Boeing Unveils 737 Max Software Fixes (cnbc.com)

← Back to Stories (view on slashdot.org)

Boeing Unveils 737 Max Software Fixes (cnbc.com)

Posted by BeauHD on Wednesday March 27, 2019 @11:30AM from the software-overhaul dept.

hcs_$reboot shares a report from CNBC: Boeing previewed its software fix, cockpit alerts and additional pilot training for its 737 Max planes on Wednesday, saying the changes improve the safety of the aircraft which has been involved in two deadly crashes since October. By the end of this week, Boeing plans to send the software updates and plan for enhanced pilot training to the FAA for certification approval. After the FAA approves the fix, Boeing said it will send the software update to customers. Among the notable changes to the MAX flight controls:

The plane's Maneuvering Characteristics Augmentation System, or MCAS, automated flight control system, will now receive data from both "angle of attack" sensors, instead of just one.
If those disagree by more than 5.5 degrees, the MCAS system will be disabled and will not push the nose of the plane lower.
Boeing will be adding an indicator to the flight control display so pilots are aware of when the angle of attack sensors disagree.
There will also be enhanced training required for all 737 pilots so they are more fully aware of how the MCAS system works and how to disable it if they encounter an issue.

23 of 249 comments (clear)

Min score:

Reason:

Sort:

patch by Anonymous Coward · 2019-03-27 11:38 · Score: 4, Funny

if (crashing() && uncrashFeatureEnabled()) { uncrash(); }
Changes to the MAX flight controls ... by fahrbot-bot · 2019-03-27 11:39 · Score: 4, Funny

Before engaging MCAS the control software will display an animated dialog:
Clippy: It looks like you're plane may stall. Would you like help?

--
It must have been something you assimilated. . . .
Sensors are physical objects by Firethorn · 2019-03-27 11:43 · Score: 5, Informative

Because the sensors are physical devices, and are this subject to all physical device problems. They can break, corrode, be bent by a physical impact, etc...
They're regularly inspected, which is about the best you can do.

--
I don't read AC A human right
1. Re:Sensors are physical objects by zlives · 2019-03-27 11:48 · Score: 4, Interesting
  
  which again goes to question the logic behind an automated system based on sensors that could be faulty forcing correction while on manual flight control... but i am sure i don't understand as I am not an industry insider.
2. Re:Sensors are physical objects by PPH · 2019-03-27 11:55 · Score: 5, Interesting
  
  It might not be the physical sensor. Data from both the LION and Ethiopian flights shows an offset between the two AoA sensors of 22 degrees. Neither appear to be stuck, as they both track airplane movements. But with this offset. Same physical fault causing the exact same offset? Doubtful.
  One theory is that the 22 degree figure is pretty close to the value of one bit in the ARINC 429 word for AoA (22.5 degrees). So, software might be flipping a bit. This might be a tough bug to run down.
  
  --
  Have gnu, will travel.
3. Re:Sensors are physical objects by Firethorn · 2019-03-27 12:05 · Score: 5, Interesting
  
  I was keeping my response simple, but for "flight critical" sensors the general idea is to have at least 3 and use a voting system. For sensors that are 99.X% reliable, the odds that two will be out such that they are throwing the same erroneous value(or at least within error margins) is quite low. Though there are differences between 'simple' sensors that report back a simple voltage or resistance where determining a fault can be difficult, and complex ones like radar, GPS, that are more likely to tell the system they have a problem. The vanes here are simple sensors.
  Though with the MCAS it was supposed to assist, not be critical, thus 1 vane being enough. Pilots were supposed to be able to override with just more stick application. That assessment is being challenged, and the 2 vane + alarm thing is Boeing hoping to avoid having to avoid installing another sensor for proper 3 sensor + voting reliability, as the extra sensor will be expensive.
  3 good sensors: all good
  2 good sensors: all good(less redundancy)
  2 good sensors, 1 whack - get fixed after landing
  1 good, 1 whack - system unreliable, turn off. Consider landing early.
  1 good - 2 whack(different values) - system unreliable, turn off, consider landing early
  1 good - 2 whack(same values) - hope you notice before crash/fire. Turn off system. Seriously consider landing early. Last good sensor may or may not be usable(does it have an output you can use?). Consider firing maintainers as it is likely at least one was whack when you took off.
  0 good - 2 whack(same values) - same as previous, really. Without minor hope of good sensor being useable.
  3 whack - same as previous. Consider firing maintenance department out of a cannon.
  
