|
Boeing 737 Max Software Fixes Due to Lion Air Crash Delayed
Engineering and regulatory complications are expected to delay safety fixes covering hundreds of Boeing Co. BA -0.06% 737 MAX jets until at least April, according to industry and government officials familiar with the details.Boeing is developing revised software for an automated flight-control feature that can forcefully push down the nose of MAX aircraft and was implicated in a high-profile Lion Air crash in Indonesia this past October. But the work has dragged on months longer than initially anticipated following the accident, these officials said. In addition to engineering challenges, they said, another reason for the delay stems from differences of opinion among some federal and company safety experts over how extensive the changes should be.Originally, software updates were expected to be fairly straightforward and slated to be announced in early January. But since then, there have been discussions about potentially adding enhanced pilot training and possibly mandatory cockpit alerts to the package, according to one person briefed on the details.There also has been consideration of more-sweeping design changes that would prevent faulty signals from a single sensor from touching off the automated stall-prevention system, officials said. But at this point, they said, such options appear to be losing favor among regulators.The 35-day partial government shutdown—during which consideration of the fixes was suspended—also created further delays.Over the weekend, a Boeing spokesman said the company “continues to evaluate the need for software or other changes as we learn more from the ongoing investigation.” He declined to elaborate on specifics.Since the accident, the Federal Aviation Administration has said it is considering taking action depending on the results of the investigation and reviewing certain issues related to its certification of 737 MAX aircraft.The Oct. 29 crash of Lion Air Flight 610 roughly 11 minutes after takeoff from Jakarta, killing all 189 on board, has raised fundamental questions about the limits and potential downsides of cockpit automation. The tragedy has highlighted the hazards when automated flight-control features fail or misfire, and pilots aren’t able to respond properly. Boeing has faced criticism from some airline officials, aviators and pilot union leaders for omitting details about the new stall-prevention system in the 737 MAX’s manuals or training requirements, which were approved by the FAA.The Chicago-based plane maker has said the process to create its manuals and training for the 737 MAX was consistent with developing previous airplanes, and that it provided information needed to safely fly the airplane. Boeing has said the airplane is safe and noted it is in operation around the world.Boeing favors a relatively simple solution that would primarily reduce the power and, under some circumstances, probably the repetitive nature of the flight-control system in question, called MCAS, according to these government and industry officials tracking the process. That appears to be the most likely outcome, they said, though no final decisions have been made. And the timing for an announcement remains fluid. The FAA is poised to mandate changes to the 737 MAX once there is a company-government consensus about the overall package.The stakes in the current debate go beyond skirmishes over arcane engineering judgments or Boeing’s design philosophy. The upshot, according to some industry officials and outside safety experts, could affect future suits filed by lawyers representing families of victims.The accident probe will take months to complete, as investigators look at factors ranging from maintenance to operations to aircraft design.The Indonesian-led investigation has tentatively concluded that sensor-calibration issues during maintenance touched off the fatal sequence of events, according to people familiar with the process. Investigators also have said the automated flight-control system was central to the crash, and they have publicly identified a number of pilot slip-ups that appear to have played an important part.The stall-prevention system was designed just for the 737 MAX, a variant of Boeing’s workhorse single-aisle jet that Boeing made its debut in 2015. U.S. operators of the new plane include Southwest Airlines Co. , American Airlines Group Inc. and United Continental Holdings Inc.Among measures the FAA has considered was whether to require all 737 MAX airplanes to be outfitted with indicators that alerts pilots when sensors that feed into the stall-prevention system disagree, the officials said. So-called angle of attack sensors essentially reflect the angle of the plane’s nose versus level flight. Cockpit alerts that show when such sensors disagree are currently optional on the fleet.Preliminary data released by Indonesian investigators points to the MCAS feature misfiring when incorrect signals from a single angle-of-attack sensor prompted the system to repeatedly push down the plane’s nose.In the Lion Air crash, investigators have indicated the pilots fought the MCAS system as it strongly and repeatedly pushed down the plane’s nose, but didn’t follow an existing procedure to deactivate it. Indonesian authorities have recovered, and more recently downloaded data from, Lion Air Flight 610’s cockpit-voice recorder. But they haven’t indicated what clues it may provide about the crew’s understanding of the system, and why shortly before the fatal dive the co-pilot apparently eased back on his nose-up commands.On MAX 8 models, under certain conditions, pilots may be unable to pull the plane out of a dive unless they react quickly and proceed to the most relevant portion of their emergency checklist. Outside safety experts have questioned how the FAA gave the green light for such a design lacking redundant software or hardware safeguards. One malfunctioning sensor or a single stream of faulty signals—called a “single point failure” in engineering lingo—can lead to a catastrophic dive, if pilots react improperly.As part of the overall Lion Air probe, the FAA has said its experts are reviewing that and other issues around how the aircraft was certified to fly passengers.
