
Boeing 737 Max Software Fixes Due to Lion Air Crash Delayed


Old 27th Mar 2019, 23:55
  #421 (permalink)  
 
Join Date: Nov 2007
Location: dublin
Posts: 2
13 minutes of flight before crash - not 40 seconds

Originally Posted by infrequentflyer789 View Post
Ok, so we finally have some "we tried this in the sim and...", albeit sim and scenario were under Boeing control (but apparently not under Boeing NDA...). Apparently these were first-world pilots, forewarned, MCAS expected, and obviously with knowledge of the potential implications (smoking crater / large splash).

Things that jumped out at me (my emphasis):







So, 40 seconds to unrecoverable dive due to a system that the pilot does not know about (before), or (now) even with knowledge will not appreciate how powerful it is until they have experienced it in the sim. Which they won't have, because there are no sims outside Boeing because there don't need to be because no max-specific sim training is needed and an NG sim doesn't have MCAS. So the first time a line pilot encounters this "surprisingly powerful" control law is, inevitably, in the air with a plane load of pax behind them (WTF are sims for?), and they have 40s to figure it out - and it is not clear at what altitude that is...



So, that was before Lion Air. Now, having established in tests with line pilots (presumably not done before?) that the "surprisingly powerful" MCAS cannot be appreciated until experienced in the sim (or presumably in the a/c, however briefly), the fix is, drum roll..............:



I really don't know what to say.

I'm sure plaintiffs lawyers will though - they're going to have a ****ing field day in court with this.

yanrair is offline  
Old 28th Mar 2019, 05:55
  #422 (permalink)  
 
Join Date: Feb 2018
Location: Canberra
Posts: 1
Originally Posted by yanrair View Post



Can someone shed some light on those AoA graphs, other than what looks like some inverted graphing at the start and end of flight, the left and right sensors seem to be pretty much in agreement from a cursory glance....
Dee Vee is offline  
Old 28th Mar 2019, 06:43
  #423 (permalink)  
 
Join Date: Jul 2014
Location: Harbour Master Place
Posts: 662
Originally Posted by GlobalNav View Post
The use of a single AoA sensor at a time, for a function that can do what it did in these two crash scenarios is the problem. The failure event that caused the loss of two airliners, so far, must be classified as Catastrophic, in the terms of 25.1309, and made to be Extremely Improbable (mathematically on the order of 10E-09). It was clearly not Extremely Improbable as certified. So the classification either needs to be upgraded or the system safety analysis called into question, maybe both.

Design strategies to meet this safety requirement may include redundancy (more than one AoA sensor), detection of sensor failure with corresponding steps to disable its input to the MCAS and others. Common causes that could lead to simultaneous failure of multiple AoA sensors must be avoided. As a previous poster noted, current AoA sensors can fail on the order of once every 100,000 hours, though I'm not sure that covers every failure mode. If the MCAS functionality must be assured for certification, then significant redesign of the system hardware architecture is necessary, not merely changing a few lines of code.

Furthermore, I don't know what the hazard classification was approved for MCAS, but it should be Catastrophic, which means that software associated with its function should be at Design Assurance Level A. Not sure what the software DAL is, but to modify Level A software and get the modification approved is not trivial (time-consuming and expensive).
It was stated earlier in the thread the reasoning behind the single sensor design was specifically so no AoA error could be detected. A dual sensor approach would allow an AoA error to be detected, which would necessitate the warning to be presented to the crew, and that would potentially require additional training. The design mandate for the MAX was that there would be no requirement for simulator time to save the airlines money. Even the test pilot was unaware that the full MCAS was single channel.

Someone inside Boeing knew exactly what they were doing, and are fully culpable for these accidents. Where was the FAA in all this?
CurtainTwitcher is offline  
Old 28th Mar 2019, 06:53
  #424 (permalink)  
 
Join Date: Feb 2009
Location: Seattle
Posts: 379
Originally Posted by Dee Vee View Post
Can someone shed some light on those AoA graphs, other than what looks like some inverted graphing at the start and end of flight, the left and right sensors seem to be pretty much in agreement from a cursory glance....
The two AOA signals move together but with about 20 degrees separation. The left one is too high. MCAS was using that one during this Lion Air accident. I sure want to see the same parameters from the Ethiopian accident plotted!
FCeng84 is offline  
Old 28th Mar 2019, 06:59
  #425 (permalink)  
 
Join Date: Mar 2015
Location: Washington state
Posts: 209
Originally Posted by CurtainTwitcher View Post
It was stated earlier in the thread the reasoning behind the single sensor design was specifically so no AoA error could be detected. A dual sensor approach would allow an AoA error to be detected, which would necessitate the warning to be presented to the crew, and that would potentially require additional training. The design mandate for the MAX was that there would be no requirement for simulator time to save the airlines money. Even the test pilot was unaware that the full MCAS was single channel.

Someone inside Boeing knew exactly what they were doing, and are fully culpable for these accidents. Where was the FAA in all this?
I don't think so. AOA disagree was an option and from what I read Southwest ordered it. Why it was an option is a damn good question since it is apparently just software -- given that the proposed fix does exactly that and takes an hour to install...
Water pilot is offline  
Old 28th Mar 2019, 07:15
  #426 (permalink)  
 
Join Date: May 1999
Location: Quite near 'An aerodrome somewhere in England'
Posts: 26,146
I read from the BBC:
Boeing has redesigned the software so that it will disable MCAS if it receives conflicting data from its sensors.

In a briefing to reporters Boeing said that the upgrades were not an admission that the system had caused the crashes.
If AoA sensor disagreement in future will disable MCAS, then that must surely mean that the aircraft is allegedly safe to fly without it?

Boeing also said that airlines which fit this 'upgrade' are to be required to 'give feedback on its performance'. Surely that's the job of Boeing's flight test department?

I can't see many passengers being happy to fly in a 737 Max ever again, no matter what 'upgrades' Boeing provides.
BEagle is offline  
Old 28th Mar 2019, 07:27
  #427 (permalink)  
 
Join Date: Jan 2008
Location: Reading, UK
Posts: 14,082
Originally Posted by BEagle View Post
If AoA sensor disagreement in future will disable MCAS, then that must surely mean that the aircraft is allegedly safe to fly without it?
Well yes, the argument seems to be that you can mitigate the absence of MCAS, if necessary. Much like saying that the aircraft is "safe" to fly with one engine shut down.

Not necessarily a valid parallel ...
DaveReidUK is online now  
Old 28th Mar 2019, 07:43
  #428 (permalink)  
 
Join Date: Jul 2003
Location: An Island Province
Posts: 1,220
Based on what has been disclosed about the proposed changes, the lack of detail does not reassure or provide a convincing argument.
The somewhat obvious changes to system architecture - dual sensing, cross comparison, authority limits, and annunciation (still deficient), should have been in place for certification - thus ‘closing the stable door’. However, there is no reference as to why the AoA value was in error on two aircraft, involving 3 vanes.

Discussions have considered the physical vane, electrical output, software conversation, etc, but nowhere is there a description of why ‘on the day before’ everything was normal, but then the system malfunctioned.
Why were these two aircraft, on that day, so different from all of the other aircraft in service?

These aspects should be addressed by the formal investigations, as yet not disclosed publicly, but should be available to the manufacturer and regulator (but not all?). Software doesn’t leave ‘evidence’ at an accident site.

Returning the aircraft to service is more about public trust than with design and certification; all are required, worldwide. This requires much more detail to restore technical trust, even if the manufacturer believes that a public statement is sufficient.

Are we to accept - an analogy involving a car manufacturer after an accident where the steering-rod bolt fell out, being satisfied by fitting two bolts, but not knowing why the first bolt fell out.

So far the changes are a ‘wet blanket’ over an unidentified cause; can we be convinced that the problem is cured without knowing ‘cause’?


Last edited by alf5071h; 28th Mar 2019 at 17:42. Reason: typo
alf5071h is offline  
Old 28th Mar 2019, 07:44
  #429 (permalink)  
 
Join Date: Feb 2010
Posts: 468
Feels a bit like deactivating alpha floor protection in an Airbus after only one time use.
Less Hair is offline  
Old 28th Mar 2019, 07:54
  #430 (permalink)  
 
Join Date: Jan 2008
Location: Irvine, CA
Posts: 94
Seattle Times:
“Ludtke didn’t work directly on the MCAS, but he worked with those who did. He said that if the group had built the MCAS in a way that would depend on two sensors, and would shut the system off if one fails, he thinks the company would have needed to install an alert in the cockpit to make the pilots aware that the safety system was off.

And if that happens, Ludtke said, the pilots would potentially need training on the new alert and the underlying system. That could mean simulator time, which was off the table.”
This is crucial information. If true, this would not only amount to gross negligence, but to criminal intent from Boeing’s side.
So - reasonably speculating - the decision making logic at Boeing went somewhere along this line:

Engineers:
We have two options to design the MCAS requirement into the MAX:

A) with redundancy in the data input, as required for such systems with potentially catastrophic influence on the flight performance. We need to install an alert in the cockpit if the system is switched off due to inconsistency in the data. That means the pilots will need to undergo simulator training for conversion to the MAX.

B) we poll only a single sensor and the system does not check for data integrity against other available data. Then the system can stay in the background and the pilots do not need to know. In case of sensor data corruption, the pilots would - best case - have a few seconds to recognize the problem as in effect comparable to a stabilizer runaway and use the cut out switches and apply manual counter trim. No need to mention this to anyone and no simulator training needed. What could go wrong? Well, in case of single sensor data failure, the airplane will want to fly itself and all on board with authority and high speed into the ground.

Management:
we do option B!







Last edited by Interflug; 28th Mar 2019 at 11:43.
Interflug is offline  
Old 28th Mar 2019, 08:00
  #431 (permalink)  
 
Join Date: Jul 2014
Location: Harbour Master Place
Posts: 662
In response to waterpilot.
Thank you Interflug, that Seattle Times article I was paraphrasing, exactly what I was trying to communicate.

Even the MAX Boeing test pilot wasn't aware that MCAS is using one sensor's data.


https://www.bakersfield.com/ap/news/...7e6384825.html
Ethiopian airliner down in Africa
CurtainTwitcher is offline  
Old 28th Mar 2019, 13:22
  #432 (permalink)  
 
Join Date: Aug 2006
Location: cardiff
Posts: 597
Originally Posted by CurtainTwitcher View Post
It was stated earlier in the thread the reasoning behind the single sensor design was specifically so no AoA error could be detected. A dual sensor approach would allow an AoA error to be detected, which would necessitate the warning to be presented to the crew, and that would potentially require additional training. The design mandate for the MAX was that there would be no requirement for simulator time to save the airlines money. Even the test pilot was unaware that the full MCAS was single channel.
Think they need to revisit part 25.671, then part 25.672, as a stability augmentation system must have "a warning which is clearly distinguishable to the pilot under expected flight conditions without requiring his attention must be provided for ANY failure in the stability augmentation system or in ANY OTHER AUTOMATIC OR POWER OPERATED SYSTEM WHICH COULD RESULT IN AN UNSAFE CONDITION IF THE PILOT WERE NOT AWARE OF THE FAILURE"

(caps inserted)

At base level this MCAS is just an augmentation system is it not?

In my view, it does not comply with the basic certification requirement above, and someone in Boeing knows this, software alone won't fix it.


Ttfn
ivor toolbox is offline  
Old 28th Mar 2019, 17:05
  #433 (permalink)  
 
Join Date: Mar 2002
Location: Florida
Posts: 4,567
Originally Posted by ivor toolbox View Post
Think they need to revisit part 25.671, then part 25.672, as a stability augmentation system must have "a warning which is clearly distinguishable to the pilot under expected flight conditions without requiring his attention must be provided for ANY failure in the stability augmentation system or in ANY OTHER AUTOMATIC OR POWER OPERATED SYSTEM WHICH COULD RESULT IN AN UNSAFE CONDITION IF THE PILOT WERE NOT AWARE OF THE FAILURE"

(caps inserted)

At base level this MCAS is just an augmentation system is it not?

In my view, it does not comply with the basic certification requirement above, and someone in Boeing knows this, software alone won't fix it.


Ttfn

I think you have pointed to the initial Kernel of causal factors. Many other posters have debated on the presumed application of System Safety "-1309" as the underlying certification base. However, if a more specific requirement is applied, as you suggest, then that regulation must take precedence over a less specific regulation.

I would be most interested in how the FAA's North East region found compliance and under what regulation as this is where the fundamental fault may lie.

I'm not ready to lay the complete fault at Boeing's door unless they misrepresented facts when submitting their application for acceptance. On the other hand how would the other world regulators accept a faulted certification base ?
lomapaseo is offline  
Old 28th Mar 2019, 17:34
  #434 (permalink)  
 
Join Date: Feb 2009
Location: Seattle
Posts: 379
Originally Posted by BEagle View Post
I read from the BBC:

If AoA sensor disagreement in future will disable MCAS, then that must surely mean that the aircraft is allegedly safe to fly without it?

Boeing also said that airlines which fit this 'upgrade' are to be required to 'give feedback on its performance'. Surely that's the job of Boeing's flight test department?

I can't see many passengers being happy to fly in a 737 Max ever again, no matter what 'upgrades' Boeing provides.
With regard to the acceptability of operating without a particular control system feature active, it all comes down to consideration of both the consequences of not having that feature and the rate of occurrence of not having that feature. In the case of MCAS, the function is designed to only act at higher AOA so for most flights it will not come alive. Combining the probability of being at an AOA where MCAS activates with the probability of an AOA sensor failure that would now be detected and lead to MCAS not being available must push the likelihood of not having MCAS when it would act out to a very low rate. The pilot assessment hazard level associated with not having MCAS must be low enough to allow the resulting unavailability rate.

Another example is the impact pressure schedule for the variable column feel on the 737. There are two separate feel units that are each driven by their own air data sensors. If a failure of one occurs (let's say its probe gets plugged as a result of hitting a bird) the column feel characteristics will be degraded - likely to a degree that would not support certification with respect to every day operation. Piloted evaluation, however, has shown that at the presumed rate of hitting a bird such that the probe is plugged the associated degradation in column feel is acceptable. In a more remote event hitting a flock of birds might plug both probes causing both feel units to behave improperly and the feel characteristic to degrade much more. Pilot evaluation of the change in feel characteristics with both feel units degraded has shown that it is acceptable given the probability of occurrence of that event.
FCeng84 is offline  
Old 28th Mar 2019, 19:55
  #435 (permalink)  
 
Join Date: May 2017
Location: San Diego
Posts: 65
FCEng84, great posts. Would adding the line of code: "IF (pitch_angle < 7 degrees) THEN (disable MCAS autotrimming) END_IF" be a simple, good solution. (pitch_angle is triplex reliable).....
I know Boeing has already announced the alpha-disagree & etc. fix, yet if they would have put that inhibit in there, you could still say "skip sim training" for current 737 pilots, right?
QuagmireAirlines is offline  
Old 28th Mar 2019, 20:01
  #436 (permalink)  
 
Join Date: Nov 2000
Location: Canada
Posts: 574
Originally Posted by Water pilot View Post
I don't think so. AOA disagree was an option and from what I read Southwest ordered it. Why it was an option is a damn good question since it is apparently just software -- given that the proposed fix does exactly that and takes an hour to install...
Air Canada installed both options on their 737MAX aircraft. I wonder how many carriers did.
Longtimer is offline  
Old 28th Mar 2019, 21:30
  #437 (permalink)  
 
Join Date: Aug 2006
Location: cardiff
Posts: 597
Originally Posted by lomapaseo View Post
I think you have pointed to the initial Kernel of causal factors. Many other posters have debated on the presumed application of System Safety "-1309" as the underlying certification base. However, if a more specific requirement is applied, as you suggest, then that regulation must take precedence over a less specific regulation.

I would be most interested in how the FAA's North East region found compliance and under what regulation as this is where the fundamental fault may lie.

I'm not ready to lay the complete fault at Boeing's door unless they misrepresented facts when submitting their application for acceptance. On the other hand how would the other world regulators accept a faulted certification base ?
As has been described on other threads, Boeing did it (certification) themselves, the FAA appear to have rubber stamped the completed documents that were presented to them with, shall we say, 'all boxes ticked'.

As for other countries, well, under various bi-lateral agreements, once it gains FAA sign off and type cert, it's read across as being compliant in those countries too.

Ttfn
ivor toolbox is offline  
Old 28th Mar 2019, 22:22
  #438 (permalink)  
 
Join Date: May 2000
Location: Seattle
Posts: 3,188
Do countries like Ethiopia and Indonesia have the expertise to attempt to review an FAA aircraft type certification?
Intruder is offline  
Old 28th Mar 2019, 22:30
  #439 (permalink)  
 
Join Date: Jan 2008
Location: Herts, UK
Posts: 747
Originally Posted by Vilters View Post
You can update the software from now till eternity.

The main issue remains.
These "events" are triggered by failing AOA sensor/systems. => That is where the main focus should be => Why is the AOA probe/system failing.
That MCAS was single probe only is an error, but secondary and what MCAS is/was trying to do is third.

But, and this should be the main focus point => With a solid AOA signal, nothing of this would have happened in the first place.
Don't necessarily agree...
Hardware failures have to be possible without disastrous effects or consequences.
Either the aircraft shouldn't require such a strange convoluted system for retaining stick force increase at the stall...
Or a system should be built in that is 'totally foolproof' in so far as meeting theoretical and practically tested fault paths or redundancy...
Or.. the airworthiness requirement should be waived with stall training and AoA alarms...

Theory being why would you normally be flying into a stall.. neither Lion Air nor Ethiopian were or would have been near the stall.. the IRONY is an Airworthiness Requirement KILLED people, LOTS?

Let's ask this... how serious is a STRAIGHT stall if it's detected and countered formally (standard response) unless it's a low level ?
Is the stick force ~alpha curve or stick force per G overrated as a design criteria ?
HarryMann is offline  
Old 29th Mar 2019, 00:24
  #440 (permalink)  
 
Join Date: Sep 2011
Location: Belgium
Age: 63
Posts: 138
Originally Posted by HarryMann View Post
Don't necessarily agree...
Hardware failures have to be possible without disastrous effects or consequences.
Either the aircraft shouldn't require such a strange convoluted system for retaining stick force increase at the stall...
Or a system should be built in that is 'totally foolproof' in so far as meeting theoretical and practically tested fault paths or redundancy...
Or.. the airworthiness requirement should be waived with stall training and AoA alarms...

Theory being why would you normally be flying into a stall.. neither Lion Air nor Ethiopian were or would have been near the stall.. the IRONY is an Airworthiness Requirement KILLED people, LOTS?

Let's ask this... how serious is a STRAIGHT stall if it's detected and countered formally (standard response) unless it's a low level ?
Is the stick force ~alpha curve or stick force per G overrated as a design criteria ?
Correct : None of the aircraft were even close to a stall.
But the signals coming from the AOA sensors tricked the "aircraft" to "think" it was in a stall and corrective action had to be taken. => MCAS and stick shaker were activated to counter an issue that did not exist in the first place.

And now? ? They are going to "fix" this with a SOFTWARE UPDATE?

Let us start with a third AOA sensor, then start thinking about the software.
Vilters is offline  
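
The three sensor architectures argued over in this thread (single channel, the disable-on-disagreement fix quoted in post #426, and the third sensor proposed in post #440) can be compared side by side. The sketch below is an added example, not code from any poster or from Boeing; the activation threshold, miscompare limit, persistence count and all sample values are constructed assumptions, and mid-value selection does not address the common-cause failures raised in post #423.

```python
"""Added illustration: single channel vs. dual cross-check vs. triplex
mid-value select. Every threshold and sample value is a constructed assumption."""
from statistics import median

ACTIVATION_AOA_DEG = 12.0   # assumed AoA above which the augmentation acts
DISAGREE_LIMIT_DEG = 5.5    # assumed miscompare threshold between sensors
PERSISTENCE_SAMPLES = 3     # assumed consecutive miscompares before latching

# Constructed data: true AoA per sample. The left vane reads 20 degrees high
# (the size of offset described in post #424); the others read near truth.
TRUE_AOA = [3.0, 4.0, 5.0, 4.0, 3.0, 9.0, 13.0, 14.0]
SAMPLES = [(a + 20.0, a, a + 0.3) for a in TRUE_AOA]  # (left, right, third)


def single_channel(samples):
    """Act on the left sensor alone: a biased vane commands trim every sample."""
    return [left > ACTIVATION_AOA_DEG for left, _right, _third in samples]


def dual_cross_check(samples):
    """Compare left and right; hold on any miscompare, latch off when persistent.

    Returns (commands, index at which the function was latched off or None).
    Two sensors detect the fault but cannot say which vane is wrong, so the
    function is lost for the rest of the flight and the crew must be told.
    """
    commands, miscompare, inhibited_at = [], 0, None
    for i, (left, right, _third) in enumerate(samples):
        miscompare = miscompare + 1 if abs(left - right) > DISAGREE_LIMIT_DEG else 0
        if inhibited_at is None and miscompare >= PERSISTENCE_SAMPLES:
            inhibited_at = i  # latched: an annunciation would be raised here
        usable = inhibited_at is None and miscompare == 0
        commands.append(usable and min(left, right) > ACTIVATION_AOA_DEG)
    return commands, inhibited_at


def triplex_mid_value(samples):
    """Use the median of three sensors; one biased vane is outvoted.

    Returns (commands, set of sensor indexes flagged as outliers).
    The function stays available and the faulty sensor is identified.
    """
    commands, suspects = [], set()
    for sensors in samples:
        mid = median(sensors)
        suspects.update(i for i, v in enumerate(sensors)
                        if abs(v - mid) > DISAGREE_LIMIT_DEG)
        commands.append(mid > ACTIVATION_AOA_DEG)
    return commands, suspects


if __name__ == "__main__":
    print("single :", single_channel(SAMPLES))
    print("dual   :", dual_cross_check(SAMPLES))
    print("triplex:", triplex_mid_value(SAMPLES))
```

With the constructed data, the single channel commands nose-down trim on every sample, the dual check never commands but is unavailable when the true AoA finally exceeds the threshold, and the triplex arrangement commands only on the last two samples while flagging sensor 0.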
