MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures
Join Date: Aug 2007
Location: Alabama
Age: 58
Posts: 366
Likes: 0
Received 0 Likes
on
0 Posts
Sorry, I am confused. In helo ops HAL is height above landing, what are you referencing in this regard?
The issue appears to be in the FBW scenario, my reference was being able to turn off AP functions, but maintain electrical control of the elevator, rather than manual control.
As it appears MCAS is an automated function, shut that down, but not elec control, right?
Or hell, call me crazy, fix the ac so it does not need MCAS to fly...oi vey!
The issue appears to be in the FBW scenario, my reference was being able to turn off AP functions, but maintain electrical control of the elevator, rather than manual control.
As it appears MCAS is an automated function, shut that down, but not elec control, right?
Or hell, call me crazy, fix the ac so it does not need MCAS to fly...oi vey!
Join Date: Feb 2019
Location: shiny side up
Posts: 431
Likes: 0
Received 0 Likes
on
0 Posts
maybe my English is so bad that I could not made my point clear.. i am exactly saying be able to turn off AP (HAL) and be able to mantain electrical control
Join Date: Dec 2018
Location: 8th floor
Posts: 0
Likes: 0
Received 0 Likes
on
0 Posts
HAL 9000 is a fictional character and the main antagonist in Arthur C. Clarke's Space Odyssey series. First appearing in the 1968 film 2001: A Space Odyssey, HAL (Heuristically programmed ALgorithmic computer) is a sentient computer (or artificial general intelligence) that controls the systems of the Discovery One spacecraft and interacts with the ship's astronaut crew.
Join Date: Mar 2015
Location: antipodies
Posts: 75
Likes: 0
Received 0 Likes
on
0 Posts
A certain poster would have called HAL "the magic" in his famous mantra. From Wikipedia:
https://en.wikipedia.org/wiki/HAL_9000
https://en.wikipedia.org/wiki/HAL_9000
Join Date: Feb 2019
Location: shiny side up
Posts: 431
Likes: 0
Received 0 Likes
on
0 Posts
The point of the reference to 2001 a space odyssey is that in this film "HAL" decided he knew better than the captain!
If I remember correctly, HAL did not decide he knew better than the Cpt,
HAL decided the Cpt was not necessary to fly the ac.
Thread Starter
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 790
Likes: 0
Received 0 Likes
on
0 Posts
You Tube video: qDrDUmuUBTo
Last edited by OldnGrounded; 3rd Jul 2019 at 00:34. Reason: Direct video link doesn't work.
All new 737s are now MAX, and parked
- Build rate is still at 42/month, and since (according to https://simpleflying.com/boeing-last-737-ng/) the last B737NG has been delivered, all 42 of them are being parked. [I guess there's maybe the odd P-8A / E-7 going down the line, but I doubt that's any more than 1/month at most]
- Already part of the employee car park at Renton has been turned into a MAX parking lot
- Spirit is still building and being paid for 52 fuselages a month IIRC - at any rate the full rate
- GE are still building - and I guess being paid for - the LEAP engines at full rate, and will be caught up with their backlog very soon if they haven't already
- There hasn't been any notification that I've seen of other suppliers being asked to reduce production rates yet
How long before Boeing has to tell suppliers to slow down production rates, or suppliers - especially Spirit - tell Boeing that they have / are about to run out of space to store finished products?
DAVE: Open the pod bay doors, Hal.
HAL: I’m sorry, Dave. I’m afraid I can’t do that.
DAVE: What’s the problem?
HAL: l think you know what the problem is just as well as l do.
DAVE: What are you talking about, Hal?
HAL: This mission is too important for me to allow you to jeopardize it.
Just substitute "stop the trim running" for "open the pod bay doors"
HAL: I’m sorry, Dave. I’m afraid I can’t do that.
DAVE: What’s the problem?
HAL: l think you know what the problem is just as well as l do.
DAVE: What are you talking about, Hal?
HAL: This mission is too important for me to allow you to jeopardize it.
Just substitute "stop the trim running" for "open the pod bay doors"
Join Date: Feb 2019
Location: shiny side up
Posts: 431
Likes: 0
Received 0 Likes
on
0 Posts
kiwi...they have started flying the MAX to Moses Lake and parking them there.
