Proof (as if proof were needed)
That Self Certification doesn't work.
(not when you're talking about Boeing (hee hee boing!!) anyway)
As the Boeing 737 Max controversy rolls on, the American planemaker has now been embroiled in a fresh row – after it was revealed it wants to shorten and replace some physical certification tests with software-powered processes. Specifically, Boeing is “reducing the scope and duration of certain costly physical tests used to …
The airplane crashes? People are scared to go on it? Airlines don't want to buy it as a result?
1. recall the aircraft...in the sense of calling it by a new name = a brand new aircraft after each crash!
2. Airlines rebadge the new plane
3. Passengers relaxed.
4. Share price up, investors happy.
If they do rebrand, you-know-who is going to claim the credit and will be even more insufferable:
What do I know about branding, maybe nothing (but I did become President!), but if I were Boeing, I would FIX the Boeing 737 MAX, add some additional great features, & REBRAND the plane with a new name.
No product has suffered like this one. But again, what the hell do I know?
— Donald J. Trump (@realDonaldTrump) April 15, 2019
Is this the same Boeing that had some fairly major redesign work on the 787 on more than one occasion when the CAD version of the aircraft turned out to be a bit optimistic compared to the physical tests?
Airbus have been caught out too but I can think of more examples for Boeing including things like the 747-800.
Boeing is also building the Starliner spacecraft in competition with SpaceX's Crew Dragon.
At least one of the major abort tests is being done for real by SpaceX but as a simulation by Boeing. I have no idea how they managed to convince Nasa to go along with that, but whether it's sufficient for it to be a simulated test or not, it certainly speaks of the same attitude at work as described in this article.
The arrogance of thinking you know EVERYTHING about a system so don't need physical tests to test if your simulation is real is quite astounding. I'm the product of a line of engineers so I know how they think but this astonishes even me.
But then I'm a Biologist, we do experiments that make engineers and physicists blanch with the degrees of freedom. Which is why we never approach the levels of Sigma physics can get to.
I remember describing to a physicist how we control experiments and he said the idea made him feel queazy.
... and there is the flaw in the plan.
If you had a good reputation for building rock solid planes that didn't pile into the ground as you cut costs, then perhaps people might say "OK with caution", but right now, if you expect me to be a live crash test dummy on your next plane - then nope, no way, that isn't happening
PHB: "So, we've proven we can't write reliable software, what shall we do next?"
Technical Section: "Replace hardware tests with more unreliable software!"
PHB: "Great! Next round is on me."
Dilbert: "Erm, does nobody see a flaw in the plan?"
PHB: "Don't be a downer Dilbert, my grandson told me software is the future!"
I'm a someone with quite a few years performing exactly the sort of computer modelling which Boeing is intending to use (Finite Element Analysis), although I have to admit that I'm not often modelling aircraft components.
There are plenty of examples of manufacturing processes resulting in a part being not quite what was modelled, so in some cases, parts will be stronger than predicted, but in other cases, they will be weaker.
Physical tests help identify when the part is not quite as good as predicted, and are there to ensure that complacency of the engineers checking the calculations used in the design can't cause a fatal problem in a production design.
Even physical testing doesn't always catch every flaw, but it's better than no physical testing. This reeks of bean counting interference in the engineering process. Surely it can't be cheaper to have your planes grounded by the civil aviation authorities after a fatal accident than it is to perform physical tests?
Yes. I have no problem with modelling and running pre-production testing through a simulator. That makes some sense, but once the physical stuff starts being produced, it still needs to be double checked to make sure it is up to spec.
I would think the Software modelling would be useful to eliminate the models that simply won't work at all (the ones designed by the recent engineering graduates of Bonehead University). Find out before you even start building hardware test models, save some time and money that way. That would mean you would *now* have more budget to do the HARDWARE testing on models you have some expectation of success for.
"Surely it can't be cheaper to have your planes grounded by the civil aviation authorities......
The issue here is that it costs Boeing nothing while the planes are grounded. They can still demand that the airlines pay for the planes even while they're not flying. The *lawsuits* from the airlines *after* the fact might cost Boeing something, but thats for the lawyers to fiddle with, not the beancounters.
This might not be the truth; planes are nut purchased as such but airlines pay by engine hours or something like this and they do some of this with crazy leasing contracts. and no new planes will be shipped in the moment. i think it is naive to believe there is no financial impact right not to the manufacturer.
