Boeing Unveils 737 Max Software Fixes (cnbc.com)
hcs_$reboot shares a report from CNBC: Boeing previewed its software fix, cockpit alerts and additional pilot training for its 737 Max planes on Wednesday, saying the changes improve the safety of the aircraft which has been involved in two deadly crashes since October. By the end of this week, Boeing plans to send the software updates and plan for enhanced pilot training to the FAA for certification approval. After the FAA approves the fix, Boeing said it will send the software update to customers.
Among the notable changes to the MAX flight controls:
- The plane's Maneuvering Characteristics Augmentation System, or MCAS, automated flight control system, will now receive data from both "angle of attack" sensors, instead of just one.
- If those disagree by more than 5.5 degrees, the MCAS system will be disabled and will not push the nose of the plane lower.
- Boeing will be adding an indicator to the flight control display so pilots are aware of when the angle of attack sensors disagree.
- There will also be enhanced training required for all 737 pilots so they are more fully aware of how the MCAS system works and how to disable it if they encounter an issue.
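The cross-check described in the list above, as an added example that is not Boeing's code or part of the original story: it contrasts acting on one vane with comparing two against the quoted 5.5-degree limit, and goes one step further with a three-sensor mid-value select. The activation angle, the valid range, the latching of the inhibit, the rule that both vanes must exceed the activation angle, and the sample trace are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define AOA_DISAGREE_LIMIT_DEG 5.5   /* disagreement threshold quoted in the summary */
#define AOA_ACTIVATE_DEG       14.0  /* assumed activation angle, not from the page */
#define AOA_MIN_DEG           -20.0  /* assumed plausible range for a valid reading */
#define AOA_MAX_DEG            40.0

typedef struct {
    bool inhibited;      /* latched once the vanes disagree (latching is assumed) */
    bool disagree_alert; /* drives the cockpit disagree indication */
} aoa_monitor;

/* Constructed sample trace: the left vane sticks at 22 degrees from sample 3 on. */
static const double LEFT[]  = {4.0, 4.5, 5.0, 22.0, 22.0, 22.0, 22.0, 22.0};
static const double RIGHT[] = {4.1, 4.4, 5.2,  5.1,  5.3,  5.0,  4.8,  4.9};
#define N_SAMPLES (sizeof LEFT / sizeof LEFT[0])

/* Range check written so that NaN fails it as well. */
static bool aoa_valid(double v) { return v >= AOA_MIN_DEG && v <= AOA_MAX_DEG; }

/* One-vane logic: a single bad reading is enough to command nose-down trim. */
bool single_sensor_command(double left) { return left > AOA_ACTIVATE_DEG; }

/* Two-vane cross-check: an invalid reading or a disagreement disables the function;
   otherwise both agreeing vanes must exceed the activation angle (assumed policy). */
bool dual_sensor_command(aoa_monitor *m, double left, double right)
{
    double diff = left > right ? left - right : right - left;
    if (!aoa_valid(left) || !aoa_valid(right) || diff > AOA_DISAGREE_LIMIT_DEG)
        m->inhibited = m->disagree_alert = true;
    return !m->inhibited && left > AOA_ACTIVATE_DEG && right > AOA_ACTIVATE_DEG;
}

/* Three-vane mid-value select: the median masks one arbitrarily wrong reading. */
double mid_value_select(double a, double b, double c)
{
    if ((a >= b && a <= c) || (a <= b && a >= c)) return a;
    if ((b >= a && b <= c) || (b <= a && b >= c)) return b;
    return c;
}

/* Nose-down commands issued over the trace by the one-vane logic. */
int count_single_commands(void)
{
    int n = 0;
    for (size_t i = 0; i < N_SAMPLES; i++) n += single_sensor_command(LEFT[i]);
    return n;
}

/* Nose-down commands issued over the trace by the two-vane cross-check. */
int count_dual_commands(aoa_monitor *m)
{
    int n = 0;
    for (size_t i = 0; i < N_SAMPLES; i++) n += dual_sensor_command(m, LEFT[i], RIGHT[i]);
    return n;
}

int main(void)
{
    aoa_monitor m = {false, false};
    int single = count_single_commands(), dual = count_dual_commands(&m);
    printf("single=%d dual=%d alert=%d\n", single, dual, m.disagree_alert);
    return 0;
}
```

With two sensors the monitor can detect the fault but not tell which vane is wrong, so the function is lost; with three, the median keeps a usable value through a single failure.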
so.. a youtube link?
also these are workarounds, why not fix the actual problem of sensor reading incorrectly?
if (crashing() && uncrashFeatureEnabled()) {
uncrash();
}
Before engaging MCAS the control software will display an animated dialog:
Clippy: It looks like your plane may stall. Would you like help?
It must have been something you assimilated. . . .
Because the sensors are physical devices, and are thus subject to all physical device problems. They can break, corrode, be bent by a physical impact, etc...
They're regularly inspected, which is about the best you can do.
I don't read AC A human right
"I dream of a world where a chicken can cross the road without having its motives questioned."
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
So, the FAA previously left the MCAS certification (along with other systems) to Boeing engineers. Is this how the "fix" is going to go through again? Normally they should go back and have FAA engineers redo the certification of every 737 Max system that might affect safety. ;)
But that would take years and FAA/Boeing wouldn't like that, would they
And all the above is without talking about what is the major cause of concern: software trying to compensate for the hardware design shortcomings of an airplane... We could put these new engines on that 50+ year old frame that safely, but, don't worry, some software will take care of it... Only that software will have to turn off if there are issues with the sensors... What do you mean "how is turning off a safety feature safe"? Are you a commie or something?
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
That new software needs to be audited, source code and all, by outside experts. The first thing that was drilled into me in basic instrument flight training was never to fixate on one gauge. Boeing seems to have committed a transport category aircraft to just that.
the PHB is not a Professional Engineer! also an H1B can take your job if you don't ship now.
MCAS wasn't *supposed* to be life critical. Quite the opposite, the pilots were supposed to be able to override it by grabbing the controls. The problem was that it *became* life critical over time and nobody properly noted the design change's impact and then they failed to see (or just flat ignored) this fact.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Nothing is wrong with the aircraft beyond the MCAS system's design and human factors aspect of how it works in a specific failure mode. There is no need to send these aircraft to the scrap yard, yet...
Arguably the pilots flying the two ill-fated flights were not up to par and better training could have saved them, what I see happened is the lack of training ran headlong into a human factors issue of the MCAS design. The failed system confuses pilots, the human factors part of the design sucked badly enough to cause them to crash their aircraft, even though it was fully flyable had they known what to do and popped out a single breaker. Where this is BAD, it's also very fixable, both through pilot training and modifications of the software.
To me, apart from the senseless deaths, what scares me the most is how such a situation can exist where the processes should be in place to avoid stuff like this. Where else has this process failed? When will we find the next dangerous problem? THAT is what would keep me up at night. The MAX 8 will be one of the safest planes in the sky after this design review is done and the software gets updated. I'm worried about what else is waiting to bite us, because flying is dangerous business, even when you do it all right, people are going to die sometimes.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Done.
Will $CURRENT_YEAR be the year of the Linux Desktop?
The problem isn't implementation bugs, it's the basic design that gives the autopilot control authority over the pilot. This exact sort of accident has been with us since the introduction of the first A320 (the first fly-by-wire aircraft where the autopilot could overrule the pilot's control inputs). The fix is in 2 parts:
Quick patch. Another plane please. Boeing and the airline industry will bounce back better but an expensive lesson.
Why wasn't this done in the first place!? It is an industry standard to use redundancy for life critical applications. They have redundancy already, why didn't they use it?
Also: Applying the patch creates TWO single points of failure for the system. If EITHER of the angle of attack sensors fails, goes off-calibration by more than 5 1/2 degrees, or angle of attack at the two sensors differs by more than that small amount, the MCAS will shut down.
The MCAS is there to bring the nose down if the aircraft is about to stall, which it is prone to do because of the relocation of the engines (relative to the previous model) forward and up, along with the reshaping of their nacelles. With the MCAS shut down the aircraft is back to having a risk of a sudden stall, which can ALSO cause it to have an "uncontrolled flight into ground" if it's too low for the pilots to recover (which is pretty darned high).
As with aircraft carrier naval groups, continents also ALWAYS have the right-of-way over airliners.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Boeing screwed up ROYALLY and they'll pay for this, likely to the tune of hundreds of millions of dollars.
This was an egregious engineering fuckup that was completely 100% avoidable. So many mistakes, it's horrendous and shameful for a company like Boeing to implement these insane design choices.
Basic SOL and mission-critical applications are always always ALWAYS supposed to use a minimum of two sensors and in most cases they should use three (with an arbitrated voting system).
In addition there was very little in the manual on it plus virtually no pilot training and consequently no pilot awareness, leading to two completely avoidable accidents.
So Boeing says that now they'll add a "plane-is-trying-to-kill-you" lamp, as well as a "please-stop-trying-to-kill-us" switch that turns off the MCAS.
That's nice, but it's a little late for 360+ people.
Just cruising through this digital world at 33 1/3 rpm...
You've confused MCAS with something else.
The only "control grabbing" you can do to stop MCAS is to grab the stabilizer trim wheel while it's spinning and physically stop it. Which is only to be done if cutting the power to the stabilizer trim motor doesn't fix the problem.
To be fair though, the pilots should have noticed the trim moving by itself and pitching the plane down. If they didn't know why it was happening they should have gone through their runaway stabilizer trim checklist, which every 737 pilot should already know.
If
{Audio.conv.facebook.newposts == "Oh my god, we're gonna die!!!" >120
}
then
{
Push.stick.omg.enable==1
Set NOCRASH=1
Reset OMG mode
}
endif
*note for the pedantic: this is not code. :)
Truth isn't Truth - Guliani
The amount of pitch up with the newer more powerful engines got to a point where when the plane is already at a high angle of attack, the elevator doesn't have enough authority to counteract it. The entire rear stabilizer needs to be moved using the stabilizer trim.
Other planes have larger elevators or less pitch-up under full thrust.
The MAX 8 will be one of the safest planes in the sky after this design review is done and the software gets updated.
A plane where the engines have too much power and push the nose so far up that the plane can stall: does not sound safe to me.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
Actually, it's more confusing, and that's the problem.
If the pilot manually re-trims, MCAS is overridden for 5 seconds, then it adjusts the trim again. It's not hard to see how the pilot might mis-identify the ongoing problem as a recurrent momentary problem.
Per recent reports, the cockpit voice recorder shows that they were in the middle of it.
And according to Boeing's simulations, they only had forty seconds between stick shaker activation and a rapid unplanned deceleration, so...
The difference is that with the patch, it fails to a less unsafe condition compared to before the patch, with a warning light now to let the pilot know he'll need to be more vigilant. Before the patch, a single failure would cause the plane to repeatedly try to crash.
Passengers will keep debugging.
Great. How do you determine whether the vote has a correct outcome?
Well, I'd start with reading my whole post before replying, because this is only like one of three questions you ask that are answered later in the same post. In some cases by the very next line.
Why ask when the question is already answered?
As for design flaw - that is a whacked sensor. I did mention firing people out of a cannon at that point...
The idea is that crash tendency is noticed.
Well, I said "hope" for a reason. It is a very scary situation to be minimized if possible.
About the only defense against defective sensors that are all returning the same nonsense, short of turning the aircraft into a mess of redundant sensors, would be to include a wider variety of sensor sanity checking. For your example at Balotesi, it sounds like the copilot wasn't paying attention to his attitude indicator. I also can't help but think that GPS might help in some cases as well, as acting like a lawn dart isn't good. While you really need airspeed data for good flight, which is different than ground speed, but if we're talking sanity checking.... It doesn't have to substitute, merely indicate fault, and that you're heading for rapid unscheduled disassembly with the ground.
I don't read AC A human right
The cost would be pretty high though :|
Anyone who has done embedded development (or avionics for that matter) of any kind knows you need 3 sensors at each location with algorithms that compensate for failed or misfiring sensors both in integrating their readings and the final result. Did they drink the poison that is silicon valley and build out a crack dev team composed solely of cucks?
Does anyone know if Lennart Poettering designed the MCAS? It reminds me of pulseaudio a lot. It is a system built to solve some problem but it has so many problems of its own that the best solution to any problem is to turn it off... which leaves you with the original problem.
Proof of concept, Pay me bitch :P
Can anybody imagine a 737 MAX pilot being anything less than viscerally aware of the problem and what must be done to fix it? Anything else being done is gilding the lily. Of course, turning off MCAS with an AoA sensor mismatch simply makes the job easier for the pilots. Now, why do they disagree? Are they really AoA indicators or something else entirely? Why aren't there three if you're going to use them in a flight safety critical manner?
{^_^}
The depressing (or incriminating?) part here is that the fix didn't require any hardware modifications, as I would have expected. I assumed that there was some cost/weight issue to having the MCAS have access to the left and right sensors. But nope, it could have compared both.
If it can be fixed with a software fix, then it could have been done right from the start without any extra hardware costs of production.
Very damning.
I get so tired of the reports calling clear software/algorithm bugs "computer glitches."
It's akin to blaming every pilot error situation on the plane.
Just as with hardware design flaws, software design flaws should have repercussions for the manufacturer, and not written off as "oh, one of those computer glitches!" If your computers are glitchy, don't put them on my plane, thanks.
Love many, trust a few, do harm to none.
The plane should have been a white board redesign
I'm with you on this. Everything I read about the MCAS system sounds like a fudge to save costs; safety took second place to profit.
It surprises me that I haven't seen any comments about the BOAC Comet. Back in the early days of jet flight, the country leading the world in aviation was Britain. Unfortunately, we didn't realise that square windows meant airframe weakness, and sadly it took two crashes to learn that lesson. Despite fixing that problem, most airlines cancelled their orders of the Comet, and America overtook Britain as the jet airliner manufacturer of choice.
I don't fly very often, but when I do, I make sure that I am NEVER flying on a Boeing aircraft. To answer why, let me introduce you to the Boeing 707, the model on which all your wonderful Boeing aircraft today are based.
Let me ask you this. Just over one thousand Boeing 707s were built. How many of them do you think ended up as flaming wrecks on the ground, or in an accident so bad that even the most optimistic shyster wouldn't want to repair them and get them flying again - or, in aviation parlance "Total Hull Loss".
10?
20?
50?
No. 173. Almost ONE IN FIVE. Don't believe me?
So here's a question. Would YOU willingly fly on an aircraft knowing that there's a 1 in 5 chance that it will end its life not in sunny retirement, but smashed into little pieces on the ground? Would you fly on an aircraft that borrowed heavily from the design of an aircraft that had a 1 in 5 chance of ending its life killing everyone on board?
Are you going to fly on a Boeing aircraft again?
Never thought I'd ever write this, but yeah.
"It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
...when we have assholes like Boeing doing it to us anyway?
Debate is a form of harassment. Do not question my truth.
The amount of pitch up with the newer more powerful engines got to a point where when the plane is already at a high angle of attack, the elevator doesn't have enough authority to counteract it. The entire rear stabilizer needs to be moved using the stabilizer trim.
Other planes have larger elevators or less pitch-up under full thrust.
The moving of the entire stabilizer is how this is done in most commercial aircraft and is not unique to the MAX. There is a "jack screw" that adjusts the angle of the horizontal stabilizer in many aircraft that is driven by the trim system. This arrangement has been standard fare for aircraft design for a very long time and I've seen it used on aircraft from the 60's and I'm sure it was in use long before then. Again, this is not a unique arrangement to the 737 MAX, but very common due to its aerodynamic efficiency at high speed and range of control authority it offers at low speeds.
There is plenty of control authority in the horizontal stabilizer to safely fly the 737 MAX as designed. The MCAS system was supposed to only adjust how the aircraft "feels" to the pilots. As such, it's not a safety system per se, or wasn't supposed to be when it was initially envisioned. The idea was to increase the control forces to keep pilots away from the edges of the aerodynamic flight envelope where they were accustomed to higher forces than the 737 MAX naturally provided.
Again, there is nothing aerodynamically wrong with the 737 MAX; it can be safely flown. There is an issue with a failure mode of the MCAS confusing pilots, by messing with the trim, but the aircraft remains 100% flyable. The pilots are being cognitively challenged because the aircraft is changing the pitch trim for reasons they don't understand, and pilots of any aircraft where the trim is getting messed with would have difficulty. The only part of this which is unique to the MAX is that MCAS system and the one unfortunate failure mode.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
The system should be disabled by pulling back on the stick hard. Having a system designed to nose dive into the ground and completely override the pilot unless a complicated procedure is followed to disable it is asinine. Boeing has the blood of 300+ on its hands.
The MAX 8 will be one of the safest planes in the sky after this design review is done and the software gets updated. A plane where the engines have too much power and push the nose so far up that the plane can stall: does not sound safe to me.
Every low engine aircraft exhibits this very same behavior, to varying degrees. It's a known feature, just like the tendency to turn left on departure is on a single engine prop aircraft or the slow spool up times of turbines in jet aircraft. These are simply the dynamics of flying the aircraft that pilots must know and compensate for. All sorts of things cause pitch trim changes. Raising the landing gear, adjusting the flaps all affect the horizontal trim of the aircraft too, not just the adding of thrust. The MAX has no more dangerous tendency to pitch under power up than its predecessors did and pilots are trained on how to deal safely with the flying characteristics of their aircraft.
Also, the engines are not really that much more thrust that was the trim change issue, it was the moving of the engine forward (and the associated change in weight and balance). the center of mass moving higher and the effect the larger engine fans and cowling had on the airflow at high angles of attack. This makes the aircraft stall a bit sooner as the airflow is disrupted over the wing root sooner in this configuration. The engine thrust wasn't the major contributor to the problem, as the point here wasn't improving thrust, but fuel consumption, with the new engine configuration.
The MCAS system was really only there to make the stall "feel" like the 737 pilots were used to feeling. The old 737 still could stall at similar angles of attack and in similar situations, but you NEVER want to stall a jetliner full of people, ever. So they invented this flight control augmentation system that makes the MAX "feel" similar to the old 737 and help keep old 737 pilots from stalling it inadvertently when they flew the new aircraft.
It's not that the aircraft is dangerous or has unsafe aerodynamics, quite the opposite, it's likely safer and more efficient, it's just that Boeing recognized that old pilots needed a bit of "help" to fly the thing. Instead of making it a training issue, and putting the pilots through stall training in the simulator on the new airframe, they did this MCAS thing and then didn't train pilots. THAT was the mistake, that was or is the fatal flaw in this process. A flaw that will be repaired by training pilots, providing more information to pilots through software changes to get the MAX back in the air, but more importantly we will fix the PROCESS problem that let such an obvious problem make it into the air, with passengers.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
The MAX is not unstable by design. In fact, it's quite stable, BY DESIGN. All passenger planes are.
What happened is the MAX stalls differently than the 737's that came before it. The MCAS system was designed to help pilots who knew how to fly the 737 fly the MAX without too much extra training. It augmented the flight controls to make the MAX feel and handle like the 737's of old, even though the aircraft was actually different. The MAX doesn't have some dangerous innate aerodynamic flaw, it's just different from the 737 of old, so Boeing tried to adjust that.
The problem was the MCAS system wasn't being trained properly and apparently Boeing short circuited the certification process on this aspect of their design. This isn't a design flaw, per se, but more of a documentation and training flaw. The MCAS system malfunction was NOT a fatal problem, it had been successfully dealt with at least once, but pilots were not being told about this system or trained on how to recognize and deal with failures.
The fatal flaw was the process that let this lack of documentation and training of pilots reach the flying public. Not the aircraft's design.
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
U get the plane :)
The more I read about this completely preventable engineering cluster-fùk, the more I lose confidence in Boeing management as an aircraft company.
When two airplanes crash within 6 months the CEO should be fired for cause. Boeing should do a thorough audit questioning the engineers and managers who signed off critical design decision failures, publicly publish the results of the audit and fire the individuals responsible for the failures in this program. That both the 787 and 737 airplanes were grounded demonstrates there are serious engineering process deficiencies within Boeing. Boeing should require ALL management have engineering degrees if they are even tangentially involved in aircraft design. Even HR should be investigated and held accountable for the inadequate personnel they brought into the company.