ST Dog

The repercussions of the certification authorities no longer abiding the reciprocal certification would be a big deal.

If EASA doesn't accept the FAA's certification do that make the reciprocity agreements null? So the FAA no longer accepts EASA certifications?
Not the sort of thing the OEMs want. Dealing with a dozen different authorities would severely delay things and greatly increase the costs.

Water pilot

Unfortunately it seems like Boeing went into this with their eyes wide open. They knew exactly what would happen and they probably had a good idea of how many times it would happen. Their assumption (hope) which they have stated often was that the pilots could handle the failure, which is a pretty strange approach to safety design in my opinion. (How would they feel about "we don't need a circuit breaker in the under seat electrical outlets because the flight attendants are well trained to deal with fires"?)

Thanks for the link to the Challenger disaster, I never knew that the engineers had actually discussed the gasket problem with NASA and were pressured into approving the flight. There is probably nothing worse than knowing exactly why the rocket blew up well before anybody else and wondering why you didn't just argue harder. The same for the Boeing engineers. I feel for them both, but it is an object lesson in why you should never give in to management when they want you to compromise safety -- and they will. There is always some other job that you can do rather than being complicit, and if it goes that far then you didn't want to work there anyway.

Tomaski

​​​​​​https://aviationweek.com/commercial-...ng-evaluations

MAX Lessons Prompt FAA Shift In Training Evaluations

​​​​​​The FAA plans to have a large number of pilots with a variety of backgrounds validate changes to Boeing’s 737 MAX, departing from an approach that aligned operational evaluations with the airlines it regulates.

The agency wants to bring in about 15 crew pairs from around the world to conduct MAX-simulator sessions in the coming weeks, multiple sources confirm. The group will include pilots with varied experience. One source said the FAA plans to recruit evaluators with multicrew pilot licenses. Those licenses emphasize competency-based outcomes and simulator training—as opposed to flight hours—and qualify a candidate to serve as a first officer. The FAA says it “has not specified” a particular number of flight hours for these crews, but that they must have “previous experience at the controls of the Boeing 737MAX.” Such evaluation groups are common, contributing to FAA-led Flight Standardization Boards (FSB) during certification. Usually, they are dominated by U.S. pilots. The FSB conducted during the MAX’s initial certification in 2016 included 737-800 line pilots from American Airlines, Delta Air Lines and Southwest Airlines, as well as representatives from Transport Canada and the European Aviation Safety Agency.

The shift from relying on U.S. pilots is an acknowledgment that, while the FAA’s baseline requirements for training on a specific aircraft can be modified by other agencies, they often are not. This is even though big-picture standards established by authorities for how pilots are trained vary widely.

“We’ve always done the [pilot training] evaluations with the mindset of our system and our understanding of our system,” a senior U.S. government official says. “[The MAX situation] has highlighted that when you have the majority of the fleet going [to other countries], maybe we have to look at it differently. We are now including other pilots from other locations and with different skill sets, training and backgrounds, because they will be the ones [operating the aircraft].”

Past groups have also been smaller, meaning the new approach, which requires coordinating schedules for more pilots, is expected to take more time.

The 385-aircraft MAX fleet was grounded in mid-March following the second fatal MAX accident in five months. Boeing halted deliveries soon after and cut 737 production—now almost all commercial-version MAXs—to 42 per month. The software changes, along with new training materials, are being finalized for review by the FAA.

Boeing’s changes primarily affect the MAX’s Maneuvering Characteristics Augmentation System (MCAS) flight control law that interim investigation reports suggest played a role in the crashes of Lion Air Flight 610 in October 2018 and Ethiopian Airlines Flight 302 in March 2019.

Feedback from the pilot group will help the agency finalize an update to the 737 FSB report, which is needed to clear the MAX to fly again. A draft of the report is expected to be opened for comment for 15-30 days. The agency is still sorting through hundreds of comments made to a previous draft.

