Slashdot Mirror


Boeing Unveils 737 Max Software Fixes (cnbc.com)

hcs_$reboot shares a report from CNBC: Boeing previewed its software fix, cockpit alerts and additional pilot training for its 737 Max planes on Wednesday, saying the changes improve the safety of the aircraft which has been involved in two deadly crashes since October. By the end of this week, Boeing plans to send the software updates and plan for enhanced pilot training to the FAA for certification approval. After the FAA approves the fix, Boeing said it will send the software update to customers. Among the notable changes to the MAX flight controls:
  • The plane's Maneuvering Characteristics Augmentation System, or MCAS, automated flight control system, will now receive data from both "angle of attack" sensors, instead of just one.
  • If those disagree by more than 5.5 degrees, the MCAS system will be disabled and will not push the nose of the plane lower.
  • Boeing will be adding an indicator to the flight control display so pilots are aware of when the angle of attack sensors disagree.
  • There will also be enhanced training required for all 737 pilots so they are more fully aware of how the MCAS system works and how to disable it if they encounter an issue.


  1. enhanced training by zlives · · Score: 2, Interesting

    so.. a youtube link?

    also these are workarounds, why not fix the actual problem of sensor reading incorrectly?

  2. patch by Anonymous Coward · · Score: 4, Funny


    if (crashing() && uncrashFeatureEnabled()) {
      uncrash();
    }

  3. Changes to the MAX flight controls ... by fahrbot-bot · · Score: 4, Funny

    Before engaging MCAS the control software will display an animated dialog:

    Clippy: It looks like your plane may stall. Would you like help?

    --
    It must have been something you assimilated. . . .
    1. Re:Changes to the MAX flight controls ... by fahrbot-bot · · Score: 2

      I'd try to come up with a funny expansion of MCAS.

      May Cause Air Sickness

      --
      It must have been something you assimilated. . . .
  4. Sensors are physical objects by Firethorn · · Score: 5, Informative

    Because the sensors are physical devices, and are thus subject to all physical device problems. They can break, corrode, be bent by a physical impact, etc...

    They're regularly inspected, which is about the best you can do.

    --
    I don't read AC A human right
    1. Re:Sensors are physical objects by zlives · · Score: 4, Interesting

      which again goes to question the logic behind an automated system based on sensors that could be faulty forcing correction while on manual flight control... but i am sure i don't understand as I am not an industry insider.

    2. Re:Sensors are physical objects by PPH · · Score: 5, Interesting

      It might not be the physical sensor. Data from both the LION and Ethiopian flights shows an offset between the two AoA sensors of 22 degrees. Neither appear to be stuck, as they both track airplane movements. But with this offset. Same physical fault causing the exact same offset? Doubtful.

      One theory is that the 22 degree figure is pretty close to the value of one bit in the ARINC 429 word for AoA (22.5 degrees). So, software might be flipping a bit. This might be a tough bug to run down.

      --
      Have gnu, will travel.
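
The bit-weight arithmetic behind the theory in the comment above, as an added example (not part of the thread and not any avionics vendor's code). It assumes a BNR field scaled to ±180 degrees in ARINC 429 bits 11-29, which is what makes bit 26 worth 22.5 degrees; the label value, function names and sample angles are constructed. It goes one step past the comment by modelling the word's odd-parity bit.

```python
"""One stuck data bit in an ARINC 429 BNR angle word (constructed model)."""

FULL_SCALE_DEG = 180.0            # assumption: field spans +/-180 degrees
MAG_BITS = 18                     # ARINC bits 11..28; bit 29 is the sign
LSB_DEG = FULL_SCALE_DEG / (1 << MAG_BITS)
RAW_MASK = (1 << (MAG_BITS + 1)) - 1
LABEL = 0o001                     # constructed placeholder, not a real label
SSM_NORMAL = 0b11                 # BNR sign/status matrix: normal operation


def bit_weight_deg(arinc_bit):
    """Degrees represented by ARINC data bit 11..28 under the scaling above."""
    return LSB_DEG * (1 << (arinc_bit - 11))


def parity_ok(word):
    """ARINC 429 uses odd parity over all 32 bits (bit 32 is the parity bit)."""
    return bin(word).count("1") % 2 == 1


def pack(raw):
    """Build the 32-bit word from a 19-bit two's-complement value."""
    word = LABEL | (raw << 10) | (SSM_NORMAL << 29)
    if not parity_ok(word):
        word |= 1 << 31           # set bit 32 so the total count of ones is odd
    return word


def to_raw(angle_deg):
    """Quantise an angle to the 19-bit two's-complement field."""
    return round(angle_deg / LSB_DEG) & RAW_MASK


def encode(angle_deg):
    return pack(to_raw(angle_deg))


def decode(word):
    raw = (word >> 10) & RAW_MASK
    if raw & (1 << MAG_BITS):     # sign bit set: negative angle
        raw -= 1 << (MAG_BITS + 1)
    return raw * LSB_DEG


def encode_with_stuck_bit(angle_deg, arinc_bit):
    """Fault upstream of the transmitter: bit forced to 1 before parity is computed."""
    return pack(to_raw(angle_deg) | (1 << (arinc_bit - 11)))


def flip_on_wire(word, arinc_bit):
    """Fault on the bus: bit inverted after parity was computed."""
    return word ^ (1 << (arinc_bit - 1))


def compare(angles, arinc_bit=26):
    """Return (true, healthy reading, stuck-bit reading, parity_ok) per angle."""
    rows = []
    for a in angles:
        stuck_word = encode_with_stuck_bit(a, arinc_bit)
        rows.append((a, decode(encode(a)), decode(stuck_word), parity_ok(stuck_word)))
    return rows


if __name__ == "__main__":
    print(f"bit 26 weight: {bit_weight_deg(26)} deg")
    for a, good, bad, par in compare([2.0, 5.0, 9.5, 14.0]):  # constructed angles
        print(f"true {a:5.1f}  healthy {good:7.3f}  stuck-bit {bad:7.3f}  parity_ok={par}")
    print("wire flip passes parity:", parity_ok(flip_on_wire(encode(5.0), 26)))
```

In this model a flip on the bus fails the parity check, while a bit forced high before the word is assembled arrives with valid parity and a reading that tracks the true angle 22.5 degrees high.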
    3. Re:Sensors are physical objects by Firethorn · · Score: 5, Interesting

      I was keeping my response simple, but for "flight critical" sensors the general idea is to have at least 3 and use a voting system. For sensors that are 99.X% reliable, the odds that two will be out such that they are throwing the same erroneous value(or at least within error margins) is quite low. Though there are differences between 'simple' sensors that report back a simple voltage or resistance where determining a fault can be difficult, and complex ones like radar, GPS, that are more likely to tell the system they have a problem. The vanes here are simple sensors.

      Though with the MCAS it was supposed to assist, not be critical, thus 1 vane being enough. Pilots were supposed to be able to override with just more stick application. That assessment is being challenged, and the 2 vane + alarm thing is Boeing hoping to avoid having to install another sensor for proper 3 sensor + voting reliability, as the extra sensor will be expensive.

      3 good sensors: all good
      2 good sensors: all good(less redundancy)
      2 good sensors, 1 whack - get fixed after landing
      1 good, 1 whack - system unreliable, turn off. Consider landing early.
      1 good - 2 whack(different values) - system unreliable, turn off, consider landing early
      1 good - 2 whack(same values) - hope you notice before crash/fire. Turn off system. Seriously consider landing early. Last good sensor may or may not be usable(does it have an output you can use?). Consider firing maintainers as it is likely at least one was whack when you took off.
      0 good - 2 whack(same values) - same as previous, really. Without minor hope of good sensor being useable.
      3 whack - same as previous. Consider firing maintenance department out of a cannon.

      --
      I don't read AC A human right
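
The table in the comment above, worked through as a small voter (an added example, not part of the thread and not any aircraft's actual logic). The 5.5 degree tolerance is the figure from the summary; the mid-value-select scheme, the function names and the sample readings are assumptions chosen for illustration.

```python
"""Cross-checking redundant angle-of-attack readings (illustrative voter)."""
from dataclasses import dataclass
from statistics import median
from typing import Optional, Sequence, Tuple

DISAGREE_DEG = 5.5  # disagreement threshold quoted in the summary


@dataclass
class Vote:
    status: str                 # "ok", "degraded" or "unreliable"
    value: Optional[float]      # voted angle, None when no value can be trusted
    rejected: Tuple[int, ...]   # indices of sensors the vote went against


def vote(readings: Sequence[Optional[float]], tol: float = DISAGREE_DEG) -> Vote:
    """None marks a sensor that is absent or has reported itself failed."""
    live = [(i, r) for i, r in enumerate(readings) if r is not None]
    if len(live) >= 3:
        mid = median(r for _, r in live)
        agree = [(i, r) for i, r in live if abs(r - mid) <= tol]
        rejected = tuple(i for i, r in live if abs(r - mid) > tol)
        if len(agree) >= 2:
            value = sum(r for _, r in agree) / len(agree)
            return Vote("degraded" if rejected else "ok", value, rejected)
        return Vote("unreliable", None, tuple(i for i, _ in live))
    if len(live) == 2:
        (i, a), (j, b) = live
        if abs(a - b) <= tol:
            return Vote("degraded", (a + b) / 2, ())
        return Vote("unreliable", None, (i, j))   # cannot tell which one is wrong
    return Vote("unreliable", None, ())           # nothing left to cross-check


def augmentation_allowed(v: Vote) -> bool:
    """Hypothetical gate: inhibit the automatic function when no value is trusted."""
    return v.status != "unreliable"


CASES = {  # constructed readings in degrees; the true angle is about 4
    "3 good": [4.0, 4.2, 3.9],
    "2 good": [4.0, None, 4.2],
    "2 good, 1 whack": [4.0, 26.5, 4.2],
    "1 good, 1 whack": [4.0, 26.5, None],
    "1 good, 2 whack (different)": [4.0, 26.5, -15.0],
    "1 good, 2 whack (same)": [4.0, 26.5, 26.4],
}

if __name__ == "__main__":
    for name, readings in CASES.items():
        v = vote(readings)
        print(f"{name:30s} {v.status:10s} value={v.value} "
              f"rejected={v.rejected} allowed={augmentation_allowed(v)}")
```

The last case is the one the voter cannot catch: two sensors reporting the same wrong value outvote the healthy one, and the result is reported as merely "degraded".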
    4. Re:Sensors are physical objects by Firethorn · · Score: 2

      If the crashes were due to software bug, ouch. Didn't the LION flight take off with a known defective AoA sensor though?

      --
      I don't read AC A human right
    5. Re:Sensors are physical objects by Compuser · · Score: 2

      I am not sure why we do not do five sensors for critical stuff and three for less critical. This whole cost cutting business is shady as hell when lives are at stake.

    6. Re:Sensors are physical objects by dgatwood · · Score: 5, Interesting

      It might not be the physical sensor. Data from both the LION and Ethiopian flights shows an offset between the two AoA sensors of 22 degrees. Neither appear to be stuck, as they both track airplane movements. But with this offset. Same physical fault causing the exact same offset? Doubtful.

      One theory is that the 22 degree figure is pretty close to the value of one bit in the ARINC 429 word for AoA (22.5 degrees). So, software might be flipping a bit. This might be a tough bug to run down.

      It seems unlikely that software would suddenly start flipping a bit repeatedly. That usually implies faulty hardware. The real question is how two pieces of hardware could experience the exact same fault on exactly the same bit.

      My money is on thermal expansion of a BGA fastened with lead-free solder.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    7. Re:Sensors are physical objects by giampy · · Score: 2

      In these cases when the sensors disagree for whatever reason, it looks like a light will turn on but essentially they will lose reliability of both sensors and they won't know which one is faulty (assuming they won't fault at the same exact time, which is a safe assumption).

      If so it's a little stupid, and sad, as there are plenty of techniques to decide which one is correct and which one is faulty based on the reading of the other sensors (and a small internal model of the aircraft). I hope they implement a better system.

      --
      We learn from history that we learn nothing from history - Tom Veneziano
    8. Re:Sensors are physical objects by PPH · · Score: 2

      That usually implies faulty hardware.

      It would seem so. Like an open/shorted lead on a parallel bus. Maybe a bad pin on an A/D chip. ARINC 429 is a serial protocol, so it's not likely something loose between boxes. What really rules the h/w angle out is the similar fault on (at least) two unrelated flights.

      --
      Have gnu, will travel.
    9. Re:Sensors are physical objects by viperidaenz · · Score: 5, Informative

      No, it's intended to stop a stall from happening by automatically adjusting the stabilizer trim as the elevators don't have enough pitch authority to counteract the pitch-up caused by the more powerful engines.

      The system is intended to allow the plane to be certified without redesigning the elevators.

    10. Re:Sensors are physical objects by PPH · · Score: 5, Interesting

      The LION plane had an AoA system problem on a previous flight. The sensor was replaced. It appears that didn't fix it.

      --
      Have gnu, will travel.
    11. Re: Sensors are physical objects by viperidaenz · · Score: 4, Informative

      thrust is what causes the stall this system is designed to mitigate.

      The more thrust you apply to an aircraft with low-mounted engines, the more the aircraft pitches up, making a stall more likely.

      If the aircraft has tiny elevators, like the 737, there is a point where the thrust is pitching the aircraft up more than they can correct, given the current angle of attack.
      In that situation, there are only two things you can do to stop a stall
      1) lower the thrust that is pitching the aircraft up
      2) use the stabilizer trim to change the angle of the rear stabilizer - which is what MCAS does automatically.

    12. Re:Sensors are physical objects by dgatwood · · Score: 4, Informative

      What really rules the h/w angle out is the similar fault on (at least) two unrelated flights.

      It only rules out hardware if you assume that the failure is a random fluke. If it is the result of a mechanical design flaw or an under-specified simple component like a resistor, capacitor, or transistor, hardware failing in the same way isn't particularly rare. For example:

      GPU thermal failures often result in a small number of different sets of identical symptoms; the same solder balls break more frequently because of their location and the way that the chip expands.

      At one point, I was involved in a group buy of some preamplifier hardware from a manufacturer in China. There was something like a 40% failure rate, and it was caused by a single transistor being substituted with a lower-quality part that became unstable in the presence of too little capacitance. And they all failed with the exact same symptom, en masse.

      And a particular age range of certain models of TV failed en masse because of capacitor plague. In every case, the symptom was that they wouldn't turn on.

      Or consider the T-Con board that drives various LCD panels in TVs. They fail with alarming regularity, to such a degree that there's actually a third-party company manufacturing new replacement boards for old TVs. There are only a few different failure modes, usually involving one color channel stuck off or on, and statistically if you buy a used board, nearly 100% of the time you'll get a bad one, because it's the #1 cause of replacing TVs that contain certain models of T-Con board.

      And I can also recall a hard drive connector built by a major manufacturer that was attached by a screw on only one end, and repeatedly would work its way loose, requiring a complete redesign of the hardware in the next generation.

      You get the idea.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    13. Re:Sensors are physical objects by Applehu+Akbar · · Score: 3, Insightful

      Reality the only safe choice now, DO NOT BUY US AIRCRAFT

      A whole set of EU pitot tubes would never ice over above a tropical storm, any more than an EU rudder would snap off in wake turbulence, would they now?

    14. Re:Sensors are physical objects by Darinbob · · Score: 5, Insightful

      Just your industry standard screwup. A better design is expensive, more testing is expensive, any delay is expensive. So the product managers will push and push and push for you to ship the product. The plane was not designed from scratch, it's an incremental modification of the 737 line and this feature was essentially a patch that was less expensive than a redesign.

    15. Re:Sensors are physical objects by brausch · · Score: 2

      Pretty much every industry worldwide is like this. Auditors check that various reviews and things have been done. The reviews etc. are done by the manufacturers. Take a look at the auto industry and the emissions issues the last few years. The government seldom does the testing, etc. They just set the standards and the manufacturers claim they meet them. Same with the drug manufacturers (see the recent worldwide recall of the blood pressure medicine irbesartan). There isn't enough government expertise or manpower to check everything.

      --
      "Almost every wise saying has an opposite one, no less wise, to balance it." - George Santayana
    16. Re:Sensors are physical objects by weilawei · · Score: 4, Funny

      You started out with such a level attitude in the first paragraph, then you really stalled. Are you sure your MCAS was enabled?

    17. Re:Sensors are physical objects by dgatwood · · Score: 2

      You really don't think that Boeing has thought to do accelerated life testing on lead-free solder connections?

      If you had asked me a month ago whether Boeing would build hardware that could command huge amounts of trim using only a single AoA sensor, I'd have said no. So if you're seriously asking whether I think that a design team who would sign off on MCAS might also have underestimated the impact of using a different epoxy in some BGA part, not realizing that it would overstress some solder ball because of its composition, then yeah, I'd say that's entirely possible. And if you don't think so, I hope you're not involved in the certification process. :-)

      And it's not just thermal stress. Lead-free solder is subject to random formation of tin whiskers that can short things out. If two solder pads just happen to be slightly closer to one another than other similar pads, the odds of catastrophic whisker formation occurring between those pads would be much higher than between the other similar pads, which could easily cause a much higher failure rate of a specific bit on some parallel bus or similar.

      Not every bad thing that happens to electronics is because of the world-wide conspiracy to take lead out of solder.

      No, but a lot of them are, including some that you might not be aware of. For example, many cases of Toyota's unexpected acceleration were likely caused by tin whiskers resulting from certain lead-free solder formulations (NESC Assessment #TI-10-00618).

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    18. Re: Sensors are physical objects by ath1901 · · Score: 4, Insightful

      So by disabling the MCAS you can't go full throttle without manually adjusting trim. That's not exactly ideal.

      I've heard elsewhere that the purpose of the MCAS was also to make the Max fly like previous 737 and thus reduce retraining. With MCAS disabled, the pilot is flying a plane he is not trained for.

      I'm not sure if I'm comfortable with this solution. Instead of a crash you get a high risk situation which sure is better but far from good.

    19. Re:Sensors are physical objects by ilguido · · Score: 3, Insightful

      The airplane in the LION air crash was 2 months old (delivered new mid-August, crashed in October). They had no time to do poor maintenance.

    20. Re:Sensors are physical objects by JaredOfEuropa · · Score: 2

      Wait, so if the sensor craps out and MCAS is disabled, the pilots will be unable to prevent a pitch-up when opening up the throttle, unless they manually dial in stabiliser down trim? Somehow that doesn’t make me feel a whole lot better about this fix.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    21. Re:Sensors are physical objects by ti1ion · · Score: 4, Informative

      No, you are wrong. It is not specifically intended to stop a stall. Read up on the issue. It is intended to let all qualified 737 pilots fly the Max WITHOUT EXTRA TRAINING. This plane has different stall characteristics, meaning it does different things when it stalls. Normally, you would train a pilot to notice what it is doing and adjust accordingly. But, that requires training that Boeing told airlines they would not have to do. So, Boeing designed MCAS specifically to make the Max behave like a regular 737 when approaching a stall, ie. kick the nose down. By doing that, the pilot is supposed to be able to see a familiar characteristic and say *ding* *ding* *ding*, my plane is stalling. NO EXTRA TRAINING. MCAS is not a stall prevention system, but a Maneuvering Characteristics Augmentation System. To learn more, at least read the first three paragraphs of this article:

      https://theaircurrent.com/avia...

      And all the white nationalists talking about foreigners in this thread is sickening. Sad to see Slashdot being overrun by these maggots.

    22. Re:Sensors are physical objects by jbengt · · Score: 3, Insightful

      The more redundant devices you use, the more likely that there is a failure of at least one, which is not good, because now you have to decide what's going on. And if the failure modes are not different enough, it may be common that when one fails, many fail. You could be no better off with more and, depending on the math of the specifics, you might be actually worse off with more.

    23. Re:Sensors are physical objects by mjwx · · Score: 2

      which again goes to question the logic behind an automated system based on sensors that could be faulty forcing correction while on manual flight control... but i am sure i don't understand as I am not an industry insider.

      That is Airbus's model, if all 3 flight computers can't agree, they throw control back to the pilot and say "sorry, your plane now". A system that has been fantastically safe and Boeing has spent billions trying to rubbish.

      The system in the 737 MAX is there because they've changed the position of the engines from under the wing to in front of the wing which pushes the thrust directly under the surface of the wing. This has the nasty side effect of being able to increase the pitch of the aircraft without the direction of the pilot or flight control computers up to a point where the engines might stall. The anti stall measure in the MCAS is there because of this and will over-ride the pilot so it's not like the Airbus system. It is a bad hardware design and you can't simply patch out bad hardware design in software.

      It's my hope that it doesn't take another fatal crash to realise this.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    24. Re:Sensors are physical objects by iserlohn · · Score: 2

      >The system is intended to allow the plane to be certified without redesigning the elevators.

      Actually the whole airframe has to be redesigned because the original 737 was designed too low to fit the larger, more efficient engines of the MAX fully underneath its wings. The workaround was for the engine mounts to be moved forward, changing the handling of the aircraft and leading to the introduction of MCAS.

    25. Re:Sensors are physical objects by tzanger · · Score: 2

      My UID is pretty old. I remember GNAA, frosty piss, hot gritz, JonKatz and Roblimo, etc., etc..

      Slashdot is a mere shadow of what it once was. The moderation system is beyond broken. MOST of the posts here should be moderated away yet aren't. The seedy underbelly was always there, but now it's being elevated to the top. OP is right, /. has been overrun with the maggots. I'd estimate a good 80% of every story's comments are shitposts and racist bullshit. It didn't used to be that way.

  5. Re:How will they certify it? by 0100010001010011 · · Score: 4, Insightful

    As someone that has worked in both functional safety and off-highway vehicles.

    How the fuck did this ever make it into production. Why is a 'second sensor' an upsell?

    When given the option to completely update the cockpit to the latest and greatest with digital displays.

    They chose to replicate the old mechanical dials so the pilots couldn't be retrained.

    The entire thing from start to finish was rushed. Mechanical design comes first. There is no 'try and develop software in parallel'. A clean software design depends on a good mechanical design.

    The plane should have been a white board redesign, it should have been balanced such that a pilot could fly it stable with no avionics. This isn't a jet fighter.

    But it was rushed because Europe invested in R&D and beat them to economy routes. How much money did Boeing C-suites make before 2011? During the 2009 crash there was a hiring spree by some companies because the market was flooded with cheap, good engineers that just got laid off. Companies invested in talent. Did Boeing?

    People died because... Boeing sat on R&D from post WWII while making a ton of money so when Airbus released a good plane they scrambled to retrofit an old design by putting huge engines on an airframe causing it to pitch up but to appease its clients it added software to mimic the old plane behavior and tested it themselves and told the FAA they promise they did it right.

    More or less.

  6. Re:Why wasn't it done in the first place!? by bobbied · · Score: 4, Informative

    MCAS wasn't *supposed* to be life critical. Quite the opposite, the Pilots were supposed to be able to override it by grabbing the controls. The problem was that it *became* life critical over time and nobody properly noted the design change's impact and then they failed to see (or just flat ignored) this fact.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  7. Re:Why wasn't it done in the first place!? by Ungrounded+Lightning · · Score: 4, Interesting

    Why wasn't this done in the first place!? It is an industry standard to use redundancy for life critical applications. They have redundancy already, why didn't they use it?

    Also: Applying the patch creates TWO single points of failure for the system. If EITHER of the angle of attack sensors fails, goes off-calibration by more than 5 1/2 degrees, or angle of attack at the two sensors differs by more than that small amount, the MCAS will shut down.

    The MCAS is there to bring the nose down if the aircraft is about to stall, which it is prone to do because of the relocation of the engines (relative to the previous model) forward and up, along with the reshaping of their nacelles. With the MCAS shut down the aircraft is back to having a risk of a sudden stall, which can ALSO cause it to have an "uncontrolled flight into ground" if it's too low for the pilots to recover (which is pretty darned high).

    As with aircraft carrier naval groups, continents also ALWAYS have the right-of-way over airliners.

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  8. No, no, no... by Grog6 · · Score: 2

    If
    {Audio.conv.facebook.newposts == "Oh my god, we're gonna die!!!" >120
    }
    then
    {
    Push.stick.omg.enable==1
    Set NOCRASH=1
    Reset OMG mode
    }
    endif

    *note for the pedantic: this is not code. :)

    --
    Truth isn't Truth - Guliani
  9. Re:Encouraging news. Still nervous. by viperidaenz · · Score: 5, Informative

    The amount of pitch up with the newer more powerful engines got to a point where when the plane is already at a high angle of attack, the elevators don't have enough authority to counteract it. The entire rear stabilizer needs to be moved using the stabilizer trim.

    Other planes have larger elevators or less pitch-up under full thrust.

  10. Re:Look at all the Boeing Apologists by angel'o'sphere · · Score: 4, Insightful

    The MAX 8 will be one of the safest planes in the sky after this design review is done and the software gets updated.
    A plane where the engines have too much power and push the nose so far up that the plane can stall: does not sound safe to me.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  11. Re:Why wasn't it done in the first place!? by sjames · · Score: 4, Interesting

    Actually, it's more confusing, and that's the problem.

    If the pilot manually re-trims, MCAS is overridden for 5 seconds, then it adjusts the trim again. It's not hard to see how the pilot might mis-identify the ongoing problem as a recurrent momentary problem.

  12. Re:Why wasn't it done in the first place!? by Chrontius · · Score: 4, Informative

    Per recent reports, the cockpit voice recorder shows that they were in the middle of it.

    And according to Boeing's simulations, they only had forty seconds between stick shaker activation and a rapid unplanned deceleration, so...

  13. Re:Why wasn't it done in the first place!? by sjames · · Score: 2

    The difference is that with the patch, it fails to a less unsafe condition compared to before the patch, with a warning light now to let the pilot know he'll need to be more vigilant. Before the patch, a single failure would cause the plane to repeatedly try to crash.

  14. Re:Primtive, but good ideas by hcs_$reboot · · Score: 2

    Passengers will keep debugging.

    This is the global trend. But unfortunately that pattern does not apply well for aviation (or medical)

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  15. Real fix is already in by Wizardess · · Score: 2

    Can anybody imagine a 737 MAX pilot being anything less than viscerally aware of the problem and what must be done to fix it? Anything else being done is gilding the lily. Of course, turning off MCAS with an AoA sensor mismatch simply makes the job easier for the pilots. Now, why do they disagree? Are they really AoA indicators or something else entirely? Why aren't there three if you're going to use them in a flight safety critical manner?

    {^_^}

  16. A software fix could have used both sensors? by PhotoGuy · · Score: 5, Insightful

    The depressing (or incriminating?) part here is that the fix didn't require any hardware modifications, as I would have expected. I assumed that there was some cost/weight issue to having the MCAS have access to the left and right sensors. But nope, it could have compared both.
    If it can be fixed with a software fix, then it could have been done right from the start without any extra hardware costs of production.
    Very damning.
    I get so tired of the reports calling clear software/algorithm bugs "computer glitches."
    It's akin to blaming every pilot error situation on the plane.
    Just as with hardware design flaws, software design flaws should have repercussions for the manufacturer, and not written off as "oh, one of those computer glitches!" If your computers are glitchy, don't put them on my plane, thanks.

    --
    Love many, trust a few, do harm to none.