|
Slightly more readable version for anyone who can't get behind the WSJ's paywall:
Engineering and regulatory complications are expected to delay safety fixes covering hundreds of Boeing Co. BA -0.06% 737 MAX jets until at least April, according to industry and government officials familiar with the details. Boeing is developing revised software for an automated flight-control feature that can forcefully push down the nose of MAX aircraft and was implicated in a high-profile Lion Air crash in Indonesia this past October. But the work has dragged on months longer than initially anticipated following the accident, these officials said. In addition to engineering challenges, they said, another reason for the delay stems from differences of opinion among some federal and company safety experts over how extensive the changes should be. Originally, software updates were expected to be fairly straightforward and slated to be announced in early January. But since then, there have been discussions about potentially adding enhanced pilot training and possibly mandatory cockpit alerts to the package, according to one person briefed on the details. There also has been consideration of more-sweeping design changes that would prevent faulty signals from a single sensor from touching off the automated stall-prevention system, officials said. But at this point, they said, such options appear to be losing favor among regulators. The 35-day partial government shutdown—during which consideration of the fixes was suspended—also created further delays. Over the weekend, a Boeing spokesman said the company “continues to evaluate the need for software or other changes as we learn more from the ongoing investigation.” He declined to elaborate on specifics. Since the accident, the Federal Aviation Administration has said it is considering taking action depending on the results of the investigation and reviewing certain issues related to its certification of 737 MAX aircraft. The Oct. 29 crash of Lion Air Flight 610 roughly 11 minutes after takeoff from Jakarta, killing all 189 on board, has raised fundamental questions about the limits and potential downsides of cockpit automation. The tragedy has highlighted the hazards when automated flight-control features fail or misfire, and pilots aren’t able to respond properly. Boeing has faced criticism from some airline officials, aviators and pilot union leaders for omitting details about the new stall-prevention system in the 737 MAX’s manuals or training requirements, which were approved by the FAA. The Chicago-based plane maker has said the process to create its manuals and training for the 737 MAX was consistent with developing previous airplanes, and that it provided information needed to safely fly the airplane. Boeing has said the airplane is safe and noted it is in operation around the world. Boeing favors a relatively simple solution that would primarily reduce the power and, under some circumstances, probably the repetitive nature of the flight-control system in question, called MCAS, according to these government and industry officials tracking the process. That appears to be the most likely outcome, they said, though no final decisions have been made. And the timing for an announcement remains fluid. The FAA is poised to mandate changes to the 737 MAX once there is a company-government consensus about the overall package. The stakes in the current debate go beyond skirmishes over arcane engineering judgments or Boeing’s design philosophy. The upshot, according to some industry officials and outside safety experts, could affect future suits filed by lawyers representing families of victims. The accident probe will take months to complete, as investigators look at factors ranging from maintenance to operations to aircraft design. The Indonesian-led investigation has tentatively concluded that sensor-calibration issues during maintenance touched off the fatal sequence of events, according to people familiar with the process. Investigators also have said the automated flight-control system was central to the crash, and they have publicly identified a number of pilot slip-ups that appear to have played an important part. The stall-prevention system was designed just for the 737 MAX, a variant of Boeing’s workhorse single-aisle jet that Boeing made its debut in 2015. U.S. operators of the new plane include Southwest Airlines Co. , American Airlines Group Inc. and United Continental Holdings Inc. Among measures the FAA has considered was whether to require all 737 MAX airplanes to be outfitted with indicators that alerts pilots when sensors that feed into the stall-prevention system disagree, the officials said. So-called angle of attack sensors essentially reflect the angle of the plane’s nose versus level flight. Cockpit alerts that show when such sensors disagree are currently optional on the fleet. Preliminary data released by Indonesian investigators points to the MCAS feature misfiring when incorrect signals from a single angle-of-attack sensor prompted the system to repeatedly push down the plane’s nose. In the Lion Air crash, investigators have indicated the pilots fought the MCAS system as it strongly and repeatedly pushed down the plane’s nose, but didn’t follow an