Boeing 737 Max Software Fixes Due to Lion Air Crash Delayed
Join Date: Mar 2010
Location: LHR 09L. 6 miles out
Age: 62
Posts: 50
Likes: 0
Received 0 Likes
on
0 Posts
A question or two.
If you "reset" the trim switches, I take it that the pitch trim would then have to be manually adjusted for the remainder of the flight?
If the MCAS activates for a few second and the PF pulls back on the control column I understand that the pitch trim stays where it is, so a second activation a few second later would have an even more aggressive effect.
Does the MCAS have any effect on the thrust?
After the MCAS is countered by the PF could the autopilot be activated before MCAS activates again?
Could the Autopilot be activated in the gaps between the MCAS "working"?
If you "reset" the trim switches, I take it that the pitch trim would then have to be manually adjusted for the remainder of the flight?
If the MCAS activates for a few second and the PF pulls back on the control column I understand that the pitch trim stays where it is, so a second activation a few second later would have an even more aggressive effect.
Does the MCAS have any effect on the thrust?
After the MCAS is countered by the PF could the autopilot be activated before MCAS activates again?
Could the Autopilot be activated in the gaps between the MCAS "working"?
Last edited by Helix Von Smelix; 26th Mar 2019 at 22:37.
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 788
Likes: 0
Received 0 Likes
on
0 Posts
NY Times: After Boeing Crashes, Sharp Questions About Industry Regulating Itself
After Boeing Crashes, Sharp Questions About Industry Regulating Itself
WASHINGTON — Seven years ago, an internal government watchdog took a hard look at the part of the Federal Aviation Administration responsible for certifying new Boeing jetliners. The watchdog’s investigation came to some alarming conclusions.F.A.A. employees viewed their management, the inquiry by the Transportation Department’s inspector general found, as “having too close a relationship with Boeing officials.” F.A.A. managers, the report said, had not always backed efforts by agency employees “to hold Boeing accountable,” and employees feared retaliation for trying to do so.More
(Not sure whether this is the best thread for this. Please move if it's not.)
Join Date: Sep 2011
Location: Belgium
Age: 64
Posts: 138
Likes: 0
Received 0 Likes
on
0 Posts
You can update the software from now till eternity.
The main issue remains.
These "events" are triggered by failing AOA sensor/systems. => That is where the main focus should be => Why is the AOA probe/system failing.
That MCAS was single probe only is an error, but secondary and wat MCAS is/was trying to do is third.
But, and this should be the main focus point => With a solid AOA signal, nothing of this would have happened in the first place.
The main issue remains.
These "events" are triggered by failing AOA sensor/systems. => That is where the main focus should be => Why is the AOA probe/system failing.
That MCAS was single probe only is an error, but secondary and wat MCAS is/was trying to do is third.
But, and this should be the main focus point => With a solid AOA signal, nothing of this would have happened in the first place.
You can update the software from now till eternity.
The main issue remains.
These "events" are triggered by failing AOA sensor/systems. => That is where the main focus should be => Why is the AOA probe/system failing.
That MCAS was single probe only is an error, but secondary and wat MCAS is/was trying to do is third.
But, and this should be the main focus point => With a solid AOA signal, nothing of this would have happened in the first place.
The main issue remains.
These "events" are triggered by failing AOA sensor/systems. => That is where the main focus should be => Why is the AOA probe/system failing.
That MCAS was single probe only is an error, but secondary and wat MCAS is/was trying to do is third.
But, and this should be the main focus point => With a solid AOA signal, nothing of this would have happened in the first place.
Join Date: Feb 2009
Location: Seattle
Posts: 379
Likes: 0
Received 0 Likes
on
0 Posts
You can update the software from now till eternity.
The main issue remains.
These "events" are triggered by failing AOA sensor/systems. => That is where the main focus should be => Why is the AOA probe/system failing.
That MCAS was single probe only is an error, but secondary and wat MCAS is/was trying to do is third.
But, and this should be the main focus point => With a solid AOA signal, nothing of this would have happened in the first place.
The main issue remains.
