|
A question or two.
If you "reset" the trim switches, I take it that the pitch trim would then have to be manually adjusted for the remainder of the flight? If the MCAS activates for a few second and the PF pulls back on the control column I understand that the pitch trim stays where it is, so a second activation a few second later would have an even more aggressive effect. Does the MCAS have any effect on the thrust? After the MCAS is countered by the PF could the autopilot be activated before MCAS activates again? Could the Autopilot be activated in the gaps between the MCAS "working"? |
NY Times: After Boeing Crashes, Sharp Questions About Industry Regulating Itself
After Boeing Crashes, Sharp Questions About Industry Regulating ItselfWASHINGTON — Seven years ago, an internal government watchdog took a hard look at the part of the Federal Aviation Administration responsible for certifying new Boeing jetliners. The watchdog’s investigation came to some alarming conclusions.F.A.A. employees viewed their management, the inquiry by the Transportation Department’s inspector general found, as “having too close a relationship with Boeing officials.” F.A.A. managers, the report said, had not always backed efforts by agency employees “to hold Boeing accountable,” and employees feared retaliation for trying to do so.More (Not sure whether this is the best thread for this. Please move if it's not.) |
You can update the software from now till eternity.
The main issue remains. These "events" are triggered by failing AOA sensor/systems. => That is where the main focus should be => Why is the AOA probe/system failing. That MCAS was single probe only is an error, but secondary and wat MCAS is/was trying to do is third. But, and this should be the main focus point => With a solid AOA signal, nothing of this would have happened in the first place. |
Originally Posted by Vilters
(Post 10430708)
You can update the software from now till eternity.
The main issue remains. These "events" are triggered by failing AOA sensor/systems. => That is where the main focus should be => Why is the AOA probe/system failing. That MCAS was single probe only is an error, but secondary and wat MCAS is/was trying to do is third. But, and this should be the main focus point => With a solid AOA signal, nothing of this would have happened in the first place. |
Originally Posted by Vilters
(Post 10430708)
You can update the software from now till eternity.
The main issue remains. These "events" are triggered by failing AOA sensor/systems. => That is where the main focus should be => Why is the AOA probe/system failing. That MCAS was single probe only is an error, but secondary and wat MCAS is/was trying to do is third. But, and this should be the main focus point => With a solid AOA signal, nothing of this would have happened in the first place. |
The MCAS idea has been around for some time apparently. Boeing were going to fit it to the 767 originally, but were able to get the job done with vortex generators. Both the KC-46 and KC-767 have a MCAS system.
https://aviationweek.com/defense/boe...cd1cc979ac68a7 FAA doesn't want to be the first to lift the MAX ban. https://aviationweek.com/commercial-...cd1cc979ac68a7 |
Originally Posted by Infrequent Flyer
Pilots will be required to complete a training on the updated system on their iPads. https://www.pprune.org/images/smilies/eek.gifhttps://www.pprune.org/images/smilies/confused.gifhttps://www.pprune.org/images/smilies2/eusa_wall.gifI really don't know what to say.
I'm sure plaintiffs lawyers will though - they're going to have a ****ing field day in court with this. |
Originally Posted by FCeng84
(Post 10430550)
...
... One of the key elements to the baseline MCAS logic is that it will only put in a single increment of stabilizer motion as long as no pilot trim command is given. This goes in over no more than 10 seconds (less if operating at Mach number greater than 0.4 where MCAS single increment authority is less than 2.5 degrees). ... FCeng84 provides clarity ... Is it possible for sts trim inputs to reset the MCAS logic, is it known with certainty that only pilot switches will do this? (Assuming my understanding of sts is anywhere close to correct) |
Originally Posted by MurphyWasRight
(Post 10430897)
FCeng Thank you for your explanations, they are appreciated.