Interesting to note that by the second week in December, there will be as many parked as have been delivered.
Interesting to note that by the second week in December, there will be as many parked as have been delivered.
Join Date: May 2008
Location: denmark
Posts: 9
Likes: 0
Received 0 Likes
on
0 Posts
Now as we know, that a fast speed trim runaway that cannot be stopped by counter trimming is considered a hazardous condition.
And now as we now that this Eaton actuator is a fancy modern microprocessor commutated and speed controlled brushless motor.
Could you please have a look if the actuators electronics - which is hardware and software - have been designed to a suitable design assurance level. Which would be DAL-B? DAL-A?
Uncontrolled dive is just a bit-flip away.
And now as we now that this Eaton actuator is a fancy modern microprocessor commutated and speed controlled brushless motor.
Could you please have a look if the actuators electronics - which is hardware and software - have been designed to a suitable design assurance level. Which would be DAL-B? DAL-A?
Uncontrolled dive is just a bit-flip away.
In the area of industrial automation there are plenty of variable speed ac drives with ‘Safe Torque Off’ conforming to SIL3 (Corresponding to DAL B)
Usually the control part deciding what speed to run, is not safety certified, i.e. it can only be guarantied to stop (generating torque like the function of the cut-out switches).
However there is no problem in designing such a system.
The Falcon 7X FBW system clearly has the functionality to monitor runaway, I just failed in the case of HB-JFN loss of control after pitch trim runaway.
Looking at the electrical diagram for the electrical trimming, I’m not sure if I can get this approved for anything but SIL1.
There does not seem to be good diagnostic coverage, for detecting shorts between circuits, or welded contact sets.
The state of the art is to have different diagnostic pulses on each independent channel, and having a monitoring feedback of each relay (forcibly guided NC contact set).
Or to use safe communication channels.
Join Date: Apr 2019
Location: EDSP
Posts: 334
Likes: 0
Received 0 Likes
on
0 Posts
Terms such as 'processor based' could mean anything but are probably chosen carefully and probably don't mean microprocessor controlled. In my industry (nuclear) there are rigorous technical protocols for assessing and verifying embedded software on safety critical equipment and I'd be astonished if there is not something very similar in aerospace.
What do you suggest switches the IGBTs they mention?
Must be microprocessor controlled.
As I understand it, until now everything related to a electric trim runaway was considerd "major fault". The new classification "hazardous" must have effects not only on the FCC. There shall be other components in that HARA that need attention.
Join Date: Nov 2015
Location: Bay Area, CA
Posts: 65
Likes: 0
Received 0 Likes
on
0 Posts
This useless post brought to you by Light Always Airways. (LAA) "We spend lesser so you can go higher!!"
On an unrelated note: Who builds an airplane with two switches ostensibly in series, but in reality not so for one channel, to do the job of just one previously?? Who states that these are both "redundant??" when clearly they do different things?? What does that open channel between the FCC and God knows actually do, and since it didn't exist before can we safely accept that it is an artifact of MCAS??
I could go on for hours. The one thing our favorite expert and everyone else has right is this: We don't know squat. We know a lot, and from that we may draw inferences, but as to actual facts: We got stinko.
Here's the thing I do not understand (This will be the end of this lumbering and highly lubricated post I promise): Boeing creates a **** system that kills north of 300 people. OK,
Because I treasure all my fellow travelers, YokoDriver I'll help you out here: Boeing killed 300+ with the help of some less than stellar piloting.
OK, that's not good by any measure.
But then...
A few months go by...
And, according to YokoDriver Boeing gives the FAA some software to play with. (Now let's be clear here. By play with we mean molest completely and bend any way you can to try to make it break. Because that's what you do when your previous offering killed 300+ right??)
Anyway, and the point of the entire sad story is this: No matter how they got here, when the simulation was run:
THE FAA TEST PILOTS BARELY RECOVERED THE AIRPLANE AFTER IT TRIED TO SCREW ITSELF INTO THE GROUND.
Key phrase there: "THE AIRPLANE TRIED TO SCREW ITSELF INTO THE GROUND."
