Broken AOA sensor in Lion Air 737 MAX 8 crash linked to a Florida-based aerospace company

Jakarta - A faulty AOA (Angle of attack) sensor that caused a Lion Air Boeing 737 MAX 8 to crash in Jakarta last year was linked to a Florida-based aerospace company in the investigation report.

As a robotics engineer, I am constantly tweaking programs to monitor for sensors that might be in the incorrect state based on the machine's state, and then notify an operator or maintenance to take a look. I am utterly baffled how there appears to be no backup for a failed AOA sensor - another AOA sensor, altitude signal from GPS that indicates "Um, you are heading into the ground rapidly". Frozen pitot tubes also make me wonder why modern GPS velocity signals are not used in conjunction with the pitot's signal to determine if one of them is out of whack. I am fascinated by this lack of backup via signals that are trivial on a modern GPS. I would love to hear from engineers and/or pilots where my thinking is incorrect, because it must be incorrect.
The simple fact is that dual-redundancy does not work. Without a third input, one is as likely to ignore the correct sensor as the faulty one. Normally, the crew is that third input, judging that an AOA is out of whack if it conflicts markedly with other indications of aircraft attitude such as the horizon, artificial or real. The 737MAX8 MCAS does not appear to have a tie-breaker for the computer to determine which sensor has gone bad. Boeing should perhaps consider adding a third AOA or at least implementing an algorithm to compare the AOA data with that from the artificial horizon gyros for reasonableness.
This is not correct. A two sensor voting system does not provide the same type of voting as a 2oo3 system does, and the designer has options.

If there is "significant" disagreement between the sensors and one is in alarm, the system can be designed to execute the protection logic; the logic activates on a 1oo2 basis. This would actually make the aircraft twice as vulnerable to a sensor failure. Either sensor can cause a false activation. But it provides a backup activation of the logic by allowing either sensor to initiate it.

The other option is to require a 2oo2 vote on the sensors. BOTH sensors have to agree to activate the logic. This means that a failed safe sensor will cause the logic to never activate. But it provides protection against a single sensor failure.

The choice between these two options for a 2 sensor system depends on the consequence of failure in each case. Is it safer to require activation of the logic on a failed sensor or to minimize activation of the logic on a failed sensor?
That is pretty much what I said. Dual redundancy works if one sensor simply stops working but fails when one produces incorrect data as was the case in these crashes. Perhaps the real issue is not software, per se, but that the sensor suite on the aircraft is not adequate to the needs of a semi-autonomous system.
No. Dual sensor redundancy DOES work. The user has to decide between Type I and Type II error vulnerability.

If the system is designed to require a 2oo2 vote to activate MCAS, a single sensor failure would disable MCAS, not activate it. The pilot would assume manual control and responsibility to correct for any unintended nose up condition.
In the case you describe, the pilot consults other sensors to decide which of the dual-redundant sensors is in error. My statement stands: dual redundancy alone does not work.
You keep describing a dual sensor Safety Integrity Function as if it is a singular configuration. You are wrong.

There are two possible configurations that can be assembled from a dual sensor design.
1) A ONE OUT OF TWO voting configuration (1oo2).
2) A TWO OUT OF TWO voting configuration (2oo2).

Once this makes sense, please reread my earlier posts to develop an understanding in how they work and what the limitations are of each.

BOTH configurations of a two sensor SIF work, and are in use all over the world.
I am talking about redundancy management in autonomous systems. What you describe is just fine when there is a pilot in the loop, or at least ready to jump into the loop. But in the crashes, the MCAS operated autonomously. In other incidents that did not result in crashes the pilots disengaged it. So, either the automation needs to be programmed to shut off in the case of a sensor conflict, or be designed so as to resolve that conflict on its own. It is nearly impossible to resolve a conflict in a 1oo2 configuration. Again, human pilots resolve them using other sensors. The question comes down to whether we want the aircraft to be autonomous or pilot in the loop. Boeing appears to have handled the interface between the two rather poorly. Of course, I may be simply seeing the problem through eyes of someone with a space background where autonomy is the rule.
If a dual sensor SIF is designed as 1oo2, you are not leaving the system up to the operator. Just the opposite. You are designing the system to default to taking autonomous action, and willing to accept twice the chance of a spurious trip due to a sensor malfunction in the trip direction. This is a Type I error, a false activation.

If a dual sensor SIF is designed as 2oo2, you are minimizing a spurious trip due to a sensor malfunction in the trip direction by requiring agreement of two sensors, just like in a 2oo3 voting system. But you are willing to accept a much greater chance of NOT acting when needed. This is a Type II error, failure to activate.

The existing 1oo1 system acted just like a 1oo2 system, but if it had been 1oo2 either AOA sensor could have caused MCAS to activate, so there would have been twice the exposure to a sensor failure in the trip direction, which is what happened to Lion and Ethiopian. With either a 1oo1 or a 1oo2 design the pilot has to respond to a false trip, deactivate MCAS, and then fly the plane himself.

A 2oo2 system would have ignored the bad sensor on both Lion and Ethiopian because both sensors would have had to read high AOA to activate MCAS. But if an AOA sensor had failed in the safe direction, the MCAS would not have activated even if needed because the bad sensor would have never voted to trip. A pilot would have to respond to the stall condition himself as if MCAS did not exist.

It is also common with the design of 2oo2 SIFs to deactivate the SIF on high deviation between sensors. If a false trip is highly hazardous, this design prevents a false vote to trip from reducing the logic to 1oo1. Both sensors must stay in agreement, and both sensors must vote to trip.

Depending on the hazards associated with a false trip (Type I) and the hazards associated with not tripping when required (Type II), the designer selects the appropriate voting scheme. In this case, I think it is obvious that a 2oo2 design would be much preferred over a 1oo1 or 1oo2 design.

BOTH dual redundancy voting schemes are legitimate. Each provides additional protection over a 1oo1 sensor design for certain hazards. Both work.
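As an added illustration (not code from any commenter on this thread), the three voting schemes discussed above, 1oo2, 2oo2 with and without the deviation-disable, and 2oo3, as a small Python model run over constructed left/right AOA readings; the trip threshold, the allowable deviation and the readings are hypothetical values chosen for the demonstration, not figures from the accident reports:

```python
"""Model of the dual-sensor voting schemes discussed above (1oo2, 2oo2 with
and without deviation disable, 2oo3), evaluated on constructed AOA readings."""

# Hypothetical thresholds chosen for illustration, not real MCAS parameters.
TRIP_AOA_DEG = 15.0        # a reading at or above this is a "vote to trip"
MAX_DEVIATION_DEG = 5.5    # larger left/right disagreement flags a bad sensor


def sensor_votes(readings, threshold=TRIP_AOA_DEG):
    """One boolean vote per sensor; a dead sensor (None) never votes to trip."""
    return [r is not None and r >= threshold for r in readings]


def vote_1oo2(left, right):
    """Either sensor alone activates the logic: fewest missed activations
    (Type II), but twice the exposure to a false trip (Type I)."""
    return "TRIP" if any(sensor_votes([left, right])) else "NO_TRIP"


def vote_2oo2(left, right, max_dev=MAX_DEVIATION_DEG, disable_on_deviation=True):
    """Both sensors must vote to trip. With disable_on_deviation, a large
    disagreement (or a dead sensor) takes the function offline, so one bad
    sensor can neither trip it nor quietly reduce the logic to 1oo1."""
    dead = left is None or right is None
    if disable_on_deviation and (dead or abs(left - right) > max_dev):
        return "DISABLED"
    return "TRIP" if all(sensor_votes([left, right])) else "NO_TRIP"


def vote_2oo3(a, b, c):
    """Majority of three: a single faulty sensor is outvoted in either direction."""
    return "TRIP" if sum(sensor_votes([a, b, c])) >= 2 else "NO_TRIP"


def disagreement_alert(left, right, max_dev=MAX_DEVIATION_DEG):
    """Independent 'sensors disagree' indication for the crew, whatever the scheme."""
    return left is None or right is None or abs(left - right) > max_dev


# Constructed scenarios (left, right) in degrees; not data from the accident reports.
SCENARIOS = {
    "normal cruise":          (3.0, 3.2),
    "left sensor stuck high": (21.0, 3.1),   # failure in the trip direction
    "left sensor failed low": (2.0, 18.5),   # failure in the safe direction during real high AOA
    "genuine high AOA":       (18.0, 18.4),
}


def run_all():
    """Decision of each scheme for every scenario, plus whether a disagree alert fires."""
    out = {}
    for name, (l, r) in SCENARIOS.items():
        out[name] = {
            "1oo2": vote_1oo2(l, r),
            "2oo2": vote_2oo2(l, r, disable_on_deviation=False),
            "2oo2+disable": vote_2oo2(l, r),
            "alert": disagreement_alert(l, r),
        }
    return out


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:24s} {result}")
```

The stuck-high row shows the trade the thread describes: 1oo2 trips on the bad sensor, plain 2oo2 ignores it, and 2oo2 with the deviation check takes the function offline while the disagree alert fires.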
Ok, now I see what you were driving at. But there is a flaw in your logic. You argue that unless both show a nose-high condition, you ignore the one that does. But what happens if the one reading nose-high is correct and you ignore it? The plane falls out of the sky. When you have only two sensors and they disagree, choosing to believe one is, at best, a risky proposition. There is no reason for the flight control system not to compare AOA data with other sensors. What you describe is the reason why fly-by-wire systems fail.
I'm not claiming that a two sensor system is best. A 2oo3 array corrects for the liabilities of both 1oo2 and 2oo2.

But for this system, the hazard is MCAS acting when it shouldn't. Not acting when it should is less of a hazard.

First pilot response in an emergency: Fly the plane. And even if the 2oo2 system fails to act automatically, a single sensor high should be providing an alarm to the pilots so that they can respond. That is the backup to a single sensor failed low.

So for existing hardware, a 2oo2 SIF design would be the safest alternative and would provide effective redundancy.
You are entirely correct. Given the necessary information, the pilot usually can determine which sensor is operating properly. The underlying issue, it seems to me, is human factors engineering. Withholding critical information, like sensor disagreement, from the pilot is a recipe for disaster. Boeing does not appear to have done an adequate job integrating the human into the fly-by-wire system. Neither has Airbus, for that matter, as AF447 showed.
I'll take a stab at this Bill, as in my opinion your logic is sound and your thinking is not entirely incorrect, just incomplete. When GPS was in its infancy it only knew basic navigation functions such as location, i.e. lat., longs., speed over ground and altitude with a much less accurate degree of certainty. The modern GPS FMS systems are integrated to a degree once unimaginable and require inputs from multiple sensors and data processors that enable the FMS GPS combo to tell us all kinds of things that are not available with multiple sensor and system failures upstream. Ergo, given the loss of certain upstream info a GPS in a modern aircraft reverts to what it did in the beginning, if the GPS itself hasn't failed. And that is not enough info. to maintain aircraft control, or regain same in IMC conditions when the rest of the whiz bang stuff has a fatal error. In the sim. when all that stuff starts failing, we call it a "bad day". In the airplane it is becoming an ever more complex tragedy. my 2cts.
In principle, GPS interferometry could provide pitch and roll angles relative to the ground, but airplanes really don't care about the ground, they care about their motion relative to the air mass. GPS is useless for that.
“Airplanes really don’t care about the ground, they care about their motion relative to the air mass” is not entirely accurate, is it? While the wings - not the fuselage - of the aircraft is where lift occurs, the relationship of the wings relative to the ground matters because if your nose-up pitch exceeds 15-20 degrees without an increase in thrust an aerodynamic stall can result. Therefore, would the combination of GPS data as suggested by Bill coupled with data from an onboard gyroscope not provide more reliable information about the wings’ true AOA?
I overstated the case a bit. GPS interferometry can provide the direction cosines between the aircraft frame of reference and gravity vector, thus the roll and pitch angles. In the absence of an up- or downdraft, the angle of attack is a function of the pitch angle. The gyros in the artificial horizon provide the same information with far less complexity. Ultimately, however, it is the alpha and beta angles--angles of attack and yaw--relative to the air speed that determine whether a plane flies or not.
lvenable 7
For a very long time there has been a perception that Boeing leaned toward the pilot first and the software second, and that Airbus used the opposite philosophy. Boeing now seems to have changed their approach, by implementing flight software that cannot be easily overridden. If you don't trust a pilot's ability to fly the airplane, why is he there?
In this case it seems to have been a marketing decision. They wanted to sell the MAX as not requiring those expensive simulator hours so came up with a system to take over when things went south.
lvenable 1
I think the root of the problem lies in the decision to put the larger engines on an airframe with insufficient ground clearance without changing the landing gear. Tucking the engines tighter to the wing seems to have changed the stall characteristic of the old wing design. Definitely an economic decision which seems to have backfired for now.
The stall characteristics of the aircraft are not at issue. The problem is that the MCAS software failed to identify the faulty AOA sensor or to alert the crew that the two sensors disagreed.
lvenable 1
I don't disagree with your point, but there are other factors involved with the design of the MAX.
lvenable 1
From the article:

To fit the Max's larger, more fuel-efficient engines, Boeing had to position the engine farther forward and up. This change disrupted the plane's center of gravity and caused the Max to have a tendency to tip its nose upward during flight, increasing the likelihood of a stall. MCAS is designed to automatically counteract that tendency and point the nose of the plane down when the plane's angle-of-attack (AOA) sensor triggers a warning.
A photo released after the Lion Air crash showed an AOA sensor manufactured by Minnesota-based Rosemount Aerospace, a subsidiary of United Technologies Aerospace that has undergone at least three corporate ownership changes over the past several years. Perhaps it is time to examine the impact of aerospace industry consolidation on quality control. Furthermore, the company that this report says repaired that sensor was acquired by Wencor Group in 2014. The same year Wencor was acquired by Warburg Pincus, a NYC-based equity firm whose president is former Treasury Secretary Tim Geithner.
Another version of the Article:
Hey Sparkie
You normally tolerate some of my "stupid" comments so what do you think about this one which may sound stupid but is actually serious.

It seems to me that a metal triangle to sense the airflow at the nose is a really crude way to assess whether (and where along them) either of the two wings, way aft and outboard of the nose AOA indicator, is stalling, especially if you sometimes significantly alter the chord of the wing with slats, flaps etc, or in a steep turn with one wing moving slower relative to the airflow than the other and dozens of feet away, where the actual wind might be different.

Why not have a series of pressure sensors along the underside of each wing to detect the lift being generated? That way as a stall begins, the points where it is beginning would be identified by the drop in lift (ie pressure) relative to adjacent sensors. Alternatively along the top of the wing some sort of sensor array could be used to detect the region of disturbance or turbulence which develops with the onset of separation preceding a stall. I know pilots might not like adding another instrument but a horizontal bar with a series of tricolor LEDs (red, orange, green) could be tied to each sensor to indicate an incipient stall (orange) or actual stall (red) at that sensor's location.
The AOA sensor does not detect a stall. It simply measures the angle of the wing with respect to the flow of air. The stall-prevention software infers that a stall is imminent if that angle and airspeed are outside certain parameters.
Wow.. Very interesting.
We used to tape 4 inch long pieces of wool to the wing about 3/4 of the way along, just behind the main spar. The wool normally is straight back but when you raise the nose too far and a stall begins the wool starts twisting around all over the place and you feel the a/c buffeting.
What I wrote was misleading, sorry. "We" didn't do this all the time. It was done by an instructor at our gliding club to demonstrate stalls and "we" were supposed to learn what the buffet felt like and correlate what it meant in severity with what was going on along the wing. Where we did use wool "all the time" was on the canopy to balance turns instead of looking at the ball in the u-tube. I used to glance at the ball in the tube anyway to confirm which side of the rudder bar to kick.
Just like telltales in sailing. You know when you're stalling. Same principle
btweston 1
I think the real issue is that when this part failed the airplane decided to smash itself into the ground.
totally.. *sarcasm*
A photo released after the Lion Air crash showed an AOA sensor manufactured by Minnesota-based Rosemount Aerospace, a subsidiary of United Technologies that has undergone at least three changes of ownership over the past several years. Perhaps the impact of aerospace industry consolidation on quality control should be examined.
I agree. We have the same problem in medicine. Your generic drug had A test to determine product equivalency when company A applied to release it to the public, then company A got bought by company B, who now holds the license and contracts with company C to make the drug in China. Is the drug still the bioequivalent of the branded version? Who knows. We gave up that oversight decades ago when we bought the lie that regulations were bad because they cut into multimillionaires' profit margins.

The Parts Manufacturer Approval process has been around for decades and in fact enables many older aircraft to remain viable (flying) when the OEM (original equipment manufacturer) goes bust or no longer produces the part or has exhausted their original complement of replacement parts. In the aftermarket car parts bidness, there is NO accountability for quality! If the offending part didn't have either a PMA authorization, or a TSO approval, Boeing couldn't install it on the original airplane nor could a repair facility install it later. Part of proper MX is parts tracking and accountability and the paperwork that accompanies an installed PMA part becomes a permanent part of the aircraft maintenance records until it is replaced.

Once again, more than one side to every tale there Robert.
Sure, I understand, but how did a clearly defective part end up on a crashed plane? How did a sensor from a fairly new plane model end up being 'repaired'? Is that a sensor used in other models of plane?

I guess I was going to 'suitability' and 'durability'. And yes, I've had 'non-OEM' parts used in cars in the past, and have had mixed luck with them. Anything from computer modules to alternators, and clutch and brake discs. Not to mention body panels that hardly fit and look fake.

So is the part that fragile? Was it not repaired properly? Not shipped properly? Should the sensor be redesigned to make it more durable, and easier to repair properly? The whole 'Boeing is their own inspector' idea has me spooked. What else did the FAA do that was 'expedient', and foolhardy...

And the CPSC was caught siding with a stroller company that put out a bad stroller, so who can we trust, and who represents us, the consumer. I don't feel comfortable trusting the government that is developing lately...
AOA sensors are about as simple as sneakers and I believe I read something about one blowing out on an NBA star about a month ago. They are essentially a voltage potentiometer or "pot" as we call them and send a reference voltage to the downstream system to indicate the AOA presented to the leading edge of the wing. May seem an over simplification but this ain't MIT and I am not a lawyer or reporter out for the bucks or the clicks. As Torsten sorta says below, who really said the AOA sensors were at fault with any credibility. The empirical evidence will be gleaned from a review of the reported incidents by US crews that didn't crash and were submitted to MX for analysis. Bet they were talkin to Boeing!

Baby strollers? Talk about an over simplification. And I completely agree with your last sentence, "I don't feel comfortable trusting the government that is developing lately...", and I would add, their complete disregard of the visions of the founding fathers and framers of "The Constitution" that they so readily ignore.
it wasn't an NBA star, it was #1 Draft pick zion williamson in college.. :) - totally get your point though..
Potential #1 draft pick.
90 percent certain..
LOL. An ahistorical vision of both the Founding Fathers and the Constitution. Thomas Jefferson himself thought we'd have a Constitutional Convention every 20 years or so to rewrite the thing. As GWB said, it is nothing but a G-d piece of paper....
It was Lion Air's bad fortune to have a mystery MCAS system over-ride any ideas the pilots had to save themselves and their passengers, that had possibly a defective or underperforming sensor, which operated without benefit of backup.
Those (suggested) wing pressure parts can become clogged with ice, insects, dirt. The rotary AOA vane sensor is about as simple as one can get. BTW, "we" performed stall "tuft tests" on the B7171 and the G650.
obviously not tough enough!
That company sounds like a scam! Apparently the FAA appointed 'Xtra Aerospace' the first company to provide 'almost like original' parts, that THEY THEMSELVES get to certify, from what I can tell. And their main page says they 'warrant' their parts to be 'defect free'. Does that mean Lion Air gets their money back?

PMA sounds like a nightmare. How many planes are flying around with 'just as good as OEM' parts? How the hell did that happen? First Boeing gets to inspect their own work, and now parts suppliers can too? Should we be flying these planes? Should we be flying IN these planes?

If it's not as bad as I'm thinking, at least it presents some questions about who is fixing, and supplying parts that keep planes in the air.

Their webpage on 'PMA parts':
I think it may be a bit premature to call the company a scam.

I find it curious that a faulty sensor is repaired and tested, installed in a nearly new aircraft with a bad sensor, and the next day the aircraft crashes due to an apparent sensor fault. What if the sensors themselves weren’t faulty? Maybe the problem was with the wiring or connectors, or something else entirely.
I agree. Bad sensor readings in the cockpit could be caused by anything in between, not necessarily the AOA device.