Wonder if Boeing is going to start doing a patch Tuesday for their kit?
UK joins growing list of territories to ban Boeing 737 Max flights as firm says patch incoming
Britain's Civil Aviation Authority (CAA) has banned all Boeing 737 Max flights in UK airspace after a second fatal crash of the type near Addis Ababa in Ethiopia last Sunday killed all 157 people on board. Meanwhile, Boeing has promised to issue a software update for an under-fire part of the 737 Max flight control suite. …
COMMENTS
-
-
Wednesday 13th March 2019 13:16 GMT Ian Michael Gumby
@Blockchain commentard...
While I appreciate your joke, I have to ask a serious question...
Will some one do an audit of the individuals who worked on this kit?
Seriously I'd love to see their backgrounds and if they are truly software engineers. (Have an engineering degree from an accredited US Engineering school. (US because BA is a US company) )
No joke. I mean going back almost 30 years ago, I was assigned to a project to develop a specialized RTOS and an application to monitor water purification. While it was one of my favorite projects, the only reason I was selected was that I was the only Software Engineer available at the time to do the work. (Talk about luck of the draw).
I have to wonder how much time, thought and energy went in to the design and testing of this code / sensor.
If I were Boeing... I'd do it because its going to be the first thing the FAA and the queue of lawyers are going to want to see.
And this is a bit scary and hits home because I'm on a jet twice a week to and from client(s).
-
Thursday 14th March 2019 18:12 GMT Cederic
Re: @Blockchain commentard...
I think it would be unfair to blame software engineering for this one. It's a multi-disciplinary failure and you wouldn't for instance expect software engineers to have aircraft user interface design expertise.
I'm reluctant to blame anybody for this type of thing. It's a fatal fuck up but shit happens. Lets understand, learn and work to minimise a repeat.
Crucifying the poor cunt that implemented precisely what was asked is not going to achieve that.
-
Friday 15th March 2019 23:01 GMT Ian Michael Gumby
@Cederic Re: @Blockchain commentard...
I'm not out for crucifying anyone.
But the fact is ... lives were lost.
Who did what and when is important.
Who was involved in terms of aeronautical engineering and software engineering.
The center of gravity change is significant ... what do the engineers have to say and what was documented.
Then you have the sensors and also the software controls.
Its not a question of blame, but to find out what went wrong and fix the process so that it doesn't happen again.
To be clear, this audit will occur because the FAA, lawyers and the company will demand it.
-
-
-
-
-
Tuesday 12th March 2019 22:17 GMT Yet Another Anonymous coward
Re: An already safe...
It depends.
If each new 737 variant is a completely different new aircraft when it comes to crash statistics then the later variants have had very few accidents - the -800 a couple and the -900 none (IIRC)
Considering the number of 737s flying and that they mostly do short commuter hops with lots of take offs and landings they are amazingly safe.
If you include all the early models with their somewhat distressing tendancy for control surfaces to fall off then ....
-
-
Tuesday 12th March 2019 23:39 GMT martinusher
Re: An already safe...
That's the wonder of Modern Marketing. By referring to this plane as a "737" people just assumed it was another sort of 737 instead of an entirely new plane. Boeing just piggybacks on the reputation of the long established workhorse instead of having to build from the ground up.
Why would I think of it as an entirely new aircraft? Its true that its roughly the size and capacity of the 737 that it replaces but its got a completely different main wing and flight control systems. The original 737 came from an era where planes were flown by people -- there were literally physical connections between the cockpit controls and the flight surfaces. These sorts of planes have to be inherently stable. The design isn't as efficient as we can make these days, though, so the temptation is to use a very high efficiency airfoil and make up the consequent loss of stability with avionics. This is a whole new game, though. (Disclaimer -- I'm not an aeronautical engineer although I do know quite a bit about sailplanes and their high efficiency airfoils; like most of us on this site I also know quite a bit about the pitfalls of software systems design, execution and testing.)
Boeing rushed the 787 into service without fully wringing out the bugs. This resulted in a six month grounding while problem of battery fires was brought under control (fortunately that didn't result in fatalities.) They need to figure one this out, and not just a quick "Hail Mary" patch. It probably won't do much harm to the company long term.
-
Wednesday 13th March 2019 07:58 GMT bazza
Re: An already safe...
The marketing was helped by the pilot's manuals making no mention of MCAS whatsoever. You can imagine the surprise in the piloting community after its existence came to light after the Lion Air tragedy.
This one is different to the 787 - several hundred people are tragically dead. Also worse than 787, Boeing and the FAA have lost the confidence of the rest of the world's aviation regulators. The high degree of trust that's been carefully built up over generations of engineers and regulators has been destroyed in just a few months.
That means no return to flight in, say, the UK until both Boeing and the FAA have convinced the CAA that the problem has been fixed properly. And the same in France, Germany, etc etc.
That's going to take a very long time to do. It's going to be very expensive. It can easily result in different designs upgrades being required in different countries, meaning there's no common design that's permitted to fly everywhere.
It's a total f*****g disaster for Boeing's commercial prospects. It's not like Boeing are flush with cash, they've been cheerfully paying out a share-price-boosting dividend without any real evidence to suggest that their revenue can support it and cover off disasters like this, especially when their accounting practice seems to involve something termed deferred costs...
It might be cheaper to replace the MAX with A320neos, for both Boeing and the airlines.
-
-
-
-
Wednesday 13th March 2019 18:28 GMT Stoneshop
Re: An already safe...
Technically, the DeHavelland Comet is more reliable at this point. 2 were lost after a year in service.
Just looking at the number of crashed aircraft done in by a particular failure, yes (there had been two other write-offs before that, but those were respectively an actual pilot error on takeoff, and structural failure of the main wing spar in a severe thunderstorm). But crashes are usually counted against either flown distance, number of takeoffs and landings, or passenger-miles, depending on what metric you're interested in. Comet just reached 112 aircraft total with a fair number of them built after the 1954 losses; there are over 350 MAX8's in operation already (well, maybe not at this moment, IYKWIM). So the statistics are slightly different.
The contenders for 'worst aircraft accident stats' are probably the Caproni CA60 (one built, only a single short flight, pilot unhurt, plane totalled) and the Caproni CA48 (again only one built, wing failure at 1000m altitude, 14 fatalities)
-
Wednesday 13th March 2019 14:06 GMT Ian Michael Gumby
@DC Fusor Re: An already safe...
I think the issue is that while its not a completely new aircraft, there are significant changes.
AFAIK the airframe is basically the 737 however they have larger engines which are more fuel efficient and there's a change in the center of gravity.
If the issue is as they suspect, the sensors are set up to keep the plane from having the nose rise to quickly and end up in a stall situation.
The current 'fix' is to turn this off during takeoffs where you're climbing quickly.
If the pilot doesn't, then he's going to be fighting the nose up / auto down and at low levels ... boom into ground. (At least that's what is being said on the news)
With respect to the other crash... there was a question about a bad sensor that was replaced prior to the accident. This begs the question if that it wasn't a bad sensor but the software that controls the input in to the auto pilot that was bad.
-
-
Tuesday 12th March 2019 17:10 GMT Steve Todd
The reason that the Max series need MCAS
Is because they've changed the position and size of the engine nacelles and pylons in order to fit larger engines. This tended to cause the aircraft to nose up in some circumstances, which could cause a stall. MCAS is there to trim nose down if it detects that, but in a fit of genius Boeing saw fit to have only two AoA sensors, not three. If one is faulty how can the software detect which one?
-
Tuesday 12th March 2019 17:53 GMT Steve Todd
I forgot to add
The reason that Boeing could get away with this is, because the 737 Max series are supposedly an upgrade to an existing type, they don't have to go through the full type certification process. It's unlikely that they'd get a Max through the full process in its current form.
-
Tuesday 12th March 2019 18:26 GMT Charlie Clark
Re: I forgot to add
Yes, it will be interesting to see what happens if the software is identified as being at least partly at fault. Difficult to see that not leading to a landmark judgement about the liability of software. Of course, as long as it was just people from south east Asia, er, test driving the software, there was always the hope that no one would lawyer up. Could be different for the Ethiopian flight which, unfortunately, had UN people on board, and where the flight recorder could end up in Paris.
Note, I am not making light of the tragedies nor even really pointing the finger at Boeing, which has still has an enviable safety record. In fact, one of the consequences of the near duopoly of Boeing-AirBus has been fantastically safe planes. But the idea of Boeing rushing to offer a software patch should have everyone worried. In fact, the FAA should seriously consider forcing a complete recertification or otherwise leave itself open to court cases for certifying the planes as safe to fly. Pretty certain some countries will require new certification in any case.
-
Wednesday 13th March 2019 09:20 GMT Waseem Alkurdi
Re: I forgot to add
Difficult to see that not leading to a landmark judgement about the liability of software.
We humans are, frankly, assholes, because we only learn when people die. Cars, aircraft, and now software. Why not get it right the first time?
Could be different for the Ethiopian flight which, unfortunately, had UN people on board, and where the flight recorder could end up in Paris.
Is it not unfortunate that the Ethiopians were onboard as well? I'm not following here.
-
Wednesday 13th March 2019 12:26 GMT anothercynic
Re: I forgot to add
@Waseem, I totally get what you're saying (being from Africa, seeing Ethiopian having this happen hurts, especially given they have a stellar reputation compared to many of their continental aviation compatriots).
