Boeing 737 Max Software Fixes Due to Lion Air Crash Delayed
Join Date: Nov 2007 | Location: dublin | Posts: 2
13 minutes of flight before crash - not 40 seconds
Ok, so we finally have some "we tried this in the sim and...", albeit sim and scenario were under Boeing control (but apparently not under Boeing NDA...). Apparently these were first-world pilots, forewarned, MCAS expected, and obviously with knowledge of the potential implications (smoking crater / large splash).
Things that jumped out at me (my emphasis):
So, 40 seconds to unrecoverable dive due to a system that the pilot does not know about (before), or (now) even with knowledge will not appreciate how powerful it is until they have experienced it in the sim. Which they won't have, because there are no sims outside Boeing because there don't need to be because no max-specific sim training is needed and an NG sim doesn't have MCAS. So the first time a line pilot encounters this "surprisingly powerful" control law is, inevitably, in the air with a plane load of pax behind them (WTF are sims for?), and they have 40s to figure it out - and it is not clear at what altitude that is...
So, that was before Lion Air. Now, having established in tests with line pilots (presumably not done before?) that the "surprisingly powerful" MCAS cannot be appreciated until experienced in the sim (or presumably in the a/c, however briefly), the fix is, drum roll..............:
I really don't know what to say.
I'm sure plaintiffs lawyers will though - they're going to have a ****ing field day in court with this.
Join Date: Feb 2018 | Location: Canberra | Posts: 1
Join Date: Jul 2014 | Location: Harbour Master Place | Posts: 662
The use of a single AoA sensor at a time, for a function that can do what it did in these two crash scenarios is the problem. The failure event that caused the loss of two airliners, so far, must be classified as Catastrophic, in the terms of 25.1309, and made to be Extremely Improbable (mathematically on the order of 10E-09). It was clearly not Extremely Improbable as certified. So the classification either needs to be upgraded or the system safety analysis called into question, maybe both.
Design strategies to meet this safety requirement may include redundancy (more than one AoA sensor), detection of sensor failure with corresponding steps to disable its input to the MCAS and others. Common causes that could lead to simultaneous failure of multiple AoA sensors must be avoided. As a previous poster noted, current AoA sensors can fail on the order of once every 100,000 hours, though I'm not sure that covers every failure mode. If the MCAS functionality must be assured for certification, then significant redesign of the system hardware architecture is necessary, not merely changing a few lines of code.
Furthermore, I don't know what the hazard classification was approved for MCAS, but it should be Catastrophic, which means that software associated with its function should be at Design Assurance Level A. Not sure what the software DAL is, but to modify Level A software and get the modification approved is not trivial (time-consuming and expensive).
Someone inside Boeing knew exactly what they were doing, and are fully culpable for these accidents. Where was the FAA in all this?
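As an added illustration of the dual sensing, cross comparison and disable-on-disagreement architecture discussed in the post above (and in the BBC summary quoted later in the thread), here is a toy monitor in Python. It is not Boeing's code and not from any poster; the disagree threshold, persistence window, trigger angle and the sample traces are constructed assumptions chosen only to show how a single-channel design and a cross-compared design respond to one vane reading roughly 20 degrees high.

```python
"""Toy dual-channel AoA disagree monitor (constructed example, not Boeing's design)."""
from dataclasses import dataclass

DISAGREE_THRESHOLD_DEG = 5.5   # assumed: channels further apart than this disagree
PERSISTENCE_CYCLES = 3         # assumed: consecutive disagreeing cycles before latching
AOA_TRIGGER_DEG = 15.0         # assumed activation angle for the augmentation function


@dataclass
class DisagreeMonitor:
    """Compares two AoA channels each cycle and latches an inhibit on persistent disagreement."""
    threshold_deg: float = DISAGREE_THRESHOLD_DEG
    persistence: int = PERSISTENCE_CYCLES
    consecutive: int = 0
    latched: bool = False

    def step(self, aoa_left: float, aoa_right: float) -> bool:
        """Process one sample pair; returns True when the function must be inhibited."""
        if abs(aoa_left - aoa_right) > self.threshold_deg:
            self.consecutive += 1
        else:
            self.consecutive = 0
        if self.consecutive >= self.persistence:
            # Latched: stays inhibited (and annunciated) until a maintenance reset,
            # so a later coincidental agreement does not silently re-arm the function.
            self.latched = True
        return self.latched


def single_channel_command(aoa_selected: float, trigger: float = AOA_TRIGGER_DEG) -> bool:
    """Single-channel design: the one selected vane alone decides whether to command trim."""
    return aoa_selected > trigger


def dual_channel_command(monitor: DisagreeMonitor, aoa_left: float, aoa_right: float,
                         trigger: float = AOA_TRIGGER_DEG) -> bool:
    """Cross-compared design: command only if channels agree and both exceed the trigger.

    Requiring both channels (min) is a conservative assumption for this toy; a real
    system would define the voting rule as part of its safety analysis.
    """
    if monitor.step(aoa_left, aoa_right):
        return False
    return min(aoa_left, aoa_right) > trigger


# Constructed traces of (left, right) AoA samples in degrees. In OFFSET_TRACE the left
# vane jumps ~20 degrees above the right one; the final sample shows both channels
# genuinely high after the inhibit has already latched. GENUINE_TRACE has both vanes
# agreeing at high AoA, where the function should still act.
OFFSET_TRACE = [(5.0, 5.2), (5.1, 5.0), (25.0, 5.1), (25.4, 5.3), (25.9, 5.2), (18.0, 18.2)]
GENUINE_TRACE = [(16.0, 16.3), (17.0, 16.8)]


def run_comparison(trace=OFFSET_TRACE, trigger: float = AOA_TRIGGER_DEG):
    """Return per-cycle commands for the single-channel (left vane) and dual-channel designs,
    plus whether the disagree inhibit ended up latched."""
    monitor = DisagreeMonitor()
    single, dual = [], []
    for left, right in trace:
        single.append(single_channel_command(left, trigger))
        dual.append(dual_channel_command(monitor, left, right, trigger))
    return single, dual, monitor.latched


if __name__ == "__main__":
    for name, trace in (("offset", OFFSET_TRACE), ("genuine", GENUINE_TRACE)):
        s, d, latched = run_comparison(trace)
        print(f"{name}: single={s} dual={d} latched={latched}")
```

With the offset trace the single-channel design commands nose-down trim on every cycle after the left vane goes high, while the cross-compared design never does and ends latched; with the genuine trace both designs command and nothing latches.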
Join Date: Feb 2009 | Location: Seattle | Posts: 379
The two AOA signals move together but with about 20 degrees separation. The left one is too high. MCAS was using that one during this Lion Air accident. I sure want to see the same parameters from the Ethiopian accident plotted!
Join Date: Mar 2015 | Location: Washington state | Posts: 209
It was stated earlier in the thread that the reasoning behind the single sensor design was specifically so no AoA error could be detected. A dual sensor approach would allow an AoA error to be detected, which would necessitate the warning being presented to the crew, and that would potentially require additional training. The design mandate for the MAX was that there would be no requirement for simulator time, to save the airlines money. Even the test pilot was unaware that the full MCAS was single channel.
I read from the BBC:
Boeing has redesigned the software so that it will disable MCAS if it receives conflicting data from its sensors.
In a briefing to reporters Boeing said that the upgrades were not an admission that the system had caused the crashes.
If AoA sensor disagreement in future will disable MCAS, then that must surely mean that the aircraft is allegedly safe to fly without it?
Boeing also said that airlines which fit this 'upgrade' are to be required to 'give feedback on its performance'. Surely that's the job of Boeing's flight test department?
I can't see many passengers being happy to fly in a 737 Max ever again, no matter what 'upgrades' Boeing provides.
Not necessarily a valid parallel ...
Based on what has been disclosed about the proposed changes, the lack of detail does not reassure or provide a convincing argument.
The somewhat obvious changes to system architecture - dual sensing, cross comparison, authority limits, and annunciation (still deficient) - should have been in place for certification, thus ‘closing the stable door’. However, there is no reference as to why the AoA value was in error on two aircraft, involving 3 vanes.
Discussions have considered the physical vane, electrical output, software conversion, etc., but nowhere is there a description of why ‘on the day before’ everything was normal, but then the system malfunctioned.
Why were these two aircraft, on that day, so different from all of the other aircraft in service?
These aspects should be addressed by the formal investigations, as yet not disclosed publicly, but should be available to the manufacturer and regulator (but not all?). Software doesn’t leave ‘evidence’ at an accident site.
Returning the aircraft to service is more about public trust than with design and certification; all are required, worldwide. This requires much more detail to restore technical trust, even if the manufacturer believes that a public statement is sufficient.
Are we to accept an analogy involving a car manufacturer after an accident where the steering-rod bolt fell out, being satisfied by fitting two bolts, but not knowing why the first bolt fell out?
So far the changes are a ‘wet blanket’ over an unidentified cause; can we be convinced that the problem is cured without knowing ‘cause’?
Last edited by alf5071h; 28th Mar 2019 at 17:42. Reason: typo
Feels a bit like deactivating alpha floor protection in an Airbus after only one time use.
Join Date: Jan 2008 | Location: Irvine, CA | Posts: 94
Seattle Times:
”Ludtke didn’t work directly on the MCAS, but he worked with those who did. He said that if the group had built the MCAS in a way that would depend on two sensors, and would shut the system off if one fails, he thinks the company would have needed to install an alert in the cockpit to make the pilots aware that the safety system was off.
And if that happens, Ludtke said, the pilots would potentially need training on the new alert and the underlying system. That could mean simulator time, which was off the table.”
So - reasonably speculating - the decision making logic at Boeing went somewhere along this line:
Engineers:
We have two options to design the MCAS requirement into the MAX:
A) with redundancy in the data input, as required for such systems with potentially catastrophic influence on the flight performance. We need to install an alert in the cockpit if the system is switched off due to inconsistency in the data. That means the pilots will need to undergo simulator training for conversion to the MAX.
B) we poll only a single sensor and the system does not check for data integrity against other available data. Then the system can stay in the background and the pilots do not need to know. In case of sensor data corruption, the pilots would - best case - have a few seconds to recognize the problem as in effect comparable to a stabilizer runaway and use the cut out switches and apply manual counter trim. No need to mention this to anyone and no simulator training needed. What could go wrong? Well, in case of single sensor data failure, the airplane will want to fly itself and all on board with authority and high speed into the ground.
Management:
We do option B!
Last edited by Interflug; 28th Mar 2019 at 11:43.
Join Date: Jul 2014 | Location: Harbour Master Place | Posts: 662
In response to waterpilot.
Thank you Interflug, that Seattle Times article I was paraphrasing, exactly what I was trying to communicate.
Ethiopian airliner down in Africa
Even the Boeing MAX test pilot wasn't aware that MCAS was using one sensor's data.
https://www.bakersfield.com/ap/news/...7e6384825.html
Join Date: Aug 2006 | Location: cardiff | Posts: 598
It was stated earlier in the thread that the reasoning behind the single sensor design was specifically so no AoA error could be detected. A dual sensor approach would allow an AoA error to be detected, which would necessitate the warning being presented to the crew, and that would potentially require additional training. The design mandate for the MAX was that there would be no requirement for simulator time, to save the airlines money. Even the test pilot was unaware that the full MCAS was single channel.
Think they need to revisit part 25.671, then part 25.672, as a stability augmentation system must have "a warning which is clearly distinguishable to the pilot under expected flight conditions without requiring his attention must be provided for ANY failure in the stability augmentation system or in ANY OTHER AUTOMATIC OR POWER OPERATED SYSTEM WHICH COULD RESULT IN AN UNSAFE CONDITION IF THE PILOT WERE NOT AWARE OF THE FAILURE"
(caps inserted)
At base level this MCAS is just an augmentation system, is it not?
In my view, it does not comply with the basic certification requirement above, and someone in Boeing knows this; software alone won't fix it.
Ttfn
I think you have pointed to the initial kernel of causal factors. Many other posters have debated the presumed application of System Safety "-1309" as the underlying certification base. However, if a more specific requirement is applied, as you suggest, then that regulation must take precedence over a less specific regulation.
I would be most interested in how the FAA's North East region found compliance, and under what regulation, as this is where the fundamental fault may lie.
I'm not ready to lay the complete fault at Boeing's door unless they misrepresented facts when submitting their application for acceptance. On the other hand how would the other world regulators accept a faulted certification base ?
Join Date: Feb 2009 | Location: Seattle | Posts: 379
I read from the BBC:
If AoA sensor disagreement in future will disable MCAS, then that must surely mean that the aircraft is allegedly safe to fly without it?
Boeing also said that airlines which fit this 'upgrade' are to be required to 'give feedback on its performance'. Surely that's the job of Boeing's flight test department?
I can't see many passengers being happy to fly in a 737 Max ever again, no matter what 'upgrades' Boeing provides.
Another example is the impact pressure schedule for the variable column feel on the 737. There are two separate feel units that are each driven by their own air data sensors. If a failure of one occurs (let's say its probe gets plugged as a result of hitting a bird) the column feel characteristics will be degraded - likely to a degree that would not support certification with respect to everyday operation. Piloted evaluation, however, has shown that at the presumed rate of hitting a bird such that the probe is plugged, the associated degradation in column feel is acceptable. In a more remote event, hitting a flock of birds might plug both probes, causing both feel units to behave improperly and the feel characteristic to degrade much more. Pilot evaluation of the change in feel characteristics with both feel units degraded has shown that it is acceptable given the probability of occurrence of that event.
Join Date: May 2017 | Location: San Diego | Posts: 66
FCEng84, great posts. Would adding the line of code "IF (pitch_angle < 7 degrees) THEN (disable MCAS autotrimming) END_IF" be a simple, good solution? (pitch_angle is triplex reliable.)
I know Boeing has already announced the alpha-disagree & etc. fix, yet if they would have put that inhibit in there, you could still say "skip sim training" for current 737 pilots, right?
Join Date: Nov 2000 | Location: Canada | Posts: 603
Air Canada installed both options on their 737MAX aircraft. I wonder how many carriers did.
Join Date: Aug 2006 | Location: cardiff | Posts: 598
I think you have pointed to the initial kernel of causal factors. Many other posters have debated the presumed application of System Safety "-1309" as the underlying certification base. However, if a more specific requirement is applied, as you suggest, then that regulation must take precedence over a less specific regulation.
I would be most interested in how the FAA's North East region found compliance, and under what regulation, as this is where the fundamental fault may lie.
I'm not ready to lay the complete fault at Boeing's door unless they misrepresented facts when submitting their application for acceptance. On the other hand how would the other world regulators accept a faulted certification base ?
As for other countries, well, under various bilateral agreements, once it gains FAA sign-off and type cert, it's read across as being compliant in those countries too.
Ttfn
Join Date: Jan 2008 | Location: Herts, UK | Posts: 748
You can update the software from now till eternity.
The main issue remains.
These "events" are triggered by failing AOA sensor/systems. => That is where the main focus should be => Why is the AOA probe/system failing.
That MCAS was single probe only is an error, but secondary, and what MCAS is/was trying to do is third.
But, and this should be the main focus point => With a solid AOA signal, nothing of this would have happened in the first place.
Hardware failures have to be possible without disastrous effects or consequences.
Either the aircraft shouldn't require such a strange convoluted system for retaining stick force increase at the stall...
Or a system should be built in that is 'totally foolproof' in so far as meeting theoretical and practically tested fault paths or redundancy...
Or.. the airworthiness requirement should be waived with stall training and AoA alarms...
Theory being, why would you normally be flying into a stall.. neither Lion Air nor Ethiopian were or would have been near the stall.. the IRONY is an Airworthiness Requirement KILLED people, LOTS?
Let's ask this... how serious is a STRAIGHT stall if it's detected and countered formally (standard response), unless it's at low level?
Is the stick force ~alpha curve, or stick force per G, overrated as a design criterion?
Join Date: Sep 2011 | Location: Belgium | Age: 64 | Posts: 138
Don't necessarily agree...
Hardware failures have to be possible without disastrous effects or consequences.
Either the aircraft shouldn't require such a strange convoluted system for retaining stick force increase at the stall...
Or a system should be built in that is 'totally foolproof' in so far as meeting theoretical and practically tested fault paths or redundancy...
Or.. the airworthiness requirement should be waived with stall training and AoA alarms...
Theory being, why would you normally be flying into a stall.. neither Lion Air nor Ethiopian were or would have been near the stall.. the IRONY is an Airworthiness Requirement KILLED people, LOTS?
Let's ask this... how serious is a STRAIGHT stall if it's detected and countered formally (standard response), unless it's at low level?
Is the stick force ~alpha curve, or stick force per G, overrated as a design criterion?
But the signals coming from the AOA sensors tricked the "aircraft" into "thinking" it was in a stall and that corrective action had to be taken. => MCAS and stick shaker were activated to counter an issue that did not exist in the first place.
And now? They are going to "fix" this with a SOFTWARE UPDATE?
Let us start with a third AOA sensor, then start thinking about the software.