. And they said, well, scrap all the plans about the new small airliner. We're going to change the 737 again. And now the new engines were going to be bigger, again. And so actually, there was no ground clearance to mount them in the same way as on the NG. So they had to modify the landing gear, to mount the engines even further forward and higher. And the engines were bigger. But the engines were, on the whole, a very good new development. The same type of engines that you could get for the new Airbus, CFM International. And so they decided to make the Boeing 737 4th generation and call it "the Max".

So when we analyze accidents, we use a causal analysis method called Why-Because Analysis. And we have a counterfactual test which determines if something is a cause of something else. We call it a necessary causal factor. And it's very simple. A is a causal factor of B if you can say: had A not happened, then B would not have happened either. So, I mean, you need to show for everything that there is a causal relationship and that all the factors that you have found are actually sufficient to cause the other event.
So 121 00:11:48,449 --> 00:11:51,819 you can probably not read everything of it, but it's not really important. This is 122 00:11:51,819 --> 00:11:57,960 a simplified graph and I will show the relevant details later.And this is the 123 00:11:57,960 --> 00:12:02,879 analysis that I made of these accidents. And you can see it's not a simple tree; as 124 00:12:02,879 --> 00:12:06,589 computer scientists, many of you are familiar with trees and this is just a 125 00:12:06,589 --> 00:12:15,110 directed graph and it can have branches and so on. And so some things are causal 126 00:12:15,110 --> 00:12:19,519 influence, causal effect of several different things. So some of the factors 127 00:12:19,519 --> 00:12:24,130 actually have an influence on multiple levels. For example, the airspeed 128 00:12:24,130 --> 00:12:29,819 influences the control forces and it also influences the time the crew had to 129 00:12:29,819 --> 00:12:36,910 recover the aircraft before impact with the ground. So these are some of the 130 00:12:36,910 --> 00:12:42,829 things that I will look at in a bit more detail. So here is one of them: 131 00:12:42,829 --> 00:12:47,249 Uncommanded nose down trim. So what happened apparently on these accident 132 00:12:47,249 --> 00:12:54,279 flights was that you can see it in the flight data recorder traces. I don't know. 133 00:12:54,279 --> 00:13:00,339 Can you see the mouse pointer? Here, that's the blue line. And that is labeled 134 00:13:00,339 --> 00:13:06,029 trim manual. And there's the orange line that is labeled Trim Automatic. And if 135 00:13:06,029 --> 00:13:14,240 they have, do displacement to the bottom, that means that the aircraft is being 136 00:13:14,240 --> 00:13:20,059 trimmed nose down, which means in order to continue to fly level, you have to pull 137 00:13:20,059 --> 00:13:25,309 the control column with more force towards you. 
And what you can see is, in the beginning, there are a few trim movements. And on this type, they are expected; it has an automatic trim system for some phases of flight which trims the aircraft to keep it flying stable. And then after a while, it started doing many automatic nose down trim movements. Each of these lasts almost 10 seconds and there is a pause between them. And in every case, the pilots counter the nose down trim movement with a nose up trim movement on the control yoke. There are switches that you operate with your thumb and you can trim the aircraft that way and change the control forces and cause the aircraft nose to go up or down. So for a very long time, this went on: the computer trimmed the aircraft nose down, the pilots trimmed the aircraft nose up, and so on. Until at the very end, you can see that the nose up trim movements that the pilots made become shorter and shorter. And this line here, it says pitch trim position. That is the resulting position of the trim control surface, which is the entire horizontal stabilizer on the aircraft. And it moves down and it doesn't really go up anymore because the pilot inputs become very short. And that means the control forces to keep the aircraft flying level become extremely high. And in the end, it became uncontrollable and crashed, as you can see here.
So the pilots, for various reasons which I will highlight later, were unable to trim the aircraft manually, and the nose down trim persisted and the aircraft crashed. And this is only the graph of one of the accidents. But the other one is very similar. And so that's what we see. There is a known system, which was already known before on the Boeing 737, I think it's available on all the old versions as well, which is called the speed trim system, which in some circumstances trims the aircraft automatically. But the inputs that we see, the automatic trim inputs, don't really fit the so-called speed trim system. And so for the first time, we hear the word MCAS.

And we'll talk a bit more about what made the Boeing 737 Max different from all the previous models. And that is the bigger engines. As I said, the engines were much bigger. And to achieve the necessary ground clearance, they had to be mounted further forward. And they are also a lot bigger, which means at high angles of attack, when the aircraft is flying against the stream of the oncoming air at a higher angle, these engine nacelles produce additional lift in front of the center of gravity, which creates a pitch up moment. And the certification criteria are quite strict in that and say exactly what the forces on the flight controls must be to be certified.
And due to the bigger engines, there were some phases or some angles of attack at which these certification criteria were no longer met. And so it was decided to introduce a small piece of software which would just introduce a small trim movement to bring it in line with certification criteria again. And one of the reasons this was done was probably so the aircraft could retain the same type certificate, as was mentioned in the introduction. So pilots can change within one airline between the aircraft, between the 737 NG and the 737 Max. They have the same type certificate. There's a very brief differences training, but they can switch even in line operations between the aircraft from day to day. And another reason: no other changes were made. Boeing could, for example, have made a longer main landing gear to create additional ground clearance to move the engines into a more traditional position; that would have probably made it more aerodynamically in line with certification criteria. I hesitate to say "to make it more stable" because even as it is, the Boeing 737 Max is not inherently aerodynamically unstable. If all these electronic gimmicks fail, it will just fly like an airplane and it is probably, in the normal flight envelope, easily controllable.
But to make big mechanical changes would have delayed the project a lot and would have required recertification, whereas with the airframe essentially the same, the certification could be what is known as grandfathered: so it doesn't need to fulfill all the current criteria of certification, because the aircraft has been certified and has been proven in service. And so only some of the modifications need to be recertified, which is much easier and much cheaper and much quicker.

So this is one of the certification criteria that must be fulfilled. Even though I have removed some of the additional stuff that doesn't really add anything useful, it's still rather complicated. It's a procedure that you have to do where you slow down one knot per second. And the stick forces need to increase with every knot of speed that you lose, and things like that. And it says this stick force versus speed curve may not be less than one pound for each six knots. And it's quite interesting, if you look at the European certification criteria, that they took this exact paragraph and just translated the US units into metric units, but really calculated the new value. So the European certification now has very strange values like, I don't know, 11.79 kilometers per hour per second or something like that. It's really strange. So you can see where it comes from.
But they said we can't have knots, even though the entire world except Russia and China basically flies in knots, even Western Europe. But the criteria in the certification specification need to be in kilometers per hour. Well, I would have thought that if you do the conversion, you would use meters per second, but they used kilometers per hour for whatever reason.

So due to the aerodynamic changes that were made, the Max did not quite fulfill the criteria to the letter. So something had to be done. And as I said, mechanical redesign was out of the question because it would have taken too long, would have been too expensive, and maybe would have broken the type certificate commonality. So they introduced just this little additional software in a computer that also existed already. And so it measures angle of attack, it measures airspeed and a few other parameters, flap configuration, for example, and then it applies nose down pitch trim as it sees fit. But it has a rather interesting design from a software engineering point of view. Can you read that? Is that... These are flight control computers. And one part of this flight control computer, one additional piece of software, is called the MCAS, the Maneuvering Characteristics Augmentation System. And the flight control computer actually gets input from both angle of attack sensors.
It has two, one on each side, for redundancy, but the MCAS algorithm only uses one of them, at least in the old version. In the new version, it will probably use both, if it ever gets recertified. And then if that angle of attack sensor senses a value that is too high, then it introduces nose down trim. And it may switch between flights between the left and the right sensor. But at any given time, for any given flight, it only ever uses one. So what could possibly go wrong here?

Here we can see what went wrong. It's the same graph as before, and I may direct your attention to this red line that says angle of attack indicated left and the green line which says angle of attack indicated right. So that is the data that the computer got from the angle of attack sensors. Both are recorded in the data recorder, but only one is evaluated by the MCAS. And you can see, here's the scale on the right, you can see that one is indicating relatively normally around zero, a bit above zero, which is to be expected during takeoff and climb. And the red value is about 20 degrees higher. And of course, that is above the threshold at which the MCAS activates. So it activates. Right. And apparently in the old version of the software, there were no sanity checks, no cross checks with other air data values like airspeed and altitude or other things. And it would be relatively easy to do. Not quite trivial.
You have to get it right in these kinds of things which influence flight controls, but nothing too fancy. But apparently that was also not done. So the MCAS became active.

So how could it happen? And it's still, to me, a bit of a mystery how it could actually get so far that it could be certified with this kind of system. The severity of each failure, the possible consequences, has to be evaluated. And the certification criteria specify five severities: catastrophic, hazardous, major, minor and no safety effect. The last one doesn't have to be analyzed any further, but for catastrophic failures, you have to do a very, very complex risk assessment and see what you can do and what needs to be done to bring it in line, to either mitigate the consequences or make it so extremely improbable that it is not going to happen. So here are the probabilities with which the certification criteria deal, and it's different orders of magnitude. There are usually two orders of magnitude between them. It's from a probability of 1 times 10 to the minus 5 per hour to 1 times 10 to the minus 9 per operating hour. And this is the risk matrix. Many of you are probably familiar with those. And it basically says if something is major, then it may not happen with a probability of probable. And if it's catastrophic, the only probability that is allowed for that is extremely improbable.
Which is less than once in a billion flight hours. Right. And to put that into perspective, the fleets with the most flight hours to date, I think, are in the low hundreds of millions of flight hours combined. So even for the 737 or the A320, we're still quite far away from a billion flight hours. So you might have expected perhaps one of these events, because statistical distribution being what it is, the one event might happen, of course, but certainly not two in less than two years. And quite obviously, the severity of these failures was catastrophic. I think there's no discussion about that.

And here's the relevant part, actually, about flight controls and the certification criteria, which was clearly violated. It says the airplane must be shown to be capable of continued safe flight for any single failure. Without further qualification, any single system that can break must not make the plane unflyable, or any combination of failures not shown to be extremely improbable, and extremely improbable is these 10 to the minus 9 per hour. And this hazard assessment must be performed for all systems, of course, and a severity must be assigned to all these. And the unintended MCAS activation was classified as major. And let's briefly look at that. What's major? Reduction in capability, maybe some injuries, major damage.
So nothing you can just shrug off, but certainly not an accident with hundreds of dead. And therefore, there are some regulations which say which kinds of specific analysis you have to do for the various categories. And for major, no big failure modes and effects analysis, FMEA, was required. And these are all findings from the Indonesian investigation board. And they're all in the report that is publicly downloadable. In the final version of the slides, I'll probably put some of the sources and links in there so you can read it for yourselves. It's quite eye opening. So only a very small failure analysis was made, comparatively small. It probably took a few man hours, but not as extensive as it should have been for the event had it been correctly classified as catastrophic. And some of these things that could happen were not at all considered, such as large stabilizer deflection, so continued trim movement in the same direction, or a repeated activation of the MCAS system, because apparently the only design of the MCAS system that the FAA saw was limited to a 0.6 degree deflection at high speeds and to one single activation only. And that was changed. And it is still unclear how that could happen. It was changed to multiple activations, even at high speed. And each activation could move the stabilizer as much as almost 2.5 degrees.
And there was no limit to how often it could activate. And what was also not considered was the effect on the flight characteristics caused by large movements of the stabilizer, or movement of the stabilizer to the limit of the MCAS authority. The MCAS doesn't have authority to move the stabilizer all the way to the mechanical stop, but only a bit short of that, which is much more than the manual electric trim is capable of trimming the airplane. You can always trim back with the manual electric trim switches on the yoke, but you cannot trim it nose down as far as MCAS can. So that's quite interesting. That was not considered. What was also not considered, at least it apparently wasn't in the report that the Indonesian agency had seen, was that flight crew workload increases dramatically if you have to pull on the yoke continuously with, let's say, a force equivalent to 40 or 50 kilograms continuously; otherwise, if you let go, you're going to go into a very steep nosedive. And at the low altitude that they were at, they would not have been able to recover the aircraft. And in fact, they weren't. What was also not considered was an AOA sensor failure in the way that we have seen it in these two accidents, although apparently those had different causes.
The effect for the MCAS was the same: one of the sensors showed a value that was about 22 and a half degrees too high. And that was not considered in the analysis of the MCAS system. So I hope that is readable. That is a simplified state machine of the MCAS system. And what we can see is that it can indeed activate repeatedly, but only if the pilot uses the manual electric trim in between. It will go into a dormant state if the pilot trims manually with the hand wheel, or if the pilot doesn't use the trim at all; it will go dormant after a single activation and stay that way until electric trim is used. So that's the basic upshot of this state machine. So when the pilot thinks he's doing something to counter the MCAS, he's actually making it worse. But this isn't documented in any pilot documentation anywhere. It will probably be in the next one, if it's still working like that. But so far it wasn't. So Boeing was under a lot of pressure to try to sell a new, more fuel efficient version of their 737. And so I can't say for sure how it was internally between the FAA and Boeing, but it's not unreasonable to assume that they were under a lot of pressure from management to accelerate certification and possibly take shortcuts.
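To make the re-arming behaviour just described concrete, the following toy model of the simplified MCAS state machine is added here as an illustration; it is not code from the talk, from Boeing or from any investigation report. The 2.5-degree movement per activation, the "one activation, then dormant" rule and the "electric trim re-arms it, hand wheel does not" rule follow the talk; the angle-of-attack trigger threshold, the MCAS authority limit and the stabilizer movement per pilot trim input are placeholder values chosen only so the cumulative effect is visible.

```python
"""Toy model of the simplified MCAS state machine described in the talk.

Constructed illustration for this transcript, not Boeing's or the talk's code.
The 2.5-degree per-activation movement, the single-activation-then-dormant
rule and the re-arm-on-electric-trim rule follow the talk; the remaining
numbers are placeholders chosen only to make the cumulative effect visible.
"""
from dataclasses import dataclass
from enum import Enum, auto


class McasState(Enum):
    ARMED = auto()    # may command nose-down trim if the AoA reading is high
    DORMANT = auto()  # has fired once; waits until electric trim is used
    CUTOUT = auto()   # stab trim cutout switches thrown: trim motors unpowered


class PilotAction(Enum):
    NONE = auto()
    ELECTRIC_TRIM_UP = auto()    # yoke thumb switches (trim motor)
    HAND_WHEEL_TRIM_UP = auto()  # manual trim wheel on the center console
    CUTOUT_SWITCHES = auto()     # runaway-stabilizer procedure: cut trim power


# Placeholder values (assumptions for this illustration, not certified data)
AOA_TRIGGER_DEG = 15.0        # AoA reading above which MCAS commands trim
MCAS_AUTHORITY_DEG = -10.0    # MCAS nose-down limit, short of the mechanical stop
PILOT_TRIM_STEP_DEG = 1.0     # stabilizer movement per pilot trim input
# From the talk
MCAS_STEP_DEG = 2.5           # nose-down stabilizer movement per MCAS activation


@dataclass
class TrimSystem:
    stabilizer_deg: float = 0.0          # negative = nose-down trim
    state: McasState = McasState.ARMED
    activations: int = 0

    def step(self, aoa_reading_deg: float, action: PilotAction) -> "TrimSystem":
        """Advance one cycle: apply the pilot's input, then let MCAS act."""
        if action is PilotAction.CUTOUT_SWITCHES:
            self.state = McasState.CUTOUT
        elif action is PilotAction.ELECTRIC_TRIM_UP:
            if self.state is not McasState.CUTOUT:
                self.stabilizer_deg += PILOT_TRIM_STEP_DEG
                # Using electric trim is what re-arms MCAS for another activation.
                self.state = McasState.ARMED
        elif action is PilotAction.HAND_WHEEL_TRIM_UP:
            # The hand wheel works with the motors cut out and does not re-arm MCAS.
            self.stabilizer_deg += PILOT_TRIM_STEP_DEG
            if self.state is McasState.ARMED:
                self.state = McasState.DORMANT

        if self.state is McasState.ARMED and aoa_reading_deg > AOA_TRIGGER_DEG:
            self.stabilizer_deg = max(MCAS_AUTHORITY_DEG,
                                      self.stabilizer_deg - MCAS_STEP_DEG)
            self.activations += 1
            self.state = McasState.DORMANT  # one activation, then wait for electric trim
        return self


def run_scenario(actions, true_aoa_deg=3.0, sensor_offset_deg=22.5):
    """Drive the model with a stuck-high AoA sensor and a list of pilot inputs.

    Returns (final stabilizer angle, number of MCAS activations, final state).
    """
    system = TrimSystem()
    for action in actions:
        system.step(true_aoa_deg + sensor_offset_deg, action)
    return system.stabilizer_deg, system.activations, system.state


if __name__ == "__main__":
    A = PilotAction
    # Pilot counters each nose-down movement with electric trim: MCAS re-arms
    # every time and walks the stabilizer to its authority limit.
    print("counter with electric trim:", run_scenario([A.NONE] + [A.ELECTRIC_TRIM_UP] * 5))
    # Pilot never touches the trim: MCAS fires once and stays dormant.
    print("no trim input:             ", run_scenario([A.NONE] * 4))
    # Runaway-stabilizer procedure: cut the motors, then trim by hand wheel.
    print("cutout, then hand wheel:   ", run_scenario(
        [A.NONE, A.CUTOUT_SWITCHES] + [A.HAND_WHEEL_TRIM_UP] * 3))
```

The first scenario is the point of the state machine: each electric counter-trim input both moves the stabilizer back a little and re-arms MCAS, so with a stuck-high sensor the net movement per cycle is nose-down and the stabilizer ends at the MCAS limit. The second shows the single-activation behaviour when no trim is used, and the third shows why the cutout switches plus hand-wheel trim stop the sequence in this model.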
I can't make any accusations here, but it looks like not all is well in the certification department between Boeing and the Federal Aviation Authority. So originally, the idea, of course, is that the manufacturer builds the aircraft, analyzes everything, documents everything, and the FAA checks all the documentation and maybe even looks at original data and maybe looks at the physical pieces that are being made for the prototype, and approves or rejects the documentation. There is already a potential conflict that is not there in most other countries, because they have separate agencies. But the FAA has a dual mandate. It is supposed to promote aviation, to make it more efficient, but also to ensure aviation safety. And there may be conflicts of interest, I think. So here's what this certification has been like up until, not quite sure, 10, 15 years ago. So the FAA, the actual government agency, the Aviation Authority, appoints a designated engineering representative. The DER is employed and paid by Boeing, but is accountable only to the FAA. And the DER checks and documents everything that is being done. There's usually more than one, but for simplicity's sake, let's say one.
And the DER then reports the findings and all the documentation, all the low level engineering and analysis documentation that has been done, to the FAA, and the FAA signs off on that, or asks questions and visits the company and looks at things and makes audits and everything like that. And so that usually has been working more or less, and has certainly improved the overall safety of airliners that have been built in the last decades. And this is the new version. And the person is now not called DER, but it's called AR, the authorized representative, who is still employed and paid by Boeing. That hasn't changed, but is appointed by Boeing management and reports to Boeing management. And the Boeing management compiles a report and sends that to the FAA, and the FAA then signs off on the report. They hopefully at least read it, but they don't have all the low level engineering details readily available and only rarely speak to the actual engineers. So anyone seeing a problem here? Well, you have to say that most aircraft that have been built in the last years aren't really terrible. Right. The 787 is a new aircraft. The 777 has been one of the safest aircraft around, at least looking at the flight hours that it has accumulated. So it's not all bad, but there's potential for real, really bad screw ups, I guess.
There's another factor maybe that I've briefly mentioned, which is that the Boeing 737, even in its latest version, is not computer controlled. It's not fly by wire, although it has some computers, as we have seen, that can move some control surfaces. But mostly it really looks like that. I think that's an actual photo from a 737; it has some corrosion on it, so it's probably not a Max but an older version, but it's basically the same, which is also why the grandfathering certification still works. So it's all cables and pulleys, and even if both hydraulic systems fail - so, yes, the flight controls are hydraulically assisted - but if both hydraulic systems fail, with the combined forces of both pilots you can still fly it and you can still land it. That usually works, except when it doesn't. And the cases where it doesn't work are when the aircraft is going very fast and has a very high stabilizer deflection. And this is from a video some of you may have seen; it's from Mentour Pilot. And he has actually tested that in a full flight simulator, which represents realistic forces on all flight controls, including the trim wheel. You can see in the center console under the thrust levers there are these two shiny black wheels, and they are the trim wheels. You can move them manually in all phases of flight to trim the aircraft.
If electric trim is not available.
Pilot: The normal trim system would not do this. OK. It would require manual trimming to get it away from this. That's fine, it's fine, trim it backwards. Trim it backwards again.
Bernd: So now he is trying to trim it nose up again after he has manually trimmed it nose down, because the normal electric trim system cannot trim it so far nose down. They have to do it manually. And now he is trying to trim it back nose up from the position which is known from the flight data recorder that it was in on the accident flight, and is trying to trim it manually, because some people said: "oh, turn off the electric trim, the electric trim system, and trim it manually. That will always work." And they're trying to do that. And it has forces representative of the real aircraft.
Copilot: Oh my god. *heavy breathing*
Pilot: OK, pause the rec...
Bernd: And you can see that the pilot on the left, the captain, can't even help him - in theory, both could turn the crank at the same time, and they have a handle on both sides - because he has to hold the control column with all his force. So you can't let go. He must hold it with both arms. Otherwise, it would go into a nosedive immediately. And this is the physical situation with which the pilots were confronted in the accident flight.
And he now says: "press the red button in the simulator." So end the simulation, because it's clear that they're going to crash. So there is another thing that came up after the accidents, and 737 pilots said: "oh, it's just a runaway trim, runaway stabilizer trim, there's a procedure for that, and just do the procedure and you'll be fine." Well, runaway stabilizer trim is one of the emergency procedures that is trained ad infinitum. Right. That's something that every 737 pilot is aware of, because there are some conditions under which the trim motor always gets electric current and doesn't stop running. That just happens occasionally, not very often, but occasionally. And every pilot is primed to recognize the symptoms: oh, this is a runaway stabilizer. And you turn off the electric motors for the stabilizer trim and trim manually, and that'll work. But if you look at what the actual symptoms of a runaway stabilizer are, it says uncommanded stabilizer trim movement occurs continuously. And MCAS movement isn't continuous; MCAS trim movement is more like the speed trim system, which occurs intermittently and then stops, and then trims again for a bit and then stops again. So most pilots wouldn't recognize this as a runaway trim, because the symptoms are very different. The circumstances are different.
So I guess some pilots might have recognized that there's something going on with the trim that is not right and will have turned it off. But some didn't, even though they all know about runaway stabilizer. And yeah, that's the second file that I have. *loud rattling noise* So that's the sound the stick shaker makes on a Boeing 737. And now imagine flying with that sound all the while shaking the control column violently, flying with that going on for an hour. And that's what the crew on the previous flight did. They flew the entire flight of about an hour with the stick shaker going. I mean, that's quite interesting, because the stick shaker says your wing is about to stall. Right. But on the other hand, they knew they were flying level. They were flying fast enough. Everything was fine. The aircraft wasn't about to stall because it was going fast. Right. So from an aerodynamics perspective, of course, they could fly the airplane, because they knew it was nowhere near a stall. But still, I think in most countries and most airlines, they would have just turned around and landed again, saying the aircraft is broken, please fix it. Something is wrong. But yeah. So the stick shaker is activated by the angle of attack reading on each side, and the sticks are mechanically coupled, so both of them will shake with activation from either side.
So is it going to fly again? It's still somewhat of an open question, but I suspect that it will, because it's hard to imagine letting these 460 airplanes, or something like that, that have been built, sometimes sitting around on employee parking lots like here, just be scrapped or whatever. I don't know. Almost 5000 have been ordered. As I said, neither airlines nor Boeing will be happy. But it's not quite clear. It's not yet being certified again. So it's still unairworthy. So there's another little thing, certification issues with new Boeing aircraft. Reminded me of this. Have you ever seen that? So battery exhaust - which aircraft has a battery exhaust? I mean, what do you do with that? Does anybody know? Yeah, of course some know. Yeah. Boeing 787 Dreamliner. Less than two years after introduction, after entering service, actually had two major battery fires. They have two big lithium ion batteries. Lithium, lithium cobalt, I think, not sure. The one that burns the brightest. *laughter*
Bernd: Because they wanted the energy density, really, and that wasn't available in other packages. If they had used nickel cadmium batteries instead, they would have been like 40 kilograms heavier for two batteries. That's almost a passenger. So yeah, they were onboard fires.
And if you ask pilots what's your worst fear of something happening in flight, they'll say: flight control failure and fire. So you don't want to have a fire in the air, absolutely not. And one of the fires was actually in flight with passengers on board. One was on the ground shortly after disembarking. And the lithium ion batteries, because they are unusual and a novel feature, as it's called, have special certification conditions, because they are not covered by the original certification criteria, and it says here: Safe cell temperatures and pressures must be maintained during any foreseeable condition and during any failure of the charging system not shown to be extremely improbable... extremely remote, sorry. And extremely remote is actually two orders of magnitude more frequent than extremely improbable. Extremely remote is only less than once every 10 million flight hours. But I think the combined flight hours for the 787 at that time were, not quite sure, maybe a few hundred thousand at most. And it also happened two times. That was not really fun. And then it says no explosive or toxic gases emitted as the result of any failure may accumulate in hazardous quantities within the airplane. I think they've neatly solved the third point by putting the battery in a stainless steel box, really thick walls, maybe, I don't know, eight millimeters or something like that.
And piping them to this hole in the bottom of the aircraft. So the gases cannot accumulate in the aircraft, obviously. So, yes. And with that, I'm at the end of my talk, and there's now, I think, quite some time for questions. Thank you. *applause*
Herald: Extremely punctual, I have to say. Thank you for this interesting talk. We do have the opportunity for quite some questions and a healthy discussion. Please come to the microphones that we have distributed through the hall. And while you queue up behind them: Do we have a question from the Internet already? Dear Signal Angel, is your microphone working?
Signal Angel: No.
Herald: Yes.
Signal Angel: Yes. Do you think extensive software tests could have solved this situation?
Bernd: Software tests in this case, perhaps? Yes. Although software tests are really a problematic thing, because to test software to the extreme reliability that is required, you really have to test it for a very, very, very, very long time indeed. So to achieve some confidence, say 99 percent, that a failure will not occur in, say, 10 million hours, you will have to test it for 45 million hours. Really. And you have to test it with the exact conditions that will occur in flight. And apparently nobody thought of an angle of attack failure, angle of attack sensor failure.
So maybe testing wouldn't have done a lot in this case.
Herald: Thank you. Microphone number four.
Mic4: Yes. Thank you for the talk. I've got a question concerning the grounding. So what is your view that the FAA waited so long until they finally grounded the aircraft, a week after the Chinese started with grounding?
Bernd: Yes, that's a good point. And I think it's an absolute disgrace that they waited so long. Even after the first crash, they made an internal study, and it was reported in the news some weeks ago, and estimated that during the lifetime of the 737 Max probably around 15 aircraft would crash. So I'd say every two to three years one of them would crash, and they still didn't ground it and waited until four days after the second accident. Yes, it's a shame, really.
Herald: Thank you. Microphone number seven, please.
Mic7: Thank you for your talk. I have a question regarding the design decision to only use one AOA sensor. So I've read that Boeing used the MCAS system before on a military aircraft, and that used both sensors. So why was that decision made to downgrade?
Bernd: Yeah, that's a good question. I'm not aware of that military system, if that was really exactly the same. But if that's the case, yes, that makes it even stranger that they chose to use only one in this case. Yes. Thank you.
Herald: Okay, microphone number two, please.
Mic2: Yeah. Thank you for your talk. So how do you actually test these requirements in practice? So how do you determine in practice if something is likely to fail every ten to the minus nine as opposed to every ten to the minus eight?
Bernd: No, that's obviously practically completely impossible. You can't. As I said, if you want to have a reasonable confidence that the error rate is really so low, you'd have to test it for four and a half billion hours in operation, which is just impossible. What instead is done: there are some industry standards for aviation, that is DO-178, currently in revision C, and that says if you have software that, if it fails, may have consequences of this severity, then you have to use these very strict, very formal methods for developing the software, like doing very strict and formal requirements analysis, specification in a formal language, preferably. And, if possible, and some companies actually do that, formally prove your source code correct. And in some languages that can be done. But it's a lot of effort. And that's how this should be done. And this software obviously should have been developed to the highest level according to DO-178, which is level A, and quite obviously it wasn't.
Herald: Thank you. Signal Angel, please. The next question from the Internet.
Signal Angel: The talk focused mostly on MCAS, but someone noted that the plane was actually designed for engines below the wings, and the NG model, so the one before, already had problems with the wing mounts and engine mounts. Do you think there will be mechanical problems with the Max, too?
Bernd: I'm not sure there were really mechanical problems. There were aerodynamic problems. And apparently... well, I'm sure they have tested the NG to the same standards, to the same certification standards, because obviously there were aerodynamic changes even with the NG. And the NG apparently still fulfilled the formal criteria of the certification. There are some acceptable means of compliance and quite specific descriptions of how you test these stick forces versus airspeed. And as far as I know, the NG just fulfilled them. And the Max just didn't. So for the Max, something was required, although even the classic, which basically had the same engine as the NG - even the classic had some problems there. That's where the speed trim system was introduced. And so it has a similar system, and actually the MCAS is just another little algorithm in the computer that also does the speed trim system.
Herald: Please stay seated and buckled up until we reach our parking position. No. We are still in the Q&A phase. Please stay seated and please be quiet so we can enjoy all of this talk.
And if you have to leave, then be super quiet right now. It is way too loud in here, please. The next question from microphone number one.
Mic1: So considering lessons learned from this accident, has the FAA already changed the certification process, or are they about to change it? Or what about other agencies worldwide?
Bernd: The FAA is probably going to move very slowly. And I'm not aware of any specific changes yet, but I haven't looked into too much detail on that. Other certification agencies work somewhat differently. And at least the EASA in Europe and the Chinese authorities have already indicated that in this case they are not going to follow the FAA certification, but are going to do their own. And until now, it was usually the case that if the FAA certified the airplane, everybody else in the world just took that certification and said what the FAA did is probably fine, and vice versa. When the EASA certified a Boeing airplane, then the FAA would also certify it. And that is probably changing now.
Herald: Thank you. Microphone number 3.
Mic3: So, hi. Thank you for this talk. Two questions, please. Were you part of an official investigation, or is this your own analysis of the facts? Here's the other one. I heard something about this software being outsourced to India. Can you comment on that, please?
Bernd: The first one: no, this is my own private analysis. I have been doing some accident analysis for a living for a while, but not for any official agency, always for private customers. And about outsourcing to India, I'm not quite sure about that. I've read something like that. And what I've read is that it was produced by Honeywell, I think. I may be wrong about that, but I think it was Honeywell. And where the actual programmers were sitting: if it's done properly, according to the methodologies prescribed by DO-178 and fulfilling all those requirements, then where the programmers sit is actually not that important. And I don't want to deride Indian programmers, and I think if it's done according to specification and analyzed with static code analysis and everything else vis-à-vis the specification, then that would also be fine, I guess. But the problem is not so much really in the implementation, but in the design of the system, in the architecture.
Herald: Thank you. Microphone number 5, please.
Mic5: Hello. I may have got your presentation wrong, but for me, the real root cause of the problem is the competition and high deadline from the management.
So the question for you is: are there any suggestions from you that the process could be, I dunno, maybe changed in order to avoid the bugs in the software and have the mission critical systems safe?
Bernd: Yeah. So we don't normally just talk about THE cause or THE root cause, but there are always several causes. Basically you can say, depending on where you stop with the graph - where is it? - where you stop with the graph, all the leaves on the graph are root causes. But I've stopped relatively early and I've not gone into any more detail on that, but yeah. The competition between Airbus and Boeing obviously was a big factor in this. And I don't suppose you do suggest that we abolish competition in the market. But what needs to be changed, I think, is the way certification is done. And that requires the FAA reasserting its authority much more. And that will probably require a lot more personnel with good engineering background, and maybe that would require the FAA paying better wages. So I don't know, because currently probably all the good engineers will go to Boeing instead of the FAA. But the FAA dearly needs engineering expertise, and lots of it.
Herald: Thank you. The next question we hear from microphone number 4.
Mic4: Hi. Thank you for the talk.
I've heard that there is - I've heard - I've read that there's a version of the 737 Max 8 that did allow for a third AOA sensor present that served as a backup for either sensor, but that this was a paid option. And I have not found confirmation of this. Do you know anything about this?

Bernd: No, I'm not aware of that as a paid option. There was something about an optional feature that was called a safety feature, but I can't exactly remember what that was. Maybe it was an angle of attack indicator in the cockpit that is available as an option, I think, for the 737 for most models, because the sensor is there anyway. As for a third AOA sensor, I'd be surprised if that was an option, because that is a major change and requires a major change to all the system layout. Then you'd need an additional air data inertial reference unit, which is a big computer box in the aircraft, of which there are only two. And that would've taken a long, long time in addition to develop. So I'm skeptical about that third angle of attack sensor. At least I've not heard of it.

Herald: Thank you. Signal angel, do we have more from the internet? Please, one quick one.

Signal angel: If you need a quick one: would you ever fly with a 737 Max again if it was ever cleared again?
*applause*

Bernd: I was expecting that question.
And actually I don't have an answer yet for that. And that maybe would depend on how I see the FAA and the EASA doing the certification. I've seen some people saying that the 737 Max should never be recertified. I think that it will be. And I'll look at it in some detail, seeing how the FAA develops and how the EASA is handling it. And then maybe. Yes.

Herald: Great. Okay, in that case, we will take one more very short question from microphone number 5.

Mic5: Do you know why the important AOA sensor failed to give the correct values?

Bernd: There are some theories about that, but I haven't investigated that in any more detail now. There were some stories that in the case of the Indonesian one, the Lion Air, it was actually mounted or reassembled incorrectly. That would explain why there was a constant offset. It may also have been - somebody calculated that it was actually, exactly - if you look at the raw data that is being delivered on the bus - there was exactly one flipped bit, which is also a possibility. But I don't really know. But there were some implications in the report. Maybe I have to read that section again from the Indonesian authorities about substandard maintenance, as it is euphemistically called.

Herald: OK. We have two more minutes. So I will take another question from microphone number 1.
Mic1: Hey, I would have expected that modern aircraft would have some plug, a physical plug, a hermetic one, that would disconnect any automated system. Isn't this something that exists in our planes today?

Bernd: No, and especially modern aircraft can't just disconnect the automatics, because if you look at modern fly-by-wire aircraft, there is no connection between the flight controls and the control surfaces. There's only a computer, and the flight controls that the pilots handle are only inputs to the computer, and there's no direct connection. That is true for every Airbus since the A320, for every Boeing since the triple 7, so the triple 7 and the 787 are totally 100 percent fly-by-wire. Well, I think 95 percent, because there's one control surface that is directly connected, one spoiler on each side. But basically, there's no way. And so you have to make sure that flight control software is developed to the highest possible standards. Because you can't turn it off, because that's everything. That's, well, let me put it this way: on the fly-by-wire aircraft, only the computer can control the flight, the flight control surfaces, now. So I just hope that it's good.

Herald: Think about that when you next enter a plane. And also, please give a big round of applause for our speaker Bernd.
*applause*
*36c3 postroll music*
Subtitles created by c3subtitles.de in the year 2020. Join, and help us!