Is it possible for sts trim inputs to reset the MCAS logic, is it known with certainty that only pilot switches will do this? (Assuming my understanding of sts is anywhere close to correct) (See detailed MCAS description that I added to the Ethiopian accident thread today.) |
Why AoA fails
Vilters, #405, “The main issue remains. These "events" are triggered by failing AOA sensor/systems. => That is where the main focus should be => Why is the AOA probe/system failing.” https://www.pprune.org/rumours-news/...l#post10430708 I agree; see related questions in https://www.pprune.org/rumours-news/618252-boeing-737-max-software-fixes-due-lion-air-crash-delayed.html#post10429320 (#381) Also see the links giving a technical basis for a software ‘glitch’; AoA value in error. However, as yet the answered question is:- “Would such a ‘failure’ (glitch) be a random, probabilistic occurrence - just chance, or require an external disturbance - elect spike (FDR AoA error seen during taxi - generator switching?)” Continuing with this hypothesis, then the focus of the investigation should be to confirm or refute the need of at least two contributing factors, what are they, and the circumstances which result in AoA error - MCAS does the rest. If electrical, then follow-on questions should consider if any abnormal ground or in-flight switching or alternate power supply could similarly reset / trigger the initiating conditions - which could also relate to the proposed modifications. /hypothesis. Additionally, and perhaps the key to understanding, is why only two aircraft have exhibited the fault, and the many others in service apparent not. Noting previous linked comments about ground reset, maintenance test, and before flight electrical checks. As a far-out thought; is the order of after-start generator or bus tie checks an option, 1 before 2, etc, is this before flight or after landing as in some other aircraft types. |
Hmm. If an MCAS situation results in an altitude loss in the region 2000-3000ft for a crew consisting of manufacturer test pilots who know what's going to happen, what will that mean for commercial operation by an "average" crew? Keeping flaps down until passing 5000ft AGL after take-off? Having to select flaps down before descending through 5000ft AGL? If so, what challenges will that bring operationally and economically?
Furthermore, if an MCAS situation is so forceful as described in the sim sessions where airline pilots participated, can the training be satisfactorily addressed by CBT only, or will the regulators mandate time in a SIM properly configured for MCAS events? If so, that kind of kills the idea that a NG pilot can breeze into the cockpit of a MAX with just a couple of hours of CBT under his belt. And that, in turn, will undermine Boeings marketing blurb, and thus make the aircraft somewhat less attractive to current and prospective customers. Perhaps it should be renamed the 737 Kludge? |
Originally Posted by SMT Member
(Post 10431109)
Hmm. If an MCAS situation results in an altitude loss in the region 2000-3000ft for a crew consisting of manufacturer test pilots who know what's going to happen, what will that mean for commercial operation by an "average" crew? Keeping flaps down until passing 5000ft AGL after take-off? Having to select flaps down before descending through 5000ft AGL? If so, what challenges will that bring operationally and economically?
|
Originally Posted by poldek77
(Post 10431228)
...or have your autopilot engaged always when flaps up...?
|
Originally Posted by poldek77
(Post 10431228)
...or have your autopilot engaged always when flaps up...?
|
Originally Posted by SMT Member
(Post 10431317)
Which will work wonders addressing the issue of, alleged, insufficient manual handling exposure. Is this really the direction we want to go, pilots only there to manually handle the aircraft for t/o and landing? A world of pilots SOP bound to turn George on and off with the gear going up and down? That'll be a big, fat, no thank you from me.
|
Originally Posted by SMT Member
(Post 10431109)
Hmm. If an MCAS situation results in an altitude loss in the region 2000-3000ft for a crew consisting of manufacturer test pilots who know what's going to happen, what will that mean for commercial operation by an "average" crew?
|
Originally Posted by SMT Member
(Post 10431109)
Furthermore, if an MCAS situation is so forceful as described in the sim sessions where airline pilots participated, can the training be satisfactorily addressed by CBT only, or will the regulators mandate time in a SIM properly configured for MCAS events? If so, that kind of kills the idea that a NG pilot can breeze into the cockpit of a MAX with just a couple of hours of CBT under his belt. And that, in turn, will undermine Boeings marketing blurb, and thus make the aircraft somewhat less attractive to current and prospective customers.