  --
  I don't read AC A human right
4. Re:Sensors are physical objects by dgatwood · 2019-03-27 12:45 · Score: 5, Interesting
  
  It might not be the physical sensor. Data from both the LION and Ethiopian flights shows an offset between the two AoA sensors of 22 degrees. Neither appear to be stuck, as they both track airplane movements. But with this offset. Same physical fault causing the exact same offset? Doubtful.
  One theory is that the 22 degree figure is pretty close to the value of one bit in the ARINC 429 word for AoA (22.5 degrees). So, software might be flipping a bit. This might be a tough bug to run down.
  It seems unlikely that software would suddenly start flipping a bit repeatedly. That usually implies faulty hardware. The real question is how two pieces of hardware could experience the exact same fault on exactly the same bit.
  My money is on thermal expansion of a BGA fastened with lead-free solder.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
5. Re:Sensors are physical objects by viperidaenz · 2019-03-27 12:59 · Score: 5, Informative
  
  No, it's intended to stop a stall from happening by automatically adjusting the stabilizer trim as the elevators don't have enough pitch authority to counteract the pitch-up caused by the more powerful engines.
  The system is intended to allow the plane to be certified without redesigning the elevators.
6. Re:Sensors are physical objects by PPH · 2019-03-27 13:03 · Score: 5, Interesting
  
  The LION plane had an AoA system problem on a previous flight. The sensor was replaced. It appears that didn't fix it.
  
  --
  Have gnu, will travel.
7. Re: Sensors are physical objects by viperidaenz · 2019-03-27 13:03 · Score: 4, Informative
  
  thrust is what causes the stall this system is designed to mitigate.
  The most thrust you apply to an aircraft the low mounted engines, the more the aircraft pitches up, making a stall more likely.
  If the aircraft has tiny elevators, like the 737, there is a point where the thrust is pitching the aircraft up more than they can correct, given the current angle of attack.
  In that situation, there are only two things you can do to stop a stall
  1) lower the thrust that is pitching the aircraft up
  2) use the stabilizer trim to change the angle of the rear stabilizer - which is what MCAS does automatically.
8. Re:Sensors are physical objects by dgatwood · 2019-03-27 13:18 · Score: 4, Informative
  
  What really rules the h/w angle out is the similar fault on (at least) two unrelated flights.
  It only rules out hardware if you assume that the failure is a random fluke. If it is the result of a mechanical design flaw or an under-specified simple component like a resistor, capacitor, or transistor, hardware failing in the same way isn't particularly rare. For example:
  GPU thermal failures often result in a small number of different sets of identical symptoms; the same solder balls break more frequently because of their location and the way that the chip expands.
  At one point, I was involved in a group buy of some preamplifier hardware from a manufacturer in China. There was something like a 40% failure rate, and it was caused by a single transistor being substituted with a lower-quality part that became unstable in the presence of too little capacitance. And they all failed with the exact same symptom, en masse.
  And a particular age range of certain models of TV failed en masse because of capacitor plague. In every case, the symptom was that they wouldn't turn on.
  Or consider the T-Con board that drives various LCD panels in TVs. They fail with alarming regularity, to such a degree that there's actually a third-party company manufacturing new replacement boards for old TVs. There are only a few different failure modes, usually involving one color channel stuck off or on, and statistically if you buy a used board, nearly 100% of the time you'll get a bad one, because it's the #1 cause of replacing TVs that contain certain models of T-Con board.
  And I can also recall a hard drive connector built by a major manufacturer that was attached by a screw on only one end, and repeatedly would work its way lose, requiring a complete redesign of the hardware in the next generation.
  You get the idea.
  
  --
  Check out my sci-fi/humor trilogy at PatriotsBooks.
9. Re:Sensors are physical objects by Darinbob · 2019-03-27 13:56 · Score: 5, Insightful
  
  Just your industry standard screwup. A better design is expensive, more testing is expensive, any delay is expensive. To the product managers will push and push and push for you to ship the product. The plan was not designed from scratch, it's an incremental modification of the 737 line and this feature was essentially a patch that was less expensive than a redesign.
10. Re:Sensors are physical objects by weilawei · 2019-03-27 16:07 · Score: 4, Funny
  
  You started out with such a level atittude in the first paragraph, then you really stalled. Are you sure your MCAS was enabled?
11. Re: Sensors are physical objects by ath1901 · 2019-03-27 20:08 · Score: 4, Insightful
  
  So by disabling the MCAS you can't go full throttle without manually adjusting trim. That's not exactly ideal.
  I've heard elsewhere that the purpose of the MCAS was also to make the Max fly like previous 737 and thus reduce retraining. With MCAS disabled, the pilot is flying a plane he is not trained for.
  I'm not sure if I'm comfortable with this solution. Instead of a crash you get a high risk situation which sure is better but far from good.
12. Re:Sensors are physical objects by ti1ion · 2019-03-28 00:33 · Score: 4, Informative
  
  No, you are wrong. It is not specifically intended to stop a stall. Read up on the issue. It is intended to let all qualified 737 pilots fly the Max WITHOUT EXTRA TRAINING. This plane has different stall characteristics, meaning it does different things when it stalls. Normally, you would train a pilot to notice what it is doing and adjust accordingly. But, that requires training that Boeing told airlines they would not have to do. So, Boeing designed MCAS specifically to make the Max behave like a regular 737 when approaching a stall, ie. kick the nose down. By doing that, the pilot is supposed to be able to see a familiar characteristic and say *ding* *ding* *ding*, my plane is stalling. NO EXTRA TRAINING. MCAS is not a stall prevention system, but a Maneuvering Characteristics Augmentation System. To learn more, at least read the first three paragraphs of this article:
  https://theaircurrent.com/avia...
  And all the white nationalists talking about foreigners in this thread is sickening. Sad to see Slashdot being overrun by these maggots.
Re:How will they certify it? by 0100010001010011 · 2019-03-27 12:08 · Score: 4, Insightful