The UN is special though and having multiple employees killed in a flight (similar to MH 17), can probably invoke additional protocols beyond just a standard accident investigation (usually handled by the country of the airline, the country of the manufacturer and certification authority, and possibly nations of passengers involved in the tragedy). I would not be surprised if they involved the French authorities as well. The global media tends to also sit up when an incident involves Europeans, Americans, or Asians.
-
-
-
Tuesday 12th March 2019 18:30 GMT John Sager
Re: The reason that the Max series need MCAS
And how come, based on potentially faulty AoA data, could the system wind the trim beyond the point that the pilot loses elevator control? That just seems mad. Also, if the attitude is pitch negative (i.e. going down), it still assumes it's going to stall. Some serious head-scratching needs to go on in Seattle.
-
-
Tuesday 12th March 2019 21:42 GMT Updraft102
Re: The reason that the Max series need MCAS
That used to be the one thing that Boeing had over Airbus. Boeing supposedly was of the opinion that they would help the pilot, but ultimately that pilot was the absolute authority at all times. Airbus' attitude was that since pilot error is the largest contributor to air crashes, they would willingly disobey the pilot anytime the on-board computer thought it was a bad idea.
Now we have Boeing demonstrating specifically why the attitude that their competition supposedly has regarding overriding the pilot is a bad idea.
-
Tuesday 12th March 2019 22:51 GMT PhilipN
Re: The reason that the Max series need MCAS
Some years ago a mate of mine, regular visitor to South Africa, said that after a perfect landing in a 747 in Jo'burg the second officer announced gleefully and with much respect and admiration for his boss that it was the final landing by the captain, due to retire after a long commercial flying career, and done entirely manually i.e. without the electronic whiz-bangs.
Question from a non-pilot : Don't they train pilots to fly in an emergency without the technology these days?
-
Tuesday 12th March 2019 23:39 GMT Anonymous Coward
Re: The reason that the Max series need MCAS
"Don't they train pilots to fly in an emergency without the technology these days?"
Which "they" do you mean?
Airbus are pretty much completely reliant on technology, and it is openly acknowledged in their design philosophies etc. The pilot cannot bypass the technology, that capability no longer exists, and that has to be explicitly part of the design->deployment process.
Boeing in public have been criticising Airbus's reliance on technology, saying that the pilot should always be able to take full control if the need arises.
Boeing HQ and the US regulators apprear to have lost the plot, at least temporarily, and some of the FAA's equivalents elsewhere (e.g. EASA) appear to have followed suit (see NYT article link below).
Unfortunately, many people have already lost their lives as a result - whether or not the Air Ethiopia crash had te same root cause as last year's LionAir incident remains to be seen, but in the meantime, readers might find some interesting reading at
https://en.wikipedia.org/wiki/Lion_Air_Flight_610
Also worth a look is:
https://www.nytimes.com/2019/02/03/world/asia/lion-air-plane-crash-pilots.html (3 February 2019)
e.g. for sections like this:
"the new engines for the Max were larger than those on the older version, they needed to be mounted higher and farther forward on the wings to provide adequate ground clearance.
Early analysis revealed that the bigger engines, mounted differently than on the previous version of the 737, would have a destabilizing effect on the airplane, especially at lower speeds during high-banked, tight-turn maneuvers.
[...]
[EASA] was inclined to rule that M.C.A.S. needed to be included in the flight operations manual for the Max, which in turn would have required that pilots be made aware of the new system through a classroom or computer course [...] But ultimately [...] the agency did not consider the issue important enough to hold its ground, and eventually it went along with Boeing and the F.A.A.
When Brazilian regulators published their required training for pilots, they singled out M.C.A.S. as one of the changes that needed to be flagged.
[continues]"
-
Wednesday 13th March 2019 08:00 GMT Mine's a Large One
Re: The reason that the Max series need MCAS
"The pilot cannot bypass the technology, that capability no longer exists, and that has to be explicitly part of the design"
That's not strictly true for Airbus. Simply put, the systems operate in various "Laws" or modes whereby the systems will attempt to protect the aircraft from being flown outside its envelope. They range from Normal Law attempting to protect the aircraft in pitch, roll, speed, load factor and angle-of-attack, through Alternate Law 1 or 2, down to Direct Law which allows the pilot to completely hand-fly the aeroplane in the event of systems failures.
-
Wednesday 13th March 2019 08:19 GMT Anonymous Coward
Re: The reason that the Max series need MCAS
> Which "they" do you mean?
It differs by airline. A friend is a pilot for Air Canada and he says he always does manual take-offs and landings because he feels it is his job to fully understand the aircraft and how to handle it in all conditions. The airline support this view.
Other airlines recommend full automation all the time. This can have problems e.g. Asiana Flight 214 which came in too low at Los Angeles and struck the perimeter wall. The investigation criticised several things including "Over-reliance on automation and lack of systems understanding by the pilots were cited as major factors contributing to the accident."
-
Wednesday 13th March 2019 11:43 GMT AIBailey
Re: The reason that the Max series need MCAS
"Other airlines recommend full automation all the time."
According to a pilot, that's simply not true.
And if you’re wondering: a full 100 percent of takeoffs are manual. There is no such thing as an automatic takeoff anywhere in commercial aviation.
Ask the pilot <- Very interesting site.
-
Wednesday 13th March 2019 12:59 GMT anothercynic
Re: The reason that the Max series need MCAS
Other airlines recommend full automation all the time. This can have problems e.g. Asiana Flight 214 which came in too low at Los Angeles and struck the perimeter wall.
San Francisco. It struck a sea wall which is rather more solid than a mere perimeter wall. That was also the first fatal hull loss of... a BOEING 777. Not an Airbus. A Boeing. And it was not particularly the automation at fault (given this was a visual approach), but also Boeing's unnecessarily convoluted documentation for its flight automation system... THAT is what was criticised. It led to the lack of systems understanding by the pilots (which was a contributing factor).
Anyone pointing fingers at Airbus over automation and gleefully saying that Boeing doesn't have that problem should look at exactly this incident and Lion Air JT610. :-(
-
-
Wednesday 13th March 2019 12:36 GMT anothercynic
Re: The reason that the Max series need MCAS
Airbus are pretty much completely reliant on technology, and it is openly acknowledged in their design philosophies etc. The pilot cannot bypass the technology, that capability no longer exists, and that has to be explicitly part of the design->deployment process.
That is categorically not true. Airbus uses standard flight law, alternate flight law and then only in extreme situations will allow the pilot to make *all* decisions.
QF32's return to Singapore after the engine explosion was literally the latter... One thing that came out of the QF32 debriefs was that the flight computer was not helping with the number of error messages it was showing, and that was apparently changed.
The difference between the 737 MAX certification and Airbus' approach is that Boeing convinced the FAA that the fact they needed MCAS to help deal with the change in the CoG and aircraft stability was not something pilots needed to know. Brazil disagreed and insisted that any airlines using the MAX in Brazil would have to specifically train their pilots to be aware of MCAS and how to control/disable it if it failed/misbehaved. EASA was leaning towards Brazil's view but that also changed (no doubt helped by plenty of chivvying from Boeing).
Airbus is at least very clear about what it does, how it does it, and why it does it. Boeing changed how they did things and showed a lot of arrogance by saying "oh the pilots don't need to know and it won't make much difference in the grand scheme of things". Tell the relatives of JT610 that.
-
-
Wednesday 13th March 2019 16:59 GMT My Alter Ego
Re: The reason that the Max series need MCAS
Except that it didn't happen that way. The flight scene of the movie was incredibly accurate, but then diverted massively from reality. The NTSB acknowledged that the simulations didn't take human reactions into account, they didn't need Sully to tell them that. In fact Robert Sumwalt (the chair of the panel, and a former A320 pilot) was very complimentary about the CRM (Cockpit Resource Management) and the fact that trying to concentrate with pretty much every alarm going off in the cockpit is incredibly difficult, even in a simulator.
Captain Sullenberger actually asked for the real names of NTSB members to be removed from the movie.
The problem is that it's really difficult to make two hours of NTSB hearings into a movie that the general public want to watch. I actually watched the NTSB hearing videos (they're on YouTube) as I'm an aviation nerd, and while dry were actually pretty interesting.
Now when I hear people say "I didn't know that..." in relation to Sully, I reply with "and I didn't know that the Americans captured the Enigma device until I watched U-571".
-
-
-
Tuesday 12th March 2019 23:46 GMT Eddy Ito
Re: The reason that the Max series need MCAS
Essentially it depends on the plane but for some, perhaps most these days, the short answer is no. Keep in mind I haven't flown for some years due to old eyes and few dollars but some planes are fly-by-wire only meaning there is no mechanical or hydraulic backup. Typically there are "sufficient" redundant computers in the event of a failure, IIRC that's 3 so in the event of one being different it essentially gets out voted and ignored and assuming that two failures on a flight should be exceedingly rare.
-
Wednesday 13th March 2019 03:34 GMT PhilipN
Re: The reason that the Max series need MCAS
Many thanks for the above AC and EI.
So are you saying that for example with the way commercial aeronautics are going :
Sully could not have landed on the Hudson? or
The 747 which crashed in Japan some years ago, after the pilot had lost control of the tail, or the tail itself (I forget which), but managed to manoeuvre for some time on engine power alone (an incredible feat), that also could not happen now?
