Boeing To Make Key Change in 737 MAX Cockpit Software

Boeing is making an extensive change to the flight-control system in the 737 MAX aircraft implicated in October's Lion Air crash in Indonesia, going beyond what many industry officials familiar with the discussions had anticipated. From a report: The change was in the works before a second plane of the same make crashed in Africa last weekend -- and comes as world-wide unease about the 737 MAX's safety grows. The change would mark a major shift from how Boeing originally designed a stall-prevention feature in the aircraft, which were first delivered to airlines in 2017. U.S. aviation regulators are expected to mandate the change by the end of April.

Boeing publicly released details about the planned 737 MAX software update late Monday [Editor's note: the link may be paywalled; alternative source]. A company spokesman confirmed the update would use multiple sensors, or data feeds, in MAX's stall-prevention system -- instead of the current reliance on a single sensor. The change was prompted by preliminary results from the Indonesian crash investigation indicating that erroneous data from a single sensor, which measures the angle of the plane's nose, caused the stall-prevention system to misfire. Then, a series of events put the aircraft into a dangerous dive.

I guess the incredibly obvious question is...

[ZorinLynx]

Why the hell wasn't this the case before?

Aren't flight control systems supposed to be triple-redundant anyway? Everything I've read about them says they are; three systems and if there is incorrect data it uses the two that agree.

Re:I guess the incredibly obvious question is...

[lgw]

I assume they're talking about the sensor behind the pitot hole here. Making that the only sensor, and non-redundant, is particularly questionable. It's well known that pitot holes are very easily thrown off: an insect building a nest inside it (or ice forming, or etc) will throw off the sensor enough to crash a plane, if it's all you rely on.

Re:I guess the incredibly obvious question is...

[geekmux]

I assume they're talking about the sensor behind the pitot hole here. Making that the only sensor, and non-redundant, is particularly questionable. It's well known that pitot holes are very easily thrown off: an insect building a nest inside it (or ice forming, or etc) will throw off the sensor enough to crash a plane, if it's all you rely on.

I would assume you're correct here, but it still begs the question as to why this sensor was non-redundant, and how that SPOF design ultimately got approved.

Re:I guess the incredibly obvious question is...

[drinkypoo]

Yes, this is absolutely bananas. Even the accelerator pedal position sensor on cars with throttle-by-wire is a pair of pots, not just one. If one sweeps smoothly and the other doesn't, the PCM throws a code and only listens to the smooth input.

Re:I guess the incredibly obvious question is...

[Geoffrey.landis]

Why the hell wasn't this the case before?

...

I assume they're talking about the sensor behind the pitot hole here. Making that the only sensor, and non-redundant, is particularly questionable.

I would assume you're correct here, but it still begs the question as to why this sensor was non-redundant, and how that SPOF design ultimately got approved.

I am baffled as to why, if the problem had been identified, the planes weren't grounded until the software fix was implemented.

Alternate source:
https://www.morningstar.com/ne...

Re:I guess the incredibly obvious question is...

[bobbied]

Why the hell wasn't this the case before?

Aren't flight control systems supposed to be triple-redundant anyway? Everything I've read about them says they are; three systems and if there is incorrect data it uses the two that agree.

Well.. I believe the way the system works allows the control inputs of the pilots are able to overcome anything the system does. It's basically like an autopilot, where the pilot can override the system by applying pressure to the controls. This system is designed to apply backpressure as the aircraft approaches a stall, making it harder for the pilot to continue to increase the angle of attack and hopefully avoiding the stall. So you can still stall the aircraft, just pull harder and keep increasing the AOA...

The problem though, is that pilots are conditioned to change the trim to deal with unusual pressures for the desired pitch angle. So if the system believes the sensor and it's saying "STALL" but you are actually not, the system applies pressure to lower the nose, which the pilots will be conditioned to trim out. IF the stall doesn't go away, the system keeps the pressure there and unless the pilots realize what's going on they will keep trimming nose up. Eventually, the process ends up with an aircraft that's severely out of pitch trim which will be very confusing to the pilots, with really high control pressures required to do anything to the pitch. Thus "control problems" seems to describe exactly what I imagine was going on. It was a vicious cycle that makes the aircraft really hard to control.

