MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures
Join Date: Sep 2019
Location: leftcoast
Posts: 2
Likes: 0
Received 0 Likes
on
0 Posts
Grebe, ( I note your background) while your links are substantial, I feel that the suggestion we delve that deep rather counters your protest about the need to delve say, into the clutches, on a thread such as this. Having read every post since Novemeber, certain design logic is still not clear even to overview level. An overview is all this old-timer can hope to achieve. However, I go on to a snippet -
Can you answer simply, how the cable system and manual trim wheels can be powered to run after the electric thumb switches have been released? I'm discounting the autopilot since it's just a comparable alternative clutch drive. Was it just the spin-down of the main electric motor which should by then have been decoupled?
The suggestion that a clutch could be binding when not selected is more than a little disturbing.
Can you answer simply, how the cable system and manual trim wheels can be powered to run after the electric thumb switches have been released? I'm discounting the autopilot since it's just a comparable alternative clutch drive. Was it just the spin-down of the main electric motor which should by then have been decoupled?
The suggestion that a clutch could be binding when not selected is more than a little disturbing.
AS I've said - IF you really want credible information- go to the vendor and/or the Boeing company. Look up possibly appropriate patents, etc.
I have no need to do further research that you are unwilling to do for yourself. I have given you several leads and locations to aid you.Thats considerably more then most posters
Have a good day - BYE!
Psychophysiological entity
Oh, goodbye. I was writing this while you were replying.
Grebe also links to another Seattle Times report. The internal politics is a frightening subject, but because of my years in electronics I'll just probe the proposed design concepts.
The idea of synthesised airspeed has long been thought-provoking but the units protruding from the fuselage haven't remained there all these years because the alternatives were easy/reliable. They are one of the earliest detection devices in aviation and their limitations are well understood. However, the issue about the article is that some folk are protesting loudly that certain design advancements would have saved the day? Surely, that's not the point.
MCAS in its original form has a certain logic but it's what happened after 2017 that the real error was made. (That, and not telling most of the world about it.)
Given that MCAS was rewritten is in my opinion the most serious issue in the whole debacle. Yes, taking the data from a single unit broke the rules about one item being able to cause a 'catastrophic' incident, but I'm not quite clear if it would be deemed so if MCAS had not been rewritten. It took the latter to qualify the former. Perhaps.
The lack of an AoA display in the MAX is not a major issue. However, not having a comparator warning, most definitely is. At some stage they found out it was non-functional, yet deemed it something that could be done in the next update. I'm still not totally clear if the comparator would work as a stand-alone device, but let's face it, one small word-group in pale lettering is not exactly the best attention-grabber.
The main issue to me is not what modern electronics could have done to save the day, it's simply what was radically wrong with the system supplied. When they added a single input logic to the rewritten MCAS, everything changed. Let's not forget that the two fatal losses of AoA data, were technically completely disparate failures
Grebe also links to another Seattle Times report. The internal politics is a frightening subject, but because of my years in electronics I'll just probe the proposed design concepts.
The idea of synthesised airspeed has long been thought-provoking but the units protruding from the fuselage haven't remained there all these years because the alternatives were easy/reliable. They are one of the earliest detection devices in aviation and their limitations are well understood. However, the issue about the article is that some folk are protesting loudly that certain design advancements would have saved the day? Surely, that's not the point.
MCAS in its original form has a certain logic but it's what happened after 2017 that the real error was made. (That, and not telling most of the world about it.)
Given that MCAS was rewritten is in my opinion the most serious issue in the whole debacle. Yes, taking the data from a single unit broke the rules about one item being able to cause a 'catastrophic' incident, but I'm not quite clear if it would be deemed so if MCAS had not been rewritten. It took the latter to qualify the former. Perhaps.
The lack of an AoA display in the MAX is not a major issue. However, not having a comparator warning, most definitely is. At some stage they found out it was non-functional, yet deemed it something that could be done in the next update. I'm still not totally clear if the comparator would work as a stand-alone device, but let's face it, one small word-group in pale lettering is not exactly the best attention-grabber.
The main issue to me is not what modern electronics could have done to save the day, it's simply what was radically wrong with the system supplied. When they added a single input logic to the rewritten MCAS, everything changed. Let's not forget that the two fatal losses of AoA data, were technically completely disparate failures
Join Date: Sep 2019
Location: leftcoast
Posts: 2
Likes: 0
Received 0 Likes
on
0 Posts
Grebe also links to another Seattle Times report. The internal politics is a frightening subject, but because of my years in electronics I'll just probe the proposed design concepts.
The idea of synthesised airspeed has long been thought-provoking but the units protruding from the fuselage haven't remained there all these years because the alternatives were easy/reliable. They are one of the earliest detection devices in aviation and their limitations are well understood. However, the issue about the article is that some folk are protesting loudly that certain design advancements would have saved the day? Surely, that's not the point.
MCAS in its original form has a certain logic but it's what happened after 2017 that the real error was made. (That, and not telling most of the world about it.)
Given that MCAS was rewritten is in my opinion the most serious issue in the whole debacle. Yes, taking the data from a single unit broke the rules about one item being able to cause a 'catastrophic' incident, but I'm not quite clear if it would be deemed so if MCAS had not been rewritten. It took the latter to qualify the former. Perhaps.
The lack of an AoA display in the MAX is not a major issue. However, not having a comparator warning, most definitely is. At some stage they found out it was non-functional, yet deemed it something that could be done in the next update. I'm still not totally clear if the comparator would work as a stand-alone device, but let's face it, one small word-group in pale lettering is not exactly the best attention-grabber.
The main issue to me is not what modern electronics could have done to save the day, it's simply what was radically wrong with the system supplied. When they added a single input logic to the rewritten MCAS, everything changed. Let's not forget that the two fatal losses of AoA data, were technically completely disparate failures
The idea of synthesised airspeed has long been thought-provoking but the units protruding from the fuselage haven't remained there all these years because the alternatives were easy/reliable. They are one of the earliest detection devices in aviation and their limitations are well understood. However, the issue about the article is that some folk are protesting loudly that certain design advancements would have saved the day? Surely, that's not the point.
MCAS in its original form has a certain logic but it's what happened after 2017 that the real error was made. (That, and not telling most of the world about it.)