These "events" are triggered by failing AOA sensor/systems. => That is where the main focus should be => Why is the AOA probe/system failing.
That MCAS was single probe only is an error, but secondary and wat MCAS is/was trying to do is third.
But, and this should be the main focus point => With a solid AOA signal, nothing of this would have happened in the first place.
The MCAS idea has been around for some time apparently. Boeing were going to fit it to the 767 originally, but were able to get the job done with vortex generators. Both the KC-46 and KC-767 have a MCAS system.
https://aviationweek.com/defense/boe...cd1cc979ac68a7
FAA doesn't want to be the first to lift the MAX ban.
https://aviationweek.com/commercial-...cd1cc979ac68a7
https://aviationweek.com/defense/boe...cd1cc979ac68a7
FAA doesn't want to be the first to lift the MAX ban.
https://aviationweek.com/commercial-...cd1cc979ac68a7
Originally Posted by Infrequent Flyer
Pilots will be required to complete a training on the updated system on their iPads. 
I really don't know what to say.
I'm sure plaintiffs lawyers will though - they're going to have a ****ing field day in court with this.
I really don't know what to say.I'm sure plaintiffs lawyers will though - they're going to have a ****ing field day in court with this.
Join Date: May 2010
Location: Boston
Age: 73
Posts: 443
Likes: 0
Received 0 Likes
on
0 Posts
...
...
One of the key elements to the baseline MCAS logic is that it will only put in a single increment of stabilizer motion as long as no pilot trim command is given. This goes in over no more than 10 seconds (less if operating at Mach number greater than 0.4 where MCAS single increment authority is less than 2.5 degrees).
...
FCeng84 provides clarity ...
...
One of the key elements to the baseline MCAS logic is that it will only put in a single increment of stabilizer motion as long as no pilot trim command is given. This goes in over no more than 10 seconds (less if operating at Mach number greater than 0.4 where MCAS single increment authority is less than 2.5 degrees).
...
FCeng84 provides clarity ...
Is it possible for sts trim inputs to reset the MCAS logic, is it known with certainty that only pilot switches will do this?
(Assuming my understanding of sts is anywhere close to correct)
Join Date: Feb 2009
Location: Seattle
Posts: 379
Likes: 0
Received 0 Likes
on
0 Posts
(See detailed MCAS description that I added to the Ethiopian accident thread today.)
Why AoA fails
Vilters,
#405, “The main issue remains.
These "events" are triggered by failing AOA sensor/systems. => That is where the main focus should be => Why is the AOA probe/system failing.”
Boeing 737 Max Software Fixes Due to Lion Air Crash Delayed
I agree; see related questions in https://www.pprune.org/rumours-news/618252-boeing-737-max-software-fixes-due-lion-air-crash-delayed.html#post10429320 (#381)
Also see the links giving a technical basis for a software ‘glitch’; AoA value in error.
However, as yet the answered question is:-
“Would such a ‘failure’ (glitch) be a random, probabilistic occurrence - just chance, or require an external disturbance - elect spike (FDR AoA error seen during taxi - generator switching?)”
Continuing with this hypothesis, then the focus of the investigation should be to confirm or refute the need of at least two contributing factors, what are they, and the circumstances which result in AoA error - MCAS does the rest.
If electrical, then follow-on questions should consider if any abnormal ground or in-flight switching or alternate power supply could similarly reset / trigger the initiating conditions - which could also relate to the proposed modifications.
/hypothesis.
Additionally, and perhaps the key to understanding, is why only two aircraft have exhibited the fault, and the many others in service apparent not. Noting previous linked comments about ground reset, maintenance test, and before flight electrical checks.
As a far-out thought; is the order of after-start generator or bus tie checks an option, 1 before 2, etc, is this before flight or after landing as in some other aircraft types.
Hmm. If an MCAS situation results in an altitude loss in the region 2000-3000ft for a crew consisting of manufacturer test pilots who know what's going to happen, what will that mean for commercial operation by an "average" crew? Keeping flaps down until passing 5000ft AGL after take-off? Having to select flaps down before descending through 5000ft AGL? If so, what challenges will that bring operationally and economically?
