MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures
Join Date: Mar 2019
Location: French Alps
Posts: 326
Likes: 0
Received 0 Likes
on
0 Posts
What is surprising, why is he still in position ?
Or would removing him be an admission that the FAA was at fault ?
Or would removing him be an admission that the FAA was at fault ?
Thread Starter
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 790
Likes: 0
Received 0 Likes
on
0 Posts
Even if the revised MCAS cannot act up again as it did on the crash flights, MAX pilots will still want to be comfortable with manual control of the stabilizer.
A 737 captain on a U.S. airline, who asked for anonymity to speak without permission from his employer, described his own extensive experience as a former test pilot of moving the tail manually.
He said that with the 737 tail at full nose-down position and at maximum design speed, it is “nigh impossible for a normal human to move the manual trim wheel in the nose up direction. The forces are too strong.”
Dennis Tajer, an American Airlines captain and APA spokesman, recently replicated that flight situation in a simulator, deliberately inducing an MCAS-style nose-down pitch at high speed, though still within the normal flight range.
He was able to move the wheel only “a couple of inches, but not enough.”
Tajer said that if the MAX is pitched down toward the ground, it gathers speed all too easily.
“The 737 is a slippery airplane,” said Tajer. “When you put the nose down, it wants to accelerate very quickly.”
A 737 captain on a U.S. airline, who asked for anonymity to speak without permission from his employer, described his own extensive experience as a former test pilot of moving the tail manually.
He said that with the 737 tail at full nose-down position and at maximum design speed, it is “nigh impossible for a normal human to move the manual trim wheel in the nose up direction. The forces are too strong.”
Dennis Tajer, an American Airlines captain and APA spokesman, recently replicated that flight situation in a simulator, deliberately inducing an MCAS-style nose-down pitch at high speed, though still within the normal flight range.
He was able to move the wheel only “a couple of inches, but not enough.”
Tajer said that if the MAX is pitched down toward the ground, it gathers speed all too easily.
“The 737 is a slippery airplane,” said Tajer. “When you put the nose down, it wants to accelerate very quickly.”
Psychophysiological entity
This addresses a problem identified in both accident investigations: that pilots took much longer to recognize and react to an MCAS fault than Boeing had assumed. By stopping any erroneous uncommanded movements automatically, the redesign takes the response out of the pilots’ hands altogether.
MCAS did not fail. The specifications/algorithms, altered late in the day, were to blame, inasmuch as they caused a catastrophic overload of warnings and handling difficulties that were beyond 'the average pilots' ability to manage. If MCAS is the only answer affordable answer, the suggested fixes, aired over the last weeks, sound logical.
Where are the erroneous un-commanded movements going to come from, given the quote implies it's not from the pilots and MCAS has been made safe?
Thread Starter
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 790
Likes: 0
Received 0 Likes
on
0 Posts
Join Date: Jun 2008
Location: Cambridge UK
Posts: 192
Likes: 0
Received 0 Likes
on
0 Posts
Over these months I've become more and more bewildered by certain design-logic. Now this. What is it supposed to mean? Movements that are un-commanded, presumably meaning by the pilots, must mean movements made by MCAS. These are now going to be stopped automatically.
MCAS did not fail. The specifications/algorithms, altered late in the day, were to blame, inasmuch as they caused a catastrophic overload of warnings and handling difficulties that were beyond 'the average pilots' ability to manage. If MCAS is the only answer affordable answer, the suggested fixes, aired over the last weeks, sound logical.
Where are the erroneous un-commanded movements going to come from, given the quote implies it's not from the pilots and MCAS has been made safe?
MCAS did not fail. The specifications/algorithms, altered late in the day, were to blame, inasmuch as they caused a catastrophic overload of warnings and handling difficulties that were beyond 'the average pilots' ability to manage. If MCAS is the only answer affordable answer, the suggested fixes, aired over the last weeks, sound logical.
Where are the erroneous un-commanded movements going to come from, given the quote implies it's not from the pilots and MCAS has been made safe?
keeping the hardware unchanged means that the engineers are trying to do this with at least one arm tied behind their backs.