Given that MCAS was rewritten is in my opinion the most serious issue in the whole debacle. Yes, taking the data from a single unit broke the rules about one item being able to cause a 'catastrophic' incident, but I'm not quite clear if it would be deemed so if MCAS had not been rewritten. It took the latter to qualify the former. Perhaps.
The lack of an AoA display in the MAX is not a major issue. However, not having a comparator warning, most definitely is. At some stage they found out it was non-functional, yet deemed it something that could be done in the next update. I'm still not totally clear if the comparator would work as a stand-alone device, but let's face it, one small word-group in pale lettering is not exactly the best attention-grabber.
The main issue to me is not what modern electronics could have done to save the day, it's simply what was radically wrong with the system supplied. When they added a single input logic to the rewritten MCAS, everything changed. Let's not forget that the two fatal losses of AoA data, were technically completely disparate failures
I suggest you take a close look at Boeing
https://www.isasi.org/Documents/libr...ducing-787.pdf page 38 and on
And another Boeing pub ( cant find the link )
OPERATIONAL USEOF ANGLE OF ATTACK
ON MODERN COMMERCIAL JET AIRPLAN
Psychophysiological entity
What a lovely pdf. Thanks. I didn't associate pdf with such good photography. The dynamic photos of wing bending at different loadings is quite . . . tensing.
Join Date: Sep 2019
Location: leftcoast
Posts: 2
Likes: 0
Received 0 Likes
on
0 Posts
Join Date: Feb 2006
Location: USA
Posts: 487
Likes: 0
Received 0 Likes
on
0 Posts
Seattle Times
https://www.seattletimes.com/busines...r-crew-alerts/
Boeing pushed FAA to relax 737 MAX certification requirements for crew alerts
Oct. 2, 2019 at 7:45 pm
By Dominic Gates, Steve Miletich and Lewis Kamb
In 2014, Boeing convinced the Federal Aviation Administration (FAA) to relax the safety standards for the new 737 MAX related to cockpit alerts that would warn pilots if something went wrong during flight, according to documents reviewed by the Seattle Times.
Seeking an exception, Boeing relied on a special FAA rule to successfully argue that full compliance with the latest federal requirements would be “impractical” for the MAX and would cost too much.
“They went through the process and weren’t required to step up,” said an FAA safety engineer familiar with how the waiver request was handled and who asked for anonymity because he spoke without agency authorization.
Based on lessons learned from past airline accidents, the FAA regulation stipulates precise design details for the warning displays in the cockpit. These are aimed at ensuring that alerts relay clearly to the pilots what’s going on when a malfunction occurs, catch attention so that they won’t be overlooked, and avert any possible confusion.
During the two fatal MAX crashes that killed 346 people, pilots struggled to understand the cascade of warnings in their cockpits. Last week a National Transportation Safety Board (NTSB) report on those crashes highlighted the crucial role that crew alerting systems play when pilots face an inflight emergency.
The Seattle Times reviewed the relevant parts of the document that Boeing submitted to the FAA to win its exception. They show the federal regulator struck out four separate clauses that would be requirements for any new jet being produced today.
This meant Boeing avoided having to design a complete upgrade of the 737’s aging flight crew alerting system.
The underlying design of the 737 was first certified more than five decades ago, and its airframe and systems have been upgraded in an incremental patchwork ever since. Boeing’s submission reveals the cold actuarial calculus by which such exceptions are granted to allow certification of airplanes, such as the MAX, that are derivatives of older, legacy models.
Following the MAX crashes, such rulings are likely to come under tougher scrutiny in future.
Boeing declined comment on the details in this story. The FAA said in a statement that the MAX complies with the “applicable” regulations, then listed some of the criteria under which exceptions from full compliance are granted.
Relaxing the rules
Boeing’s argument in the document, which has not been previously reported, rested most basically on the long service history of the 737. At the time the MAX’s exception was granted, that included more than 300 million hours in the air, almost all accumulated on routinely safe flights.
However, Boeing’s analysis also had to deal with the fact that the 737’s record in the previous 20 years included three fatal crashes where crew alerting was a contributing factor: the 2005 Helios Airways crash in Greece that killed 121 people; the 2009 Turkish Airlines crash in Holland with nine fatalities; and the 2008 Aeroflot-Nord crash in Russia, where 88 died.
Boeing convinced the FAA that it had dealt with the three distinct issues in each of those crashes.
The submission from Boeing then cited an estimate of the cost of full compliance at more than $10 billion.
This staggering sum included not only the direct cost to Boeing of redesigning the airplane systems but also the expense of additional pilot training that new systems would require — costs that would have been borne by Boeing’s airline customers and would have made the MAX a much less attractive airplane to buy.
In April 2014, the FAA accepted Boeing’s argument that for the MAX, the safety benefit of full compliance with the crew alerting regulations was “not commensurate with the costs necessary to comply.”
A new urgency
Pilots rely on their instruments to tell them how an airplane is performing in flight and to warn of any system malfunctions. The federal regulations are designed to make such alerts as clear and unambiguous as possible about the nature and severity of any malfunctions.
The early investigation reports into the two MAX crashes show the pilots didn’t understand what their instruments were telling them and failed to handle the emergency as they might have.
Though the accidents were initiated by a failed sensor and a flawed Boeing flight control system, both the capabilities of the pilots and the design of the crew alerting system played a role in the outcome.
Last week’s NTSB report criticized Boeing for failing to account in its testing of the MAX for the overload of warning messages in the cockpit that occurred during the two fatal flights.
One of the current alerting regulations that the MAX is excused from is relevant to such a scenario. It requires that there must be a way to suppress erroneous attention-getting alerts that might interfere with the crew’s ability to focus — such as the “stick-shaker” that vibrated the captain’s control column on both the MAX crash flights.
Because of a faulty angle of attack sensor on each flight, the stick shaker was warning, falsely, that the jet was close to a stall. But having noted it, the pilots couldn’t stop it. With the FAA’s exception granted, the MAX has no way to suppress that alert. The stick shaker continued throughout both flights, along with multiple other alerts.
On the Ethiopian Airlines flight that crashed in March, the pilots faced a barrage of alerts throughout the six-minute flight. Besides the stick shaker they heard repeated loud “DON’T SINK” warnings that the jet was too close to the ground; a “clacker” making a very loud clicking sound to signal the jet was going too fast; and multiple warning lights telling the crew the speed, altitude and other readings on their instruments were unreliable.