Perhaps it should be renamed the 737 Kludge? To quote (my emphasis): Rick Ludtke, a former Boeing engineer who worked on designing the interfaces on the MAX’s flight deck, said managers mandated that any differences from the previous 737 had to be small enough that they wouldn’t trigger the need for pilots to undergo new simulator training. “It’s become such a kludge, that we started to speculate and wonder whether it was safe to do the MAX,” Ludtke said. Ludtke didn’t work directly on the MCAS, but he worked with those who did. He said that if the group had built the MCAS in a way that would depend on two sensors, and would shut the system off if one fails, he thinks the company would have needed to install an alert in the cockpit to make the pilots aware that the safety system was off. And if that happens, Ludtke said, the pilots would potentially need training on the new alert and the underlying system. That could mean simulator time, which was off the table. |
"One off occurrences happen..."
Boeing details its fix for the 737 MAX, but defends the original design[emphasis mine]March 27, 2019 at 11:00 am Updated March 27, 2019 at 12:04 pm Dominic Gates By Dominic Gates Seattle Times aerospace reporter Boeing on Wednesday mounted an effort to win back the trust of airlines, safety regulators and the flying public and get its 737 MAX back in the air. The company described detailed changes to the jet’s flight-control software and what its engineers have been doing since the recent fatal crashes of two airplanes. While declaring that will make the system “more robust,” it denied that the changes mean the original design was inadequate. At a news conference at an airline customer facility in Renton, Mike Sinnett, Boeing vice president of product strategy and development, presented the details of the planned software update. As expected, the changes to the suspect flight-control system known as the Maneuvering Characteristics Augmentation System, or MCAS, mean that it will be activated by input from two sensors instead of a single one; that it will operate only once, not multiple times, if the sensor reading remains stuck at a high value; and the power of the system will be limited so that the pilot will always pull back on the control column with enough force to counteract any automatic nose-down movement MCAS causes. Boeing will also introduce training for pilots on the changes to the MCAS system. This training, which Sinnett said is “provisionally approved,” will consist of about a half-hour of computer-based training. He said that since the MAX will handle exactly the same as the older model 737, no simulator training will be required. Boeing clearly hopes that the grounding can be lifted quickly. The company said it will take only a day to deploy the software once it is approved by safety regulators and that upgrading a specific airplane will take “an hour or so.” However, it’s up to the Federal Aviation Administration (FAA) and foreign regulators to determine when the plane will be allowed to return to service. And then each airline operator will have to run its flight crews through the new MCAS training. In a separate part of the news conference, Boeing answered questions from reporters on condition that the person speaking not be named. In the Lion Air crash last October, black-box data released in the preliminary investigation shows that MCAS was triggered by a single faulty sensor and repeatedly pushed the nose of the jet down as the pilots struggled to pull it back up before losing control. Initial indications that the Ethiopian Airlines crash earlier this month might also involve MCAS were enough for regulators around the world to order the fleet grounded. “One-off occurrences happen, like the accidents we have just experienced, and cause us to always go back and question our basic assumptions and look at our design processes,” Boeing said in answer to questioning about why the change has been made. “Every time something happens we learn from it,” Boeing said. “We do not know the ultimate cause of the accidents. MCAS is just one independent link in the chain. We can make that more robust.” “As tragic as this is — and these two accidents are terribly tragic, and we understand the gravity of that — we do learn from it,” Boeing said. The company said it has conducted audits on all the MAX systems since the accident, taking a close look at the system safety assessments, including analyses of different possible failure modes and the hazard each would cause, and “uncovered nothing that concerns us.” “The process we follow with the regulators and with the (airplane) designs has continued to lead to safer and safer airplanes,” Boeing said. “We can question our assumptions, but in general the process has worked and continues to work and we see no reason to overhaul the process.” Reporters asked whether increased cockpit automation, combined with pilots around the world becoming less familiar with manual flying techniques, is introducing new hazards that the industry needs to address. Boeing countered that the recent history of aviation safety has been stellar and does not indicate “any systemic failure in how the world designs, builds and tests airplanes and trains flight crews.” Boeing defended the original design of MCAS as dependent on a single sensor, saying that industry practice allows such single points of failure provided corrective action “can be quickly performed by a trained pilot using established procedures.” Boeing points out that MCAS can be countered by the pilots and, if all else fails, can be turned off by flipping two cutoff switches. Boeing has been conducting flight tests of the MCAS software fix over the past two weeks, since just before the worldwide fleet was grounded. The company said getting the software fix out and presenting it to the world “took until now because we wanted to get it right. Rushing it is the wrong thing to do.” Sinnett defended the original certification of the airplane and of MCAS. He said the 737 MAX builds on the “tremendous history of safety” of the 737 program and said Boeing is introducing the proposed software changes because aviation is “an industry that is continuously learning” from airplane accidents. “The rigor and thoroughness of the design and testing that went into the MAX gives us complete confidence that the changes we are making would address any of these accidents,” Sinnett said. Meanwhile, more than 200 airline pilots, officials and safety regulators gathered at the 737 assembly plant nearby for briefings and sessions testing the new software upgrade in a MAX simulator. Attendees will be able to watch Boeing pilots sitting in a simulator and talk to them at the same time so that they can request simulated flights with specific scenarios. Dominic Gates: 206-464-2963 or [email protected]; on Twitter: @dominicgates. |
Originally Posted by RickNRoll
(Post 10430787)
All sensors can fail. How does your system cope with failure?