Making MCAS survivable probably entails both minimising its potential effects (e.g. only singe-shot) and providing a practicable SOP for handling it.
Minimising the frequency of false activation probably involves lots of sanity checks on the AoA readings both separately and collectively
(e.g. beware of at-extreme and stuck-at readings).
A major problem with collective AoA checks is that each AoA is only connected to one computer. So both computers have to be fully
operational and communicating with each other to perform them. It would not surprise me if that this unanticipated communication
was far from instantaneous.
My guess that this is where the self-correcting un-commanded movements might be coming from. One computer sees that its AoA
sensor indicates that MCAS is called for and activates it, then later gets information from the other computers AoA sensor that
suggests that this was a bad idea and aborts the MCAS activation. (A lot better that waiting for a time-out to discover that the
other computer is currently inaccessible.)
PS And keep your fingers crossed that the MAX really is aerodynamically stable without MCAS. Because this sort of system is going
to disable it in response to some classes of hardware failure.
My guess that this is where the self-correcting un-commanded movements might be coming from. One computer sees that its AoA
sensor indicates that MCAS is called for and activates it, then later gets information from the other computers AoA sensor that
suggests that this was a bad idea and aborts the MCAS activation. (A lot better that waiting for a time-out to discover that the
other computer is currently inaccessible.)
PS And keep your fingers crossed that the MAX really is aerodynamically stable without MCAS. Because this sort of system is going
Join Date: Jan 2008
Location: uk
Posts: 857
Likes: 0
Received 0 Likes
on
0 Posts
Over these months I've become more and more bewildered by certain design-logic. Now this. What is it supposed to mean? Movements that are un-commanded, presumably meaning by the pilots, must mean movements made by MCAS. These are now going to be stopped automatically.
MCAS did not fail. The specifications/algorithms, altered late in the day, were to blame, inasmuch as they caused a catastrophic overload of warnings and handling difficulties that were beyond 'the average pilots' ability to manage. If MCAS is the only answer affordable answer, the suggested fixes, aired over the last weeks, sound logical.
Where are the erroneous un-commanded movements going to come from, given the quote implies it's not from the pilots and MCAS has been made safe?
MCAS did not fail. The specifications/algorithms, altered late in the day, were to blame, inasmuch as they caused a catastrophic overload of warnings and handling difficulties that were beyond 'the average pilots' ability to manage. If MCAS is the only answer affordable answer, the suggested fixes, aired over the last weeks, sound logical.
Where are the erroneous un-commanded movements going to come from, given the quote implies it's not from the pilots and MCAS has been made safe?
BUT, I think maybe there is an explanation that makes some kind of sense (NB: what follows is pure speculation, I have no non-public info on what they are actually doing):
A while ago I sat down and worked through some implementations of MCAS logic from what we know (I then promptly lost the work, probably why I don't do that sort of stuff for real anymore), I was struck by how simple it actually works out. It is possibly as little as a two state variables, one output, one or two lookup tables and a handful of lines of code - ideal from the point of view of KISS and also for shoehorning into a hard real time control loop that has had decades of mods to use up the future-expansion CPU-time headroom from the original design. The devil is in the reset, you have to wind trim back when AOA drops (or g in original design?) to reduce column force again, but if anything messes with trim in meantime (pilot, autopilot, speed trim) you can't wind back, otherwise you risk auto-trimming back up into stall, so you must have a reset - but then when does MCAS activate again, it can't be once-per-flight (only protects you the first time), there has to be a re-activation condition too (and still does even in new version)... this is the point where the cans are opened and the worms are spewing everywhere...
When Boeing announced the revised design there was something about they would ensure the pilot could always pull 1.5g. My first reaction was "very sensible why didn't you do that before", second was "hang on that's going to be non-trivial to calculate" (third being maybe it is trivial but I've forgotten so much aero stuff I don't have a clue how). There is also the issue that the calculation will be using air data that may be incorrect - so we could be no better off than before. The 1.5g seems to have disappeared from the current write up but I suspect it is still there in some form, but now we also have AOA-compare, and other-FCC-compare - my gut-feel-guess at least an order of magnitude more code, inter-FCC comms latency, possible race conditions, orders of magnitude more analysis and testing... how the **** are they going to fit all that in??