Using a virtual aircraft to test the structure is fine, if, all you are going to use said aircraft for is virtual flying. Otherwise it would not be a good idea to trust that the simulation is capable of accurately modelling what happens in the physical world.
After all the simulation is only as good as the data it is given.
So thanks, but no thanks. I for one have no wish to be "collateral damage" in Boeing's quest for a fuller bottom line.
I do enough beta testing for Microsoft free of charge and that's enough problems, you can forget it on a FUCKING PLANE!
My old mums 60's next year so my brother and me are taking her on a luxury holiday of a lifetime as a present (with us coming with). I'm was giving very serious consideration to refusing to fly in a 737 MAX already, but that's looking like it's going to be anything by Boeing.
3 (super expensive!) tickets is small fry I know, but other than my wallet what else can you do?
Exactly what I was thinking.
Nothing wrong with doing simulations on the parts in the first instance, and then physical tests later - I can't see the FAA letting them get away without physical tests. But with that said, they should have kept a lid on this for at least another year.
Boeing are going to a massive effort to make themselves look bad globally, cut corners in design, charge extra for safety features, deny problems, blame everyone else.
I await the half year financials at the end of July, expected to be billions short of the January prediction, it's the only pain beancounters ever feel.
If they'd simply put a third sensor on the plane and used all of them them all of the time for MCAS data feed, instead of 350 dead there'd have been two 'MCAS sensor mismatch' warnings and a little bit of unscheduled maintenance.
All the unapplied changes were those that required recertification. So yes, the additional sensor, or other changes, training etc etc could all help. All would need recertification.
It was not the $30 cost of the materials, the $80 cost of manufacturing or the $200 cost of fitting any sensors... or the millions in costs of making and designing a different airframe. It was the billions in cost of delays of development, sales etc from the time taken and needed for recertification. :/
This post has been deleted by its author
Its actually not a half bad idea but the timing of this announcement is "somewhat tone deaf". Most design and verification is done using simulation these days, it happens in all engineering and scientific fields. The reasons for doing this are partly to reduce cost but mostly because its just not possible to physically build and examine all the design and use cases. The trick is to have carefully chosen physical experiments that are run alongside simulations to keep the simulations honest.
Boeing's problems with the MAX are not due to running tests on models but rather either not running enough tests or running them on inadequate models (....or both). The problem with 737 planes' elevator trim has been around for a long time but somehow as new versions of the plane were developed this issue dropped out of sight until what could only be described as a "poorly executed software kludge" brought it to our attention. This undermined confidence in Boeing's systems engineering, not to mention besmirching the embedded software, so the best thing Boeing could do at this time would be to keep their mouths shut and heads down to give them time to repair their damaged reputation.
(Also, bear in mind that an Airbus is effectively a flying flight simulator......)
bear in mind that an Airbus is effectively a flying flight simulator
Well, Airbus doesn't have a reputation for unscheduled, insistent lithobraking on the whim of an internal computer. The Airbus incidents I recall involve unqualified pilots doing stupid things in the cockpit, including flying at least one aircraft with perfectly functional core systems straight into a land barrier near the ocean. Or my favourite, not recognizing their aircraft was in a stall for tens of thousands of feet in VFR -- these things called "windows" are useful to determine aircraft attitude, and I know the cockpit has at least a few...
On the whole Airbus seems to get software (mostly) right. Boeing seems to cut costs until people die. Which one would seem to be more qualified to move tests to software?
Or my favourite, not recognizing their aircraft was in a stall for tens of thousands of feet in VFR -- these things called "windows" are useful to determine aircraft attitude, and I know the cockpit has at least a few...
If this is Air France, attitude itself wasn't exactly the problem (and apparently poor or no visibility meant windows were of little help). Hannah Fry's excellent "Hello World" has a good account of it. One of the chief causes was that neither the captain nor the other co-pilot realised that Bonin (the pilot flying when they encountered problems) had his stick back the whole time, including not releasing it when Robert took control and thereby cancelling out Robert's attempt to lower the nose. Robert was trying, and Dubois (when he re-entered the cockpit) also ordered to pitch as soon as he realised what was happening.