Furthermore, if an MCAS situation is so forceful as described in the sim sessions where airline pilots participated, can the training be satisfactorily addressed by CBT only, or will the regulators mandate time in a SIM properly configured for MCAS events? If so, that kind of kills the idea that a NG pilot can breeze into the cockpit of a MAX with just a couple of hours of CBT under his belt. And that, in turn, will undermine Boeings marketing blurb, and thus make the aircraft somewhat less attractive to current and prospective customers.
Perhaps it should be renamed the 737 Kludge?
Furthermore, if an MCAS situation is so forceful as described in the sim sessions where airline pilots participated, can the training be satisfactorily addressed by CBT only, or will the regulators mandate time in a SIM properly configured for MCAS events? If so, that kind of kills the idea that a NG pilot can breeze into the cockpit of a MAX with just a couple of hours of CBT under his belt. And that, in turn, will undermine Boeings marketing blurb, and thus make the aircraft somewhat less attractive to current and prospective customers.
Perhaps it should be renamed the 737 Kludge?
Join Date: Sep 2007
Location: EU
Posts: 155
Likes: 0
Received 0 Likes
on
0 Posts
Hmm. If an MCAS situation results in an altitude loss in the region 2000-3000ft for a crew consisting of manufacturer test pilots who know what's going to happen, what will that mean for commercial operation by an "average" crew? Keeping flaps down until passing 5000ft AGL after take-off? Having to select flaps down before descending through 5000ft AGL? If so, what challenges will that bring operationally and economically?
Which will work wonders addressing the issue of, alleged, insufficient manual handling exposure. Is this really the direction we want to go, pilots only there to manually handle the aircraft for t/o and landing? A world of pilots SOP bound to turn George on and off with the gear going up and down? That'll be a big, fat, no thank you from me.
Join Date: Dec 2015
Location: Cape Town, ZA
Age: 62
Posts: 424
Likes: 0
Received 0 Likes
on
0 Posts
Join Date: Sep 2007
Location: EU
Posts: 155
Likes: 0
Received 0 Likes
on
0 Posts
Which will work wonders addressing the issue of, alleged, insufficient manual handling exposure. Is this really the direction we want to go, pilots only there to manually handle the aircraft for t/o and landing? A world of pilots SOP bound to turn George on and off with the gear going up and down? That'll be a big, fat, no thank you from me.
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 788
Likes: 0
Received 0 Likes
on
0 Posts
Join Date: Jan 2008
Location: uk
Posts: 857
Likes: 0
Received 0 Likes
on
0 Posts
Furthermore, if an MCAS situation is so forceful as described in the sim sessions where airline pilots participated, can the training be satisfactorily addressed by CBT only, or will the regulators mandate time in a SIM properly configured for MCAS events? If so, that kind of kills the idea that a NG pilot can breeze into the cockpit of a MAX with just a couple of hours of CBT under his belt. And that, in turn, will undermine Boeings marketing blurb, and thus make the aircraft somewhat less attractive to current and prospective customers.
Perhaps it should be renamed the 737 Kludge?
Perhaps it should be renamed the 737 Kludge?
To quote (my emphasis):
Rick Ludtke, a former Boeing engineer who worked on designing the interfaces on the MAX’s flight deck, said managers mandated that any differences from the previous 737 had to be small enough that they wouldn’t trigger the need for pilots to undergo new simulator training.
“It’s become such a kludge, that we started to speculate and wonder whether it was safe to do the MAX,” Ludtke said.
Ludtke didn’t work directly on the MCAS, but he worked with those who did. He said that if the group had built the MCAS in a way that would depend on two sensors, and would shut the system off if one fails, he thinks the company would have needed to install an alert in the cockpit to make the pilots aware that the safety system was off.
And if that happens, Ludtke said, the pilots would potentially need training on the new alert and the underlying system. That could mean simulator time, which was off the table.
And if that happens, Ludtke said, the pilots would potentially need training on the new alert and the underlying system. That could mean simulator time, which was off the table.
AOA input.
Join Date: Feb 2006
Location: USA
Posts: 487
Likes: 0
Received 0 Likes
on
0 Posts
"One off occurrences happen..."