So, I understand the engineering and using one AOA sensor. Kind of makes sense... Hey, the pilots can just override this anyway, we are stopping them from actually stalling the aircraft, just making it harder to do. We've don't this before in fighter aircraft and other fly by wire systems w/o any problems. But I think there wasn't enough thought given to what happens when that sensor fails and if they can implement some cross checks between airspeed, rate of climb, rate of turn, they might be able to more gracefully fail the system and disable it, or at least not get into the vicious cycle that leads to a pitch trim issue.

Re:I guess the incredibly obvious question is...

[Solandri]

Usually there are 3+ pitot tubes. Looks like the 737 has 5, with 3 of them dedicated to measuring airspeed. It's incredibly rare that a single fault causes a crash. Reporters just like to write up their stories that way to give their stories more impact, even if it twists the truth.

This isn't the first time faulty airspeed readings led to a flight computer has led to a crash. It isn't even the second time. In all previous cases, the plane was flyable. It was the confusion as the pilots tried to diagnose the problem based on the bizarre behavior of the plane and the flight control software and alarms which doomed the flights. It requires a deep and thorough understanding of when different flight protection modes in the software are triggered and kick in, to work backwards from the behavior you're seeing, to what problem(s) could be triggering those modes. If you've debugged software, you've encountered this. Unlike natural laws like physics, software can be designed arbitrarily. So your intuitive feel for how things should work becomes useless for tracking down the problem. You're totally dependent on how thoroughly you understand the software's arbitrary design.

Bear in mind that the stall warning is pretty much a "you're gonna die if you ignore me" warning. So it takes quite a bit of convincing before pilots will decide it's the warning that's faulty, not something else that they're doing wrong. That may be the cause of the reluctance of pilots to simply shut it off and fly the plane "by the seat of their pants" based on how the throttle settings, altitude, and attitude. So while theoretically the stall warning triggering incorrectly is a recoverable problem, it may take pilots a long time to diagnose and clear up the problem. Long enough for the plane to crash.

Re:I guess the incredibly obvious question is...

[Shotgun]

The question here is why is the computer listening to a sensor instead of the pilot. A plane can be flown just fine without any instrumentation other than the front window. Why does that sensor get to override the pilot?

Re: I guess the incredibly obvious question is...

[Bryansix]

There is a way to disable the systems but the procedure to do so is incredibly complicated. It's also hard to do anything when an emergency happens seconds after takeoff and the plane isn't even far off the ground yet.

Re:I guess the incredibly obvious question is...

[drinkypoo]

The question here is why is the computer listening to a sensor instead of the pilot. A plane can be flown just fine without any instrumentation other than the front window. Why does that sensor get to override the pilot?

A car can be driven just fine through no information but the window view and the butt dyno, but the [mandatory] ESP system will still start fucking with your brakes if the accelerometer says that you're yawing in a way that isn't called for by the steering angle sensor. The answer to the question of why is the same in both cases, assistive technologies. When everything is working correctly, the vehicle is much better than you are at figuring out what is happening. Normally, as has been pointed out several times in this discussion, multiple sensors are used to cross-check, to make sure that a single malfunctioning sensor can't make the system go bananas.

Barring that, software monitors are used to determine whether sensor input is implausible. For example, OBD-II mandates a "comprehensive" monitor whose job is to perform such checks; it is one of the basic monitors which must be set in order to pass an emissions test. It continually looks for implausible sensor activity (like a temperature sensor which suddenly changes from cold to hot or vice versa, instead of gradually changing) as well as implausible combinations of sensor activity, like a very high coolant temperature reading combined with a very low transmission fluid temperature reading.

In short, Boeing demonstrated gross incompetence here — but it was related to improper use of sensors, not the very idea of helping to fly the aircraft. Even auto manufacturers are more responsible.

Re:I guess the incredibly obvious question is...

This is what happens when you stop expecting your companies to compete on the free market and instead protect them with a combination of defacto and real terms state aid, such as trying to destroy competition such as Bombardier with illegal trade acts.

As soon as you let your companies stop competing and instead give them a position of immunity, determine them too big to fail, and no longer deemed in need of competing on the free market, then they'll get lazy, they'll get incompetent, and shit like this will happen.