If so - God almighty!
-
Wednesday 13th March 2019 06:43 GMT Richard 12
Re: The reason that the Max series need MCAS
No, that isn't true.
The computers have "normal" mode for when Everything Is Fine, and "alternate" modes for when the proverbial excrement has impacted the air recirculation device.
In the normal modes, it does all kinds of clever stuff automatically, to the point where it can technically handle flying and landing almost entirely on its own.
As it loses sensors, it fails back to simpler and simpler rules, based on how much information it is sure of.
In the worst of the alternate modes, it simply drives the hydraulics exactly how the pilot asked, because it knows that it has no idea what's going in.
That's supposed to be the basic concept.
Boeing appear to have forgotten this.
-
Wednesday 13th March 2019 08:05 GMT Mine's a Large One
Re: The reason that the Max series need MCAS
Sully landed in the Hudson in an Airbus A320 complete with standard Airbus automation. If I recall, the only criticism Sully had was that they system imposed limits on his flare before touchdown (probably because the system wasn't in landing mode) meaning touchdown was harder than it could have been.
-
Wednesday 13th March 2019 12:45 GMT anothercynic
Re: The reason that the Max series need MCAS
@PhilipN,
Sully flew an Airbus (US1549). Which is, if you were to believe some in this thread, "fully automatic and the pilot can't do *anything*". The fact that Captain Sullenberger was able to put the A320 down on the Hudson well enough to not only keep the hull intact, but have everyone onboard survive the incident (albeit with injuries), should be enough proof that the whole "Airbus is crap because automation" narrative is crap.
Incidentally, the Atlas (Prime Air) 767 freighter that went down in Texas recently did so after turbulence and 'stick input'... it appears it pitched up (in turbulence) and the pilot then pushed the control column forward to bring the nose down. It then stayed down until it impacted. The stick shaker that *should* activate in that instance apparently didn't. So... Boeing with its "the pilot is always in control" policy clearly is not infallible either (and the 767 has a shedload less automation than the 787 or the new MAX has).
Go figure.
-
-
-
-
-
Wednesday 13th March 2019 01:13 GMT tip pc
Re: The reason that the Max series need MCAS
Traction control and ABS are 2 software systems that effectively just work and have saved many many lives by taking control away from the driver.
New drivers now are not taught how to defeat aquaplaning or preventing wheels from locking under braking due to the reliability of those systems.
Next time your on a plane and it’s raining on landing you’ll be happy the auto brake helps you stop safely.
-
Wednesday 13th March 2019 07:34 GMT big_D
Re: The reason that the Max series need MCAS
I nearly had an accident the first time I drove an ABS equipped car.
It was icy and the car in front lost control. I braked, it locked up, so I automatically went into cadence braking mode, which the ABS also tried to do... I just steered around the spinning car in front, but it was nerve wracking.
I still don't fully trust ABS, it lengthens the braking distance for a good driver.
Likewise my current car has a collission warning system with emergency braking system. It leaves things much too late IMHO, I have never tested the system, because I just don't trust it to stop in time. At the most, it looks like it would lessen the impact, as opposed to avoiding the accident altogether.
-
-
Wednesday 13th March 2019 10:28 GMT big_D
Re: The reason that the Max series need MCAS
No, I was on an icy road, which required standard braking techniques for such conditions. Me pumping the brakes and the ABS trying to do the same thing meant the braking distance was longer than either I or the ABS alone would have managed. The problem is, you have to have trust in those systems, for someone brought up without those systems, it is a huge leap of faith to not brake "properly" and trust the car knows what it is doing.
If I had been too close to the car ahead, I wouldn't have been able to brake and steer around it.
-
Wednesday 13th March 2019 11:37 GMT Anonymous Coward
Re: The reason that the Max series need MCAS
If, in order not to hit the car in front of you (or have to steer round & get killed by whatever is coming the other way) you have to pump the brakes or equivalently if you have to brake hard enough to trigger the ABS so it will do that for you then you are too close.
-
Wednesday 13th March 2019 12:13 GMT JeffyPoooh
Re: The reason that the Max series need MCAS
big_D "...was on an icy road..."
My neighbourhood includes a small hill which can be perfectly icy. My car (W211) is 4Matic and I use Nokian studded tires.
Sometimes the slippery ice is covered with fluffy snow, and that can result in the tires 'rafting' (or 'tobogganing') on the compressed snow, so the tire studs fail to reach the ice. Under these conditions, the ABS is the worst pssoble thing because it keeps regenerating endless new rafts of compressed snow under the tires.
Thankfully, the ABS on my car allow me to press the brake pedal harder and lock up the wheels. Yes, it's true.
I presume that this obscure ABS override feature is only available under certain conditions, such as very slow speed.
With the wheels locked up for a couple of seconds, the snow rafts are ground away and the studs can then bite into the ice. It's possible to creep down the hill safely.
This whole process of getting safely down the hill under these conditions is highly obscure. Without the ABS override it would be much worse.
(Going up the hill is easy as momentum is your friend.)
-
-
-
Wednesday 13th March 2019 11:14 GMT Salestard
Re: The reason that the Max series need MCAS
I can happily report that the auto-braking on the 2015 Volvo S60s works excellently after I was momentarily distracted by a pedestrian whilst approaching a set of lights. Car in front stopped whilst I was still, erm, distracted, and the Swedish Logic Box neatly brought proceedings to a proverbial and literal halt before anything impact-y happened.
At the opposite end of the scale, the forerunner to the S60 was my 2003 V70R, with an astonishing AWD-Traction-Suspension system - within reason, it was basically impossible to drive outside the thing's envelope. Idiotic cornering speeds aside, the really impressive thing with the safety suite was the adaptive brake assist.
In essence, it learned your usual braking style, and thus recognised when you were panic braking - at which point it would give you the full benefit of AP 4 pots & 330mm discs all round, wind front suspension up, and stop you and it to the very fullest of its ability. Only triggered it twice in five years, but it was impressive just how hard it could stop, and slightly concerning that even for an experienced aggressive driver of performance cars, how far away I was from being able to consciously brake that hard.
-
Wednesday 13th March 2019 12:22 GMT Anonymous Coward
Re: The reason that the Max series need MCAS
Salestard triggered his Brake Assist System.
I triggered and experienced the Mercedes BAS once while driving up an highway off ramp at *** kmh. The seat belt tightened, the brake pedal was sucked below my foot (felt very weird, like a failure), my head was flung forward and down, the only thing I could see was the speedometer unwinding like the Bid Clock at the Dutch Flower Auction. Oh. My. Gawd. Internal organs actually hurt.
When the speedometer reached 80 kmh (a perfectly reasonable cornering speed for the upcoming curve), I released the brake and everything went back to normal.
-
-
Wednesday 13th March 2019 11:26 GMT commonsense
Re: The reason that the Max series need MCAS
Likewise my current car has a collission warning system with emergency braking system. It leaves things much too late IMHO, I have never tested the system, because I just don't trust it to stop in time. At the most, it looks like it would lessen the impact, as opposed to avoiding the accident altogether.
The point is that you aren't expected to trust it to stop - it's there if you forget to stop for some reason.
-
Wednesday 13th March 2019 13:35 GMT werdsmith
Re: The reason that the Max series need MCAS
Likewise my current car has a collission warning system with emergency braking system. It leaves things much too late IMHO,
It's an emergency braking system and I am happy to report that far from leaving it too late, when I found my self in an emergency the brakes were on before I could react and push the brake pedal.
-
Wednesday 13th March 2019 14:03 GMT Zimmer
Re: That's the REAL function of ABS !
....which the ABS also tried to do... I just steered around the spinning car in front, but it was nerve wracking....
The ABS is there to give you control of the car in these circumstances, allowing you to brake AND steer with less chance of you locking the wheels and sliding out of control... so it seems it worked very well for you...
-
-
Wednesday 13th March 2019 10:33 GMT elaar
Re: The reason that the Max series need MCAS
"Traction control and ABS are 2 software systems that effectively just work and have saved many many lives by taking control away from the driver."
I regard them as systems that operate to enable the driver to remain IN control. ABS brakes effectively, but allows the driver to steer (somewhat) whilst braking is being performed.
If traction control is operating, what control has been taken away from the driver? The driver never had control of individual wheel speeds anyway.
-
Wednesday 13th March 2019 13:21 GMT MJI
Re: The reason that the Max series need MCAS
My last car hit a kerb at low speeds because it would not stop, foot to floor on brake, ABS pulsing and doing eff all.
In those conditions ABS at 5mph was a total liability.
Current car reports an ABS failure but it still works.
Intermittant contact as one of these units with steel soldered
-
-
-
Wednesday 13th March 2019 08:16 GMT Mine's a Large One
Re: The reason that the Max series need MCAS
Was AF296 caused by Airbus? The pilots flew their aircraft on a low flypast at high-alpha (ie. nose up) with the engines at flight idle, gear/flaps down, and then selected TO/GA too late for them to spool-up to full power and start to climb away from the trees they were heading towards and therefore hit.