Only one of two possible things happened here.
a) The software tested was Boeing's original brew. Meaning not only is the now known MCAS AOA failure mode present, there was ANOTHER ONE, a failure mode that would try to screw the airplane into the ground.
or
b) Boeing sent over a "NEW" software package, and it had a failure mode that would try to screw the airplane into the ground.
Previous posters have argued indignantly using some of the points above, but seeing them in full is illuminating to say the least.
Can anyone please tell me why heads didn't explode with the headline last Thursday??
Either Boeing software had TWO flaws that would try to make a smoking hole in the ground, or they sent a new updated version to the FAA for a test-run with a flaw that would try to make a smoking hole in the ground.
Sorry for the lugubrious rant-
dce
Join Date: Jan 2008
Location: uk
Posts: 857
Likes: 0
Received 0 Likes
on
0 Posts
Boeing have been building aeroplanes for long enough that one would hope they know what an FDR is supposed to record.
Not my logic or interpretation, but what I think Boeing may be relying on. I do think it could be questioned though, and if I was Boeing I would want to have that interpretation of the requirements to have been fully documented and signed off by FAA during the design process - because coming up with it after the fact is a lot less convincing.
Join Date: May 2010
Location: Boston
Age: 73
Posts: 443
Likes: 0
Received 0 Likes
on
0 Posts
It might surprise you, but I really wish Boeing had left both the cutoff switch wiring logic and the Runaway Stab checklist alone. That being said, I want to make sure that you understand the implications that go with changing things back to the way they were.
...
...
So you and a few other folks thinks the cutout switch logic should be returned to the NG configuration. I agree! However, that change does absolutely no good unless you go back to something like the earlier procedure. By its very nature, that procedure had more steps (and thus was harder to memorize), potentially took longer to execute because of the extra steps, and required a greater degree of knowledge of what was going on with the system.
...
The only change would be to add an option to restore manual electric trim once memory items were done, this would not need to be a memory item:
To restore manual electric trim set the [corect switch name] to enabled, be prepared to immediately disable if runaway trim re-occurs. Do not re-enable should this happen.
Second part covers a possible fault in either the pilot switches (highly unlikely) -or- the motor controller since power will be restored.
Join Date: May 2019
Location: Somewhere over the rainbow...
Posts: 0
Likes: 0
Received 0 Likes
on
0 Posts
For the NG (and theoretically reverted MAX) the stab trim runaway procedure memory items could be kept the same, simplistic paraphrase: Trim if possible, both switches to cutout.
The only change would be to add an option to restore manual electric trim once memory items were done, this would not need to be a memory item:
To restore manual electric trim set the [corect switch name] to enabled, be prepared to immediately disable if runaway trim re-occurs. Do not re-enable should this happen.
Second part covers a possible fault in either the pilot switches (highly unlikely) -or- the motor controller since power will be restored.
The only change would be to add an option to restore manual electric trim once memory items were done, this would not need to be a memory item:
To restore manual electric trim set the [corect switch name] to enabled, be prepared to immediately disable if runaway trim re-occurs. Do not re-enable should this happen.
Second part covers a possible fault in either the pilot switches (highly unlikely) -or- the motor controller since power will be restored.
First, as I have mentioned, there has been a very definite shift in philosophy regarding non-normal (formerly known as emergency) procedures industry wide. I don't know if the change was driven by manufacturers, regulators, operators, or some combination of the three, but it has been in place for awhile and unlikely to change. There is a very great reluctance to conduct any action that may be seen as troubleshooting a malfunction which very much includes restoring power to a system, or part thereof, that has malfunctioned. There is probably some historical safety data to back up this philosophy, but there are times when I believe it is overly constraining. Nevertheless, the intent behind most of the significant non-normals nowadays is to shut down and/or contain the malfunction and land the aircraft with what you have left.
Second, let's just say that the switchology was changed back to the NG configuration and we inserted this new step into the existing Runaway Stab Trim procedure. For the sake of discussion we will call it Step 6 since Step 5 is where the cutout switches are used. In order to get to Step 6, the pilots must first correctly navigate Steps 1 thru 5. Since neither accident crew chose to utilize the existing Runaway Stab procedure, much less work through it step by step (and particularly that very critical Step 2), then a new switch with a new step really would not have solved their problem.