Boeing desperately needs to face real competition, and stop being protected by an protection racket artificially created by US government protectionism, and that extends to military contracts too; it can't keep just getting given them on a plate even when it's the worst option.

It's sad that people have to lose their lives for the growing complacency of companies like Boeing to be unveiled and tackled. Even now it's refusing to admit any real fault, claiming the aircraft is still safe when it's very clearly not.

Re:I guess the incredibly obvious question is...

[BostonPilot]

I think you're mixing up fly-by-wire with the previous technology. Fly by wire is what we have: the pilot tells the computer what they want to happen (through the controls) and the computer tells the control surfaces what to do. I have to say that I don't like the idea of a FBW system without a manual reversion mode. Software is just too difficult to get right. The manufacturers are worrying about a bunch of stuff, safety is one of them, but economics is what sells airplanes so there are tradeoffs Airbus and Boeing make that you and I might not agree with.

BTW, split flaps: https://www.law.cornell.edu/cf...

As for training for the impossible... it comes down to pragmatism. Yes, the "impossible" can happen, but do you really want to spend time training people for the impossible? If the goal is to reduce the overall accident rate you're much better off spending additional training effort on things that are more likely to happen than the "impossible" ones like United 232... I heard a talk by Al Haynes about that accident and it was very impressive that they got the airplane (mostly) on the ground... but it probably doesn't make sense to train people for that kind of thing - better to improve the mechanical systems to make it even more impossible.

Bell had a terrible crash in 2016 testing their FBW 525 helicopter - they lost the crew. It reinforced my fears about software flying the aircraft (and now, automobiles). It's a tricky thing to get right. Arguably Boeing and Airbus (and Embraer and Bombardier) and probably some of the top organizations in the world for writing reliable code, but obviously even they have a hard time getting it right 100% of the time...
 

Re:I guess the incredibly obvious question is...

[dunkelfalke]

Only a tiny general aviation aircraft can be flown that way. And even then it can only be flown that way at low altitude and full visibility because the vestibular system doesn't work correctly during flight. An airliner must be flown using instruments.

https://en.m.wikipedia.org/wik...

And don't delude yourselves that you are special and would be able to feel your position correctly.

Re:I guess the incredibly obvious question is...

[uncqual]

My lay person's understanding...

In order to increase fuel efficiency on the 737 MAX, the engine fan diameter was increased. These "underwing" engines would have been too close to the ground if mounted as on other 737 models. Thus, the engineers moved the engines forward and upward to achieve necessary ground clearance. This, along with some other changes, moved the force of thrust forward which made the plane more prone to lift its nose too high and stall. To guard against this, Boeing introduced the Maneuvering Characteristics Augmentation System (MCAS) which activates automatically when the autopilot is off in some conditions which include when the angle of attack (AOA) is too high. The MCAS system, when needed, attempts to prevent a stall by adjusting the horizontal stabilizer trim upward and will do this over, I believe, about 10 seconds or until the pilot overrides it or the angle of attack is within limits. If the pilot activates the trim control switch on the yoke, MCAS will be disabled -- but, five seconds after the switch is released, MCAS will reengage if the conditions call for it (esp. AOA). When MCAS is altering the trim, the manual trim controls on each side of the center "console" will be spinning away and, if a pilot looks down, they will see that motion as there is a white stripe extending outward from the center in order to make the movement obvious.

The best speculation I've heard about the Lion Air crash was that there was a problem with one of the AOA sensors. There are two such sensors - one on both side of the 737 Max.

As in most crashes, due to the redundancy of systems and procedures, it's rarely one thing that causes a crash but rather a cascade of events.

There had been problems with at least one of the AOAs on previous flights but maintenance attempts appear not to have solved the problem. So, first there was a failure of maintenance, but of course AOA sensors will fail from time to time, so one can't blame the crash on that failure.

I've not heard how MCAS handled conflicting AOA sensor readings but I suspect this is one of the big areas of change that they will push in the April "patch". But, it's likely that the failing AOA caused the MCAS to activate when it shouldn't have and push the nose down by adjusting the trim - but this actually pushed the plane's nose down too far. When the pilots tried to correct, they ended up disabling MCAS (although perhaps not explicitly aware that they were doing so) only to have it start undoing what they had accomplished five seconds after they released the trim control on the yolk - and this was a vicious loop.

