Repost: Analysis of the Ethiopian Airlines accident report


http://www.aswetalk.net/bbs/forum.php?mod=viewthread&tid=142371

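The title is the closing line of a serial that Shenniu (神牛) wrote six years ago, when he first joined 爱坛.
That serial was about Airbus in 1994. Twenty-five years later, Boeing has fallen into the same pit.

Last week the Ethiopian investigation authority released the preliminary investigation report on ET302. Shenniu skimmed it once in Seattle, read it again after getting back, and here are some thoughts.

This post is structured as excerpts of the important parts of the report, each followed by commentary. Key abbreviations: AND, Aircraft Nose Down (nose-down trim); ANU, Aircraft Nose Up (nose-up trim).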

At 05:38:44, shortly after liftoff, the left and right recorded AOA values deviated. Left AOA decreased to 11.1° then increased to 35.7° while value of right AOA indicated 14.94°. Then after, the left AOA value reached 74.5° in ¾ seconds while the right AOA reached a maximum value of 15.3°. At this time, the left stick shaker activated and remained active until near the end of the recording. Also, the airspeed, altitude and flight director pitch bar values from the left side noted deviating from the corresponding right side values. The left side values were lower than the right side values until near the end of the recording.

[Figure]

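In the figure above, one grid square is three seconds. The left AoA reading jumped from 11.1° to 74.5° within two seconds. Even if the left and right sensors are not cross-checked against each other, shouldn't the left sensor's own reading be filtered? What airliner can fly at a 74.5° angle of attack? What airliner can have its angle of attack jump by more than 60 degrees within two seconds? This is not a Pugachev's Cobra. That a 74-degree AoA input can be accepted wholesale, without any filtering, makes this flight control logic truly shocking. A simple filtering rule would have been enough to find that this AoA reading was completely unreliable and must not be used, and then none of what follows would have happened.

And this is not just an MCAS problem: from this point on, all the flight data that need to be corrected with the AoA reading, such as airspeed and altitude, disagree between left and right. This shows that the obviously wrong AoA reading went straight through and was used by every subsystem of the flight control computer.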
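
The filtering argued for above, as an added C example that is not taken from the report, the original post or any aircraft software: each vane gets a range check and a rate-of-change check, the two vanes are compared, and any fault latches and inhibits AoA-driven automation. All thresholds, names and sample timestamps are assumptions; only the angle values come from the report excerpt.

```c
#include <stdio.h>

/* Illustrative limits: assumptions for this example, not any aircraft's values. */
#define AOA_MIN_DEG      (-20.0)
#define AOA_MAX_DEG        30.0
#define AOA_MAX_RATE_DPS   15.0 /* degrees per second, per vane */
#define AOA_MAX_SPLIT_DEG   5.0 /* left/right disagreement */
enum { AOA_FAULT_RANGE = 1, AOA_FAULT_RATE = 2, AOA_FAULT_SPLIT = 4 };
struct aoa_sample  { double t_s, left_deg, right_deg; };
struct aoa_monitor { int have_prev; struct aoa_sample prev;
                     unsigned left_faults, right_faults; /* latched */ };

/* Angles come from the report excerpt; timestamps and pairing are constructed. */
static const struct aoa_sample ET302_CONSTRUCTED[3] = {
    { 0.00, 11.1, 14.94 }, { 1.25, 35.7, 14.94 }, { 2.00, 74.5, 15.3 } };

static double absd(double x) { return x < 0 ? -x : x; }
static unsigned check_vane(double v, double prev, double dt)
{
    unsigned f = 0;
    if (!(v >= AOA_MIN_DEG && v <= AOA_MAX_DEG)) /* also true for NaN */
        f |= AOA_FAULT_RANGE;
    if (dt > 0.0 && absd(v - prev) / dt > AOA_MAX_RATE_DPS)
        f |= AOA_FAULT_RATE;
    return f;
}

/* Returns 1 if AoA-driven automation may act on this sample, 0 if inhibited. */
int aoa_monitor_update(struct aoa_monitor *m, struct aoa_sample s)
{
    double dt = m->have_prev ? s.t_s - m->prev.t_s : 0.0; /* 0: no rate check */
    /* With two vanes a split cannot say which one is wrong: distrust both. */
    unsigned split = absd(s.left_deg - s.right_deg) > AOA_MAX_SPLIT_DEG
                         ? AOA_FAULT_SPLIT : 0;
    m->left_faults  |= split | check_vane(s.left_deg, m->prev.left_deg, dt);
    m->right_faults |= split | check_vane(s.right_deg, m->prev.right_deg, dt);
    m->prev = s;
    m->have_prev = 1;
    return (m->left_faults | m->right_faults) == 0;
}

int main(void)
{
    struct aoa_monitor m = {0};
    for (int i = 0; i < 3; i++)
        printf("t=%.2fs usable=%d\n", ET302_CONSTRUCTED[i].t_s,
               aoa_monitor_update(&m, ET302_CONSTRUCTED[i]));
    return 0;
}
```

With these assumed limits the left vane is rejected at the 35.7° sample, before the 74.5° value arrives, and the rejection holds for every later sample.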

At 05:38:58 and about 400 ft radio altitude, the flight director pitch mode changed to VNAV SPEED and Captain called out “Command” (standard call out for autopilot engagement) and an autopilot warning is recorded.

"Command" is the call-out for engaging the autopilot; the autopilot warning that follows shows that the first attempt to engage the autopilot failed.

At 05:39:00, Captain called out “Command”
At 05:39:01 and about 630 ft radio altitude, a second autopilot warning is recorded.

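Two seconds later came the second attempt to engage the autopilot, which failed again.

What was the captain trying to do? The stall stick shaker goes off right after liftoff, the airspeed disagrees between left and right, and instead of handling it manually he wants to engage the autopilot?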

At 05:39:22 and about 1,000 feet the left autopilot (AP) was engaged (it disengaged about 33 seconds later), the flaps were retracted and the pitch trim position decreased to 4.6 units.

The third time, it inexplicably engaged successfully. It lasted only a short 33 seconds, but it planted the seed of the disaster that follows.

At 05:39:42, Level Change mode was engaged. The selected altitude was 32000 ft. Shortly after the mode change, the selected airspeed was set to 238 kt.

With the autopilot now engaged, the crew tried to rely on it to hold the airspeed at 238 knots.

At 05:39:45, Captain requested flaps up and First-Officer acknowledged. One second later, flap handle moved from 5 to 0 degrees and flaps retraction began.

At 05:39:55, Autopilot disengaged

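Flaps up, autopilot disengaged: the conditions for MCAS ("麦帅" in the original, the author's nickname for it) to come on stage were now met. The airspeed would also no longer be held at 238 knots; as can be seen later, the crew forgot this completely.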

At 05:40:00 shortly after the autopilot disengaged, the FDR recorded an automatic aircraft nose down (AND) activated for 9.0 seconds and pitch trim moved from 4.60 to 2.1 units. The climb was arrested and the aircraft descended slightly.

MCAS's first appearance: 2.5 degrees nose down within 9 seconds, entirely in keeping with how MCAS behaves.


At 05:40:12, approximately three seconds after AND stabilizer motion ends, electric trim (from pilot activated switches on the yoke) in the Aircraft nose up (ANU) direction is recorded on the DFDR and the stabilizer moved in the ANU direction to 2.4 units. The Aircraft pitch attitude remained about the same as the back pressure on the column increased.

The captain intervened manually, but only trimmed back 0.3 degrees.

At 05:40:20, approximately five seconds after the end of the ANU stabilizer motion, a second instance of automatic AND stabilizer trim occurred and the stabilizer moved down and reached 0.4 units.

MCAS's second appearance, pushing down another 2 degrees in one go.

At 05:40:28 Manual electric trim in the ANU direction was recorded and the stabilizer reversed moving in the ANU direction and then the trim reached 2.3 units.

The second manual override; this time it almost cancelled out MCAS's second activation.

At 05:40:35, the First-Officer called out “stab trim cut-out” two times. Captain agreed and First-Officer confirmed stab trim cut-out.

By now the first officer had realized that MCAS was at work and immediately suggested pulling the plug; the captain approved.

At 05:40:41, approximately five seconds after the end of the ANU stabilizer motion, a third instance of AND automatic trim command occurred without any corresponding motion of the stabilizer, which is consistent with the stabilizer trim cutout switches were in the “cutout” position

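Even with the plug pulled, MCAS can still act behind the scenes. But the circuit to the servo motor has been cut, so any further commands have no effect.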

From 05:40:42 to 05:43:11 (about two and a half minutes), the stabilizer position gradually moved in the AND direction from 2.3 units to 2.1 units. During this time, aft force was applied to the control columns which remained aft of neutral position. The left indicated airspeed increased from approximately 305 kt to approximately 340 kt (VMO). The right indicated airspeed was approximately 20-25 kt higher than the left.

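Even with the servo motor cut off, the trim still moved 0.2 degrees nose down over the next two and a half minutes. Since electric trim had been unplugged, the trim change during this period can only have come from two sources: 1. the manual trim wheel: the crew tried to trim nose up by hand, but the wheel was jammed in the nose-up direction and would not turn, so they tried turning it slightly in the opposite direction to check whether it was jammed both ways; 2. the horizontal stabilizer slowly deflecting by itself under aerodynamic forces.

The second thing is that the speed was already completely out of control. While fighting MCAS the crew had forgotten to monitor speed, and had also forgotten that the autopilot was disengaged and the speed would no longer be held automatically.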

At 05:41:20, the right overspeed clacker was recorded on CVR. It remained active until the end of the recording.

At 05:41:32, the left overspeed warning activated and was active intermittently until the end of the recording.

Overspeed warnings, and the crew showed no reaction at all.

At 05:41:46, the Captain asked the First-Officer if the trim is functional. The First-Officer has replied that the trim was not working and asked if he could try it manually. The Captain told him to try. At 05:41:54, the First-Officer replied that it is not working.

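This is a very telling exchange. The 737 has three ways to trim: trim commanded by the flight control computer, pilot-controlled electric trim via the thumb switch on the control column, and fully manual trim by turning the trim wheel. On the MAX, pulling the plug on flight-control-computer trim also pulls the plug on the column-switch electric trim, so only the trim wheel is left. The first officer's answer is clearly an either-or answer: the second way doesn't work, shall I try the third? Why this mistaken understanding? Because on the 737NG the first and second ways are controlled by two separate switches and can be unplugged separately. The crew kept their old NG experience in mind, so it turns out they had been trying the column-switch electric trim all along.

That being so, we can infer that the crew had not turned the trim wheel at all before this, so the slow trim drift during the preceding two and a half minutes can only have been the effect of aerodynamic forces.

So now they finally remembered to turn the manual trim wheel. At 05:41:54, the First-Officer replied that it is not working. Why did that not work either?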

[Figure]

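The pitch control situation at this point: the horizontal stabilizer is angled leading-edge up, that is, trimmed nose down, while the elevator at the stabilizer's trailing edge is deflected up, pressing the tail down to bring the nose up. The downward force acting on the elevator pushes the stabilizer's trailing edge down and lifts its leading edge, defeating the manual trim wheel's attempt to push the stabilizer's leading edge down. At airspeeds above 340 knots, aerodynamic forces have locked the stabilizer angle, and human strength cannot overcome them.

Boeing actually knew about this situation back when it designed the 737-100/200. The manual for this generation, the 737 "Jurassic" (the 300/400/500 are the Classic; after those come the NG and the MAX), specifically mentions the "roller coaster technique for unloading stabilizer pressure". The key point is that when the stabilizer is jammed, you temporarily stop pulling the column and let go so that the elevator returns to neutral, which removes the external force locking the stabilizer. Use this window of a few seconds to turn the trim wheel quickly. Why only a window of a few seconds? Because a few seconds later the nose is pointing down. Before that happens, pull the column again to bring the nose up, and once stabilized, let go, turn the wheel, pull the column. The principle is the same as fishing: don't lift the rod while reeling in, don't reel in while lifting the rod. After a few such cycles the aircraft is riding like a roller coaster and will lose some altitude, but in the end the trim can be brought back.

After the Jurassic models were retired, stabilizer reliability improved greatly and stabilizer runaway events dropped to almost zero, so this procedure disappeared from Boeing's manuals, and no one among the new generation of pilots knows it. Had MCAS not come along this time, and had old hands not dug the procedure out of old papers, probably no one would ever have known it again.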

At 05:43:11, about 32 seconds before the end of the recording, at approximately 13,400 ft, two momentary manual electric trim inputs are recorded in the ANU direction. The stabilizer moved in the ANU direction from 2.1 units to 2.3 units.

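The crew of course would not have known the technique above. The trim wheel had no effect, and the stabilizer was gradually drifting toward nose-down trim on its own. Out of options and as a last resort, they plugged the plug back in and used the column-switch electric trim. But having done that, why not keep trimming without stopping? The moment you stop, MCAS strikes.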

At 05:43:20, approximately five seconds after the last manual electric trim input, an AND automatic trim command occurred and the stabilizer moved in the AND direction from 2.3 to 1.0 unit in approximately 5 seconds. The aircraft began pitching nose down. Additional simultaneous aft column force was applied, but the nose down pitch continues, eventually reaching 40° nose down. The stabilizer position varied between 1.1 and 0.8 units for the remainder of the recording.

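This MCAS stroke trimmed 1.3 degrees nose down. Note that the airspeed was already above 360 knots. According to the Boeing manual, a single MCAS trim at high speed should be only 0.6 degrees, and 2.5 degrees only at low speed. 1.3 degrees in one go at high speed shows that Boeing's manual is talking nonsense. Apart from the 0.6 degrees reported for airworthiness certification, who knows what is actually written in its program and what the relationship between speed and trim amount looks like.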

The left Indicated Airspeed increased, eventually reaching approximately 458 kts and the right Indicated Airspeed reached 500 kts at the end of the recording. The last recorded pressure altitude was 5,419 ft on the left and 8,399 ft on the right.

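Because the speed was already very high, this trim input, although only half the low-speed amount, was fatal: it directly produced a negative 2g maneuver, and people went weightless. Straight into a Stuka dive.

The crew made two main mistakes in all this: first, not controlling the speed; second, not trimming to a fully trimmed state before pulling the plug. As a result they ended up in a dead corner of the envelope, high speed with nose-down trim, where aerodynamic forces locked the only manual trim path and they could not get out.

So why did they not trim to a fully trimmed state before pulling the plug? Below are the steps of Boeing's emergency checklist.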

[Figure: Boeing emergency checklist]

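How would you understand step 2 of the checklist? Most people would assume that all the indented paragraphs are part of step 2, and that if step 2 can be skipped, all the indented paragraphs can be skipped too.

When MCAS activated, the autopilot was already disengaged, so when the crew reached step 2 they skipped it and went straight on to step 5 below, pulling the plug.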


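Reader comments:
Killed by the automatic trim when the autopilot was re-engaged?

Yes, and it's not what the operations manual says: at high speed the trim angle was doubled, which made the aircraft pull straight into a negative 2g maneuver, a Stuka. I really don't dare fly on this Boeing aircraft any more; the flight control program is a complete black box.
It feels like it could still have been saved if the crew had not neglected speed control.
Code logic that reeks of outsourcing: implemented exactly as the requirements document says, with no additional defensive consideration at all.

Feels like testing is to blame. One invalid sensor input value could have exposed all of these problems.
No wonder the pilot cried out to God.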

麦帅 (MCAS)

For this kind of thing, verification takes the blame.


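What the requirements document doesn't even list, testing generally won't cover either.
According to reports this aircraft has only 2 angle-of-attack sensors, and fitting 3 would need a major redesign, so for the program 2 is no different from 1: it cannot cross-check.
Let's see how badly Boeing gets skinned this time.
The turning point was in the two and a half minutes after MCAS was switched off, when the crew did not trim with the manual trim wheel but kept working an electric trim switch that did nothing at all……

If they had trimmed manually earlier, it probably would have been saved. The speed also would not have got so high that manual trim jammed as well and roller-coaster trimming was needed.
They're all a bunch of amateurs.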


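You can tell from this comment that the writer has never done hardware programming.

When the data from the two sides disagree, just don't take control away from the pilot.
No need for two-out-of-three voting; simply treating the data as invalid when the difference is too large would do. The way this flight control was written is deliberate killing.

I recall that before the Lion Air crash the first officer shouted Allahu Akbar.
Boeing submits the flight control to the regulator's acceptance department.
The regulator, short on budget, outsources the work.
The contractor that takes the job is Boeing.

Who is the principal offender?

As I understand it, the 737NG originally had three switches, each controlling one of the three trim systems. But on the MAX, for some reason, the electric trim and computer trim switches are in series, so switching off turns both off together.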