As I mentioned above, new tools don't help much if they are not used or used ineffectively. The accident crews had several tools available to them that they either did not use or did not use effectively. I think a bit more time and energy should be directed to figuring out why that was the case before we go down the path of creating new tools.
Last edited by yoko1; 4th Jul 2019 at 02:16.
Join Date: May 2010
Location: Boston
Age: 73
Posts: 443
Likes: 0
Received 0 Likes
on
0 Posts
While I don't disagree in theory, this approach has two distinct problems.
...
...
Second, let's just say that the switchology was changed back to the NG configuration and we inserted this new step into the existing Runaway Stab Trim procedure. For the sake of discussion we will call it Step 6 since Step 5 is where the cutout switches are used. In order to get to Step 6, the pilots must correctly navigate Steps 1 thru 5. Since neither accident crew chose to utilize the existing Runaway Stab procedure, much less work through it step by step (and particularly that very critical Step 2), then a new switch with a new step really would not have solved their problem.
As I mentioned above, new tools don't help much if they are not used or used ineffectively. The accident crews had several tools available to them that they either did not use or did not use effectively. I think a bit more time and energy should be directed to figuring out why that was the case before we go down the path of creating new tools.
...
...
Second, let's just say that the switchology was changed back to the NG configuration and we inserted this new step into the existing Runaway Stab Trim procedure. For the sake of discussion we will call it Step 6 since Step 5 is where the cutout switches are used. In order to get to Step 6, the pilots must correctly navigate Steps 1 thru 5. Since neither accident crew chose to utilize the existing Runaway Stab procedure, much less work through it step by step (and particularly that very critical Step 2), then a new switch with a new step really would not have solved their problem.
As I mentioned above, new tools don't help much if they are not used or used ineffectively. The accident crews had several tools available to them that they either did not use or did not use effectively. I think a bit more time and energy should be directed to figuring out why that was the case before we go down the path of creating new tools.
I do disagree though that had step6 (re-enable manual electric trim only) been available it would not have helped ET:
Once they realized that manual mechanical trim was not available, due lack of training on use of flip out handles and/or aero loads alone, step 6 would have allowed them to re-trim the aircraft, even though they had not followed the memory items perfectly.
BTW: I totally understand the frustration with those who focus on trim motor overload, in ET case manual electric trim was clearly working until the cutout switches were activated.
Although the 'blips" at the end of each accident trace are puzzling in the Lion air case they coincide with transfer to co-pilot, in ET they are in extreme conditions which could well have had a biomechanical affect on the pilots ability to manipulate the switches.
Alchad
Join Date: May 2019
Location: Somewhere over the rainbow...
Posts: 0
Likes: 0
Received 0 Likes
on
0 Posts
Yoko, in a nutshell, additional time and energy expenditure is really superfluous. There are two opposite views which are diametrically opposed. Simply put, one view, which I think you subscribe to, is that inadequately trained pilots were to blame for the accidents. The other is that Boeing built a plane with design flaws as a result of a desire to regain a commercial advantage they were in danger of losing.
Alchad
Join Date: May 2010
Location: Boston
Age: 73
Posts: 443
Likes: 0
Received 0 Likes
on
0 Posts
Yoko, in a nutshell, additional time and energy expenditure is really superfluous. There are two opposite views which are diametrically opposed. Simply put, one view, which I think you subscribe to, is that inadequately trained pilots were to blame for the accidents. The other is that Boeing built a plane with design flaws as a result of a desire to regain a commercial advantage they were in danger of losing.
Alchad
Short view:
Pilots could have prevented the accidents, why did they not succeed ?
Boeing lost track of what it takes to be truly dedicated to safety over profits and pushed things over the limits.
Join Date: May 2019
Location: Somewhere over the rainbow...