Had the pilot recognized what was happening, they simply would have ran the "runaway trim" procedure (which would have disabled MCAS and some other automatic trim controls completely via a switch on the center "console") and flown the plane manually with no problems. Unfortunately, the pilots likely didn't figure out what was causing the problem and failed to execute the necessary procedure. So, that was a pilot error (and, that's probably what will be determined to be the main problem here, with contributing factors).

There is much debate on why the Lion Air pilots may have failed to recognize what was going on. Many pilots and their union claim that they were not told about the existence of MCAS. Boeing hasn't been talking a lot, but they seem to assert that there was no need to train the pilots on MCAS beyond what the manuals/training did as it was a classic "runaway trim" scenario and the training was sufficient to cause the pilots to detect that case and initiate the proper procedure. Boeing did, however, issue documentation updates to operators worldwide soon after the Lion Air crash.

After Boeing issued the documentation updates, every 737 MAX pilot should have been fully aware of MCAS and what to do if was doing the wrong thing. This, coupled with the witness reports that the Ethiopian Airline 737 MAX that crashed was spewing smoke and fire from the back of the plane a

Re: I guess the incredibly obvious question is...

[DigressivePoser]

While the pilot shouts "The override. Where's the override!", the co-pilot laughs at the unintentional Star Trek II reference.

Re:I guess the incredibly obvious question is...

[uncqual]

There are two AOA sensors on the 737 MAX - one on each side. The erroneous one may give a rational, yet wrong, signal. However, I suspect that the Boeing "patch" will add cross checking and perhaps more explicit alerts to the pilots when something seems "off".

Re:I guess the incredibly obvious question is...

[140Mandak262Jamuna]

It raises the question, does not beg the question.

Re:I guess the incredibly obvious question is...

[dgatwood]

The best speculation I've heard about the Lion Air crash was that there was a problem with one of the AOA sensors. There are two such sensors - one on both side of the 737 Max.

One problem is that, if I understand correctly, not all of the 737 aircraft have even so much as an indicator light when the two AOA sensors disagree. At least one airliner (Southwest) insisted on an explicit AOA indicator so you can see both AOA sensors' data and see how much they disagree. But if you don't have that and don't have the indicator light, all you know is that the aircraft keeps trimming the nose down every few seconds. One might still arguably call it pilot error to not recognize the symptoms, but it starts to really blur the lines at that point.

Re:I guess the incredibly obvious question is...

[Strider-]

So, that was a pilot error (and, that's probably what will be determined to be the main problem here, with contributing factors).

As someone who's a technical trainer (in a different transportation field, but still mission critical), this sounds to me like a design failure compounded by insufficient training, rather than pilot error. Training is incredibly important, but it also shouldn't be making up for poor design choices.

Re:I guess the incredibly obvious question is...

[caseih]

The MCAS spins the same trim knobs that the pilot spins. So the pilot can trim the nose back and after MCAS spins it down. They might fight each other, but ultimately they are both adjusting (and potentially undoing) the same thing. I'm sure it's initially confusing to pilots for sure, especially because older planes would cancel the automatic trims when the stick was pulled on, but apparently this is not the case with MCAS. If it turns out the MCAS contributed to the Indonesian crash, then it was a matter of training. But Boeing screwed up the design.

Re:I guess the incredibly obvious question is...

[Hognoxious]

I think that pulling the stick back disables it - but only temporarily. It waits till the pilots think the problem has gone away, then starts shoving the nose down again.

Why anyone could think this is better is beyond me.

Obvious

if ( goingToCrash ) {
        dontCrash();
}

Re:Obvious

[darkain]

Error 404: variable "goingToCrash" not found. Application will now crash.

Re:Redundant Systems?

[Lothsahn]

You think that's bad, how about the aircraft brought down by a burned out light bulb?

https://en.wikipedia.org/wiki/...