As someone that has worked in both functional safety and off-highway vehicles.
How the fuck did this ever make it into production. Why is a 'second sensor' an upsell?
When given the option to completely update the cockpit to the latest and greatest with digital displays.
They chose to replicate the old mechanical dials so the pilots couldn't be retrained.
The entire thing from start to finish was rushed. Mechanical design comes first. There is no 'try and develop software in parallel'. A clean software design depends on a good mechanical design.
The plane should have been a white board redesign, it should have been balanced such that a pilot could fly it stable with no avionics. This isn't a jet fighter.
But it was rushed because Europe invested in R&D and beat them to economy routes. How much money did Boeing C-suites make before 2011? During the 2009 crash there was a hiring spree by some companies because the market was flooded with cheap, good engineers that just got laid off. Companies invested in talent. Did Boeing?
People died because... Boeing sat on R&D from post WWII while making a ton of money so when Airbus released a good plane they scrambled to retrofit an old design by putting huge engines on an airframe causing it to pitch up but to appease its clients it added software to mimic the old plane behavior and tested it themselves and told the FAA they promise they did it right.
More or less.
Re:Why wasn't it done in the first place!? by bobbied · 2019-03-27 12:21 · Score: 4, Informative

MCAS wasn't *supposed* to be life critical. Quite the opposite, the Pilots where supposed to be able to override it by grabbing the controls. The problem was that it *became* life critical over time and nobody properly noted the design change's impact and then they failed to see (or just flat ignored) this fact.

--
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Re:Why wasn't it done in the first place!? by Ungrounded+Lightning · 2019-03-27 13:13 · Score: 4, Interesting

Why wasn't this done in the first place!? It is an industry standard to use redundancy for life critical applications. They have redundancy already, why didn't they use it?
Also: Applying the patch creates TWO single points of failure for the system. If EITHER of the angle of attack sensors fails, goes off-calibration by more than 5 1/2 degrees, or angle of attack at the two sensors differs by more than that small amount, the MCAS will shut down.
The MCAS is there to bring the nose down if the aircraft is about to stall, which it is prone to do because of the relocation of the engines (relative to the previous model) forward and up, along with the reshaping of their nacelles. With the MCAS shut down the aircraft is back to having a risk of a sudden stall, which can ALSO cause it to have an "uncontrolled flight into ground" if it's too low for the pilots to recover (which is pretty darned high).
As with aircraft carrier naval groups, continents also ALWAYS have the right-of-way over airliners.

--
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Re:Encouraging news. Still nervous. by viperidaenz · 2019-03-27 13:33 · Score: 5, Informative

The amount of pitch up with the newer more powerful engines got to a point where when the plane is already at a high angle of attack, the elevator don't have enough authority to counter act it. The entire rear stabilizer needs to be moved using the stabilizer trim.
Other planes have larger elevators or less pitch-up under full thrust.
Re:Look at all the Boeing Apopogists by angel'o'sphere · 2019-03-27 14:58 · Score: 4, Insightful

The MAX 8 will be one of the safest planes in the sky after this design review is done and the software gets updated.
A plane where the engines have to much power and push the nose so far up that the plane can stall: does not sound safe to me.

--
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
Re:Why wasn't it done in the first place!? by sjames · 2019-03-27 15:01 · Score: 4, Interesting

Actually, it's more confusing, and that's the problem.
If the pilot manually re-trims, MCAS is overridden for 5 seconds, then it adjusts the trim again. It's not hard to see how the pilot might mis-identify the ongoing problem as a recurrent momentary problem.
Re:Why wasn't it done in the first place!? by Chrontius · 2019-03-27 15:06 · Score: 4, Informative

Per recent reports, the cockpit voice recorder shows that they were in the middle of it.

And according to Boeing's simulations, they only had forty seconds between stick shaker activation and a rapid unplanned deceleration, so...
A software fix could have used both sensors? by PhotoGuy · 2019-03-27 23:16 · Score: 5, Insightful

The depressing (or incriminating?) part here is that the fix didn't require any hardware modifications, as I would have expected. I assumed that there was some cost/weight issue to having the MCAS have access to the left and right sensors. But nope, it could have compared both.
If it can be fixed with a software fix, then it could have been done right from the start without any extra hardware costs of production.
Very damning.
I get so tired of the reports calling clear software/algorithm bugs "computer glitches."
It's akin to blaming every pilot error situation on the plane.
Just as with hardware design flaws, software design flaws should have repercussions for the manufacturer, and not written off as "oh, one of those computer glitches!" If your computers are glitchy, don't put them on my plane, thanks.

--
Love many, trust a few, do harm to none.