Answer - they aren't. Longer answer - assuming FCC has (in effect) multiple real-time control loops I expect MCAS to be in the inner-most loop running many times a second, but there will also be "slower" outer loops for less time-critical longer and more complex processes, imagine "MCAS-watchdog" (or MCAS-sanity-check or whatever) does all the complex stuff and runs in one of those. That would enable allowing for inter-FCC bus latency, reducing race conditions, much larger CPU time allowance. Now we have in effect:
* MCAS (as before plus, probably, simple AOA disagree heck) - inner loop, runs many times a second (not sure how many, but a lot more than three)
* MCAS-watchdog - calculates pilot can still pull 1.5g, complex airdata sanity checks, cross checks with other FCC, shuts stuff down if it trips - and runs only three times a second
Now, this is a system where MCAS can activate erroneously but the watchdog process should catch it and shut it down within a third of a second (unless all airdata is fubar on both sides in which case good luck with anything). The watchdog process will have to alert the pilot when it shuts MCAS (and other stuff) down, I strongly suspect it will do this via the "speed trim fail" warning light. Therefore it will shut down speed trim at same time as MCAS, perfectly logical because MCAS has always been part of speed trim really, honestly, nothing to do with the fact that we can thereby avoid adding a new warning light which might need sim training. Details on the additional/new meaning of "speed trim fail" will be in a footnote on page nnn of the iPad conversion training. Speed trim fail NNC may get changed to add something like "expect degraded handling with flaps-up, plan flaps-down asap, land nearest suitable".
I think this is roughly what they've done, it matches what they've said before and the recent description, and it's a vaguely sensible way forward from where they were. It still feels like multiple layers of duct-tape over a weak spot that should never have been there in the first place, but it'll probably be enough, eventually, to get it back in the air.
Join Date: May 2008
Location: denmark
Posts: 9
Likes: 0
Received 0 Likes
on
0 Posts
Quote: ”By stopping any erroneous uncommanded movements automatically, the redesign takes the response out of the pilots’ hands altogether. ” What is it supposed to mean? Movements that are un-commanded, presumably meaning by the pilots, must mean movements made by MCAS. These are now going to be stopped automatically.
MCAS did not fail.
MCAS did not fail.
I have been wondering why there is so strong belief in that fixing the MCAS algorithm makes the aircraft safe, when it is not unlikely that a SEU generates a runaway even if the MCAS algorithm is deleted from the system. I.e. the risk of a software introduced runaway theoretically exists on the NG, except the NG still have the cut-out switches on the yoke.
My understanding of CS 25.671/25.672 is that, either: A trim runaway must be “extremely improbable”, this require a DAL A architecture all the way from sensor to actuators. Or be capable of continued safe flight and landing following runaway. The last claim have been proven impossible, so DAL A it is.
Join Date: Sep 2017
Location: Europe
Posts: 1,674
Likes: 0
Received 0 Likes
on
0 Posts
What remains obvious is that regulatory capture is driving the process.
Thus the only way that the issues actually get resolved will be pilots and the flying public saying no more.
Thus the only way that the issues actually get resolved will be pilots and the flying public saying no more.
Thread Starter
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 790
Likes: 0
Received 0 Likes
on
0 Posts
Join Date: Sep 2019
Location: leftcoast
Posts: 2
Likes: 0
Received 0 Likes
on
0 Posts
so what happens if AOA goes fubar etc and says *** you are diving too steep**eg negative AOA > ?? degrees ***- does Mcas trim nose up ? how much, how long ? Phugoid ??
Last edited by Grebe; 19th Nov 2019 at 04:23. Reason: clsrify ' dive' error in AOA=fat fingers
Join Date: Jul 2014
Location: Harbour Master Place
Posts: 662
Likes: 0
Received 0 Likes
on
0 Posts
* Course content increased 100%, now 2 hours in duration.
Join Date: Mar 2019
Location: On the Ground
Posts: 155
Likes: 0
Received 0 Likes
on
0 Posts
Boeing will let us know, after the fact, that the crew should have figured that out.