Pilots around the world vary greatly in their flying expertise, especially in their ability to handle the plane when automated systems fail. While many U.S. airline pilots previously have flown military planes for the Air Force, that’s not the experience level in most countries. Further, even a good pilot will have a bad day.
So both Boeing and rival Airbus will in future have to pay increasing attention to “human factors,” meaning the way people interpret and respond to systems and what’s happening around them — which in an airplane depends crucially on the crew alerting system.
A person familiar with the details said that the European Union Aviation Safety Agency (EASA), in its ongoing re-evaluation of the MAX following the two crashes, has already expressed concern to both Boeing and the FAA about inadequacies in the jet’s alerting system, including the inability to suppress the stick shaker.
Boeing’s state-of-the-art system
Early in the development of the 737 MAX, Boeing considered equipping the flight deck with its state-of-the-art flight crew alerting system, called EICAS, the Engine-Indicating and Crew-Alerting System.
It provides pilots visual, aural and tactile warnings as well as written messages on the main flight display when anything goes wrong with either the engines or with the airplane systems, and then also recommends the remedial action needed.
EICAS, designed to take account of the latest human factors studies, is a system that integrates all the interactions between the pilots and the machine they are flying.
Boeing introduced EICAS in the early 1980s when the 757 and 767 jets entered service. The improved alert system was one justification for removing the role of flight engineer to allow those airplanes to fly with two-person crews. It’s been upgraded incrementally since and installed on all subsequent Boeing jets.
But alone among Boeing jets, the 737 was never updated with EICAS, though it was considered at least twice before in previous iterations of the airplane.
It was pushed again for the MAX.
An ethics complaint submitted in April by Boeing engineer Curtis Ewbank and reviewed by the Seattle Times says that Mike Carriker — Boeing’s chief pilot for product development, who flew the first flight of the 787 Dreamliner — proposed studying whether to put EICAS on the MAX, saying “it was necessary for the 737 to be a modern airplane.”
Boeing identified the detailed changes both to the airplane systems and to crew procedures that would be needed to install EICAS on the 737 MAX. But ultimately that plan was abandoned because of “the overall cost,” the ethics complaint states.
In a brief phone interview last week, Carriker declined to discuss details but said installing EICAS on the 737 “would be challenging.” And pointing to the older systems on the MAX compared to other planes like the Dreamliner, he added that “there aren’t enough sensors on the 737.”
Having settled on retaining its older cockpit alerting system, Boeing then needed to convince the FAA that the MAX should not have to meet all the latest federal crew alerting requirements, which are closely aligned with the capabilities of the EICAS system.
Making an exception
A document submitted by Boeing to the FAA in 2012 lays out the airplane description and preliminary data needed to plan the certification work for the MAX and includes an “issue paper” devoted to the MAX’s crew alerting systems.
A Boeing request for an official exemption from the regulations would have required a public notice in the Federal Register and an opportunity for interested parties or the general public to comment. Instead, Boeing followed a standard procedure for being granted such a waiver that was not public.
Instead of an “exemption,” Boeing asked for an “exception” granted under a special FAA procedure called the “Changed Product Rule,” which lays out the conditions under which a new, changed version of an older model can be granted exceptions during certification.
An official FAA advisory circular stipulates that exceptions will be granted if the applicant, in this case Boeing, can demonstrate that compliance is “impractical.” The design must come close to meeting safety requirements, and then demonstrate that “full compliance would require a substantial increase in the outlay or expenditure of resources with a very small increase in the level of safety.”
Boeing’s submission to the FAA cites first the flight history of the 737, going back to 1967. It notes that by 2011 the jet had completed 321 million flight hours and 213 million departures. Broken down by model type, the 737 version prior to the MAX, known as the 737 NG, had completed 80 million flight hours and 42 million departures.
Boeing then documented the 737’s safety record during the previous 10 years. Between 2002 and 2011, it identified three fatal accidents where a deficiency in the flight crew alerting system had played a role in the tragedy. These were:
Helios Airways flight 522 in 2005. Flying at 34,000 feet near Athens, Greece, the crew misinterpreted a horn that sounded to warn of a cabin depressurization, interpreting it as a false and irrelevant alert about the plane’s take-off configuration. The horn sounds were identical for these two distinct alerts. The pilots passed out from lack of oxygen and the plane continued flying in a straight line on autopilot, shadowed by a Greek jet fighter impotent to help. All 121 people on board died when the airliner ran out of fuel and crashed.
Following the accident, Boeing installed a light on the 737’s pilot display to distinguish a depressurization from the other alert.
Turkish Airlines flight 1951 in 2009. On approach into Amsterdam, a single radio altimeter fed an incorrect low altitude reading to the autothrottle, which duly retarded the engines for landing. The pilots, busy with some checklists, failed to notice until too late a visual alert about the airspeed dropping too low. The plane crashed well short of the runway. Nine people, including three Boeing engineers who were on board by chance, were killed.
Following the accident, Boeing added an extra aural alert — a computerized voice warning — for low airspeed.
Aeroflot-Nord flight 821 in 2008. Flying through clouds at night in central Russia, the pilot lost spatial awareness as the plane banked dangerously left, activating a BANK ANGLE artificial voice alert. Confused, the captain turned the yoke the wrong way, rolling hard left and worsening the bank angle. The jet flipped upside down. All 88 people on board died in the crash.
Following the accident, Boeing designed a new aural alert that announces “Roll Right” or “Roll Left” as appropriate to counter a dangerous bank angle and also shows the right direction via an arrow on the flight display.
Each of those crashes was at least partly attributed to pilot error. Post-mortem tests showed the Russian captain may even have been drunk. Yet in each case, the crew alerting system could have been better, and was made so after the fact.
The FAA safety engineer said that in accidents where the pilots are blamed, “many times you’ll find the indication and alerting system provided confusing or misleading information.”
Boeing argued that the exception for the MAX was justified by the long history of safe 737 flights and the fact that it had addressed the separate alerting issues in each of these fatal accidents.
“There is no reason to believe the future rate of accidents for the 737-8 (MAX) will be significantly different from the 737 NG historical record,” the document states.
The submission to the FAA also points to the “existing common and proven alerting methodology” on the approximately 6,400 Boeing 737s then flying worldwide. It adds that the MAX won’t represent the majority of the world 737 fleet until around 2030, which means airlines would be flying mixed fleets for “two generations of 737 pilots.”