Flying is routine until it isn't. Planes are essentially balancing in the air. It doesn't take much to make one stop flying, and one momentary loss of attention at the wrong time or improper control input can end very badly. All of this x10 if the Pilots haven't been informed of or trained on the failure scenario they're encountering.

Next one will crash due to stall

[jfdavis668]

That would have been prevented by the current system.

Re:Next one will crash due to stall

[gweihir]

Probably. The whole thing is a mess, these engines have no business being on that plane. Add an apparently completely incompetent belief that software can fix anything and you get a lot of dead people, all for profit optimization.

Re:The Tesla People

[Geoffrey.landis]

It's funny how they point to aviation as nearly infallible when they talk about self-driving cars.

Well, it's a little less than one failure in four million flight hours, that's a pretty amazing safety record. If Tesla self-driving was one failure in four million driving hours, I'd call that very near infallible, compared to human drivers, anyway.

But when they do fail, it's spectacular, and makes news.

Source: http://planecrashinfo.com/caus...

Re:The Tesla People

[PvtVoid]

It's funny how they point to aviation as nearly infallible when they talk about self-driving cars.

Self-driving cars don't have to be infallible. They just have to be safer than the average person, which is a really low bar.

Re:Redundant Systems?

[bobbied]

million dollar aircraft brought down by a cheap sensor failure

Well that's better than the aircraft accident I helped to investigate... The pilot died because of a power switch position he specifically set in order to turn off the system that prevented his aircraft from departing it's "flying" envelope by applying back pressure to his control inputs. When he went to "break" during some ACM training looking over his shoulder at his opponent, he applied too much rudder input, the aircraft snap rolled as it stopped flying and started to tumble, his head was caught between the ejection seat and the canopy and he died of a broken neck before his aircraft hit the water.

That guy died because he wanted the competitive edge and specifically tried to cheat by putting the aircraft in a forbidden configuration....

I'd rather die from a sensor failure than by some stupid mistake I made to get an unfair advantge because I want to win some competition..

Re:The Tesla People

[HornWumpus]

Let us know when one gets there. All current claims are thoroughly debunked.

Re: I guess the incredibly obvious question is..

There is an option to disable the system. It's a new system and there was not a lot of training about it though.

Additional sources

[Anubis+IV]

Since the alternative source link in the summary appears to link to an article about stock prices, here's some alternative alternative links that actually contain more relevant information:
- Boeing press release
- Gizmodo
- Washington Post

seems like the logic here is flawed.

[goombah99]

Okay lets suppose that some or all of the stall sensors are malfunctioning. There's another sensor that the computer can look at and that's the altitude. If the ALTITUDE is rapidly falling of course the plane might think, see I was right about this stall! But there's one more thing. Namely if the pilots pulled the stick back and the altitude stops falling the plane should now have enough information to figure out that pushing the stick forward is not the right thing to do.

So it seems like the plane should be able to figure out that it's sensors can't be right even if it doesn't know what's exaxtly wrong.

That is, it's job is to overide the pilots if it's convinced they are ignoring a serious problem or doing something to make it worse. But if they do take action and it improves the situation then the logic should be, trust the pilot. Not, continue assuming the pilot is doing the wrong thing.

Re:seems like the logic here is flawed.

[BostonPilot]

No, you're trying to grossly oversimplify the problem, and it's causing you to say things that are silly.

Having worked as a vendor to the avionics group at Boeing, and having had a student who wrote test code for the 777, I can tell you that the testing / verification process for their software is mind boggling. They've had decades to fine tune their processes for creating reliable computer software. Believe me, you sound idiotic second guessing them, and it doesn't sound like you're a pilot either...

The one thing I will agree with you about is that the system should trust the crew. However, I must say that some of my airline captain buddies would strongly disagree with that. Just look at Air France Flight 447 as a perfect example of why trusting the crew can go wrong. However, I still lean towards this... if you don't trust the crew then it's like the old joke about the perfect crew:

The ideal flight crew is a pilot and a dog.

The pilot is there to feed the dog, and the dog is there to bite the pilot if he touches anything.

Seriously, if the automation is so complicated and opaque that the crew can't tell what it's doing and why... that's a problem. The move towards more automation seems to be to make up for an inexperienced crew... I think more training / sim time is the right solution, not more automation. Still, both Airbus and Boeing seem to think more automation is the right way to go.