Last edited by Takwis; 19th Nov 2019 at 12:32.
Join Date: Sep 2019
Location: leftcoast
Posts: 2
Likes: 0
Received 0 Likes
on
0 Posts
SideNote -- re the Boeing BS described as " Now, according to the Boeing website, it has over 45,000 engineers spread throughout the entire company. Such a deep roster of talent, the aerospace company has incredibly deep and specific expertise for new designs and to manage the safety and airworthiness of the nearly 14,000 Boeing airplanes flying today."
look up the following in the JDA Journal "FAA Insight and Aviation . . ."
look up the following in the JDA Journal "FAA Insight and Aviation . . ."
What Faa Delegation Does—How And Why?
TOPICS:Boeing 737 Max8Mike Borfitz“Designated Airworthiness Representative’ (Dar)“Designated Engineering Representative” (Der)
OK - the article IMHO is partly misleading
First- SPEEA has a total membership of about 20,000 total Engineers AND Techs which includes most ( all? ) DER/ODA type
The majority of the DER/ODA types are in the Seattle Area- Dont know the numbers, but perhaps- maybe 1000 ??
When SPEEA went on strike in 2000-2001, Boeing could NOT deliver any planes without a DER ' signature ' - That was one reason Boeing pushed a few years later the ODA system...
Granted there are some in Aerospace- St louis, etc but for commercial seattle- renton- everett is where its at.
Second -
Under the ' old' DER system- the DER could and did report directly to hjis/her FAA counterpart or committee re the area involved but were of course paid by Boeing.
But under the ODA system, the same " DER" reported THRU Boeing managment to the FAA- and could/was effectively ' filtered ' based on cost, schedule, or management incompetence.
The result is history
TOPICS:Boeing 737 Max8Mike Borfitz“Designated Airworthiness Representative’ (Dar)“Designated Engineering Representative” (Der)
Now, according to the Boeing website, it has over 45,000 engineers spread throughout the entire company. Such a deep roster of talent, the aerospace company has incredibly deep and specific expertise for new designs and to manage the safety and airworthiness of the nearly 14,000 Boeing airplanes flying today.
First- SPEEA has a total membership of about 20,000 total Engineers AND Techs which includes most ( all? ) DER/ODA type
The majority of the DER/ODA types are in the Seattle Area- Dont know the numbers, but perhaps- maybe 1000 ??
When SPEEA went on strike in 2000-2001, Boeing could NOT deliver any planes without a DER ' signature ' - That was one reason Boeing pushed a few years later the ODA system...
Granted there are some in Aerospace- St louis, etc but for commercial seattle- renton- everett is where its at.
Second -
Under the ' old' DER system- the DER could and did report directly to hjis/her FAA counterpart or committee re the area involved but were of course paid by Boeing.
But under the ODA system, the same " DER" reported THRU Boeing managment to the FAA- and could/was effectively ' filtered ' based on cost, schedule, or management incompetence.
The result is history
Join Date: Jun 2019
Location: Tana
Posts: 0
Likes: 0
Received 0 Likes
on
0 Posts
45,000 sounds like A LOT of engineers. An American aviation engineer wouldn't get out of bed for less than 100k a year. That makes it $4.5bil in salary alone. That's almost 10% of the company's revenue and over 80% of net profit.
Another number that kind of scratched my brain the wrong way is "14,000 Boeing aircraft flying today". Are there that many flying? Even with military airplanes and helicopters, that looks like a VERY big number.
Another number that kind of scratched my brain the wrong way is "14,000 Boeing aircraft flying today". Are there that many flying? Even with military airplanes and helicopters, that looks like a VERY big number.
Join Date: Mar 2014
Location: Dallas
Age: 67
Posts: 8
Likes: 0
Received 0 Likes
on
0 Posts
Where's the missing MCAS automatic trim commands?
From the preliminary report of the ET302 accident.
(many copies around the internet)
==============
At 05:40:35, the First-Officer called out “stab trim cut-out” two times. Captain agreed and First-
Officer confirmed stab trim cut-out.