Boeing contended that keeping the MAX systems common with the systems on the prior 737 model would be preferable, to avoid confusion as pilots move between the two types of aircraft.
The FAA in its statement Wednesday listed some of the factors considered in agreeing that an aircraft complies with the rules sufficiently to be certified: “these factors include areas of change (in the airplane design), aircraft service experience and actions taken following earlier accidents.”
There is one glaring omission from that list, a factor that nevertheless the FAA guidelines clearly state will be taken into account: the matter of cost.
Yet Boeing’s argument in the MAX certification document finally arrives at that detail: the cost to Boeing and to its airline customers.
Boeing said a “significant design change” would be required if it had to comply with the complete set of federal crew alerting regulations.
“Compliance would also require revision to the entire system of training and documentation that supports the alerting methodology, as used by 75,000 pilots and a large number of airline mechanics and engineers,” the document states.
Boeing estimated the cost of the design, training and documentation changes to achieve full compliance for the 737 MAX would be “greater than $10 billion” in 2013 dollars.
As a result of the two MAX accidents, Boeing has already racked up more than $8.3 billion in extra costs through July, including a $5.6 billion write-off last quarter, a $2.7 billion addition to the projected future costs of producing the 737, and a payout of $50 million in initial compensation to the families of victims.
The cost has grown since as the grounding of the MAX fleet goes on, and further compensation costs to the families of victims, to customer airlines and to suppliers will likely continue to mount through next year.
The final bill, not even counting Boeing’s potential loss of orders and future market share, will almost certainly far exceed $10 billion.
Those outlays weren’t anticipated during development of the jet. So Boeing’s submission to the FAA concluded that the $10 billion estimate to achieve compliance met the standard for granting an exception, because the effort in terms of cost and changes to manufacturing “would not be commensurate with a small incremental safety gain.”
The FAA accepted this argument and granted Boeing’s request.
A Boeing engineer, who also asked for anonymity to protect his job, was troubled by the way the company’s analysis discounted the Helios, Turkish and Aeroflot 737 crashes.
“Yes, Boeing went and fixed each problem,” said the engineer in an interview. “It did so only after a fatal accident. They are being reactive. Boeing could have been proactive on the 737.”
He said the MAX was another missed opportunity to be proactive on safety upgrades.
In addition, those fixes Boeing developed after the three crashes are not necessarily installed on all the older 737s now in service globally. The FAA did not mandate two of them — the aural alerts that resulted from the Turkish and Aeroflot accidents — in airworthiness directives that would require airlines to comply.
So although U.S. airlines have voluntarily installed those alerts, there may be overseas airlines flying 737s that have not done so.
The FAA engineer agreed that safety shouldn’t depend on an after-the-fact response to fatal accidents. Still, he wasn’t ready to dismiss Boeing’s overall contention that a full upgrade to such an old design wasn’t practical on the MAX.
“Why force a change that would have a huge impact on the industry with no big increase in safety?” he asked. “It’s not a totally invalid argument.”
“It is old technology,” the engineer added. “The 737 flight deck display system is not anywhere near state of the art. But Boeing contends the pilots know it well.”
Dominic Gates: 206-464-2963 or [email protected]; on Twitter: @dominicgates.
Steve Miletich: 206-464-3302 or [email protected]; on Twitter: @stevemiletich.
Lewis Kamb: 206-464-2932 or [email protected]; on Twitter: @lewiskamb.
Oct. 2, 2019 at 7:45 pm
By Dominic Gates, Steve Miletich and Lewis Kamb
In 2014, Boeing convinced the Federal Aviation Administration (FAA) to relax the safety standards for the new 737 MAX related to cockpit alerts that would warn pilots if something went wrong during flight, according to documents reviewed by the Seattle Times.
Seeking an exception, Boeing relied on a special FAA rule to successfully argue that full compliance with the latest federal requirements would be “impractical” for the MAX and would cost too much.
“They went through the process and weren’t required to step up,” said an FAA safety engineer familiar with how the waiver request was handled and who asked for anonymity because he spoke without agency authorization.
Based on lessons learned from past airline accidents, the FAA regulation stipulates precise design details for the warning displays in the cockpit. These are aimed at ensuring that alerts relay clearly to the pilots what’s going on when a malfunction occurs, catch attention so that they won’t be overlooked, and avert any possible confusion.
During the two fatal MAX crashes that killed 346 people, pilots struggled to understand the cascade of warnings in their cockpits. Last week a National Transportation Safety Board (NTSB) report on those crashes highlighted the crucial role that crew alerting systems play when pilots face an inflight emergency.
The Seattle Times reviewed the relevant parts of the document that Boeing submitted to the FAA to win its exception. They show the federal regulator struck out four separate clauses that would be requirements for any new jet being produced today.
This meant Boeing avoided having to design a complete upgrade of the 737’s aging flight crew alerting system.
The underlying design of the 737 was first certified more than five decades ago, and its airframe and systems have been upgraded in an incremental patchwork ever since. Boeing’s submission reveals the cold actuarial calculus by which such exceptions are granted to allow certification of airplanes, such as the MAX, that are derivatives of older, legacy models.
Following the MAX crashes, such rulings are likely to come under tougher scrutiny in future.
Boeing declined comment on the details in this story. The FAA said in a statement that the MAX complies with the “applicable” regulations, then listed some of the criteria under which exceptions from full compliance are granted.
Relaxing the rules
Boeing’s argument in the document, which has not been previously reported, rested most basically on the long service history of the 737. At the time the MAX’s exception was granted, that included more than 300 million hours in the air, almost all accumulated on routinely safe flights.
However, Boeing’s analysis also had to deal with the fact that the 737’s record in the previous 20 years included three fatal crashes where crew alerting was a contributing factor: the 2005 Helios Airways crash in Greece that killed 121 people; the 2009 Turkish Airlines crash in Holland with nine fatalities; and the 2008 Aeroflot-Nord crash in Russia, where 88 died.
Boeing convinced the FAA that it had dealt with the three distinct issues in each of those crashes.
The submission from Boeing then cited an estimate of the cost of full compliance at more than $10 billion.
This staggering sum included not only the direct cost to Boeing of redesigning the airplane systems but also the expense of additional pilot training that new systems would require — costs that would have been borne by Boeing’s airline customers and would have made the MAX a much less attractive airplane to buy.