Boeing details its fix for the 737 MAX, but defends the original design
[emphasis mine]
March 27, 2019 at 11:00 am
Updated March 27, 2019 at 12:04 pm
Dominic Gates By Dominic Gates
Seattle Times aerospace reporter
Boeing on Wednesday mounted an effort to win back the trust of airlines, safety regulators and the flying public and get its 737 MAX back in the air.
The company described detailed changes to the jet’s flight-control software and what its engineers have been doing since the recent fatal crashes of two airplanes.
While declaring that will make the system “more robust,” it denied that the changes mean the original design was inadequate.
At a news conference at an airline customer facility in Renton, Mike Sinnett, Boeing vice president of product strategy and development, presented the details of the planned software update.
As expected, the changes to the suspect flight-control system known as the Maneuvering Characteristics Augmentation System, or MCAS, mean that it will be activated by input from two sensors instead of a single one; that it will operate only once, not multiple times, if the sensor reading remains stuck at a high value; and the power of the system will be limited so that the pilot will always pull back on the control column with enough force to counteract any automatic nose-down movement MCAS causes.
Boeing will also introduce training for pilots on the changes to the MCAS system. This training, which Sinnett said is “provisionally approved,” will consist of about a half-hour of computer-based training. He said that since the MAX will handle exactly the same as the older model 737, no simulator training will be required.
Boeing clearly hopes that the grounding can be lifted quickly. The company said it will take only a day to deploy the software once it is approved by safety regulators and that upgrading a specific airplane will take “an hour or so.”
However, it’s up to the Federal Aviation Administration (FAA) and foreign regulators to determine when the plane will be allowed to return to service. And then each airline operator will have to run its flight crews through the new MCAS training.
In a separate part of the news conference, Boeing answered questions from reporters on condition that the person speaking not be named.
In the Lion Air crash last October, black-box data released in the preliminary investigation shows that MCAS was triggered by a single faulty sensor and repeatedly pushed the nose of the jet down as the pilots struggled to pull it back up before losing control.
Initial indications that the Ethiopian Airlines crash earlier this month might also involve MCAS were enough for regulators around the world to order the fleet grounded.
“One-off occurrences happen, like the accidents we have just experienced, and cause us to always go back and question our basic assumptions and look at our design processes,” Boeing said in answer to questioning about why the change has been made.
“Every time something happens we learn from it,” Boeing said. “We do not know the ultimate cause of the accidents. MCAS is just one independent link in the chain. We can make that more robust.”
“As tragic as this is — and these two accidents are terribly tragic, and we understand the gravity of that — we do learn from it,” Boeing said.
The company said it has conducted audits on all the MAX systems since the accident, taking a close look at the system safety assessments, including analyses of different possible failure modes and the hazard each would cause, and “uncovered nothing that concerns us.”
“The process we follow with the regulators and with the (airplane) designs has continued to lead to safer and safer airplanes,” Boeing said. “We can question our assumptions, but in general the process has worked and continues to work and we see no reason to overhaul the process.”
Reporters asked whether increased cockpit automation, combined with pilots around the world becoming less familiar with manual flying techniques, is introducing new hazards that the industry needs to address. Boeing countered that the recent history of aviation safety has been stellar and does not indicate “any systemic failure in how the world designs, builds and tests airplanes and trains flight crews.”
Boeing defended the original design of MCAS as dependent on a single sensor, saying that industry practice allows such single points of failure provided corrective action “can be quickly performed by a trained pilot using established procedures.”
Boeing points out that MCAS can be countered by the pilots and, if all else fails, can be turned off by flipping two cutoff switches.
Boeing has been conducting flight tests of the MCAS software fix over the past two weeks, since just before the worldwide fleet was grounded.
The company said getting the software fix out and presenting it to the world “took until now because we wanted to get it right. Rushing it is the wrong thing to do.”
Sinnett defended the original certification of the airplane and of MCAS.
He said the 737 MAX builds on the “tremendous history of safety” of the 737 program and said Boeing is introducing the proposed software changes because aviation is “an industry that is continuously learning” from airplane accidents.