-
Wednesday 13th March 2019 08:25 GMT Anonymous Coward
Re: The reason that the Max series need MCAS
> Was AF296 caused by Airbus? The pilots flew their aircraft on a low flypast at high-alpha (ie. nose up) with the engines at flight idle, gear/flaps down, and then selected TO/GA too late for them to spool-up to full power and start to climb away from the trees they were heading towards and therefore hit.
Nearly - they weren't on flight idle but nearly full power. There wasn't enough left to 'power up' and the low altitude + approaching hill prevented the only other option - to nose down.
-
-
-
Wednesday 13th March 2019 10:39 GMT Anonymous Coward
Re: Air France 447 all over again?
While the Air France crash was due to two pilots putting in conflicting controls, it was again impounded by the computer not communicating it's actions well (and the pilots).
So in this case, could it be, though only pilot to computer in this case, the computer not communicating it's change in trim well? Thus pilots making adjustments/maneuvers, and "strange things" happening, as the automatic system overrides their action.
You then get a feedback effect, either from the computer, or from the human user, each one trying to adjust the others, each ones action becoming more and more extreme, until one fails.
-
Wednesday 13th March 2019 14:37 GMT brainyguy9999
Re: The reason that the Max series need MCAS
Software "takes control" away from pilots in all airliners. All fly-by-wire systems take the control out of the pilot's hands. Unless you are flying prop planes, fly-by-wire is necessary.
I suspect most people get into their automobiles every day and don't realize they really have little control over their vehicle. The vast majority of modern autos are fly-by-wire. The accelerator and brake pedals are only connected to sensor boxes. They are no longer physically connected to carburetors and brake cables. The steering wheel is the same. In most cases, it is connected to a sensor box and the computer drives the electric motor(s) to turn the wheels. There is no longer a steering shaft that physically connects to the front wheels anymore. Pop your hood and see for yourself.
We all happily go our merry way and don't realize that we have a lot of trust in software when we're racing down the highway.
-
Thursday 14th March 2019 14:01 GMT MJI
Re: The reason that the Max series need MCAS
Pedals not connected
Brakes
Wrong, they are connected hydraulically to the pedal, yes there is a servo but it would take a leak to stop them working.
Steering
Wrong, power steering seems to work by a walking beam type system to operate the power bit, no power steering works.
And there is a nice solid bar with universal joints between the steering column and the steering box
Accelerator
Depends, some are, some are Drive By Wire, last car was DBW and had a motor on the throttle body, previous similar one had a cable. DBW advantage was easy cruise control.
Current is DBW by necessity as it is a unit injector Diesel.
-
Sunday 17th March 2019 20:42 GMT Anonymous Coward
Re: The reason that the Max series need MCAS
"Brakes [...] are connected hydraulically to the pedal, yes there is a servo but it would take a leak to stop them working."
It would generally take *two* leaks, one on each of the two independent sets of piping and pistons etc, to disable brakes on modern cars (ie those with dual circuit brakes, which appear to have been standard fitting since late last century. Doesn't even need a computer :)
https://www.howacarworks.com/basics/how-the-braking-system-works
-
-
Thursday 14th March 2019 14:22 GMT Stork
Re: The reason that the Max series need MCAS
I am quite sure you are wrong regarding cars. Both steering and brakes must and do work in case of a power failure.
You got electric parking brakes, but the main brakes are hydraulic like the last many years.
Likewise there is both hydraulic and electric power steering, but even with the engine off you can turn the wheels..
-
-
Wednesday 13th March 2019 05:21 GMT Anonymous Coward
Re: The reason that the Max series need MCAS
A stall can happen in a dive. Interestingly, with such a circumstance expeditious reaction would likely be more urgent than otherwise. So perhaps automatic recovery based on AOA indication is especially sensible for that case.
Detecting the failed indication via cross check of other instrumentation (sensors) is more nuanced and complex than it might appear at first glance.
-
Wednesday 13th March 2019 12:29 GMT JeffyPoooh
Re: The reason that the Max series need MCAS
AC wisely noted, "Detecting the failed indication via cross check of other instrumentation (sensors) is more nuanced and complex than it might appear at first glance."
Yes. That.
'Connecting the dots' to integrate Avionics can take 10 minutes. Dealing with the failure modes can require the other 99.99% of the engineering budget.
I've seen it done very well; it took over a year.
-
-
Wednesday 13th March 2019 14:36 GMT Anonymous Coward
Re: The reason that the Max series need MCAS
Stall can occur with pitch down situations.
Limiting the trim seems like a band-aid. The addition of more AOA sensors is necessary, IMO, to provide enough redundancy for sensor failure mitigation. I also believe that the new configuration of the MAX makes it inherently unstable in certain conditions, which is unacceptable.
-
-
-
Tuesday 12th March 2019 21:16 GMT sanmigueelbeer
Re: The reason that the Max series need MCAS
If one is faulty how can the software detect which one?
Boeing's soon-to-be-released software patch (for the MCAS) is meant to address this issue. Don't know how the system is going to "coin flip" if two AoA sensors are giving false readings. Which one to trust?
Another thing is pilot training: FAA directive instructs operators to provide simulator time to pilots in order to get them "acquainted" to this new feature.
Pilots must also know how to diagnose a potential MCAS issue as well as know how to manually disable MCAS.
In Australia, there are only two known airline companies operating 737 MAX and they are SilkAIr (an SQ subsidiary) and Air Fiji (QF and VH don't have any).
As for now, the investigation is still fresh. No one is yet certain that the cause is due to MCAS.
-
Tuesday 12th March 2019 22:24 GMT Alister
Re: The reason that the Max series need MCAS
@Phil O'Sophical
As currently configured, the MCAS doesn't compare the inputs from both Angle of Attack sensors, it only works off the one which the currently running Flight Control Computer is using.
I would hope that part of the forthcoming update would address that and include a comparison, but it's still not ideal. In most aviation control loops, a vote of three is the minimum used to identify a faulty sensor.
-
-
Wednesday 13th March 2019 10:49 GMT Anonymous Coward
Re: The reason that the Max series need MCAS
I kinda do agree. Flight 447 is really sad. As, even an untrained, no idea person, I could still figure out "oh, nothing is wrong here, hold heading straight" etc. If 477 had followed the manual perfectly, it would have been ok. Panic set in (or just confusion) and the worse happened.
Here, with the 737 it seems slightly different. Even following training, if no one is told the MACS exists, or if the MACS can be faulty (due to 1 or 2 CPU control, not the normal 3), then how can a pilot or crew respond correctly?
-
Wednesday 13th March 2019 15:55 GMT Anonymous Coward
Re: The reason that the Max series need MCAS
Oh, I didn't mean the pilots should not know about MACS: what I meant was that the failure mode of 'I give up, it's your plane now' tends to result in bad things when people become very used to having the system help them. I'm not sure there's a way around that: I expect the answer is that very automated planes do have these nasty failure modes and will occasionally crash because they drop into some manual mode and the pilots fail to cope. That does not mean they're not still safer, of course.
In the case of MACS people seem to be saying there are only two sensors so there's an obvious split-brain possibility: having three would make it a whole lot safer it seems to me.
-
-
-
-
Wednesday 13th March 2019 10:53 GMT AVee
Re: The reason that the Max series need MCAS
> This tended to cause the aircraft to nose up in some circumstances, which could cause a stall.
That's the thing that gets me. There's all this talk about sensors and software, redundancy, pilot training etc. But before all of that it seems to me that the physical characteristics of this plane are significantly worse then it's predecessors (at least in some aspects). Didn't the problem really start there?
I might be reading to much into it, but it seemed to me Boeing try to squeeze a bit to much out of the 737, which backfired pretty badly.
-
Wednesday 13th March 2019 11:47 GMT Anonymous Coward
Re: The reason that the Max series need MCAS
" the physical characteristics of this plane are significantly worse then it's predecessors (at least in some aspects). Didn't the problem really start there?"
Seems a fair description. In the interests of a ~10% improvement in fuel economy on the MAX series, without having 737 operators incur costs, aircrew downtime for retraining etc, the designers and regulators appear to have been a bit economical with the truth. LionAir showed this last year but didn't hit the headlines to the same extent.
One of the things computers (as distinct from springs and wires and pulleys) can do is allow people to build systems with better efficiency but also with less margin for safety when something fails (than on their non-computerised equivalent).
But that change in tactic has to be seen for what it is - a reduced safety margin in some circumstances, with corresponding tradeoffs.
If people make the change on the quiet, and don't understand or don't admit the implications for whatever reason, Bad Things are likely to happen.
-
-
Wednesday 13th March 2019 12:07 GMT devTrail
Re: The reason that the Max series need MCAS
... but in a fit of genius Boeing saw fit to have only two AoA sensors, not three ...
Actually judging from what I read about the Lion Air crash the situation is even worse. One single faulty sensor was enough to cause the accident. Only some comments to some articles mention two sensors and as they are they just seem unconfirmed rumours.
-
Wednesday 13th March 2019 12:21 GMT Nonymous Crowd Nerd
Re: The reason that the Max series need MCAS
Having only two sensors is the real problem. If there's a failure, there's no way for the software to decide which is wrong and therefore work out the real angle of attack. The real answer is to add an extra sensor, like you say - or more likely two extra sensors for symmetry.
This is why it's a potential financial black hole for Boeing. Adding the extra sensors to existing planes, revising the software to support voting in case of a failure, and testing (properly this time) is an absolute shed-load of work. It would be realistically three months to get even the first grounded planes safely airborne.