In April 2014, the FAA accepted Boeing’s argument that for the MAX, the safety benefit of full compliance with the crew alerting regulations was “not commensurate with the costs necessary to comply.”
A new urgency
Pilots rely on their instruments to tell them how an airplane is performing in flight and to warn of any system malfunctions. The federal regulations are designed to make such alerts as clear and unambiguous as possible about the nature and severity of any malfunctions.
The early investigation reports into the two MAX crashes show the pilots didn’t understand what their instruments were telling them and failed to handle the emergency as they might have.
Though the accidents were initiated by a failed sensor and a flawed Boeing flight control system, both the capabilities of the pilots and the design of the crew alerting system played a role in the outcome.
Last week’s NTSB report criticized Boeing for failing to account in its testing of the MAX for the overload of warning messages in the cockpit that occurred during the two fatal flights.
One of the current alerting regulations that the MAX is excused from is relevant to such a scenario. It requires that there must be a way to suppress erroneous attention-getting alerts that might interfere with the crew’s ability to focus — such as the “stick-shaker” that vibrated the captain’s control column on both the MAX crash flights.
Because of a faulty angle of attack sensor on each flight, the stick shaker was warning, falsely, that the jet was close to a stall. But having noted it, the pilots couldn’t stop it. With the FAA’s exception granted, the MAX has no way to suppress that alert. The stick shaker continued throughout both flights, along with multiple other alerts.
On the Ethiopian Airlines flight that crashed in March, the pilots faced a barrage of alerts throughout the six-minute flight. Besides the stick shaker they heard repeated loud “DON’T SINK” warnings that the jet was too close to the ground; a “clacker” making a very loud clicking sound to signal the jet was going too fast; and multiple warning lights telling the crew the speed, altitude and other readings on their instruments were unreliable.
Pilots around the world vary greatly in their flying expertise, especially in their ability to handle the plane when automated systems fail. While many U.S. airline pilots previously have flown military planes for the Air Force, that’s not the experience level in most countries. Further, even a good pilot will have a bad day.
So both Boeing and rival Airbus will in future have to pay increasing attention to “human factors,” meaning the way people interpret and respond to systems and what’s happening around them — which in an airplane depends crucially on the crew alerting system.
A person familiar with the details said that the European Union Aviation Safety Agency (EASA), in its ongoing re-evaluation of the MAX following the two crashes, has already expressed concern to both Boeing and the FAA about inadequacies in the jet’s alerting system, including the inability to suppress the stick shaker.
Boeing’s state-of-the-art system
Early in the development of the 737 MAX, Boeing considered equipping the flight deck with its state-of-the-art flight crew alerting system, called EICAS, the Engine-Indicating and Crew-Alerting System.
It provides pilots visual, aural and tactile warnings as well as written messages on the main flight display when anything goes wrong with either the engines or with the airplane systems, and then also recommends the remedial action needed.
EICAS, designed to take account of the latest human factors studies, is a system that integrates all the interactions between the pilots and the machine they are flying.
Boeing introduced EICAS in the early 1980s when the 757 and 767 jets entered service. The improved alert system was one justification for removing the role of flight engineer to allow those airplanes to fly with two-person crews. It’s been upgraded incrementally since and installed on all subsequent Boeing jets.
But alone among Boeing jets, the 737 was never updated with EICAS, though it was considered at least twice before in previous iterations of the airplane.
It was pushed again for the MAX.
An ethics complaint submitted in April by Boeing engineer Curtis Ewbank and reviewed by the Seattle Times says that Mike Carriker — Boeing’s chief pilot for product development, who flew the first flight of the 787 Dreamliner — proposed studying whether to put EICAS on the MAX, saying “it was necessary for the 737 to be a modern airplane.”
Boeing identified the detailed changes both to the airplane systems and to crew procedures that would be needed to install EICAS on the 737 MAX. But ultimately that plan was abandoned because of “the overall cost,” the ethics complaint states.
In a brief phone interview last week, Carriker declined to discuss details but said installing EICAS on the 737 “would be challenging.” And pointing to the older systems on the MAX compared to other planes like the Dreamliner, he added that “there aren’t enough sensors on the 737.”
Having settled on retaining its older cockpit alerting system, Boeing then needed to convince the FAA that the MAX should not have to meet all the latest federal crew alerting requirements, which are closely aligned with the capabilities of the EICAS system.
Making an exception
A document submitted by Boeing to the FAA in 2012 lays out the airplane description and preliminary data needed to plan the certification work for the MAX and includes an “issue paper” devoted to the MAX’s crew alerting systems.
A Boeing request for an official exemption from the regulations would have required a public notice in the Federal Register and an opportunity for interested parties or the general public to comment. Instead, Boeing followed a standard procedure for being granted such a waiver that was not public.
Instead of an “exemption,” Boeing asked for an “exception” granted under a special FAA procedure called the “Changed Product Rule,” which lays out the conditions under which a new, changed version of an older model can be granted exceptions during certification.
An official FAA advisory circular stipulates that exceptions will be granted if the applicant, in this case Boeing, can demonstrate that compliance is “impractical.” The design must come close to meeting safety requirements, and then demonstrate that “full compliance would require a substantial increase in the outlay or expenditure of resources with a very small increase in the level of safety.”
Boeing’s submission to the FAA cites first the flight history of the 737, going back to 1967. It notes that by 2011 the jet had completed 321 million flight hours and 213 million departures. Broken down by model type, the 737 version prior to the MAX, known as the 737 NG, had completed 80 million flight hours and 42 million departures.
Boeing then documented the 737’s safety record during the previous 10 years. Between 2002 and 2011, it identified three fatal accidents where a deficiency in the flight crew alerting system had played a role in the tragedy. These were:
Helios Airways flight 522 in 2005. Flying at 34,000 feet near Athens, Greece, the crew misinterpreted a horn that sounded to warn of a cabin depressurization, interpreting it as a false and irrelevant alert about the plane’s take-off configuration. The horn sounds were identical for these two distinct alerts. The pilots passed out from lack of oxygen and the plane continued flying in a straight line on autopilot, shadowed by a Greek jet fighter impotent to help. All 121 people on board died when the airliner ran out of fuel and crashed.
Following the accident, Boeing installed a light on the 737’s pilot display to distinguish a depressurization from the other alert.