Interestingly the point of that part of the book is nearly-good-enough automation causes people to rely on it to the point where they don't have enough experience when the system is forced to hand over control. The AF flight gave control back to the pilots because of faulty sensor inputs, but the pilot flying did not have enough experience flying without assistance to react properly. This may have been compounded by confusing feedback from the automated systems, such as the stall warning resuming when the nose was lowered (and inputs became valid again). Both co-pilots seem not to have realised what the stall warning was actually telling them (if speculation that Bonin kept pulling back in response to the stall warning is correct).
I couldn't find anything detailing the weather conditions at the time, but assumed it was VFR below the cloud deck. I might be wrong, but in any case 35 degrees or higher AoA is quite significant -- just a basic seat-of-pants check (literally) should have indicated something was amiss.
It's a known problem that cognitive loading decreases in highly automated environments, below the minimum needed to keep response time where it needs to be when the automation fails. There's an entire field of research devoted to basically keeping the operator busy with routine tasks with the automation helping, so that if things really do go south the operator is ready to assume control of the higher level functions while the automation takes over whatever it can still handle. I don't know if this has ever been applied to aircraft though.
'I couldn't find anything detailing the weather conditions at the time, but assumed it was VFR below the cloud deck.'
They started out at ~35,000' and were scudding through the tops of the cumulonimbus from the inter-tropical convergence zone near the equator. To get the icing on the pitot tube they would have had to be in cloud at least part of the time, I believe they were in clear air when they pitched up, but then would have been in cloud most of the way down. The artificial horizon should have been working the whole time though as it gets its information from a gyroscope.
Your second paragraph is true, I know they've looked at it for military UAV operators but I'm not sure about airline pilots. I'm sure I've read something about it being tried in a simulator though.
The info on the weather conditions helps even if it opens up even more questions. Your point on the artificial horizon makes that degree of pilot error even more unforgivable -- even in sims, the first thing I do when in any way potentially confused about orientation of the aircraft (e.g. in IFR) is check the gyro immediately. Never mind that the gyro is supposed to be part of the normal gauge scan pattern that any pilot should be following -- it kind of sounds like if those pilots had an engine on fire or other emergency that might come along with more than a handful of computer warnings they wouldn't even have noticed it at the time.
I'd assumed that the artifical horizon had somehow failed as well, but thinking about it more you're right, it should have stayed operational the entire time. At least enough to reliably indicate a 35+degree nose up attitude.
Human factors. What fun.
"I'd assumed that the artifical horizon had somehow failed as well, but thinking about it more you're right, it should have stayed operational the entire time. At least enough to reliably indicate a 35+degree nose up attitude.
Human factors. What fun."
Indeed. AF447 is a case study in human factors. Crew Resource Management was a big failure there. Misreading the instruments was another. I've seen my own brain get saturated and shed inputs and tasks; it's amazing how we humans can fail. (Maybe not part of AF447, but look up "somatogravic illusion" for why someone might screw up pitch.)
Keep an eye out for the report on Atlas Air 5Y3591 in Houston.
Most scientific fields don't involve winged metal tubes carrying hundreds of passengers thousands of feet in the air at several hundred knots.
There is no substitute for physical testing in such cases. Almost like Boeing are trying to crash their business alone with their planes.
Simulating wing tests in a computer misses the whole point of the tests. We assume that they already used computer modelling to design the wings, so know that they won't snap in the computer. The point of a real physical test is to confirm that they actually handle the required load in real life, and that the computer model is not at fault.
Snapping real wings is obviously expensive, but considering a wings are an absolutely essential structural part of the aeroplane that it cannot fly without, and that they generate the lift that keeps the aircraft in the air, it does not seem an unreasonable precaution to insist on actually testing a real wing.
Exactly! Have 100 up-votes if you could!
I always told students that if it fails in simulation it is pretty certain to fail for real, but if it works in simulation that is only a sporting chance of working in real life as models are rarely accurate for all of a device's possible operations.
Computer simulation of tests lets you get to the point where your parts pass the computer simulation tests a lot cheaper. So that is a good thing. You save the money to break a dozen wings that had no chance to survive. Once you pass the simulated tests, you do _one_ real test. If it breaks, then you know your simulation was wrong, so you fix the simulation (now the wing should break in simulation since it broke in real life), and improve the design again until the simulated wing works - and then test a real one again.
If your simulation is good, you will do _one_ real test, and it will pass.
