PPRuNe Forums (https://www.pprune.org/)
- Rumours & News (https://www.pprune.org/rumours-news-13/)
- Boeing pilot involved in Max testing is indicted in Texas (https://www.pprune.org/rumours-news/643217-boeing-pilot-involved-max-testing-indicted-texas.html)

megan 27th Jun 2022 23:43

ICAO is also due a score card on how the bureaucratizing of aviation is coming along
Does a UN agency ever achieve anything? Sully has handed in his notice after six months.

tdracer 27th Jun 2022 23:45

Originally Posted by WideScreen (Post 11252586)
Yep, that's why I say, to move away from these vague certification criteria. The moment you can use a ruler to check on certification compliance, you give management far fewer chances to cheat on these things.

That may sound great in theory, but in practice it's nearly impossible to implement. Engine failure at V1 must be controllable, and it's demonstrated during cert. But there is a certain probability that a sub-par pilot will botch it when it happens to them in real life. Does that mean we can't certify unless we somehow 100% eliminate the possibility of a V1 engine failure? Better ground the worldwide fleet because no one knows how to do that.
How do you quantify 'controllable' with hard and fast 'ruler' requirements? Hence the requirements are sprinkled with terms like 'unusual pilot skill'. We try to design for the lesser skilled pilots, but you need to draw the line somewhere or we'll never be able to certify a piloted aircraft.

WillowRun 6-3 28th Jun 2022 01:16

Well, it's nice to know that I've been living under a rock . . . . had not previously seen news of Amb. Sullenberger's resignation.

In fairness to ICAO - I mean as an organization or entity, and also a place where many dedicated people at all levels devote much effort - it predates the UN. The Chicago Convention of 1944, its Annexes, the SARPs and much more, have contributed greatly to the safety, efficiency, and overall vitality of civil aviation sectors in many countries (I mean, Member States) and internationally. Of course it's within the UN umbrella today, but that shouldn't be the reply to all interest in its work or proceedings.

I have no idea why, exactly, the Ambassador has tendered a resignation. Perhaps it is because within the past several years, the Organization has seemed captivated, or maybe "captured, occupied and indentured" is more accurate, to certain aspects of climate change orthodoxy - while at the same time proving feckless against actual present-day aviation matters (RyanAir diversion, Ukrainian Int'l shootdown, MH17, to name some prominent cases). Plus it evidently is lacking anything like cutting-edge, insightful developmental work on preparing to cope with the coming onslaught of en masse cockpit automation (and ATM automation, and higher airspace traffic and usage, and AI . . . .) at least as well as global civil aviation coped with, say, the arrival of the Jet Age, the arrival also of wide-body aircraft (massive traffic growth) and two-engine overwater ops, you know, the pre-Instagram stuff.

This isn't to say that dealing with concepts, and terminology or phrasing within formal certification regulations, about levels of aviation skills, knowledge and abilities would be a subject matter where ICAO could or should take the lead. But at the same time, I think if and when a solution, at least a workable solution from an operational as well as engineering standpoint, finally is found, it would be better by far if ICAO and its various outputs were in alignment.

Cognoscenti will recognize the source for this line, but I'm exercising caution in stating attribution; an airline enmeshed at the time in a matter of international civil aviation diplomatic controversy claimed its operations were "the business of freedom." There is something to that notion. Maybe a lot of something. Anyhow, and much to this attorney-and-SLF's disappointment, the upcoming Assembly in Montreal just won't be the same without the class, eminence and integrity brought to the role of U.S. Permanent Rep.

Pilot DAR 28th Jun 2022 02:22

We try to design for the lesser skilled pilots, but you need to draw the line somewhere or we'll never be able to certify a piloted aircraft.
I agree that "average", "must not require unusual skill" and the like are very difficult to quantify. But there has to be a starting point somewhere. For my experience, if the pilot assessing the handling characteristic has any doubt about compliance, the first thing he/she does, is discuss it with the team, including the certifying authority. This would be the opposite of murmuring to one's self that it's "probably okay" and saying nothing, knowing that doing so steps the certification process along.

I have certainly trained pilots on airplane types which I knew to be totally benign, and the pilot had a terrible time with it - it was the pilot! And, I own a certified single engine GA type, which is so demanding of skill, it actually requires a type rating in other countries. In my opinion, it does demand unusual skill, and type specific training, but it was certified "normally".

In any case, like anything in certification, if in doubt, report and discuss (then probably have another pilot assess, with the concern in mind).

WideScreen 28th Jun 2022 03:34

Originally Posted by tdracer (Post 11252615)
That may sound great in theory, but in practice it's nearly impossible to implement. Engine failure at V1 must be controllable, and it's demonstrated during cert. But there is a certain probability that a sub-par pilot will botch it when it happens to them in real life. Does that mean we can't certify unless we somehow 100% eliminate the possibility of a V1 engine failure? Better ground the worldwide fleet because no one knows how to do that.
How do you quantify 'controllable' with hard and fast 'ruler' requirements? Hence the requirements are sprinkled with terms like 'unusual pilot skill'. We try to design for the lesser skilled pilots, but you need to draw the line somewhere or we'll never be able to certify a piloted aircraft.

I agree, it's not 100% avoidable to have some vagueness, in the end, flying is (for the foreseeable time) a human driven process.

However, striving to minimize the amount of vagueness could be very useful.

Engine failure at V1 controllable can be specified in maximum flight-path/3D-position/energy deviations vs. time, given a maximum amount/reaction-time of control input.

Compare this with EGPWS. EGPWS effectively creates a dynamic multidimensional "virtual-path", where it is safe to fly. As long as the aircraft stays within these multidimensional boundaries, the aircraft is safe. Move outside this virtual-path and the dangers start adding up, sometimes very quickly.

For the V1 failures, a similar virtual-path can be defined and used as a certification requirement. Define the maximum amount of correction required, vs. the reaction time, and things do get quite deterministic. This would immediately wipe out the possibility that an outright dangerous aircraft will pass the certification tests (because with the vague certification criteria, an ace could save the aircraft certification). This way, you create "a ruler" to be used for the certification. When the current certification criteria were established, technology wasn't available to specify and/or measure this type of specifications, so, one did water down these certification criteria to "average pilot", etc. Nowadays, math, computational power as well as sensor capabilities are an order of magnitude better and a different, less vague, approach to certification would be feasible.

And, because the aircraft certification gets deterministic, the pilot certification can also become more deterministic. Still not perfect, though getting better than the vague "average" qualification.

WideScreen 28th Jun 2022 03:42

Originally Posted by Pilot DAR (Post 11252664)
I agree that "average", "must not require unusual skill" and the like are very difficult to quantify. But there has to be a starting point somewhere. For my experience, if the pilot assessing the handling characteristic has any doubt about compliance, the first thing he/she does, is discuss it with the team, including the certifying authority. This would be the opposite of murmuring to one's self that it's "probably okay" and saying nothing, knowing that doing so steps the certification process along.

I have certainly trained pilots on airplane types which I knew to be totally benign, and the pilot had a terrible time with it - it was the pilot! And, I own a certified single engine GA type, which is so demanding of skill, it actually requires a type rating in other countries. In my opinion, it does demand unusual skill, and type specific training, but it was certified "normally".

In any case, like anything in certification, if in doubt, report and discuss (then probably have another pilot assess, with the concern in mind).

The bold part is the problem. As long as one is dealing with honest people, things are fine. The moment greed sets in, we get what happened to the MAX. Have less vague certification specifications and the amount of cheating will be reduced.

Initially, this sounds pretty bad for aircraft designers, though looking further into this, it makes their life a lot easier. Engineers/Technical designers want to have clear criteria of what they need to achieve, and makes preparing for the certification a lot easier. Not to say, for example, the whole car-industry works on these principles. Turn the vague marketing level requirements into technical requirements and create the technical design from there. Once the technical options are exhausted, work with the marketing to update (maybe water down) the marketing goals for that specific item. Since cars are produced in massive amounts, this working mechanism is mandatory to avoid disaster designs.

slast 28th Jun 2022 16:57

Just as an aside, I’ve never forgotten that many (MANY!) years ago as an IFALPA rep at an ICAO Airworthiness Committee meeting, I worked with a terrific character named Thomas (Tom) Foxworth who was the relevant ALPA committee chairman. We were discussing reaction time for accelerate-stop certification and apropos what “quality” of pilot should be fed into probability models etc, Tom used the phrase “least competent of the competent” to encompass both the pilot who regularly just scraped by on all training, and the one who did pretty well but was at the low end of e.g. fatigue on the day.

PEI_3721 30th Jun 2022 08:43

In a very safe, yet still evolving industry, the processes required to maintain the highest standards also have to change. The difference between the old and new views of safety (human error) is a simplified example.

Outwardly the FAA and Boeing holds the old view, ‘blame and train’. Build systems assuming that it is possible to sufficiently train people - change human nature - to manage foreseeable situations; thus taking the greatest credit for human performance in system operation - malfunction. (Outwardly Airbus appears to differ - safety attitude - integrated systems; EASA less convincing?)

With evolution, safety depends on recognition that human activity and particularly training is limited, with increasing uncertainty in outcome. Certification decisions via requirement and consensus must now be seen as soft judgements which accommodate the widest range of views and (unforeseen) situations. This in part represents the new view; complex operations depend on human activity, the human is an asset, but limited by the situation.
Certification processes in complex systems need greater focus on assumptions and ambiguities, on the situational uncertainties which crews are expected to manage; aviation is slowly adapting, but perhaps not as fast as other industries. 20 yrs ago aviation was the benchmark, HF, CRM, risk management; nowadays aviation appears to lag other transport systems and medical care. In many ways aviation is complacent, slow to change, reluctant to view the world differently.

Note the references below; a wide view, evaluation teams, task orientated.
Human Factors in Risk Assessment
note embedded links and also see links and resources
and ‘Reducing Error And Influencing Behaviour hsg48’

“It is our knowledge — the things we are sure of — that makes the world go wrong and keeps us from seeing and learning.” Lincoln Austin Steffens
“We know more than we’re able to explain that we know.
And I call this inarticulate knowledge — the knowledge that I’m not able to articulate to somebody.
And I have inarticulate knowledge about a lot of things, including other people.
I could have tacit knowledge of why I trust somebody that I couldn’t explain to you. If you asked me to give you specific things, I wouldn’t be able to point to that, “Oh, there’s that one time when we were hanging out together,” because it’s probably not any one particular thing. It’s probably a series of things, call it a gut feeling. I just have that.
And I have the same thing for mistrust. Right? And I think that this kind of tacit knowledge and articulate knowledge is undervalued in our society. It’s undervalued because we always want to be able to explain the science and give the hard reasons for it. But a lot of life doesn’t work like that.”
“It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so.” Mark Twain

Big Pistons Forever 1st Jul 2022 03:12

Boeing hasn’t delivered a 787 in more than a year and now the latest kick in the arse

The U.S. Department of Transportation (DOT) Office of Inspector General (OIG) has announced plans to audit the FAA's oversight of Boeing 737 and 787 production. According to a memorandum released by the OIG, the audit will focus on the FAA's process for "identifying and resolving production issues and addressing allegations of undue pressure within the production environment." The audit is expected to begin in July.

You would think that by now Boeing execs would have made sorting the production process issues a high priority starting with getting serious about encouraging a robust safety reporting culture, yet the steady drip drip of own goals continues. I think that sadly, Boeing is too broken to fix….

Klauss 1st Jul 2022 04:14

Originally Posted by megan (Post 11252612)
Does a UN agency ever achieve anything? Sully has handed in his notice after six months.

6 months....hm. I feel that ICAO isn't what it used to be. Doesn't seem to have enough people, resources and attention by politicians who expect it to play its vital role in aviation. Check this out:
The budget is a Zero Nominal Growth (ZNG) budget, developed by maintaining the average Assessment of Member States for the next three years at the 2019 level, while retaining all important existing activities and providing additional resources for priorities such as aviation security, Carbon Offsetting ((( plus plus plus....)))
Easy to see that 'traditional' ICAO work is put on hold to cater for fancy (though needed) new projects. However, we need a solid basis for Aviation.... Echoes of the Boeing management mess ??
Whatever, I can understand Sully.

fdr 1st Jul 2022 13:06

Originally Posted by Big Pistons Forever (Post 11254387)
You would think that by now Boeing execs would have made sorting the production process issues a high priority starting with getting serious about encouraging a robust safety reporting culture, yet the steady drip drip of own goals continues. I think that sadly, Boeing is too broken to fix….

Boeing corporate has been single-minded in doing nothing much to reverse the rot that arose from the MDD invasion of TBC. If they didn't get the message over the tanker debacle, the B737 ring frame saga, the 787 section joints, the Max, and production in the Carolinas, along with the tanker fuel debris etc... apparently the lads are inured to "signs". Moses, they ain't. Boeing doesn't however need a prophet, they need a leader that places quality higher on their agenda than bloated profits (prophets?). They have had more than a few hints to amend their ways, but seem to have the pioneer spirit to keep on in spite of common sense.

Time to dislodge the board.

WideScreen 2nd Jul 2022 07:15

Originally Posted by fdr (Post 11254615)
Boeing corporate has been single-minded in doing nothing much to reverse the rot that arose from the MDD invasion of TBC. If they didn't get the message over the tanker debacle, the B737 ring frame saga, the 787 section joints, the Max, and production in the Carolinas, along with the tanker fuel debris etc... apparently the lads are inured to "signs". Moses, they ain't. Boeing doesn't however need a prophet, they need a leader that places quality higher on their agenda than bloated profits (prophets?). They have had more than a few hints to amend their ways, but seem to have the pioneer spirit to keep on in spite of common sense.

I think it is dangerous to insist on "quality", since this emphasizes "paperwork", which is already available in large quantities at Boeing, though watered down (because of the sheer volume) by those in charge of controlling that the operations are performed according to "the books".

What Boeing needs is the reverse to the concept of technical excellence as a leading item. And the understanding that long-term profits only come from the fruits of this technical excellence.

Originally Posted by fdr (Post 11254615)
Time to dislodge the board.

I don't think, that is enough, there are far too many managers below that level, who simply miss the capabilities and/or drive for the technical excellence.

But, hey, this is how all big companies in the end start to fail.

fdr 3rd Jul 2022 05:05

Originally Posted by WideScreen (Post 11254888)
I think it is dangerous to insist on "quality", since this emphasizes "paperwork", which is already available in large quantities at Boeing, though watered down (because of the sheer volume) by those in charge of controlling that the operations are performed according to "the books". What Boeing needs is the reverse to the concept of technical excellence as a leading item. And the understanding that long-term profits only come from the fruits of this technical excellence.

Boeing produces both products and services. The client for any of their output makes a determination on the output based on quality and price, which is the basis of economic differentiation in the marketplace. The term Quality in that sense is not the narrow view of a QA program, it is what the output is considered by the purchaser to be fit for, and it occurs in a comparative space. If the alternative is an AN-2, then the B7XX may be attractive, warts n all. If Boeing is being compared to another competent provider, say one starting with the first letter of the alphabet, then when the products seem to be messed up in the kitty litter routinely, and over 25 years of the input from MDD manglement, it appears this is business as usual or business as desired. That's the quality matter that a purchaser looks at. Price can always be made so attractive that the purchaser's shareholders will have kittens (who don't mind the kitty litter surprises) if the customer doesn't take advantage of the short term gains in discounted products. The OEM's QA department is a part of the quality case, but is just a part. Not caring about your product certainly makes pricing a factor, like the AN-2.

Originally Posted by WideScreen (Post 11254888)
I don't think, that is enough, there are far too many managers below that level, who simply miss the capabilities and/or drive for the technical excellence. But, hey, this is how all big companies in the end start to fail.

Gotta start somewhere, and that means probably at the top, they are the ones with the remit to take action. It is conceivable that the engineers and machinists and QA staff of the company could stage a mass walkout, but then it is quite possible that the mgt would care less, they probably can book an improved balance sheet due to the reduction in labor costs, grab their stash 'o cash and retire.

There was a time when we used to be proud of driving Boeing aircraft. Boeing still made hashes occasionally, like JAL 103, but then so did everyone, (DC-10 door locks... L-1011 CWS... Airbus rudder limiter design... vertical stab secondary structure...) Would be nice to have pride in their product.

PS: the AN-2 is actually a pretty neat plane in its own right.

soarbum 19th Jan 2023 23:51

Boeing must publicly face fraud charge in 737 Max deaths, judge says

U.S. District Judge Reed O’Connor has yet to rule on a separate motion to vacate key parts of a deferred prosecution agreement with the company


Bbtengineer 8th Mar 2023 01:52

Originally Posted by fdr (Post 11255291)
Boeing produces both products and services. The client for any of their output makes a determination on the output based on quality and price, which is the basis of economic differentiation in the marketplace. The term Quality in that sense is not the narrow view of a QA program, it is what the output is considered by the purchaser to be fit for, and it occurs in a comparative space. If

Boeing are the product owner.

They cannot in any meaningful sense outsource decisions on the safety or suitability of the product to their customer.

The problem we saw recently with MAX is precisely that they were suckered into doing just that.

It doesn’t work. It has no longevity.

You enquire about your customers’ opportunities and constraints. You don’t ask them to define the solution. That isn’t a customer responsibility.

Succumbing to the lowest common denominator of your client requests, outsourcing your product definition to your client is just a death spiral.

What they actually have to do is figure out how to be justifiably proud enough of their product that they are prepared to fire the customer.

If they can get that right, they won’t have to.

9 lives 8th Mar 2023 03:15

Boeing produces both products and services. The client for any of their output makes a determination on the output based on quality......
Well.... Not exactly. "The client" may make a determination of the output quality, it is their contractual right, should they choose to exercise it. More commonly, the client depends upon the conformity of the product with an approved type design. The authority (in this case, the FAA) has issued that type approval based upon demonstration and finding of design compliance to national or international design standards. The client need not be solely responsible for making a determination of quality, it could be a task beyond their internal technical capability - they depend upon the authority for that service to society.

The authority (in this case, again, the FAA) has delegated some of the approval task, of finding of design compliance, to Boeing. Boeing is bound by commitment to the FAA to exercise that delegation ethically - not to find compliance when it has not been demonstrated (the product is not actually compliant). Of course, Boeing is a corporate entity, not a person, so it depends upon people to be ethical in the exercise of the FAA delegation for finding design compliance, and contributing to the FAA's type certification of the product. Every person who is associated with the demonstration and finding of design compliance has an ethical duty to not represent [to the FAA] that compliance has been demonstrated, when it has not. Isn't it fraud when a person (or corporate entity) makes a representation to achieve an outcome, when the representation is false?


Warning information must be provided to alert the crew to unsafe system operating conditions, and to enable them to take appropriate corrective action. Systems, controls, and associated monitoring and warning means must be designed to minimize crew errors which could create additional hazards.
A person in the employ of Boeing either made, or led the FAA to make, a finding of compliance that the MCAS system met the foregoing design requirement. Did the MCAS produce a warning to alert the flight crew to an unsafe condition (its failure)? From what I understand, the warning system was an option, which only a few airline customers purchased. The design requirement does not allow the warning system to be optional! It's required for compliance to be found - but, design compliance was found for an airplane which did not include the warning system - someone signed for something which was not there. I imagine that a Boeing test pilot would know of this design requirement, and should speak up when he joins the dots that a required, not pilot controlled, stability system could fail, and there be no crew warning. If a person signs for the compliance of a required system which is not present, to gain [approval], isn't that fraud?

MechEngr 8th Mar 2023 03:35

MCAS did not fail. The AoA subsystem did, producing erroneous data and a false stall warning. MCAS did exactly what it was supposed to do based on the information it was provided. Isn't the suggestion for pilots to push the nose down when there is a stall warning and stick shaker? While MCAS wasn't designed to detect or react to stalls, and appears to have no such input, it is supposed to provide a correction to a high AoA and it did. The FAA, Boeing, foreign CAAs, and all pilots trained on the 737 NG already accepted the chance for a false stall warning and had done so for, estimating, 2 decades.

fdr 8th Mar 2023 06:48

Originally Posted by Bbtengineer (Post 11397413)
Boeing are the product owner.They cannot in any meaningful sense outsource decisions on the safety or suitability of the product to their customer. The problem we saw recently with MAX is precisely that they were suckered into doing just that.


From a regulatory perspective, the TC holder wears the hat for the program quality as a compliance matter to the regulation framework. The customer has choices, and can elect to make their determination of an acquisition based on the value of the product that is provided to them which is quality v pricing. The AN-2 can look attractive in its own way. Is the product that is offered at present achieving a desirable acquisition to those that have choices?

Less Hair 8th Mar 2023 07:37

MCAS did fail because it had been made dependent on single data point input from AoA-systems and data interpretation not being reliable enough.

P.S. traded an a for some e

MechEngr 8th Mar 2023 08:55

Are false alarms OK? Wasn't it the startle effect from the false alarm that caused the ET302 crew to ignore that full thrust remained as the plane exceeded the velocity envelope? Wasn't it the false alarm that forced the autopilot to go offline and allow MCAS to operate?

I prefer to focus on the origin of the problem and not the edge of the last chance to correct it.

Why wasn't the autopilot software designed to choose the correct AoA sensor? Why when it went off line didn't the autothrottle also go off line? These are also decades old decisions. Why is the AoA sensor not fail-safe? But, sure, multiple decades of depending on all these bad ideas.

hans brinker 8th Mar 2023 16:51

Originally Posted by MechEngr (Post 11397567)
Are false alarms OK? Wasn't it the startle effect from the false alarm that caused the ET302 crew to ignore that full thrust remained as the plane exceeded the velocity envelope? Wasn't it the false alarm that forced the autopilot to go offline and allow MCAS to operate?

I prefer to focus on the origin of the problem and not the edge of the last chance to correct it.

1) Why wasn't the autopilot software designed to choose the correct AoA sensor? 2) Why when it went off line didn't the autothrottle also go off line? These are also decades old decisions. 3) Why is the AoA sensor not fail-safe? But, sure, multiple decades of depending on all these bad ideas.

Very much agree with the first paragraph, but based on what you post here normally, I am not sure if your last paragraph is as clear as you normally are...

1) How can the AP decide which is the correct one if there are two inputs that differ from each other? You need 3 AOAs to vote, or another input like AHRS attitude and GS to rule out the faulty one (currently being studied (implemented?) by Boeing)
2) If the AT had gone offline, it would not have reduced power either. If anything, the AT could have had a function to automatically reduce thrust in an overspeed. (like the A320 has had for 3+ decades for underspeed)
3) What do you mean by fail-safe? How would it know the data it provides is incorrect without being able to compare to other data?

But yes. You are totally correct the B737 design is decades overdue for a systems and cockpit design change. The B737NG was launched 10 years after the A320, over 25 years ago. The A320 has mostly triple sensors that vote, or let the pilot make a more informed choice about what is the correct one, (can still go wrong, look at the crash of the Airbus in Perpignan, where 2 of the 3 sensors were wrong).
The 737NG still mostly makes do with 2, and when 1 breaks, it is up to the pilot to decide. Add the non-cancelable stick-shaker, stall warning and overspeed warning for some AOA faults for some added confusion in the cockpit.
The MAX was the last chance for Boeing to get it right, but they didn't. And the MCAS system, borrowed from the KC-46, initially for high altitude flight characteristics, and later put on steroids for low and slow flight was just the rotting cherry on that already moldy cake. In the KC-46 MCAS takes info from both AOAs. In order to prevent extra training due to the comparator annunciation that came on if there was a difference between the two AOA inputs into MCAS, Boeing decided to do the wrong thing, and make the MCAS single source. It would only be getting the info from 1 AOA, alternating between legs (power cycles). It was a deliberate design choice, to save money, and we know from the 3 confirmed flights that happened in that condition (failed AOA feeding into MCAS) that the first one almost crashed, and the other two ended with a crash.
Some false alarms are inevitable, and every effort should be made to design them out, and make it easy to diagnose and rectify.
But the MCAS part of the story isn't so much about the false alarm IMO. It is about Boeing deliberately stepping backwards in an already outdated design.
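The sensor-arbitration point in the post above (two disagreeing AoA vanes can only be flagged as a miscompare, whereas a third vane or an independent estimate from attitude and ground speed can isolate the bad one), worked through as an added Python example; this is not code from the post nor from any Boeing or Airbus system. It assumes constructed sensor values, an agreement threshold of 2 degrees, and a synthetic AoA estimate from pitch attitude minus flight-path angle (a textbook steady-flight relationship that ignores wind); the real systems' logic is not known here.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional

AGREE_DEG = 2.0  # assumed agreement threshold between two AoA sources, degrees


@dataclass
class Verdict:
    status: str                      # "valid" | "miscompare" | "voted_out_one" | "synthetic_arbitrated"
    aoa_deg: Optional[float]         # selected AoA, or None when nothing can be trusted
    rejected: List[int] = field(default_factory=list)  # indices of sources voted out


def dual_compare(a: float, b: float, tol: float = AGREE_DEG) -> Verdict:
    """Two sources can detect a disagreement but cannot say which side is wrong.

    The only honest outputs are 'both agree' or 'miscompare, hand it to the crew'.
    """
    if abs(a - b) <= tol:
        return Verdict("valid", (a + b) / 2.0)
    return Verdict("miscompare", None)


def triple_vote(vals: List[float], tol: float = AGREE_DEG) -> Verdict:
    """Three sources: a single outlier is isolated by majority agreement."""
    assert len(vals) == 3
    agreeing = [(i, j) for i in range(3) for j in range(i + 1, 3)
                if abs(vals[i] - vals[j]) <= tol]
    if len(agreeing) >= 2:
        # Median is within tolerance of at least two sources: use it.
        return Verdict("valid", sorted(vals)[1])
    if len(agreeing) == 1:
        i, j = agreeing[0]
        k = 3 - i - j                          # the odd one out
        return Verdict("voted_out_one", (vals[i] + vals[j]) / 2.0, [k])
    # No pair agrees: two or more faults, nothing to vote with.
    return Verdict("miscompare", None)


def synthetic_aoa(pitch_deg: float, ground_speed_kt: float, vertical_speed_fpm: float) -> float:
    """Rough independent AoA estimate: alpha ~= theta - gamma, gamma = atan(VS / GS).

    Assumption: ground vector stands in for the air vector (no wind correction),
    which is why this is a cross-check, not a primary source.
    """
    gs_fpm = ground_speed_kt * 6076.12 / 60.0   # knots -> feet per minute
    gamma_deg = math.degrees(math.atan2(vertical_speed_fpm, gs_fpm))
    return pitch_deg - gamma_deg


def arbitrate_with_synthetic(a: float, b: float, pitch_deg: float, ground_speed_kt: float,
                             vertical_speed_fpm: float, tol: float = AGREE_DEG) -> Verdict:
    """Dual vanes plus an independent estimate: keep the vane the estimate agrees with."""
    first = dual_compare(a, b, tol)
    if first.status == "valid":
        return first
    est = synthetic_aoa(pitch_deg, ground_speed_kt, vertical_speed_fpm)
    near_a = abs(a - est) <= tol
    near_b = abs(b - est) <= tol
    if near_a and not near_b:
        return Verdict("synthetic_arbitrated", a, [1])
    if near_b and not near_a:
        return Verdict("synthetic_arbitrated", b, [0])
    return Verdict("miscompare", None)   # estimate cannot break the tie either


if __name__ == "__main__":
    # Constructed scenario: left vane stuck high, right vane sane, climb after take-off.
    LEFT, RIGHT, THIRD = 22.0, 3.5, 4.0
    PITCH, GS_KT, VS_FPM = 10.0, 250.0, 2500.0
    print("dual   :", dual_compare(LEFT, RIGHT))
    print("triple :", triple_vote([LEFT, RIGHT, THIRD]))
    print("synth  :", arbitrate_with_synthetic(LEFT, RIGHT, PITCH, GS_KT, VS_FPM))
```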

tdracer 8th Mar 2023 17:45

I've posted this before, but some either didn't see or have forgotten:
The certification process groups failures into four categories - Minor, Major, Hazardous, and Catastrophic. These have associated acceptable probability numbers - 10^-3, 10^-5, 10^-7, and 10^-9 per flight hour, respectively (occasionally modified to per flight cycle).
The entire problem with MCAS started early in the design process where the malfunctioning of MCAS (either erroneous activation or failure to activate when needed) was judged to be "Major" - Major is considered to be no big deal, readily handled by the crew with a moderate increase in crew workload (I'm quite familiar with Major since most 'benign' engine failures are considered 'Major').
Since 'Major' failures are allowed to occur at a rate of 10^-5/hour, redundancy is not required (BTW, apparently those who made that judgement also assumed that the flight crews would be told about and trained with regard to MCAS, but somewhere along the line that requirement was dropped).
Now, if someone had really sat down and thought about it - what the impact of a bad AOA sensor activation MCAS along with all the other bells and warnings that would be going off (stick shaker, unreliable airspeed, etc.) they might have realized that MCAS malfunction was at least Hazardous - but that obviously never happened prior to the first MAX crash. So the certification process for MCAS followed the (correct) process for a "Major" system. Now, if someone along the line realized that MCAS was worse than Major and withheld or hid that information - that's fraud and someone should be prosecuted for it. But if it was all an honest mistake - it's just that, a horrible, tragic, mistake, but humans design aircraft and humans make mistakes. I have it on good authority that there was at least one attempted suicide among the people who worked MCAS. These were not cold-blooded accountants that made these decisions - they were real, flesh and blood humans with feelings that made a horrible mistake. Was management pressure to keep things simple and 'on the cheap' a factor? Perhaps, but I know that I often experienced those pressures, and it never made me do or design something that I honestly believed was wrong.

alf5071h 8th Mar 2023 18:11

td, :ok:
well posted again, and again.

GlobalNav 8th Mar 2023 19:32

Originally Posted by MechEngr (Post 11397440)
MCAS did not fail. The AoA subsystem did, producing erroneous data and a false stall warning. MCAS did exactly what it was supposed to do based on the information it was provided. Isn't the suggestion for pilots to push the nose down when there is a stall warning and stick shaker? While MCAS wasn't designed to detect or react to stalls, and appears to have no such input, it is supposed to provide a correction to a high AoA and it did. The FAA, Boeing, foreign CAAs, and all pilots trained on the 737 NG already accepted the chance for a false stall warning and had done so for, estimating, 2 decades.

Sure, it operated as built. Over and over again until people died in the event of a foreseeable abnormal condition - wrongly designed with neglect of well known system safety principles and deceit, in favor of financial gain.

hans brinker 8th Mar 2023 19:32

Originally Posted by tdracer (Post 11397797)
I've posted this before, but some either didn't see or have forgotten:
The certification process groups failures into four categories - Minor, Major, Hazardous, and Catastrophic. These have associated acceptable probability numbers - 10^-3, 10^-5, 10^-7, and 10^-9 per flight hour, respectively (occasionally modified to per flight cycle).
The entire problem with MCAS started early in the design process where the malfunctioning of MCAS (either erroneous activation or failure to activate when needed) was judged to be "Major" - Major is considered to be no big deal, readily handled by the crew with a moderate increase in crew workload (I'm quite familiar with Major since most 'benign' engine failures are considered 'Major')
Since 'Major' failures are allowed to occur at a rate of 10^-5/hour, redundancy is not required (BTW, apparently those who made that judgement also assumed that the flight crews would be told about and trained with regard to MCAS, but somewhere along the line that requirement was dropped).
Now, if someone had really sat down and thought about it - what the impact of a bad AOA sensor activating MCAS along with all the other bells and warnings that would be going off (stick shaker, unreliable airspeed, etc.) they might have realized that MCAS malfunction was at least Hazardous - but that obviously never happened prior to the first MAX crash. So the certification process for MCAS followed the (correct) process for a "Major" system. Now, if someone along the line realized that MCAS was worse than Major and withheld or hid that information - that's fraud and someone should be prosecuted for it. But if it was all an honest mistake - it's just that, a horrible, tragic, mistake, but humans design aircraft and humans make mistakes. I have it on good authority that there was at least one attempted suicide among the people who worked MCAS. These were not cold-blooded accountants that made these decisions - they were real, flesh and blood humans with feelings that made a horrible mistake. Was management pressure to keep things simple and 'on the cheap' a factor? Perhaps, but I know that I often experienced those pressures, and it never made me do or design something that I honestly believed was wrong.

Your level of knowledge of certification is not something I will ever approach. But either the KC-46 was over engineered/certified having dual channel MCAS and a comparator annunciator, or corners were cut with the MAX, when they made it single source. And they definitely made it single source to avoid training and the associated cost. Maybe they thought it was safe enough, but they would have known that it was less safe, and cheaper.......

tdracer 8th Mar 2023 19:48

Originally Posted by hans brinker (Post 11397841)
Your level of knowledge of certification is not something I will ever approach. But either the KC-46 was over engineered/certified having dual channel MCAS and a comparator annunciator, or corners were cut with the MAX, when they made it single source. And they definitely made it single source to avoid training and the associated cost. Maybe they thought it was safe enough, but they would have known that it was less safe, and cheaper.......

KC-46 MCAS is fundamentally different than 737 MCAS. On the KC-46, it's intended to account for everyday occurrences - the rapidly changing CG as the tanker offloads fuel. Different design requirements when you design something to account for what will routinely happen.
737 MCAS was intended to account for something that should rarely occur - the pilot flying the aircraft into a near stall condition. So MCAS would rarely come into play - again, a different design requirement.

Not excusing the sloppy engineering that resulted in the original MAX MCAS implementation, but comparing it to the KC-46 MCAS is apples to oranges.

hans brinker 8th Mar 2023 21:04

Originally Posted by tdracer (Post 11397852)
KC-46 MCAS is fundamentally different than 737 MCAS. On the KC-46, it's intended to account for everyday occurrences - the rapidly changing CG as the tanker offloads fuel. Different design requirements when you design something to account for what will routinely happen.
737 MCAS was intended to account for something that should rarely occur - the pilot flying the aircraft into a near stall condition. So MCAS would rarely come into play - again, a different design requirement.

Not excusing the sloppy engineering that resulted in the original MAX MCAS implementation, but comparing it to the KC-46 MCAS is apples to oranges.

Thanks for that reply, TIL. That distinction is pretty big, but I never saw it mentioned in anything I read...

soarbum 8th Mar 2023 21:18

Originally Posted by tdracer (Post 11397797)
I've posted this before, but some either didn't see or have forgotten:
The certification process groups failures into four categories - Minor, Major, Hazardous, and Catastrophic. These have associated acceptable probability numbers - 10^-3, 10^-5, 10^-7, and 10^-9 per flight hour, respectively (occasionally modified to per flight cycle).
The entire problem with MCAS started early in the design process where the malfunctioning of MCAS (either erroneous activation or failure to activate when needed) was judged to be "Major" - Major is considered to be no big deal, readily handled by the crew with a moderate increase in crew workload (I'm quite familiar with Major since most 'benign' engine failures are considered 'Major')
Since 'Major' failures are allowed to occur at a rate of 10^-5/hour, redundancy is not required (BTW, apparently those who made that judgement also assumed that the flight crews would be told about and trained with regard to MCAS, but somewhere along the line that requirement was dropped).
Now, if someone had really sat down and thought about it - what the impact of a bad AOA sensor activating MCAS along with all the other bells and warnings that would be going off (stick shaker, unreliable airspeed, etc.) they might have realized that MCAS malfunction was at least Hazardous - but that obviously never happened prior to the first MAX crash. So the certification process for MCAS followed the (correct) process for a "Major" system. Now, if someone along the line realized that MCAS was worse than Major and withheld or hid that information - that's fraud and someone should be prosecuted for it. But if it was all an honest mistake - it's just that, a horrible, tragic, mistake, but humans design aircraft and humans make mistakes. I have it on good authority that there was at least one attempted suicide among the people who worked MCAS. These were not cold-blooded accountants that made these decisions - they were real, flesh and blood humans with feelings that made a horrible mistake. Was management pressure to keep things simple and 'on the cheap' a factor? Perhaps, but I know that I often experienced those pressures, and it never made me do or design something that I honestly believed was wrong.

This is perhaps the best summary that I have ever read of how MCAS came to be. What is missing is what happened between the first and the second crash. If the full consequences of an AoA failure had been overlooked when MCAS was designed they were certainly very clear after the first crash. Surely Boeing engineers went back over it with a fine tooth comb at that stage in the simulator and elsewhere and realised what a s--tstorm would be created in the cockpit by such a failure. That was the time to come clean with the airlines and pilots. They could have simply issued an AD to say that if you encounter unreliable airspeed at takeoff, do not retract flaps. They could have explained the MCAS algorithm and how it would not kick back in until x seconds after the last trim input. Instead they doubled down to say that if only the pilots had followed the old trim runaway procedure, it would all have been fine. Boeing gambled that they would get a firmware fix out before another similar AoA failuire occurred. Someone made a decision to gamble with people's lives. Someone in Boeing management made that bet but the people on the Ethiopian flight paid the ultimate price for it.

ST Dog 9th Mar 2023 00:19

Originally Posted by tdracer (Post 11397797)
The entire problem with MCAS started early in the design process where the malfunctioning of MCAS (either erroneous activation or failure to activate when needed) was judged to be "Major"

(BTW, apparently those who made that judgement also assumed that the flight crews would be told about and trained with regard to MCAS, but somewhere along the line that requirement was dropped).

Now, if someone had really sat down and thought about it … they might have realized that MCAS malfunction was at least Hazardous - but that obviously never happened prior to the first MAX crash.

This points to a hole in the safety process. It's there, without getting into how I know it's there (non-attribution and all that).

The engineers that make changes are the ones that determine if safety needs to look at those changes. Often those engineers don't understand how their changes impact the larger system, yet the process relies on them at least suspecting it could impact safety in order to bring it to the attention of others.

ST Dog 9th Mar 2023 00:26

Originally Posted by hans brinker (Post 11397873)
Thanks for that reply, TIL. That distinction is pretty big, but I never saw it mentioned in anything I read...

Another thing to note is different certification.

747MAX was FAA certification. The military has their own certification. 3 actually Army, Air Force, and Navy each have different certification for their respective aircraft. Just because the Navy certified something doesn't mean it's good for the Air Force.

tdracer 9th Mar 2023 01:11

Originally Posted by ST Dog (Post 11397957)
Another thing to note is different certification.

747MAX was FAA certification. The military has their own certification. 3 actually Army, Air Force, and Navy each have different certification for their respective aircraft. Just because the Navy certified something doesn't mean it's good for the Air Force.

Actually, the KC-46 was FAA certified - two FAA certifications were done - the 767-2C (which was the basis for the KC-46), and the KC-46 modification was certified as well. Some aspects of the KC-46 didn't get direct Part 25 certification (there are no regulations regarding air-to-air refueling), but the airworthiness (including MCAS) of the KC-46 was FAA certified.

ST Dog 9th Mar 2023 03:10

Originally Posted by tdracer (Post 11397970)
Actually, the KC-46 was FAA certified

Interesting. So is the AF flying under the STC and using commercial maintenance instead of organic maintenance? At least historically military maintainers weren't certified to FAA/Boeing standards and thus didn't meet requirements for continued airworthiness.
Seems unusual for the AF (and not a practice I care for where other branches have done so), especially for such a specialized aircraft.

tdracer 9th Mar 2023 03:59

Originally Posted by ST Dog (Post 11397994)
Interesting. So is the AF flying under the STC and using commercial maintenance instead of organic maintenance? At least historically military maintainers weren't certified to FAA/Boeing standards and thus didn't meet requirements for continued airworthiness.
Seems unusual for the AF (and not a practice I care for where other branches have done so), especially for such a specialized aircraft.

Sorry, what you're asking is getting beyond my knowledge base. I know that the 767-2C and KC-46 went through the FAA cert process (although I didn't have direct involvement in the KC-46 cert since my system didn't change from the -2C to the KC-46). I'd retired before the final cert was finished and maintenance practices were finalized. At least in theory, the 767-2C could be sold in its 'as built' commercial version as a purely cargo aircraft although I don't believe that's happened.
There has been a strong movement towards certifying commercially derived military aircraft to FAA Part 25 standards - something that I quite frankly don't understand since it adds considerable costs (basically you need to certify twice - once to the FAA and once to the USAF) without any real added value.

ST Dog 9th Mar 2023 07:01

Originally Posted by tdracer (Post 11398006)
Sorry, what you're asking is getting beyond my knowledge base.

Fair enough.

It would be interesting to see the artifacts the FAA cert was based on, particularly for MCAS.

I can't imagine anyone buying a -2C or KC-46 for strictly cargo use vs another dedicated cargo plane without the baggage of the tanker.

Bbtengineer 27th Mar 2023 22:03

Originally Posted by MechEngr (Post 11397440)
MCAS did not fail. The AoA subsystem did, producing erroneous data and a false stall warning. MCAS did exactly what it was supposed to do based on the information it was provided. Isn't the suggestion for pilots to push the nose down when there is a stall warning and stick shaker? While MCAS wasn't designed to detect or react to stalls, and appears to have no such input, it is supposed to provide a correction to a high AoA and it did. The FAA, Boeing, foreign CAAs, and all pilots trained on the 737 NG already accepted the chance for a false stall warning and had done so for, estimating, 2 decades.

MCAS did fail.

Its job was to provide a “suitable” stick force gradient in specific flight envelope circumstances.

That didn’t happen here not least because those flight envelope circumstances didn’t even exist.

It’s supposed to do what it’s designed for.

It didn’t.

That’s a failure.

MechEngr 27th Mar 2023 23:27


Are you satisfied that there was a false stall warning and that the AoA system reported false information?
Satisfied that the major errors in ET-302 happened primarily because of that false stall warning and prior to MCAS activation?

What other sensors should be allowed to lie? Fuel amount? Radalt? Engine fire?

I have been looking at the whole system. I agree - it was the failure to do so that got people killed.

You are looking at a piece of software that acted exactly as it was specified to act. It would have saved AF 447 if Airbus had installed a similar system.

In contrast, the AoA sensor didn't report the correct AoA and the related control subsystems all acted as if it did. All of them relied on the false AoA information, including the autopilot, which bugged out because of the false AoA sensor reading.

Bbtengineer 28th Mar 2023 00:28

Originally Posted by MechEngr (Post 11410026)

Are you satisfied that there was a false stall warning and that the AoA system reported false information?
Satisfied that the major errors in ET-302 happened primarily because of that false stall warning and prior to MCAS activation?

What other sensors should be allowed to lie? Fuel amount? Radalt? Engine fire?

I have been looking at the whole system. I agree - it was the failure to do so that got people killed.

You are looking at a piece of software that acted exactly as it was specified to act. It would have saved AF 447 if Airbus had installed a similar system.

In contrast, the AoA sensor didn't report the correct AoA and the related control subsystems all acted as if it did. All of them relied on the false AoA information, including the autopilot, which bugged out because of the false AoA sensor reading.

The software had faulty inputs.

I would expect a software engineer to anticipate faulty inputs, and to figure out how to detect them and deal with them.

Apparently they did neither.

In what universe was a totally unconstrained application of AND ever going to be appropriate?

It obviously didn’t work and I can’t quite actually believe we’re discussing a hypothesis that it did.

tdracer 28th Mar 2023 02:02

Originally Posted by Bbtengineer (Post 11410045)
The software had faulty inputs.

I would expect a software engineer to anticipate faulty inputs, and to figure out how to detect them and deal with them.

Apparently they did neither.

In what universe was a totally unconstrained application of AND ever going to be appropriate?

It obviously didn’t work and I can’t quite actually believe we’re discussing a hypothesis that it did.

The flaw wasn't in the software - it acted exactly as the software requirements would have it react.
The flaw was in the software requirements. Software is tested to confirm it conforms to the requirements - not to confirm it does what the designer intended...
This, unfortunately, is a common problem with software - poorly defined requirements that result in software not behaving as we'd like.
This is somewhat independent of s/w DAL (Design Assurance Level) - even DAL A (flight critical) software can behave in unanticipated ways if the requirements are not clearly defined.

Bbtengineer 28th Mar 2023 02:30

Originally Posted by tdracer (Post 11410061)
The flaw wasn't in the software - it acted exactly as the software requirements would have it react.
The flaw was in the software requirements. Software is tested to confirm it conforms to the requirements - not to confirm it does what the designer intended...
This, unfortunately, is a common problem with software - poorly defined requirements that result in software not behaving as we'd like.
This is somewhat independent of s/w DAL (Design Assurance Level) - even DAL A (flight critical) software can behave in unanticipated ways if the requirements are not clearly defined.

I’m sorry but you’re treating the team implementing the software as idiots.

At best as people who aren’t expected to actually understand the requirement in any context whatsoever.

People who implement software aren’t supposed to exist in a vacuum. They’re supposed to actually understand what they’re building and why.

The requirement apparently said apply nose down repetitively forever.

Nobody should ever have accepted that requirement.

tdracer 28th Mar 2023 02:45

Originally Posted by Bbtengineer (Post 11410069)
I’m sorry but you’re treating the team implementing the software as idiots.

At best as people who aren’t expected to actually understand the requirement in any context whatsoever.

People who implement software aren’t supposed to exist in a vacuum. They’re supposed to actually understand what they’re building and why.

The requirement apparently said apply nose down repetitively forever.

Nobody should ever have accepted that requirement.

The people who create the software are not the ones who define the requirements - in aviation they seldom are even in the same company.
That's why it's so critically important to get the s/w requirements correct.
The requirements did not consider what would happen if MCAS kept trimming the nose down, because it was assumed early in the design process that if the stab trim was doing something the pilots didn't want or understand, they'd turn it off. Hence the classification of inappropriate MCAS activation as only Major - that's what a stab trim malfunction was classified as.
As I noted previously - the entire MCAS mess grew from that flawed assumption that an issue with MCAS was no worse than Major.
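The distinction drawn in the last several posts, between software that conforms to its stated requirement and a system that survives a faulty input, shown as an added toy model that is not part of the thread and is not Boeing's MCAS logic or the KC-46 design. It serves both Bbtengineer's point that faulty inputs should be anticipated and detected, and tdracer's point that requirements-based testing only checks the requirement as written. A naive controller trusts one vane, re-arms after every pilot trim input and has no cap on total authority; a hardened one treats the vanes as untrusted input (cross-check, latch off on disagreement, one activation per event, bounded total authority). The thresholds, step sizes, the re-arm-on-pilot-trim behaviour and both scenarios are my assumptions for the model, not real-aircraft values. Both versions pass the paraphrased requirement ("high AoA, command nose-down trim"); only the invariant nobody wrote down separates them.

```python
"""Added example, not from the original thread and not Boeing's MCAS logic:
a toy AoA-driven trim controller in two versions, to show the difference
between "the software meets its stated requirement" and "the system is safe
against a faulty input". All thresholds and step sizes are ASSUMED round
numbers for the model; the scenarios are constructed."""

from dataclasses import dataclass
from typing import List, Type

# ASSUMED model parameters (not real-aircraft values).
AOA_ACTIVATE_DEG = 12.0      # trigger threshold
TRIM_STEP = 1.0              # nose-down trim issued per activation
MAX_TOTAL_AUTHORITY = 2.0    # hardened version: cap on cumulative automatic trim
AGREEMENT_DEG = 5.0          # hardened version: allowed vane-to-vane disagreement


@dataclass
class Sample:
    aoa_left: float
    aoa_right: float
    pilot_trimmed: bool = False   # pilot made a trim input since the last tick


class NaiveController:
    """Trusts the left vane alone and re-arms after every pilot trim input
    (assumed behaviour for the model), with no cap on total commanded trim."""

    def __init__(self) -> None:
        self.total_nose_down = 0.0
        self.armed = True

    def step(self, s: Sample) -> float:
        if s.pilot_trimmed:
            self.armed = True
        if self.armed and s.aoa_left > AOA_ACTIVATE_DEG:
            self.armed = False
            self.total_nose_down += TRIM_STEP
            return TRIM_STEP
        return 0.0


class HardenedController:
    """Treats the vanes as untrusted input: requires both to agree, latches
    itself off (to be annunciated) on disagreement, fires once per high-AoA
    event, and never exceeds a fixed total authority."""

    def __init__(self) -> None:
        self.total_nose_down = 0.0
        self.disabled = False
        self.in_event = False

    def step(self, s: Sample) -> float:
        if self.disabled:
            return 0.0
        if abs(s.aoa_left - s.aoa_right) > AGREEMENT_DEG:
            self.disabled = True          # fail safe: stop, leave the crew in control
            return 0.0
        if (s.aoa_left + s.aoa_right) / 2.0 <= AOA_ACTIVATE_DEG:
            self.in_event = False         # event over; a new one may trigger later
            return 0.0
        if self.in_event:
            return 0.0                    # already acted on this event
        self.in_event = True
        step = min(TRIM_STEP, max(0.0, MAX_TOTAL_AUTHORITY - self.total_nose_down))
        self.total_nose_down += step
        return step


def run(controller, samples: List[Sample]) -> float:
    """Total automatic nose-down trim commanded over the scenario."""
    return sum(controller.step(s) for s in samples)


def passes_stated_requirement(ctrl_cls: Type) -> bool:
    """The requirement as the thread paraphrases it: high AoA -> nose-down trim.
    A requirements-based test checks only this."""
    return ctrl_cls().step(Sample(20.0, 20.0)) > 0.0


def bounded_authority(ctrl_cls: Type, samples: List[Sample]) -> bool:
    """The property nobody wrote down: cumulative automatic trim stays bounded."""
    c = ctrl_cls()
    run(c, samples)
    return c.total_nose_down <= MAX_TOTAL_AUTHORITY


def stuck_vane_scenario(ticks: int = 10) -> List[Sample]:
    """Constructed: left vane frozen at 70 deg, right vane sane at 3 deg, and the
    pilot counters each automatic command with a trim input before the next tick."""
    return [Sample(70.0, 3.0, pilot_trimmed=(i > 0)) for i in range(ticks)]


if __name__ == "__main__":
    scenario = stuck_vane_scenario()
    for cls in (NaiveController, HardenedController):
        print(f"{cls.__name__}: requirement met={passes_stated_requirement(cls)}, "
              f"total trim on stuck vane={run(cls(), scenario)}, "
              f"bounded={bounded_authority(cls, scenario)}")
```

On the stuck-vane scenario the naive controller commands one step per tick for as long as the pilot keeps trimming back, so its total grows without limit, while the hardened one disables itself on the first disagreement and commands nothing. The same hardened controller still does its job when both vanes agree on a genuine high-AoA event, acting once per event and stopping at the cap. The test that would have caught the naive version is the invariant, not the requirement.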


Copyright © 2024 MH Sub I, LLC dba Internet Brands. All rights reserved. Use of this site indicates your consent to the Terms of Use.