I'll be interested to hear what they learn from the FDR...

Re:seems like the logic here is flawed.

[dgatwood]

Okay lets suppose that some or all of the stall sensors are malfunctioning. There's another sensor that the computer can look at and that's the altitude. If the ALTITUDE is rapidly falling of course the plane might think, see I was right about this stall! But there's one more thing. Namely if the pilots pulled the stick back and the altitude stops falling the plane should now have enough information to figure out that pushing the stick forward is not the right thing to do.

No, you're trying to grossly oversimplify the problem, and it's causing you to say things that are silly.

Not sure what's silly about that. If the computer says you're beyond the maximum AOA, then pushing the nose up should always cause the aircraft to lose altitude. If a nose up action results in an altitude increase and the sensors still say that the aircraft is beyond the maximum AOA, then the sensors have to be wrong, period, unless I'm missing something about the physics.

There is, of course, a region in which the avionics system would think you're *near* the maximum AOA and a nose-up maneuver would still increase your lift, albeit less than normal. So a nose-up maneuver causing increased altitude during a stall indication isn't *always* an indication that the data is crap, but it certainly could be, if the AOA sensor data is far enough off from reality.

Also, I don't understand why the computers in these planes don't take advantage of all the other sensor data that is at their disposal. The 737 has both pitch/roll inclinometers, GPS, airspeed indicators, and altimeters. With that data, it should be possible to crudely estimate the AOA. The change in velocity relative to the ground is acceleration, which you subtract from the inclinometer data to get your actual angle relative to the earth. Your air speed relative to ground speed gives you some crude indication of how far off your AOA is likely to be (more wind = larger margin of error). And you can also detect an updraft or downdraft with the altimeter to further determine the amount of bias.

If the combination of those pieces of data comes up with an AOA estimate that is radically different from the AOA sensors, then either your inclinometer is stuck, your airspeed indicator is malfunctioning, the GPS ground speed estimate is wrong, or the AOA sensors are lying. And clearly, the AOA data should take priority by default, because it is likely to be the most accurate. But if the numbers are way off for an extended period of time, or if they get farther and farther apart while the pilot is deliberately fighting against the plane's MCAS-derived trim adjustment, that's probably the point where the avionics system should throw up its hands, tell the pilot that it has no idea what is going on, and disable MCAS, or at least clearly alert the pilot that the stall indicator is unreliable and recommend that the pilot override the MCAS-derived trim.

What am I missing?

Re:seems like the logic here is flawed.

[K.+S.+Kyosuke]

I can tell you that the testing / verification process for their software is mind boggling. They've had decades to fine tune their processes for creating reliable computer software.

Haven't we had ample evidence by now that it's all too easy to make computer software that very reliably and very accurately does exactly the wrong thing?

Re:Arrogant engineering and being beta testers

[JoeyRox]

The pilot has always been able to turn off the system.

Except up until recently 737MAX pilots didn't even know "the system" (MCAS) existed, which IMO is Boeing's biggest mistake in this matter.

Re:Arrogant engineering and being beta testers

[HornWumpus]

They knew it existed but thought it had its old name. The same two switches turn both off.

Re:The problem is normal and alternate control law

[uncqual]

A description of alternate law as it applies to aviation can be found here although this focuses on Airbus.

Re: Back in my day,...

[jrumney]

Back in your day, plane crashes were a regular occurrence, even though there were far fewer aircraft flying.

The 2 crashes are even more related

[hcs_$reboot]

Something struck me regarding latitudes: the Air Lion crash was 6 degrees South (Djakarta), the Ethiopian crash was 9 degrees North (Addis Ababa) ; both flights were close to the Equator (symmetrically). Could have something to do with sensors reliability.

Re:What about the yoke?

[Strider-]

It does, but as soon as they let go, the MCAS kicks in again, because it's still active, so if the pilot doesn't catch what's going on, they wind up fighting the aircraft all the way into the ground.

Re: I guess the incredibly obvious question is..

[Hognoxious]

There is an option to disable the system.

It's a button in the aft toilet under a locked flap with "beware of the leopard" written on it.