Design strategies to meet this safety requirement may include redundancy (more than one AoA sensor), detection of sensor failure with corresponding steps to disable its input to the MCAS and others. Common causes that could lead to simultaneous failure of multiple AoA sensors must be avoided. As a previous poster noted, current AoA sensors can fail on the order of once every 100,000 hours, though I'm not sure that covers every failure mode. If the MCAS functionality must be assured for certification, then significant redesign of the system hardware architecture is necessary, not merely changing a few lines of code. Furthermore, I don't know what the hazard classification was approved for MCAS, but it should be Catastrophic, which means that software associated with its function should be at Design Assurance Level A. Not sure what the software DAL is, but to modify Level A software and get the modification approved is not trivial (time-consuming and expensive). |
Originally Posted by GlobalNav
(Post 10431946)
The use of a single AoA sensor at a time, for a function that can do what it did in these two crash scenarios is the problem. ......Furthermore, I don't know what the hazard classification was approved for MCAS, but it should be Catastrophic, which means that software associated with its function should be at Design Assurance Level A. Not sure what the software DAL is, but to modify Level A software and get the modification approved is not trivial (time-consuming and expensive).
As for the announced fix (summary so far), they really need to publish the source code section involved and/or block diagram schematics instead of simply trying to paraphrase ambiguously what the system is capable of doing. I know that's unprecedented, but for pete's sake, this is crazy, them running around with loose english phrasing of how persistent MCAS will be from now on, when it will re-engage, you know, all the state transition diagram logic would be nice to know. ....... For some, it may be enough to know that 2 AoA vane sensors will be compared (finally, right?!), and I might have designed it so MCAS function would still work if one AoA vane malfunctioned by using [AoA = Pitch Angle - Flight Path Angle] as a tie-breaker to determine which AoA vane is sick. I guess just getting rid of MCAS on AoA disagrees is OK here since having no MCAS isn't much of safety problem. They kill MCAS on AoA disagrees, fine..... |
13 minutes of flight before crash - not 40 seconds
Originally Posted by infrequentflyer789
(Post 10430599)
Ok, so we finally have some "we tried this in the sim and...", albeit sim and scenario were under Boeing control (but apparently not under Boeing NDA...). Apparently these were first-world pilots, forewarned, MCAS expected, and obviously with knowledge of the potential implications (smoking crater / large splash).
Things that jumped out at me (my emphasis): So, 40 seconds to unrecoverable dive due to a system that the pilot does not know about (before), or (now) even with knowledge will not appreciate how powerful it is until they have experienced it in the sim. Which they won't have, because there are no sims outside Boeing because there don't need to be because no max-specific sim training is needed and an NG sim doesn't have MCAS. So the first time a line pilot encounters this "surprisingly powerful" control law is, inevitably, in the air with a plane load of pax behind them (WTF are sims for?), and they have 40s to figure it out - and it is not clear at what altitude that is... So, that was before Lion Air. Now, having established in tests with line pilots (presumably not done before?) that the "surprisingly powerful" MCAS cannot be appreciated until experienced in the sim (or presumably in the a/c, however briefly), the fix is, drum roll..............: :eek::confused::ugh:I really don't know what to say. I'm sure plaintiffs lawyers will though - they're going to have a ****ing field day in court with this. |
|
Originally Posted by GlobalNav
(Post 10431946)
The use of a single AoA sensor at a time, for a function that can do what it did in these two crash scenarios is the problem. The failure event that caused the loss of two airliners, so far, must be classified as Catastrophic, in the terms of 25.1309, and made to be Extremely Improbable (mathematically on the order of 10E-09). It was clearly not Extremely Improbable as certified. So the classification either needs to be upgraded or the system safety analysis called into question, maybe both.