Posts: 0
Likes: 0
Received 0 Likes
on
0 Posts
Let's go through it again, with a little more detail. First of all, this is not a smoking gun because it is not even the same gun. The problem was discovered when the new, yet to be flight-certified FCC software was being stress-tested in a Boeing engineering simulator. This simulator can be used to plug in different components of flight control hardware and software during both development and test phases and is part of the certification process of any new aircraft or related subsystems. The tests that were being conducted intentionally introduced faults into the FCC in order to see how it would respond. Normally, a fault on a single FCC should attempt to hand off the process to a different processor on the same FCC, or failing that, to a different FCC (there are two on the 737). The test did not involve the MCAS subroutines of the new FCC software.
This news was reported through several outlets, but Leeham New's seems to have the best detail:
Bjorn’s Corner: New pitch trim issue forces further changes to 737 MAX software
Quoting the article:
.
The flaw is not related to MCAS but to how the revised software affects the aircraft’s processors in the Flight Control computers when these have simulated fault conditions.
During a check on how different faults (in this case a fault in one of the microprocessors in the Flight Control computer) can cause Trim Runaway conditions the FAA found the 737 MAX Flight Control computer got overwhelmed by the data flows the simulated fault caused and it delayed the actions the FAA pilot could take to stop the trim runaway.
During a check on how different faults (in this case a fault in one of the microprocessors in the Flight Control computer) can cause Trim Runaway conditions the FAA found the 737 MAX Flight Control computer got overwhelmed by the data flows the simulated fault caused and it delayed the actions the FAA pilot could take to stop the trim runaway.
The discovery is not done in the part of the code which handles MCAS. It’s found as a wider verification the software changes haven’t produced any secondary hazards in the 737 MAX flight control system.
Software changes in a flight control system are always verified with an exhaustive FMEA analysis (Failure Mode and Effects Analysis) and it’s during such verifications the new condition was discovered.
Software changes in a flight control system are always verified with an exhaustive FMEA analysis (Failure Mode and Effects Analysis) and it’s during such verifications the new condition was discovered.
All the test above tells us is that the new software has either a coding issue (which may involve just reprogramming work) or it is demanding more than the processor can handle (which may involve a change in processors). There was extensive discussion previously in this thread by individuals with background in this kind of work who explained all the ways in which errors could have been introduced into the new software.
Also important to understand is that this type of testing was performed on the original Flight Control components (hardware/firmware/software) that were part of the originally certified aircraft. Certainly one might suggest that this testing missed something. Possible, but this is where the accident investigation process steps in.
In order to determine the cause(s) of an accident, to include an attempt to replicate all the physical and electronic evidence left behind, the accident investigators will run every suspect component through a battery of tests. Since the actual components were destroyed, it is almost certain that the investigation teams pulled similar components from the field and then used the same (or similar) Boeing engineering simulator to test these components for all manner of possible failures, including the exact tests run by the FAA as described above. Ideally, these components would have been produced in the same lots as the those in the accident aircraft. Since there hasn't been much reticence in reporting all the other existing flaws with the MCAS and related software, it doesn't seem likely that an issue that caused a fault like the one reported for the new software would be selectively concealed from the public. Another item for the "Dog that did not bark" file.
Back to the Leeham article which first quotes from a so-called 8-K public filing:
“The Federal Aviation Administration has asked The Boeing Company to address, through the software changes to the 737 MAX that the company has been developing for the past eight months, a specific condition of flight, which the planned software changes do not presently address.”
Here is what Wiki says about an 8K filing: Form 8-K is a very broad form used to notify investors in United States public companies of specified events that may be important to shareholders or the United States Securities and Exchange Commission.
The filing means FAA has found a flaw in the software Boeing has developed to fix to the MCAS problem. The find and its consequences are significant enough so Boeing’s shareholders should be informed about it. It can affect the value of Boeing on the stock market.
Here is what Wiki says about an 8K filing: Form 8-K is a very broad form used to notify investors in United States public companies of specified events that may be important to shareholders or the United States Securities and Exchange Commission.
The filing means FAA has found a flaw in the software Boeing has developed to fix to the MCAS problem. The find and its consequences are significant enough so Boeing’s shareholders should be informed about it. It can affect the value of Boeing on the stock market.
Lots and lots of dogs not barking, and there is a very good reason for it.
Last edited by yoko1; 3rd Jul 2019 at 20:19.