My understanding is that the wing breaks anyway in these tests. The important information is just how much abuse it takes before it breaks.
So long as it gets past n KN of force, or x degrees of flex then it's a pass, but the wing is tortured to breaking point so that they know where the breaking point is. After all, the test is to prove that the wing will permit the flight to land safely. Not to permit the next flight to depart on the same aircraft - that comes at a lower threshold.
>My understanding is that the wing breaks anyway in these tests.
For 787 they didn't test the wing fully to destruction. Which you normally do because having reached the 150% of design load (or whatever is required) the wing is pretty damaged, and it's fun to watch.
They were concerned that video of the failure would make it onto anti-social media and make them look bad
"The point of a real physical test is to confirm that they actually handle the required load in real life, and that the computer model is not at fault."
I'll add that it's also a test that the wing has been built with the correct materials up to the standard as designed. Although that latest news about MCAS being different to the one demonstrated to the regulators doesn't inspire confidence that a test/prototype wing will be the same as the production one.
This post has been deleted by its author
of course uniformity is not absolute, but having been involved in aerospace engineering and manufacturing for several years, the amount of testing, retesting and more testing of all component parts to make sure they meet spec is insane and largely absolute, down to the metallurgy, machining, assembly. It's arduous but purposefully so to ensure that an aircraft assembly is a constant.
I'd wager (and win) that if you took 3 B777 wings, they'd all break within a percentage of 154%, if the original wing tested to 154%.
Concur - I remember the building of the Sherpa at Shorts in Belfast. They didnt build parts to be as strong or stiff as physically possible - the built them to be as consistent as possible.
Thats the main reason planes mostly use rivets, (and usually many types of rivet) rather than (potentially) stronger welds. Welds (even robotic) are not as consistent - even though generally they are stronger.
Watching them do the wing snapping tests is painful for us engineering types.... but it HAS to be done , there is no other way to prove the wing will work to 150% of max load.
I got involved in some work a long time ago on some clever bods saying what we built should take the loads involved and we dont have to test...... it blew up... upon building a test rig we found it failed at 90% of max load because manglement ordered the wrong material(because it was cheaper).. not that it made much difference.. the thing still failed the load test when we tried again... 4inch I section beam sorted that one out....
Ever notice how CG graphics in movies tend to look... not quite right? Spend what you will, there's always a giveaway. In-camera effects, stunt work, THOSE look real. You'll never mistake a real stunt for CG.
Computer-generated anything all has the same flaw. They only contain what the creator knew about and tried to include. Furthermore, it's the designer's interpretation of something real, and again subject to human limits. Real life takes care of all the details. Hair blows right, the textures are good, objects move with correct inertia along the right paths. All the thousand little details that the best paid CG outfit would never think of.
Ask any test pilot. Their job is to find out how the craft flies in Real Life, including any little quirks of behavior the designers absolutely never imagined might happen. Boeing's models and simulations by definition do not include anything unexpected, and are unfit to "test" a toothpick for its breaking point.
I'll go farther and say that there's far too much reliance placed on this kind of crap, modeling in computers instead of Finding Out for real. It's the ultimate Search Bubble, you'll only see what you've seen before and the model can regurgitate back to you. Another flawless test! Oh, it crashed? Well, I guess we'll add that to the model!
Well, they did once using old MCAS and got a pass on it, because the planes and systems were "similar". For some value of "similar". At one point (and maybe it's still there) was requirement where they physically bent the wings on the aircraft and test flew it.
I suspect that even if the US allows simulation testing, many of the other countries won't. Boeing was using a loophole to get around certain tests by the "Oh.. it's the same plane with mods". But real world says the modes should be test in real life.
<sarcasm> I'm sure that the air forces around the world will now rely on computer simulations when it comes down to buy military aircraft. </sarcasm>
<sarcasm> I'm sure that the air forces around the world will now rely on computer simulations when it comes down to buy military aircraft. </sarcasm>
They already do, service personnel are cheap, relatively speaking. No troublesome lawsuits, just a "training accident", or "lost in combat".
That is the only place where theoretical/computer-simulated ''tests'' would be valid - where the use model was built using the same assumptions as the design model. In the real world things do not always behave in the same way as the theoretical/design model -- this is why tests are needed to ensure that we have got the physics right.
