Jump to content

A scary ESP bug like the 737Max?


Recommended Posts

So the entire Cirrus jet fleet was just grounded by emergency AD due to malfunctions of the Garmin ESP functionality that is engaging pitch down commands inappropriately in at least 3 incidents now:

https://www.flyingmag.com/faa-grounds-cirrus-vision-jets

and so perhaps this is plausibly relevant to some of our Mooney fleet with the GFC700?  Or perhaps for new installs of the GFC500?  Clearly it reminds of the 737Max even if the details are all different.

E

Link to comment
Share on other sites

6 minutes ago, aviatoreb said:

So the entire Cirrus jet fleet was just grounded by emergency AD due to malfunctions of the Garmin ESP functionality that is engaging pitch down commands inappropriately in at least 3 incidents now:

https://www.flyingmag.com/faa-grounds-cirrus-vision-jets

and so perhaps this is plausibly relevant to some of our Mooney fleet with the GFC700?  Or perhaps for new installs of the GFC500?  Clearly it reminds of the 737Max even if the details are all different.

E

they were grounded because of a bad AOA probe causing the nose to drop. I got that info from beech talk. Also believe it was a mandatory SB. not an AD

http://servicecenters.cirrusdesign.com/tech_pubs/sf50/pdf/SB/SF5XBulletins/SB5X-34-03/SB5X-34-03.pdf

 

Edit: Just saw the AD on beechtalk. but these issue is with the AOA, so it is very doubtful that anything can happen on our Mooney's since we don't have that.

Link to comment
Share on other sites

15 minutes ago, Niko182 said:

they were grounded because of a bad AOA probe causing the nose to drop. I got that info from beech talk. Also believe it was a mandatory SB. not an AD

http://servicecenters.cirrusdesign.com/tech_pubs/sf50/pdf/SB/SF5XBulletins/SB5X-34-03/SB5X-34-03.pdf

 

Edit: Just saw the AD on beechtalk. but these issue is with the AOA, so it is very doubtful that anything can happen on our Mooney's since we don't have that.

Right - I understand.  The probe is incorrectly informing the AP that is commanding an innaporpriate nose down.  So this specific failure mode cannot happen in the Mooney install, but I still find this closer strike to home much more Mooney relevant than the 737 problem, as this error specifically involves the Garmin ESP.

From my reading of the flyingmag article I thought they were now up to mandatory grounding on the Cirrus SF50 jet fleet.

Link to comment
Share on other sites

We can get a bit edgy, and rightly so...

I see three levels of automation at work.... A-C below.... related to Mooney automation... not the other guys...

 

A) Mostly manual, but electric powered....

1) When the machine can continue to push controls on its own, like a Stuck trim switch.  Or anything similar that causes the trim to go to its stops..,.

2) This doesn’t normally happen without us being a little aware.... we were probably holding the trim switch when it stuck...

 

B ) Activated manually, but computer is logically making decisions...

3) the latest versions of APs have a ‘level’ button that we would like to have...

4) Again, we activate it by pushing a button... if it doesn’t work correctly, we might be in a world of hurt and getting worse....

5) If we were using it out of convenience, and it responded improperly... we pull the CB, turn it off, and fly the plane.

 

C) Running automatically all the time....

6) This is probably called envelope protection... it senses AOA and then does what it is supposed to do when the AOA exceeds cautionary levels....

7) in this case an errant sensor behavior initiates control outputs that can be wildly improper...

8) be sure to have the important sensor monitored to sense failure... a sensor for the sensor?

 

 

Hey wait a minute....

Failures are part of the logic in all control system design....

1) Our relays are selected to fail open or closed, depending on what is best or least deadly... they can be set up in tandem to be fail proof like our radio master switch....  not perfect.

2) Our APs already run through extensive sensor tests before being allowed to operate... still not perfect.

3) The AP, When it senses a failure, it shuts-down and gives its best scream to let the pilot know he is on his own.... unperfect at best.

 

Where the wheels seem to fall off.... (for the Mooney system...)

Whether it was manual or automation that caused the initial challenge.... (trim going down)

the trim ended up jammed in a location, that the pilot was not able to undo... either electrically or manually...

 

Where we can go from here... don’t allow controls to jam...

like valves, engineers are trained to open and close them... when they reach the end, full open or full closed... they turn the control back about a quarter turn...the valve is designed with the extra reverse allowed and still have the valve opened or closed....(sound familiar? A lesson from dad regarding the garden hose? :))

This is done for a couple of interesting reasons... mostly the threads don’t have a stop designed or machined into them... when they get to the end... they bind up on their own mechanical design... if poorly lubricated or have an oxidized surface, they can really get stuck...

 

Dissapointedly.... sensors fail... systems with sensors fail... how they are designed, built, maintained...is important...

 

I did find an AOA sensor on my plane failed in flight once.... the stall horn magically stopped reporting.

I would often have the stall horn bump on while descending on final, above some buildings... feel the bump, hear the horn, continue the landing sequence...

A couple of landings without hearing the horn.... it was time to put check stall horn back on the checklist...

Sensors do fail... important ones are not allowed to fail without alerting the pilot properly...

 

If this topic is uncomfortable... consider this situation...

  • you have had the failed stall horn experience...
  • then one day, you have the stall horn go off in flight, reacted properly, continued around the traffic pattern...
  • What if the horn wasn’t working on that flight..?
  • Traffic pattern at S. Jersey regional is about 800’ agl... pilot misery will last only a moment... ugh.