Any other approach, though, risks the possibility of a third accident which would put Boeing into bankruptcy.
-
-
-
-
Wednesday 13th March 2019 08:03 GMT Anonymous Coward
Re: We do not currently have sufficient information
> @AC, No that's incorrect, you are jumping to conclusions. The CAA have not been given any information from the FDR, as the NTSB haven't released any yet, and the CAA are not a party to the investigation.
That may well be true. In which case why did the CAA spokesperson use the word "sufficient" rather than "any"?
It could just be a slip of the tongue but it doesn't help people who are trying to go by just what official sources are saying.
-
-
-
Tuesday 12th March 2019 17:22 GMT Paul Smith
Panic
There have been 2 incidents. Not twenty or two hundred, but two. As somebody mentioned initial analysis of the FDR did *not* reveal anything obvious, so it is reasonable to assume that it did *not* reveal the trim against the stops or that it did *not* reveal faulty AoA sensor data, so basically, it did not reveal any connection between the two accidents. In other words, shit happened and people died, but jumping to conclusions will not stop more shit happening.
-
Tuesday 12th March 2019 18:30 GMT Steve Todd
Re: Panic
Over 300 people dead? Two accidents over a period of a few months in a new type shortly after it was introduced? Yes it calls for suspension of flying until they can identify the cause. What world do you live in where you can say "we don't know why these aircraft crashed, lets keep risking passengers while we find out"
-
Wednesday 13th March 2019 04:05 GMT JJKing
Re: Panic
Still drive your car even with the hundreds killed around the world every day?
Visitors still go the USA even with the thousands dead from guns each year.
Flying is still 800 times safer than being a passenger in a bus. Should we stop busses driving on the road when one crashes?
300 deaths though tragic will not keep the MAX 10 grounded forever. The reason they crashed will be isolated and fixed and life will go on and aviation will have learnt and important safety lesson.......until the next one arises.
-
Wednesday 13th March 2019 08:41 GMT Dave K
Re: Panic
There's a difference between the understood risk of doing something in everyday life, and using a mode of transport that *may* have a serious safety flaw.
I know drivers can be killed in accidents and I continue to drive. However, if numerous cars the same model that I have started crashing in suspicious circumstances where there looks to be no driver error involved, would I want some assurances that there isn't a critical flaw with my car before I drive it again? Or would I just hop into my potential death-trap car and keep going? I'd stop (in case you're wondering) and would use a different vehicle until mine is confirmed to be safe to drive.
Nobody is saying that the MAX will be grounded forever. However, 2 fatal flights within a few months for a brand new plane is very worrying - especially when it looks as if the flight systems may have intentionally flown the plane into the ground. That's why you ground the planes. When hundreds of lives are at stake, you err on the side of caution until you have proof that the plane is definitely safe.
-
-
Wednesday 13th March 2019 11:04 GMT Anonymous Coward
Re: Panic
If on a new car, just a few hundreds ones on the streets, were reported two incidents where the steer suddenly activated automatically and drove the car into a wall at high speed, killing all occupants, would you feel confident driving it?
Remember these planes fly in a strictly controlled environment where incidents caused by someone not respecting the rules are far, far rarer, and near misses quickly reported and investigated, unlike roads.
-
Wednesday 13th March 2019 13:52 GMT Dave K
Re: Panic
>> Exactly! But two is not numerous!
So, we wait then? Assume it's just bad luck and wait until we have 3, 4, 5+ crashes before taking action? Meanwhile, what happens if someone you know is on a plane that crashes, there have been similar accidents from other planes from the same model but someone felt that "there wasn't enough of a trend" to investigate? How would you feel then?
Each plane crash has the potential to kill hundreds of people. It is essential that potentially serious issues are spotted, investigated and resolved as soon as possible.
This isn't anything against Boeing, when the DC-10 was first introduced and ran into issues with the cargo doors failing, they investigated straight away. Then after a second crash, the DC-10 was grounded until modifications were made. They didn't wait until half a dozen planes had crashed before taking action, and if anything the DC-10 should have been grounded after the first failure (as it was, modifications were recommended but not made mandatory until 346 people were killed on Turkish Airlines flight 981).
TLDR: You don't just shrug and ignore possible issues when hundreds of lives are at stake. You ground the plane, identify the fault and fix it before allowing flights to resume.
-
Wednesday 13th March 2019 19:23 GMT Stoneshop
Re: Panic
Exactly! But two is not numerous!
These are the two only MAX8 accidents. Not just the two that appear to be similar from a larger number of accidents, but the only two accidents so far. And they have rather striking similarities., enough so that it's quite likely attributable to a common cause.
-
-
-
-
Tuesday 12th March 2019 18:31 GMT Charlie Clark
Re: Panic
Nobody is pointing the finger but withdrawing planes is standard procedure (and really the only acceptable procedure) even when there is only a chance of them being at fault. Or would you like to be the one defending the decision if there is another incident, or should the planes should to be at least partly at fault?
See what happened when the batteries in Boeing's 787 started to smoulder, when the engines on the A380 (which can fly pretty well with just one) had troubles. Planes are very,very safe but, unfortunately, when they do have issues, the results are most often catastrophic.
-
Tuesday 12th March 2019 21:35 GMT JimC
Re: Panic
As well as the two superficially similar incidents there was also a very similar near accident where another Lion Air crew just managed to keep the aircraft in the air. **IF** the Air Ethiopia loss does turn out to have the same root cause then that suggests that the instructions given to crews on how to deal with the situation that seems to have caused the Lion air incidents are inadequate. Grounding the aircraft until the cause is established doesn't seem over the top.
-
Tuesday 12th March 2019 22:31 GMT Anonymous Coward
Re: Panic
@Paul Smith
As somebody mentioned initial analysis of the FDR did *not* reveal anything obvious, so it is reasonable to assume that it did *not* reveal the trim against the stops or that it did *not* reveal faulty AoA sensor data
This is completely erroneous information, no data about the content of the FDR has been released yet.
-
Tuesday 12th March 2019 23:50 GMT Rasslin ' in the mud
Re: Panic
"There have been 2 incidents." Wrong!
If you define an incident as MCAS running away, there have been at least three, still a very tiny number. The first one being on the Lion Air aircraft that crashed on a subsequent flight (the first accident) due to a seemingly identical failure. The first time, the flight crew pulled the circuit breaker on the MCAS and continued the flight.
I would love to see the System Safety Hazard Analysis to learn if the potential for these failures was (allowed to be) identified during development.
Regardless, by poo-pooing the idea that there might be a fundamental flaw in the MCAS, Boeing management has harmed the company's reputation and lost a lot of confidence from those of us that fly as passengers.
-
Wednesday 13th March 2019 04:21 GMT Yet Another Anonymous coward
Re: Panic
>Planes are very,very safe
And one of the reasons they are very safe is that when something like this happens airlines and aviation authorities ground them until they are sure if there is a problem and what the fix is.
They don't just turn it off and on again and see if happens again.
-
Wednesday 13th March 2019 09:57 GMT Paul Smith
Re: Panic
And that is the sort of conclusion that kills people. We do not know that this was an MCAS incident, and it is both stupid and dangerous to think that was based on the current evidence because that might make you think that an MCAS patch would fix or prevent it. Nothing has been officially released but given that the FAA has access to the actual Flight Recorder and that they have issued a Continued Airworthiness Notification (PDF) to the International Community (CANIC) related to the Boeing 737-8 and Boeing 737-9 (737 MAX) fleet, it would be safe to say that the flight recorder did not show trim against the limits or faulty AoA data.
-
Wednesday 13th March 2019 10:49 GMT rmason
Re: Panic
How are you not getting this?
"They" aren't making any assumptions, they have grounded the planes while the issue is discovered.
You keep claiming air travel is safe. It is, and things like this are *why* it is safe.
Honestly, what single disadvantage is there to grounding the models in question?
Name a single advantage to allowing them to continue flying while the facts are established?
It doesn't matter, at this stage, what caused it. What matters is stopping those planes from flying in or around our nation(s) until the facts are known and whatever the issue is, is corrected.
-
Wednesday 13th March 2019 11:22 GMT Alister
Re: Panic
@Paul Smith
given that the FAA has access to the actual Flight Recorder and that they have issued a Continued Airworthiness Notification (PDF) to the International Community (CANIC) related to the Boeing 737-8 and Boeing 737-9 (737 MAX) fleet, it would be safe to say that the flight recorder did not show trim against the limits or faulty AoA data.
You are again making assumptions that are not valid. The FAA do not have access to the Flight Data Recorder, it is currently with the NTSB, and the FAA released their CANIC before the Ethiopian FDR had even been recovered.
-
-
-
Wednesday 13th March 2019 10:23 GMT Anonymous Coward
Re: Panic
Grounding the aircraft is not jumping to conclusions: grounding the aircraft is saying 'we don't know what, if anything, is wrong with them but guven the statistics there might be something, so let's do the safe thing and not fly them'. And this will, in fact, 'stop more shit happening'.
-
-
Tuesday 12th March 2019 18:05 GMT Anonymous Coward
Re: Already a patch available?
Given what's known of how the aircraft was performing prior to the crash, they know the crashes weren't the result of a stall. So between the "greater resistance of stall" and "less resistance of stall" choices it is obvious to take the latter.
