
MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures


Old 5th Sep 2019, 23:03
  #2201 (permalink)  
 
Join Date: May 2010
Location: Boston
Age: 68
Posts: 430
Originally Posted by Notanatp View Post
The AoA indicator in JT610 was north of 20 degrees when sitting on the ground at zero airspeed. Surely that was enough to trigger a sanity check of inputs. Even in flight, something more than 20 degrees (particularly when it had never been less than 20 degrees, much less in a valid range) would have been an unambiguous indication of bad input (I assume the 737 will stall well below 20 degrees AoA).

The exact parameters of the optimal input checking for MCAS (i.e., rejecting as many invalid conditions as possible while minimizing the rejection of valid conditions) could be subject to some discussion and judgment. But AoA of 20 degrees seems like a no-brainer. At most, it might have required that the FCC "remember" a period of AoA history so it could determine, at the point where the algorithm became active (A/P disengaged, flaps retracted) that the AoA had never been in a valid range.

The bigger issue seems to be that the programmers never questioned the absence of any input validation requirement at all. I fully expect someone to quibble with my assertion that >20 degrees is clearly invalid, but what about 75 degrees? What about readings that are pegged at exactly the same number for a period of time (e.g., frozen or jammed sensor)? Or that suddenly jump from a reasonable number to an out-of-range number?

I just think somebody forgot to ask the question: what is the valid range of inputs and what are the error cases? It wouldn't have taken any time at all to include some kind of basic sanity checks.
My bold in quote, main point is things are not necessarily as simple as it seems;

1: AoA sensor is not active until enough airflow to move the vane, so position with zero airspeed is meaningless. This complicates any input validation since it would require airspeed to turn on any checks.

2: Introducing state (history) can greatly complicate verification since the code must be exercised to reach and respond to at least a subset of all possible states. It also complicates the code which of course adds to risk of bugs.

3: It would have taken some time to code and significantly more time to verify. The greatest schedule impact however might have been getting agreement on valid/invalid values, keeping in mind that MCAS is supposed to respond to somewhat extreme conditions. Even then the checking would not cover all cases, had the Lion Air sensor chain had less offset it could have triggered MCAS with a totally valid input.
What is shocking is that the second sensor was not used as a cross check, "both must be within x%" is much more robust than any attempt to filter a single input.

As a final note one possible factor in the Air france tragedy was that due to reasonableness checking the stall warning was disabled at low airspeeds only to trigger as the crew lowered the nose, increasing airspeed (while still stalled).
This at a minimum would cause confusion and likely discourage lowering the nose; it yells at me when I do this == don't do that.
MurphyWasRight is offline  
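The two approaches argued over in this exchange, a range filter on one vane versus a "both must be within x" comparison of the two vanes, can be put side by side. This is an added illustration, not any poster's code and not code from any aircraft system; every threshold, name and sample value is a hypothetical placeholder.

```python
from dataclasses import dataclass

# Every threshold here is a hypothetical placeholder for illustration,
# not a value from any aircraft or certification document.
MIN_VALID_IAS_KT = 80.0          # below this, airflow does not align the vane
AOA_VALID_RANGE_DEG = (-10.0, 20.0)
MAX_DISAGREE_DEG = 5.0


@dataclass(frozen=True)
class Sample:
    label: str
    ias_kt: float      # indicated airspeed, knots
    aoa_left: float    # degrees
    aoa_right: float   # degrees


def single_channel(aoa_deg: float, ias_kt: float) -> str:
    """Range filter on one vane, gated on airspeed."""
    if ias_kt < MIN_VALID_IAS_KT:
        return "NOT_READY"
    lo, hi = AOA_VALID_RANGE_DEG
    return "OK" if lo <= aoa_deg <= hi else "OUT_OF_RANGE"


def cross_check(s: Sample) -> str:
    """Comparison of the two vanes, with the same airspeed gating."""
    if s.ias_kt < MIN_VALID_IAS_KT:
        return "NOT_READY"
    if abs(s.aoa_left - s.aoa_right) > MAX_DISAGREE_DEG:
        return "DISAGREE"
    return "OK"


# Constructed samples, one per case raised in the discussion.
SAMPLES = [
    Sample("parked, vane at random angle", 0.0, 22.0, 3.0),
    Sample("in flight, large offset on left", 200.0, 22.5, 2.5),
    Sample("in flight, smaller offset on left", 200.0, 14.0, 2.0),
    Sample("in flight, both vanes genuinely high", 200.0, 24.0, 23.0),
    Sample("stalled at low airspeed, data true", 60.0, 40.0, 40.0),
]


def evaluate(samples):
    """Return {label: (left-vane range verdict, cross-check verdict)}."""
    return {s.label: (single_channel(s.aoa_left, s.ias_kt), cross_check(s))
            for s in samples}


if __name__ == "__main__":
    for label, (rng, cross) in evaluate(SAMPLES).items():
        print(f"{label:40s} range={rng:13s} cross={cross}")
```

The smaller-offset sample passes the range filter but fails the comparison, the genuinely-high sample does the reverse, and the low-airspeed sample is gated out by both checks even though its readings are true.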
Old 5th Sep 2019, 23:08
  #2202 (permalink)  
 
Join Date: Oct 2002
Location: London UK
Posts: 6,253
BBC reporting today that EASA will not accept FAA certification and will do own tests

"Patrick Ky, Easa's chief executive, revealed a list of four conditions given to the US authorities in a presentation to the European Parliament's committee on transport and tourism on Monday".


I can't see the aircraft returning in the US while Europe will not certify it. The insurers would never accept that, and unlikely the US pilot unions would either.

Last edited by WHBM; 6th Sep 2019 at 08:24.
WHBM is offline  
Old 6th Sep 2019, 01:00
  #2203 (permalink)  
 
Join Date: Jul 2019
Location: Mass
Posts: 21
Originally Posted by MurphyWasRight View Post
My bold in quote, main point is things are not necessarily as simple as it seems;
As they say, "the perfect is the enemy of the good." My main point is that they could have done something--less than perfect, less even than pretty good--but they did nothing. That tells me that the programmers were asleep at the switch. I cannot imagine that they were given marching orders to build this, the orders didn't specify any input validation, they proposed doing something, and the proposal was rejected.

Originally Posted by MurphyWasRight View Post
1: AoA sensor is not active until enough airflow to move the vane, so position with zero airspeed is meaningless. This complicates any input validation since it would require airspeed to turn on any checks.
I feel you are nit picking here. First, the DFDR data from the two accidents suggests that the normal, stationary reading for the vanes is somewhere around zero. I'm sure someone else on the thread can comment knowledgeably, but it looks to me like a stationary reading of more than 20 degrees is a pretty strong sign of a problem. Beyond that, the AoA signal surely becomes valid at some point during the take off roll, so the FCC could mark it as invalid if it's outside a reasonable range before rotation.

Originally Posted by MurphyWasRight View Post
2: Introducing state (history) can greatly complicate verification since the code must be exercised to reach and respond to at least a subset of all possible states. It also complicates the code which of course adds to risk of bugs.
The purpose of the state history is to decide whether to disable MCAS due to a suspected AoA error. The consequences of incorrectly disabling MCAS are not the same as the consequences of incorrectly relying on flight data to take affirmative action and move controls. So I think you are overstating the risk and verification requirements. Mostly, they'd need to make sure references to the AoA history don't disable MCAS in the normal cases where it is supposed to activate.

Originally Posted by MurphyWasRight View Post
3: It would have taken some time to code and significantly more time to verify. The greatest schedule impact however might have been getting agreement on valid/invalid values, keeping in mind that MCAS is supposed to respond to somewhat extreme conditions. Even then the checking would not cover all cases, had the Lion Air sensor chain had less offset it could have triggered MCAS with a totally valid input.
What is shocking is that the second sensor was not used as a cross check, "both must be within x%" is much more robust than any attempt to filter a single input.
If you aren't trying to design the perfect set of input filters, then you aren't going to get bogged down "getting agreement on valid/invalid values." They didn't do nothing because it was taking too much time to agree on doing everything or because it was going to cost too much to do anything at all. And the simplest input validation (e.g., AoA > [pick a number]) would have had negligible impact on the code or testing.

I don't know why they didn't cross check sensors. Maybe the changes were perceived as too invasive and someone made the conscious decision that the risk of screwing that up was greater than the potential gain. Maybe the reason for not cross checking sensors will eventually come out when the full story is told. But whatever the reason was, that was not a reason to do nothing. Again, I think they did nothing because they just didn't think of it.
Notanatp is offline  
Old 6th Sep 2019, 02:20
  #2204 (permalink)  
 
Join Date: May 2011
Location: NEW YORK
Posts: 560
Originally Posted by WHBM View Post
BBC reporting today that EASA will not accept FAA certification and will do own tests

"Patrick Ky, Easa's chief executive, revealed a list of four conditions given to the US authorities in a presentation to the European Parliament's committee on transport and tourism on Monday".

https://www.imdb.com/title/tt0060802/

I can't see the aircraft returning in the US while Europe will not certify it. The insurers would never accept that, and unlikely the US pilot unions would either.
Quite interesting development. I'd expected the Chinese to be the most recalcitrant regulators, rather than the Europeans.
That said, there is surely some sense of betrayal behind this, the Europeans feel deceived by the inadequate FAA supervision of the MAX.
Agree fully with WHBM, this story has a long ways to go.
etudiant is offline  
Old 6th Sep 2019, 02:54
  #2205 (permalink)  
 
Join Date: Jul 2014
Location: Harbour Master Place
Posts: 600
I don't know why they didn't cross check sensors. Maybe the changes were perceived as too invasive and someone made the conscious decision that the risk of screwing that up was greater than the potential gain.
The reasoning behind not doing sensor validation was all to do with crew training. The interview with Rick Ludtke Former Boeing Engineers Say Relentless Cost-Cutting Sacrificed Safety (Bloomberg) documents this.

In a nutshell, the logic was this:
  • Invalid sensor = Mandatory warning to crew
  • Mandatory crew warning = mandatory Simulator (Level D) training
  • Mandatory Simulator Training = unacceptable to the MAX business model (Some Airlines building in penalties from mandatory Simulator training of $1 million per aircraft)
therefore...
  • No dual channel validity checking
A quote from the interview
Managers didn’t merely insist to employees that no designs should lead to Level D training. They also made their desires known to the FAA team in charge of 737 training requirements, which was led by Stacey Klein, who’d previously been a pilot at now-defunct Skyway Airlines for six years. “She had no engineering background, her airplane experience was very limited,” Ludtke says. “It was just an impossible scenario.” FAA spokesman Greg Martin says the position Klein occupies, “while substantial,” is primarily that of “an organizer, facilitator, and executor of the FAA policy and guidelines,” and that in her role she calls on experts from multiple organizations.
Another from Forbes
Rick Ludtke, a former Boeing engineer who worked on 737 MAX cockpit features but not the MCAS system, told the Journal that midlevel managers told their staff members that Boeing had committed to paying Southwest Airlines -- which has ordered 280 MAX aircraft -- $1 million per plane if the 737 MAX ended up requiring pilots to spend more time training on simulators.
It really was that simple. This whole crisis was to increase profit by $1 million per airframe in reduced training costs, for some large operators.
CurtainTwitcher is online now  
Old 6th Sep 2019, 07:30
  #2206 (permalink)  
 
Join Date: Jan 2008
Location: Reading, UK
Posts: 10,886
Try this one: Europe will not accept US verdict on 737 Max safety
DaveReidUK is offline  
Old 6th Sep 2019, 07:35
  #2207 (permalink)  
 
Join Date: Nov 2010
Location: Atlanta
Age: 52
Posts: 15
Originally Posted by Notanatp View Post
I feel you are nit picking here. First, the DFDR data from the two accidents suggests that the normal, stationary reading for the vanes is somewhere around zero. I'm sure someone else on the thread can comment knowledgeably, but it looks to me like a stationary reading of more than 20 degrees is a pretty strong sign of a problem. Beyond that, the AoA signal surely becomes valid at some point during the take off roll, so the FCC could mark it as invalid if it's outside a reasonable range before rotation.
I think you are replying to someone who is more knowledgeable, but I will add the same thing:

AOA sensors (of the type used on the B737) have an outside vane, and an inside counterweight. Unless the aircraft is moving fast enough (and I would guess around 60-80kts) the information from the AOA is ABSOLUTELY useless. I see them pointed in every random direction during the preflight (not on the 737, but A320 has similar).

Not an engineer, but during strong crosswinds there will be substantial difference in airflow between the sides, so it might be better to wait until the aircraft is airborne and better aligned with the airflow.
hans brinker is offline  
Old 6th Sep 2019, 07:59
  #2208 (permalink)  

Only half a speed-brake
 
Join Date: Apr 2003
Location: Commuting home
Age: 41
Posts: 2,617
Originally Posted by Notanatp View Post
(i.e., rejecting as many invalid conditions as possible while minimizing the rejection of valid conditions) could be subject to some discussion and judgment. But AoA of 20 degrees seems like a no-brainer. At most, it might have required that the FCC "remember" a period of AoA history so it could determine, at the point where the algorithm became active (A/P disengaged, flaps retracted) that the AoA had never been in a valid range.

The bigger issue seems to be that the programmers never questioned the absence of any input validation requirement at all. I fully expect someone to quibble with my assertion that >20 degrees is clearly invalid, but what about 75 degrees?
It is a valid proposal, but supercaution is advised. The AF447 doomed crew was not helped by the stall warning silencing nor by FDs re-appearing in nose up position. All due to validity boundaries being exceeded, while the data were actually true in the deep stall.
FlightDetent is online now  
Old 6th Sep 2019, 08:27
  #2209 (permalink)  
 
Join Date: Apr 2018
Location: Sudbury, Suffolk
Posts: 133
Originally Posted by SLF3 View Post
It seems EASA are asking questions that Boeing and the FAA are going to struggle to answer.

EASA are asking Boeing to address aerodynamic stability with MCAS turned off. As I understand it, MCAS is only required because without it the Max does not meet the certification performance standard. So that will be an interesting conversation.
This is an existential question for the MAX. If regulators are not going to be satisfied with a mitigation through intervention of another system (owing to the possibility of failure of that system) then removal of the hazard through a change in aerodynamics would be needed. Had that been possible while retaining the economic benefits I would expect it to have been implemented, or at least mentioned by now. Perhaps I am naive though.

They have further asked Boeing to demonstrate the loads on the trim wheel are acceptable, which given that the stabiliser is larger, the trim wheel smaller, and sky goddesses more common, should also be an interesting conversation.
This is a threat to a much larger fleet as the trim wheel design and layout is shared with the NG.

Last edited by Maninthebar; 6th Sep 2019 at 10:37.
Maninthebar is offline  
Old 6th Sep 2019, 09:02
  #2210 (permalink)  
 
Join Date: Jan 2008
Location: Reading, UK
Posts: 10,886
Originally Posted by Notanatp View Post
First, the DFDR data from the two accidents suggests that the normal, stationary reading for the vanes is somewhere around zero.
I think it's more likely that the DFDR simply ignores AoA inputs below a given IAS threshold.

As noted above, on a parked aircraft you can expect to see the vanes oriented at pretty well any angle, in the absence of airflow.

DaveReidUK is offline  
Old 6th Sep 2019, 10:30
  #2211 (permalink)  
 
Join Date: Jun 2008
Location: Cambridge UK
Posts: 147
Originally Posted by WHBM View Post
BBC reporting today that EASA will not accept FAA certification and will do own tests

"Patrick Ky, Easa's chief executive, revealed a list of four conditions given to the US authorities in a presentation to the European Parliament's committee on transport and tourism on Monday".

<wayward link>

I can't see the aircraft returning in the US while Europe will not certify it. The insurers would never accept that, and unlikely the US pilot unions would either.
This looks like the intended link https://www.bbc.co.uk/news/business-49591363
Mr Ky's presentation showed a refusal to accept delegation was the first of the four conditions that had to be met before flights in Europe could resume.
The other three were:
- an "additional and broader independent design review" by Easa
- that the two fatal crashes were "deemed sufficiently understood"
- and that flight crews had been adequately trained in any changes to the plane.
Peter H is online now  
Old 6th Sep 2019, 11:11
  #2212 (permalink)  
 
Join Date: Jul 2002
Location: Ireland
Posts: 595
Originally Posted by etudiant View Post

Quite interesting development. I'd expected the Chinese to be the most recalcitrant regulators, rather than the Europeans.
This could be simply PR in that EASA wants to be seen as attempting to distance itself from the credibility difficulties the FAA are currently having.

Or it could be as a result of the ongoing discussions between EASA/Boeing/FAA. If EASA are raising issues which are being marginalised by Boeing who are then backed by the FAA then I can see them taking a more ‘independent’ stance.

It would be best for everyone if all parties sat down together and resolved this like adults, putting commercial/national/economic concerns aside and looking at this as a purely engineering and flight safety matter. My gut feeling however, based on some of the statements made by both Boeing and the FAA, is that the FAA is still putting the economic well-being of US aviation on a par with safety and are expecting EASA to collude with them in this.

EASA also know that they have considerable influence here. I don’t think that anyone seriously thinks that a ‘US-only’ ungrounding will fly, so to speak. That would eventually cause more problems than it would solve.

Looking at things more globally, it is not outside the bounds of possibility that EASA are taking up the cause on behalf of China. It is almost certain that there have been discussions between EASA and the CAAC about the ungrounding and with the ongoing bunfight between Trump and Beijing, EASA taking the lead on this depoliticises the whole thing.
Speed of Sound is offline  
Old 6th Sep 2019, 11:32
  #2213 (permalink)  
fdr
 
Join Date: Jun 2001
Location: 3rd Rock, #29B
Posts: 679
I must be getting slow after a long day flying, but I remain rather befuddled as to what basis the latest issues by EASA arise under. I was apparently mistaken in my belief that EASA is a signatory to the TIP:

TECHNICAL IMPLEMENTATION PROCEDURES FOR AIRWORTHINESS and ENVIRONMENTAL CERTIFICATION between the Federal Aviation Administration of the United States of America and the European Aviation Safety Agency of the European Union Revision 6, dated September 22, 2017 And Amendment 1 dated June 22, 2018 Amendment 2 dated April 2, 2019.

Used to be that some regulatory protocols existed, Para 1.6 was the protocol for addressing concerns, and that seems at odds with the current state of affairs. TRUMPing it all, EASA products would be subject to some level of quid pro quo, which would be an unfortunate state of affairs for euro products, which have their own oddities that come to pass from time to time. In these strange times of "fake news", EASA products acceptance by the FAA are subject to the mutual recognition under the TIP, so there is room for this to blow back into EASAland. Why on earth would the king with no clothes not beat up on what can be characterised by politicians as an unfair market. Do I think it is unfair? doesn't matter, it only matters what the Mad Hatter thinks in Fort Fumble.

Curious.
fdr is offline  
Old 6th Sep 2019, 11:38
  #2214 (permalink)  
 
Join Date: Feb 2013
Location: 60 north
Age: 55
Posts: 3
EASAs 4 conditions!

It is great to see that EASA is finally doing a proper job assuring a safe and sound Certification of the Max.
The drawback being that I and thousands of pilots in Europe are still in limbo with regards to when we get our hands on the Beast.
I can live with, some might struggle as different companies might not make it through the wait this winter.
That is the cost of Safety, and I hope this debacle is soon over and has a successful end.
This is a purely Technical and Operational Training issue and needs proper objective attention.
The fact that we live in a Politically rather challenging time will, hopefully, not influence the outcome.
Good luck to all.

Regards
Cpt B
BluSdUp is offline  
Old 6th Sep 2019, 12:59
  #2215 (permalink)  
 
Join Date: Jul 2002
Location: Ireland
Posts: 595
Originally Posted by fdr View Post

EASA products would be subject to some level of quid pro quo, which would be an unfortunate state of affairs for euro products, which have their own oddities that come to pass from time to time.
Have any of these oddities cost 346 lives?


Speed of Sound is offline  
Old 6th Sep 2019, 14:06
  #2216 (permalink)  
 
Join Date: Nov 2007
Location: Munich
Posts: 3
EASA presentation

Google has the slides when you search for "european parliament easa 737 ky". Sorry I can't post links yet.
fruitflyer is offline  
Old 6th Sep 2019, 14:24
  #2217 (permalink)  
thf
 
Join Date: May 2014
Location: living room
Posts: 40


Complete: https://www.europarl.europa.eu/cmsda...y-original.pdf
thf is offline  
Old 6th Sep 2019, 15:06
  #2218 (permalink)  
 
Join Date: Jul 2002
Location: Ireland
Posts: 595
Originally Posted by thf View Post
Wow!

“No delegation to FAA” That is harsh! The FAA must be feeling like Boris Johnson after his brother resigned, to put the national interest above friendship with his brother.

I can only assume that this stance has been taken after EASA failed to reach a unified approach to the recertification. Something tells me that Boeing and the FAA are going to have to compromise on the sim time requirements at the very least. That will pose some contractual difficulties for Boeing as I assume that the ‘iPad only’ conversion was written into the purchasing agreements.

And condition #2 is so open ended as to be meaningless.
Speed of Sound is offline  
Old 6th Sep 2019, 15:42
  #2219 (permalink)  
 
Join Date: Dec 2006
Location: Florida and wherever my laptop is
Posts: 1,314
Originally Posted by Speed of Sound View Post


Have any of these oddities cost 346 lives?
AF 447 did not recover mainly because stall warnings were disabled and the Flight Directors allowed to provide indications despite the FMS being in alternate law. The crew of 447 were unaware of the control column actions of the other crew member and one was pulling back continually while the other was pushing (this is a certified area in AB and common to all side stick AB). All these 'oddities' passed EASA certification.
Ian W is online now  
Old 6th Sep 2019, 16:06
  #2220 (permalink)  
 
Join Date: Jul 2002
Location: Ireland
Posts: 595
Originally Posted by Ian W View Post

AF 447 did not recover mainly because stall warnings were disabled
Without wanting to revisit the whole AF 447 discussion the crash was caused by unreliable airspeed indications leading to disconnection of the autopilot after which the crew reacted incorrectly and ultimately caused the aircraft to enter an aerodynamic stall, from which it did not recover.’

And let’s not forget that these guys had way more time and altitude to troubleshoot the situation and rectify it than the crews of LI 610 and ET 302.
Speed of Sound is offline  