The FAA is not expected to call for simulator sessions before MAX pilots can fly again but will likely require them during recurrent training. Deeper dives into the MAX’s flight control system uncovered high-pilot-workload failure scenarios that 737 pilots may benefit from practicing. They also highlight that assumptions made during the MAX’s certification, such as that pilots would quickly diagnose an MCAS malfunction as a common runaway stabilizer problem and react accordingly, were wrong. This could prompt other countries and some airlines to insist on simulator time right away.

Boeing says it is working to deliver its final MAX update package to the FAA “in the September time frame,” part of a timeline that has regulators starting to lift flight bans in the fourth quarter. It has made financial estimates based on that and is hiring several hundred temporary technical workers to help move the backlog of undelivered MAXs. Once its final package is in the FAA’s hands, the agency is expected to take at least a month to validate it.

The FAA has not committed to a timeline. Two sources say the FAA and other regulators continue to ask numerous, detailed questions about Boeing’s software changes, including some that go beyond the MCAS. It is unclear whether this, combined with the expanded pilot-review effort, will put Boeing’s fourth-quarter return to service estimate at risk.

Boeing’s changes are addressing the MAX-specific issues and should eliminate MCAS failures as a source of concern. But the MAX-accident preliminary reports suggest longer-term challenges remain, such as how well crews were trained to handle an emergency that required procedures rarely, if ever, practiced by airline pilots.

By expanding participation in evaluation boards, the FAA hopes to receive feedback that is more representative of the industry and establish more effective training standards. The issue goes beyond flight-hour experience, the government official says, noting: “It’s about gaining a better understanding of different environments.”

Vendee

So what does that tell us? Yes, MAX pilots should practice this in the sim but not if it will cost Boeing or the airlines for the additional sim sessions? I do hope that EASA and other non US regulators call for pilot sim time before the MAX flies again.

groundbum

the FAA wants it both ways. On the one hand they only want pilots on their evaluation board with prior MAX experience, but on the other hand they say no prior experience (or MAX sim time) is necessary to fly the thing operationally! It's this have the cake and eat it that created this mess. They need to hold every part of the industry to the same stndard, not some kind of watered down fudge middle ground for what is easy and convenient. Have a backbone FAA!

G

Speed of Sound

Fly Aiprt

Thistle42

[Not a pilot, but my brother was a FE on 707/727/747s so I am aware of some of the background and culture]

From the evidence and reading between the lines, it seems to me that the plan is to get just the FAA alone to certify the MAX only in the USA (and maybe neighbouring countries with some arm twisting?). The assumption will be that reluctance of certification from elsewhere is expected to collapse when it is proven that the MAX can fly safely. How effective this scheme will be is anyone's guess but I am sure flight crew will want to be 100% convinced of the ‘fix’ which from what we can glean is a simple software patch. If it involved hardware changes (new wiring) that would be a major certification issue surely?

What concerns me as a retired software dev/tester of over 30 years experience, is the blasé assumption that yet more code will fix this. We all have experience of another Seattle company that has a regular ‘Patch Tuesday’ that fixes what previous patches broke. I’ve never worked on safety-critical code but even run of the mill commercial applications take a lot of planning, test plans, and test cases and even then something comes out later to bite you on the bum. As for combining 2 FCCs, it’s not a trivial task.

I have worked for US companies such as Xerox and they used CMM (as it was back then, now CMMI) as a process to control software changes. This was for an embedded controller for a multifunction machine with greater than a million LOC. The thing is that this process actually worked! No change was so trivial that you did not have to run it past a meeting of peers and librarian and justify the change and potential side effects with a backout plan as well. So how did any code change on the MAX not get scrutiny?

DType

Yes, I was pressurised many times by managers to sign off faulty equipment, so I always said that if I was really creating a fuss about nothing then they were welcome to overrule me and sign it off themselves. They never did.

