MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures
Thread Starter
Join Date: Apr 2015
Location: Under the radar, over the rainbow
Posts: 788
Did we know that MCAS was mentioned loud and clear in a Brazilian ODR table dated January 18?
https://www.quora.com/How-safe-is-th...comment_type=2
I've just had a 'comment' to a post I penned on Quora quite a while ago. It shows a copy of the page. Sadly, what is a good forum for science is spread over many subjects and is not structured in a way that gives easy references. However, click 'more' and scroll to Phil Seely's pictures.
I found the original document on the Brazilian ANAC site. The MCAS reference is on page 18.
Is it plausible that there is an ongoing broad evaluation of the proposed modifications by the various international authorities without any leakage of these?
It seems more likely that we are still in closed-door negotiations between Boeing and the FAA to define what changes must be made. That suggests the timeline is slipping.
Join Date: Jun 2019
Location: Tana
Posts: 0
Can we entertain ourselves with a slightly different but related issue? How will 777X be certified? Will (Can) EASA, TC and CAAC demand their own certification? I doubt anyone in the world trusts Boeing or FAA with certification process at the moment. As a matter of fact their own senate doesn't trust them in that regard.
Join Date: Jan 2013
Location: UK
Age: 63
Posts: 37
I have no information about what process Boeing actually followed for the design and verification of MCAS, either initially or as it evolved to encompass a second requirement (i.e., low speed maneuvering). I don't know what kinds of specs were written, what kinds of reviews were held and what kind of testing was performed. But whatever process they followed, coding input validation and output constraints would have cost no additional money. Someone would have just had to think of it and do something reasonable. The more formal the process, the more likely this was to happen. But even with no formal process, it is really difficult to understand why the people who implemented MCAS didn't think of any of this.
I don't see the solution as being primarily software either although software will certainly be involved. The best solution would be an intrinsic one, remove the need for the system to be present at all, this isn't going to happen. The next best solution is one which cannot fail unsafely due to a single failure. Various ways seem possible to achieve that but they are not purely software and they will take time to develop, verify and certify.
I have been wondering for a few weeks now myself, how any future Boeing manufactured/produced aircraft may be certified too. Glad others have a similar line of thinking too! Might delay the 777X for a time, certainly a new NMA design/project. Of course they can try the old 747-400 trick again by just updating engines on B757/767, ho ho!
And that right there ladies and gentlemen is the elephant in the room, Boeing took and lost the gamble in 04’.
The 757 had the main gear clearance and chord to have enabled a reengine, the 321XLR couldn’t have come at a better time!
Join Date: Apr 2019
Location: EDSP
Posts: 334
I think it is a mistake to focus on the software and software development process. Certainly it would be sensible for there to be input validation/plausibility checks and these may or may not be present but the big issue was in the system design. It is quite clear that at a system design level this function and the software associated with it were not assessed as having a high safety impact. Everything flowed from this, a single sensor single channel system vulnerable to a single failure in a whole range of areas including the software design and implementation.
I don't see the solution as being primarily software either although software will certainly be involved. The best solution would be an intrinsic one, remove the need for the system to be present at all, this isn't going to happen. The next best solution is one which cannot fail unsafely due to a single failure. Various ways seem possible to achieve that but they are not purely software and they will take time to develop, verify and certify.
And then someone comes along and demands you to be more agile. Just look at the suggestions to use multi core processors with multiple layers of non deterministic caching and predictive execution. Unfortunately many managers are on the same "But my iphone can do this"-knowledge level.
Join Date: Jul 2002
Location: Ireland
Posts: 596
And then someone comes along and demands you to be more agile. Just look at the suggestions to use multi core processors with multiple layers of non deterministic caching and predictive execution. Unfortunately many managers are on the same "But my iphone can do this"-knowledge level.
Join Date: Jan 2008
Location: uk
Posts: 857
The only real answer to that is "as long as people keep buying them", or just maybe "as long as they are allowed to".
