MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures
Join Date: Jul 2013
Location: Norway
Age: 57
Posts: 140
However if MCAS starts at say 8 degrees AOA and doesn't reach full travel until say 16 degrees AOA then the stick force lightening without MCAS would be much less, but I am convinced it still would be lightening, not just flat.
Anyway, what this boils down to is that it would have been extremely interesting to have a stick force and stick position graph with inoperable MCAS all the way well into stall region, both at 1G/decaying speed and at a higher constant speed wind up turn.
So I fully support EASA's requirement of flight testing this part of the flight envelope, with inoperable MCAS.
Join Date: Dec 2001
Location: Leeds, UK
Posts: 281
It's clear MCAS needs its own switch so it can be turned off yet electric trim stays available to the pilots. This, along with the AOA disagree light, and knowledge of MCAS, would most likely have prevented the 2 accidents so far.
A third accident is the end of the MAX, which is the end of new 737s.
G
Join Date: Feb 2019
Location: shiny side up
Posts: 431
Does MCAS then add to the 737 anti-stall system? The NG stick shaker activate, the stall management yaw damper, speed trim, and elevator feel?
On the NG, during a stall the FCCs command the nose down and the EFSM and column cutout switches make sure the pilot cannot easily stop the automated stab movement with column nose up input....
Is this all still active when MCAS kicks in?
Join Date: Jul 2002
Location: Ireland
Posts: 596
An indication that the FAA really still hasn’t got it and could be the reason why EASA is uneasy about leaving the whole issue up to them. If EASA insist on additional sim time for MAX conversion, I can’t see how the FAA can do anything other than go with it, to avoid any ‘two tier’ diversion of standards and the inevitable ‘awkward’ questions from passengers.
On the AoA ‘integrity’ issue, I can only see this being resolved by EASA insisting that they want to see three AoA vanes installed along with a polling system. Surely nobody is expecting Rosemount to redesign, test and certify a complete new sensor between now and December?
Join Date: Jun 2008
Location: Cambridge UK
Posts: 192
1) If you keep the operation of this switch to the fixed wiring (i.e. computer-out-of-loop) the need for low-latency MCAS-deactivation
computer responses seem to go away. So no need to add another computer, and its inherent complications?
2) If the switch is automatically hardware-toggled by emergency-level pulling on the stick, then its operation doesn't require deep
analysis of the situation. So a fast response with limited training, even in the presence of distracting alarms?
Last edited by Peter H; 5th Sep 2019 at 11:41. Reason: Punctuation
Join Date: Aug 2017
Location: london
Posts: 4
Honestly, even if Boeing, the FAA, the airlines who own or have ordered the 737 Max, and everyone else gets this show back on the road, there is a much bigger problem.
Passengers! Those whom I have spoken to here at Dublin Airport who travel regularly and know the score, have without exception said there is no way they will fly on a Max. Those who are not fully aware, the occasional pax who fly once a year on holiday, will be heavily influenced by the media. The media in turn will report what they wish, regardless of the facts, and the news will not be good. The PR teams for Boeing, and indeed IAG, FR, AA etc etc must be having some sleepless nights.......
Join Date: Jan 2008
Location: uk
Posts: 857
I mean, yes, great idea, doesn't need any training because it's how the a/c did work and was understood to work anyway, but apparently MCAS can't do its "job" with that switch in the loop, so it was bypassed.
Now, some of us might think that bypassing that switch should have been a red flag, that it wasn't put there in the first place just to use up some spare contacts, and that if you have to remove (or bypass) a safety device that's been there for decades without causing any issue in order to meet a safety certification, then you're doing it wrong... but from where we are now, putting it back would appear to be a non-starter.
Join Date: Jul 2002
Location: Ireland
Posts: 596
and that if you have to remove (or bypass) a safety device that's been there for decades without causing any issue in order to meet a safety certification, then you're doing it wrong... but from where we are now, putting it back would appear to be a non-starter.
It is useful to keep in mind that as far as we know the MCAS software worked exactly as specified/designed/implemented.
No amount of SW process can catch a system level specification error so while important it is not a panacea for problems resulting from inadequate understanding and analysis at a global level.
What can help is a full fault tree analysis, done before the first accident. From others' comments this is done in aviation but it is not clear what rigour is applied when 'minor' changes are made.
Sadly we will never see the problem reports/change requests and the other documentation surrounding the change in MCAS.
The FAA probably has it. The other investigators will. But not the general public, not that they could understand the arguments made.
I have always been impressed at the investigators' ability to determine 'why it blew up' after the fact and often wondered what the result would be if the same resources and methodology were applied in advance.
After the fact you can see something happened and trace it through the system to see the effects.
But before that? How likely did the event seem?
I could probably put together a hazard assessment for MCAS and show it at several criticalities based on different assumptions and probabilities for different faults.
Last edited by ST Dog; 5th Sep 2019 at 19:22.
Join Date: Nov 2005
Location: UK
Age: 78
Posts: 249
A further idea is modify the engine air intakes to reduce lift at high AoA.
Boeing changed intake shape to increase ground clearance so why not to reduce lift, with Delta fins may solve the problem and it looks like recertification may be cheaper.
Perhaps make them elliptical in the vertical plane may work.
Honestly, even if Boeing, the FAA, the airlines who own or have ordered the 737 Max, and everyone else gets this show back on the road, there is a much bigger problem.
Passengers! Those whom I have spoken to here at Dublin Airport who travel regularly and know the score, have without exception said there is no way they will fly on a Max. Those who are not fully aware, the occasional pax who fly once a year on holiday, will be heavily influenced by the media. The media in turn will report what they wish, regardless of the facts, and the news will not be good. The PR teams for Boeing, and indeed IAG, FR, AA etc etc must be having some sleepless nights.......
Most passengers have little interest in the aircraft beyond the quality of the seats and of the service.
So once the MAX is returned to flight, I'd expect the issue to die down quickly. Of course, there had better not be yet another crash anytime soon thereafter...
Join Date: Apr 2007
Location: moraira,spain-Norfolk, UK
Age: 82
Posts: 389
I think the real issue that the regulators must, sooner or later, deal with, is that the
persons insisting on 'Grandfather rights' are accountants, not licensed engineers.
Additionally, those who could have intervened abrogated their rights.
Of course the regulators are also those who could have intervened.
BTW does Boeing have a risk management office ?
John
Join Date: Jul 2019
Location: Mass
Posts: 23
Not exact match to MCAS, at least in Lion Air case the AOA value was in range.
The "bad packet check" is not possible in this case since there is (with a single input) no way to check the data.
For the Ethiopian case the essentially maxed out value might have been detectable as unreasonable, although I don't know that as a fact.
Gets back to specification, adding a "reasonableness" filter can add robustness but can also cause problems if not correctly specified or implemented. It also adds complexity and testing overhead.
The exact parameters of the optimal input checking for MCAS (i.e., rejecting as many invalid conditions as possible while minimizing the rejection of valid conditions) could be subject to some discussion and judgment. But AoA of 20 degrees seems like a no-brainer. At most, it might have required that the FCC "remember" a period of AoA history so it could determine, at the point where the algorithm became active (A/P disengaged, flaps retracted) that the AoA had never been in a valid range.
The bigger issue seems to be that the programmers never questioned the absence of any input validation requirement at all. I fully expect someone to quibble with my assertion that >20 degrees is clearly invalid, but what about 75 degrees? What about readings that are pegged at exactly the same number for a period of time (e.g., frozen or jammed sensor)? Or that suddenly jump from a reasonable number to an out-of-range number?
I just think somebody forgot to ask the question: what is the valid range of inputs and what are the error cases? It wouldn't have taken any time at all to include some kind of basic sanity checks.
Seen a lot where there's an input app (partitioned code) that's supposed to do all the validation (range checking, not jabbering, etc) and pass that on to other apps in the partition or other partitions. In this case, the AoA value was available in the code, same one used for other apps, like speed trim. It was presumed good, checked, validated, etc.
Turns out that wasn't entirely true.
I've had just that discussion before. I said everything that uses a value should check that value. They said it was already checked earlier in the system, in a higher DAL partition. I lost that argument.
The repercussions of the certification authorities no longer abiding the reciprocal certification would be a big deal.
If EASA doesn't accept the FAA's certification does that make the reciprocity agreements null? So the FAA no longer accepts EASA certifications?
Not the sort of thing the OEMs want. Dealing with a dozen different authorities would severely delay things and greatly increase the costs.
Costs? Time delays? Ask the families and victims how much that bothers them.
Last edited by GlobalNav; 5th Sep 2019 at 21:55.
Anyway, what my calculations were suggesting is that without MCAS the stick force is not only increasing as it should, when going from say 10 to 14 degrees AOA, but that the stick force needs to be relaxed towards zero force and the stick position needs to be brought to near neutral position when going from say 10 to 14 degrees AOA.
The original situation was only 0.6 units of trim, not 2.4. And as far as I've seen it was still only 0.6 units in that situation.
The crashes were at lower speed/altitude that used the changed behavior. And it's never been clear that the low speed changes were certification requirements. The larger trim change was needed because the control surface had less effect in that situation.
Join Date: Jun 2008
Location: Cambridge UK
Posts: 192
How is this different to the aft column cutout switch which is already there?
I mean, yes, great idea, doesn't need any training because it's how the a/c did work and was understood to work anyway, but apparently MCAS can't do its "job" with that switch in the loop, so it was bypassed.
Now, some of us might think that bypassing that switch should have been a red flag, that it wasn't put there in the first place just to use up some spare contacts, and that if you have to remove (or bypass) a safety device that's been there for decades without causing any issue in order to meet a safety certification, then you're doing it wrong... but from where we are now, putting it back would appear to be a non-starter.
It's different because:
- MCAS trimming is disabled by an additional force-operated switch which "is automatically hardware-toggled by emergency-level pulling on the stick".
- while non-MCAS trimming is still disabled by the original cutout switch.
I just know there are reciprocal agreements where EASA accepts FAA certification and the FAA accepts EASA certification.
Builder then certifies once and can fly anywhere. Without them the world certification system grinds to a halt. They can barely handle what they do now. No way they can all handle all the aircraft/systems/parts being developed. Nor does it make sense to repeat all that effort a dozen times.
Costs? Time delays? Ask the families and victims how much that bothers them.
They also don't care about the costs for pilot training.
They'd just balk at ticket prices, complain, and fly less.
The same as arguments over a part that costs $1 more on an automobile. Individuals don't see that that's millions of dollars to the company.
Just like the worries about the general public refusing to fly on the MAX. If you're about to board and find it's a MAX, do you wait 4-5 hours for a different aircraft?
I'll wager most won't.
Shoot I've been offered $100+ to wait 3 hours for a different flight and not accepted. (Those offers always occur when I need to be somewhere at a specific time, and the change would ripple into me arriving 5-6 hours later. Not good when I have a big meeting/event the next morning)
It seems EASA are asking questions that Boeing and the FAA are going to struggle to answer.
EASA are asking Boeing to address aerodynamic stability with MCAS turned off. As I understand it, MCAS is only required because without it the Max does not meet the certification performance standard. So that will be an interesting conversation.
They have further asked Boeing to demonstrate the loads on the trim wheel are acceptable, which given that the stabiliser is larger, the trim wheel smaller, and sky goddesses more common, should also be an interesting conversation.
I don't think it is a given the public will flock to the Max once it is cleared to fly: occasional travellers may not know what they are flying on but if frequent fliers avoid the Max that will have an impact. My frequent flier colleagues all plan to avoid it out of disgust with Boeing: they acknowledge it will be safe if recertified, but that is a secondary consideration for them. If the FAA say it is OK, and EASA are ballsy enough to say it isn't, my guess is outside North America it will stay grounded: and a lot of Americans will think twice.
It seems US airlines are very aware of the potential toxicity of the Max: are bookings down on airlines with the Max in their fleet? Noticeable that all the major airlines have said they won't bring the Max back before Thanksgiving, presumably because they need people to book flights. Christmas is next. The offer of free transfers of Max flights by some airlines suggests people are already voting with their feet and the airlines are being forced to respond.
Despite Boeing's best efforts, the general public are not buying 'pilot error'. If the problems with the Max, and the culture that led to the problems, were not deep seated it would be flying again by now. Boeing are still on the back foot: this is getting uglier by the day.
Join Date: May 2010
Location: Boston
Age: 73
Posts: 443
The AoA indicator in JT610 was north of 20 degrees when sitting on the ground at zero airspeed. Surely that was enough to trigger a sanity check of inputs. Even in flight, something more than 20 degrees (particularly when it had never been less than 20 degrees, much less in a valid range) would have been an unambiguous indication of bad input (I assume the 737 will stall well below 20 degrees AoA).
The exact parameters of the optimal input checking for MCAS (i.e., rejecting as many invalid conditions as possible while minimizing the rejection of valid conditions) could be subject to some discussion and judgment. But AoA of 20 degrees seems like a no-brainer. At most, it might have required that the FCC "remember" a period of AoA history so it could determine, at the point where the algorithm became active (A/P disengaged, flaps retracted) that the AoA had never been in a valid range.
The bigger issue seems to be that the programmers never questioned the absence of any input validation requirement at all. I fully expect someone to quibble with my assertion that >20 degrees is clearly invalid, but what about 75 degrees? What about readings that are pegged at exactly the same number for a period of time (e.g., frozen or jammed sensor)? Or that suddenly jump from a reasonable number to an out-of-range number?
I just think somebody forgot to ask the question: what is the valid range of inputs and what are the error cases? It wouldn't have taken any time at all to include some kind of basic sanity checks.
1: AoA sensor is not active until enough airflow to move the vane, so position with zero airspeed is meaningless. This complicates any input validation since it would require airspeed to turn on any checks.
2: Introducing state (history) can greatly complicate verification since the code must be exercised to reach and respond to at least a subset of all possible states. It also complicates the code which of course adds to risk of bugs.
3: It would have taken some time to code and significantly more time to verify. The greatest schedule impact however might have been getting agreement on valid/invalid values, keeping in mind that MCAS is supposed to respond to somewhat extreme conditions. Even then the checking would not cover all cases; had the Lion Air sensor chain had less offset it could have triggered MCAS with a totally valid input.
What is shocking is that the second sensor was not used as a cross check, "both must be within x%" is much more robust than any attempt to filter a single input.
As a final note one possible factor in the Air France tragedy was that due to reasonableness checking the stall warning was disabled at low airspeeds only to trigger as the crew lowered the nose, increasing airspeed (while still stalled).
This at a minimum would cause confusion and likely discourage lowering the nose; it yells at me when I do this == don't do that.
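The checks argued over in the posts above (a range limit, frozen or jumping readings, airspeed gating, and the "both must be within x" cross-check) put side by side, as an added example that is not from the thread or from any flight-control software. Every threshold, name and sample trace below is an assumption made for illustration; the trace shows an offset but in-range vane passing the single-input filter and failing the cross-check.

```c
#include <math.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Every limit below is an illustrative assumption, not a figure from any aircraft. */
#define AOA_MIN_DEG      (-10.0)
#define AOA_MAX_DEG       20.0   /* the ">20 degrees" bound argued in the thread */
#define MIN_AIRSPEED_KT   60.0   /* below this the vane is not aligned by airflow */
#define MAX_STEP_DEG       5.0   /* largest believable change between samples */
#define STUCK_SAMPLES      4     /* identical repeats before calling it frozen */
#define MAX_DISAGREE_DEG   5.5   /* allowed left/right difference */

typedef enum { AOA_OK, AOA_NOT_READY, AOA_OUT_OF_RANGE,
               AOA_JUMP, AOA_STUCK, AOA_DISAGREE } aoa_status;

/* History the filter must carry: this is the extra state that has to be verified. */
typedef struct { double last; int repeats; bool have_last; } aoa_filter;

static double absd(double x) { return x < 0 ? -x : x; }

/* Reasonableness filter for one vane. */
aoa_status aoa_check_single(aoa_filter *f, double aoa, double airspeed_kt) {
    if (airspeed_kt < MIN_AIRSPEED_KT) {   /* reading is meaningless: drop history */
        f->have_last = false;
        f->repeats = 0;
        return AOA_NOT_READY;
    }
    if (!isfinite(aoa) || aoa < AOA_MIN_DEG || aoa > AOA_MAX_DEG)
        return AOA_OUT_OF_RANGE;
    aoa_status st = AOA_OK;
    if (f->have_last) {
        if (absd(aoa - f->last) > MAX_STEP_DEG)
            st = AOA_JUMP;
        f->repeats = (aoa == f->last) ? f->repeats + 1 : 0;
        if (st == AOA_OK && f->repeats >= STUCK_SAMPLES)
            st = AOA_STUCK;
    }
    f->last = aoa;
    f->have_last = true;
    return st;
}

/* Cross-check: each vane must pass on its own and the two must agree. */
aoa_status aoa_check_pair(aoa_filter *l, aoa_filter *r,
                          double aoa_l, double aoa_r, double airspeed_kt) {
    aoa_status sl = aoa_check_single(l, aoa_l, airspeed_kt);
    aoa_status sr = aoa_check_single(r, aoa_r, airspeed_kt);
    if (sl != AOA_OK) return sl;
    if (sr != AOA_OK) return sr;
    return absd(aoa_l - aoa_r) > MAX_DISAGREE_DEG ? AOA_DISAGREE : AOA_OK;
}

/* Constructed trace at a constant 250 kt: the left vane reads high by a
 * fixed offset but stays in range; the right vane is healthy. */
static const double LEFT_OFFSET[4] = { 14.0, 14.5, 15.0, 14.8 };
static const double RIGHT_GOOD[4]  = {  2.0,  2.5,  3.0,  2.8 };

/* Number of trace samples accepted, with or without the cross-check. */
int accepted(bool cross_check) {
    aoa_filter l = {0}, r = {0};
    int ok = 0;
    for (size_t i = 0; i < 4; i++)
        ok += (cross_check
               ? aoa_check_pair(&l, &r, LEFT_OFFSET[i], RIGHT_GOOD[i], 250.0)
               : aoa_check_single(&l, LEFT_OFFSET[i], 250.0)) == AOA_OK;
    return ok;
}

int main(void) {
    printf("single filter: %d/4 accepted, cross-check: %d/4 accepted\n",
           accepted(false), accepted(true));
    return 0;
}
```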