Design strategies to meet this safety requirement may include redundancy (more than one AoA sensor), detection of sensor failure with corresponding steps to disable its input to the MCAS and others. Common causes that could lead to simultaneous failure of multiple AoA sensors must be avoided. As a previous poster noted, current AoA sensors can fail on the order of once every 100,000 hours, though I'm not sure that covers every failure mode. If the MCAS functionality must be assured for certification, then significant redesign of the system hardware architecture is necessary, not merely changing a few lines of code. Furthermore, I don't know what the hazard classification was approved for MCAS, but it should be Catastrophic, which means that software associated with its function should be at Design Assurance Level A. Not sure what the software DAL is, but to modify Level A software and get the modification approved is not trivial (time-consuming and expensive). Someone inside Boeing knew exactly what they were doing, and are fully culpable for these accidents. Where was the FAA in all this? |
Originally Posted by Dee Vee
(Post 10432111)
Can someone shed some light on those AoA graphs, other than what looks like some inverted graphing at the start and end of flight, the left and right sensors seem to be pretty much in agreement from a cursory glance....
|
Originally Posted by CurtainTwitcher
(Post 10432135)
It was stated earlier in the thread the reasoning behind the single sensor design was specifically so no AoA error could be detected. A dual sensor approach would allow an AoA error to be detected, which would necessitate the warning to be presented to the crew, and that would potentially require additional training. The design mandate for the MAX that there would be no requirement for simulator time to save the airlines money. Even the test pilot was unaware of the full MCAS was single channel.
Someone inside Boeing knew exactly what they were doing, and are fully culpable for these accidents. Where was the FAA in all this? |
I read from the BBC:
Boeing has redesigned the software so that it will disable MCAS if it receives conflicting data from its sensors. In a briefing to reporters Boeing said that the upgrades were not an admission that the system had caused the crashes. Boeing also said that airlines which fit this 'upgrade' are to be required to 'give feedback on its performance'. Surely that's the job of Boeing's flight test department? I can't see many passengers being happy to fly in a 737 Max ever again, no matter what 'upgrades' Boeing provides. |
Originally Posted by BEagle
(Post 10432150)
If AoA sensor disagreement in future will disable MCAS, then that must surely mean that the aircraft is allegedly safe to fly without it?
Not necessarily a valid parallel ... |
Based on what has been disclosed about the proposed changes, the lack of detail does not reassure or provide a convincing argument. The somewhat obvious changes to system architecture - dual sensing, cross comparison, authority limits, and annunciation (still deficient), should have been in place for certification - thus ‘closing the stable door’. However, there is no reference as to why the AoA value was in error on two aircraft, involving 3 vanes. Discussions have consided the physical vane, electrical output, software conversation, etc, but nowhere is there a description of why ‘on the day before’ everything was normal, but then the system malfunctioned. Why were these two aircraft, on that day, so different from all of the other aircraft in service. These aspects should be addressed by the formal investigations, as yet not disclosed publicly, but should be available to the manufacturer and regulator (but not all?). Software doesn’t leave ‘evidence’ at an accident site. Returning the aircraft to service is more about public trust than with design and certification; all are required, worldwide. This requires much more detail to restore technical trust, even if the manufacturer believes that a public statement is sufficient. Are we to accept - an analogy involving a car manufacturer after an accident where the steering-rod bolt fell out, being satisfied by fitting two bolts, but not knowing why the first bolt fell out. So far the changes are a ‘wet blanket’ over an unidentified cause; can we be convinced that the problem is cured without knowing ‘cause’? |
Feels a bit like deactivating alpha floor protection in an Airbus after only one time use.