“The rigor and thoroughness of the design and testing that went into the MAX gives us complete confidence that the changes we are making would address any of these accidents,” Sinnett said.
Meanwhile, more than 200 airline pilots, officials and safety regulators gathered at the 737 assembly plant nearby for briefings and sessions testing the new software upgrade in a MAX simulator.
Attendees will be able to watch Boeing pilots sitting in a simulator and talk to them at the same time so that they can request simulated flights with specific scenarios.
Dominic Gates: 206-464-2963 or [email protected]; on Twitter: @dominicgates.
Updated March 27, 2019 at 12:04 pm
Dominic Gates By Dominic Gates
Seattle Times aerospace reporter
Boeing on Wednesday mounted an effort to win back the trust of airlines, safety regulators and the flying public and get its 737 MAX back in the air.
The company described detailed changes to the jet’s flight-control software and what its engineers have been doing since the recent fatal crashes of two airplanes.
While declaring that will make the system “more robust,” it denied that the changes mean the original design was inadequate.
At a news conference at an airline customer facility in Renton, Mike Sinnett, Boeing vice president of product strategy and development, presented the details of the planned software update.
As expected, the changes to the suspect flight-control system known as the Maneuvering Characteristics Augmentation System, or MCAS, mean that it will be activated by input from two sensors instead of a single one; that it will operate only once, not multiple times, if the sensor reading remains stuck at a high value; and the power of the system will be limited so that the pilot will always pull back on the control column with enough force to counteract any automatic nose-down movement MCAS causes.
Boeing will also introduce training for pilots on the changes to the MCAS system. This training, which Sinnett said is “provisionally approved,” will consist of about a half-hour of computer-based training. He said that since the MAX will handle exactly the same as the older model 737, no simulator training will be required.
Boeing clearly hopes that the grounding can be lifted quickly. The company said it will take only a day to deploy the software once it is approved by safety regulators and that upgrading a specific airplane will take “an hour or so.”
However, it’s up to the Federal Aviation Administration (FAA) and foreign regulators to determine when the plane will be allowed to return to service. And then each airline operator will have to run its flight crews through the new MCAS training.
In a separate part of the news conference, Boeing answered questions from reporters on condition that the person speaking not be named.
In the Lion Air crash last October, black-box data released in the preliminary investigation shows that MCAS was triggered by a single faulty sensor and repeatedly pushed the nose of the jet down as the pilots struggled to pull it back up before losing control.
Initial indications that the Ethiopian Airlines crash earlier this month might also involve MCAS were enough for regulators around the world to order the fleet grounded.
“One-off occurrences happen, like the accidents we have just experienced, and cause us to always go back and question our basic assumptions and look at our design processes,” Boeing said in answer to questioning about why the change has been made.
“Every time something happens we learn from it,” Boeing said. “We do not know the ultimate cause of the accidents. MCAS is just one independent link in the chain. We can make that more robust.”
“As tragic as this is — and these two accidents are terribly tragic, and we understand the gravity of that — we do learn from it,” Boeing said.
The company said it has conducted audits on all the MAX systems since the accident, taking a close look at the system safety assessments, including analyses of different possible failure modes and the hazard each would cause, and “uncovered nothing that concerns us.”
“The process we follow with the regulators and with the (airplane) designs has continued to lead to safer and safer airplanes,” Boeing said. “We can question our assumptions, but in general the process has worked and continues to work and we see no reason to overhaul the process.”
Reporters asked whether increased cockpit automation, combined with pilots around the world becoming less familiar with manual flying techniques, is introducing new hazards that the industry needs to address. Boeing countered that the recent history of aviation safety has been stellar and does not indicate “any systemic failure in how the world designs, builds and tests airplanes and trains flight crews.”
Boeing defended the original design of MCAS as dependent on a single sensor, saying that industry practice allows such single points of failure provided corrective action “can be quickly performed by a trained pilot using established procedures.”
Boeing points out that MCAS can be countered by the pilots and, if all else fails, can be turned off by flipping two cutoff switches.
Boeing has been conducting flight tests of the MCAS software fix over the past two weeks, since just before the worldwide fleet was grounded.
