Flawed Analysis, Failed Oversight: How Boeing, FAA Certified the Suspect 737 MAX Flight Control System (seattletimes.com)
In one of the most detailed descriptions yet of the relationship between Boeing and the Federal Aviation Administration during the 737 Max's certification process, the Seattle Times reports that the U.S. regulator delegated much of the safety assessment to Boeing and that the analysis the planemaker in turn delivered to the authorities had crucial flaws. 0x2A shares the report: Both Boeing and the FAA were informed of the specifics of this story and were asked for responses 11 days ago, before the second crash of a 737 MAX. [...] Several technical experts inside the FAA said October's Lion Air crash, where the MCAS (Maneuvering Characteristics Augmentation System) has been clearly implicated by investigators in Indonesia, is only the latest indicator that the agency's delegation of airplane certification has gone too far, and that it's inappropriate for Boeing employees to have so much authority over safety analyses of Boeing jets. "We need to make sure the FAA is much more engaged in failure assessments and the assumptions that go into them," said one FAA safety engineer. Going against a long Boeing tradition of giving the pilot complete control of the aircraft, the MAX's new MCAS automatic flight control system was designed to act in the background, without pilot input. It was needed because the MAX's much larger engines had to be placed farther forward on the wing, changing the airframe's aerodynamic lift. Designed to activate automatically only in the extreme flight situation of a high-speed stall, this extra kick downward of the nose would make the plane feel the same to a pilot as the older-model 737s.
Boeing engineers authorized to work on behalf of the FAA developed the System Safety Analysis for MCAS, a document which in turn was shared with foreign air-safety regulators in Europe, Canada and elsewhere in the world. The document, "developed to ensure the safe operation of the 737 MAX," concluded that the system complied with all applicable FAA regulations. Yet black box data retrieved after the Lion Air crash indicates that a single faulty sensor -- a vane on the outside of the fuselage that measures the plane's "angle of attack," the angle between the airflow and the wing -- triggered MCAS multiple times during the deadly flight, initiating a tug of war as the system repeatedly pushed the nose of the plane down and the pilots wrestled with the controls to pull it back up, before the final crash.
[...] On the Lion Air flight, when the MCAS pushed the jet's nose down, the captain pulled it back up, using thumb switches on the control column. Still operating under the false angle-of-attack reading, MCAS kicked in each time to swivel the horizontal tail and push the nose down again. The black box data released in the preliminary investigation report shows that after this cycle repeated 21 times, the plane's captain ceded control to the first officer. As MCAS pushed the nose down two or three times more, the first officer responded with only two short flicks of the thumb switches. At a limit of 2.5 degrees, two cycles of MCAS without correction would have been enough to reach the maximum nose-down effect. In the final seconds, the black box data shows the captain resumed control and pulled back up with high force. But it was too late. The plane dived into the sea at more than 500 miles per hour. [...] The former Boeing flight controls engineer who worked on the MAX's certification on behalf of the FAA said that whether a system on a jet can rely on one sensor input, or must have two, is driven by the failure classification in the system safety analysis. He said virtually all equipment on any commercial airplane, including the various sensors, is reliable enough to meet the "major failure" requirement, which is that the probability of a failure must be less than one in 100,000. Such systems are therefore typically allowed to rely on a single input sensor.
This judgement is going to run into 10 digits.
> only two short flicks of the thumb switches
In the systems you design, typically how many times is the user expected to press the Stop Trying To Kill Us button before the system leaves off trying to do so?
The statement of using only one sensor is scary especially for something that automatically adjusts the flight path, but even having two is scary. With 2 sensors how does the software know which is right when they disagree? For true fault tolerance you need a minimum of 3 sensors.
This smells like a collusion between Boeing and the US Government (FAA) in order to rush through certification to be anti-competitive to the Airbus product that was ready for this area.
The resulting hundreds of dead is a testament to failed oversight and cost-cutting, lack of redundancy, and what appears to be basic lying to other air regulators.
Almost certainly this will come back to bite Boeing badly - firstly the lawsuits from the families of the dead, second with sales on what many people would consider a flying death trap of a plane design. It will take a while for this taint to be forgotten, assuming that it is fixed, redundant systems are installed on all planes, and that they pass more robust certification processes around the world.
Forget the revolving door between the aerospace industry and the FAA - Boeing took out the middleman by convincing the government to let it self-regulate, even on matters of extreme importance like the airworthiness certification of aircraft. It's a win-win: Boeing wins because they reduce R&D and materials costs in getting subpar designs certified that otherwise would be rejected. Politicians win because they get their healthy campaign donations. The only people who lose are the ones who screamed for their lives as their plane plummeted to the earth.
> Yet black box data retrieved after the Lion Air crash indicates that a single faulty sensor -- a vane on the outside of the fuselage that measures the plane's "angle of attack," the angle between the airflow and the wing -- triggered MCAS multiple times during the deadly flight, initiating a tug of war as the system repeatedly pushed the nose of the plane down and the pilots wrestled with the controls to pull it back up, before the final crash.
Jesus, what a nightmare. And, I'm sure, no way of turning off the MCAS even though it was clearly malfunctioning. That has to be the worst last moments for a pilot, ever.
I read in a different article that the reason for the airframe design has its roots in the way airports were designed decades ago. Before they had those mobile tunnels that connected between the terminal and the plane, passengers had to walk out to the plane and ascend on a portable stairway. To make boarding easier, the original 737 was designed to be lower to the ground, so there wouldn't be as many steps to board. That part of the 737 design was never changed, and it made the airframe changes for the Max very awkward to implement. Hence the necessity for something like the MCAS, and hence the current mess.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
It'll be safer to buy Delta tickets than find that other airlines are again allowed to put these Max planes back in the air.
You said "Safer" and "Delta" in the same sentence, hmm...
This issue seems like something the pilots can work around if they know what is going on, which the U.S. pilots seem to.
I got an email from Southwest Cargo related to the Max, they stated:
While we remain confident in the MAX 8 after completing more than 88,000 flight hours accrued over 41,000 flights, we support the actions of the FAA and other regulatory agencies and governments across the globe that have asked for further review of the data
That's a lot of flights they have done with the plane, so it's not like the plane is inherently unsafe - there is a flaw in this system, which will get resolved one way or another. They'll be back in the air and as safe as any other plane flying.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
> "Going against a long Boeing tradition of giving the pilot complete control of the aircraft, the MAX's new MCAS automatic flight control system was designed to act in the background, without pilot input"
Or notify them either, it seems. Or be disabled when it erroneously kicks in over 20 times causing unexpected dives. Fuck everything about this system. Even if they fix it I'm not flying on any aircraft that has this.
> "this extra kick downward of the nose would make the plane feel the same to a pilot as the older-model 737s"
And that's also ridiculous. Because of the change in the engine configuration it is an aircraft that handles differently. "Compensating" so the pilot doesn't know the difference causes confusion, something you don't need when in charge of a passenger jet. Do they make 747s feel like you're flying a TriStar? Of course not.
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
Part of the problem is Boeing didn't want pilots to have to retrain and certify under a different type of aircraft.
So they've jiggled things around to make it look like it's just like any other 737, but it now has different flight characteristics.
So now Boeing has created a situation where they wanted this to appear seamless to the pilots, but that it apparently doesn't work and is anything but seamless to the pilots. They took something which wasn't fly by wire, and made it fly by wire.
What we're seeing now is a case where the FAA let Boeing decide there was no material difference for pilots, when there actually was ... in which case their attempt to not have to force pilots to re-certify in type has now potentially led to two crashes.
When the pilot is saying up, and the system is saying down ... bad things happen.
And clearly, despite Boeing saying it would fly exactly the same, it doesn't.
The safety analysis:
...
"1) Understated the power of the new flight control system, which was designed to swivel the horizontal tail to push the nose of the plane down to avert a stall. When the planes later entered service, MCAS was capable of moving the tail more than four times farther than was stated in the initial safety analysis document."
"2) Failed to account for how the system could reset itself each time a pilot responded, thereby missing the potential impact of the system repeatedly pushing the airplane's nose downward."
"3)
I think this is the most important story on Slashdot in a long time.
The article linked by Slashdot is the best, deepest story in a long time: Flawed analysis, failed oversight: How Boeing, FAA certified the suspect 737 MAX flight control system.
Just like how the FDA relies on the drug companies to run all the tests, submit supporting docs, etc.
Why not just use a stick pusher, like any other non-FBW aircraft with stall issues? Design it so it can be overridden with appropriate back force on the control wheels. Using trim for this is stupid, since with full down trim, you might not have enough elevator authority to recover quickly from a dive (i.e. even if the system is turned off, trim may have to be cranked back manually before the plane can recover).
This looks like criminal stupidity on the part of Boeing engineers.
Dude, auto pilot was off. All auto systems that were in the manual were off.
Obama made America great, and Trump the traitor sold it to Russia for pennies. Don't worry, Mueller will get it back - with his magic rope.
People make a country great, not the president.
"Going against a long Boeing tradition of giving the pilot complete control of the aircraft, the MAX's new MCAS automatic flight control system was designed to act in the background, without pilot input"
Often old and simpler is far better....
Attitude is only one element of the aircraft's operation -- what about airspeed?
Surely if there was a large disparity between the aircraft's airspeed and its attitude (ie: it is accelerating beyond 500mph while the attitude sensor says it's in a steep climb) then the safety system ought to have recognized that there was a fault condition and triggered an alarm which would allow pilots to disable it with the simple flick of a switch.
Sadly, it seems that this system was never designed to be disabled -- because it was part of the FBW system used to modify the apparent flight characteristics of the new Max8 model so that it would fly like an earlier 737. This was done (so I understand) solely to make the plane more attractive to airlines that didn't want the extra expense of having to get their pilots "rated" for a new aircraft type.
When it comes to the mighty dollar versus safety -- you *know* which one wins :-(
Meanwhile, some people are still saying "it's only a matter of time before a drone brings down an airliner". I wish they'd shut up and focus on the *real* risks that are *actually* claiming hundreds of lives in the aviation industry.
He said virtually all equipment on any commercial airplane, including the various sensors, is reliable enough to meet the "major failure" requirement, which is that the probability of a failure must be less than one in 100,000.
One in a hundred thousand WHAT?
Flights? As of 2014 there's a bit over 100,000 flights per DAY! With a rule like that there should be on the average somewhat over one "major failure" per day per system of that classification level, which allows a single point of failure to exist.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
> This system is designed to detect when the pilot has seriously screwed up, pointing the nose way too high.
Not even close! The plane NATURALLY wants to stand on its tail at high power output. That's what moving the engines CAUSED. To compound the matter, the engine nacelle shape itself at certain AoA adds to the lift which can exacerbate the problem till it's no longer recoverable. Put your RC plane near vertical and watch what happens... (Well, RC planes generally have massive imbalance of thrust to weight ratio unlike real planes so doubtful you can actually demonstrate the problem)
"regulation" implies a neutral third party. The Credit Card Industry has PCI. Video Games have ESRB. Movies the MPA. None of those things are as immediately lethal as a busted airplane though.
But I wouldn't call it "regulatory capture" either, since Boeing were left to their own devices. They didn't have anything to capture.
No, what we have here is plain, good ol' deregulation. These days regulation > deregulation is automatic in most people's minds. Between this, Flint Mi, and the 2008 crash I hope folks are starting to change their minds in that regard.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
After accidentally confirming that the Backspace bug still exists on Slashdot and that it can destroy your draft without a trace...
What are you on about? Do you mean that you're fat-fingering the touchpad, losing text focus, hitting backspace, and going back to the prior page? In that case, you should be using both the classic view of Slashdot, and a browser that preserves form contents on back/forward. Firefox, Pale Moon... I opened this reply window in a new tab, so I can't go back. But if I could, if I went forward again, my form contents would still be there. Maybe non-classic view uses DOM to rewrite the form contents, which would break this basic bit of browser functionality (and for which Slashdot's ownership would be to blame) but only noobs use anything but classic anyway.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
How the hell does a critical sensor on an aircraft fail without the system knowing about it? My freaking car told me yesterday that the microphone in the entertainment unit had developed a fault...
I am not interested in articles about life extension advancements.
Too many patches to keep building newer technology airplanes that handle like the old ones. Just to save money on certification and pilot training. Stop already. Just design a new airplane.
Have gnu, will travel.
I'm not sure about parts of your description, but I am pretty sure that it involves the focus getting outside of the input window. Nothing to do with either keypad (though I suspect the mouse), and I am using Firefox. The first thing I do when it happens is to attempt to return forward, but no can do. Pretty sure I'm using the classic view of Slashdot, but not sure how to check that.
Are you perhaps suggesting that I can recover the lost draft by some other method? For example, I haven't tried playing with the history. Maybe it appears as a recently closed tab, even though the tab of the lost information appears to remain open?
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
You could blame it on the Obama administration or the Trump administration, but it goes back a long time.
The Federal Aviation Act of 1958 was the original statute allowing FAA to delegate activities, as the agency thinks necessary, to approved private people employed by aircraft manufacturers. Although paid by the manufacturers, these designees act as surrogates for FAA in examining aircraft designs, production quality, and airworthiness. The FAA is responsible for overseeing the designees' work and determining whether the designs meet FAA requirements for safety.
On June 29th, 2011, the Department of Transport's Office of Inspector General issued a detailed (23 page) audit report that examined the Federal Aviation Authority's approach to Risk Management.
You can read the report directly here.
This report, published in June 2011, documents in stark detail that the approach taken by the FAA - to significantly scale back oversight of aircraft manufacturers - represented significant risk, even if that activity were performed adequately.
In more detail, the report explains how the FAA took the decision to delegate responsibility for the hiring of individuals to serve as "FAA engineers" - essentially the supposedly independent inspectors who are intended to be able to objectively assess the effectiveness of the design and modification procedures conducted by the company that hired them.
If that wasn't bad enough, the report goes on to say that once the FAA had conducted initial inspections [the document quotes a 2 year time window of monitoring] it then stepped back from even an oversight role. In other words, there was no way that the FAA could have had any confidence that the modifications introduced with the 737 MAX aircraft were actually functional as claimed.
If you read around this news story in search of more details, you might find a couple of other relevant pieces of information. Staggering pieces of information...
One is that Boeing's design/development process broke down, so that when the "final" aircraft was reviewed / safety inspected by their in-house "FAA engineer", all the presented paperwork showed that the force imparted on the control column by MCAS was set at relatively low, original design levels. In truth the design had changed, to the extent that one of the pilots in the Lion Air flight incident had been attempting to fight the controls with over 100lbs of force - and had failed to overcome the aircraft's systems.
Another is that the sensor input to the MCAS system that turned out to be closely related to the problem may have been basing decisions on a single, faulty attitude sensor.
Whatever the causes of the two recent failures in terms of the operational characteristics of the two aircraft involved, I think the 2011 Inspector General's report clearly shows that both of these events were clearly avoidable and could have been prevented had the FAA leadership performed their duties responsibly.
They flew 88,000 flight hours and still flew two airplanes into the ground. I can see the FAA re-certifying the 737 but I wouldn't expect the EU to put this high on their to-do list. I'm sure Airbus will be happy to pick up the slack while Boeing works out their kinks.
I do not block ads. I do block third party scripts.
Yea, just so you know.. My father was an avionics and radio mechanic for a major US airline for 38 years, including a decade stint keeping flight simulators running at their pilot training center (to which I got to regularly go and "fly" the big sims), so I grew up around airplanes all my life. I also worked as an avionics engineer on a Navy fighter aircraft and I've done some private flying on my own. I'm not an expert on Boeing's avionics or modern flight control systems, but I do have a few clues about how they work.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Everything will be in the paper trail. That, and dead bodies, is a conviction.
If not in the USA, then in any other country willing to prosecute on behalf of their dead citizen.
Sure, but if said person is not IN said country and extradition treaties are not in existence, what does it matter? Not a whole lot.
I can go to Sealand and get a judgment, but who's going to enforce it? Who's going to honor the judgment in the USA? It's not like you can contact the local Sheriff and get him to enforce a judgment from outside the country.
Also, don't forget there is a vast difference between civil judgments (i.e. money awards) and criminal charges.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
I love software testing, but I quit and moved on 'cause the field just doesn't get the respect/resources it needs.
Developers and managers are always trying to "rein in" the testing staff and make them stick to a stupid script --
written by the same developers that made the mistakes in the first place.
My most important bug discoveries were almost always the result of informal testing, or thinking about the test script
and "trying something" that wasn't on the script. Overnight "random monkey testing" with the automated test harness was
very effective at finding real world problems -- but invariably got a rebuke from some manager, "Why were you doing that?"
This sounds a lot like that, but with the added bureaucracy of Aerospace+gov't.
The development process then adapts to minimize bureaucracy, instead of maximizing safety.
So as I see it, one of two things happened:
1. There was a test engineer somewhere who thought about these failure modes before the first crash. He was ignored and didn't have the power to escalate the issue.
2. The tests were stupid and were run by stupid people.
There were enough red flags -- I think it was #1.
Test Engineers -- throw off your chains !
The safety of the world depends on you.
There's a good chance the aftermath of this is going to bankrupt Boeing.
The evidence for gross engineering negligence is piling up, and they are not going to live through the results.
And self driving cars have much less testing and that can lead to more damage than just 1-2 planes going down.
ANOTHER example of poor management at Boeing: Boeing tanker jets grounded due to tools and debris left during manufacturing. (Feb. 28, 2019)
"They may have missed it, just like Boeing did. Boeing certainly doesn't want to make planes that crash. That's even worse for business than a delay in certification."
Do you think so? Only time will tell, but probably just current 737MAX signed contracts will outset the penalties, direct and indirect of this scandal.
The problem is not that FAA might have overlooked it (which, theoretically certainly could happen) but that even Boeing would have caught it in "normal" circumstances, taking their due time for the assessment.
But since you can't count on a corporation to do the proper thing, even if not doing it goes against the long term perspectives of the company itself, that's why you put regulation agencies in place -letting corporate greed to overpressure the regulator, which is exactly what happened here, fully negates its value, and results like the present one are to be expected.
To generate paperwork.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
And my ex-wife likely was responsible for the OS that the plane was using. Certification is backwards. The company making the OS or plane or drug should not be paying for the certification. The buyers of the product need to group together to do it. When I did security certification at IBM no one ever failed. Our customer was the maker of the product so we couldn't fail them. We almost never asked the customer to make changes (and when we did we never verified that they did make the changes), all the certification process was about getting the paperwork correct. For the OS certification it might actually be worse. The certifiers probably aren't very good programmers. Their tests are running automated code checkers and running a subset of the tests the OS maker made. One really bad mistake my ex's team made was misunderstanding a processor errata spec on cache misses. A non-trivial percentage of the world's aircraft were nearly grounded because of that*. My ex's team had misread the errata and the certification house had relied on her team's interpretation of the errata (or more likely had no clue what it meant).
Critical systems don't allow free() so all non-stack memory will be in static locations. Someone was able to write a program to analyse the executable images to determine if this particular cache miss would ever happen. Turned out that no production systems were affected. The scary part though is changing the length of a single text string could trigger this problem.
Because China and Soviet Russia never had any airplanes crash?
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
On a side note, this story from the Seattle Times shows how important investigative reporting is to society. If the government ever gets serious about regulating private enterprise again, it will be due to stories like this, and the resulting public outrage. We are yet again in their debt.
"One current FAA safety engineer said that every time the pilots on the Lion Air flight reset the (trim) switches on their control columns to pull the nose back up, MCAS would (reset its 0 degree reference and) have kicked in again and “allowed new increments of 2.5 degrees.”
“So once they pushed a couple of times, they were at full stop,” meaning at the full extent of the tail swivel, he said."
So in summary a system FAA-certified on the basis of being able to adjust nose-down trim by 0.6 degrees could actually, (after a few cycles of the pilot correcting it a little bit with trim up), command full nose-down trim, about 5 or 6 degrees tailplane tilt.
All of this relying on input from a single angle-of-attack sensor. Get this, the plane has two such sensors, one on each side, but the MCAS only uses input from one of them!!! What the hell? If you use two of them, then your software can check if they diverge, and disable systems relying on the input, and warn the pilots. That is some criminally bad development cost saving judgement there.
Where are we going and why are we in a handbasket?
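The redundancy points raised in the comments above (one sensor cannot be checked, two can detect a disagreement but not resolve it, three can outvote a single bad vane) and the repeated 2.5-degree increments can be put into a small model. This is an added example, not part of the original thread and not Boeing's control law; the trigger threshold, disagreement tolerance, travel limit and sensor readings are constructed assumptions.

```python
"""Toy model of the sensor-redundancy argument in the thread (illustrative only)."""
from statistics import median

STEP_DEG = 2.5          # per-activation nose-down increment quoted in the thread
FULL_TRAVEL_DEG = 5.0   # assumed stop: the summary says two uncorrected cycles reach maximum
AOA_TRIGGER_DEG = 14.0  # hypothetical activation threshold
DISAGREE_DEG = 5.5      # hypothetical cross-check tolerance between vanes


def select_aoa(readings):
    """Return (value, valid) from one, two or three redundant AoA readings."""
    if len(readings) == 1:
        return readings[0], True              # nothing to compare against
    if len(readings) == 2:
        a, b = readings
        if abs(a - b) > DISAGREE_DEG:
            return None, False                # fault detected, but not isolated
        return (a + b) / 2, True
    mid = median(readings)                    # three sensors: median masks one outlier
    agreeing = [r for r in readings if abs(r - mid) <= DISAGREE_DEG]
    if len(agreeing) < 2:
        return None, False
    return mid, True


def simulate(frames, pilot_trim_up_deg, cumulative_limit_deg=None):
    """Run one activation decision per frame of sensor readings.

    pilot_trim_up_deg is the nose-up correction applied after each activation.
    cumulative_limit_deg=None models the reset-after-pilot-input behaviour
    described in the thread; a number caps total automatic authority instead.
    """
    trim = peak = commanded = 0.0             # nose-down trim, degrees
    activations = 0
    inhibited = False
    for readings in frames:
        aoa, valid = select_aoa(readings)
        if not valid:
            inhibited = True                  # latch off and leave it to the crew
        if inhibited or aoa < AOA_TRIGGER_DEG:
            continue
        step = STEP_DEG
        if cumulative_limit_deg is not None:
            step = min(step, cumulative_limit_deg - commanded)
        if step <= 0:
            continue                          # authority budget already spent
        trim = min(FULL_TRAVEL_DEG, trim + step)
        peak = max(peak, trim)
        commanded += step
        activations += 1
        trim = max(0.0, trim - pilot_trim_up_deg)
    return {"final_trim": trim, "peak_trim": peak,
            "activations": activations, "inhibited": inhibited}


# Constructed sample data: one vane stuck high, the others healthy.
ONE = [(22.0,)] * 6
TWO = [(22.0, 4.0)] * 6
THREE = [(22.0, 4.0, 5.0)] * 6

if __name__ == "__main__":
    cases = [("single sensor, resets each cycle", ONE, None),
             ("single sensor, cumulative limit", ONE, STEP_DEG),
             ("two sensors, cross-checked", TWO, None),
             ("three sensors, median vote", THREE, None)]
    for name, frames, limit in cases:
        print(f"{name:34s} {simulate(frames, 1.0, limit)}")
```

With short 1-degree pilot corrections, the single-sensor case reaches the assumed stop on the third cycle; the two-sensor case never activates but also loses the function, which is the trade-off the three-sensor vote avoids.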
Is 0.2 degrees per second with a pause every ten seconds or after any trim input forcing the nose down hard?
"It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
Professional engineers have the power to say no and their certs on the line.
It isn't just the FAA, this is a problem with many if not MOST of the Federal Regulatory agencies....
Look at the FDA rosters, and you can easily see why we won't ever get sensible food regulations/recommendations that would actually help address obesity, etc. in the US.
Light travels faster than sound. This is why some people appear bright until you hear them speak.........
The "certification process" is "filling out the correct paperwork". Yes. All the paperwork was filled out, in triplicate.
Adding more paperwork to the process will not make the plane any safer.
Aah, change is good. -- Rafiki
Yeah, but it ain't easy. -- Simba
The FAA has a dual-contradictory role and that's its real problem:
- to promote flying, and
- to regulate air safety.
Sadly, there are a few fatalities that can be linked back to soft standards (I know citation), and one I can think
of was the famous fractured jet engine mounts. The mounts failed because of shortcuts taken to remove and
install the engine after maintenance were allowed to happen because of sloppy FAA oversight and inspections.
Not all, but I'd bet there's an uncomfortable percentage of fatalities that can be laid at the feet of the FAA.
It's like the olde saying that a traffic light won't be installed at an intersection until there are more than 2 deaths.
The FAA is reactive, not proactive like it was mandated.
CAP === 'crumbles'
Boeing is at fault. They should have made it mandatory and presented it as a major system which could lead to major lethal problem in case of misunderstanding or failure or mishandling. Instead they made it an option, a "don't worry not too important" case. They are the ones knowing the consequence, so they are the ones which should have insisted. But by the sound of it, it was passed off as a minor problem or no accent was really put on it.
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
If you deactivate it, what then? The aircraft is apparently badly designed, having grown out of the limitations of the basic airframe over many years. This was supposed to prevent accidents resulting from this, why would you turn off an accident-preventing system? You'd most likely just swap accidents caused by this system by accidents caused by pilots flying this unwieldy machine.
Ezekiel 23:20
And you seriously think that people would follow the FDA recommendation? Actually in several studies people lose weight if they are given food that adheres to the existing FDA regulations so the problem is not the regulations but that people do not give a shit.
The dumbest thing about all of this is that they chose to use a computer to compensate for a trim issue that could have just been handled manually. Instead of setting the trim to X for take off, set it to X+more.
Unless the initial pitch up resulted in wild oscillations that required a computer to deal with, let the pilots fly the fucking plane.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
You make a good observation. Not only is this a good idea, but it is also available to the pilots in the 737 Max. You may have come across the term "breakers" used by pilots when conducting pre-flight inspections of aircraft... You might have seen a movie in which one of two pilots reads a checklist and the other inspects the various dials and controls.
You will hear terminology such as breakers set to "open" [which is switch open, or the circuit switched off], or "closed", which is switch closed, or the circuit switched on. For example, this image shows a board of circuit breakers on an aircraft.
In most cases, what the pilot is supposed to do, if they identify a fault with a system or component, is to disable it by "opening the (circuit) breaker". That basically means pulling the little black button out of the dashboard, which cuts power to the component, thereby forcibly disabling it.
It's possible that you might ask a follow-up question at this point, along the lines of, "Well, if that's what they were supposed to do, why didn't the pilots do that in these cases?" Another very good question.
I will have to speculate as to the answer, but there are at least two possible options. One is that the pilots of the lost aircraft lacked either the training or experience to be able to handle a failure of this type. Much as we would like to hope it is otherwise, the quality of pilot training is not the same the world over. It's also worth pointing out that the flight characteristics of the aircraft at the point of failure were to put the aircraft into a very high speed, steep dive. It doesn't matter how good you are, if that happens unexpectedly - a true emergency - you are going to go into "panic/response" mode. Your ability to rationalize coherently *will* be impaired. This is why pilots have to undergo so much training and take so many readiness checks. This is why pilots have to use checklists even when they have been flying the same aircraft for years. The other is to point out that, of course, the documentation for the MAX variant of the 737 didn't actually document anything about the MCAS - to the best of my knowledge it isn't even mentioned in the Ops Manual - because Boeing argued [and their in-house safety inspectors agreed] that the aircraft "flew the same" as earlier 737 variants which didn't have the MCAS.
This is a bit of a long-winded answer and a way of saying that, based on anecdotal and unsubstantiated claims mentioned on the internet in the wake of these two tragic accidents, it has been alleged that there was no mention of the MCAS system in either the aircraft documentation or any differences training. The argument for this seems to have been: "The MCAS unit gives the MAX the exact same flight characteristics as earlier models, so MCAS training is redundant."
I'm going to emphasize this again: I'm repeating unsubstantiated claims gleaned from reading various web articles, not informed by knowledge of the actual aircraft manuals. But it does fit the pattern of data that has been made public to date.
Train the pilot to fly the aircraft instead of having the aircraft pretend to be something else. Also regulatory capture is a problem.
That seems like a reasonable *rate* at which to bring the nose down.
If the system is adding 0.2 down elevator every second even though there is already 15 degrees down elevator and the pilot is pulling the stick back, and the AoA indicator isn't responding - it's staying at max AoA despite full down elevator, that's what I'm calling forcing the nose down hard. Forcing - overriding pilot input, hard - overriding all common sense based on the available data.
For contrast, the system I designed set the elevator position near max AoA based on essentially this:
Max AoA - 2.5 + sqrt (stick back force)
So a pilot would have to pull almost all the way back to exceed max AoA. The linkage was such that it had no effect until the elevator was up past neutral. Of course, this is on a plane that will naturally nose down in a stall if the elevator is neutral. That's a much more conservative approach than what Boeing did, based on what I've read.
I'm not a professional plane designer, just an amateur, and I haven't examined Boeing's design in detail. Reports indicate that it forced the nose down despite numerous indications that it was not appropriate to do so, based solely on the AoA sensor.
If the rest of the world forbids that class of aircraft from flying in their airspace then it affects America.
One in 100,000 what? Seconds, minutes, hours, lifetimes?
It is stupid to make something that can kill people rely on a single input sensor. I programmed experimental tests in nuclear reactors and we always had multiple inputs (thermocouples, flow sensors, etc.) and had sanity checks on the values to identify failed equipment.
Seems like Boeing's software could have taken more things into consideration than just the angle of attack? What about speed, altitude, rate of climb/descent, etc.?
"Almost every wise saying has an opposite one, no less wise, to balance it." - George Santayana
Well, since the CEO probably needs to go to prison for a few hundred years for this, fat chance.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I see that all the time in the IT industry. Process is more important than solid technology. And it is getting worse. At one customer, I basically have to sneak the solid tech past their processes. Of course the paper-pushers do not want that and make it harder. Until things break and cannot be easily repaired anymore.
Personally, I think what is missing is a "Chief Engineer" that is an actual engineer, very senior, very experienced and that has both final say and final responsibility on all tech decisions. What they have today is a CTO that is an administrative position. That just does not cut it.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
" farther forward on the wing, changing the airframe's aerodynamic lift. "
"farther forward on the wing, making the plane unstable."
FIFY
Comment removed based on user account deletion
This is such a fundamental flaw that I'm actually in awe that it could have ever been approved. It goes against EVERYTHING taught in practically any engineering discipline.
You NEVER rely on a single sensor for life-critical operations- you normally use 3 and use an intermediary computer or other device to "vote" on what the reading actually is (or should be).
Segal's Law: "A man with one watch always knows what time it is. A man with two watches is never sure."
And that's true, but a man with three watches can be reasonably certain what time it is even if one watch fails.
Granted, most things don't need a "tell me three times" setup, but for manned flight and other mission critical applications it's the standard.
How could they possibly have passed this through? It's an engineering mistake that even most rookies and newbs would never make.
One bad sensor (or even two!) should never bring down a plane. This was, at its heart, negligent engineering from a company that should have known better.
I don't care if the sensors only fail one in a million times and cost a million dollars per piece, you NEVER rely on just one sensor. NEVER.
Just cruising through this digital world at 33 1/3 rpm...
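The three-sensor vote described in the comment above, combined with the range sanity checks and the capped trim authority raised elsewhere in the thread, as an added example in C (not part of any comment and not Boeing's or any avionics vendor's code). Every name, threshold and sample reading is an assumption constructed for illustration.

```c
#include <math.h>      /* NAN, used for a dead sensor in the sample data */
#include <stdbool.h>
#include <stdio.h>

/* Assumed limits, chosen for illustration; not values from any real aircraft. */
#define AOA_MIN_DEG        (-20.0)
#define AOA_MAX_DEG        40.0
#define AOA_AGREE_DEG      5.0   /* max gap between readings that "agree" */
#define AOA_STALL_DEG      14.0  /* voted AoA at which nose-down trim starts */
#define TRIM_STEP_DEG      0.2   /* trim added per control cycle */
#define TRIM_AUTHORITY_DEG 1.0   /* total trim the automation may ever add */

typedef enum { VOTE_OK, VOTE_DEGRADED, VOTE_FAILED } vote_status;
typedef struct {
    vote_status status;
    double value;   /* voted AoA; meaningful only if status != VOTE_FAILED */
    int agreeing;   /* sensors backing the voted value, 0 on failure */
} vote_result;

/* Range check. NaN fails both comparisons, so a dead channel is rejected. */
static bool plausible(double v) { return v >= AOA_MIN_DEG && v <= AOA_MAX_DEG; }

static void swap_if_greater(double *a, double *b) {
    if (*a > *b) { double t = *a; *a = *b; *b = t; }
}

/* Vote over three readings: median of three, or agreement of two. */
vote_result vote_aoa(const double r[3]) {
    vote_result out = { VOTE_FAILED, 0.0, 0 };
    double ok[3] = { 0.0, 0.0, 0.0 };
    int n = 0;
    for (int i = 0; i < 3; i++)
        if (plausible(r[i])) ok[n++] = r[i];
    if (n < 2)
        return out;                 /* a lone sensor is never trusted */

    swap_if_greater(&ok[0], &ok[1]);
    if (n == 2) {                   /* two left: they must agree */
        if (ok[1] - ok[0] <= AOA_AGREE_DEG)
            out = (vote_result){ VOTE_DEGRADED, (ok[0] + ok[1]) / 2.0, 2 };
        return out;
    }
    swap_if_greater(&ok[1], &ok[2]);
    swap_if_greater(&ok[0], &ok[1]);
    bool low_agrees  = ok[1] - ok[0] <= AOA_AGREE_DEG;
    bool high_agrees = ok[2] - ok[1] <= AOA_AGREE_DEG;
    if (low_agrees && high_agrees)
        out = (vote_result){ VOTE_OK, ok[1], 3 };
    else if (low_agrees || high_agrees)
        out = (vote_result){ VOTE_DEGRADED, ok[1], 2 };  /* outlier outvoted */
    return out;                     /* otherwise no majority: VOTE_FAILED */
}

/* Nose-down trim to add this cycle, given trim already applied. */
double trim_step(vote_result v, double applied_deg) {
    double remaining = TRIM_AUTHORITY_DEG - applied_deg;
    if (v.status == VOTE_FAILED || v.value < AOA_STALL_DEG || remaining <= 0.0)
        return 0.0;                 /* no trusted stall indication, or limit hit */
    return remaining < TRIM_STEP_DEG ? remaining : TRIM_STEP_DEG;
}

/* Total trim after `cycles` cycles of constant readings, voted and limited. */
double run_voted(const double r[3], int cycles) {
    double applied = 0.0;
    for (int i = 0; i < cycles; i++)
        applied += trim_step(vote_aoa(r), applied);
    return applied;
}

/* Contrast case modelled on the thread's description: one sensor, no limit. */
double run_single(double reading, int cycles) {
    double applied = 0.0;
    for (int i = 0; i < cycles; i++)
        if (reading >= AOA_STALL_DEG)
            applied += TRIM_STEP_DEG;
    return applied;
}

int main(void) {
    /* Constructed sample: level flight, third vane stuck at 22 degrees. */
    const double stuck[3] = { 4.0, 4.5, 22.0 };
    const double split[3] = { 4.0, 22.0, NAN };   /* one dead, two disagree */
    printf("single sensor: %.1f deg trim\n", run_single(stuck[2], 20));
    printf("voted:         %.1f deg trim\n", run_voted(stuck, 20));
    printf("split status:  %d\n", vote_aoa(split).status);
    return 0;
}
```

With two surviving sensors that disagree, the voter reports failure rather than picking one, which is the Segal's Law case from the comment.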
Companies have to spend money complying with regulations. That's kind of the point. To force compliance. What the hell would the alternative be? I suppose we could nationalize their industries. But beyond that, well, that's just how laws work. It's like complaining the government doesn't set the speed on my car.
As for the IRS, it's been heavily manipulated by the GOP. Seriously, it has. They massively cut funding to audits for big companies and the wealthy while writing requirements into law that the IRS audits a certain number of "low income earners", e.g. poor people. This is a calculated attack on the working class to make them hate the IRS and taxation so that they can in turn use that hate to get tax cuts for themselves and their wealthy donors.
Finally, ask how important the overall stats of airline travel are to the families of the dead after they find out this was no accident.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
What I have read is that the only indication is that the trim wheel (not in the pilot's/copilot's line of sight, it's at the base of the throttle controls, and apparently only on the copilot side) starts moving. The problem is that MCAS makes it move too far. And while it is supposedly somewhat audible, it isn't so audible if alarms are blaring and crew is trying to communicate over the alarms. You can deactivate it by either setting the stabilizer trim to manual, or disengaging the autopilot. Since the Lion Air incident, many pilots who fly the 737 MAX know this. But it's not a training item, so many of them don't know about it.
Here is a picture of a 737 trim wheel.
Boeing did all these dodgy hardware and software hacks just to avoid the time and cost of certifying a new type. This was a panicked rush to market, to compete with Airbus 320neo. Which isn't crippled by stubby landing gear like the 737, so its engines can be placed in an inherently aerodynamically stable position.
Because it wasn't a new type, FAA did not require that pilots be certified. And furthermore Boeing buried the details of how to fully return the plane to manual control, because that would conflict with the story they told the FAA about unchanged flight characteristics. Unfortunately for all involved, Max 8 really did have a new flight characteristic: falling out of the sky under computer control.
So yes, Boeing is going to pay out the biggest settlement in aviation history. There is just no way to escape culpability. And we have a huge indictment of Trumpist deregulation too: industry didn't win by weakening FAA oversight, rather it lost big league.
When all you have is a hammer, every problem starts to look like a thumb.
I feel like I shouldn't have to clarify my position on this, but...
I am NOT attacking the FAA. I think that there is a real need for external moderators, or you might prefer to call them honest referees, to keep track of how the players are playing the game. In the game of business for profit, that means the moderators (or referees) aren't driven by the profit motive uber alles. The FAA has clearly failed to keep Boeing from cheating on the rules in this case, and lots of people are dead as a result.
Part of my solution approach would be to increase competition and freedom. Less massive profit and fewer industry-dominating players and more controlled risks. The rate of progress might be a toss-up. I think more competition will lead to faster progress, but there are cases where huge research projects are required. Might be a legitimate need for some big government assistance in those cases, but in general I think smaller government is good, too, though the referee needs to be at least as strong as the strongest players. Yet another argument for smaller corporations so we can have smaller government.
Lots of similar comments in my earlier writings...
Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
I'm not a big fan of MBAs, but this was a pretty long and complicated chain of errors. From what I gather: Boeing wanted to keep the 737's low ground clearance but needed to put bigger engines on to match the efficiency of the new A320s, which meant changing the aerodynamics. Boeing also wanted pilots to be able to do a simple difference training course, rather than have to recertify on a new aircraft, so they invented MCAS. The engineers must have figured that it was a supplemental system, and easy to turn off if it malfunctioned, so they chose to make it kick in aggressively rather than conservatively (either sensor says go, rather than both sensors say go). They also made it harder to turn off than the old system, probably by accident. Then Boeing decided not to mention the new system to pilots in that difference course, to avoid confusing them.
Lots of errors to go around. Some are definitely cost saving, but some are probably a result of not enough whole-system oversight. The decision to go based on one sensor is a bit mystifying. There are already two AoA sensors on the aircraft, and lots of other ways of cross checking them. In fact, Boeing is releasing a software update to add all that cross checking in, so it's not even a hardware limitation.
The 737 MAX isn't actually aerodynamically unstable in normal flight. Any airliner, including all the 737s, with the standard under-the-wing engines will have off-axis thrust that will add a bit of pitch up. The aircraft is designed to compensate for that in normal flight, but in a stall if the pilot gooses the engine it can make it impossible to recover. 737 pilots (including the older model) are trained NOT to increase throttle in a stall because of it. The MAX handles differently in that situation, so they added MCAS so the pilots wouldn't have to be trained in a new stall recovery procedure.
1 in 100,000 is just not enough for something that is a matter of life and death. Considering that Google says the FAA handles over 15 million flights yearly, it is conceivable that this system could have become implemented in enough planes eventually to make 1 in 100,000 very common, even if it hadn’t actually failed much sooner than that. I would say no fewer than three sensors must be checked before fighting with the pilot for control. Of course you do have to account for the fact that the pilot could be wrong, but then we have a copilot to act as a redundancy. Any lack of redundancy is just a bad idea.
Incipiamus, fratres, servire Domino Deo, quia hucusque vix vel parum in nullo profecimus.
Quit reanimating the undead 737 airframe, introduce a new type, and train pilots to fly that.
When all you have is a hammer, every problem starts to look like a thumb.
The term is "regulatory capture", and it's been blamed for the Deepwater Horizon incident, and Wall Street's shenanigans.
From that second link, "the process by which regulatory agencies eventually come to be dominated by the very industries they were charged with regulating. Regulatory capture happens when a regulatory agency, formed to act in the public's interest, eventually acts in ways that benefit the industry it is supposed to be regulating, rather than the public."
If you really believe that you will invest every penny you have or can beg, borrow, or steal to bet on the downside - selling short, options etc.
Nope, Boeing will survive this. Yes, there's some engineering changes needed and it will hurt their reputation a bit for a couple years but I'd wager that this won't result in many cancelled orders. A few billion dollars is easily absorbed. The sooner they can get the 737 MAX back in the air, the better for them of course.
If both the Lion Air and Ethiopian Airline crashes were caused by the same thing and that was a faulty AOA sensor driving the MCAS to do the wrong thing, I'd happily fly on a 737 MAX even without any fixes -- as long as I know the pilots have trained for this scenario. It's really fairly easy to detect this problem and recover from it if the pilots are trained in it. Of course, I'd rather fly on a 737 MAX with some engineering fixes (just warning the pilots that the AOA indicators don't agree and training the pilot to disable automatic trim control and "take the wheel" would be a step in the right direction).
Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading
Probably not. Most people think safety regulation is to protect consumers. It isn't. It is to protect the entrenched companies that can afford to dedicate departments to compliance, pay the fees, and pay the lobbyists for more (which said company in turn publicly protests).
Because Boeing followed all reasonable efforts to comply in good faith with all FAA safety regulations and good practices and the FAA certified the system as being safe, short of some hidden or misleading information submitted, it is going to be a serious uphill battle to claim negligence on the part of Boeing here.
Boeing wasn't negligent, the FAA was and until their bread stops being buttered by the people they are supposed to regulate it will happen with the FAA and every other safety agency. Until lobbyists' and politicians' bread stops being buttered by the same safety regulation that is difficult for upstarts to comply with but presents no real barrier to megacorps like Boeing will continue to be the rule of the day.
"Sandy Hook taught me that the non-regulated industries have lobbyists that prevent regulation."
Aviation is hardly an unregulated industry but in most regulated industries it is industries that pay the lobbyists to fight FOR regulation. They make sure the regulations carry fines, fees, and most of all red tape that keeps anyone from entering their industry without very deep pockets and a pack of insiders. In the meantime, the more regulation the more protection they have against lawsuits. Which is exactly why Boeing will walk away from this unscathed. They disclosed everything to the FAA and followed all good practices and compliance procedures to ensure the aircraft was safe. The FAA giving their blessing means short of having lied or misrepresented something somewhere Boeing is in the clear.
Yes. Those recommendations impact what the giant food companies can get away with. There need to be regulations on refined flour and sugar. First step is to treat and list refined flour as sugar. Refined oils also need called out. This shit is disastrous to the general health of everyone--that we are all expected to pay their massive health bills to save their feet from falling off or their heart failure. We need to start labeling this trash that is currently passed off as healthy, as junk food.
>This was supposed to prevent accidents resulting from this
Actually no, the intent of the MCAS was to make the 737 Max fly exactly like a 737 NG in stall conditions, so that Boeing could avoid certifying a new airframe.
When all you have is a hammer, every problem starts to look like a thumb.
Disengaging the autopilot does not disengage the MCAS, in fact it engages it.
When all you have is a hammer, every problem starts to look like a thumb.
The 737 MAX is perfectly capable of flying safely with MCAS disabled. It's disabled with autopilot on so that's not an issue. It's only when autopilot is off that MCAS can be active and then it's just a backup in case the pilots screw up so if it's been disabled during manual flight control, the pilots have to be particularly careful - esp. not to react incorrectly to a stall (something they seem to be unlikely to do - but the behavior of the 737 MAX would be somewhat different than of the other 737 models with less powerful engines tucked in a bit further back and lower).
There are all sorts of situations where pilots have to be trained to react quickly and correctly in the light of a failure of some component - such as engine failure during takeoff in a 737. This will be another. But hopefully the fix will include detecting that the AOA sensors don't agree and alerting the pilot to this and, perhaps, modifying MCAS behavior when that condition is detected, esp. when the pilot seems to be trying to do just the opposite of what MCAS keeps trying to do (although the latter may just create another layer of complication that will confuse pilots so may be ill-advised).
Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading
That sounds alarmingly plausible.
I should use this sig to advertise my book ISBN-13 : 978-1501515132.
Probably just current 737MAX signed contracts will offset the penalties, direct and indirect, of this scandal.
Aircraft purchase contracts come with generous cancellation provisions, otherwise carriers will delay them until the last possible instant. I think a flurry of 737 cancellations is imminent, coinciding with a modest uptick in 320 orders.
When all you have is a hammer, every problem starts to look like a thumb.
At least this article finally gives some info on the software fixes being developed by Boeing, instead of the nonsensical speculation we've been getting thus far. Changing MCAS to take into consideration the angle of both AOA vanes, and limiting the amount of trim that it can command to a more reasonable level. Unfortunately for Boeing, at least one of these is a fairly obvious safety feature which should have been implemented in the first place; it's not going to look good for them in any upcoming lawsuits.
737s can inappropriately (and repeatedly) retard the throttles to idle if the single radar altimeter used gives a bad reading. (And the plane has two radar altimeters!)
https://en.wikipedia.org/wiki/...
There are supposedly other similarly reported incidents.
Love many, trust a few, do harm to none.
Nope - the lawsuits they are screwed on. But they (and their insurance company) have plenty of money and it will be mostly forgotten in two years. Although, they are lucky that most of the dead are not from the US, the land of ridiculous lawsuit outcomes (at least until appeal).
Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading
That's assuming the plane is flying itself. Add a pilot - even a fairly incompetent one - into the mix, and the rate goes down a lot more. Add competent aircrew into the mix, and the rate becomes indistinguishable from zero.
Indeed it is. What everyone is missing is they've taken a 737 airframe, bodged some aerodynamic changes onto it that has seemingly caused the aircraft some serious and probably unknown aerodynamic problems and they've covered it with software. It isn't the software that's the problem here.
I'd start selling Boeing stock.
The underlying problem is (agency name) has a revolving door to the (industry name) Industry where people, regulation and oversight passes through unobstructed by responsibility or moral conscience.
FTFY
I hope you never work in any safety critical role.
The answer is never to kludge on a counter to a bad design when a good design would have eliminated the need.
Happened to me from time to time in Pale Moon. You can disable that terrible design idea in config. Google it.
Going forward/back always lost my post content.
Happens (for different reasons) on phone. Touch the screen the wrong way and poof it's gone.
1 in 100,000 is not great really.
Odds of getting all six numbers in the Lotto 6/49 is 1 in 13,983,816. Yet it gets won on a semi-regular basis.
This sounds too much like the "unsinkable" Titanic.
This is how the FAA has operated for years folks, get a grip. They require the aircraft manufacturers to certify their designs but again, how many incidents with this aircraft type in the US? 0
Armchair philosophers here will of course obviate Airbus when their tail fell off an A300 in Jamaica Bay in 2001 and they did nothing about it.
Oh remember when Airbus had to change all their angle of attack sensors after that A400M crashed while testing? They washed the plane and water behind the sensor froze at altitude, giving erroneous information to the flight control system.
It's not Boeing or Airbus it's the culture that technology will solve all the problems. Yes, more testing always helps but design flaws exist in every system out there. I fly every week in Boeing, Airbus, Bombardier, Embraer and even McDonnell Douglas planes. Your risks are all the same regardless of tech or age.
Move on, Boeing will fix this and another tidbit unless they can find criminal misconduct or negligence, the passenger losses are fixed by international agreement.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
>The pilots flew properly and under normal operation the MCAS trimmed out the elevator over and over until pulling the stick all the way back still left you pointing at the ground.
Yes, I explained it does that based on one sensor, and suggested that perhaps it shouldn't trim so far, especially with other instruments indicating it probably wasn't in a stall. So you disagree with the second half of my comment? You think it SHOULD nose dive?
As someone whose company had this happen, including random circuit traces that served no purpose other than to identify the source, I can attest to this.
Use this one then:
Nordic Nutrition Recommendations 2012 http://norden.diva-portal.org/...
"so the problem is not the regulations but that people do not give a shit."
Actually I think it's both. The FDA getting more lax, and people giving 'less of a shit'. And if that's the case, then the thing to work on is the causes contributing to both situations.
>If you deactivate it, what then?
Then you continue to fly the airplane. Just like you've been trained to do. What do you think would happen?
>why would you turn off an accident-preventing system?
Because it has failed. Let's say your fancy new fully AV is stuck on the freeway at a dead stop because a failed obstacle detector says you're about to hit someone. Do you A) find a way to turn off the failed "accident-preventing system" and drive to the shop to get it fixed, or B) sit helpless in the middle of rush-hour traffic because you won't turn off an "accident-prevention" system that has failed?
>You'd most likely just swap accidents caused by this system by accidents caused by pilots flying this unwieldy machine.
You do realize, I hope, that unless the pilots were actually in a too-high AoA situation the MCAS would never activate and they'd be flying the airplane the same way they would without it at all?
>That basically means pulling the little black button out of the dashboard, which cuts power to the component, thereby forcibly disabling it.
And if you look closely, you'll see that some circuit breakers are flush with the panel when "on", and some have a knob sticking out. The difference is that the flush ones control circuits that also have an on/off switch somewhere that would duplicate the breaker interruption of power, while the knobby ones are powering systems that don't, or might need to be pulled when the "off" switch doesn't work.
The avionics master is an example of the former. There's a switch. The autopilot is an example of the latter. The breaker is the last line of defense against an autopilot "off" switch that is a soft control.
The relevant deregulation happened under Obama, you butthurt cock sucker.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.