So will they blame some lowly programmer or a physicist when these planes crash ?
"the only place where theoretical/computer-simulated ''tests'' would be valid - where the use model was built using the same assumptions as the design model. "
"tests are needed to ensure that we have got the physics right."
There are some people in Derby that you (or maybe the article's author, Gareth Corfield) might want to talk to/hear from. That's if the relevant folks are not already redeployed for cultural re-education.
If you thought MBAs were bad for safety critical systems, just wait till the first MBSE-related incidents (they won't be 'accidents') start happening. Some organisations' understanding of MBSE seems to have degraded since it was first proposed.
And this off the back of news that Engine Fire Extinguisher switches are known to have failed in 787s. I don't know exactly when the rot set in at Boeing, but the consequences now seem to be coming to light.
Aviation might be an expensive business to be in, but the costs of trying to do things on the cheap are much, much higher.
instead of doing things like bending actual, and highly expensive, components until they snap
And it is not as if Boeing doesn't "pass the cost" of these physical test(s) to the cost of a brand new airframe. This is just a way for Boeing to claw back more money. I seriously doubt that Boeing will say "the benefits of this is lower unit prices". Yeah, right.
Don't forget that Boeing has a (very) cozy relationship with the FAA where Boeing staff are allowed to "self certifies" a lot of their stuff.
The issue is not whether or not Boeing will be allowed to do this by the FAA (that's already a given). The issue is whether or not Boeing will be allowed by by the other regulators from other countries.
(When news of "Boeing self certify" broke, EU regulators immediately said that they were not going to "rubber stamp" FAA's approval for the 737 MAX to fly again. And then everyone joined that bandwagon. And when the Chinese regulators chimed in, FAA had no choice but to "invite" everyone into the 737 MAX review process.)
I don't believe foreign regulators will rubber stamp on the "computer simulation vs actual test". It will be tough road ahead for the FAA to win back the trust.
"This is just a way for Boeing to claw back more money."
I'd bet it's more about *time* than money (though of course, time is money in the end). Physical tests are cumbersome and time-consuming; simulations aren't. In news that is I'm sure *entirely* unrelated (koff koff), Airbus announced a new long-range A321 variant today which puts a lot of pressure on a planned new Boeing plane referred to as the NMA ("New Midsize Airplane") which is already suffering from delays in its development timeline:
so yeah, must be unrelated to why Boeing might want to replace slow physical tests with fast simulations. I'm sure it's because the simulations will be better, that's definitely it.
I'm sure that the software will thoroughly test every single possible fault.
That they already know about.
Of course in the ludicrously unlikely possibility that there's a problem that the people writing the software didn't think of then they - or rather the passengers - are buggered.
I think I am going to be a lot fussier about who I fly with and what's in their fleet.
A good friend of mine isa CFD guy, has worked on civil and military aircraft as well as things that are supposed to go bang. He values physical testing as it verifies his work (or not).
The Romans used to do this with architects and bridge designers. The grand designer had to stand under the arch/lintel/whatever as the wooden scaffolding is removed. This didn't guarantee structural integrity but ensured that unsuccessful designers didn't inflict any more unsafe structures on the public.
Holistics is great, you treat the whole system not just one symptom/problem.
for example, a person goes to the Dr and has high sugar, diagnosis type-2 diabetes, normal treatment is give them drugs
Holistically you look at the person and maybe then you see the cause of the diabetes and instead of drugs you see their weight and diet is probably the cause, so you get them on a better diet, on a training regime to get the weight down, while also starting you on medication to keep the Diabetes under control while the lifestyle change takes effect.. Finally there is a good chance the person can then come off of the medication.
I remember reading about some testing performed by Boeing in a wind tunnel. Wind tunnel models are normally scaled down, otherwise you would need enormous wind tunnels. You can further reduce the size of the model by only building the left or right half meaning that your wind tunnel only has to be half as wide. This assumes that air flow actually flows along the centre line of the aircraft.
Every test was tickety-boo. When the 'plane went into service they found that it had two stable attitudes and it flipped between the two. The tail was something like eight feet to the left or right of the direction of travel and the 'plane yawed between the two every so often. (It wasn't the same size of offset in both directions for some reason.) So all of the wind-tunnel tests were meaningless. (Note, this was a physical test, not a simulation.)
I think the model was the original 737.