At 05:40:41, approximately five seconds after the end of the ANU stabilizer motion, a third instance
of AND automatic trim command occurred without any corresponding motion of the stabilizer,
which is consistent with the stabilizer trim cutout switches were in the ‘’cutout’’ position
==============
At this point, the trim cutout switches were shutting down the output from MCAS reaching the trim motors. So, why are there no more automatic MCAS trim commands recorded? (Cyan color in the Flight data recorder tracings on page 26 of the report) The trim cutout switches shouldn't inhibit the FCC from issuing commands, just the trim motor being cutout. For approximaty two minutes, MCAS should be issuing 8 or 9 more AND automatic trim commands but, they aren't on the data trace. Flaps are up, AOA is off the chart, A/P is OFF. The only change is the stabilizer trim cutout switches were in the cutout position. How should that change MCAS from issuing more AND automatic trim commands? The trim motor is cutout from accepting the commands, but, they should still be issued from MCAS, unless there is some connection between one or both of the stabilizer trim cutout switches and the FCC MCAS program somehow? Only when the stabilizer trim cutout swiches are turned back to normal, do the automatic trim commands reappear at the end of the flight.
(many copies around the internet)
==============
At 05:40:35, the First-Officer called out “stab trim cut-out” two times. Captain agreed and First-
Officer confirmed stab trim cut-out.
At 05:40:41, approximately five seconds after the end of the ANU stabilizer motion, a third instance
of AND automatic trim command occurred without any corresponding motion of the stabilizer,
which is consistent with the stabilizer trim cutout switches were in the ‘’cutout’’ position
==============
At this point, the trim cutout switches were shutting down the output from MCAS reaching the trim motors. So, why are there no more automatic MCAS trim commands recorded? (Cyan color in the Flight data recorder tracings on page 26 of the report) The trim cutout switches shouldn't inhibit the FCC from issuing commands, just the trim motor being cutout. For approximaty two minutes, MCAS should be issuing 8 or 9 more AND automatic trim commands but, they aren't on the data trace. Flaps are up, AOA is off the chart, A/P is OFF. The only change is the stabilizer trim cutout switches were in the cutout position. How should that change MCAS from issuing more AND automatic trim commands? The trim motor is cutout from accepting the commands, but, they should still be issued from MCAS, unless there is some connection between one or both of the stabilizer trim cutout switches and the FCC MCAS program somehow? Only when the stabilizer trim cutout swiches are turned back to normal, do the automatic trim commands reappear at the end of the flight.
Join Date: Sep 2019
Location: leftcoast
Posts: 2
Likes: 0
Received 0 Likes
on
0 Posts
45,000 sounds like A LOT of engineers. An American aviation engineer wouldn't get out of bed for less than 100k a year. That makes it $4.5bil in salary alone. That's almost 10% of the company's revenue and over 80% of net profit.
Another number that kind of scratched my brain the wrong way is "14,000 Boeing aircraft flying today". Are there that many flying? Even with military airplanes and helicopters, that looks like a VERY big number.
Another number that kind of scratched my brain the wrong way is "14,000 Boeing aircraft flying today". Are there that many flying? Even with military airplanes and helicopters, that looks like a VERY big number.
About SPEEA - IFPTE Local 2001
The Society of Professional Engineering Employees in Aerospace (SPEEA), IFPTE Local 2001, is a professional aerospace labor union representing more than 22,650 engineers, technical workers, pilots and other professionals in the aerospace industry. Presently, our union represents employees at The Boeing Company, Spirit AeroSystems, and Triumph Composite Systems. Members work in Washington, Kansas, Oregon, Utah, Florida and California.
The Society of Professional Engineering Employees in Aerospace (SPEEA), IFPTE Local 2001, is a professional aerospace labor union representing more than 22,650 engineers, technical workers, pilots and other professionals in the aerospace industry. Presently, our union represents employees at The Boeing Company, Spirit AeroSystems, and Triumph Composite Systems. Members work in Washington, Kansas, Oregon, Utah, Florida and California.
Join Date: Apr 2019
Location: Toronto
Posts: 20
Likes: 0
Received 0 Likes
on
0 Posts