Turkish Airlines flight 1951 in 2009. On approach into Amsterdam, a single radio altimeter fed an incorrect low altitude reading to the autothrottle, which duly retarded the engines for landing. The pilots, busy with some checklists, failed to notice until too late a visual alert about the airspeed dropping too low. The plane crashed well short of the runway. Nine people, including three Boeing engineers who were on board by chance, were killed.
Following the accident, Boeing added an extra aural alert — a computerized voice warning — for low airspeed.
Aeroflot-Nord flight 821 in 2008. Flying through clouds at night in central Russia, the pilot lost spatial awareness as the plane banked dangerously left, activating a BANK ANGLE artificial voice alert. Confused, the captain turned the yoke the wrong way, rolling hard left and worsening the bank angle. The jet flipped upside down. All 88 people on board died in the crash.
Following the accident, Boeing designed a new aural alert that announces “Roll Right” or “Roll Left” as appropriate to counter a dangerous bank angle and also shows the right direction via an arrow on the flight display.
Each of those crashes was at least partly attributed to pilot error. Post-mortem tests showed the Russian captain may even have been drunk. Yet in each case, the crew alerting system could have been better, and was made so after the fact.
The FAA safety engineer said that in accidents where the pilots are blamed, “many times you’ll find the indication and alerting system provided confusing or misleading information.”
Boeing argued that the exception for the MAX was justified by the long history of safe 737 flights and the fact that it had addressed the separate alerting issues in each of these fatal accidents.
“There is no reason to believe the future rate of accidents for the 737-8 (MAX) will be significantly different from the 737 NG historical record,” the document states.
The submission to the FAA also points to the “existing common and proven alerting methodology” on the approximately 6,400 Boeing 737s then flying worldwide. It adds that the MAX won’t represent the majority of the world 737 fleet until around 2030, which means airlines would be flying mixed fleets for “two generations of 737 pilots.”
Boeing contended that keeping the MAX systems common with the systems on the prior 737 model would be preferable, to avoid confusion as pilots move between the two types of aircraft.
The FAA in its statement Wednesday listed some of the factors considered in agreeing that an aircraft complies with the rules sufficiently to be certified: “these factors include areas of change (in the airplane design), aircraft service experience and actions taken following earlier accidents.”
There is one glaring omission from that list, a factor that nevertheless the FAA guidelines clearly state will be taken into account: the matter of cost.
Yet Boeing’s argument in the MAX certification document finally arrives at that detail: the cost to Boeing and to its airline customers.
Boeing said a “significant design change” would be required if it had to comply with the complete set of federal crew alerting regulations.
“Compliance would also require revision to the entire system of training and documentation that supports the alerting methodology, as used by 75,000 pilots and a large number of airline mechanics and engineers,” the document states.
Boeing estimated the cost of the design, training and documentation changes to achieve full compliance for the 737 MAX would be “greater than $10 billion” in 2013 dollars.
As a result of the two MAX accidents, Boeing has already racked up more than $8.3 billion in extra costs through July, including a $5.6 billion write-off last quarter, a $2.7 billion addition to the projected future costs of producing the 737, and a payout of $50 million in initial compensation to the families of victims.
The cost has grown since as the grounding of the MAX fleet goes on, and further compensation costs to the families of victims, to customer airlines and to suppliers will likely continue to mount through next year.
The final bill, not even counting Boeing’s potential loss of orders and future market share, will almost certainly far exceed $10 billion.
Those outlays weren’t anticipated during development of the jet. So Boeing’s submission to the FAA concluded that the $10 billion estimate to achieve compliance met the standard for granting an exception, because the effort in terms of cost and changes to manufacturing “would not be commensurate with a small incremental safety gain.”
The FAA accepted this argument and granted Boeing’s request.
A Boeing engineer, who also asked for anonymity to protect his job, was troubled by the way the company’s analysis discounted the Helios, Turkish and Aeroflot 737 crashes.
“Yes, Boeing went and fixed each problem,” said the engineer in an interview. “It did so only after a fatal accident. They are being reactive. Boeing could have been proactive on the 737.”
He said the MAX was another missed opportunity to be proactive on safety upgrades.
In addition, those fixes Boeing developed after the three crashes are not necessarily installed on all the older 737s now in service globally. The FAA did not mandate two of them — the aural alerts that resulted from the Turkish and Aeroflot accidents — in airworthiness directives that would require airlines to comply.
So although U.S. airlines have voluntarily installed those alerts, there may be overseas airlines flying 737s that have not done so.
The FAA engineer agreed that safety shouldn’t depend on an after-the-fact response to fatal accidents. Still, he wasn’t ready to dismiss Boeing’s overall contention that a full upgrade to such an old design wasn’t practical on the MAX.
“Why force a change that would have a huge impact on the industry with no big increase in safety?” he asked. “It’s not a totally invalid argument.”
“It is old technology,” the engineer added. “The 737 flight deck display system is not anywhere near state of the art. But Boeing contends the pilots know it well.”
Dominic Gates: 206-464-2963 or [email protected]; on Twitter: @dominicgates.
Steve Miletich: 206-464-3302 or [email protected]; on Twitter: @stevemiletich.
Lewis Kamb: 206-464-2932 or [email protected]; on Twitter: @lewiskamb.
Join Date: Apr 2019
Location: Toronto
Posts: 20
Likes: 0
Received 0 Likes
on
0 Posts
I'm not sure why you're in such a bad mood over this, but none of your links contain the answer to the question I and others have about the design (unless I've missed it) and saying "do your research" is not particularly helpful. We're tying to understand. With the depth and breadth of expertise from various contributors on these boards, it's surely not too much to make the query, and hope that someone who has the answer will reply.
Join Date: Mar 2008
Location: UK
Posts: 82
Likes: 0
Received 0 Likes
on
0 Posts
737 MAX Crew Alert Certification Clauses Cut
The Seattle Times is reporting that Boeing asked the FAA to cut out the need to comply with regulations stipulating the design for the warning displays in the cockpit designed to avoid any possible confusion. The article states that Boeing asked for an "exception", rather than an "exemption";
"A Boeing request for an official exemption from the regulations would have required a public notice in the Federal Register and an opportunity for interested parties or the general public to comment. Instead, Boeing followed a standard procedure for being granted such a waiver that was not public.Instead of an “exemption,” Boeing asked for an “exception” granted under a special FAA procedure called the “Changed Product Rule,” which lays out the conditions under which a new, changed version of an older model can be granted exceptions during certification.An official FAA advisory circular stipulates that exceptions will be granted if the applicant, in this case Boeing, can demonstrate that compliance is “impractical.” The design must come close to meeting safety requirements, and then demonstrate that “full compliance would require a substantial increase in the outlay or expenditure of resources with a very small increase in the level of safety.”