 

PP Thoughts only...  the jamming that I have covered here is for things that have threaded surfaces, like screws, as the key to their operation...

We might be seeing a strong and proper response to a challenge that has come to light... but, the challenge isn’t a very new one or unheard of... the solutions probably won’t be very technically surprising either...

Fortunately, it is in the best interest of everyone involved to find and fix the challenges.... we are all on the same team.

That beer in Dayton is sounding really good right now... :)

Best regards,

-a-

  • Like 2
Link to comment
Share on other sites

Interesting.

a friend of mine, who has about Zero aviation background, asked me about the 737max incidents a few months back.  My response was something to the effect of this: I can’t believe a company would design an automatic stall margin system that relied on a single AoA probe: that seems like a terrible design- AoA probes- while a very simple mechanical system, are known to fail (bird strikes, icing.. heck- enough bugs that distort the sensor...) so driving flight control inputs based on a single sensor, is not a sound decision.

I’ve flown 2 fly by wire jets.  The F/A-18 uses four independent flight control computers, running off 2 physical Angle of attack probes and a third, digitally derived (gps+ins) angle of attack input to compute a smoothed, error checked input.  The F-35 has multiple computer/ins derived AoA sources, as well.  The  common point is this: if two inputs disagree, a third is compared to figure out which is most accurate- and that’s the solution.  The redundant flight control computers work the same way.  If all of them disagree (in the F-18)- the pilot can manually select the what he/she believes is the correct input based on observed flight conditions.  In the F-35- the computers do all the deciding for you.  But the redundancy still exists.

 

ive seen them.  Bent probes, stuck probes, iced over probes.  Hell- I’ve seen two AoA probes ripped off the jet by a refueling basket on a dark, turbulent night (it wasn’t me flying, thankfully- that pilot earned his flight pay coming back aboard the ship that night).

Boeing knows better- I’m surprised they didn’t have a redundancy built into the system.  But the pilots bear some of the blame as well.

All those thoughts to say this: any system that can take over control of your aircraft will only ever be as good as the inputs and error checking that occur within.  I know absolutely nothing of the garmin or trutrack autopilot safety systems, or what their inputs are- but before I install one- I’ll be diligently researching and understanding all the possible points of failure and the logic that they have programmed.

Edited by M016576
  • Like 1
Link to comment
Share on other sites

Random musings:  It is interesting to see this issue come up with the Garmin system in the Cirrus Jet.  One of the first things I did when the 737 Max news started implicating the MCAS was to review all the runaway trim procedures for my current autopilot and other automation failures, learn the electrical setup of the system (how the disconnects and breakers were wired) and then start investigating how they are set up for the GFC 500.  I'm not unfamiliar with my KFC 200 trying to kill me completely at random, so I'm familiar enough with the red button on the yoke.  (Unlike a lot of people I only use it for disconnect in emergencies, preferring to simply switch the main switch off when I'm done letting it fly.  Probably from being a computer person and knowing not to just switch them off using the power switch from back before the power switch was converted to a software controlled graceful shutdown switch because everyone insisted on using them to switch them off anyway.) In particular the envelope protection made me nervous because it's never really off.  If something goes completely haywire, depending on the software that's gone haywire to correctly disable that feature because you've told the software (that's gone haywire) to is probably not reliable, which is probably why the procedures call for pulling the breaker.  One minor drawback to the GFC 500 is that if something goes wrong enough that envelope protection is trying to kill you and you do pull the breaker, you lose electric trim, which begins to sound a little familiar.  Kinda wish there were a separate electrical (open circuit, not software) off switch to depower the other AP servos independent of the trim servo, the same way a lot of 737 Max pilots would probably prefer that there was a cutout switch for the MCAS and speed trim that left them manual electric trim control. 

At least in my plane it is just me and I know what risks are involved with my avionics choices.  I'm definitely having my yoke buttons reconfigured to put the autopilot cutout on the left horn over by the trim when I have the GFC installed, though.  That was the single biggest action item that came out of the 737 MAX and now Cirrus issues that I can apply to my aircraft to enhance safety.

  • Like 2
Link to comment
Share on other sites

I am not that familiar with the GFC 500/G5 system and the ESP system but from the AFM supplements I have read is that you can certainly disable it any time by either holding the A/P disconnect button or on the G5 by selecting it off. I don't think that affects the trim system but I could be wrong. 

Anytime an ESP mode is active, the pilot can interrupt ESP by using the Autopilot Disconnect (AP DISC / TRIM INT) switch, or simply override ESP by overpowering the autopilot servos. The pilot may also disable ESP through the G5 menu. 

Link to comment
Share on other sites

I am not that familiar with the GFC 500/G5 system and the ESP system but from the AFM supplements I have read is that you can certainly disable it any time by either holding the A/P disconnect button or on the G5 by selecting it off. I don't think that affects the trim system but I could be wrong. 
Anytime an ESP mode is active, the pilot can interrupt ESP by using the Autopilot Disconnect (AP DISC / TRIM INT) switch, or simply override ESP by overpowering the autopilot servos. The pilot may also disable ESP through the G5 menu. 

The red button cuts power to everything. Overpowering the servos is certainly an option short term. Disabling through the menu tells the software to shut ESP off. If the software is what's malfunctioning, that may not be reliable. Like I said, I wish there was an "everything but manual electric trim" switch.


Sent from my iPhone using Tapatalk
Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.