|
Seattle Times: ”Ludtke didn’t work directly on the MCAS, but he worked with those who did. He said that if the group had built the MCAS in a way that would depend on two sensors, and would shut the system off if one fails, he thinks the company would have needed to install an alert in the cockpit to make the pilots aware that the safety system was off. And if that happens, Ludtke said, the pilots would potentially need training on the new alert and the underlying system. That could mean simulator time, which was off the table.” So - reasonably speculating - the decision making logic at Boeing went somewhere along this line: Engineers: We have two options to design the MCAS requirement into the MAX: A) with redundancy in the data input, as required for such systems with potentially catastrophic influence on the flight performance. We need to install an alert in the cockpit if the system is switched off due to inconsistency in the data. That means the pilots will need to undergo simulator training for conversion to the MAX. B) we poll only a single sensor and the system does not check for data integrity against other available data. Then the system can stay in the background and the pilots do not need to know. In case of sensor data corruption, the pilots would - best case - have a few seconds to recognize the problem as in effect comparable to a stabilizer runaway and use the cut out switches and apply manual counter trim. No need to mention this to anyone and no simulator training needed. What could go wrong? Well, in case of single sensor data failure, the airplane will want to fly itself and all on board with authority and high speed into the ground. Management: we do option B! |
In response to waterpilot.
Thank you Interflug, that Seattle Times article I was paraphrasing, exactly what I was trying to communicate. Even MAX Boeing test pilot didnt aware that MCAS is using one sensor data. https://www.bakersfield.com/ap/news/...7e6384825.html |
Originally Posted by CurtainTwitcher
(Post 10432135)
It was stated earlier in the thread the reasoning behind the single sensor design was specifically so no AoA error could be detected. A dual sensor approach would allow an AoA error to be detected, which would necessitate the warning to be presented to the crew, and that would potentially require additional training. The design mandate for the MAX that there would be no requirement for simulator time to save the airlines money. Even the test pilot was unaware of the full MCAS was single channel.
(caps inserted) At base level this MCAS is just an augmentation system is it not? In my view, it does not comply with the basic certification requirement above, and someone in Boeing knows this, software alone won't fix it. Ttfn |
Originally Posted by ivor toolbox
(Post 10432465)
Think they need to revisit part 25.671, then part 25.672, as a stability augmentation system must have "a warning which is clearly distinguishable to the pilot under expected flight conditions without requiring his attention must be provided for ANY failure in the stability augmentation system or in ANY OTHER AUTOMATIC OR POWER OPERATED SYSTEM WHICH COULD RESULT IN AN UNSAFE CONDITION IF THE PILOT WERE NOT AWARE OF THE FAILURE"
(caps inserted) At base level this MCAS is just an augmentation system is it not? In my view, it does not comply with the basic certification requirement above, and someone in Boeing knows this, software alone won't fix it. Ttfn I think you have pointed to the initial Kernel of causal factors. Many other posters have debated on the presumed application of System Safety "-1309" as the underlying certification base. However, if a more specific requirement is applied, as you suggest, then that regulation must take precedence over a less specific regulation. I would be most interested on how the FAA's North East region found compliance and under what regulation as this is where the fundamental fault may lie. I'm not ready to lay the complete fault at Boeing's door unless they misrepresented facts when submitting their application for acceptance. On the other hand how would the other world regulators accept a faulted certification base ? |
Originally Posted by BEagle
(Post 10432150)
I read from the BBC:
If AoA sensor disagreement in future will disable MCAS, then that must surely mean that the aircraft is allegedly safe to fly without it? Boeing also said that airlines which fit this 'upgrade' are to be required to 'give feedback on its performance'. Surely that's the job of Boeing's flight test department? I can't see many passengers being happy to fly in a 737 Max ever again, no matter what 'upgrades' Boeing provides. Another example of is the impact pressure schedule for the variable column feel on the 737. There are two separate feel units that are each driven by their own air data sensors. If a failure of one occurs (let's say its probe gets plugged as a result of hitting a bird) the column feel characteristics will be degraded - likely to a degree that would not support certification with respect to every day operation. Piloted evaluation, however, has shown that at the presumed rate of hitting a bird such that the probe is plugged the associated degradation in column feel is acceptable. In a more remote event hitting a flock of birds might plug both probes causing both feel units to behave improperly and the feel characteristic to degrade much more. Pilot evaluation of the change in feel characteristics with both feel units degraded has shown that it is acceptable given the probability of occurrence of that event. |
FCEng84, great posts. Would adding the line of code: "IF (pitch_angle < 7 degrees) THEN (disable MCAS autotrimming) END_IF" be a simple, good solution. (pitch_angle is triplex reliable).....