The last commercial B737NG went off the assembly line only in the last few weeks, and they're still building P-8A & E-7 airframes that are B737NG-based.
Boeing hope to build at least another 4,000 B737-8, -9 & -10 and possibly a few -7 too and unless they get a complete new FCC they'll all be running "x286-based 16 bit processing". At 60/month that's another 5 to 6 years production, and a reasonable proportion of them should last at least thirty years.
So if everything goes to Boeing's plans, airframes will be flying that good old early-1980s technology until the 2050s or 2060s.
Horrifying to contemplate
Pegase Driver
Join Date: May 1997
Location: Europe
Age: 74
Posts: 3,684
So if everything goes to Boeing's plans, airframes will be flying that good old early-1980s technology until the 2050s or 2060s.
Join Date: Mar 2002
Location: London, UK
Posts: 437
The truth may eventually prove otherwise, but I have a hard time believing that someone told his manager that they should hold a design meeting to review the requirements and spec for the feature, and the manager said no. There may have been cost and schedule pressures that explicitly or implicitly discouraged a highly-formal development process for MCAS. But it smells more like a situation where the engineers involved simply didn't appreciate the risk presented and thought of it more as a bug fix or minor tweak not requiring formal process, rather than appreciating the risk but intentionally cutting corners on the sw dev process to save money.
“Take off your engineering hat and put on your management hat”
Jerry Mason, a Senior VP at Thiokol, and the most senior manager present starts the Thiokol caucus by observing that the decision from here on will be “a management decision”, and that “Am I the only one who wants to fly?”
Well-analysed here: https://clearthinking.co/the-telecon...fted-part-two/
Also https://www.onlineethics.org/Topics/...icationContent
Join Date: Mar 2019
Location: French Alps
Posts: 326
“Take off your engineering hat and put on your management hat”
Jerry Mason, a Senior VP at Thiokol, and the most senior manager present starts the Thiokol caucus by observing that the decision from here on will be “a management decision”, and that “Am I the only one who wants to fly?”
Well-analysed here: https://clearthinking.co/the-telecon...fted-part-two/
Join Date: Mar 2002
Location: London, UK
Posts: 437
You're welcome. NASA went on to do it all over again with Columbia (ignoring prior engineering warnings about foam damage to the heat-resistant tiles).
The "normalisation of deviance" -- Diane Vaughan -- is a serious organisational threat in most modern businesses.
There is a threshold to where a new version is easily certified for use (i.e. expedited review), but that is usually reserved for corrections or modifications to existing code. MCAS was an additional feature, so that would have caused a major level upgrade and the extended certification process.
The problem was the later modifications to that code were not seen as significant and thus not subjected to the higher level scrutiny.
Join Date: Jul 2002
Location: Ireland
Posts: 596
Join Date: Feb 2019
Location: shiny side up
Posts: 431
The news today from EASA, doing their own certification.
"European Aviation Safety Agency (EASA) executive director Patrick Ky said there is “still a lot of work to be performed” before it will allow the Boeing 737 MAX to return to service. Europe’s aviation safety authority has criticized the way FAA has allowed Boeing to “auto-certify” the key systems.
Ky told the European Parliament’s transport committee Sept. 3 that EASA has decided to recertify parts of the MAX’s flight control systems itself, oversight of which had been transferred to the FAA previously. “A lot of work is being done,” Ky said. EASA has been in close coordination with Boeing and the FAA for months. At this point the European agency is “happy” with some aspects of Boeing’s answers to its requests while there are others that “we need to discuss some more” and some issues still require more work."
https://aviationweek.com/commercial-...eed-be-changed
Join Date: Jun 2008
Location: Cambridge UK
Posts: 192
The news today from EASA, doing their own certification.
https://aviationweek.com/commercial-...eed-be-changed
Don't know if I'm especially unlucky, but the link wouldn't load until I removed the 's' from 'https'. It then loaded and re-established the 's'.
It's a tough sell, and would be in the courts for a long time.