I'm sure everything will be fine as long as they don't make any unwarranted assumptions.
It has since come to light that the version of MCAS installed aboard production 737 Maxes was not the same version initially demonstrated to regulators overseeing the development of the jet.
If this is true, doesn't that remove the relationship with the FAA from discussion as a possible issue with the crashes and mean someone in Boeing is responsible for selling uncertified planes?
Just read yesterday that the 737 MAX flight simulator at Ethiopian Airlines (they actually have one of the few in the world!) could not faithfully recreate the crash scenario that happened.
This shows that even the flight sim was NOT a full representation of reality.
A stark reminder that any theoretical modelling may be useful, but does not replace real-world testing.
My father worked in flight simulation for about twenty years. These were analogue computers and took up a lot of space with their pots, actuators, perspex cams and other arcana.
At one place he worked the pilots used to tease him about his "lousy Comet IV
simulator" because the plotter pen always drew their flights slightly wrong on the vertical map outside the fake cockpit. (There was a vertical map with a perspex cover and the plotter pen drew the flightpath in red ink. This could be wiped off after the exercise ended.)
This annoyed him for a long time as he could not find the source of the reported error.
Then, one day, some RAF Nimrod pilots turned up and had a go on the old jalopy. All the red lines were in exactly the right place, all the turns were made exactly on the beacons etc. They did point out, however, that it was a lousy Comet IV simulator because it wouldn't do barrel rolls properly.
Didnt Boeing quietly admit last week, that the simulator software was wrong, and didnt reflect what really happens when MCAS goes wrong??
All the sims they did prior to the Ethiopia crash showed the aircraft could be restored to safe flight - but in reality the pilots using it werent having their control surfaces degraded the way they would in real life; nor suffering the physical push-back on the controls from the airflow that occurs when the brown stuff hits the rotating blades.
Releasing this simulator news so soon after admitting that snafu is tantamount to corporate suicide - assuming the law-suits that have already starting flowing dont bankrupt them anyway.
Airlines have hundreds of unflyable Max-8s burning through their budgets; sooner or later they are going to start suing Boeing for selling them unsafe crap.
Air Ethiopia alone has 10 of them mothballed ??
They will do whatever they want like emperors of old, protected by favorable laws their lobbyists made happen so nobody can be held accountable.
In some countries people get in jail for not paying a fine or insulting a cop.
In our developed Western countries, CEO's earn 100 million and more, kill 600 people as a result of their decision making, and either keep their job or get severance of 200 million.
As long "We the people..." allow them to get away with murder, it will continue, and they just laugh about it.
Simulations of all types use models* and they are always compromises at least in my area of engineering; I would not know why it would be any different when using finite element analysis.
There are so many variables even in an apparently simple model that to account for all the possible variations would take a long time.
When I was in the business of flight control computers, we had a particular box that was getting significant numbers of failures (over 50%) when being subjected to lightning testing (yes, we expect an aircraft to take lightning hits). As this was the 'last man standing' piece of kit (the primary flight controls have failed and the person up front has already had a really bad day) it was rather concerning.
One of the designers told me that multiple simulations had been run and showed there should be no problems at all. They had tried changing suppression devices with different engagement levels, all to no avail - for every change they made, a new problem appeared and the failures continued unabated.
When I looked at the models for the suppression devices (there were multiple), it showed the devices engaging in picoseconds (by which time the lightning stroke would have reached perhaps 30 Volts which would have been perfectly acceptable in this particular case). Now, the silicon could engage that quickly, but device parasitics (the real world effect) would not.
I measured the response of the circuitry to the lightning stroke and the devices only fully engaged at about 400 nanoseconds by which time the lightning stroke effect had reached several hundred volts (which is not good for most integrated circuit electronics which then very quickly becomes a fuse).
Having measured the real response to the lightning test, we were then able to re-design the protection circuit so it did not fail under lightning conditions.
So - simulations are great as indicators of performance but not as guarantees of performance; only actual testing can show that.
Perhaps someone might like to remind Boeing management (although I would expect the usual waffle from them).
* Seems obvious but it gets forgotten by a lot of people in engineering.
I was surprised to see wing loading tests given as an example of something that might be modeled rather than destructively verified. Is that an El Reg speculation, or did Boeing actually mention that as a specific example?