The company said getting the software fix out and presenting it to the world “took until now because we wanted to get it right. Rushing it is the wrong thing to do.”
Sinnett defended the original certification of the airplane and of MCAS.
He said the 737 MAX builds on the “tremendous history of safety” of the 737 program and said Boeing is introducing the proposed software changes because aviation is “an industry that is continuously learning” from airplane accidents.
“The rigor and thoroughness of the design and testing that went into the MAX gives us complete confidence that the changes we are making would address any of these accidents,” Sinnett said.
Meanwhile, more than 200 airline pilots, officials and safety regulators gathered at the 737 assembly plant nearby for briefings and sessions testing the new software upgrade in a MAX simulator.
Attendees will be able to watch Boeing pilots sitting in a simulator and talk to them at the same time so that they can request simulated flights with specific scenarios.
Dominic Gates: 206-464-2963 or [email protected]; on Twitter: @dominicgates.
The use of a single AoA sensor at a time, for a function that can do what it did in these two crash scenarios is the problem. The failure event that caused the loss of two airliners, so far, must be classified as Catastrophic, in the terms of 25.1309, and made to be Extremely Improbable (mathematically on the order of 10E-09). It was clearly not Extremely Improbable as certified. So the classification either needs to be upgraded or the system safety analysis called into question, maybe both.
Design strategies to meet this safety requirement may include redundancy (more than one AoA sensor), detection of sensor failure with corresponding steps to disable its input to the MCAS and others. Common causes that could lead to simultaneous failure of multiple AoA sensors must be avoided. As a previous poster noted, current AoA sensors can fail on the order of once every 100,000 hours, though I'm not sure that covers every failure mode. If the MCAS functionality must be assured for certification, then significant redesign of the system hardware architecture is necessary, not merely changing a few lines of code.
Furthermore, I don't know what the hazard classification was approved for MCAS, but it should be Catastrophic, which means that software associated with its function should be at Design Assurance Level A. Not sure what the software DAL is, but to modify Level A software and get the modification approved is not trivial (time-consuming and expensive).
Design strategies to meet this safety requirement may include redundancy (more than one AoA sensor), detection of sensor failure with corresponding steps to disable its input to the MCAS and others. Common causes that could lead to simultaneous failure of multiple AoA sensors must be avoided. As a previous poster noted, current AoA sensors can fail on the order of once every 100,000 hours, though I'm not sure that covers every failure mode. If the MCAS functionality must be assured for certification, then significant redesign of the system hardware architecture is necessary, not merely changing a few lines of code.
Furthermore, I don't know what the hazard classification was approved for MCAS, but it should be Catastrophic, which means that software associated with its function should be at Design Assurance Level A. Not sure what the software DAL is, but to modify Level A software and get the modification approved is not trivial (time-consuming and expensive).
Join Date: May 2017
Location: San Diego
Posts: 66
Likes: 0
Received 0 Likes
on
0 Posts
The use of a single AoA sensor at a time, for a function that can do what it did in these two crash scenarios is the problem. ......Furthermore, I don't know what the hazard classification was approved for MCAS, but it should be Catastrophic, which means that software associated with its function should be at Design Assurance Level A. Not sure what the software DAL is, but to modify Level A software and get the modification approved is not trivial (time-consuming and expensive).
As for the announced fix (summary so far), they really need to publish the source code section involved and/or block diagram schematics instead of simply trying to paraphrase ambiguously what the system is capable of doing. I know that's unprecedented, but for pete's sake, this is crazy, them running around with loose english phrasing of how persistent MCAS will be from now on, when it will re-engage, you know, all the state transition diagram logic would be nice to know. ....... For some, it may be enough to know that 2 AoA vane sensors will be compared (finally, right?!), and I might have designed it so MCAS function would still work if one AoA vane malfunctioned by using [AoA = Pitch Angle - Flight Path Angle] as a tie-breaker to determine which AoA vane is sick. I guess just getting rid of MCAS on AoA disagrees is OK here since having no MCAS isn't much of safety problem. They kill MCAS on AoA disagrees, fine.....