If it turns out the cause of the crashes was something else, or two unrelated causes that had really terrible coincidence/timing, there's little harm done since MCAS is basically a backup to the pilot's abilities - if they are properly trained they should not put a commercial aircraft in a situation where it may stall in the first place.
-
Tuesday 12th March 2019 21:06 GMT Anonymous Coward
Re: Already a patch available?
Nobody doubts modern airline pilots are well trained. Review the results of the Air France 447 crash, for what well trained pilots do when confused or overloaded. A flight controller that prevents unsafe flying regime is much better than trusting your well trained pilots will always understand and do the right thing.
-
Tuesday 12th March 2019 22:01 GMT Anonymous Coward
Re: Already a patch available?
Agreed, but if you have even the slightest suspicion that the flight controller that prevents unsafe flying might actually have a serious problem, it is better to disable or tone down its "help" in any suspect cases, and rely more heavily on the pilot, until the flight controller can be fixed or absolved.
-
Wednesday 13th March 2019 08:40 GMT Anonymous Coward
Re: Already a patch available?
> Review the results of the Air France 447 crash, for what well trained pilots do when confused or overloaded.
No. I cannot let you get away with this statement. AF447 showed that Air France training was utter shit.
Rule one in an emergency incident: ONE and only one pilot attempts to fly the plane, while the other goes through the checklists to determine what is wrong and what to do about it. The pilots are trained to communicate clearly so each knows what the other is doing. NONE of this happened in the Air France case.
So either their training was shit or they ignored it. Proper simulator evaluations will weed out pilots who ignore their training. So their training was shit.
Personally, I can't believe that AF management managed to avoid manslaughter through negligence charges.
Sorry for the rant - but as you can tell - it makes me angry.
-
Wednesday 13th March 2019 13:01 GMT Anonymous Coward
Re: Already a patch available?
Apparantely, manslaughter charges were filed against Airbus and Air France, but there doesn't seem to be any reference anywhere on the internet about whatever happened to the case. This is unsettling.. why doesn't Google tell me how the case ended? It can't have just vanished into the ether without a dismissal or a conviction?
-
-
Wednesday 13th March 2019 13:22 GMT JeffyPoooh
Re: Already a patch available?
AC, "A flight controller that prevents unsafe flying regime is much better than trusting your well trained pilots will always understand and do the right thing."
If a car has Automatic Braking (to apply the brakes automatically when it detects that a crash would otherwise occur), then that may be a very good thing. Nothing but good.
But if that system started slamming the brakes on randomly, then please turn it off. Not so "nothing but good" now.
-
Wednesday 13th March 2019 19:26 GMT Anonymous Coward
Re: If a car has automated braking
"If a car has Automatic Braking (to apply the brakes automatically when it detects that a crash would otherwise occur), then that may be a very good thing. Nothing but good.
But if that system started slamming the brakes on randomly, then please turn it off. Not so "nothing but good" now."
Well spotted. And here's my own experience. Make your own mind up whether it's anecdote or evidence.
I had a car that "slammed the brakes on randomly" (or, arguably, worse)..
It was a brand new "city car", intended mostly as an around town runabout. It had Automatic Braking including some kind of forward looking 'radar'. It also turned out to come with an interesting failure mode where under certain initially unclear circumstances the radar would apparently see things that weren't really there and the result was that the (automatic, computer controlled) gearbox went into neutral (even if you were moving at 30-40mph at the time).
Turning the car off and on again while stationary restored normal service (for a while). Definitely 'not so good'.
The dealers were clueless, especially as no fault codes were recorded, so it stopped being used for anything except test drives based on my low speed very low traffic 5km commute.
Eventually I became able to provoke the failures and to recover, safely, during that route almost on demand on a specific low risk llow speed low traffic section of the route.
After a few weeks experimenting it turned out that one way of avoiding the failures was to push the button that disabled the forward looking radar 'safety' system. Pretty much 100% repeatable. Fancy that.
It did eventually get fixed, but it took rather longer than it should have done to work out wtf was going on.
Still, I'm sure Boeing, CFM, FAA, etc will sort out the 737-MAX issues in due course. It'd perhaps be better if these things were sorted *before* they were certified for commercial use.
-
-
-
-
Wednesday 13th March 2019 10:10 GMT Stoneshop
Re: Already a patch available?
The fact Boeing already know in which direction to patch is the most worrysome to me. How can they already know how to fix an issue they don´t know yet?
Boeing were already working on a fix after the Lion Air crash (and the not-crash preceding it), but those things need to go through the relevant authority (in this case the FAA) before they can be rolled out.
Trump's Wall Tantrum (a.k.a. the recent US govt shutdown) delayed that for five weeks.
-
-
Tuesday 12th March 2019 17:35 GMT Wellyboot
Re: 737-800 v Max-8
The new engine placement is a fairly big change from a flight physics point of view, The different distances between point of thrust, direction of thrust & CoG has introduced enough of an issue that the aircraft need an automatic trimming system to deal with the problems it can cause.
-
Tuesday 12th March 2019 22:57 GMT Anonymous Coward
Re: 737-800 v Max-8
"The different distances between point of thrust, direction of thrust & CoG has introduced enough of an issue that the aircraft need an automatic trimming system [MCAS] to deal with the problems it can cause"
YES! (though maybe centre of lift comes into the arithmetic somewhere too, I forget).
This is *the* crucial factor in this whole sad MCAS story. The 737 MAX wasn't going to be airworthy without overriding the 737-vanilla pilot's inputs occasionally, because the MAX's weight and geometry (and thus its flight characteristics) were noticeably different than its vanilla predecessors.
The rest of this sad MCAS story follows from that previously-hidden change, and whether or not the MCAS is found to be involved in this latest incident, Boeing and the FAA clearly already have some important questions to answer.
-
Wednesday 13th March 2019 06:54 GMT Richard 12
Re: 737-800 v Max-8
Exactly!
Why did the FAA refuse to ask the question "What happens if it's broken?"
Even back then, and assuming that MCAS was perfect, if the MCAS lost all* its sensors, then the pilots need to be able to fly the aircraft without it.
That means simulator time, not just a couple of pages or a video to show them what an MCAS failure might look like and where the switches are.
If you can't fly the aircraft without it, then any failure of that system is a fatal crash.
* Seems to be just one... Gods!
-
Wednesday 13th March 2019 10:35 GMT Zolko
Re: 737-800 v Max-8
"then the pilots need to be able to fly the aircraft without it."
from what I understood, this is the whole point: Boeing's marketing was that the -Max and non-Max did fly the same way, therefore no extra pilot training was needed which was money-saving for the airlines. Therefore, the pilots were not only not trained to fly the -Max without MCAS, but didn't actually know it even existed !
This is bordering on criminal.
-
Wednesday 13th March 2019 11:14 GMT Anonymous Coward
"Why did the FAA refuse to ask the question "What happens if it's broken?" "
It's the new "light touch regulation" - and remember they would like to privatize part of the FAA as well.
FAA should have told Boeing - "sorry, these changes are enough to require re-certification of the airplane, and training for pilots - regardless of what you're saying to sell it better".
But of course now US authorities are told to be "business-friendly" because otherwise they "disrupt innovation, increase customers costs, etc. etc." - the real cost can be then measured in lives.
And FAA as far as I know as I'm writing, is still not grounding the planes to avoid to admit it made a huge mistake.
-
-
-
-
Tuesday 12th March 2019 19:30 GMT Marty McFly
Avionics experts and the court of public opinion....
I get a chuckle out of all the armchair avionics experts appearing here. Blaming MCAS is nothing but presumption. The bottom line here is *we don't know* what caused this second crash *at this time*. Is it prudent to ground the entire fleet? Seems over-reactionary at this point. The UK fleet grounding (home of Airbus) when the US fleet is flying (home of Boeing) just reeks of industry politics.
-
Tuesday 12th March 2019 21:02 GMT SkippyBing
Re: Avionics experts and the court of public opinion....
The grounding is because they're not sure why a second 737 Max has ploughed in in only six months, for a type that's only been in service since May 17 that's a terrible record. If you don't know why an aircraft has crashed it's often considered a good idea to stop flying them until you know why. For a similar example look at the Comet, until they know for certain why these things are crashing it's not worth the risk. Although if you think it is you can probably get a used example quite cheaply now.
-
Tuesday 12th March 2019 21:52 GMT sanmigueelbeer
Re: Avionics experts and the court of public opinion....
Is it prudent to ground the entire fleet?
I agree that the "jury is still out" and the cause of the latest accident has just started (and the press isn't helping).
Is it prudent to ground the entire 737 MAX? Yes and no.
No it is not because no one knows the cause of the latest accident. The trust in the aviation industry is on shaky grounds. Remember the SARS epidemic? A lot of airline executives are still haunted by it. Airline industry spend billions (combined) in PR and they don't want to waste all that money because the press & media are fanning the flames of how "unsafe" the 737 MAX is even without knowing the cause of this latest accident.
This is not a "stunt": If individual 737 MAX operators won't ground their planes voluntarily then passengers will fly with someone who doesn't have them. Now that is a nightmare no airline executive wants.
-
Wednesday 13th March 2019 07:16 GMT Richard 12
Re: Avionics experts and the court of public opinion....