I think there have been at least three, possibly four occasions in the last 20—30 years when major transport-category aircraft (civilian or military) have failed load tests at less than the required margin (usually 150% I think)—in all cases a surprise to the designers and engineers, and in all cases necessitating strengthening of some structural components. This would suggest that despite extremely thorough materials assessment and engineering calculations, the models just were not accurate enough. (There have been numerous incidents where less strongly built and tested wings would have killed a planeload of people: for just one example, think of the Chinese 747 whose pilots buggered up a cruise-altitude flameout over the Pacific in the 90s).
Given that 150% isn't an exceptionally large margin by engineering safety standards, you must ask: what margin will be designed for, if testing is no longer destructive? 200%? 300%? Because if your "testing" becomes less rigorous (which is by definition the case, for anything less than destructive) you have to increase margins. That means that planes will become unnecessarily heavier, and less efficient, as you add material to bring wings up to, say, a 200% margin.
I can imagine there is actually a good case for model-based certification in some cases—think about simulation of performance of electronic circuits, power buses, insulation—but equally it becomes very bad idea in others. Once a while an engine manufacturer straps a chunk of plastique to a fan blade and blows it off, destroying several million dollars of engine, just to prove—prove!—that a failure will be contained and not chop a plane to pieces. At the kind of phenomenal energies, power and performance levels concerned, no conceivable simulation would be good enough.
Not least because GIGO. Even a supremely well designed computer system is susceptible to bad input. (Indeed, a few plane incidents themselves have been caused by this: mistaking a FPS descent rate for a degrees descent, for example; getting a pounds-to-kilos fuel weight conversion wrong; dialling in the wrong air temps before takeoff; I could go on.)
I think I'd like to know that when my family travels, the wings on their model of plane were actually physically broken in a way and at a loading that cannot lie; rather than depend on a tired engineer getting the rarefied subtleties of tensor calculus right every single time.
"Boeing digital" except when they are desperately trying to keep everything feeling analog and old school in the cockpits so that the aircraft can be type certified instead of classed as a new aircraft. No high tech displays or fly by wire technologies for Boeing. That would be modern and require pilots to be retrained. High tech testing, low tech instrumentation and flight controls - that's the way to go. What could possibly go wrong?
"As specified, as designed, as simulated, as tested, and as routinely built. "
They're all guaranteed to be the same, aren't they. Except when they aren't.
If these defectively-manufactured things 'routinely escape' the factory quality assurance process (which according to recent Boeing announcements apparently is also going to be cost-reduced), what happens next? It won't be the Boeing boardroom that pay the price, that much is already clear.
For a 737-related example from decades ago, look at the case of the "bear straps" which didn't fit in the factory assembly process, unless holes were drilled in places where holes weren't supposed to be:
TAYLOR SMITH: One of the shop managers sent me emails saying they were having problems with the fail-safe chords, which were the long ribs which go all around the aircraft, they go half way around and then they join up to the ribs that come up from the bottom. They were telling me that from the beginning of the 1996 time frame when they started manufacturing these parts and they were having shy edge margins and they were out of contour.
Boeing's internal documents which we have obtained, give a snapshot of the scale of the problem.
'Part out of contour, quantity 1.'
'Part Width - oversize, quantity 4.'
'Material thin, quantity 6.'
'Part under cut - quantity 26.'
'Poor mis-located, quantity 17.'
[continues - have a read for yourself at
Then came "We design and test and verify on a computer. It's safe, the track record proves it.""
Soon to be followed by
"ooops. we got complacent. We didn't pay proper attention to "near miss" incidents, not least because we didn't keep the customer fully informed. Consequently quite a few people didn't properly record regulatory and design and manufacturing issues, leading to many more people who died unnecessarily, and then a few people threatened to sue us, but they weren't boardroom people and the money carried on coming in, so it was OK, wasn't it."
And then what? And when?
This week's Paris Airshow PR spinners may have come and gone, but in the real world, this show's not over yet. E.g. Ralph Nader's still out there in the background somewhere...
Will Boeing's executives (and its board of directors) be required to fly on all flights where a plane has only gone through digital simulation certification? Their company AD&D (accidental death and dismemberment) insurance should also be waived so that neither the company nor their family members can receive any compensation from that in case a life changing (or ending, as it may be) event occurs whilst on said plane.
Biting the hand that feeds IT © 1998–2020