
MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures



Old 4th Sep 2019, 20:35
  #2161 (permalink)  
 
Join Date: May 2010
Location: Boston
Age: 68
Posts: 440
Originally Posted by ST Dog
Configuration management is alive and well. Required for a DO-178 process (which is required for aviation). You even have to spell out how you will do it in planning documents, ostensibly before you start development. Changes are tracked, reviewed, connected to problem reports/change requests, etc. Lots of scrutiny.
The issue is does the code change trigger a safety review. DO-178 leaves it to the change maker or other reviewers to decide. But the guys writing the code and making those changes (and their management) don't really understand the airworthiness impact.
It is useful to keep in mind that as far as we know the MCAS software worked exactly as specified/designed/implemented.
No amount of SW process can catch a system level specification error, so while important it is not a panacea for problems resulting from inadequate understanding and analysis at a global level.

What can help is a full fault tree analysis, done before the first accident. From others' comments this is done in aviation, but it is not clear what rigour is applied when 'minor' changes are made.
I have always been impressed at the ability of investigators to determine 'why it blew up' after the fact and often wondered what the result would be if the same resources and methodology were applied in advance.
MurphyWasRight is offline  
Old 4th Sep 2019, 21:09
  #2162 (permalink)  
 
Join Date: Oct 2002
Location: London UK
Posts: 6,303
Originally Posted by MurphyWasRight
It is useful to keep in mind that as far as we know the MCAS software worked exactly as specified/designed/implemented.
This just reminds me of one of our own programmers' responses to a fault issue. "Works As Coded". Well of course it Works As Coded. All computer programs do. But the coding is fundamentally wrong.
WHBM is offline  
Old 4th Sep 2019, 21:35
  #2163 (permalink)  
 
Join Date: Mar 2015
Location: Washington state
Posts: 210
But the guys writing the code and making those changes (and their management) don't really understand the airworthiness impact.
Some of the later news makes me wonder how much they cared. Not that they are unfeeling monsters, but that they cared about something else more than airworthiness. Even the dullest manager involved in the whole MCAS hack debacle had to realize that they were making a plane that was less airworthy than its predecessor. "Oh, it is just like runaway trim" does not negate the fact that they have just made "runaway trim" much more likely, and they knew it.
Water pilot is offline  
Old 4th Sep 2019, 21:51
  #2164 (permalink)  
Thread Starter
 
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 701
Originally Posted by WHBM
This just reminds me of one of our own programmers' responses to a fault issue. "Works As Coded". Well of course it Works As Coded. All computer programs do. But the coding is fundamentally wrong.
I think it would probably be more accurate to say that the design, requirements and/or verification were fundamentally wrong. As far as we know, at this point, the implementation -- the actual MCAS coding -- resulted in the system doing exactly what the coders were told to make it do -- which, under the perfectly-foreseeable but apparently unforeseen conditions of the two accident flights was to fly airplanes into the ground. This may seem like nitpicking but, in an environment where a large number of people who may not ever meet or even know about each other are involved in development, it's crucial to understand where in the process the fatal flaws were introduced and where they were missed.

It's very unlikely, for instance, that the actual code monkeys, either in-house or outsource/contracted, decided on their own initiative to take input from a single AoA vane. Software and systems architects are responsible for decisions at that level. And very senior people are responsible for decisions such as trying to address airframe design issues with software fixes.
OldnGrounded is offline  
Old 4th Sep 2019, 22:12
  #2165 (permalink)  
 
Join Date: Jan 2008
Location: Wintermute
Posts: 46
50 quid says that the MCAS system is a Machine Learning (ML) based solution rather than a traditional mathematical model based solution and this is the reason why 'it's all gone quiet' . . .

One can say no more . . .
fergusd is offline  
Old 4th Sep 2019, 22:18
  #2166 (permalink)  
 
Join Date: Jun 2008
Location: Cambridge UK
Posts: 162
Originally Posted by WHBM
This just reminds me of one of our own programmers' responses to a fault issue. "Works As Coded". Well of course it Works As Coded. All computer programs do. But the coding is fundamentally wrong.
I think when MurphyWasRight said
"It is useful to keep in mind that as far as we know the MCAS software worked exactly as specified/designed/implemented"
he was meaning:
- the MCAS software worked exactly as specified.
- its design accurately matched the specification.
- its implementation accurately matched the design.

It seems a case of a specification being accurately implemented, rather than "the [MCAS] coding [being] fundamentally wrong".
Sadly, the risk-analysis of the specification was badly flawed.

As a retired s/w engineer I'm all too ready to criticise s/w SNAFUs, but I cannot see that this is one.
Peter H is offline  
Old 4th Sep 2019, 23:03
  #2167 (permalink)  
 
Join Date: Mar 2015
Location: Washington state
Posts: 210
I would put this in the software error category of failing to anticipate bad input, much like code that gets a packet that says that the remainder is 450 bytes long which then reads 450 bytes from the stream without verifying that there are actually that many bytes left in the stream. Anything that reads external data has to be able to anticipate bad input and do something appropriate in response. Just pretending that bad input is impossible or that somebody else will respond to it for you is not good design.
Water pilot is offline  
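The length-prefixed packet case in the post above, as an added illustration that is not from any poster or from the MCAS code: a constructed two-byte big-endian length header, one reader that trusts it and one that validates it. The frame format, the 4096-byte limit and the sample frames are all assumptions made for this example.

```python
import io
import struct

# Constructed upper bound for this illustration; a real protocol sets it from its spec.
MAX_PAYLOAD = 4096


class MalformedPacket(ValueError):
    """Raised when a frame's header does not match the bytes actually received."""


def read_frame_naive(stream: io.BufferedIOBase) -> bytes:
    """The pattern the post describes: trust the declared length and read.

    A truncated stream yields a short payload that is returned as if it were
    complete, and a 1-byte header makes struct.unpack raise, so the caller
    sees either silent corruption or an unplanned crash.
    """
    header = stream.read(2)
    (declared,) = struct.unpack(">H", header)   # big-endian 16-bit length prefix
    return stream.read(declared)                 # no check that this many bytes exist


def read_frame_checked(stream: io.BufferedIOBase) -> bytes:
    """Same frame format, with the declared length validated before it is used."""
    header = stream.read(2)
    if len(header) != 2:
        raise MalformedPacket("header truncated")
    (declared,) = struct.unpack(">H", header)
    if declared > MAX_PAYLOAD:
        raise MalformedPacket(f"declared length {declared} exceeds limit {MAX_PAYLOAD}")
    payload = stream.read(declared)
    if len(payload) != declared:
        raise MalformedPacket(f"declared {declared} bytes, received {len(payload)}")
    return payload


def demo() -> dict:
    """Run both readers over constructed frames and report what each did."""
    good = struct.pack(">H", 5) + b"hello"               # header matches payload
    short = struct.pack(">H", 450) + b"0123456789"       # claims 450 bytes, carries 10
    results = {}
    results["good"] = read_frame_checked(io.BytesIO(good))
    # The naive reader hands back 10 bytes and nothing tells the caller it was short.
    results["naive_short_len"] = len(read_frame_naive(io.BytesIO(short)))
    try:
        read_frame_checked(io.BytesIO(short))
        results["checked_short"] = "accepted"
    except MalformedPacket as exc:
        results["checked_short"] = f"rejected: {exc}"
    try:
        read_frame_checked(io.BytesIO(b"\x05"))          # only one header byte arrived
        results["checked_truncated_header"] = "accepted"
    except MalformedPacket:
        results["checked_truncated_header"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The point of the checked reader is that every fact the header claims is compared against what was actually received, and a mismatch becomes an explicit error the caller must handle, rather than a short buffer that looks like a whole frame.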
Old 4th Sep 2019, 23:15
  #2168 (permalink)  
 
Join Date: Jan 2008
Location: Wintermute
Posts: 46
Originally Posted by Water pilot
I would put this in the software error category of failing to anticipate bad input, much like code that gets a packet that says that the remainder is 450 bytes long which then reads 450 bytes from the stream without verifying that there are actually that many bytes left in the stream. Anything that reads external data has to be able to anticipate bad input and do something appropriate in response. Just pretending that bad input is impossible or that somebody else will respond to it for you is not good design.
Stick to the pilot monkeying . . . this is a very intentional systems design issue, not a software implementation issue . . . you are so far out of your depth you don't even know what depth means . . .
fergusd is offline  
Old 4th Sep 2019, 23:38
  #2169 (permalink)  
 
Join Date: Mar 2015
Location: Washington state
Posts: 210
Originally Posted by fergusd
Stick to the pilot monkeying . . . this is a very intentional systems design issue, not a software implementation issue . . . you are so far out of your depth you don't even know what depth means . . .
What an informed post. That is actually fairly funny, since you are probably unknowingly using software that I had a hand in writing.
Water pilot is offline  
Old 4th Sep 2019, 23:59
  #2170 (permalink)  
 
Join Date: Jan 2008
Location: Wintermute
Posts: 46
Originally Posted by Water pilot
What an informed post. That is actually fairly funny, since you are probably unknowingly using software that I had a hand in writing.
Highly unlikely . . . your self elevated view of your own status is embarrassing to read and demonstrates everything that is wrong in this industry.

I stand by my comment, go whine to someone else.
fergusd is offline  
Old 5th Sep 2019, 00:39
  #2171 (permalink)  
 
Join Date: Mar 2015
Location: Washington state
Posts: 210
Gee, I am not sure what your problem is. Perhaps you should take a break from the internet for a while; I do that sometimes and find it refreshing. I don't suppose that you even know what IIS stands for, so it is rather pointless to continue this part of the conversation.

To be clear, what any of us have done in the past really is not relevant to this discussion, our opinions should stand or fall on their own merits. I'm not sure why you are so opposed to the idea that software must be able to handle bad input; if we were perfect in that regard then there would be a lot fewer successful hacks. (Note that I'm not claiming that the projects that I worked on were that way, far from it if you know what IIS stands for.) It is a bit of a weak analogy to the MCAS problem but I lived through a time when we tended to ignore bad or unexpected input (I don't suppose that you know what strcmp() stands for?) and the software industry suffered greatly.
Water pilot is offline  
Old 5th Sep 2019, 03:09
  #2172 (permalink)  
 
Join Date: May 2010
Location: Boston
Age: 68
Posts: 440
Originally Posted by Water pilot
I would put this in the software error category of failing to anticipate bad input, much like code that gets a packet that says that the remainder is 450 bytes long which then reads 450 bytes from the stream without verifying that there are actually that many bytes left in the stream. Anything that reads external data has to be able to anticipate bad input and do something appropriate in response. Just pretending that bad input is impossible or that somebody else will respond to it for you is not good design.
Not an exact match to MCAS; at least in the Lion Air case the AOA value was in range.
The "bad packet check" is not possible in this case since there is (with a single input) no way to check the data.

For the Ethiopian case the essentially maxed out value might have been detectable as unreasonable, although I don't know that as a fact.

Gets back to specification, adding a "reasonableness" filter can add robustness but can also cause problems if not correctly specified or implemented. It also adds complexity and testing overhead.
MurphyWasRight is offline  
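A worked version of the "reasonableness filter" discussed in the post above, added here as an illustration and not taken from Boeing, the FCC or any poster: a range gate on each vane, a cross-check that only becomes possible once there are two sources, and a rate-of-change check against the last accepted value. All thresholds, the sample format and the trace are constructed for this example and have no connection to any real aircraft's limits.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed thresholds for this illustration only; none come from any real aircraft.
AOA_MIN_DEG = -20.0          # readings outside this band are treated as a failed vane
AOA_MAX_DEG = 40.0
MAX_DISAGREE_DEG = 5.5       # the two vanes must agree within this to be believed
MAX_RATE_DEG_PER_S = 30.0    # a larger jump since the last accepted value is implausible


@dataclass
class Sample:
    t: float                 # seconds
    left: Optional[float]    # None models a vane that reports nothing at all
    right: Optional[float]


class AoaValidator:
    """Combines range gating, a two-sensor cross-check and a rate check."""

    def __init__(self) -> None:
        self._last_ok: Optional[Tuple[float, float]] = None   # (t, accepted value)

    @staticmethod
    def _in_range(v: Optional[float]) -> bool:
        return v is not None and AOA_MIN_DEG <= v <= AOA_MAX_DEG

    def validate(self, s: Sample) -> Tuple[Optional[float], str]:
        """Return (value, reason); value is None whenever the input must not be acted on."""
        valid = [v for v in (s.left, s.right) if self._in_range(v)]
        if not valid:
            return None, "no sensor in range"
        if len(valid) == 1:
            # The situation the post describes: one source and nothing to compare it with.
            return None, "single source: range gate passed but no cross-check possible"
        left, right = valid
        if abs(left - right) > MAX_DISAGREE_DEG:
            return None, f"sensors disagree by {abs(left - right):.1f} deg"
        value = (left + right) / 2.0
        if self._last_ok is not None:
            t0, v0 = self._last_ok
            dt = s.t - t0
            if dt > 0 and abs(value - v0) / dt > MAX_RATE_DEG_PER_S:
                return None, f"rate {abs(value - v0) / dt:.1f} deg/s implausible"
        self._last_ok = (s.t, value)
        return value, "accepted"


def run_constructed_trace() -> List[Tuple[float, Optional[float], str]]:
    """Feed a constructed sequence of readings through the validator."""
    trace = [
        Sample(0.0, 2.0, 2.5),      # healthy, agreeing
        Sample(1.0, 3.0, 3.2),      # healthy, agreeing
        Sample(2.0, 3.5, 74.5),     # right vane outside the physical range
        Sample(3.0, 22.0, 3.6),     # both in range, but they disagree
        Sample(4.0, 3.8, 4.0),      # healthy again
        Sample(5.0, 35.0, 35.5),    # agree with each other, but 31 deg in one second
    ]
    validator = AoaValidator()
    out = []
    for s in trace:
        value, reason = validator.validate(s)
        out.append((s.t, value, reason))
    return out


if __name__ == "__main__":
    for t, value, reason in run_constructed_trace():
        print(f"t={t:.0f}s value={value} ({reason})")
```

Two design points the post raises show up directly in the code: with only one in-range source the filter can gate the range but cannot cross-check, so this version refuses to act rather than trust it, and every extra check (range, agreement, rate) is another threshold that has to be specified, justified and tested, which is the complexity overhead the post warns about.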
Old 5th Sep 2019, 03:31
  #2173 (permalink)  
 
Join Date: Feb 2006
Location: USA
Posts: 435
https://www.seattletimes.com/busines...urn-to-flight/
European aviation safety agency sets strict demands for Boeing 737 MAX return to flight
Sep. 4, 2019 at 6:53 pm Updated Sep. 4, 2019 at 7:24 pm
By Dominic Gates
Seattle Times aerospace reporter

Europe’s aviation safety agency, which is conducting its own independent review of Boeing’s grounded 737 MAX, is not satisfied with a key detail of Boeing’s fix to the jet. It wants Boeing to do more to improve the integrity of the sensors that failed on the two fatal crashes in Indonesia and Ethiopia, killing 346 people.

And it’s demanding that Boeing demonstrate in flight tests the stability of the MAX during extreme maneuvers, not only with Boeing’s newly updated flight-control system but also with that system switched off.

These were among the disclosures in a presentation Tuesday to the European Parliament by Patrick Ky, executive director of the European Union Aviation Safety Agency (EASA). Ky listed what appear to be more stringent EASA requirements than those of its U.S. counterpart, the Federal Aviation Administration (FAA).

Boeing has publicly said it hopes for FAA clearance for the MAX in October so that it can return to passenger service in the U.S. this year.

Typically, overseas regulators follow the FAA’s lead. But after the MAX crashes revealed shortcomings in the FAA’s certification process, that’s no longer certain.

One of Ky’s slides cited a letter EASA sent to the FAA on April 1, less than three weeks after the MAX was grounded, that laid out four conditions for it to allow the MAX to return to service.

The first condition stipulated is, “Design changes proposed by Boeing are EASA approved (no delegation to FAA).”

The second is that EASA complete an “additional and broader independent review” of the aircraft, beyond the specific design changes to the flight-control system that went haywire on the crash flights.

If the FAA moves ahead and clears the MAX to fly while EASA holds off until later, it would create an unprecedented divergence in worldwide regulation that would gravely complicate the schedules of many airlines flying internationally.

FAA approval would apply only to U.S. airlines flying domestically. European airlines flying the MAX, such as Norwegian Air, require clearance from EASA.

And it will put Boeing in a very awkward position if the FAA says the MAX is safe to fly while others hold back approval.

Both MAX crashes were initiated by faulty sensors that measure the plane’s Angle of Attack, the angle between the oncoming air flow and the wing. That fault then activated a new flight-control system — a piece of software known as the Maneuvering Characteristics Augmentation System (MCAS) — that on each of the crash flights repeatedly pushed the nose of the jet down.

Although Boeing has updated MCAS so that it now takes input from both Angle of Attack sensors on the MAX instead of only one, and won’t operate if they disagree, Ky indicated EASA finds this insufficient.

One of his slides states that while Boeing’s proposal has improved the Angle of Attack system, there is “still no appropriate response to Angle of Attack integrity issues.”

And EASA wants stringent flight tests that prove the MAX’s safety with or without MCAS.

Boeing engineers designed the original MCAS to smooth out the feel of the yoke in the pilot’s hands during certain extreme high-speed turn and stall maneuvers.

Before the MAX is cleared to fly passengers again, both EASA and the FAA will require flight tests of the new updated software. In addition, Ky said, EASA will require Boeing to demonstrate the stability of the jet in flight tests that include high-speed turn and stall maneuvers with MCAS switched off.

The latter requirement should go some way to satisfying one gnawing public concern about the MAX. On the Internet, many Boeing critics have expressed concern that the jet is “inherently unstable” with engines that are too big, and that a software “band-aid” isn’t good enough to fix that. The EASA requirement to fly safely without MCAS should demonstrate otherwise.

On Wednesday, the FAA declined to clarify if the EASA requirements are stricter or in line with its own.

“We aren’t going to comment on specific details about ongoing discussions,” the FAA said in a statement. “The FAA has a transparent and collaborative relationship with other civil aviation authorities as we continue our review of changes to software on the Boeing 737 MAX … Each government will make its own decision to return the aircraft to service based on a thorough safety assessment.”

A safety official within the FAA, who asked for anonymity because he spoke without agency approval, said that the U.S. regulator has worked through the MAX approval process, looking for system flaws “with a fine-tooth comb, like they never have before.”

“People know it’s perhaps something they should have caught the first time around,” he said. “They want to make sure it doesn’t happen again.”

Still, the official wasn’t aware of any lingering concern at the FAA with the Angle of Attack sensor system. He said that the software and system changes Boeing has proposed have been all but agreed upon within the FAA and that only the level of pilot training that will be required remains undecided.

While U.S. pilots have said they are satisfied that some computer-based training is sufficient, overseas regulators may require full flight-simulator training. The FAA official said that both EASA and India’s aviation regulator, the Directorate General of Civil Aviation, have so far balked at agreeing to computer-based training alone.

Ky’s presentation confirms that, for EASA, the amount of pilot training required before the MAX flies passengers is still “a work in progress.”

Ky said that EASA communicated to Boeing and the FAA in July a list of significant technical issues, which included system failures insufficiently monitored; forces needed to move the manual trim wheel too high; and a risk of crew confusion in some failure cases, especially an Angle of Attack single failure at takeoff.

A slide presenting the “latest status” of the process indicates that the pilot training and Angle of Attack system remain in play.

In a statement Wednesday, Boeing declined to comment on discussions with regulators. “We continue to work with the FAA and global regulators on addressing their concerns in order to safely return the MAX to service,” the company said in a statement.

On Tuesday, Alexandre de Juniac — head of the International Air Transport Association, the global trade group representing the world’s airlines — told Reuters in Chicago that “with the 737 MAX we are a bit worried … because we don’t see the normal unanimity among international regulators that should be the case.”

“We see a discrepancy that’s detrimental to the industry,” de Juniac added, urging regulators to make any changes to the single certification process “collectively,” according to Reuters.

Ky’s parliamentary presentation the same day, also briefly cited by Reuters, made that discrepancy plain.

Dominic Gates: 206-464-2963 or [email protected]; on Twitter: @dominicgates.
Zeffy is offline  
Old 5th Sep 2019, 03:39
  #2174 (permalink)  
 
Join Date: Nov 2007
Location: Seoul
Posts: 103
WestJet just dropped Max until 2020.

https://www.cbc.ca/news/business/wes...ax-8-1.5268771
TeachMe is offline  
Old 5th Sep 2019, 03:56
  #2175 (permalink)  
Thread Starter
 
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 701
United says it will allow passengers to avoid 737 Max flights

New York (CNN Business) United Airlines passengers fearful of boarding a Boeing 737 Max will be able to rebook flights for free once United starts flying the planes again.

"If you get to the gate and it's not an airplane you want to fly on for whatever reason, if it's a Max, we'll put you on another flight," said Andrew Nocella, the airline's chief commercial officer, at an investor conference Wednesday.
Nocella said it's probably too soon to tell what passenger reaction will be once the 737 Max returns to service. The Boeing jet has been grounded since March, following two fatal crashes that killed 346 people.
"We need to get through the recertification process, return the aircraft to service and see how things go," he said. "If somebody is uncomfortable getting on the aircraft... we want to make sure we can put them on a different aircraft."

A United (UAL) spokesman confirmed the rebooking would be done without the passengers being required to pay any change fee.

The story also discusses Delta's, American's and Southwest's policies.

OldnGrounded is offline  
Old 5th Sep 2019, 07:31
  #2176 (permalink)  
 
Join Date: Jan 2008
Location: Reading, UK
Posts: 11,145
From that Seattle Times article:

"People know it’s perhaps something they should have caught the first time around," he [a safety official within the FAA] said.
Perhaps ???

Hmmm.
DaveReidUK is offline  
Old 5th Sep 2019, 09:07
  #2177 (permalink)  
 
Join Date: Mar 2019
Location: French Alps
Posts: 325
The EASA requirement to fly safely without MCAS should demonstrate otherwise.
This demonstration will settle the matter of the airplane "not being unstable" etc. that Boeing and some observers have kept repeating.

The fact that Boeing has yet to perform this demonstration, which could have been done months ago with any of the grounded airplanes, is a cause for concern.
One wonders what the hundreds of test flights since the accidents have been for...
Fly Aiprt is offline  
Old 5th Sep 2019, 09:39
  #2178 (permalink)  
 
Join Date: Jan 2008
Location: uk
Posts: 793
Originally Posted by fergusd
50 quid says that the MCAS system is a Machine Learning (ML) based solution rather than a traditional mathematical model based solution and this is the reason why 'it's all gone quiet' . . .

One can say no more . . .
You'll lose. Given what is known about the hardware capabilities of the FCC, both CPU and memory, anyone who could shoehorn an ML solution into the spare capacity left after several decades of enhancements would be so damned good they couldn't possibly have ****ed up so damned bad. End of story.
infrequentflyer789 is offline  
Old 5th Sep 2019, 10:37
  #2179 (permalink)  
 
Join Date: Jul 2013
Location: Norway
Age: 53
Posts: 126
Originally Posted by Fly Aiprt
This demonstration will settle the matter of the airplane "not being unstable" etc. that Boeing and some observers have kept repeating.

The fact that Boeing has yet to perform this demonstration, which could have been done months ago with any of the grounded airplanes, is a cause for concern.
One wonders what the hundreds of test flights since the accidents have been for...
A couple of months ago I tried to make a back-of-the-envelope calculation on what the elevator forces/positions would be in the 10-14 AOA region. Of course I had to make several assumptions, like that the full 2.4 degrees of MCAS authority would be needed to bring the stick force/position in line with the stick force requirements. I didn't get much response other than that the calculations had no value whatsoever.

Anyway, what my calculations were suggesting is that without MCAS the stick force is not only increasing as it should, when going from say 10 to 14 degrees AOA, but that the stick force needs to be relaxed towards zero force and the stick position needs to be brought to near neutral position when going from say 10 to 14 degrees AOA. Such a pitch behaviour is of course very undesirable in the case of a non-operable MCAS system at the same time as a low speed/high AOA event, which could happen for a number of reasons.

I think that if this is near what is actually happening, then this would be a very good reason for Boeing being very reluctant to disclose the pitch behaviour of the aircraft with a non-operational MCAS system.
SteinarN is offline  
Old 5th Sep 2019, 10:45
  #2180 (permalink)  
 
Join Date: Oct 2017
Location: Tent
Posts: 476
Originally Posted by SteinarN
A couple of months ago I tried to make a back-of-the-envelope calculation on what the elevator forces/positions would be in the 10-14 AOA region. Of course I had to make several assumptions, like that the full 2.4 degrees of MCAS authority would be needed to bring the stick force/position in line with the stick force requirements. I didn't get much response other than that the calculations had no value whatsoever.

Anyway, what my calculations were suggesting is that without MCAS the stick force is not only increasing as it should, when going from say 10 to 14 degrees AOA, but that the stick force needs to be relaxed towards zero force and the stick position needs to be brought to near neutral position when going from say 10 to 14 degrees AOA. Such a pitch behaviour is of course very undesirable in the case of a non-operable MCAS system at the same time as a low speed/high AOA event, which could happen for a number of reasons.

I think that if this is near what is actually happening, then this would be a very good reason for Boeing being very reluctant to disclose the behaviour of the aircraft with a non-operational MCAS system.
MCAS was "invented" for a reason, it was then heavily modified for another reason.

MAX cannot meet the requirements with inactive MCAS - so simple, but let's pull some wool.
Bend alot is offline  