Speed of Sound

silverstrata

SteinarN

And at the same time Boeing obviously did NOT expect the pilots do diagnose a correct MCAS activation in a real high AOA event as trim runaway. How did Boeing figure this out, that the pilots would ONLY diagnose an erroneous MCAS activation as trim runaway and not diagnose a correct MCAS activation as trim runaway?

horizon flyer

Thinking right field and going back to basics would not an aerodynamic fix be better. Then MCAS would not be needed, may even remove the need for a stick shaker. How, well Lear did this on one of their models think might have been the 35 by adding what they called Delta Fins under the end of the rear fuselage, provided an up force at high angles of attack to push the nose down and stop a super stall so no stick shaker needed, think the model had a T tail. Of course on the Max may need to place one each side of the fuselage rather than under so not to scrap them on the runway on high angle landings and takeoffs. I think it would be better than playing with the electronics which can always fail. Also the extra training need would go away.

The fins are delta shaped and mounted at 45 degrees down bit like an invert butterfly tail.

Speed of Sound

Ian W

It is a standard approach to safety design, THE reason pilots are in the cockpit is to deal with problems that the automatics cannot and that is standard practice for all manufacturers.

The standard design of flight management systems is that the software will deal with most eventualities but when it starts getting more complicated for the beast of little (286) brain to deal with and the software cannot sort out what to do. rather than carry on increasingly complex and expensive coding to fully automate the system, the FMS is designed to disconnect or enter an 'alternate mode' and the pilot is expected to take over. The same is generally true for all aircraft automation. Pilots 50 years ago operated entire flights without automation; leg and arm strength and methods to fly aircraft with problems was an expected part of being a pilot. As automation and 'glass cockpits' have been introduced the length of time pilots actually control the aircraft and the number of occasions that the automatics need the pilot to take control have been reducing. This has not gone unnoticed by the beancounters who have reduced manual flying and training for manual flying; and simulator slots are becoming pre-warned box ticking. [yes I know these are worst cases]

The result is pilots that are less prepared as failures are rare, and less capable to cope with a failure when it does occur and by definition the failures are more complex because they may cause a cascade of events in the automation. It is an unsafe assumption by the FMS and systems designers that pilots are 'happy' or even capable of switching off all automatics and flying manually. Remember, there was quite a lot of back pressure by some pilots about deskilling when these automated systems were brought into service. An analogy is a driver of a self-driving car who is allowed to occasionally touch system controls when parking or leaving a parking spot but otherwise just monitors progress.... suddenly finding after raucous alarms, that the car is a stick shift with no synchromesh requiring double declutching and 'heel and toe' gear changing while braking without power brakes or power steering and the problem is a deflating tire at speed, with fading brakes, on a steep down hill winding icy road at night with poor lights. It doesn't help the older drivers saying can't you cope with a simple soft tire?

The automation manufacturers and air frame builders expect pilot capabilities that are no longer there in line pilots the pilots are not trained for them. The forecast deskilling has arrived.

So where to go from here? The assumptions made by the manufacturers must be met by the operators or the aircraft should not be purchased. It doesn't help that 'needs no (re)training' is used to tempt beancounters into further deskilling. There are actually 2 ways to go from here and it is a close run thing which will win.
1. The first is to train the pilots to be able to fly the aircraft when the automatics disengage and the pilot must fly the aircraft AND cope with the problem(s) that caused the automatics to fail. That training and continuation training costs money, money that often was not budgeted for
2. The second approach is to ensure that the automatics do not fail. This costs manufacturers a lot of money once, when the systems are built (analysis/design/manufacture/test/fault fix/regression test) but once solved for one aircraft it is solved for all of them so the cost is shared over all the manufactured aircraft. And of course if the automatics failure rate is less than 10^-9 -- then it will be said that "we really do not need pilots" and the savings there would be huge.