existing procedure to deactivate it. Indonesian authorities have recovered, and more recently downloaded data from, Lion Air Flight 610’s cockpit-voice recorder. But they haven’t indicated what clues it may provide about the crew’s understanding of the system, and why shortly before the fatal dive the co-pilot apparently eased back on his nose-up commands. On MAX 8 models, under certain conditions, pilots may be unable to pull the plane out of a dive unless they react quickly and proceed to the most relevant portion of their emergency checklist. Outside safety experts have questioned how the FAA gave the green light for such a design lacking redundant software or hardware safeguards. One malfunctioning sensor or a single stream of faulty signals—called a “single point failure” in engineering lingo—can lead to a catastrophic dive, if pilots react improperly. As part of the overall Lion Air probe, the FAA has said its experts are reviewing that and other issues around how the aircraft was certified to fly passengers. |
Originally Posted by DaveReidUK
(Post 10386515)
Slightly more readable version for anyone who can't get behind the WSJ's paywall:
There also has been consideration of more-sweeping design changes that would prevent faulty signals from a single sensor from touching off the automated stall-prevention system, officials said. But at this point, they said, such options appear to be losing favor among regulators. Pardon the expression, but if not that, WTF are they fixing? |
Salute!
@ infrequent :ok: they are "fixing" to face zillions of $$ in liability lawsuits concerning potentially negligent certification procedures and failure to fully/clearly explain to the crews what the new flight control doofer could do if one AoA sensor or maybe another single component failed. Gums opines... |
The 747 came out with triple INS. In case of disagreement, the odd one was voted out.
With the criticality of MCAS, it seems a strong candidate for triple sensors and a voting algorithm. |
Why not just disable the system on all aircraft? If you do encounter an abnormal where you are down to manual trim the Boeing procedures don't add any caution about avoiding any flight regime that MCAS was supposed to protect.
|
Originally Posted by jimtx
(Post 10386965)
Why not just disable the system on all aircraft? If you do encounter an abnormal where you are down to manual trim the Boeing procedures don't add any caution about avoiding any flight regime that MCAS was supposed to protect.
https://cimg0.ibsrv.net/gimg/pprune....6092bf2e88.jpg Because they can't certify the aircraft without MCAS. At high AOA the engines (being MUCH bigger and WAY further forward) provide too much aerodynamic lift ahead of the CG, pushing the nose up even further. MCAS adds AND trim in this scenario. Just compare the B737-100 with the B737-MAX and you see why they needed to add electronic band-aids to keep it legal. |
jimtex, the problem is not a simple issue of trimming the aircraft. Automatic application of trim appears to be used to improve marginal pitch stability in specific areas of the flight envelope. e.g. with high thrust the aircraft might pitch up faster than could be managed with normal stick input, thus nose down trim reduces the flying task and risk of loss of speed. No MCAS, no certification, #7. The delay is probably a complex interaction of embarrassments; Boeing certification, FAA oversight, EASA talking away doubts, interpretation of required levels of safety, system probabilities, and any other issue which might have been ‘overlooked’ - signed off under grandfather rights / common type certification and pilot rating. Once you have opened a box of issues then all need reconsideration. In addition, having opened the electronic ‘box’ containing AoA computation, then what else is in that box which could be, or was affected. Erroneous low speed awareness, misleading and unwarranted stick shake, feel system, and the difficult question of how much credit should the claimed for pilot intervention in detecting and managing failed systems - particularly where the so called fail-safe system (or process) had failed. There was a brief discussion on slats in another thread; slats appear to be related to the AoA input in one of the computations. The slats might not have operated, but if the safety integrity of the protection system was lost, then there might be opportunity for an eye watering deployment at high speed. |
Originally Posted by hans brinker
(Post 10386987)
https://cimg9.ibsrv.net/gimg/pprune....b62da90118.jpg
https://cimg0.ibsrv.net/gimg/pprune....6092bf2e88.jpg Because they can't certify the aircraft without MCAS. At high AOA the engines (being MUCH bigger and WAY further forward) provide too much aerodynamic lift ahead of the CG, pushing the nose up even further. MCAS adds AND trim in this scenario. Just compare the B737-100 with the B737-MAX and you see why they needed to add electronic band-aids to keep it legal. |
Originally Posted by PEI_3721
(Post 10387003)
