Boeing pilot involved in Max testing is indicted in Texas


Old 8th Mar 2023, 16:51
  #221 (permalink)  
 
Join Date: Nov 2010
Age: 56
Posts: 981
Received 15 Likes on 8 Posts
Originally Posted by MechEngr
Are false alarms OK? Wasn't it the startle effect from the false alarm that caused the ET302 crew to ignore that full thrust remained as the plane exceeded the velocity envelope? Wasn't it the false alarm that forced the autopilot to go offline and allow MCAS to operate?

I prefer to focus on the origin of the problem and not the edge of the last chance to correct it.

1) Why wasn't the autopilot software designed to choose the correct AoA sensor? 2) Why when it went off line didn't the autothrottle also go off line? These are also decades old decisions. 3) Why is the AoA sensor not fail-safe? But, sure, multiple decades of depending on all these bad ideas.
Very much agree with the first paragraph, but based on what you post here normally, I am not sure if your last paragraph is as clear as you normally are...

1) How can the AP decide what is the correct one if there are two inputs that are different from each other? You need 3 AOAs to vote, or another input like AHRS attitude and GS to rule out the faulty one (currently being studied (implemented?) by Boeing)
2) If the AT had gone offline, it would not have reduced power either. If anything, the AT could have had a function to automatically reduce thrust in an overspeed. (like the A320 has had for 3+ decades for underspeed)
3) What do you mean by fail-safe? How would it know the data it provides is incorrect without being able to compare to other data?

But yes. You are totally correct the B737 design is decades overdue for a systems and cockpit design change. The B737NG was launched 10 years after the A320, over 25 years ago. The A320 has mostly triple sensors that vote, or let the pilot make a more informed choice about what is the correct one, (can still go wrong, look at the crash of the Airbus in Perpignan, where 2 of the 3 sensors were wrong).
The 737NG still mostly makes do with 2, and when 1 breaks, it is up to the pilot to decide. Add the non-cancelable stick-shaker, stall warning and overspeed warning for some AOA faults for some added confusion in the cockpit.
The MAX was the last chance for Boeing to get it right, but they didn't. And the MCAS system, borrowed from the KC-46, initially for high altitude flight characteristics, and later put on steroids for low and slow flight was just the rotting cherry on that already moldy cake. In the KC-46 MCAS takes info from both AOAs. In order to prevent extra training due to the comparator annunciation that came on if there was a difference between the two AOA inputs into MCAS, Boeing decided to do the wrong thing, and make the MCAS single source. It would only be getting the info from 1 AOA, alternating between legs (power cycles). It was a deliberate design choice, to save money, and we know from the confirmed 3 flights that happened in that condition (failed AOA feeding into MCAS) that the first one almost crashed, and the other two ended with a crash.
Some false alarms are inevitable, and every effort should be made to design them out, and make it easy to diagnose and rectify.
But the MCAS part of the story isn't so much about the false alarm IMO. It is about Boeing deliberately stepping backwards in an already outdated design.
hans brinker is offline  
Old 8th Mar 2023, 17:45
  #222 (permalink)  
 
Join Date: Jul 2013
Location: Everett, WA
Age: 69
Posts: 4,554
Received 323 Likes on 157 Posts
I've posted this before, but some either didn't see or have forgotten:
The certification process groups failures into four categories - Minor, Major, Hazardous, and Catastrophic. These have associated acceptable probability numbers - 10^-3, 10^-5, 10^-7, and 10^-9 per flight hour, respectively (occasionally modified to per flight cycle).
The entire problem with MCAS started early in the design process where the malfunctioning of MCAS (either erroneous activation or failure to activate when needed) was judged to be "Major" - Major is considered to be no big deal, readily handled by the crew with a moderate increase in crew workload (I'm quite familiar with Major since most 'benign' engine failures are considered 'Major')
Since 'Major' failures are allowed to occur at a rate of 10^-5/hour, redundancy is not required (BTW, apparently those who made that judgement also assumed that the flight crews would be told about and trained with regard to MCAS, but somewhere along the line that requirement was dropped).
Now, if someone had really sat down and thought about it - what the impact of a bad AOA sensor activating MCAS along with all the other bells and warnings that would be going off (stick shaker, unreliable airspeed, etc.) they might have realized that MCAS malfunction was at least Hazardous - but that obviously never happened prior to the first MAX crash. So the certification process for MCAS followed the (correct) process for a "Major" system. Now, if someone along the line realized that MCAS was worse than Major and withheld or hid that information - that's fraud and someone should be prosecuted for it. But if it was all an honest mistake - it's just that, a horrible, tragic, mistake, but humans design aircraft and humans make mistakes. I have it on good authority that there was at least one attempted suicide among the people who worked MCAS. These were not cold-blooded accountants that made these decisions - they were real, flesh and blood humans with feelings that made a horrible mistake. Was management pressure to keep things simple and 'on the cheap' a factor? Perhaps, but I know that I often experienced those pressures, and it never made me do or design something that I honestly believed was wrong.
tdracer is offline  
Old 8th Mar 2023, 18:11
  #223 (permalink)  
 
Join Date: Jul 2003
Location: An Island Province
Posts: 1,257
Likes: 0
Received 1 Like on 1 Post
td,
well posted again, and again.
alf5071h is offline  
Old 8th Mar 2023, 19:32
  #224 (permalink)  
 
Join Date: Aug 2013
Location: Washington.
Age: 74
Posts: 1,107
Received 167 Likes on 62 Posts
Originally Posted by MechEngr
MCAS did not fail. The AoA subsystem did, producing erroneous data and a false stall warning. MCAS did exactly what it was supposed to do based on the information it was provided. Isn't the suggestion for pilots to push the nose down when there is a stall warning and stick shaker? While MCAS wasn't designed to detect or react to stalls, and appears to have no such input, it is supposed to provide a correction to a high AoA and it did. The FAA, Boeing, foreign CAAs, and all pilots trained on the 737 NG already accepted the chance for a false stall warning and had done so for, estimating, 2 decades.
Sure, it operated as built. Over and over again until people died in the event of a foreseeable abnormal condition - wrongly designed with neglect of well known system safety principles and deceit, in favor of financial gain.
GlobalNav is offline  
Old 8th Mar 2023, 19:32
  #225 (permalink)  
 
Join Date: Nov 2010
Age: 56
Posts: 981
Received 15 Likes on 8 Posts
Originally Posted by tdracer
I've posted this before, but some either didn't see or have forgotten:
The certification process groups failures into four categories - Minor, Major, Hazardous, and Catastrophic. These have associated acceptable probability numbers - 10^-3, 10^-5, 10^-7, and 10^-9 per flight hour, respectively (occasionally modified to per flight cycle).
The entire problem with MCAS started early in the design process where the malfunctioning of MCAS (either erroneous activation or failure to activate when needed) was judged to be "Major" - Major is considered to be no big deal, readily handled by the crew with a moderate increase in crew workload (I'm quite familiar with Major since most 'benign' engine failures are considered 'Major')
Since 'Major' failures are allowed to occur at a rate of 10^-5/hour, redundancy is not required (BTW, apparently those who made that judgement also assumed that the flight crews would be told about and trained with regard to MCAS, but somewhere along the line that requirement was dropped).
Now, if someone had really sat down and thought about it - what the impact of a bad AOA sensor activating MCAS along with all the other bells and warnings that would be going off (stick shaker, unreliable airspeed, etc.) they might have realized that MCAS malfunction was at least Hazardous - but that obviously never happened prior to the first MAX crash. So the certification process for MCAS followed the (correct) process for a "Major" system. Now, if someone along the line realized that MCAS was worse than Major and withheld or hid that information - that's fraud and someone should be prosecuted for it. But if it was all an honest mistake - it's just that, a horrible, tragic, mistake, but humans design aircraft and humans make mistakes. I have it on good authority that there was at least one attempted suicide among the people who worked MCAS. These were not cold-blooded accountants that made these decisions - they were real, flesh and blood humans with feelings that made a horrible mistake. Was management pressure to keep things simple and 'on the cheap' a factor? Perhaps, but I know that I often experienced those pressures, and it never made me do or design something that I honestly believed was wrong.
Your level of knowledge of certification is not something I will ever approach. But either the KC-46 was over engineered/certified having dual channel MCAS and a comparator annunciator, or corners were cut with the MAX, when they made it single source. And they definitely made it single source to avoid training and the associated cost. Maybe they thought it was safe enough, but they would have known that it was less safe, and cheaper.......
hans brinker is offline  
Old 8th Mar 2023, 19:48
  #226 (permalink)  
 
Join Date: Jul 2013
Location: Everett, WA
Age: 69
Posts: 4,554
Received 323 Likes on 157 Posts
Originally Posted by hans brinker
Your level of knowledge of certification is not something I will ever approach. But either the KC-46 was over engineered/certified having dual channel MCAS and a comparator annunciator, or corners were cut with the MAX, when they made it single source. And they definitely made it single source to avoid training and the associated cost. Maybe they thought it was safe enough, but they would have known that it was less safe, and cheaper.......
KC-46 MCAS is fundamentally different than 737 MCAS. On the KC-46, it's intended to account for everyday occurrences - the rapidly changing CG as the tanker offloads fuel. Different design requirements when you design something to account for what will routinely happen.
737 MCAS was intended to account for something that should rarely occur - the pilot flying the aircraft into a near stall condition. So MCAS would rarely come into play - again, a different design requirement.

Not excusing the sloppy engineering that resulted in the original MAX MCAS implementation, but comparing it to the KC-46 MCAS is apples to oranges.
tdracer is offline  
Old 8th Mar 2023, 21:04
  #227 (permalink)  
 
Join Date: Nov 2010
Age: 56
Posts: 981
Received 15 Likes on 8 Posts
Originally Posted by tdracer
KC-46 MCAS is fundamentally different than 737 MCAS. On the KC-46, it's intended to account for everyday occurrences - the rapidly changing CG as the tanker offloads fuel. Different design requirements when you design something to account for what will routinely happen.
737 MCAS was intended to account for something that should rarely occur - the pilot flying the aircraft into a near stall condition. So MCAS would rarely come into play - again, a different design requirement.

Not excusing the sloppy engineering that resulted in the original MAX MCAS implementation, but comparing it to the KC-46 MCAS is apples to oranges.
Thanks for that reply, TIL. That distinction is pretty big, but I never saw it mentioned in anything I read...
hans brinker is offline  
Old 8th Mar 2023, 21:18
  #228 (permalink)  
 
Join Date: Oct 2020
Location: Cork
Posts: 55
Received 27 Likes on 13 Posts
Originally Posted by tdracer
I've posted this before, but some either didn't see or have forgotten:
The certification process groups failures into four categories - Minor, Major, Hazardous, and Catastrophic. These have associated acceptable probability numbers - 10^-3, 10^-5, 10^-7, and 10^-9 per flight hour, respectively (occasionally modified to per flight cycle).
The entire problem with MCAS started early in the design process where the malfunctioning of MCAS (either erroneous activation or failure to activate when needed) was judged to be "Major" - Major is considered to be no big deal, readily handled by the crew with a moderate increase in crew workload (I'm quite familiar with Major since most 'benign' engine failures are considered 'Major')
Since 'Major' failures are allowed to occur at a rate of 10^-5/hour, redundancy is not required (BTW, apparently those who made that judgement also assumed that the flight crews would be told about and trained with regard to MCAS, but somewhere along the line that requirement was dropped).
Now, if someone had really sat down and thought about it - what the impact of a bad AOA sensor activating MCAS along with all the other bells and warnings that would be going off (stick shaker, unreliable airspeed, etc.) they might have realized that MCAS malfunction was at least Hazardous - but that obviously never happened prior to the first MAX crash. So the certification process for MCAS followed the (correct) process for a "Major" system. Now, if someone along the line realized that MCAS was worse than Major and withheld or hid that information - that's fraud and someone should be prosecuted for it. But if it was all an honest mistake - it's just that, a horrible, tragic, mistake, but humans design aircraft and humans make mistakes. I have it on good authority that there was at least one attempted suicide among the people who worked MCAS. These were not cold-blooded accountants that made these decisions - they were real, flesh and blood humans with feelings that made a horrible mistake. Was management pressure to keep things simple and 'on the cheap' a factor? Perhaps, but I know that I often experienced those pressures, and it never made me do or design something that I honestly believed was wrong.
This is perhaps the best summary that I have ever read of how MCAS came to be. What is missing is what happened between the first and the second crash. If the full consequences of an AoA failure had been overlooked when MCAS was designed they were certainly very clear after the first crash. Surely Boeing engineers went back over it with a fine tooth comb at that stage in the simulator and elsewhere and realised what a s--tstorm would be created in the cockpit by such a failure. That was the time to come clean with the airlines and pilots. They could have simply issued an AD to say that if you encounter unreliable airspeed at takeoff, do not retract flaps. They could have explained the MCAS algorithm and how it would not kick back in until x seconds after the last trim input. Instead they doubled down to say that if only the pilots had followed the old trim runaway procedure, it would all have been fine. Boeing gambled that they would get a firmware fix out before another similar AoA failure occurred. Someone made a decision to gamble with people's lives. Someone in Boeing management made that bet but the people on the Ethiopian flight paid the ultimate price for it.
soarbum is offline  
Old 9th Mar 2023, 00:19
  #229 (permalink)  
 
Join Date: Aug 2019
Location: Rocket City
Posts: 47
Received 0 Likes on 0 Posts
Originally Posted by tdracer
The entire problem with MCAS started early in the design process where the malfunctioning of MCAS (either erroneous activation or failure to activate when needed) was judged to be "Major"
…
(BTW, apparently those who made that judgement also assumed that the flight crews would be told about and trained with regard to MCAS, but somewhere along the line that requirement was dropped).

Now, if someone had really sat down and thought about it … they might have realized that MCAS malfunction was at least Hazardous - but that obviously never happened prior to the first MAX crash.
This points to a hole in the safety process. It's there, without getting into how I know it's there (non-attribution and all that).

The engineers that make changes are the ones that determine if safety needs to look at those changes. Often those engineers don't understand how their changes impact the larger system, yet the process relies on them at least suspecting it could impact safety in order to bring it to the attention of others.
ST Dog is offline  
Old 9th Mar 2023, 00:26
  #230 (permalink)  
 
Join Date: Aug 2019
Location: Rocket City
Posts: 47
Received 0 Likes on 0 Posts
Originally Posted by hans brinker
Thanks for that reply, TIL. That distinction is pretty big, but I never saw it mentioned in anything I read...
Another thing to note is different certification.

747MAX was FAA certification. The military has their own certification. 3 actually Army, Air Force, and Navy each have different certification for their respective aircraft. Just because the Navy certified something doesn't mean it's good for the Air Force.

ST Dog is offline  
Old 9th Mar 2023, 01:11
  #231 (permalink)  
 
Join Date: Jul 2013
Location: Everett, WA
Age: 69
Posts: 4,554
Received 323 Likes on 157 Posts
Originally Posted by ST Dog
Another thing to note is different certification.

747MAX was FAA certification. The military has their own certification. 3 actually Army, Air Force, and Navy each have different certification for their respective aircraft. Just because the Navy certified something doesn't mean it's good for the Air Force.
Actually, the KC-46 was FAA certified - two FAA certifications were done - the 767-2C (which was the basis for the KC-46), and the KC-46 modification was certified as well. Some aspects of the KC-46 didn't get direct Part 25 certification (there are no regulations regarding air-to-air refueling), but the airworthiness (including MCAS) of the KC-46 was FAA certified.
tdracer is offline  
Old 9th Mar 2023, 03:10
  #232 (permalink)  
 
Join Date: Aug 2019
Location: Rocket City
Posts: 47
Received 0 Likes on 0 Posts
Originally Posted by tdracer
Actually, the KC-46 was FAA certified
Interesting. So is the AF flying under the STC and using commercial maintenance instead of organic maintenance? At least historically military maintainers weren't certified to FAA/Boeing standards and thus didn't meet requirements for continued airworthiness.
Seems unusual for the AF (and not a practice I care for where other branches have done so), especially for such a specialized aircraft.
ST Dog is offline  
Old 9th Mar 2023, 03:59
  #233 (permalink)  
 
Join Date: Jul 2013
Location: Everett, WA
Age: 69
Posts: 4,554
Received 323 Likes on 157 Posts
Originally Posted by ST Dog
Interesting. So is the AF flying under the STC and using commercial maintenance instead of organic maintenance? At least historically military maintainers weren't certified to FAA/Boeing standards and thus didn't meet requirements for continued airworthiness.
Seems unusual for the AF (and not a practice I care for where other branches have done so), especially for such a specialized aircraft.
Sorry, what you're asking is getting beyond my knowledge base. I know that the 767-2C and KC-46 went through the FAA cert process (although I didn't have direct involvement in the KC-46 cert since my system didn't change from the -2C to the KC-46). I'd retired before the final cert was finished and maintenance practices were finalized. At least in theory, the 767-2C could be sold in its 'as built' commercial version as a purely cargo aircraft although I don't believe that's happened.
There has been a strong movement towards certifying commercially derived military aircraft to FAA Part 25 standards - something that I quite frankly don't understand since it adds considerable costs (basically you need to certify twice - once to the FAA and once to the USAF) without any real added value.
tdracer is offline  
Old 9th Mar 2023, 07:01
  #234 (permalink)  
 
Join Date: Aug 2019
Location: Rocket City
Posts: 47
Received 0 Likes on 0 Posts
Originally Posted by tdracer
Sorry, what you're asking is getting beyond my knowledge base.
Fair enough.

It would be interesting to see the artifacts the FAA cert was based on, particularly for MCAS.

I can't imagine anyone buying a -2C or KC-46 for strictly cargo use vs another dedicated cargo plane without the baggage of the tanker.
ST Dog is offline  
Old 27th Mar 2023, 22:03
  #235 (permalink)  
 
Join Date: Oct 2018
Location: Oka
Posts: 49
Received 23 Likes on 8 Posts
Originally Posted by MechEngr
MCAS did not fail. The AoA subsystem did, producing erroneous data and a false stall warning. MCAS did exactly what it was supposed to do based on the information it was provided. Isn't the suggestion for pilots to push the nose down when there is a stall warning and stick shaker? While MCAS wasn't designed to detect or react to stalls, and appears to have no such input, it is supposed to provide a correction to a high AoA and it did. The FAA, Boeing, foreign CAAs, and all pilots trained on the 737 NG already accepted the chance for a false stall warning and had done so for, estimating, 2 decades.
MCAS did fail.

Its job was to provide a “suitable” stick force gradient in specific flight envelope circumstances.

That didn’t happen here not least because those flight envelope circumstances didn’t even exist.

It’s supposed to do what it’s designed for.

It didn’t.

That’s a failure.

Last edited by Bbtengineer; 27th Mar 2023 at 22:34.
Bbtengineer is offline  
Old 27th Mar 2023, 23:27
  #236 (permalink)  
 
Join Date: Oct 2019
Location: USA
Posts: 991
Received 366 Likes on 198 Posts
Bbtengineer,

Are you satisfied that there was a false stall warning and that the AoA system reported false information?
Satisfied that the major errors in ET-302 happened primarily because of that false stall warning and prior to MCAS activation?

What other sensors should be allowed to lie? Fuel amount? Radalt? Engine fire?

I have been looking at the whole system. I agree - it was the failure to do so that got people killed.

You are looking at a piece of software that acted exactly as it was specified to act. It would have saved AF 447 if Airbus had installed a similar system.

In contrast, the AoA sensor didn't report the correct AoA and the related control subsystems all acted as if it did. All of them relied on the false AoA information, including the autopilot, which bugged out because of the false AoA sensor reading.
MechEngr is offline  
Old 28th Mar 2023, 00:28
  #237 (permalink)  
 
Join Date: Oct 2018
Location: Oka
Posts: 49
Received 23 Likes on 8 Posts
Originally Posted by MechEngr
Bbtengineer,

Are you satisfied that there was a false stall warning and that the AoA system reported false information?
Satisfied that the major errors in ET-302 happened primarily because of that false stall warning and prior to MCAS activation?

What other sensors should be allowed to lie? Fuel amount? Radalt? Engine fire?

I have been looking at the whole system. I agree - it was the failure to do so that got people killed.

You are looking at a piece of software that acted exactly as it was specified to act. It would have saved AF 447 if Airbus had installed a similar system.

In contrast, the AoA sensor didn't report the correct AoA and the related control subsystems all acted as if it did. All of them relied on the false AoA information, including the autopilot, which bugged out because of the false AoA sensor reading.
The software had faulty inputs.

I would expect a software engineer to anticipate faulty inputs, and to figure out how to detect them and deal with them.

Apparently they did neither.

In what universe was a totally unconstrained application of AND ever going to be appropriate?

It obviously didn’t work and I can’t quite actually believe we’re discussing a hypothesis that it did.


Last edited by Bbtengineer; 28th Mar 2023 at 00:58.
Bbtengineer is offline  
Old 28th Mar 2023, 02:02
  #238 (permalink)  
 
Join Date: Jul 2013
Location: Everett, WA
Age: 69
Posts: 4,554
Received 323 Likes on 157 Posts
Originally Posted by Bbtengineer
The software had faulty inputs.

I would expect a software engineer to anticipate faulty inputs, and to figure out how to detect them and deal with them.

Apparently they did neither.

In what universe was a totally unconstrained application of AND ever going to be appropriate?

It obviously didn’t work and I can’t quite actually believe we’re discussing a hypothesis that it did.
The flaw wasn't in the software - it acted exactly as the software requirements would have it react.
The flaw was in the software requirements. Software is tested to confirm it conforms to the requirements - not to confirm it does what the designer intended...
This, unfortunately, is a common problem with software - poorly defined requirements that result in software not behaving as we'd like.
This is somewhat independent of s/w DAL (Design Assurance Level) - even DAL A (flight critical) software can behave in unanticipated ways if the requirements are not clearly defined.
tdracer is offline  
Old 28th Mar 2023, 02:30
  #239 (permalink)  
 
Join Date: Oct 2018
Location: Oka
Posts: 49
Received 23 Likes on 8 Posts
Originally Posted by tdracer
The flaw wasn't in the software - it acted exactly as the software requirements would have it react.
The flaw was in the software requirements. Software is tested to confirm it conforms to the requirements - not to confirm it does what the designer intended...
This, unfortunately, is a common problem with software - poorly defined requirements that result in software not behaving as we'd like.
This is somewhat independent of s/w DAL (Design Assurance Level) - even DAL A (flight critical) software can behave in unanticipated ways if the requirements are not clearly defined.
I’m sorry but you’re treating the team implementing the software as idiots.

At best as people who aren’t expected to actually understand the requirement in any context whatsoever.

People who implement software aren’t supposed to exist in a vacuum. They’re supposed to actually understand what they’re building and why.

The requirement apparently said apply nose down repetitively forever.

Nobody should ever have accepted that requirement.
Bbtengineer is offline  
Old 28th Mar 2023, 02:45
  #240 (permalink)  
 
Join Date: Jul 2013
Location: Everett, WA
Age: 69
Posts: 4,554
Received 323 Likes on 157 Posts
Originally Posted by Bbtengineer
I’m sorry but you’re treating the team implementing the software as idiots.

At best as people who aren’t expected to actually understand the requirement in any context whatsoever.

People who implement software aren’t supposed to exist in a vacuum. They’re supposed to actually understand what they’re building and why.

The requirement apparently said apply nose down repetitively forever.

Nobody should ever have accepted that requirement.
The people who create the software are not the ones who define the requirements - in aviation they seldom are even in the same company.
That's why it's so critically important to get the s/w requirements correct.
The requirements did not consider what would happen if MCAS kept trimming the nose down, because it was assumed early in the design process that if the stab trim was doing something the pilots didn't want or understand, they'd turn it off. Hence the classification of inappropriate MCAS activation as only Major - that's what a stab trim malfunction was classified as.
As I noted previously - the entire MCAS mess grew from that flawed assumption that an issue with MCAS was no worse than Major.
tdracer is offline  
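The point argued in #221 (a single-source consumer cannot tell a failed AoA sensor from a real high AoA, while a comparator or a three-way vote can) and in #236 to #240 (the software should have anticipated faulty inputs) can be shown with a small simulation. This is an added illustration, not code from the thread or from any aircraft system; the thresholds, the stuck sensor value and the failure scenario are constructed for the example.

```python
"""Added illustration: what a consumer of angle-of-attack (AoA) data does when
one sensor fails, depending on how many sources it is given. All thresholds,
the stuck value and the scenario are constructed (assumptions), not real."""
from dataclasses import dataclass, field
from statistics import median

DISAGREE_DEG = 5.0   # assumed comparator threshold (constructed)
TRIGGER_DEG = 15.0   # assumed "high AoA" threshold for the function (constructed)
TRUE_AOA = 3.0       # benign attitude the healthy sensors report (constructed)


@dataclass
class Outcome:
    commands: int = 0          # nose-down commands issued
    inhibited: bool = False    # function disabled itself because of a disagreement
    flagged: bool = False      # a sensor problem was made visible to the crew
    log: list = field(default_factory=list)


def single_source(samples, active=0):
    """Trusts one sensor, chosen at power-up. A stuck-high sensor looks exactly
    like a real high AoA, so the function commands on every sample and never
    reports a fault: a false input is silently acted on."""
    out = Outcome()
    for s in samples:
        aoa = s[active]
        if aoa > TRIGGER_DEG:
            out.commands += 1
            out.log.append(f"nose-down, AoA={aoa:.1f} from sensor {active}")
    return out


def dual_comparator(samples):
    """Reads both sensors. Two sources cannot say which one is right, but they
    can detect that one is wrong: on disagreement the function annunciates and
    inhibits itself instead of acting on an unverified value."""
    out = Outcome()
    for a, b in samples:
        if abs(a - b) > DISAGREE_DEG:
            out.flagged = out.inhibited = True
            out.log.append(f"AoA DISAGREE {a:.1f}/{b:.1f}: function inhibited")
            continue
        if max(a, b) > TRIGGER_DEG:
            out.commands += 1
    return out


def triple_vote(samples):
    """Three sensors with mid-value select: a single bad sensor is outvoted,
    the function keeps working on the median, and the outlier is flagged."""
    out = Outcome()
    for s in samples:
        m = median(s)
        bad = [i for i, v in enumerate(s) if abs(v - m) > DISAGREE_DEG]
        if bad:
            out.flagged = True
            out.log.append(f"sensor(s) {bad} outvoted, using {m:.1f}")
        if m > TRIGGER_DEG:
            out.commands += 1
    return out


def failed_sensor_run(n=10, stuck=74.5):
    """Constructed scenario: sensor 0 is stuck high from the first sample while
    the other sensors read the true AoA. Returns the three outcomes."""
    two = [(stuck, TRUE_AOA) for _ in range(n)]
    three = [(stuck, TRUE_AOA, TRUE_AOA) for _ in range(n)]
    return single_source(two), dual_comparator(two), triple_vote(three)


if __name__ == "__main__":
    s, d, t = failed_sensor_run()
    print("single source  :", s.commands, "nose-down commands, fault flagged:", s.flagged)
    print("dual comparator:", d.commands, "commands, inhibited:", d.inhibited)
    print("triple vote    :", t.commands, "commands, fault flagged:", t.flagged)
```

With the same failed sensor, the single-source version issues a nose-down command on every sample and flags nothing, and whether it does so at all depends only on which sensor was selected at power-up.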