Guess which option is going to receive the most support

Water pilot

You make good points that are relevant to a lot of accidents, but in my opinion that is not what happened here. This was not a case of the automatics being faced with a problem and throwing control back to the pilot (who couldn't handle it), it was a case of the automatics actively putting the aircraft into danger by pointing the nose at the ground. It wasn't even a case of the pilots not paying enough attention to how the plane was flying or not understanding how to fly, they knew that they had a problem but they didn't know the steps to resolve it.

Boeing's reluctance to endanger the $1 million "no retraining" bonus caused them to make the unforgivable decision to not even mention that it was a possibility for the automatics to do something different than the NG. After thousands of posts here we have come up with the procedure that the pilots should have followed (the "Goldilocks" solution of turning off the electric trim , but only after using the electric trim to get back to neutral). Initially I thought of this as a case where the engineers did not have enough imagination to consider this scenario, but apparently it was well discussed at Boeing, so they could have had a procedure outlined for the pilots to follow -- but that might have involved retraining and thus losing $1 million per plane. They could have used two sensors (which is still not a good enough solution to defeat Murphy) but for unknown reasons they decided not to.

The fundamental problem is that Boeing turned an AOA failure from an annoying problem that the crews could have easily handled into a "do the right thing in 40 seconds or everybody dies" sort of situation. The first aircrew certainly had no idea what peril they were in; the same situation on the NG would have presented just as many flashing lights and stick shakers (as I understand) but would have been an otherwise uneventful flight and the pilots would have had a great deal of time to resolve the annoyances. The Max in the same situation pointed its nose at the ground and opened up a whole Pandora's box of interesting issues that the pilots were expected to solve with no help from anybody in a very short amount of time. Designing the automatics to do that with forethought is equivalent to designing an electrical system that you know will catch fire in some circumstances but assuming that the people in charge will know how to put out the fire.

GordonR_Cape

This point has been raised before, but your comment highlights the reality that the original MCAS design was not thought through from beginning to end result, in terms of a flow-chart or decision-tree. You could write a whole essay about erroneous assumptions, but hopefully the bugs have been sorted out by now. Even when 'fixed' MCAS remains a band-aid, and violates many of the tenets of manual versus automated systems. The mere fact that there is no indication when the system is active, compounds the bad ergonomics. Pilots can't be expected to fly manually, and at the same time monitor what the computer may be doing wrong in the background.

To give a legalistic answer to your question: The intent was that MCAS would very rarely activate in normal passenger flight, and IMO it was a 'regulatory' solution, not a realistic requirement. The erroneous activation of MCAS due to a faulty AOA sensor was simply not on the radar, and I don't think there was a conscious tradeoff such as you suggest.

Something that I raised previously, is that both crashes happened during daytime VFR conditions. The worst-case scenario of faulty AOA sensor and MCAS activation during night IFR conditions, along with somatogravic illusion, would have made the crew workload immeasurably harder. I wonder if any of those cases were tested in a simulator?

ST Dog

Configuration management is alive and well. Required for a DO-178 process (which is required for aviation). You even have to spell out how you will do it in planning documents, ostensibly before you start development. Changes are tracked, reviewed, connected to problem reports/change requests, etc. Lots of scrutiny.
The issue is does the code change trigger a safety review. DO-178 leaves it to the change maker or other reviewers to decide. But the guys writing the code and making those changes (and their management) don't really understand the airworthiness impact.

ST Dog

MCAS was added to speed trim, an existing single channel system. Neither was considered a critical flight control system based on the hazard analysis.

MurphyWasRight

It is useful to keep in mind that as far as we know the MCAS software worked exactly as specified/designed/implemented.
No amount of SW process can catch a system level specification error so while important it is no a panacea for problems resulting from inadequate understanding and analysis at a global level.

What can help is a full fault tree analysis, done before the first accident. From other's comments this is done in aviation but not clear the rigour applied when 'minor' changes are made.
I have always been impressed at the ability of investigators ability to determine 'why it blew up' after the fact and often wondered what would result would be if the same resources and methodology was applied in advance.