jimtex, the problem is not a simple issue of trimming the aircraft. Automatic application of trim appears to be used to improve marginal pitch stability in specific areas of the flight envelope. e.g. during go around with high thrust the aircraft might pitch up faster than could be managed with normal stick input, thus ‘prepositioning’ (anticipating) the need for nose down trim reduces the flying task and risk of loss of speed. No MCAS, no certification, #7. The delay is probably a complex interaction of embarrassments; Boeing certification, FAA oversight, EASA talking away doubts, interpretation of required levels of safety, system probabilities, and any other issue which might have been ‘overlooked’ - signed off under grandfather rights / common type certification and pilot rating. Once you have opened a box of issues then all need reconsideration. In addition, having opened the electronic ‘box’ containing AoA computation, then what else is in that box which could be, or was affected. Erroneous low speed awareness, misleading and unwarranted stick shake, feel system, and the difficult question of how much credit should the claimed for pilot intervention in detecting and managing failed systems - particularly where the so called fail-safe system (or process) had failed. There was a brief discussion on slats in another thread; slats appear to be related to the AoA input in one of the computations. The slats might not have operated, but if the safety integrity of the protection system was lost, then there might be opportunity for an eye watering deployment at high speed. |
Why not just disable the system on all aircraft? |
They should put longer landing gear on the 737 so the engines can be a bit farther back. |
MCAS is flaps up only. Furthermore, it is not needed to provide anticipatory stabilizer trim in order to maintain sufficient pitch control power via the column/elevator. If column/elevator were not able to generate enough pitch control power without moving the stabilizer other than to provide long term pitch trim that would constitute a certification issue that could not be addressed via either stabilizer trim or a stick pusher.
The certification issue that is addressed by MCAS is that the inherent pitch up encountered at high AOA, aft CG, flaps up is such that increased AOA can require relaxing of the column pull needed to initiate the maneuver. Requirements call for stick force needed to increase AOA up to stick shaker must not drop with increasing AOA. |
Originally Posted by ImbracableCrunk
(Post 10387012)
They should put longer landing gear on the 737 so the engines can be a bit farther back. And maybe change the nose so it's a bit quieter. Maybe put some cutting-edge 1970's avionics in it. How about a more pleasing brown color for the cockpit?
|
Originally Posted by FCeng84
(Post 10387054)
MCAS is flaps up only. Furthermore, it is not needed to provide anticipatory stabilizer trim in order to maintain sufficient pitch control power via the column/elevator. If column/elevator were not able to generate enough pitch control power without moving the stabilizer other than to provide long term pitch trim that would constitute a certification issue that could not be addressed via either stabilizer trim or a stick pusher.
The certification issue that is addressed by MCAS is that the inherent pitch up encountered at high AOA, aft CG, flaps up is such that increased AOA can require relaxing of the column pull needed to initiate the maneuver. Requirements call for stick force needed to increase AOA up to stick shaker must not drop with increasing AOA. |
jimtx - you are right about MCAS addressing a hand flying, handling qualities issue. MCAS is active only when the autopilot is disengaged. You are also correct that a pilot paying close attention to pitch response will manage the stick (or in this case the column on 737) so as to command the pitch attitude needed to achieve the desired normal load factor / flight path angle. The issue here is that certification rules require that increasing pull pitch controller input must be needed to command ever increasing AOA / normal load factor. Without MCAS there are 737MAX flight conditions where AOA / normal load factor can increase with constant column pull such that the pilot would need to relax the pull force in order to avoid exceeding their target nose up pitch maneuver. This characteristic does not comply with certification requirements and thus MCAS was introduced to assure that a steady increase in AOA / normal load factor requires a steady increase in column pull force.
|
So how does this system function during a low level Windshear recovery with the stick shaker activating?
|
You all appear to missing a very critical portion of the article:
But at this point, they said, such options appear to be losing favor among regulators. It's unfortunate and ironic that the more safety critical the change, the more difficult and time consuming it is to get it certified. I ran into this phenomena many times during my career - and that was without the political, lawyer, and ass covering complications that are undoubtedly coming into play on this issue. - |
Call my cynical ...
|
WhatsaLizad - Any low level operation would be with flaps extended => MCAS not operable.
tdracer - Agreed, engineers tend to lobby for design features that take their systems from Safe to Safer. Roadblock to enhanced safety are usually found elsewhere. |
| All times are GMT. The time now is 11:33. |
Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.