The article goes on to say;
"Boeing said a “significant design change” would be required if it had to comply with the complete set of federal crew alerting regulations.“Compliance would also require revision to the entire system of training and documentation that supports the alerting methodology, as used by 75,000 pilots and a large number of airline mechanics and engineers,” the document states.Boeing estimated the cost of the design, training and documentation changes to achieve full compliance for the 737 MAX would be “greater than $10 billion” in 2013 dollars."
This follows last week's NTSB report on the 737 MAX crashes that highlighted the importance of clear, unambiguous crew alerting systems in an in-flight emergency and brings the whole human factors issue into the spotlight, and the news of Boeing engineer whistle-blower Curtis Ewbank's ethics complaint about additional safety measures being rejected, as reported in the New York Times.
Without wanting to read too much into all this incrementally, it's starting to look like alot more changes, modifications and additional safeguards...and training...are going to be required before the MAX flies again.
The full article can be found here;
https://www.seattletimes.com/busines...r-crew-alerts/
"A Boeing request for an official exemption from the regulations would have required a public notice in the Federal Register and an opportunity for interested parties or the general public to comment. Instead, Boeing followed a standard procedure for being granted such a waiver that was not public.Instead of an “exemption,” Boeing asked for an “exception” granted under a special FAA procedure called the “Changed Product Rule,” which lays out the conditions under which a new, changed version of an older model can be granted exceptions during certification.An official FAA advisory circular stipulates that exceptions will be granted if the applicant, in this case Boeing, can demonstrate that compliance is “impractical.” The design must come close to meeting safety requirements, and then demonstrate that “full compliance would require a substantial increase in the outlay or expenditure of resources with a very small increase in the level of safety.”
The article goes on to say;
"Boeing said a “significant design change” would be required if it had to comply with the complete set of federal crew alerting regulations.“Compliance would also require revision to the entire system of training and documentation that supports the alerting methodology, as used by 75,000 pilots and a large number of airline mechanics and engineers,” the document states.Boeing estimated the cost of the design, training and documentation changes to achieve full compliance for the 737 MAX would be “greater than $10 billion” in 2013 dollars."
This follows last week's NTSB report on the 737 MAX crashes that highlighted the importance of clear, unambiguous crew alerting systems in an in-flight emergency and brings the whole human factors issue into the spotlight, and the news of Boeing engineer whistle-blower Curtis Ewbank's ethics complaint about additional safety measures being rejected, as reported in the New York Times.
Without wanting to read too much into all this incrementally, it's starting to look like alot more changes, modifications and additional safeguards...and training...are going to be required before the MAX flies again.
The full article can be found here;
https://www.seattletimes.com/busines...r-crew-alerts/
From the Seattle Times quote:
.
By 'engineering' ways of failing to comply fully, the cost has already been hundreds of lives. This says a lot about Boeing and how they rate the importance of safety Vs profit.
Boeing estimated the cost of the design, training and documentation changes to achieve full compliance for the 737 MAX would be “greater than $10 billion” in 2013 dollars
By 'engineering' ways of failing to comply fully, the cost has already been hundreds of lives. This says a lot about Boeing and how they rate the importance of safety Vs profit.
Join Date: Dec 2006
Location: Florida and wherever my laptop is
Posts: 1,350
Likes: 0
Received 0 Likes
on
0 Posts
Based on lessons learned from past airline accidents, the FAA regulation stipulates precise design details for the warning displays in the cockpit. These are aimed at ensuring that alerts relay clearly to the pilots what’s going on when a malfunction occurs, catch attention so that they won’t be overlooked, and avert any possible confusion.
During the two fatal MAX crashes that killed 346 people, pilots struggled to understand the cascade of warnings in their cockpits. Last week a National Transportation Safety Board (NTSB) report on those crashes highlighted the crucial role that crew alerting systems play when pilots face an inflight emergency.
During the two fatal MAX crashes that killed 346 people, pilots struggled to understand the cascade of warnings in their cockpits. Last week a National Transportation Safety Board (NTSB) report on those crashes highlighted the crucial role that crew alerting systems play when pilots face an inflight emergency.
So all malfunctions must be alerted in a way that cannot be ignored AND avert possible confusion? It is the mass of cannot ignore alerts that cause the confusion.
Last edited by Ian W; 3rd Oct 2019 at 12:04. Reason: grammar
Join Date: Jun 2019
Location: VA
Posts: 210
Likes: 0
Received 0 Likes
on
0 Posts
Not really sure how I feel about these last two articles. The main contention seems to be Boeing should be faulted for not dragging the 737 fully into the 21st Century by incorporating systems such as synthetic airspeed and EICAS. Setting aside the problems with MCAS for a moment, it is likely that the MAX would never have been built if such a major overhaul of its avionics, sensors, and alerting package was required. Admittedly, one of the challenges of operating the 737 is that it always has a foot firmly planted in the past, but the 737NG's enviable safety record (very comparable to the A320 family) does not seem to flag this as a problem.
If the buyer buys a competitors aircraft after using 737 NGs it is going to have to retrain its crews too.
A difference course from NG to Max including MCAS normal and failure modes is a lot less training than a complete ab initio on the A320, so they save on training anyway.
A difference course from NG to Max including MCAS normal and failure modes is a lot less training than a complete ab initio on the A320, so they save on training anyway.
W/o the limited training the MAX didn't have a market. They built what the market wanted, a more efficient 737 w/ limited retraining or infrastructure changes.
And it appears SW wasn't convinced Boeing could do it, hence the $1m discount (to cover the added costs they expected).
Given that MCAS was rewritten is in my opinion the most serious issue in the whole debacle. Yes, taking the data from a single unit broke the rules about one item being able to cause a 'catastrophic' incident, but I'm not quite clear if it would be deemed so if MCAS had not been rewritten. It took the latter to qualify the former. Perhaps.
The analysis was wrong/incomplete, as the NTSB noted. But that's what the team was working from when they modified MCAS.