I know Boeing has already announced the alpha-disagree & etc. fix, yet if they would have put that inhibit in there, you could still say "skip sim training" for current 737 pilots, right? |
Originally Posted by Water pilot
(Post 10432142)
I don't think so. AOA disagree was an option and from what I read Southwest ordered it. Why it was an option is a damn good question since it is apparently just software -- given that the proposed fix does exactly that and takes an hour to install...
|
Originally Posted by lomapaseo
(Post 10432690)
I think you have pointed to the initial Kernel of causal factors. Many other posters have debated on the presumed application of System Safety "-1309" as the underlying certification base. However, if a more specific requirement is applied, as you suggest, then that regulation must take precedence over a less specific regulation.
I would be most interested on how the FAA's North East region found compliance and under what regulation as this is where the fundamental fault may lie. I'm not ready to lay the complete fault at Boeing's door unless they misrepresented facts when submitting their application for acceptance. On the other hand how would the other world regulators accept a faulted certification base ? As for other countries, well, under various bi-lateral agreements, once it gains FAA sign off and type cert, its read across as being compliant in those countries too. Ttfn |
Do countries like Ethiopia and Indonesia have the expertise to attempt to review an FAA aircraft type certification?
|
Originally Posted by Vilters
(Post 10430708)
You can update the software from now till eternity.
The main issue remains. These "events" are triggered by failing AOA sensor/systems. => That is where the main focus should be => Why is the AOA probe/system failing. That MCAS was single probe only is an error, but secondary and wat MCAS is/was trying to do is third. But, and this should be the main focus point => With a solid AOA signal, nothing of this would have happened in the first place. Hardware failures have to be possible without disastrous effects or consequences. Either the aircraft shouldn't require such a strange convoluted system for retaining stick force increase at the stall... Or a system should be built in that is 'totally foolproof' in so far as meeting theoretical and practically tested fault paths or redundancy... Or.. the airworthiness requirement should be waived with stall training and AoA alarms... Theory being why would you normally be flying into a stall.. neither Lion Air or Ethiopean were or would have been near the stall.. the IRONY is an Airworthiness Requirement KILLED people, LOTS? Lets ask this... how serious is a STRAIGHT stall if it's detected and countered formally (standard response) unless its a low level ? Is the stick force ~alpha curve or stick force per G overrated as a design criteria ? |
Originally Posted by HarryMann
(Post 10432915)
Don't necessarily agree...
Hardware failures have to be possible without disastrous effects or consequences. Either the aircraft shouldn't require such a strange convoluted system for retaining stick force increase at the stall... Or a system should be built in that is 'totally foolproof' in so far as meeting theoretical and practically tested fault paths or redundancy... Or.. the airworthiness requirement should be waived with stall training and AoA alarms... Theory being why would you normally be flying into a stall.. neither Lion Air or Ethiopean were or would have been near the stall.. the IRONY is an Airworthiness Requirement KILLED people, LOTS? Lets ask this... how serious is a STRAIGHT stall if it's detected and countered formally (standard response) unless its a low level ? Is the stick force ~alpha curve or stick force per G overrated as a design criteria ? But the signals coming from the AOA sensors tricked the "aircraft" to "think" it was in a stall and corrective action had to be taken. => MCAS and stick shaker where activated to counter an issue that did not exist in the first place. And now? ? They are going to "fix' this with a SOFTWARE UPDATE? Let us start with a third AOA sensor, then start thinking about the software. |
| All times are GMT. The time now is 18:05. |
Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.