This aircraft is new. Very new.
This aircraft has now had two definite MCAS incidents, one of which caused a fatal crash during ascent.
This aircraft has now had another fatal crash during ascent. That's 3 serious incidents, including two fatal crashes during ascent in only 22 months. Far more than any other passenger aircraft that I'm aware of.
As we do not know what caused the third incident, the only prudent course of action is to ground the worldwide fleet until we do.
However, we do know that the Ethiopian pilots knew that MCAS exists, what it can do and how to disable it. That implies this crash does not have the same event chain as the previous two!
Something else happened - perhaps an unexpected side effect of the new procedure, perhaps something else entirely.
We don't know, and thus the aircraft must be grounded until we do.
-
Wednesday 13th March 2019 07:39 GMT bazza
Re: Avionics experts and the court of public opinion....
The reason why we're now seeing groundings is because of how the FAA and Boeing have equivacated over the implications of the Lion Air crash, made worse by the seemingly similar circumstances of the Ethiopian crash. It seems like the FAA have maintained a line of business as usual, nothing to see yet, not even giving out guidance on how pilots should be trained to deal with MCAS, fly without MCAS, etc. It's been a guidance vacuum, other than giving out a note saying "treat it like trim runaway". As I understand it that's not great, because the symptoms aren't the same as trim runaway. The info vacuum is what's finally lead the rest of the world to ground it.
There's anecdotal evidence to suggest that US pilots are now flying MAX on their own rules, having worked out what is necessary to deal with it. Whilst laudable, and no doubt benefitting from the experience of those with militarily test pilot histories, it does have a technical description; it's called 'Making it up for one's self". Which, strictly speaking, isn't allowed.
One of the US airlines has taken upon itself to give its pilots a raw view of the AOA sensors' outputs so that they can form an independent opinion of the operation of MCAS. Again, that's making it up for themselves. It's unofficial, probably not Boeing sanctioned, but probably a life saver.
-
Tuesday 12th March 2019 21:02 GMT Anonymous Coward
" and provides a limit to the stabilizer command in order to retain elevator authority."
That's a worrying thing to admit. So, currently, the system can automatically trim to the point of saturation and removing elevator control from the pilots, in response to faulty sensor data?
Seriously?
-
Tuesday 12th March 2019 21:04 GMT SkippyBing
Currently it has full nose down trim authority, which means you have to be pulling something like 50kg back force on the control column to keep it in level flight. I'm assuming they did this rather than limit it to avoid potential problems with the limit, after all there's no situation where it'd actually need to wind it all the way forwards right?...
-
Tuesday 12th March 2019 22:07 GMT Anonymous Coward
It's Worse Than That
You have to add the control column torque tube linkage into the mix. This is designed so that the pilots can break it (in case one elevator jams, for example). If that happens, each pilot then has control over only 1 elevator.
One elevator alone hasn't got the aerodynamic ability to override maximum down trim, no matter how hard you pull on it.
As I understand it, corrections welcome, it goes something like this. With an MCAS fault this has the potential to cause loss of control. Two pilots, already highly stressed, one of them doing the flying and applying max load to their control column, are near to breaking that torque tube. I think the Lion Air BB data showed this had happened. If that happens, one elevator goes neutral, the nose lurches downwards because one elevator alone is not enough to prevent this. The other pilot has a second or two to react and grab their control column to join in before that dive probably becomes unrecoverable. The conditions in which the pilot has to make that determination are extreme; lots of negative G, stuff flying about the cockpit, ground rushing up fast...
Meanwhile both of them are now not in a position to do anything about turning off MCAS. They both need both hands on the control columns to apply sufficient force. And the two pilots somehow have to coordinate their actions in order to fly the aircraft, whilst hauling back on their control columns for all they're worth, having never simmed for that situation in their entire lives, whilst trying to deal with an aircraft that's trying very hard to kill them.
Great, isn't it? Not...
The ramifications of this system being required, designed, approved, flown, and turning killer, still flown, are enormous. FAA is looking like it's toast so far as the rest of the world is concerned. This could make it very difficult to return the MAX to flight.
-
-
-
-
Wednesday 13th March 2019 07:20 GMT bazza
Re: God, the stress involved in writing this stuff...
That's been a problem for years now. I've seen ads years ago for Ada programmers, offering huge sums per hour. You can't do flight control software in Ruby. Python, Perl or PHP.
There have been safety critical systems written in C; nothing wrong with that, but takes a lot of very careful review.
-
Wednesday 13th March 2019 09:23 GMT Anonymous Coward
Re: God, the stress involved in writing this stuff...
There is more certifiable code written in C than Ada, with C++ on the way up. The challenge is in proving that the executable is correctly implementing the safety requirements, not what language is used for the source code. Software to help with the traceability of requirements to source code to executable code tends to be (there are relatively few examples) written for C first, then C++ and rarely for Ada (I'm told there is some, but I've not seen it).
-
Wednesday 13th March 2019 17:42 GMT bazza
Re: God, the stress involved in writing this stuff...
There is more certifiable code written in C than Ada, with C++ on the way up. The challenge is in proving that the executable is correctly implementing the safety requirements, not what language is used for the source code.
That's where specialist tools vendors like Greenhills comes in. And their OS, INTEGRITY. And guess which airliner OEMs use these things?
I like the feature in Ada where the valid range of values for a variable can be set. With only a little self discipline you can achieve something similar using ASN.1, but it's not built-in in C/C++/Java/C# like cardinality is in Ada.
-
-
Wednesday 13th March 2019 08:48 GMT Solarflare
Re: God, the stress involved in writing this stuff...
Just wait for the new age of "Flight Dev Ops - Agile development for agile aircraft". It doesn't matter if there is a bug, we'll patch it in the next cycle. Each flight can be renamed as a "sprint" and if one of those fails then we know not to use that bit in a release. Wonderful stuff.
-
-
-
Wednesday 13th March 2019 07:09 GMT Anonymous Coward
Wiring
If the MAX has the same AOA setup as it's predecessor, the NG, then it's using analogue Resolver AOA transducers. With resolver (and the closely related synchro) you can get some strange and hard to diagnose behaviour caused by wiring faults. If you have an intermittent wiring problem then you can be in deep trouble.
If this is what's actually been happening, it's difficult to sort out during routine maintenance. You have to buzz through the cable to check for shorts, grounds, crosses, etc. and you should inspect the entire length of the cable to see if there's insulation damage, too tight a bend, anything that might cause intermittent problems.
-
Wednesday 13th March 2019 07:40 GMT Richard 12
AoA sensors are a probe or fin on the side
Looks something like these.
The fin type is basically a fin on a potentiometer* (like a household rotary dimmer), the probe type measures differential pressure. I understand that the 737MAX has the fin type (as do most modern aircraft)
Any sensor could fail in flight - a plastic bag or helium balloon could wrap around it, a bird could hit it or crap on it, it could ice up or stick for other reasons, it might be fitted wrong or burn out young etc.
So if the sensor is really important, you have at least three, of at least two different designs and placed in different locations so that it's really unlikely that two would fail on the same flight (hit by the same object, ice up together etc)
With three sensors, you can tell which one is broken - the other two agree - and thus fly to an airport where they can fix it before you fly again.
If two break on the same flight, it's even less likely that they'd break in the same way at the same moment, so you can tell that at least two are broken - but you don't know which to trust and should ignore them all.
With only two sensors, if one is broken then you cannot tell which one is right, so you should ignore both if they disagree.
With only one sensor, if it breaks you simply don't know.
*Or other type of absolute encoder
-
Wednesday 13th March 2019 16:09 GMT Yet Another Anonymous coward
Re: AoA sensors are a probe or fin on the side
>With only two sensors, if one is broken then you cannot tell which one is right,
This is in a way worse. It has two sensors but the suspect system only uses one, another part of the flight control system uses the other. So if one fails you flip a coin, if it comes up heads the plane stalls.
-
This post has been deleted by its author
-
-
-
-
This post has been deleted by its author
-
-
Wednesday 13th March 2019 06:45 GMT Anonymous Coward
Automatic trim adjustment does not push down the nose aggressively
Given a plain canvas at Boeing and the desire to extend the life of the 737 what they have actually done is upgrossed the capacity and length of the airframe and added additional power for the 737 MAX. Since Boeing was using the basic design of the 737 they probably performed the modifications using a series of supplemental type certificates (STDs). This reduces the time and cost for the development of the new 737s.
Fundamentally they increased the capacity of the aircraft to carry weight, fly safely at speed, and be controllable across all flight surfaces and axes.
In changing the length of the aircraft AND increasing the wing size AND AND...changing the engine type, critically the center of gravity was moved (I am guessing) aft. While load and balance can control nose up (passengers and luggage-freight) making it safe to fly, the pitch axis (a sudden pitch downward in climb out is what happened in both crashes) seems to be what the software system was designed to compensate for in the MAX versions of the 737.
The reason the plane can exist in its upgrossed size however is the LEAP engine, for both commercial and aeronautical reasons. There must be something bad inherent in the design of this upgrossed version of the aircraft which the software control is meant to mitigate.