The root cause in a nutshell. The failure mode has been demonstrated, fatally, to be catastrophic. A single, even a double, sensor input would not be a satisfactory architecture to prevent it, and safety standards require that the associated enabling software have the corresponding design assurance level "A". A very expensive fix, and more delay, if implemented.
Tom, #2852,
The central issue is the certification process opposed to faulting companies or organisations, however deficient they appear to have been.
Previous safety records only contribute to past probability; just because the outcome of a flight did not involve failure does not change the underlying risk within a system, i.e. the risks involved with multiple alerts remains the same for the 737 NG, but this is different from the MAX in not having MCAS and the combination of problems to manage.
At the centre of the 737 Max problem is that the true underlying risk (MCAS) has only been established after two accidents, whereas the design and certification process and appropriate judgement of ‘grandfather rights’ should have identified it.
A failure of the design, certification, and oversight processes.
The central issue is the certification process opposed to faulting companies or organisations, however deficient they appear to have been.
Previous safety records only contribute to past probability; just because the outcome of a flight did not involve failure does not change the underlying risk within a system, i.e. the risks involved with multiple alerts remains the same for the 737 NG, but this is different from the MAX in not having MCAS and the combination of problems to manage.
At the centre of the 737 Max problem is that the true underlying risk (MCAS) has only been established after two accidents, whereas the design and certification process and appropriate judgement of ‘grandfather rights’ should have identified it.
A failure of the design, certification, and oversight processes.
The root cause in a nutshell. The failure mode has been demonstrated, fatally, to be catastrophic. A single, even a double, sensor input would not be a satisfactory architecture to prevent it, and safety standards require that the associated enabling software have the corresponding design assurance level "A". A very expensive fix, and more delay, if implemented.
I'd have to go back through the rules. Multiple systems at various DALs combining together (and some requirements of not less than some level). And without the actual fault tree it's all speculation as to how they combine/interact. System safety is not a back-of-the-envelope endeavor.
Personally I think anything that can directly move a flight control surface should be IDAL A these days, but I don't write the rules. And it's a lot harder when dealing with legacy systems that were developed before DO-178B, ARP4754, and AC 1309-1B (still a draft, though accepted for compliance of FAR 25.1309)
Organizationally, I suggest people are motivated by the measurable factors that business plans and compensation are based on. If the business plan metrics are time and cost, managers and even their subordinates are motivated control those. In aviation, "Safety is #1 priority", yes, but safety is not measured (probably not even measurable) and it's not compensated for. So, I would suggest, that in spite of commentary from outside the community, managers are not necessarily cold-hearted, and dismissive of safety. Rather they working to achieve the best results for the metrics in use in their organization. For this reason, I believe, the check-and-balances of manufacturer and regulator is most useful. Different sets of metrics working in tension. The lack of which is likely one reason that the current system has failed.
The current delegation process of the FAA is not the checks-and-balances of the manufacture decision factors that it once was. Oversight is more clerical than technical, now. An engineer raising technical questions and/or objections to a manufacturer's certification plan only create "problems" that the FAA (read "FAA manager") is blamed for and success is reducing or suppressing such problems, at the expense of technically effective oversight. It is difficult for the engineer to even suggest involvement in otherwise delegated compliance findings. It used to be that regulator oversight allowed for an engineer to look into any issue that was delegated. The delegated engineering representatives know this and it helped keep things honest.
Not saying that any system is perfect, but oversight needs to be substantial, not merely clerical. Delegated engineering representatives need to expect anything they do being checked by technically competent regulators, even if a relatively small fraction of their work will be. The difference in the business metrics between manufacturer and regulator is a safety advantage, not a detriment.
The current delegation process of the FAA is not the checks-and-balances of the manufacture decision factors that it once was. Oversight is more clerical than technical, now. An engineer raising technical questions and/or objections to a manufacturer's certification plan only create "problems" that the FAA (read "FAA manager") is blamed for and success is reducing or suppressing such problems, at the expense of technically effective oversight. It is difficult for the engineer to even suggest involvement in otherwise delegated compliance findings. It used to be that regulator oversight allowed for an engineer to look into any issue that was delegated. The delegated engineering representatives know this and it helped keep things honest.
Not saying that any system is perfect, but oversight needs to be substantial, not merely clerical. Delegated engineering representatives need to expect anything they do being checked by technically competent regulators, even if a relatively small fraction of their work will be. The difference in the business metrics between manufacturer and regulator is a safety advantage, not a detriment.
Not saying that any system is perfect, but oversight needs to be substantial, not merely clerical. Delegated engineering representatives need to expect anything they do being checked by technically competent regulators, even if a relatively small fraction of their work will be. The difference in the business metrics between manufacturer and regulator is a safety advantage, not a detriment.
"To create a more flexible, efficient, and safer system, certification authorities worldwide are transforming oversight based on transactions to oversight based on collaboration and shared risk. The aviation industry is also transforming to more self-guided responsibilities. The applicant and the regulators have begun a transition to a state which has progressively less direct involvement of the regulators in the compliance activities of the applicant."
At the same conference there was an interesting paper on the failings of DO-178 and how it interacted with the safety process. In particular how it's up to the software engineers to determine when requirement changes need to go back and be evaluated by the safety process.
(pax). I can just about see why MCAS failure would be a major hazard (rather than catastrophic as it is still possible to recover and fly). However DAL -B has a max failure rate of 10^-7 per year. Is that really a credible reliability for the AOA sensor and processing?
Sorry for the intrusion.
Sorry for the intrusion.
Given the absence of any public progress to date, does anyone still believe the early 2020 return to service date?
With the EU as well as the Chinese currently experiencing the Trump administration's negotiation techniques, what chances these entities accept the FAA terms, whenever those are actually promulgated?
Lastly, has anyone in the regulatory bodies considered what the impact of a third, post return to flight fatal accident would be?
I'd think their necks are just as much on the line now as Boeing's managements. So they will surely be extra careful. To me, that suggests the odds are not good for the Max to ever return.
With the EU as well as the Chinese currently experiencing the Trump administration's negotiation techniques, what chances these entities accept the FAA terms, whenever those are actually promulgated?
Lastly, has anyone in the regulatory bodies considered what the impact of a third, post return to flight fatal accident would be?
I'd think their necks are just as much on the line now as Boeing's managements. So they will surely be extra careful. To me, that suggests the odds are not good for the Max to ever return.