The LEAP engine is being operated commercially at less than maximum output in order to allow for a longer engine life, and the turbofan has some considerable novelty built into it which increases the thrust to weight ratio. Since there are conditions when thrust decouples from airspeed, for example clear air turbulence, updrafts-downdrafts, and since the engine seems to rely upon available air (quantity-density) for full blade inflation (operating at its rated capacities) and predictable thrust, maybe the software was developed to compensate for blade deflation (and the resultant reduced airflow across the wings caused by reduced thrust plus the blade re-inflation latency). If the air supply faltered in climb out, and the blades deflated, you would want the nose to drop quickly to reduce the angle of attack to prevent a stall of what are probably super critical wings, close to the ground. No recovery from that.
I wouldn't be surprised if the weather was really hot upon departure for those (now) two downed aircraft...the air is much less dense and stable and therefore more difficult for the engines to 'bite'.
The fact that the software interfaced with a single sensor in the two downed aircraft demonstrates a breakdown in communications between software engineers and the aeronautic wonks. Properly developed software, given the critical nature of its purpose, should have been relying upon multiple points for data for it to fly safely if the design flaws above exist as stated.
I think the point of failure was in the design of the aircraft-engine pairing given the 737 MAX is just an upgraded version of an existing aircraft, and that it operates at the edge of the performance envelope in its upgrossed design. The software was meant to make the design workable.
Properly operating software will make the plane safe to fly in automatic mode, however the plane is still flyable by a pilot (I am relying on Richard S. Bach and his Jonathan Livingston Seagull to explain what pilots can do to manipulate safe flight that machines (aircraft) can't do alone) manually.
Finally, and commercially speaking, the 737 series is a very practical solution for a range of flight requirements. Because of the similarity in flight characteristics between the different models and configurations, a pilot checked on type of one model can pick up and check out quickly on the other models as well. This is a big selling feature of the 737. It may be that the MAX series requires special training and increased awareness of the people that schedule and fly them.
Calling the nose down feature of the software control system a 'trim adjustment' is meant to minimize the importance of the role Boeing plays in these two crashes, I think. The software is designed for disaster prevention, but poorly.
-
Wednesday 13th March 2019 09:04 GMT Alister
Re: Automatic trim adjustment does not push down the nose aggressively
the pitch axis (a sudden pitch downward in climb out is what happened in both crashes) seems to be what the software system was designed to compensate for in the MAX versions of the 737.
The MCAS is designed to induce a pitch down to counteract the fact that the engine nacelles are lower, longer, and further forward on the 737 MAX and therefore can cause a pitch up in certain conditions.
The MCAS rotates the whole stabiliser to achieve this, and can therefore induce sufficient downward moment that the elevators cannot compensate for it even with full upward deflection.
-
This post has been deleted by its author
-
-
This post has been deleted by its author
-
-
Wednesday 13th March 2019 10:57 GMT Anonymous Coward
DO-178
"New software should be released any year now. Once we get these 57 documents and 27 meetings finished. Until then, you can just wait. We do this to assure safety."
Hey, how's that 'assured safety' working out for you?
Now they'll be tempted to go back and make the process even worse in *all* respects.
The standards people shouldn't be allowed to create standards. They're doing it wrong, due to a host of false assumptions.
-
Wednesday 13th March 2019 11:25 GMT Conundrum1885
Re. Screamliner
Re. standards. Therac-25 comes to mind. Also LHC, Tchernobyl and Columbia.
Sure it complied when it was originally constructed but that ****** was a disaster waiting to happen.
RIP all those who have died due to a most likely entirely preventable software issue.
Boeing should do the honourable thing and publish the firmware to trusted third parties so they can
go through it in *LINE BY LINE* analysis and find out exactly why it went so terribly wrong.
Then the report should be referred to in court when the managers are held responsible as they
quite rightly should be for corporate manslaughter.
I feel bad about this but its best to get it out in the open.
Also it looks like quite a few issues have been caused by stall prevention systems over the years,
perhaps the right thing to do is ground *all* the 737-MAX planes and those using related software
until it can be permanently resolved and the required backup systems added.
If needs be throw unlimited resources at it and take folks off less urgent projects no matter what the cost.
Consider scrapping the aircraft class if it can't be fixed without a complete redesign.
-
Wednesday 13th March 2019 12:27 GMT jigr1969
Boeing has a history
I'm sure all of you on here remember the RAF Chinook crash into the Mull of Kintyre back in 1984, which was covered in great length on the computer weekly website. It turned out that the FADEC system was relying on two speed sensors in order to keep the two engines running in sync. If erroneous data was received, it could cause a single engine to overrun, which in turn would cause the helicopter to flip.
Looks like Boeing has forgotten previous mistakes.
https://www5.in.tum.de/~huckle/chinook_software.pdf
-
Wednesday 13th March 2019 12:34 GMT naive
I don't want Albert Einstein to be my pilot
"Split second decisions are needed, and the complexity creates danger. All of this for great cost yet very little gain. I don't know about you, but I don't want Albert Einstein to be my pilot. I want great flying professionals that are allowed to easily and quickly take control of a plane!"
Donald J. Trump, president of the USA, March 13, 2019
No more explanations needed, just fire all this cheap .NET programming H1B visa labor, and start building planes again.
Or ask your grandpa, how they built the excellent 707's.
-
This post has been deleted by its author
-
Wednesday 13th March 2019 14:28 GMT Milton
Absence of evidence is not evidence of absence
I understand that Boeing and the FAA, eyeing the potential economic and reputational fallout from a grounding, are staking a position on the lack of immediate evidence that Ethiopian 302 went down for the same reason as Lion 610, and further that the loss of Lion 610 might well have been avoided if the pilots had turned off the anti-stall setting that may, given bad data by a defective AoA sensor, have been at the root of the problem.
A Boeing executive might well honestly say:
"A. Lion 610 wouldn't have crashed if the pilots had been more aware of how to correct the situation (which they should have been, from reports of prior incidents, for that very aircraft, which were sucessfully resolved); B. we simply don't know yet what caused Ethiopian 302 to crash; and C. even if it was the same scenario, we must again point out that pilots had no excuse not to know how to rectify the problem."
I think you really cannot blame an executive for that line of reasoning.
But.
But, a Boeing engineer might have some rather different thoughts, like:
"Yeah, both sets of pilots should have known what to do in the case of the anti-stall system being erroneously activated. Both sets of pilots already had a body of prior events and reports to work from. Lion 610's pilots should have known about what had already occurred on previous flights with their very own airframe. Ethiopian 302's pilots cannot conceivably have been unaware of Lion 610. So what if there is more to this than we're assuming? What if, while we're obsessing about bad AoA data setting off our (nice, shiny, new) anti-stall software, there is another, much more subtle, much less easily fixed problem which occurs very infrequently, perhaps with almost random intermittency? Doesn't this, in fact, stink like a catch of week-old haddock left in the noonday sun?"
My guess is that executives will make the basically bad decision to keep the plane flying, not out of greed or even stupidity, but because they follow their own logic. Which, to a non-engineer brain, makes sense.
Whereas engineer brains are preprogrammed with laws like Murphy's, and that one about Unintended Consequences, and in particular the one that correlates systems complexity with not only increased numbers of points of failure, but to the ever-increasing difficulty of finding, replicating, diagnosing and fixing the rare and subtle ones. (Look how long it took to finally figure out the phenomenally rare combination of factors involved the B737 rudder hardover failures that brought down UA 585, USAir 427, and nearly killed Eastwind 517. This was an entirely mechanical problem in a single power control unit, occasioned when a specific sequence of flight events brought very hot hydraulic fluid into a very cold servo system. Nowhere near as complex as a million lines of code, but from the first deadly accident to a final finding by NTSB was eight years. (The fact that this too was B737 is purely coincidental.))
It's difficult enough to prove that 1,000 lines of code are error-free, let alone the millions that can make up aircraft OS and flight systems programs. (And let's not overlook the fact that this airframe has some significant changes from the NG series that preceded it. The positioning of the engines—further forward and higher, to accommodate larger fan diameters—has made big differences to CG and trim; the winglets are new; and even changing the nose gear system alters an aircraft's inflight CG and trim needs. Fuel figures suggest the 737MAX flies beautifully trimmed ... but all these things are changes which do affect the way software performs and makes decisions.)
On balance, I suspect experienced engineers would be a leetle bit more inclined to ground the 737MAX fleet, right now, than their bosses in the e-suite.
-
Thursday 14th March 2019 02:42 GMT Wobbly World
Eyewitness...
Eyewitness, Turn Buzuna, a 26-year-old housewife and farmer report that the the Boeing 737 MAX 8 was shuddering making, “A loud rattling sound, like straining and shaking metal, it tried to climb but it failed with the nose pointed down and the tail raised up. It went straight to the ground with its nose, it then exploded.”
Another witness, Tamirat Abera, 25, was walking past the field at the time reported that, “Before it crashed there was fire in the tail that was trailing white smoke, that turned black, items like clothes and papers were coming from the tail. Then when the plane was very close to the ground, the plane turned sharply, before hitting earth, crashing about 300 meters away.”
Questions:
Were the pilots trying to correct a fatal dive caused by failure of the MCAS, that was repeatedly force the airliner's nose down??
Did the pilots lose elevator control on one wing or did one engine fail or was it pilot input that caused the final sharp turn before hitting the ground??
Did faulty AoA data and the MCAS wind the trim system to its max and did that cause aerodynamic loads on the tail section in the dive that caused it to break up in flight??