By Scott Hamilton
Jan. 7, 2020, © Leeham News: Boeing internally sees production suspension of the 737 MAX of at least 60 days, LNA has learned.
The last inventory MAX fuselages entered final assembly this week and will roll out of the factory shortly.
Then, production is suspended. Boeing publicly has not said how long the suspension will last and it’s unclear how much information has been passed down the supply chain. Without knowing when the FAA will recertify the MAX, Boeing can’t truly gauge when production will resume.
There have been published reports, citing unidentified sources within the Federal Aviation Administration, that the FAA may recertify the MAX as early as mid-February. The same reports, however, suggest certification may not occur until sometime in March.
But even March is only speculative.
The FAA is proceeding slowly and flight testing is going at a snail’s pace, LNA is told. Only one airplane has been authorized for flight testing by the FAA. This compares with three or four normally used by Boeing for tests of this nature.
Also, issues unrelated directly to the MCAS continue to arise.
A flaw in the Flight Control Computer, or FCC, system was identified months ago. A failure mode was identified in a highly unlikely set of circumstances. Nevertheless, with the heightened scrutiny, Boeing and the FAA now have this on a list of things to fix before recertification.
On the MAX, one FCC could not handle the processing demands (there are two for redundancy). These are the same FCCs used since the Classic days.
Boeing’s changes to the software code require that both now be turned on to manage the demand. Both are now required for dispatch; one unit can no longer be a Minimum Equipment List item.
Over the weekend, the New York Times reported that Boeing discovered a wiring safety issue with the MAX and reported it to the FAA. At this point, it’s unclear how serious the issue is and what the remedy may be. Nevertheless, it’s another box to check before MAX can be recertified.
Also over the weekend, the Wall Street Journal reported that in a reversal from its previous position, the FAA may decide to require flight simulator training before the MAX can return to service in the US. Transport Canada previously said it was leaning in this direction. Europe’s EASA hasn’t taken a public position on the issue.
If the FAA requires sim training, return to service will be delayed even after recertification, and this, too, will delay restarting production.
Last month, Seattle radio station KUOW published a Boeing graphic that showed only two of 12 steps toward recertification and return to service had been completed.
These yet-to-do lists and the new developments raise additional questions over the timeline to restart production.
Furthermore, Boeing has run out of places to park new-production aircraft if production outpaces deliveries.
Boeing Field, Paine Field, Moses Lake and Renton Airport in Washington as well as Boeing’s facility in San Antonio (TX) are full or nearly so.
Boeing wants to add Victorville (CA) to its authorized storage facilities, but lacks FAA authority to make this a major storage area, LNA is told. Boeing needs what’s called PC 700 certification authority.
PC 700 is Boeing’s FAA-issued Production Certificate.
Boeing has asked the FAA for this authority to cover Victorville, but this, too, is in process, LNA is told.
All airplanes prior to title transfer (delivery) are owned by Boeing and therefore fall under the PC 700 certificate authority. Boeing had to get PC 700 approval by the FAA to store planes at San Antonio and Moses Lake. Once issued, the FAA provides oversight and audits.
With all these factors casting continued uncertainty over the recertification of the MAX, restarting production appears highly unlikely through March—90 days from now. Internally, Boeing so far doesn’t see production restarting through February.
It’s also likely production won’t re-start in March.
Business has been very healthy over the last 3 years. Hopefully the supply chain has reserves to handle this interruption without too many people losing income.
Any time there is a break you lose income.
It is a fact of life and not a reason to keep production going, but it will have a major impact on both employees and the suppliers.
Not hopeful here; big companies can easily weather it, smaller ones not.
Makes one wonder how much of the supply chain might not be there when the restart date comes and even if they are, how many employees will have moved on.
I think Boeing learned from the 787 debacle you have to keep an eye on it.
But it’s for sure an area that they have to be deeply concerned about.
The wrong missing widget and no viable aircraft.
And not good at all for anyone
https://www.flightglobal.com/airlines/ukraine-737-reportedly-crashes-in-tehran-after-take-off/136032.article
Good example (if we needed it) why it’s in no one’s interest to have hostilities going on.
You have to wonder why this is going so slow, it’s not like there are not innumerable 737MAX to be used as test aircraft.
They all belong to Boeing (sans the delivered ones) and I can’t imagine an airline that would not be happy to get this done.
Breaking News:
https://www.bnnbloomberg.ca/boeing-reverses-itself-to-back-simulator-training-for-max-pilots-1.1370382
Off Topic but most interesting
https://simpleflying.com/airbus-us-assembly-lines/
Also, assuming the supply chain follows, the Chinese FAL is fully equipped and has a well-trained workforce, and can add to A320 capacity, pushing airlines with 737 orders to cancel those if more A320 slots become available.
BUT getting companies like Spirit or CFM to adjust workforce and supplies from B737 to A320 may take a LONG time!!
And the impact starts:
https://simpleflying.com/spirit-aerosystems-job-cuts/
So much for hope
I believe you have to ask the FAA why only 1 test aircraft has been authorized.
How long will it be before the supply chain dies completely?
6 months? 12 months?
Boeing kept it going through 3 years of the 787 debacle.
Publicly the new MAX version of the 737 was sold as
“New Engines, pylons, a longer NLG, streamlined tail structure for that additional % of efficiency.” ( can’t have Airbus catching up :-))
Nothing about having to add MCAS ( ok, we’ve talked that to death and stuck a pickle fork in it. )
but also nothing about widely scoped changes all over the plane .. … their integration now being cause for further problems and/or investigations.
All under everyone’s radar ( FAA, airlines, pilots, … ).
Any chance to garner some more or less complete list of ( unconnected to engine upgrade ) design changes done from NG to MAX ?
But, but, it was sold as simply a more efficient NG, what do you mean design changes? I was sold a pup!
Uwe, some of the differences listed here
=====================
http://www.b737.org.uk/737maxdiffs.htm#features
=================
or you can start on page 64 of this document and use a fine toothed comb
===========
http://www.b737.org.uk/a16we.pdf
===============
(I think MCAS is covered under “Stability Augmentation and Automatic and
Power-Operated Systems”)
Thanks for the link. I’ve been there ( before )
I didn’t memorize the pdf though.
Lots of little rearrangements done.
How well are the FBW^Helectric actuated spoilers tested?
Boeing still has its head in the sand and saying nothing about EASA requirement to address trim forces. March 2021 more likely than 2020!
It’s not just a MAX issue and I wish posters would read and understand that before flipping KAC type comments out.
EASA backed off the Trim Force Aspect.
As I have repeatedly said and have consistently listed it as the biggest REAL issue – not just on MAX, but NG and many other aircraft of that non FBW era.
As it’s not a MAX issue alone, actually with something like 5000 NGs and a number of other aircraft (numbers unknown) it’s also an economic decision, is it enough of a problem to ground 5000+ aircraft.
As 757 and 767 are also mechanical as are early A330/310, do you ground all of those? Do any of those have remedial systems that allow it to be a non issue?
Are you saying we should affect something like 40% of all aircraft in the world and cause innumerable airline failures ?
@TransWorld
On which basis do you claim that manual trim systems in other aircraft such as B767 or A330 are flawed the same way as NG’s or MAX’s??? Trim wheels had been miniaturised in new versions of 737, we know that. Do you know something else? If both cars have a 4-stroke gasoline engine, it doesn’t mean that these engines are the same.
Pablo:
Really helps if you stick to facts.
What you do not answer nor respond to is what do we do about all the aircraft (737 for sure) that have that system?
If you ground the MAX for it (certainly agreed if it’s assessed as that serious) then you have to have the balls to ground every other aircraft that has the same setup.
The Trim wheel on the MAX was not miniaturized, it was made smaller. 20%? Have to look but certainly not much if any more.
One is a dog whistle statement the other is factual. In a serious discussion as opposed to bomb throwing it makes a huge difference.
My statements are I don’t know what the 767/757 or the Early A300/310(?) have but they are all mechanical aircraft.
I would be interested in knowing if they did have a different setup or some kind of augmentation to assist the manual trim.
And factually, regardless of the MAX trim wheel reduction, they had to use the yo yo maneuver in 707, 727 and all 737s to relieve pressure on the stabilizer so it could be moved.
And in fact a frozen motor was almost if not impossible to move the manual as well in the NG (the Classic and the Original 737 had two trim motors and I am not sure how that works or does not for manual backup).
So let’s have that discussion of removing all NG, Classics from the fleets if the MAX is not allowed.
I am not against it, but there is a huge impact to be discussed.
@TransWorld
So you don’t know anything about possible issues in B767 or A330 and you are panickily calling to ground them all.
And at the start you are stating “Really helps if you stick to facts.”, well… would be even funny in other circumstances.
Both are manual trim wheels, so what, could be different gearing, different system – not all 4stroke gasoline engines are the same because they are 4stroke and gasoline. I agree that multiple engines on FBW aircraft are a far better solution.
Pablo:
Tell me what it is?
Happy to have someone else wrinkle the facts out for us for a change.
Or do you just throw stuff out with no work –
Pablo, the difference in trim wheel size is about 1 inch out of a roughly 10 inch wheel. So that is a reduction of 10% in the applied manual trim force.
The lever on the trim wheel is about 0.75 inches away from the outer diameter, constant over types.
This increases relative delta. lever changes from 4.25″ to 3.75″
And it is an awkward position to work to begin with.
Rob, You really mean that one has to impose an additional 11% on a 9 inch wheel to accomplish the same force, as you would with a 10 inch wheel, don’t you? Reducing the size of the wheel, increases the effort a pilot has to use to impose the same force. Unless some other part of the pulleys, gears and cables is changed. A smaller wheel is tougher to turn. It offers less mechanical leverage.
Yes, and the reduction is 10%. Torque = force x distance. If the distance is reduced by 20%, the force must increase by 10%.
The wheel size had been about 11 inches, it’s now about 10 inches, if my memory is correct.
Uwe, if the lever distance is 4.75 inches as you say, then the reduction in the wheel size would be irrelevant. I don’t know the exact distance to the crank, but in the on-line photos, the crank is at the edge of the wheel circumference. That would make the most sense as it provides the most leverage.
Getting into the weeds and missing the fact that it’s always been an issue without the yo-yo going back to the 737-100.
The big picture is, enough of an issue to need a fix and if it needs fixed, then every 737 ever made needs a fix.
It’s possible that the manual trim wheel is no longer acceptable under current FAR 25 regulations and standards irrespective of diameter and lever moment arm. Other factors to this are historical increases in stabiliser size and the deletion of a secondary standby electric drive.
It just doesn’t pass the ‘feel right’ test. There are plenty of smaller framed pilots and female pilots so the ‘frame’ of what could be expected from a pilot in terms of physical strength has changed.
We’ll have to see if the grandfathering of the regulations will be revoked. The trim wheels have some 280 million hours of safe flight time in the 737 series, without being involved in an accident, before ET302. That case was clearly due to overspeed, which was itself a dangerous condition, with or without trim wheels.
There has not been an outcry among pilots that the trim wheels are a problem. The main pilot complaint has been banged shins from the handle. Most pilots should have no problems moving the wheels, unless the stabilizer is heavily loaded at high speed.
I would think clear training would be an effective solution, so that pilots understand what could happen with overspeed or severe mis-trim, as well as strategies for dealing with it. Forewarned is forearmed.
@Rob:
“then the reduction in the wheel size would be irrelevant. ”
Think again.
The handle axis is a fixed distance from the outer diameter. Then you change the outer diameter.
Percentage-wise, the lever arm for the handle has a higher reduction (in %) than the diameter reduction (again in %): at the offered size, about 12..13% versus 10% on the rim.
Note that shorter turning levers are overproportionally awkward to use.
@TimM, yes indeed.
I don’t think that Boeing or the FAA are really getting what it is they’d be asking foreign aviation safety agency officials to personally risk, if they’re simply expecting them to take Boeing’s or the FAA’s word that, “trust us, all is well” without solid data to back that up.
I mean, it’s not an FAA official that’d end up in a Chinese court on a negligence charge, is it? They execute people there for gross wilful negligence, especially in the face of a very public disaster (such as another crashed MAX) which, arguably, the government could have prevented.
I’d be astonished if the FAA can come up with convincing technical reasons why recommendations made in the JATR report aren’t necessary, especially when FAA personnel were part of the JATR and signatories to the report (AFAIK). That would take an extraordinary degree of organisational schizophrenia.
Fingers crossed for the EASA / FAA / CAAC / etc. reaching a good consensus on the MAX and its future, whatever that is. If not, the future ain’t looking good for a cohesive world aviation industry, and I can’t see that being good for Boeing at all.
As I’ve said before, Boeing’s best brand has been FAA; it was kinda taken for granted that if Boeing built it the FAA would have approved it. Now that that’s gone wrong, Boeing’s future is tied up with restoring global acceptance of the FAA, and not with anything that Boeing might do themselves.
Boeing still perform a number of test flights after production of the 737MAX, do we know if there have been any issues with those, the software loaded MCAS as certified or the new MCAS software?
Has the training requirement review been done and agreed with different CAA’s? Is the 737MAX formally in a recertification program or just await the MCAS incorporation SB and training program approval before getting FAA OK?
What is the legal / cert position?
Does Boeing actually have leeway what software they load for “displacing” those new builds?
They won’t have done any hardware changes, did they?
List of uncovered MAX issues is quite long but we only hear from Boeing about sudden remedy to MCAS flaws or no simulator training mantra. Good point @TimM – head in the sand.
They will be very lucky if restart production after 6 months.
Did we not suddenly hear of A320NEO stability issues when this got rolling?
You can always find problems, you can also fix them.
It’s just tweaking FBW system of NEO, nothing fatal or real dangerous, a little bit annoying because has to take more care of luggage and passengers allocation. And you know this, and compare this to MAX stability problem anyway.
Pablo:
Same identical problem on two different type systems.
MAX was a software tweak as well. Fatally done yes, but no different.
What you are attempting to do is say the A320NEO is pure as far as stability goes and the MAX is a lethal deranged killer.
You are factually wrong.
The A320 can barely be flown level if all its computers go.
The MAX will fly fine.
And in fact with Egypt 804 we may have seen what happens to an FBW when its computers are taken away.
Central electronics bays are in fact a risk, they of course try to ensure that the systems are isolated, but it’s not a guarantee they in fact are right in their assessment.
I have seen too many paper assessments be wrong. You don’t know until there is a trigger and it’s tested.
Often the assessments are wrong the bad way.
Have they ever set fire to an FBW electronics bay and see what happens?
And in fact, even if they did, there are a large variation in fire propagation that one test proves nothing.
In fact, the 787 got to test its fault isolation and it failed.
Why? The real world (probably a wrench across the phases) was not duplicated the same as was done in the test world.
If it was easy, anyone could do it.
Pablo:
Wrong about training, Boeing agrees its needed now.
Talk about bad timing.
@TransWorld
“What you are attempting to do is say the A320NEO is pure as far as stability goes and the MAX is a lethal deranged killer.” Hmmmm, I never said that. You can’t tweak MAX & MCAS as you tweak FBW aircraft, because MAX & MCAS are not designed as FBW. And MCAS is a band aid for troubled placement of engines where they were never imagined to be placed when the aircraft was designed. Simplifying: MCAS compared with FBW is quite simplified and blind automation with partial awareness, FBW is more like artificial intelligence.
“The A320 can barely be flown level if all its computers go.” I’m always astonished where people drag such stories from. If it was really unstable without computers it would never be certified. You have clearly mistaken a civil FBW aircraft for a military FBW jet fighter, which are unstable by design to gain exceptional maneuverability. I know, you just hate FBWs.
For all of this time I have ascribed error to the response that Boeing has given to the MCAS crisis. Perhaps I am wrong to do so. Is it possible that the number of marginal decisions signed off to update a very old design has tipped the MAX into a cascade of unacceptability. Marginal control surface area, limited computing capacity, over-reliance on undersized trim wheel, repeated single point redundancy, sticking plaster MCAS etc etc.
Each decision on its own was probably acceptable, bring all those marginal decisions together conflating into a miasma of uncertifiability.
Not taking the lid off Schroedinger’s Cat Box was intentional.
The statistical probability of _unintentionally_ lining up all those little oversights is ZERO.
painted into a corner.
The paint is a contact poison. 🙂
That actually is what you get when you shave all margins and then some. You no longer get localized contained damage but the whole thing collapses on cascading issues.
Sowerbob:
There is a galaxy’s width of difference between an architecture that does not lend itself to larger engines on the wing and your statement (red herring).
This is the same successful design that was the original, classic and NG.
Its track record is as good as the A320.
It’s a shame to see deliberate use of smear vs facts.
TW
This is not a smear, it is an observation as to the risks associated with the development of the MAX within the multiple limitations placed upon the design crew by the senior management. I stand by my comment that in isolation such changes are in all likelihood going to be acceptable but each and every marginal decision has a cumulative effect. There are clearly design weaknesses in the MAX that are now receiving more attention. Some are carry overs from the previous models. Could and should the MAX have been better and more safely engineered? The answer must be yes, it was done on the cheap and hurriedly without sufficient consideration.
Sower:
I would call that purely conjecture based on no facts.
In fact we know of two 737MAX issues, one was software, the other was wiring.
All the rest are legacy not MAX.
Argue that the 737 was a crap aircraft, then apply that to every other manual controlled aircraft.
“”I would call that purely conjecture based on no facts.
In fact we know of two 737MAX issues, one was software, the other was wiring.""
I would call your thinking ALZHEIMER
“”Argue that the 737 was a crap aircraft, then apply that to every other manual controlled aircraft.””
How can Boeing criminal self-certifications be applied to others?
It should surprise nobody that the self-certification by Boeing in combination with the time and cost pressure has led to quite a few “easy” solutions in the development of the MAX. I’m 100% sure there will be more “surprise” findings like the cable issue.
2 of 12 steps for re-certification by the FAA after how many months? Zero of how many for EASA?
The FCC issue could prove absolutely crucial in this whole scenario. What if the FAA or the EASA come to the conclusion that this system is overloaded and a new, more capable computer would be required to safely process all the software?
And what if FAA and/or EASA decide that the stability/trims system,… are not certifiable?
If you’d do a proper risk analysis you would probably come to the result that Boeing should not plan with any cash coming in from the MAX over the next 1-3 years. You would also come to the result to launch a replacement asap. Fail that and you open the doors wide for the competition to take all your market share over the next 5-10 years. In my view Boeing can not wait for any new propulsion technology or more economic CFRP-production technology. What they need to do now is to use as many components, systems and infrastructure to develop an NSA with today’s technology in an all-out effort. Such a plane should be a good enough competitor to the A320 family and would of course also outperform the A321XLR. Still, I sadly don’t see this happening. Though they seem to be playing with the idea of the FSA, I doubt that is serious. Also, the title Future Single Aisle implies that they are heading for something very advanced that would take a looong time to develop. Time, Boeing doesn’t have.
Could Boeing be lingering in the aisles, dragging their feet, waiting to get their rubber stamp back?
A major turn about would look “different” afaics.
Could be wrong but are we potentially looking at (minor) hardware changes required, larger horizontal stabilizer, etc?
The recent news about the FAA and Boeing, finding wiring being bundled too closely is nice, but, are they looking at fixing the trim wheel issues? The smaller trim wheel which is the manual backup when the electric trim fails? Could the FAA re-certify the MAX for immediate flight, if they concurrently issued an AD saying that pilots had to switch the electric trim off until Boeing has a fix for the MCAS problems, using only the manual trim wheel for all trim changes? Not unless they had some immediate solution for the high AoA, pitch force requirement. Using MCAS, with no fail safe computers, only two AoA sensors, no OFF switch, no way to differentiate between an Autopilot trim runaway, STS trim runaway, and MCAS runaway, until the pilot notices that opposite elevator doesn’t stop the runaway, dependent on the smaller trim wheel, and quick pilot response time, is a bad design, with not much margin for error. Boeing would need to change their trim runaway procedure. I’d like to see what it would look like. I’d rather they rip out MCAS and either, find an aerodynamic fix, or a stick pusher solution. Airbus has had enough issues with pitch control using Three AoA’s, Fail Safe, FBW computer systems. I want the lack of column pitch force to be corrected by an addition of column pitch force, not by forcing the nose of the aircraft down by moving tail surfaces of the aircraft. You can end up with a QF72 type of “computer glitch”.
=======
http://www.aviation-accidents.net/qantas-airbus-a330-303-vh-qpa-flight-qf72/
=======
Boeing seems to be stuck in the mud, insisting on using MCAS. Trying to get a complex, poorly designed system working is not the solution I’d go with. It’s only compounding the problem. There are too many moving parts, and areas to fail. I’d stick to proven, simple designs that have worked in the past, rather than trying to debug a new concept that is totally dependent on software, running on non Fail Safe computers, with no manual “OFF” switch. For example a stick pusher.
Richard:
What is your approach for NG and any other aircraft that shares this mechanical trim system?
We know it affects virtually any aircraft from the NG back (MDs?, 767? 757?)
While I have said the same thing, what you do not do is deal with the whole issue.
Which is in fact a grounding of all aircraft that are affected by this.
And why did the AHJs allow this (and how did the simulators get hashed that they no longer reflect the issue and why did the AHJs who inspect and certify Simulators not catch it?)
Its easy to throw out hash but are you prepared for the impact this would have?
I don’t know what EASA setup is, but any change in the US is required to also look at the economic impacts (and yes that is subjective between safety and said impact)
Is there really a viable solution? If so what is it?
Anyone can talk about problems, what are the solutions is where the real work begins. Or the willingness to stand up and say, we are shutting down 40+% of the worlds air traffic.
“The recent news about the FAA and Boeing, finding wiring being bundled too closely is nice, but, are they looking at fixing the trim wheel issues? The smaller trim wheel which is the manual backup when the electric trim fails? ”
The change in manual trim wheel diameter is relatively insignificant, since the aero force as a function of speed is many times more than the small torque-leverage involved. In simplistic terms- aero force on stabilizer varies as the square of airspeed. And in either case the awkward position makes anything but very low speed and minimum turns almost impossible without some method of unloading the Aero forces- thus the ancient – old- decades ago mention- training of yo yo or roller coaster method- great if you have several thousand feet AGL and not too many bells, whistles, alarms, blink lights, stick shaker, audio ‘ pull up ‘ at the same time. Even in a sim with expectation and non life issues, many seem to ‘ crash’.
Boeing just announced they will- did recommend sim training for ALL MAX pilots…
The trim wheel issue is not just a MAX item- it applies also to 5000 plus NG. Still seems to be the ‘ That which must not be named ‘ PR.
Bubba, the trim wheels are perfectly operable in normal modes of flight. Many videos of pilots using them on-line.
As you said, the required force increases as the square of the airspeed. At Vmo or above, the force is very high, especially at low altitude.
The yo-yo or roller-coaster method was developed for the case of operating at high speed, at lower altitude, with the aircraft severely out of trim, and no electric trim available. In that case, you have to unload the stabilizer before you can move it manually.
All pilots are trained not to let the aircraft get very far out of trim, and that the more out of trim you are, the greater the risk to the aircraft. Especially for an aircraft with an all-moving horizontal stabilizer.
Rob:
I think we have seen how training and reality conflict?
Regardless of cause, both crashes were cases of where the pilot did let the aircraft get away from them.
There is also the issue of a seized motor you can’t turn the trim wheel in reality.
A key point being it’s been an issue since at least the NG and depending on how the two motor setup was back to the start (707).
Boeing made the assumption that pilots would treat MCAS the same as runaway trim.
It’s not, but they also made assumptions (or cooked the books) on risk of AOA issues.
I call it an open question that needs serious discussion, mitigated by it not having been a crash cause in 40 some years.
“As you said, the required force increases as the square of the airspeed. ”
That is gradual.
BUT:
The required _corrective_ forces strongly increase with applied yoke displacement to counter results from that mis-trim. (reason for the see-saw / yo-yo method of fixing trim: unload jackscrew, change its position, … rinse, repeat)
I do thank you for returning to manual trim. It’s a catastrophic hazard. That means the MAX can’t fly until it’s fixed.
I accept it get buried in all the other issues. But we are watching.
That is actually good for a change.
Now, commit yourself, so we ground every aircraft in the world that is manual and has the same issues?
There are a few points in this article that make me continue to wonder.
Flight testing
Flight testing is going at a snail’s pace with only one airplane certified by the FAA.
We have been told that Boeing have performed 1800 hours of flight test. That raised my eyebrows. Airbus typically do 500 hours of flight testing to calibrate control laws. So 1800 hours was excessive. It suggested to me that Boeing were having difficulty calibrating the control laws. Not surprising, the stabiliser moves at a snail’s pace.
Now we are being told that actual flight testing is only just starting. Three months is far too short.
Dual FCCs
Dual FCCs means one FCC is a copy of the other. So if one FCC fails the other takes over.
We are being told that each FCC shares the processing because the 80286 chips are too small. This may just be a faux pas. Each FCC has two 80286 chips that did run active/passive. Perhaps they are now running active/active.
It may be a faux pas. But if the FCCs are sharing the processing then we are back to a single point of failure. Specifically if an FCC fails then the control laws are gone.
On the basis of this article, the changes to the FCCs are enormous.
Again, three months of flight testing is far too short.
MCAS
The question still remains. Is MCAS required or optional? If required then the stabiliser’s electric motor represents a single point of failure. There is only one motor. That’s not allowed.
Pitch instability
Still no answer to any of it.
The White Elephant. Is MCAS not MCAS, but anti stall really.
EASA wants to check it out themselves, with MCAS pulled, high speed, turns etc.
I would make sure to have sufficient airspace below the aircraft..
keexje, MCAS vs stall warning, vs stall prevention. MCAS operates off of the AoA, and Mach speeds etc. Stick shaker also. Can you have the stick shaker activate without MCAS triggering? In Theory, MCAS will trigger a few knots or a few AoA degrees below stick shaker. But, in a high thrust, pitch up situation, how many seconds are we talking about? Does MCAS trigger immediately after sensing a high AoA for a brief moment, in gusty winds? Or does it compute a time factor, smoothing the wind gust spikes out of the AoA sensors? Can a sudden gust of wind cause MCAS to trigger? Will MCAS trigger for one cycle and then reset, and trigger again in a second wind gust? Or is there a time out between wind gusts? I assume stick shaker is live, so that two wind gusts will cause two stick shaker activations. But, do you want MCAS triggering twice on two wind gusts? Does MCAS immediately reset upon a sudden wind gust or not? Does it move back to the original stabilizer position after AoA is back to normal? If you can’t tell, I’m not a fan of the MCAS concept in order to fix stick forces on the elevator.
Philip:
You make false statements and conjecture, then you twist that into an alternative universe.
MAX Linked Computers: In fact this is way beyond MCAS and in conjunction with going overboard on detail, 1800 hours testing is a whole different aspect (as noted the A320 that has the same issue as the MAX is ok in 500 hours which tells you how simple the problem is/was).
So for 20+ years the 737 has flown with the fatal computer flaw and it’s never occurred. My take is politics raised its head and the FAA is attempting to look engaged.
As the FCC are not the same as a computer in an FBW, there is no direct comparison.
Linking them avoids a failure that has never occurred.
That does not mean that a failed computer crashes the aircraft, it simply reverts to the good one. All it does is mean it is not allowed to depart with one gone.
A320 had a serious flaw that was allowed a 5 year fix period, I loved that, my wife was on one of those. So don’t tell me EASA does not play games.
And further, as it’s a mechanical aircraft, it can fly without any computers.
By the way, if all your computers on an FBW fail it’s barely controlled in level flight and a landing is a controlled crash at best.
How did Airbus deal with the A320NEO instability? (Or is that one man’s instability is another man’s pitch up behavior?) Yup, they wrote some software.
You can be a hypocrite and say it’s not the same but that does not make it true.
TW,
Your post doesn’t make sense. But then you never do make sense.
Philip:
It’s called confirmation bias, unless it agrees with your totally discredited opinion that the MAX is unstable, you don’t see it.
I don’t expect that to change but at least the real facts can be kept front and center for the discussion.
TW,
As always, the other way round. As you Americans say, when you point the finger three point back at you.
With regard to being discredited. The JATR and Lion Air crash report both state the existence of pitch instability. So presumably they are also discredited.
So all evidence is to be discredited if it doesn’t agree with you.
The biggest evidence is that airplanes aren’t grounded for 10 months and counting for nothing. It’s called deductive reasoning.
Philip:
Once again you attempt to make a pitch up characteristic into instability.
If the 737 is unstable then the A320NEO is as well.
In fact, an A320 with no computers is virtually uncontrollable.
Any 737 in fact is fully controllable without its computers.
Keejse:
Clearly EASA is going to check this themselves, that is not remotely new.
Pilots only stall aircraft at safe altitudes (ie with major safety factor for recovery). In any stall for a LCA I would guess 25,000 feet. I don’t have the book but Sutter listed that for the 747.
If you arrange it with EASA I will be happy to ride the test aircraft.
I think MCAS will be a no-go MEL item but if the MCAS is off in flight you are allowed to continue to your destination. Other issues as flight Control wires redundancy, Trim Wheel forces, Electrical wire separations and FCC logic might catch EASA and CAAC attention waiting for Boeing replies.
claes:
MCAS is software. If the computer is not working it’s a no go item.
I think it actually resides in the speed trim computer though.
Not sure if that is a no go item or not.
“We have been told that Boeing have performed 1800 hours of flight test. That raised my eyebrows.”
IMU most of that time spent (1800 hours) is simulator activity? ( Like the majority of published PR pics is CGI 🙂
Then flying up and down the air lanes in the center of the flight envelope “cruise” wouldn’t bring any new information on a feature designed in to protect against excursion at the fringe of the required performance envelope.
Uwe, the radar tracking data for those flights is posted on line, they are doing all sorts of maneuvering, with the wind-up turn being very prevalent.
The 1800 hours is actual flight time, there has been an additional 1200 hours of simulator time, with 240 hours performed by regulators. That was in early December so I’m sure more have accumulated since then.
I think Boeing’s frustration with flight testing is that there is not much more to test until the regulators complete the software audit, and are ready to either begin their own testing, or ask for additional changes to the flight software.
Agreed.
They can only move at the pace of the FAA and the FAA is going very slowly.
It’s a self-inflicted wound but only one aircraft allowed for testing?
If I’ve understood our “proprietor” fully Boeing has yet to provide anything worthwhile for entering any certification activity?
Boeing has submitted the materials needed for the software audit, as of early December. They cannot submit the final form for certification until the audit is complete. They are following the requirements set up by the regulators.
“Boeing has submitted the materials needed for the software audit, as of early December. They cannot submit the final form for certification until the audit is complete.”
So why is Boeing barking at the FAA to certificate the MAX or provide a timeline?
Complete desperation!
Is Boeing too stupid to recognize that MCAS is a stall system?
It seems so.
Muilenburg said “We own safety”, no joke.
Leon, this is your usual rant. Boeing was asking for some degree of certainty, as that has been lacking from the process thus far.
Back in August and September, FAA and EASA were also saying recertification in the December/January time frame, and Boeing obviously did some planning based on those words, which is now undone.
We shouldn’t try to rush the process, but on the other hand it has real costs, and not just to Boeing. But Boeing should have asked privately rather than publicly announcing or predicting RTS.
Nicely designed Catch-22! If Boeing had reported 500 hours of flight testing the criticism would have been that that was too little. Boeing reports 1800 and the criticism is that this is too much and “must indicate other problems” rather than indicating a President or VP saying “I don’t care how much fuel you burn – get out there and test everything at every edge 7 times to be absolutely sure”. Heads you lose, tails you should have lost and it will be so marked. Well done!
Not true. If Boeing had done 500 hours of testing and had concrete positive results verified by multiple regulators I would be jumping for joy.
I don’t want Boeing to fail. They will fail if they continue doing what they are doing.
There’s a great article in the Seattle Times where one commentator made clear that Boeing need to return to their roots as a company of engineering excellence. Could not agree more with the commentator.
sPH: Agreed, not to mention it’s an apples and turnips comparison. One was to solve an A320NEO pitch instability (per Phillip’s definition) vs a whole new computer linkup.
Phillip: You ignore the fact that Boeing was founded by an attorney (you know – Mr. Boeing?) who was followed by another attorney as well, Mr. Allen.
In fact if you actually read the history of Boeing, you will find that major issues were fought over engineering and safety. It never was a slam dunk. I would suggest Joe Sutter on the 747 build and another book called Widebody.
It’s easy to just mouth someone else’s comments, like pitch up and stability, you really need to understand the fundamental aspects of what that does or does not mean.
When they say Boeing needs to go back to its roots, I think they mean back to pre McDonnell Douglas take over/merger.
I found this an interesting read on the topic:
https://www.theatlantic.com/ideas/archive/2019/11/how-boeing-lost-its-bearings/602188/?utm_content=edit-promo&utm_campaign=the-atlantic&utm_term=2019-11-20T11%3A00%3A04&utm_source=twitter&utm_medium=social
Julian:
The point is that if you read Joe Sutter or Widebody, there always has been politics involved in build of aircraft (at Boeing and I assume the same disagreement occurred at Airbus).
Granted it’s speculation, Airbus at least originally would have had a solid base to make sure it was very right.
A350 was well supported in not repeating the Boeing debacle.
In the end early Boeing jets were done right but the margin is not as wide as many think, nor were they perfect as noted by the hand down Manual Trim system.
There were a number of 707 and 727 crashes as Boeing assumed any piston pilot could handle a jet. That was fatally flawed as the handling characteristics are quite different (as was engine response).
My reading was that Boeing had a combination of good luck and engineers who stuck to their guns.
I don’t know how you could create that in the modern corporate world.
Many mass produced products get rigorously tested and fixed (ie you get fast feedback on how you are doing).
You only have one shot with a jet and it’s rare for an all new one.
It should be clear there is a lot of Myth in the Boeing image. Just reading Joe Sutter and Widebody you could see how things could be vastly different.
In fact the first 737 apparently was a severely troubled program, which I had never heard of before.
The 747 has some serious problems that took some real work to resolve and in that case, resistance to re-designing the whole wing and the engineers cheated (per some) and twisted the wing to correct.
Philip & Uwe, Boeing has conducted extensive testing, equivalent to about 40% of the flight hours required to certify a new type. Some of that has been testing MCAS, for which the scrutiny is now intense, and requires many more cases to be flown. There are still more cases that the regulators want to fly themselves. That level of scrutiny is unprecedented.
Some of it has been testing the dual-master FCC re-configuration, which was an extensive change. And I’m sure a large part of it is to make sure they get it absolutely right. I would have the same concern in their shoes, in view of the MCAS 1.0 bungle.
Also I believe they are relying more on real flying and less on the simulator. Most of the software development occurred in the simulator before the first MAX was ever built, which is common in the industry. But now they have the real thing to test. I would do that as well, in their shoes.
So I don’t think testing is a bad thing or an indicator of a smoking gun. But I realize you guys will never agree with that.
Your last sentence is right.
I think you said you were a Web developer. As such you should know there is no such thing as dual master.
In any federated computer system there can only be one master controlling the federation. If the master computer fails then another computer in the federation assumes the role of master.
But thanks.
Philip, the design of peered systems is well established. You can have as many peered masters as you wish. There does not need to be a federated authority presiding over them. That thinking pertains to an earlier time before parallel or peer-to-peer processing.
Federation would be important for distributed tasks, to optimize processing and eliminate redundancy. In this case, there is no distribution, because the computers carry out the exact same functions, for the express purpose of achieving redundancy.
@Rob
“Philip, the design of peered systems is well established. ”
afaics you talk about “high availability Systems” and their failover design.
“fail-safe redundant realtime” is something entirely different.
( Over the years I’ve done hard realtime and railway type “stopped is safe” fail-safe stuff )
Uwe, you’re talking about one thing and I another. Both types of systems exist. There is no failover or handoff in what I am describing, because none is needed. It’s a peer form of redundancy, without formal hierarchy. Which type of system to use is a design choice.
You have to differentiate between flight activity for “testing” and for “showing certification conformance”.
Compare to TransWorld’s misconception about “early certification flights done without MCAS”.
“failed to show ..” does not count towards the process goal.
I had a similar question about the flight control computer. I’m not sure what to understand. What is fact about the computer operating the Max? There were two. One was sort of a passive, back up system. So the proposal was to use it to check data and check the other, creating redundancy where there was none (the Max is competing on the market with systems that have 3 to five separate, modern, independent systems as I understand from this site). But now all of the software modifications have transformed what were two computers into one? Is that what the following means?
“Boeing changes in the software code requiring that both will now be turned on to manage the demand. Both are now required for dispatch; the aircraft can no longer be a Minimum Equipment List item for one unit.”
Does this mean a complete loss of redundancy here?
Answer to your question is no.
Unfortunately when someone spins alternative facts the picture gets muddied for those who don’t understand the fundamentals involved.
The first thing to keep in mind is that the 737 of any type (as well as MAX) is a mechanically controlled aircraft. The computers can all quit and it’s fully controllable.
That is not true of FBW, their fix is to have 3 computers. What no one talks about is what happens if all 3 are shut down?
We hear a lot of talk about separation of systems etc, but the reality is that it all comes together in an electronics bay (regardless of the aircraft). While you can locate the computers in different corners of that bay, if the bay catches fire, you are going to lose the whole electronics system.
Egypt Air lost an A320 over the Med due to fire. Note they had fire signals from a Lav (unknown front or back) and the electronics bay.
https://en.wikipedia.org/wiki/EgyptAir_Flight_804
The MAX computers are not transformed into one, they share tasking, so it’s split 50 x 50 %, but, any single computer running alone is probably no more than 60% (that is a guess based on my work, it could be that with two processors it’s only 300% and any single processor in a single computer can handle the whole ops).
Sharing tasking vs capacity are two different metrics regardless of how unstable Phillip presents it.
And like all 737s, the MAX is a mechanical aircraft and final reversion is direct mechanical control. That is in effect the third computer in an FBW.
The only question not answered is loss of a computer the same as an engine loss where you divert to the nearest airport that you can land at?
Electronics bays are located in multiple different locations. Have you heard of single point of failure?
@TransWorld
I thought that was already cleared to you that computers in FBW aircraft are not in the same electronic bay, but dispersed all over the aircraft, exactly in order if one catches fire (or get hit by bullet in case of military aircraft) others will survive and work.
No, it was made clear there is isolation. There is a huge difference between isolation (computer in an electronics bay located as far away from each other as possible)
Where in fact in a FBW are the computers located?
If you are going to disagree you should present facts, not opinions.
I have yet to read about an aircraft that does not have a main electronics bay and if you actually read the Egypt 804 posting, you would see they mention just one as well.
Here you are, for example:
“Electrical Flight Controls, From Airbus A320/330/340 to Future Military Transport Aircraft: A Family of Fault-Tolerant Systems” by
Dominique Briere, Christian Favre, Pascal Traverse
[12.3.1.6] “The links between computers are limited, the links used for monitoring are not routed with those used for control. The destruction of a part of the aircraft is also taken into account; the computers are placed at three different locations, certain links to the actuators run under the floor, others overhead, and others in the cargo compartment.”
3 DIFFERENT LOCATIONS !!!
Google it pls.
Pablo:
It says 3 different locations.
It does not say 3 different electronics bays.
3 different locations within the electronics bay as isolated from each other as they can get.
Until you have a link with a diagram the verbiage is torn apart and I have yet to read of different electronics bays on any aircraft.
In fact, they are always located forward usually under the cockpit.
You may know that there are also mechanical computers? Some design aspects of 737 controls are such computers with a fixed program.
Fly by wire does not need a computer in between (called “direct law” on an Airbus). You have one system translating input in signals, then a wire and at the end another system decoding the signal for the actuators. The computers in between are for smoothing the ride. Just like the mechanical ones on a 737 e.g. speed trim.
Fly by wire is just a different system to move your control surfaces than cables but far more easy to adapt for different situations.
MCAS is an additional system not required for a fly-by-wire system because that’s what fly-by-wire already does.
RealSteve, the reporting on the FCC being too slow or unable to manage the demand, is incorrect. I think Scott may be referring to the original reporting from June.
Since then it’s been corrected to state that the issue was uncovered during cosmic ray testing, where bits within the computer are intentionally flipped to simulate the effect of a cosmic ray strike in flight, at altitude. This means that the computer’s internal state is changed without any change in input, to see if the output will change.
After the MAX accidents, the number of simultaneous bit flips in testing was increased to 5, and they were also concentrated in the horizontal stabilizer circuits, in an attempt to force MCAS 1.0 behavior. This was successful, they triggered un-commanded stabilizer movement and pilots then needed to recover. All but one pilot did, but the margin of safety was deemed too low. Boeing was asked to increase the margin of safety.
Since the error is undetectable from outside the computer, apart from the resultant problem it causes, the only way to increase the margin is to have another computer monitoring and replicating the results of the first. In the Airbus FBW system, the two other computers could outvote the one with the flipped bits.
In the Boeing system, there are two computers so they instead work as dual masters. Depending on the error, the computers working together decide the outcome. In some cases they may be able to handle it internally, in others they may alert the pilot to the issue and do nothing. But the main thing is, they won’t create an un-commanded movement for the bit-flip issue.
So as dual masters there is still redundancy. Each computer has redundant processors, but if one were to completely fail the other would continue without backup, except for its own internal redundancy.
Prior to this change, the FCCs rotated for each flight, with one serving as primary master and the other serving as secondary backup.
@Rob
“reporting on the FCC being too slow or unable to manage the demand, is incorrect” it is correct, the flaw has been discovered by FAA few months ago, and still actual, at least neither Scott, neither I heard about ready to go fix. Where from you are drawing your “facts”?
Opposite. With dual masters computers and lack of third one on board there is no redundancy. Don’t mislead. Computer in modern era aircraft consists of two separate inside units but are one computer, at least by everybody in aviation industry it is counted this way, apart you @Rob somehow.
You are giving PR made smooth synthesis based nor facts nor technical knowledge, I would say based on half-truths.
Pablo, we’ve been over this numerous times before. Here is the link as has always been presented in the past:
https://www.seattletimes.com/business/boeing-aerospace/newly-stringent-faa-tests-spur-a-fundamental-software-redesign-of-737-max-flight-controls/
I realize this is a long article with many technical details, but if everyone here could please read it, we could lay this issue to rest once and for all.
For those unwilling to do this, here is the relevant soundbite:
“He added that early published accounts of the fault suggesting that the microprocessor had been overwhelmed and its data-processing speed slowed, causing the pilot-control column thumb switches that move the stabilizer to respond slowly, were inaccurate.”
Is Scott Hamilton presenting new updated reporting or old, flawed reporting on the type and capacities of the computers in the 737 Max? Rob can’t be the only one who knows the basic facts about the two computer systems in the Max. What are the basic facts here? I’m not in need of opinions, but a strong fact that shouldn’t be up to conjecture.
RealSteve, if you read the article above from last August, that should answer your questions. Scott was following the earlier reporting on this issue from when it first arose in June. I still see that being quoted in different places, because on the Internet, information lives forever.
If I was engaging in conjecture, I would be clear about that. I don’t believe I am in this case, but you can read the article and decide for yourself.
@Rob
Are you listening yourself?
You invented “a fact” that Boeing already fixed problem with FCCs of MAX, however nobody heard about finalizing a fix. And as “a proof” to invented “fact” you are citing a press article from half a year ago about discovering this flaw.
You are so pro-Boeing that you are inventing things. Stop misleading.
It’s also very hypocritical that you accuse on left and right others for not being factual, and obviously you are not factual, even close.
Boeing is still working on the FCC fixes, as of last week.
Rob doesn’t know anything about computers. He’s proven that in his posts. I’ve begun to address it below. But it’s a long conversation.
I never said the FCC solution was in final form, I said that the audit was in progress. The audit could not begin until there was something final enough to audit. Boeing could not do extensive testing unless they had something final enough to test.
The article and my statements stand on their own. They are not an invention as they are supported by fact. If any of you disagree, you are free to give your reasons and evidence and facts for discussion. None of you have done that.
Accusations and insults are not evidence. I have not defended Boeing, I have offered facts and explanation to get at the truth. You are all welcome to do the same. I’m open to other positions, but there has to be some basis for it. I don’t see that in your responses.
Pablo, in the previous column you made blatantly false statements about the altitude of ET302. When I gave you the proof from the preliminary report, you denied it. You are doing that same thing again here. That’s not an attempt at informed discussion.
“Boeing is still working on the FCC fixes, as of last week.”
My God, how can Boeing ask for certification or even suppose RTS when they didn’t finish fixing?
No @Rob, you exactly said there is a final fix, for example:
“reporting on the FCC being too slow or unable to manage the demand, is incorrect. I think Scott may be referring to the original reporting from June.”
“Since then it’s been corrected to state that the issue….”
You can deny however you want. You just invent “facts” to match your pro-Boeing synopsis.
A week ago you claimed that KC 47 / B767 is a FBW aircraft ! Ups..
Go back pls to posts about ground level around Addis Ababa and read them again.
Pablo, you’ve misunderstood what I said, and not for the first time. I know that English is not your first language, so let me try again.
The “it’s been corrected” was not in reference to the final form of the FCC software, which is still waiting on the audit. It was in reference to the reporting that the FCC lacked the needed performance or capacity. That reporting was incorrect, and has since been corrected.
On the KC-46 FBW issue, I made a mistake and admitted it in that forum. But my basic point, that MCAS was very different on the KC-46 than the MAX, was correct.
To make a mistake and accept correction, is very different than making untrue statements and then defending them as true. The ground level at Addis Ababa has no relevance to the flight data recorder radar altimeter data of ET302, which was well above 5,000 feet AGL and not 1,000 feet as you said.
Also you have still not offered any evidence or facts to refute either the article I quoted, or my matching statements. You’re welcome to do that at any time.
Huge mistake @Rob, mistaken FBW aircraft with FBC one, and you didn’t admit, just tried put things upside-down in twisted way.
Stop inventing stories and we will be good. If you don’t have a knowledge don’t try to shine. Listen to others.
It became very off topic so I end it here.
PS. ET302 almost touched the ground when MCAS activated because ground level rises around and struggled to gain real altitude in spite of the lots of thrust in engines.
Pablo, your statement is again false, the minimum altitude was 1,000 feet, not the maximum, and represented a descent of about 1,000 feet from about 2,000 feet.
That is consistent with the normal procedure of flaps up around 1,000 feet, with subsequent MCAS activation, temporary descent, and recovery to resume climbing, eventually rising above 5,000. This is all AGL based on radar altimeter.
Simplifying, 737 were flying with 1st computer switched on, and 2nd switched off as backup, but those computers were crosschecking each other. Pilot was manually switching on/off 1st or 2nd at his will or when he saw that one computer failed. And that was totally fine, because 737 is not FBW, is only automated steel cable aircraft. But now both computers needed to be switched on and crosschecking each other, and because there is no third computer on board a question arises – where is redundancy? where is backup?
I believe that is incorrect.
Both computers are on, one is in standby until the standby computer’s pilot’s position has been switched to Active.
the non flying computer then went to standby.
It takes computers time to boot up so it makes less than zero sense to say it’s off.
Error, shall be “Simplifying, 737 were flying with 1st computer switched on, and 2nd switched off as backup, but those computers were NOT crosschecking each other.” My mistake :/
Now both computers are ON and crosschecking.
Checker and failover switcher is the crew.
PF: my stickshaker is active yours is not.
flight attitude is sane.
your side has it!
IMU 737 flight data and stuff is a bifurcated design.
This worked as long as the electronics suite is aid and not actor.
MCAS introduced strong execution powers to an unreliable and unchecked “system lobe”
not mentioning MCAS frustrated my top line function:
“Checker and failover switcher is the crew”.
Steve,
The physical set up is two FCCs each with two CPUs. I think the two CPUs within a FCC are now sharing the processing, so the loss of a CPU causes the FCC to be lost.
The two FCCs will be in a master/secondary configuration. If the master fails then the secondary assumes the role of master. If the secondary fails, then the master continues.
There is no such thing as dual master. Think about it. If the first master says move the elevators 10° but the second master says move the elevators 20°, what happens. Do the elevators move 10° or 20°?
This is why Airbus have triple computers. It allows voting. If two agree, then the two win. But there is one master and two secondaries. The master receives the calculations of the two secondaries. It also performs its own calculation. The master then compares the results for the purpose of voting.
Basic computer science
Philip, this is quite completely and spectacularly wrong. Please see my post and link above for the true story, as explained in a technical article quoting many experts, in the Seattle Times.
Please note that I would not have posted what I did without thorough research and acquiring some understanding of the topic. I realize that is not required by Leeham for people posting here, but it wouldn’t hurt to do a basic fact-check of your views before you post.
Nice work Rob.
I have started to file the links in a folder.
Memory is not a good thing to rely on and it makes the point of facts vs fiction.
Your methodology is superior to mine for sure.
I tend to get the overall right but the details can be wrong and in this case, details are extremely important.
How much force the Trim wheel has is really not as the Yo Yo was required even before.
Should that have been allowed? That is certainly a good (right) question to ask as is:
Why Did They Not Address This before certification of NG or sooner?
I assume EASA was aware of the history of jet aircraft flight controls as would be the Chinese etc.
Philip:
Once again you present alternative facts.
It’s not why FBW has 3 computers. The 3 computers are to replace the third backup redundancy of mechanical system.
The FBW has a similar fall back, if one computer is voted out, then you have reverted to a 737 like Master Slave relationship.
It’s actually called a master slave relationship, both are hot and on line, one is controlling, if one fails the other takes over.
And a test: What happens if the last two computers still working disagree? How do two computers resolve that?
@TransWorld
Here are the answers for you:
“… each computer is divided into two physically separated channels (Figure 12.5). The first one, the control channel, is permanently monitored by the second one, the monitor channel. In case of disagreement between control and monitor, the computer affected by the failure is passivated, while the computer with the next highest priority takes control. The repartition of computers, servo-controls, hydraulic circuit, and electrical bus bars and priorities between the computers are dictated by the safety analysis including the engine burst analysis.”
“Each computer can be considered as being two different and independent computers placed side by side (see Figure 12.5). These two (sub)computers have different functions and are placed adjacent to each other to make aircraft maintenance easier. Both command and monitoring channels of the computer are simultaneously active or simultaneously passive, ready to take control. Each channel includes one or more processors, their associated memories, input/output circuits, a power supply unit, and specific software. When the results of these two channels diverge significantly, the links between the computer and the exterior world are cut by the channel or channels which detected the failure. The system is designed so that the computer outputs are then in a dependable state (signal interrupt via relays). Failure detection is mainly achieved by comparing the difference between the control and monitoring commands with a predetermined threshold. As a result, all consequences of a single computer fault are detected and passivated, which prevents the resulting error from propagating outside of the computer. This detection method is completed by permanently monitoring the program sequencing and the program correct execution.”
“The system incorporate sufficient redundancies to provide the nominal performance and safety levels with one failed computer, while it is still possible to fly the aircraft safely with one single computer active.”
You can google it and read yourself – the source is the same as I posted somewhere above in response to your doubts about placement computers in different locations (there are 3) in FBW airliner as A320.
Philip there are two cases here. One requires three computers and one only 2.
The first case is the Airbus one where the system controlled by the computers is critical to flight, and the system must be able to make a decision (i.e. a redundant design is needed). In this case you need 3 computers. This way if one generates the wrong results the other two can out-vote it and take the correct action.
The other case is where the system is not essential to flight but it is imperative the wrong action not be taken (a fail safe design is needed). This is the MCAS situation. In this case you need only 2 computers. This way a failure of one can be detected, though the correct action can’t be determined. But since the system is not essential to flight if there is a disagreement between the two it is sufficient that the system disengages (fails in a safe way).
Having two computers controlling MCAS is not to provide redundancy, it does not. But it can prevent the wrong actions being taken based on a single point of failure.
Jbeeko, this is a good summary and captures the difference well. In Boeing FBP system, the pilot has full authority. With Airbus FBW system, the computers have full authority.
Only thing further I would add, is that with the 2 computer dual-master system, there is redundancy, as if one computer fails, the other will continue, but without backup or being checked. So this solution achieves cross-checking without losing redundancy.
Jbeeko,
This is what I want to find out. Is MCAS essential to flight?
Non essential (secondary) control systems can use two computers. I’ve always said that and always will. But there is still a master and a secondary.
Anyway, can’t argue with your post.
To Rob,
I’ll be kind to you and explain peer to peer. Peer to peer still has a controller, a coordinator. The controller, the coordinator, the master can be external or internal. If external, it’s typically called a server. If internal, the control, coordination, the decisions of the master are embedded in a peer. The terminology is to say a peer is designated as the master.
The internal form is always used by airplanes. But one or other must be used.
Philip, peer systems don’t require a master, that’s why they’re called peers. Peer means all the same. Or if you prefer, they lack a hierarchical structure. You could instead define it as a mesh or ad-hoc structure.
You can add a master to the peers if you wish, but then they are slaves to the master, although possibly still peers to each other. And you’ve created a hierarchy.
A dual-master means both are active at the same time, and cross-check the other. Results are sent back and forth across one or more data channels reserved for the cross-check purpose.
Imagine two students doing homework together. Each does their own work, but they compare answers. If the answers agree, they have confidence they are right. If they don’t agree, they ask their professor to resolve the disagreement. But neither has mastery over the other. And in our case, the professor is the pilot.
In the Windows Server operating system, there once was a designation for primary and secondary controllers. Now that distinction is gone, there are only members of the controller group. Any one serves as the controller and any one can go off-line without upset.
Network routing also works this way. Routers determine the shortest upstream route for the next step to the destination, but don’t need to look further ahead than that. There is no master telling them how to route. There are more advanced routing protocols that optimize by looking a lot further ahead, but they are still implemented on a peered network of routers.
Rob,
I’ll reply at the bottom.
Rob,
This may be a part of why BA have now recommended training.
In the dual master scenario, where the ‘professor is the pilot’, when the two computers disagree, the pilot needs to know what to do. If it’s to follow a checklist, they need to follow the correct one.
It will be interesting to see the logic, and course of actions if for instance an AOA sensor is sending faulty data to one FCC, and the decision is handed to the pilot.
1) Flying straight, and level in clear sky, be aware MCAS is not functioning, continue to destination, and remedy, or will it be land immediately at nearest alternate.
2) Aircraft encounters high angle of attack when maneuvering to avoid some obstacle or encountering severe wake turbulence, FCCs disagree handing the decision to the pilot. Training required so that pilots understand the ‘feel’ of the yoke is not the same as NG series aircraft, and will be aware of the possibility of entering stall if the pitch attitude is not managed correctly.
Personally I think it’s essential that all MAX pilots have realistic simulator experience of the ‘feel’ of the yoke at high AOA with MCAS off if they are to have the final decision if MCAS is disabled in flight.
There will be the statistical argument that the pilots should never be in that area of the flight envelope (but then MCAS wouldn’t be needed), and that on top of that, statistically how often would MCAS have failed, and the pilot been landed with the decision process. Unfortunately statistics sometimes fail in real world conditions.
I still don’t understand the logic of managing what may be a relatively minor (trainable) issue by adding a system that if it fails increases the hazard of the original issue very significantly.
As training is now going to be required, and the issue MCAS is there to manage could potentially be dealt with in training, why not remove MCAS entirely, and certify MAX pilots with an additional sub-type.
Creating a precedent to the pitch moment curve regulations I think is a red herring, FBW aircraft are now / will be the de-facto standard way of controlling aircraft. An exception could be made for the MAX.
You will no doubt recognise the phrase “Simplify, simplify, simplify!”
@jbeeko
If MCAS is not essential 2 FCCs are enough, of course, but if it is – the big problem arises, if one FCC will fail you are in proper danger.
EASA will check it out in live test flights and we will know – is it a “stall protection like or similar primary system”, or just “comfy cruise control”.
JakDak, I agree. If the pilot has full authority then training is critical.
Some disagreements might be handled in software, with an alert to the pilot but continued operation. But most will result in turning over to the pilot. That was the case before as well, so is nothing new.
MCAS should never have created a hazard, and should not now. The tanker version is not viewed as a hazard. We’ll have to see how the new version is viewed by the regulators.
@Rob:
“as if one computer fails, the other will continue, but without backup or being checked.”
You lack topic comprehension.
Who is to decide which one failed?
As I wrote before this is not a high availability setup where you have a pool of takers and one dropping out passive just reduces the pool.
Here you have one channel doing the expected thing and the other making an error (which could be minor or insidious).
The only safe statement from the outside is that the combo of those two is defective due to mismatch of output.
You at least need a third voice to get at the false ticker.
Same for sensors. Two sensors for the same observation can tell you OK(+value) or BAD().
Again you need a third source to vote out the bad source.
Redundant inputs like described break on common mode defects (like all frozen).
Uwe, the pilot decides, is the third voice.
Common mode failures occur for the Airbus triple sensor system as well. On Flight XL888, two of the AoA sensors froze at the same angle, they outvoted the third sensor so that the computer ignored the good sensor and the aircraft crashed.
Same thing happened again on Flight LH1829. Luckily just an upset and no crash that time.
For any system design, there can be scenarios for which it fails. I think having the pilot alerted and deciding is as good an option as any.
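The two arrangements argued over in this thread (a two-channel compare that disengages on mismatch, and a three-channel vote that excludes an outlier), replayed with one and with two frozen angle-of-attack inputs. This is an added illustration and not part of any commenter's post or of any aircraft's software; the threshold, the readings and all function names are constructed assumptions.

```python
"""Added illustration of the thread's two architectures (all values constructed)."""
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Sequence, Set, Tuple

THRESHOLD_DEG = 2.0                    # assumed disagreement threshold, not a real aircraft value
FROZEN_AT_DEG = 4.0                    # constructed: value a frozen vane keeps reporting
TRUE_AOA_DEG = [4.0, 6.0, 9.0, 12.0]   # constructed: true angle of attack rising


@dataclass(frozen=True)
class Decision:
    value: Optional[float]             # value passed downstream, None if disengaged
    engaged: bool                      # is the automatic function still active?
    alert: bool                        # is the crew told about a disagreement?
    excluded: Tuple[int, ...] = ()     # indexes of channels voted out


def duplex_compare(a: float, b: float, threshold: float = THRESHOLD_DEG) -> Decision:
    """Two channels: a mismatch is detectable, the faulty side is not identifiable."""
    if abs(a - b) <= threshold:
        return Decision((a + b) / 2.0, engaged=True, alert=False)
    # Fail passive: stop acting and hand the decision to the pilot.
    return Decision(None, engaged=False, alert=True)


def triplex_vote(values: Sequence[float], threshold: float = THRESHOLD_DEG) -> Decision:
    """Three channels: mid-value select, excluding a single outlier."""
    if len(values) != 3:
        raise ValueError("triplex_vote needs exactly three channel values")
    mid = median(values)
    excluded = tuple(i for i, v in enumerate(values) if abs(v - mid) > threshold)
    if len(excluded) >= 2:             # no two channels agree: nothing to vote with
        return Decision(None, engaged=False, alert=True, excluded=excluded)
    return Decision(mid, engaged=True, alert=bool(excluded), excluded=excluded)


def replay(frozen: Set[int], channels: int) -> List[Tuple[float, Decision]]:
    """Feed the rising true AoA through 2 or 3 channels, some of them frozen."""
    out = []
    for truth in TRUE_AOA_DEG:
        readings = [FROZEN_AT_DEG if i in frozen else truth for i in range(channels)]
        decision = duplex_compare(*readings) if channels == 2 else triplex_vote(readings)
        out.append((truth, decision))
    return out


if __name__ == "__main__":
    cases = [
        ("triplex, one frozen", {0}, 3),      # outlier voted out, output stays correct
        ("triplex, two frozen", {0, 1}, 3),   # the good channel is the one voted out
        ("duplex, one frozen", {0}, 2),       # mismatch detected, function disengages
        ("duplex, both frozen", {0, 1}, 2),   # channels agree on the wrong value
    ]
    for label, frozen, n in cases:
        truth, d = replay(frozen, n)[-1]
        print(f"{label:20s} truth={truth:5.1f} output={d.value} "
              f"engaged={d.engaged} alert={d.alert} excluded={d.excluded}")
```

With two inputs frozen at the same value, the voter excludes the healthy channel and the comparator raises no alert at all, so neither arrangement detects a common-mode fault by itself.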
Rob,
I’m afraid what I said is in every walk of life and in every science. Even if you do have voting, you need something to collect the votes. That something is the master. But you can’t have voting with only 2.
So if the first FCC wants to go left and the second FCC wants to go right, who wins if both are the master?
The master means the controller, the coordinator the ultimate decision maker, the ultimate authority etc.
If there are two masters with ultimate authority who wins if there is a disagree?
There’s one president, one commander in chief, one chief engineer, one chief scientist, one chief physician etc.
You use the term peer to peer. But something must coordinate the peers. That something is the master.
Or, do your peers just do their own thing without any control, coordination and so on? It sounds like how the MAX was built and flies. No control, no coordination in building and no control, no coordination in flying.
So you are spectacularly wrong. But you have identified why the MAX is the MAX. No control, coordination and so on.
Philip, the pilot is the commander. The dual-master is not a voting system, there are two results for every outcome, and either they agree or they disagree, so the comparison is a binary result.
Dual-master agreement constitutes either good data, or a highly improbable identical error in both units. So the flight control decision can proceed.
Dual-master disagreement, that is not a recognizable condition in the disagree matrix, does nothing and alerts the pilot. Pilot takes control and makes the decision. Boeing is fly-by-pilot. Pilot has full authority.
There is no dual master. It’s a fallacy. I explain below.
Well, I worked with a PLC system in which there were two masters.
One was Primary (and I was wrong, the other was backup).
We had two failure possibilities. The Primary detected a fault in its systems (self monitored) and dropped out, the backup took over with no loss as it was active but not in control.
We could force a swap by removing power.
The reality is that how they did it is deep into programming and how you detect a fault.
We did not have 3 with two out of 3 voting.
This is a standard setup in a high priority and critical application.
Anyway – it is nice to see that huge corruption seems to end.
It is a textbook case of where corruption leads to.
“end of (legalized) corruption”
Iran needs money and wants to sell some ancient cultural sites on short notice.
Interested?
I of course meant in this specific case – not in Congo or elsewhere.
Great informative article.
Good that only one plane will be used for flight testing. I wonder if FAA/EASA use security personnel to watch this plane at night.
I thought the FCC was fixed long time ago, unbelievable. Will fixing it need another audit?
At least Boeing can start to fix the wiring issue on 800 planes.
Sim training. It seems the FAA is checking well and is doing its job. Will airlines cancel MAX orders because sim training is expensive? I wonder how the contracts are worded with the promises Boeing made.
Of course Airlines will cancel all MAX orders due to Sim required, then go to wait in line for an A320, in 5 years if they are lucky!
Less waiting for A220? Less for C919???
We can expect some cancellations of B737 MAX but some airlines are too much stuck in to make it.
At 600 orders-in-hand, and Airbus/Bombardier just getting up to 50 aircraft delivered per year (and 500 more to go) the A220 might have a wait greater than five years, unless the Mobile plant is pretty fast.
About 400 firm orders. Still, it’s a long wait while Airbus works on increasing the production rates.
A Failure Condition being classified as CAT has enormous impacts in the architecture for compliance with EWIS, HIRF, EMI, and 25.1309 rules. Analysis of physical segregation to avoid common point faults is highly scrutinized by authorities nowadays on new projects. With some focus, without trying to find shortcuts, Boeing can get all this done. It is not a 7 headed hydra.
Overall Boeing has been appalling at forecasting anything. I don’t see how they can resume production in 60 days, at this point I can barely see them resuming MAX deliveries in 60 days
Mark:
In this case it’s just a moving operational point that will change daily if the certification is not moving ahead the way they think it should.
Internally they need to be watching two or 4 months ahead so that they can start to trigger supply and production ramp up if it’s approved.
Taken out of context it’s just a red herring.
I don’t have any sympathy for Boeing and what they put themselves into but it is just a standard aspect of business keeping a look ahead and seeing if things are progressing and you simply push the date ahead if you see they are not.
It’s possible that the logjam breaks tomorrow and things start moving. If the managers are not looking ahead and they get caught with their pants down they are going to rightfully get dinged or fired. It’s their job to keep an eye on it and be ready to move when they can.
We don’t know why the FAA is only allowing one test aircraft so the data set for understanding what is going on is simply not there.
You miss the fact that there were a number of MAX aircraft delivered.
They are parked. All they need is software load and some flight testing (having sat for a while)
Biggest initial holdup will be Sim time if needed and pilot scheduling.
Then there are hundreds of built and parked but not delivered aircraft that have to go through the full delivery process.
As there are only so many flight test pilots and the delivery centers have only so many trained people, that will take some time.
Boeing will hold production until they see the backlog cleared or clearing and the normal delivery times are available.
In short they will try to mesh the two aspects of built and non delivered and new production.
Call it Kentucky windage in trying to mesh it all.
Are they delivered as in the title has changed hands? I don’t really see why anyone would do that since they have to pay finance, parking and incur depreciation. In fact Boeing has a GIANT lot full of 2019 models and will take a haircut on them…
Mark:
We have had two crashes of MAX aircraft.
From memory there was something around 200 that were actually delivered and belong to the airlines.
So there are two categories.
1. Delivered and owned but parked that can be got going soon.
2. Not delivered, painted, but not flight tested (moved to Moses Lake etc but not tested) let alone any other transfer to owner activity (which includes the legal paperwork with payments, checks, credit cards etc that has to be done and done right).
This is what Airbus says about the delivery process; I’m assuming Boeing is very similar
https://www.airbus.com/aircraft/how-is-an-aircraft-built/delivering-to-the-customer.html
1st day: ground checks: external surfaces, bays and cabin visual inspection, static aircraft system and cockpit checks, engine tests.
2nd day: acceptance flight: checks during flight of all aircraft systems (including cabin systems) and aircraft behaviour in the whole flight envelope.
3rd day: physical rework or provision of solutions for all technical and quality snags open in delivery.
4th day: completion of technical acceptance. Technical closure of the aircraft and all associated documents attesting the aircraft’s compliance to the type certificate and conformity to the technical specification allowing the issuance of the Certificate of Airworthiness.
5th day: transfer of the aircraft’s title deeds to the customer airline: the aircraft changes owner. Preparation of the aircraft for the ferry flight to its home base.
This is a bit old (2004) but it describes the 737NG pre delivery process including the customer handover. Would be shorter time period now as the production rate (was) so much higher
https://www.boeing.com/news/frontiers/archive/2004/february/ts_sf.html
What is the timeline of resume production relating to first revenue flight of return to service? Before, same time, 3 months after, six months after? I could see a 7-1-2020 RTS and 10-1-2020 resume production.
Boeing will get certification approval first.
Production resumption has nothing to do with RTS, that is a matter of the produced aircraft meeting the requirements.
Clearly one is the software update which should be fast.
Another is ops testing of each aircraft.
Another is Sim time for the pilots and scheduling by the Airlines.
Another is Boeing personnel to do the software load.
If an airline wanted to move fast and they had a delivered 737MAX you could have RTS within a week of certification if Boeing could do their end.
Not likely due to scheduling aspects of the pilots and sim time.
But if someone is desperate for aircraft capacity they could make it happen quite quickly.
Scott
You state that it’s the same FCC as used from classic days. Is the integrated air data system separate from the FCC? In Dominic Gates article of October 2nd, he quotes Carlos Ruelos about the proposed synthetic airspeed software that he wanted to put into the MAX. Ruelos said that the MAX had a new integrated air data system that had more computational power than that installed on the NG. Hence it was a good fit for synthetic airspeed until it was denied due to costs and training ramifications.
Steve, the ADIRU units are separate from the FCC. The synthetic air data would either be generated from within an existing ADIRU, or perhaps another ADIRU would be added, if the synthetic data were treated as a third set of instruments.
The technology in the ADIRU can be moved forward more readily with each generation, because it just pre-processes air and inertial reference data for the FCC, it doesn’t make any flight control decisions. So it very well may have sufficient processing power in the MAX.
The synthetic air data is an interesting development and I hope it continues to successful implementation. One of the hurdles is discontinuity in output, the synthetic data can jump rapidly from one value to the next, in a manner that physical instruments would never do. Computers don’t respond well to that, so there needs to be some intelligent smoothing interpolation if that happens.
Obviously a pilot would respond to that much better, he/she would understand the discontinuity as an artifact and would be able to reason out an approximate value. So we might see it implemented first as a non-control third set of instruments.
Rob
Thanks for the clarification! I forgot to mention that the Dominic Gates article stated that the 787 is the only Boeing aircraft with a version of synthetic airspeed.
@Ted
Nobody knows. Everyone is guessing and saying simultaneously that they know.
Not me:
I don’t know.
Am I not part of everyone?
Sorry, but you can be quite irritating….. Scott gives you too much freedom with your ongoing commentary. I look forward to the inputs from professional folks, but you keep on chiming in just to make noise, IMU. Sorry Scott, telling it as it is.
No need to bring Scott in.
I am fully open to criticism.
I believe I am vastly more professional and technically informed than many commentators but don’t disagree you are fully allowed and encouraged (by me as well as Scott hopefully) to express that opinion.
No need to apologize. I do like to throw out what I think are funny remarks from time to time and some or many may not find them so.
And a new build rate of 23/Mo once the plane is flyable for at least the next year.
Reporting is that Boeing is meeting with regulators this week in Seattle to discuss the software audit results thus far, then they will return to Collins in Cedar Rapids next week to continue the work.
So there has been progress, but I suspect it’s a large undertaking and undoubtedly they will find some things to correct. That shouldn’t surprise anyone. I’ve worked with many auditors, both financial and IT systems, they always find something and have recommendations for improvement. That’s just in the nature of an audit.
My world was the application of software of making machinery work.
No lack of good faith by the good techs, but there always were problems.
Fully agreed there are iterations where you test, it’s questioned, if a problem is found you correct and test again.
That in fact is a fully healthy process and what should be occurring.
I for one am perfectly happy they are doing so.
It’s a major change that deserves full attention as opposed to the obvious fixes that MCAS needed.
I also think it’s totally unneeded, 737s have been flying for 40 years with that system and it’s never been an issue.
I would prefer that they address real issues (Manual Trim is one for sure).
A worst case scenario is the FAA insisting on fixes to existing NG 737’s based on their Max testing. While a 737NG grounding is inconceivable, a selected timeframe will likely be given for Boeing and airlines to effect the fix.
I predict further complications for 777X testing as well, as previous practices of grandfathered rights may have to be shed for more comprehensive testing as if the new planes are new from the ground up.
Curious to know – just how does a radio station publish a graphic?!
I’ll get my coat…
Well, if Philip can use his imagination you can too!
@TransWorld
You felt better now? Maybe you would like to stick with arguments, aviation ones, instead of personal excursions?
@Matthew: On its website.
@Scott, sorry Scott, I couldn’t resist. Here in the UK on BBC Radio 4 there’s frequent jokes about how well something visual works on the medium of “radio”. Apologies for lowering the tone of this site of excellent analyses.
I thought it was funny as well as good comic relief despite it being a serious subject.
How far are the current travails of the Max away from the Comet tragedies of 65 years ago — one more fail and then it is curtains for the model?
At the moment it looks like the Max is the Comet in slow motion — lots of happy talk about a quick return to service but behind the scenes all hell seems to have been let loose with no end in sight.
Possibly all a bit tabloid but when does the Max bring BA down?
Six months production shutdown?
Twelve months … ?
And what will be BA left with when it does make it back into service — a cashflow crisis as deposits have to be refunded?
BA was an emperor without clothes.
The Max is a facelift too far — pilots sitting in the same seats their grandfathers sat in.
The NMA is a dog that would win Crufts — no wonder they couldn’t get it to fly financially. It would have come second to a Super Sixty re-visit.
B787 is going the same way as the B707 and the B727.
Sell the sizzle and flood the market with them to keep the good times rolling and to hell with accounting credibility and passenger comfort.
B7double7 — great plane being destroyed by crush-a-pleb economics up the back and a stretch too far.
Peak BA — engineering led not share price driven was the B7double7 platform.
Before was tri-jet nonsense and little competition.
After was moon-shots and cash cow slaughter.
Hurricane Harry — to shut down one company was unfortunate but two is beyond belief.
Don’t hold back
@Fat Block on Tour.
Despite my serial serious doubts about the future viability of Boeing, I have little doubt that should it become non-viable as a trading company the US government will step in and take over, at least financially. The company is simply too important economically, strategically, tactically, and hence above all else politically important for it to fail.
To restore Boeing to normalcy will likely require taking the entire company to pieces and starting again, just to get it to the point where it’s taking a sensible approach to how it goes about specifying, designing, developing and building aircraft. Only then can they actually begin work on a new product portfolio.
So what it may really come down to is,
1) If it becomes necessary, does the US government and political establishment have the financial willpower to see this process through, no matter what the cost, no matter what political changes may be required? If they flinch momentarily, that might be terminal for the industry.
2) Is there actually any person inside the US who is capable of heading this transformation up?
This second point is important because if they simply replace the current failed management with another crop of people of a similar background, that too is going to fail. What they need is a company ethos that is untroubled by concerns about share price, cost efficiency, production rates, etc. I’m not convinced there’s anyone left who can instill such an ethos, or even knows what that feels like.
Off hand the only organisation that I can think of that has the right kind of approach is Toyota (or another large concern that follows the same principles). Thing is, US companies / industry leaders have a reputation for not doing things the Toyota Way. There’s lots that *claim* they’ve adopted Toyota’s approach – even Boeing do – but the results generally end up speaking for themselves.
For the record, Toyota’s secret is that they know how to train people to train people to train people to develop designs and run factories, the difficult bit being that you’ve got to have already done that before you can start. And they make sure that they don’t lose those people. If that sounds very “meta”, it is.
Leeham (I think) has previously put out analyses of Boeing finances, and estimated that they’d need new funding from around about now if MAX revenues failed to return. So the answer to your question, “When does the MAX bring BA down?” might be that it already has, but no one has noticed yet. There’s many things a company in trouble can do to hide this for a short while, and it’s possible that this is already going on. I must emphasise that I have no idea if that’s the case. If it gets to the point where the staff aren’t getting paid then the game is up.
The decline of the ship building industry in Glasgow is a history worth analysing. Old companies, set in their ways, seeing no need to change, obsolete product portfolios, government had no cash to support it, but it was of enormous economic, strategic importance. There’s now nothing left. Sounds familiar?
Toyota is not quite what it used to be. I lost count of the number of recalls on my Sienna. It must be about 7. Still, I can imagine Boeing taking a page from the Toyota playbook and getting special exemptions to anti-trust legislation. In the 90s GM put out a Toyota Corolla under an American brand: Geo Prism. Maybe Boeing could eat some crow and then produce its own, new single aisle, by licensing the A220-500 while it gets its stuff together. Or something like that. The world might be better for it.
Some time ago I had offered the idea that B could sell a rebranded A320 as ???
Fix the backlog and gives Boeing something up to date to work with. (Look around where Linux has been infiltrated into products, invisible to users. M$-OS is more or less dead. It had the same issues that the 737 has: too many layers, too many quantum tunnels in interfacing.)
I figured DOS was more like the Max.
DOS would be the original 707 (or even 737-100 or would that compare to windows 1.0).
Then various flashy stuff was layered on the 16 bit base frame. Guess why Windows was any hacker’s nirvana.
To quote someone else: “32 bit extensions and a graphical shell [on top of] a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor, written by a 2 bit company, that can’t stand 1 bit of competition.”
And that description is so very much like Boeing.
Compare to the starkness of a unix style OS (to draw the connection to “FBW from the get go” designs).
“And that description is so very much like Boeing.”
Yeah, Boeing has no clue.
They invented MCAS2.0 and said an MCAS failure will never happen again, making the MAX the safest plane ever. All this without sim training again. Barking at FAA to certificate.
Now Boeing agrees that sim training is needed.
Boeing has no clue what is needed. They are in kindergarten and fail the test for elementary school again and again.
This will take a long time and then finally EASA flight test without MCAS recognizing MCAS is a stall system. At that point Boeing might have lost $50b.
Where is the final TAB report? They said MCAS is safe and follows regulations.
Till now nothing has changed. Boeing is still digging its hole deeper. Completely inept. Finding short circuit issues on the wiring and Trump is unhappy that EASA is in a complete recertification process.
Why is Muilenburg and Co still not handcuffed?
EASA is checking the MAX. Someone else should check the 787.
Boeing concede the need for simulator training. Call me cynical, but I suspect that this has nothing to do with science and neither did their refusal to accept it until now.
No one should underestimate how serious the situation now is, nor how much pressure will be applied.
Grubbie, I think this reflects the recent management change at Boeing. As I wrote in a previous column, the emphasis has shifted from technical remediation, to re-establishing trust. The technical problems must still be solved, but even with that being done successfully, it won’t matter if people don’t trust or believe you.
You can’t establish trust by opposing pilot training, when everyone understands that training enhances safety. It makes no sense to do that. In fact it never made any sense, except in economic terms. Airlines incentivize manufacturers to keep their costs low, but that ends up sending the wrong message. It favors the lack of innovation and change. And by favoring an absence of training, it enhances the odds of future accidents, rather than decreasing them. That’s just nuts.
My hope would be that after this debacle, the entire aviation industry would recognize that training is a required part of the promotion of safety, and not something to be avoided or reduced as a cost reduction measure.
This will level the playing field and manufacturers would be incentivized to innovate and change, if training is always on the table and can’t be removed to favor one aircraft or the other.
Maybe this means the type certifications would mandate minimum training time, with a smaller amount for sub-types and a larger amount for new types. Or maybe abolish the sub-types, and instead have only new types, but have training areas that could be pre-attained by prior experience with older types.
I’m sure there are many ways to think about this, and people are out there who would know better how to implement it. But change is definitely needed. Hopefully Boeing is making a first step here.
Rob:
I think this reflects Boeing change on 737 issue because it’s public.
I think it’s far too early to say culturally what upper management means (nor is the new management established or even long term) – I don’t hold out a lot of hope.
The issue with the 727 fuel tanks would seem to indicate that if it’s not in the public view, the previous approach still applies.
I am waiting to see what comes out of the blatantly illegal act of changing the 787 wing protection system without even telling the FAA.
The same with the FAA. What I see now is political posturing but I am not a believer in that they have changed their culture.
In the case of the FAA, because of the administration, the FAA goes into a fight with Boeing with both hands tied behind their backs.
With the 737 they have the public backing, the rest, depends far too much on knee jerk decisions at the top.
TW, perhaps you are right that the motivations are not as positive as I think. I would hope by now that Boeing sees clearly that they cannot win the public relations battle by insisting they are right and everyone else is wrong. I think that’s why Muilenburg had to go. Fairly or unfairly, he had become the poster boy for that response. His departure creates the potential to form a new impression.
For example, we haven’t seen any new declarations of RTS. I think now the strategy will be to privately communicate the pain of the supply chain to the regulators, to remind them that their actions have a real cost. Government agencies tend to forget that about themselves.
It’s absolutely true that much of the Boeing criticism has been flawed and misinformed. That is readily observable even in this forum. But at some point that no longer matters. If you can’t win hearts and minds with facts, then you have to do it by actions they can understand as being cooperative and wanting to improve. At least in the US, people still respond to that, if they see a sincere effort. They want a good outcome to this, but they need to feel it as well as see it.
If the regulators are smart, this presents an opportunity to have a real impact on Boeing, to help them address internal problems and the ODA process. But the regulators also have to be seen as moving the process along, and working toward a good outcome. If they are seen to be obstructing, that will strongly resonate with causally unemployed people.
So I think there is pressure in the right directions to improve and have a good outcome all around, if all parties are good and honest actors. I guess we’ll see what happens.
People seem to be overlooking that Spirit has kept producing 52 fuselages per month, and Boeing has been paying for them, but they have been shipping (by rail) only 42/month to Renton for final assembly. I’d hope that Spirit have been paying all their downstream suppliers at ‘full rate’. If Spirit stop their line now – and I haven’t seen any information one way or another – they will have about a hundred fuselages stockpiled.
Assuming the MAX is certified quite soon, maybe Boeing can restart production on, say, 1st April. Spirit *and all their suppliers* will not be able to restart production until most of the completed fuselage backlog has been used up: three or four months depending on the Renton ramp-up.
That means that whole supply chain will be at a standstill until at least northern summer, maybe Fall.
There will be business failures in that scenario.
Mike, that’s a good point. I suspect when Boeing has some certainty about the schedule, they will resume ordering from the supply chain. Whatever costs are incurred from that, will be less than those required to find and tool new suppliers, or have those suppliers train new staff.
As Spirit mentioned, the core problem here is uncertainty. So anything the regulators could do to help establish certainty would be very welcome at this point.
Storage of 400x 737 MAX at list price of $100m each. Inventory of those on the balance must be around $20B. Question is if the value of a 737-8 is what it was two years ago.
Rob,
You are misusing the word peer. Peer is used when the computers don’t make decisions. E-mails are an example. This blog is an example. All forms of social media are examples.
Having said that, E-mails still need to be distributed. This blog needs to be distributed. All social media needs to be distributed. The server performs the function of distribution in peer to peer computing.
So the server is the master for without it nothing gets distributed. Scott showed us the power of the master. He stopped all commentary on an article because the commentary got out of hand. The master exerted its authority.
There is only one master, even in peer to peer computing, as clearly demonstrated by Scott. We posters must all bow to the master.
Peer to peer terminology is not appropriate for airplanes. Computers on airplanes make decisions. Those decisions must be coordinated. That’s the job of the master. But there is only one master.
You may be confused with regard to backing up the master for the purpose of redundancy. This involves a secondary that takes over from the master if the master fails. A secondary to secondary can also exist. So if the master fails and the first secondary fails, the second secondary takes over. And so on, for a secondary to a secondary to a secondary etc. can exist. But at any time there is only one master.
To go further. Secondaries don’t have to sit there doing nothing waiting for the master to fail. They can be used for voting thereby further enhancing safety by isolating failure states. That’s the purpose of voting for sometimes a computer carries on running even though it isn’t working. In other words, the computer shows no visible sign that it’s failed. The blue screen on Windows.
The same principle applies to power sources.
The elevators on the MAX have three power sources, three hydraulic lines. Two can fail and the elevators will still work. If all three fail then the MAX is done. But the chances of all three failing simultaneously are beyond small.
In contrast, the stabiliser on the MAX uses a single power source. That’s fine if stabiliser movement is non-essential. It’s not fine if stabiliser movement is essential.
If stabiliser movement is essential, the stabiliser needs three power sources to meet the definition of redundancy. Equally there needs to be three computers in a master, first secondary and second secondary configuration. There also needs to be three sensors.
Jbeeko,
I said your post was fine, but didn’t read it properly. If knowing is essential then three of everything is necessary. It’s this word essential. Secondary control systems are non-essential. Primary control systems are essential.
Primary control systems need to be redundant and responsive. Neither is happening to MCAS and the stabiliser.
Rob,
Do more research. You are mis-using the word peer. You are applying the word to how computers work when you must apply it to what computers are used for.
Philip, peer systems are common in today’s world, and they do not use a master. A network router is a peer with no master, yet it makes decisions about where to send packets. Obviously that works quite well or we wouldn’t have an Internet. A meshed wireless network can form itself without instruction or supervision, the decisions are reached by the peers negotiating with each other.
I also gave the example of Windows Server controllers, that may be the most relevant to the case here. All controller group members are active and act as one, so the loss of one is not critical. There is no failover because none is needed.
The designer makes a choice as to whether to use a hierarchical structure or not. There are advantages and disadvantages to both. Microsoft realized that the peer method was more robust so they moved away from primary/secondary. Boeing realized that the peer method is safer so they are moving away from primary/backup.
The coordinator in a Boeing system is the pilot. The FCC’s need no other master.
If you can’t be taught you can’t be taught. A network router does have a master, otherwise where does it get its routing information from. With regard to the Internet, the route domain – the master – is in America and America has made clear it will stay there. Look up DNS, the domain name register.
I do want to add to my comment. There are two kinds of redundancy, active/passive and active/active.
In active/passive the secondaries do nothing. Instead they wait until the master fails. When the master fails, the first secondary starts-up and becomes the master. And so on.
In active/active the secondaries are processing. With regard to airplanes typically they copy the master. So they do the same calculations as the master. The results are then shared for the purpose of voting.
If the vote says the master is wrong, the master is demoted and the first secondary is promoted to be master. The flight crew are informed of the demotion and promotion.
I do accept that the MAX appears not to have a master. My first thought after reading the FAA’s emergency AD after the Lion Air crash was a flight deck meltdown. Everything sounded off giving the pilots contradictory information. That means the computers are not coordinated by a controller, a master. Every computer does its own thing.
But then we were told that the amendments to the FCCs were to eliminate each computer doing its own thing. But, if there are two or more masters, then each master has a right to do its own thing. Just like two captains of equal standing on the flight deck doing their own thing. Not allowed. One of the captains is designated as the senior and is the master.
Philip, network routers are based on IP subnetting, they can make the routing decision based on the information embedded in all network packets. They do not need master routing information. That’s why they can act as peers. They only need to know the source and destination addresses.
The DNS system and delegation by IANA is completely separate from routing. You can route networks within private IP space and with no DNS present at all. Any residence with a router is probably doing this.
As explained, the dual or peered masters do not vote, they function as a comparator. A comparator only has two states, agree or disagree. We know this is acceptable because aircraft already have disagree alarms for multiple sensors. That concept is being extended to the FCC as well.
As explained, the dual or peered masters run exactly the same program and do exactly the same thing. For each result, they compare and thus flag each other’s errors. They are running/sync’d in parallel for the express purpose of duplication and redundancy. In no way do they “do their own thing”.
Philip:
I don’t bow to anyone, I leave that to the Brits. We got rid of official royalty a long time ago.
I have a high degree of respect for Scott even if I disagree with him.
Hi – Disclaimer, I work in networking, not aero dynamics.
Sorry, but the routing examples mentioned in these comments seem to be a slightly misleading description of how routing on the Internet works.
Internet Service Provider Routers exchange routing information using Exterior Border Gateway Protocol. The international route table is > 800,000 routes and routers learn from each other by “peering via eBGP”; international routes are not entered locally.
This is different from an enterprise router, which can just have a single default route to the ISP and some “local” routes.
A key question I ask myself is “can the pilot always over-ride MCAS in normal operation with flight controls”. If the answer is “yes, the flight controls can always override MCAS” then MCAS is not in charge.
If the aircraft is safe to operate without MCAS in the case of MCAS failure, then the pilot as final authority is ok. It is different if the aircraft is not safe without MCAS, because then it’s essential for safe flight and will need to be more reliable. It’s been widely reported that the assumptions about pilot responses were incorrect with respect to reaction times. This new information might be why Boeing are pushing for SIM training.
There seems to be a consensus that changes to aircraft certification are required and the pendulum had swung too far; correcting this will take time – I note that Airbus has mentioned that these changes may affect them too.
Mark, in earlier posts I mentioned that more advanced routing protocols exist, and that they largely serve to optimize traffic. Also that the routing information is shared by peering. I was just making the point that true peer systems can work quite well, with no master.
With regard to MCAS 2.0, it can be overridden with the column, as well as by other means. That was always the intention, but it was poorly implemented in MCAS 1.5.
With regard to the change in decision regarding training, you may recall that the designed pilot reaction times were questioned in the hearings. So Boeing and regulators did some simulator studies with a range of pilot experience levels to find out.
The reporting on that is that some pilots went to their manual flying skills first, and/or ran incorrect checklists, rather than running the correct checklist first, as they are trained to do. So that introduced a delay in resolving the problems they were given. It also makes the result dependent on individual skill level. The checklists are meant to help level that out.
In the Boeing e-mails, there are discussions about pilot flying skills and if they have degraded over time, due to automation and more pilots coming from civilian training. That is a broader discussion that needs to take place.
In the meantime, since it’s clear that training is valuable and improves safety, it will go forward, and I hope it will continue to emphasize both checklists and manual flying skills.
A corrupted system led to this all. Some say deregulation started under Reagan in the 1980s.
I assume there was a correct certification for the 737-100 and -200. The yo-yo rollercoaster was introduced much later in the 1980s too.
I have no problem with grandfathering of the manual trim wheels if the WHOLE system stays the same, but it didn’t stay the same. There were criminal self-certifications involved with the 737EPIC. If engine power and MTOW increase, the trim wheels need to be adjusted for it too if they are affected in the whole system. If elevators and stabs were made stronger the trim wheels need to be made stronger too. Decreasing trim wheel size and handling is just banana criminal.
Don’t know if the 737NG trim wheels are affected too but for sure it should be checked.
Same with many other parts of the 737EPIC. Can’t make elevators and stabs stronger and keep the jackscrew the same.
The 737NG should be checked for the jackscrew too. If regulations are not respected the jackscrew needs to be changed. Till changes are made reduce MTOW 20% or whatever number is necessary, don’t need to ground them all.
ALL criminal self-certifications need to be checked, not only the 737EPIC.
Lots of back and forth above.
In terms of realistic RTS date and process predictions – and resumption of production – I feel one of the key items is the sim requirement, which very likely will include a significant portion of “yo yo” refresher. Unless I miss my guess as to EASA’s focus, this sim requirement will also extend to NG pilot routine retraining.
Given the fact MAX simulators are few, and NG simulators are not accurately calibrated for the trim wheel forces and will need tweaking for this as well as approximately simulating the MAX, there is a huge implied bottleneck there.
How many thousands of pilots worldwide will need to get X hours per on simulators? How long will it take for a sufficient number of Southwest pilots for example to be trained in order to start operating their 34 hulls plus how many new aircraft in their livery are sitting somewhere?
Realistically we are looking at a process requiring months or even years.
This will in turn impact Boeing’s production plans as they will not want to add any more hulls to the collection until they have a read as to the progress made with pilot retraining. The ramp up is also likely to be slow and gradual and stretch over many months/years.
Truly the MAX is the gift that keeps on giving!
Can the Leeham staff clarify whether the flight testing referred to in reports as of January 2020 is (a) continued internal Boeing flight testing or (b) flight tests of submitted design changes with regulatory authority pilots? Thanks.
@sPh: Mostly (a) but I believe FAA has been on some flights. The formal design submission hadn’t occurred as of Dec. 31, however.
Hamilton
We continue to witness a failure of transparency from Boeing.
I suggested that the JTAR team should be quorum with addressing pitch instability. The JTAR team performing their own flights with MCAS off.
Will it happen? Not without Boeing being forced into it. What will the JTAR team find. Nothing good.
Philip:
Did you miss the memo that if MCAS acted up that turning it off was the correct action?
It’s grossly obvious you can fly without it.
Arguably the 737MAX was safer without it.
I’m still confused.
Are the physical FCC computers on the Max updateable? Are they being updated? Before all of this, was one computer managing inputs and stabilizing flights and performing automatic pilot functions while being monitored by the second, backup computer? Have modifications melded the two computers (one active and another a backup) into one? Is there now no longer a redundant backup system? Does the original system of the Max have the computational capacity to perform substantially new tasks without being physically changed or updated? Is the architecture of the original system (and its processors) so deeply integrated into the avionics and functioning of the aircraft that quick physical updates or replacements are impossible?
I am now worrying, with all of these cascading issues and questions, and constantly rolling rts dates, that the Max may be a shareholding mcguffin and not an actual, one day serviceable aircraft at all.
B737 has two computers, only 1 is active, a 2 is off until pilot will turn it on. No crosschecking between them.
How it will be now? Some crosschecking will be, but will have to wait until B will finish a fix.
Updated? Software? No problem, as far as hardware will handle. Hardware? Not likely, it’s a whole new process of design, testing, certification.
If the pilot is the “master,” if the Max is fundamentally stable, and if the trim wheels are useful won’t a simple idiot light for the AoA sensor be more than sufficient?
RealSteve, in answer to your questions:
1. Are the physical FCC computers on the Max updateable? Are they being updated?
— Yes to both, in terms of software. The software is written by Collins Aerospace in Cedar Rapids. That is also where the current software audit has been on-going. The audit will resume there next week. The Collins software, including all changes requested thus far by Boeing, are what’s being audited.
2. Before all of this was one computer managing inputs and stabilizing flights and performing automatic pilot functions while being monitored by the second, backup computer?
— To the best of my knowledge, the two FCC’s were rotated between flights, with one serving as primary master and the other as secondary backup. There was not cross-checking, as far as I know. That is the feature being added now.
3. Have modifications melded the two computers (one active and another a backup) into one?
— Somewhat, what’s happened is that they are now both active and performing the same functions, but with the added requirement that each cross-checks results with the other. If the result agrees it’s considered good. If not, then a fault matrix is consulted to identify known issues, such as a failed off-scale sensor. If there is no resolution from the matrix, then the pilot is alerted and no action is taken.
4. Is there now no longer a redundant backup system?
— No, but the redundancy is in a different form. Since both computers are always on-line and active, with the loss of one the other keeps functioning, but it no longer cross-checks with the other that is now off-line. So it has reverted back to the original design, with only one active computer.
5. Does the original system of the Max have the computational capacity to perform substantially new tasks without being physically changed or updated?
— Yes, the computers are adequate for the tasks. There is no load-sharing between them, because that would become a non-redundant system. They have to remain perfectly redundant, with the same capabilities. The new tasks being asked of them, are the cross-check functions, as well as fault handling and alerting. Those do not have a substantial CPU loading or timing penalty.
6. Is the architecture of the original system (and its processors) so deeply integrated into the avionics and functioning of the aircraft that quick physical updates or replacements are impossible?
— Physical replacements with regard to changing out an FCC unit for an identical unit, are possible but rarely needed (reliability is very high). Physical updating with regard to upgrading to new hardware (more modern CPU or architecture), would be a very substantial undertaking that would require recertification of all flight controls and software. So very little chance of that happening without an extreme justification.
In the flight controls business, stability and reliability are highly valued. If you have an established system with many millions of trouble-free hours, you wouldn’t change that unless there was a very compelling reason. One such reason would be the development of a new type, for which recertification is needed anyway. But even then, you would try to capture as much of the previous system’s stability and reliability as possible. And you must then be prepared to deal with a spike in the new flaws that are inevitably introduced, but may not surface except in flight service.
This is a difference from consumer culture, where the idea of using an 80286 computer seems archaic and senseless. Obviously you value the newest and fastest. But while a consumer computer crash is not fatal, for an FCC it might be. So for flight, the valued characteristics are different.
7. I am now worrying, with all of these cascading issues and questions, and constantly rolling RTS dates, that the Max may be a shareholding McGuffin and not an actual, one day serviceable aircraft at all.
— This is a subjective judgement call and is up to you to decide. I don’t think most of the world sees it that way. The MAX performed well after introduction, until the accidents. Airlines, regulators, manufacturer, supply chain, all want to move forward and are expecting RTS. But as always, we can only wait to see what happens next.
8. If the pilot is the “master,” if the Max is fundamentally stable, and if the trim wheels are useful won’t a simple idiot light for the AoA sensor be more than sufficient?
— The AoA Disagree indicator has been made standard by Boeing as part of the changes. All MAX will have it. But MCAS was added to address the regulations for handling and control feel. So if MCAS is deleted, then some other mechanism for compliance will be needed.
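The cross-check behaviour described in answers 3 and 4 above, set beside the three-channel voting raised earlier in the thread, as an added sketch that is not part of the original comments and is not Boeing's or Collins' logic. The control law, tolerance, sensor range and the fault-matrix rule (trust the channel whose sensor is in range) are assumptions made for illustration, and all names are hypothetical.

```python
from dataclasses import dataclass
from enum import Enum
from statistics import median
from typing import List, Optional, Tuple

TOLERANCE = 0.25            # constructed: largest accepted gap between channel results
VALID_AOA = (-20.0, 40.0)   # constructed: plausible AoA sensor range in degrees


class Outcome(Enum):
    COMMAND = "command issued"
    COMMAND_UNCHECKED = "command issued, no cross-check available"
    ALERT_NO_ACTION = "pilot alerted, no action taken"


@dataclass
class Channel:
    name: str
    aoa_deg: float          # sensor value as seen by this channel
    online: bool = True

    def result(self) -> float:
        # Stand-in control law; both channels run the identical program.
        return round(0.1 * self.aoa_deg, 3)

    def sensor_off_scale(self) -> bool:
        lo, hi = VALID_AOA
        return not (lo <= self.aoa_deg <= hi)


def dual_comparator(a: Channel, b: Channel) -> Tuple[Outcome, Optional[float]]:
    """Two active channels: agree/disagree, then fault matrix, then alert."""
    live = [c for c in (a, b) if c.online]
    if not live:
        return Outcome.ALERT_NO_ACTION, None
    if len(live) == 1:
        # One channel lost: the survivor carries on, but nothing checks it.
        return Outcome.COMMAND_UNCHECKED, live[0].result()
    if abs(a.result() - b.result()) <= TOLERANCE:
        return Outcome.COMMAND, a.result()
    # Disagreement. Assumed fault-matrix rule: if exactly one channel has an
    # off-scale sensor, that is a known issue and the other channel is used.
    healthy = [c for c in live if not c.sensor_off_scale()]
    if len(healthy) == 1:
        return Outcome.COMMAND, healthy[0].result()
    # A comparator alone cannot tell which of two plausible results is wrong.
    return Outcome.ALERT_NO_ACTION, None


def triplex_voter(channels: List[Channel]) -> Tuple[float, List[str]]:
    """Three active channels: median vote, and the outlier is named."""
    live = [c for c in channels if c.online]
    if len(live) < 3:
        raise ValueError("voting needs three live channels")
    voted = median(c.result() for c in live)
    rejected = [c.name for c in live if abs(c.result() - voted) > TOLERANCE]
    return voted, rejected


if __name__ == "__main__":
    # Constructed scenarios, not recorded flight data.
    print(dual_comparator(Channel("A", 5.0), Channel("B", 5.1)))    # agree
    print(dual_comparator(Channel("A", 5.0), Channel("B", 74.5)))   # off-scale sensor
    print(dual_comparator(Channel("A", 5.0), Channel("B", 20.0)))   # plausible but wrong
    print(dual_comparator(Channel("A", 5.0, online=False), Channel("B", 20.0)))
    print(triplex_voter([Channel("A", 5.0), Channel("B", 20.0), Channel("C", 5.1)]))
```

The third and fifth scenarios show the difference the thread is arguing over: two channels can detect an in-range disagreement but not isolate it, while three can outvote the faulty one.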
A few questions on the 737 MCAS system follow….
Flying a severe out of trim 737 is not a good thing.
=====================
https://www.satcom.guru/2019/04/stabilizer-trim-loads-and-range.html
=====================
MCAS moves the horizontal stabilizer, using the high speed, trim motor setting.
For MCAS 2.0, is there a manual OFF switch?
For MCAS 2.0, is there a large yoke/column force cutout switch?
For MCAS 2.0, can you have repeated wind gusts causing repeated MCAS triggering after resets?
What is the reset criteria?
Is the FCC & Air data computer software the single point of control to MCAS?
No Manual override, or cutout switch?
Operating the only trim motor on the aircraft’s horizontal stabilizer’s system.
(there used to be a separate autopilot motor from the manual-electric trim control)
When a software/hardware failure happens, and a runaway trim is the result, if shutting down the trim motor is the only option, how many seconds does a pilot have to respond, before he’s trapped into a severe out of trim situation?
How many seconds will it take for the pilot to notice a runaway trim situation?
Does a light appear when MCAS is triggered?
Should MCAS be reworked to trigger a stick pusher? Or do you need the stabilizer these days to overcome the larger thrust engines, in a slow speed situation, where the elevator authority is limited?
Should MCAS have a separate trim motor, that can be cut off manually in an emergency, leaving the main trim motor under pilot control, allowing the pilot high speed electric control of the trim, rather than attempting to use a low speed manual trim wheel?
I would suggest research to answer your questions.
This has all been discussed extensively
I guess I could start cutting and pasting but life is too short.
Richard, these are all good questions. Many of them deserve longer answers but I tried to cover the basics in short answers below.
1. For MCAS 2.0, is there a manual OFF switch?
— Yes, but only in the form of disablement of the trim motor. There are not separate switches for manual and automatic trim, as there was in the NG series. Nor is there a switch dedicated to MCAS. I personally would advocate a return to the NG logic, since the physical switch is still present on the console and pilots are already trained on this arrangement.
2. For MCAS 2.0, is there a large yoke/column force cutout switch?
— No, the MCAS system is not included in the yoke cutout switch, because using that switch for MCAS would render it ineffective (column is already aft when MCAS is needed). That switch is still in effect for other forms of automatic trim that are active in level flight.
3. For MCAS 2.0, can you have repeated wind gusts causing repeated MCAS triggering after resets?
What is the reset criteria?
— We don’t know what the reset criteria are, but there is some form of hysteresis built into the control cycle. Also the stabilizer is rate-limited in its movement, so that would add a dampening effect for limit cycles resulting from rapid & repeated activation threshold crossing.
4. Is the FCC & Air data computer software the single point of control to MCAS?
— Yes, MCAS is part of the automatic trim software and does not have a separate manual control function. None of the automatic trim systems have that feature.
5. No Manual override, or cutout switch?
— Answered in 1. and 2. above
6. When a software/hardware failure happens, and a runaway trim is the result, if shutting down the trim motor is the only option, how many seconds does a pilot have to respond, before he’s trapped into a severe out of trim situation?
— The same amount of time required for any runaway trim situation. We know it takes 10 seconds for the stabilizer to reach the 2.5 degree maximum deflection for MCAS. We also know that elevators can override that level of trim, with larger column forces. So the pilot should be able to react with electric trim switches within that time. Assuming the worst case where correction doesn’t begin until after the 10 seconds, it would then take 20 seconds total for the full activation and reversal to occur. During that time, level flight can be maintained with increased column force.
Once level trim is established, the cutout switch can be used to prevent further stabilizer motion. If the stabilizer is in runaway but the electric trim switches aren’t responsive, then the cutout switch should be used immediately to minimize the out-of-trim state. Then until the end of the flight, correct trim with the manual wheels.
6. How many seconds will it take for the pilot to notice a runaway trim situation?
— The aircraft will begin to trim nose down or up as the stabilizer moves. The rate will be gradual at first but increasing with time. The motion is obvious in the cockpit due to corresponding instrument changes, trim wheel movement, and the stabilizer position is indicated on the center console. So it depends on how soon the pilot recognizes one of these changes. The assumption used by Boeing was 4 seconds reaction time. We know that 10 seconds would still be acceptable.
7. Does a light appear when MCAS is triggered?
— I don’t know if this feature has been implemented, it was suggested by several parties, including engineers within Boeing. It seems like an easy addition. I would include all other automatic trim systems, as well as electric trim, in the indicator as well, so the pilot has visual feedback on all possible trim states.
8. Should MCAS be reworked to trigger a stick pusher? Or do you need the stabilizer these days to overcome the larger thrust engines, in a slow speed situation, where the elevator authority is limited?
— A stick pusher would be trying to use the elevator to compensate for inconsistent forces on the column resulting from the elevator. That becomes circular and doesn’t make sense for the problem that MCAS was meant to solve. A pusher makes sense in a stall situation where the intent is to override the pilot and recover. For the MCAS situation where the intent is to provide control consistency, the stabilizer is the only control surface available to achieve correction of the elevator force, unless another aerodynamic solution can be found.
9. Should MCAS have a separate trim motor, that can be cut off manually in an emergency, leaving the main trim motor under pilot control, allowing the pilot high speed electric control of the trim, rather than attempting to use a low speed manual trim wheel?
— That is certainly possible and would be a design decision involving evaluation of safety and cost. For a system that has a low probability of being invoked in the aircraft’s lifetime, the cost would be relatively high.
Rob, Thanks for the quick and detailed responses. The Speed Trim System (STS) operates at high and low trim speed settings depending on the flap setting? High speed trim for flaps deployed, and Low speed trim for flaps up? Are the STS trim commands mutually exclusive of MCAS commands, or does one take precedence over the other? i.e. if both STS and MCAS have triggered, will both activate the trim motor, or will one override the other? In other words, does the FCC trim for speed or AoA in that instance? Can they issue conflicting commands canceling each other out? High speed Mach Tuck protection is commanded through the elevator only? Or is that also trim related? Other than AutoPilot, STS, MCAS, are there any other automated HS trim systems? The avoidance of the column force cutout switch for MCAS, is still being done via the column mounted override switch (I know that’s a double negative, but, that’s the way those switches seem to function) Thanks for all of the answers.
Richard, the interaction of all the various trim systems is complex. I don’t know the specific logic that governs them. Peter Lemme’s site describes many of the individual functions, but not the logic or precedence of their interaction.
I’ll try to prepare a summary but it will be incomplete at best. You’d need access to the Boeing engineering docs or their code itself to resolve the interactions.
Really gives you an appreciation for the evolution of aircraft controls. A huge amount of knowledge and experience is incorporated. Then FBW would be yet another step upwards in complexity.
Rob,
“— A stick pusher would be trying to use the elevator to compensate for inconsistent forces on the column resulting from the elevator. That becomes circular and doesn’t make sense for the problem that MCAS was meant to solve. A pusher makes sense in a stall situation where the intent is to override the pilot and recover. ”
=======
MCAS is overriding the pilot and pushing the nose down via the stabilizer, rather than the elevator. That’s the confusing part to me. Is MCAS meant to correct for stick force, or correct for pitch, or both? A stick pusher would directly correct for stick force, stabilizer changes correct for pitch and doesn’t really change stick force, but, moves the plane’s AoA away from the area causing the inconsistent change in stick force. I’m missing something in the translation.
Richard, I think the confusion is between the intended behavior of MCAS (as represented by MCAS 2.0), and the misbehavior of MCAS (as represented by MCAS 1.5).
MCAS 1.5 improperly reacted to unrealistic AoA input, and pushed the nose over via the stabilizer, effectively overriding the pilot, just as you said. All of the criticisms of a design that did that are valid. But it was never intended to do that.
So for the future, we have to think in terms of MCAS 2.0. What is MCAS really intended to do?
It’s meant to apply a compensating force to the airframe, such that the pitch moment behavior remains linear, in the target range of AoA above 10 to 12 degrees, but below the clean-wing critical AoA of 14 to 16 degrees, where the aircraft begins to stall.
We know this target range is rarely encountered in flight because pilots are trained not to exceed 10 degrees in cruise, with a clean wing. Obviously the critical angle becomes much higher with flaps or slats deployed, at takeoff and landing, with higher AoA. But in cruise with a clean wing, the only way we get there, is the pilot intentionally pulling back on the column, and intentionally exceeding the 10 degree limit.
Without compensation, the pitch moment in this target range would become non-linear, which is reflected in the column as an unacceptably decreasing force, according to the regulations.
With MCAS 2.0 active, the airframe force compensation and linear pitch moment behavior, are reflected by the column forces remaining consistent, and as expected within the target range. This is the behavior required by the regulations, in order to present uniform control forces to the pilot.
Note very critically, that MCAS 2.0 should stop right there and not go any further. It definitely should not countermand or override the pilot by pushing the nose down. To achieve the right amount of compensation, it has a pre-determined lookup table in software, so as to adjust the amount of stabilizer movement for a given altitude, airspeed and AoA. In that sense it is open-loop, it applies a change but does not use feedback to monitor the change.
If the pilot continues to hold the aircraft in the target range, MCAS will hold the correction as well. If the pilot lets go or backs off and AoA comes down, MCAS will back out the correction it had previously made.
If the pilot pulls back further and intentionally stalls the aircraft, MCAS will not exceed its authority and will allow the stall to happen. That’s because its purpose is to compensate for the pitch moment non-linearity, not to prevent stall.
Note that EASA and JATR are skeptical of this reasoning. Their alternate reasoning is that if, in the absence of MCAS, the pilot rapidly and unintentionally advances from the target range into stall, then MCAS is in fact stall prevention. Also, the target range and stall may slightly overlap in some cases, creating a grey area. This is why they want to test without MCAS. It’s a valid question, and one of Boeing’s many mistakes was not to have it answered before relying on MCAS.
So now let’s look at other methods to meet the control consistency regulation. The one most frequently used is aerodynamic modification. Boeing said they tried this in the wind tunnel and could not get the right force balance. I suspect the reason is that the engine nacelles are both larger and farther in front of the CoL, such that the CoL actually moves forward with AoA. That requires an active & variable rather than passive & static solution.
We could get the right column force by using the EFS system. But this would only mask the true dynamics of the aircraft. It would tell the pilot he doesn’t have a non-linearity, when in fact he does. That would only encourage the transition into stall. MCAS actually reduces or removes the non-linearity in the aircraft dynamics, because it applies a compensating force.
We could also try to use the elevator itself. To do that properly, we’d need a system that divorces the elevator movement from the column movement, and then transmits the correct force back to the column as the elevator moves by greater amounts with increasing AoA (like the stabilizer does with MCAS). That would basically be FBW combined with a reverse force-feedback to the column. The existing EFS might be able to provide the force-feedback part. But there is nothing in the MAX that would permit full authority FBW for the elevator.
So, just as MCAS must be implemented in software to get the right linearizing behavior from the stabilizer, the elevator control would have to be implemented in software as well (FBW). This would be a very large design change requiring complete recertification. MCAS was a much simpler way to achieve that goal.
Other solutions that have been suggested include increasing the size of the elevator. That obviously gives it more authority, but does not fix the non-linearity issue, so you still have the variation in aircraft dynamics and resultant column force behavior that is not permitted by the regulations.
Another suggested solution is the stick pusher. You can apply an external force and motion to the column, but that is taking control away from the pilot, and even further altering the control behavior in the target range of AoA. So by its nature, a stick pusher should not be used for handling, only for the express purpose of taking control and overriding the pilot. In that case you’re saying you don’t care what the control forces are, because the pilot is no longer in control.
Anyway, that’s a lot of information but maybe it will help provide the rationale for MCAS, and how it was always supposed to work. Unfortunately we were all first introduced to MCAS in the accidents (another Boeing mistake) as the bad MCAS 1.5 form, which was not really representative of its true function and desired behavior. Hopefully we will finally see that in the MCAS 2.0 form. But we will have to see.
If I’m a pilot pulling back with 50lbs of force on the yoke, should MCAS be allowed to trim nose down, against me? Or, should a mechanical column cutout switch, set at 50 lbs of force kill MCAS, allowing manual electric trim nose up commands?
Richard, if the pilot has excessive column force due to un-commanded mis-trim for any reason (not just MCAS), the trained action is to trim the aircraft correctly with electric trim to eliminate the excessive force, then use the cutout switch to prevent further un-commanded motion. If electric trim is non-responsive, then use the cutout switch immediately and use the manual wheels to establish the correct trim.
These are the memory items for runaway trim that are required of all pilots.
MCAS is software only and uses the existing infrastructure ( speed trim system ) .
“Just a little fiddling with STS” ( no interface change argued)
versus
adding a “stick shaker” and changing the cockpit interface. .. which obviously would be asking for training time.
( the whole thing looks like done by someone who finds sexual release from subverting good design metrics.)
From https://www.nytimes.com/2020/01/09/business/boeing-737-messages.html?smid=fb-nytimes&smtyp=cur
—————————
“I still haven’t been forgiven by God for the covering up I did last year,” one of the employees says in messages from 2018, apparently in reference to interactions with the regulator.
“Would you put your family on a Max simulator trained aircraft? I wouldn’t,” one employee said to a colleague in another exchange. “No,” the colleague responded.
—————————
So it seems some at Boeing knew the issues and lied to cover them. IMO this is no longer negligence. Anyone involved in this must serve jail term.
Those are private employee text messages representing private statements, that the authors copied into Boeing company e-mail to themselves, thus making them part of the company record. They were not communicated to anyone at Boeing, thus Boeing was unaware of them until found during discovery.
Also since these messages imply criminal wrongdoing, they have been turned over to the Department of Justice for investigation. And provided to FAA and Congressional investigators.
I’m still very confused by a lot of the discussion and what are the basic issues at hand. Many posts and threads ago, someone seemed to make a mocking comment (or I read it that way) about these discussions of the 737 Max that has really stuck with me. He used an unfamiliar term for me, since I’m not an engineer or a programmer. I think he used the phrase: “Cargo cult programming.” I had to google it. Wikipedia says: “cargo cult programmer may apply when an unskilled or novice computer programmer (or one inexperienced with the problem at hand) copies some program code from one place to another with little understanding of how it works or whether it is required […] Cargo cult programming can also refer to the practice of applying a design pattern or coding style blindly without understanding the reasons behind that design principle.” It’s an elegant idea, and I’m not sure if there is a more common English phrase for this. It reminds me of the sorcerer’s apprentice. I’m not sure how the commenter was applying it in the case of the Max. Did he mean that under the new airplane sits the old 737, like a copied piece of code, where unforeseen dangers lurk and wait to come out, frustrating engineers? Was he more directly referring to MCAS or MCAS 2.0, or to the flurry of code being written to get the Max in the air again? Or was he referring to posts on this site, that might copy and paste information from elsewhere and then justify themselves, as they are forced into other elaborate directions pushed on and caught in the spell of something they don’t understand but try to repair? It’s amazing how discussions like this have embedded structures and patterns that repeat themselves in non-conscious ways. It’s like we are caught inside the logic of the original design of the 737 Max. I can’t say that I’m immune to all of this. Je suis le 737 Max.
RealSteve, the “cargo cult” refers to the World War II phenomenon where Pacific island natives were surprised by the military forces that came to build airfields on their islands, but welcomed them and the goods they brought.
As the war moved on and other bases were created on other islands, some of the natives missed the traffic of goods, and so built primitive replicas of the aircraft, hoping that would attract the real aircraft to return.
I think the cargo cult programming, was a reference to building a less sophisticated replica that doesn’t work, of a more sophisticated system that does work. So in that sense it could be referencing Boeing copying the KC-46 MCAS software but botching it. Or it could be a reference for 737 controls trying to replicate features of the more sophisticated FBW, but poorly.
The MCAS failure opened up Boeing to criticisms like this, that they don’t know what they’re doing, but I don’t think that necessarily follows, or that MCAS cannot possibly work.
Rob,
I was tempted to spend a little time today going over newspaper coverage of the DC-10 and accidents of the past to see if it even remotely resembles all of the constantly damning news that has been leaking out about the 737 Max since the first crash. That was a time probably of the most aggressive newspaper coverage in American history. But, I can’t imagine that the aircraft and all the decisions that led to its production and its faults were anything like what we are seeing with the Max.
I’m not sure why you felt the need to counter spin Wikipedia’s entry on cargo cult programming. Let no negative image be left standing.
What I take from the image might be a wrong interpretation. But I can imagine resolving a problem by cutting and pasting and then permanently embedding a piece of code in a much larger, very complex program. Although it wasn’t intended for this purpose, and I don’t fully understand its complexities or how it works its deep magic, I imagine being satisfied because it was a quick and efficient shortcut that works for me and nobody is asking any questions. And when little things start showing up, like the butterfly effect, upsetting other things, presenting new complexities, I imagine that not even I will suspect that it is the poorly understood, inessential, useless, but still present bits of code doing their business deep within my paste job. But odd problems continue cropping up all over, here and there, sometimes cascading into bigger and bigger ones until some sort of unforeseen disaster strikes.
As for the Max, with all of the unanswered questions, lack of transparency, rumors, negative expert opinions, and shocking comments by test pilots and workers — and don’t forget two crashes (never forget that) of a new plane in just a few months, it’s nearly certain that much of what remains unknown is worse than what is known. Why hide good things? Unfortunately, this is how things normally work. The whispered rumors end up being true and even worse! Just pick from any example in the news. It’s in the interest of just about everyone to see the Max in the air again. All those planes, all of those fuselages are not just sitting there because of red tape. There’s something deeply wrong and it’s not just a matter of spin and PR.
I just can’t imagine if you add everything up and compare it to anything that you know of in the past that you’ll see this thing ending up with Boeing in an enviable place. This represents a momentous change, and a lot of us will be hurt by it. Maybe spinning things positively will shore up investor confidence, but in the long run, it’s not doing most of them any favors.
RealSteve, I explained the “cargo cult” reference since you said you had not heard of it before. It’s been applied to many things to infer a basis of superstition or belief, rather than science.
I didn’t spin it at all, I just told you what it was, and what it might have represented with regard to the MAX. I don’t believe that it’s valid as applied to MCAS, but I can see how it might appear that way to others.
At present, every effort is being made to publicize things wrong with the MAX, based on the belief that you have expressed, that things must be wrong with the MAX. This is seen in the circular argument, that the MAX must be kept grounded because things must be wrong, but also that the length of the grounding is proof that things must be wrong. That becomes self-fulfilling.
To me, it’s an example of a belief basis, rather than a factual basis. But it comes down to what your premise is. If you presume the MAX is fundamentally flawed, as you do, then it must be proved that it contains no flaws. If you presume that it’s fundamentally good, but has documented issues, as I do, then it must be proved that those issues have been addressed.
So that is where we always end up, and will likely remain, until there is some resolution either way.
Rob,
Things are empirically wrong with the Max. Two brand-new airplanes crashed, killing nearly 350 people. I’m not sure that, as you say, “every effort is being made to publicize things wrong with the MAX, based on the belief.” Instead, negative information is trickling out and Boeing isn’t helping. The unprecedented grounding is indeed proof of something. Boeing has been working on an easy fix since the first crash and it hasn’t sufficiently demonstrated to regulators that it has found one. Highly reputed aeronautical engineers (with little provided information) have been puzzling over the crashes and coming up with disturbing information.
I must admit, that my own thinking about contemporary corporate culture colors my “beliefs.” I “believe” (based on articles that I’ve read and my knowledge of contemporary corporate culture) that Boeing executives made a bad, greedy and short-sighted decision by trying to compete with state-of-the-art airplanes through short-cuts and grandfathering that enabled them to update the 737 and produce a cheap hybrid of an old workhorse — the 737 Max. My beliefs are structured by my own miserly (penny-wise, pound-foolish) experience trying to update old reliable things that couldn’t be updated any longer and the cascading problems that ensued until I had to begrudgingly throw them in the trash. I am like most laymen, who expected much more from a company and its products on which we stake our lives. I don’t “presume the Max is fundamentally flawed”; it is fundamentally flawed. The question is whether these fundamental flaws can be corrected the way Boeing is desperately trying to correct them.
Finally, I will participate in some circular arguments. The regulatory agencies charged with ensuring my safety when I board an airplane are the ones keeping the Max on the ground. So it is not passively grounded (“must be kept grounded”). They (these experts and engineers) hold the Max on the ground.
Finally, in all of my decades on this planet amateurishly following the aircraft business since I was a child, I have never seen anything like this: from the DC-10 accidents to the end of the Concorde. So, I have to ask what makes it exceptional and why does the issue fascinate me so much. Boeing says it was flawed but properly conceptualized programming. My “beliefs” suspect this. So, I do have beliefs, and see it is an object lesson in the problems of contemporary corporate culture and wide-spread, superstitious belief in the magic of inappropriately applied digital technology. I dislike anti-union, anti-labor practices; contracting-out jobs and production to save money; salary inequality; short-term planning to recognize profits; value based on stock price and not product quality; etc. Perhaps, I want to see the Max as an object lesson in the folly of the direction of our ways and thus resist actual facts.
Still, this whole story comes as a true disappointment to me. As I have said before, I loved the 737. It offered my first experience of flight. I loved Southwest, its safety, and its radical model of using just one aircraft type, the 737. I flew them whenever I could. And I thought Boeing was a great, visionary company. I hated the joy stick of Airbuses and distrusted fly-by-wire technology. I was disappointed when I realized that Sully successfully piloted an Airbus and not a Boeing onto the Hudson River. I hated even, looking at the lack of elegance in Airbus wings as I peered through their windows. And even more, I feared the wide-spread consequences of such a huge debacle for a major American company — a country in which I live and must make a living.
So, here, finally, is the honest short end of my belief system that influences my posts. Corporate culture in the United States has to change and become less greedy, more mindful of labor and more attentive to the quality of its products and not the bottom line, share-holder value, and absurd, ill-rewarded executive salaries (the fired Dennis Muilenburg will get a $60 million payout upon leaving Boeing! What an obscenity). I “believe” it’s a pathological situation that must be changed. Lives — I admit I perhaps illogically “believe” the Max actually demonstrates — count on it.
That was me.
I was not referring to other posters.
I had both the programming connection ( transplanting MCAS “idea” from the 767 to the MAX )
as well as the cargo cult ( as observed during WWII ) itself in mind.
MY interpretation of what constitutes Cargo Cult is
“doing all the outside visible things, but only those, to replicate something ( process, … ) .”
I noticed this first when Boeing tried to emulate the Airbus model of distributed design and production with the 787 project ( and starting with an A330 clone to begin with :-)).
Share value management works the same way. You do the outer shell, appearances but there is no core or cause to those indicator observations.
mimicry, wagging the dog, … all points to similar things.
UWE,
Thank you so much. I think Cargo Cult, as I explain below, is a powerful metaphor. It seems an entire system ultimately gets held hostage to its unexpected consequences. Ultimately, it seems to structure ways of thinking, contaminate everything in its path, including even the thinking of “other posters” and me myself. Today, we have become so dependent on the work of programmers organizing our lives and give so little thought to the guts that underlie everything. Maybe the entire society has been transformed into a Cargo Cult spell-bound by the magic of computers it doesn’t understand. In other words, programmers now supply the language through which we understand our world.
hello.
In a way you mix the very popular “paradigm wrapper strategy” applied in user interface presentation with cargo cult. Then, Legal IP thinking too in a way is misled ( or misconstrued ) by way of wrapping. there is no intellectual “property”. What we have is privileged ideas ( i.e. patents, trade marks, … ). … which are not tangible one off items ( stealing ~= taking possession of a tangible good and making it inaccessible to the original owner. )
Where I see applied Cargo Cult today is in the commercial world of corporations, share holders, investors who really are not, … .
paradigm wrappers can completely taint the view on things and it is difficult to avoid their effect on thinking objectively.
bloomberg.com:
According to George Ferguson, Senior Aerospace, Defense & Airlines Analyst for Bloomberg Intelligence, Boeing would incur an estimated $5 billion if pilots need to be trained on simulator before flying the MAX.
NYT:
The Boeing 737 MAX simulator market is supplied by CAE Inc., L3 Harris Technologies Inc., and Tru Simulation + Training Inc. As of January 2020, there were 34 certified MAX flight simulators worldwide.
CAE supplies 80 per cent of the world market for flight simulators and provides training services. In November 2019, anticipating a high demand for training pilots when the MAX resumes flight, CAE increased production of simulators for the Boeing 737 MAX series. Chief executive Marc Parent said: “Our assumption is that there’s obviously going to be a lot of pent-up demand when those airplanes start flying”. Increasing production before customer orders is an unusual step in this industry. As of mid-November 2019, the company had received 48 orders and delivered 23 to airlines through December.
With what kind of info are simulators’ manufacturers able to build 737 Max approved machines ???
Did Boeing already disclose all and technically approved by FAA infos ???
Seattle Times:
A manufacturing fault was also found to have affected the lightning protection foil on two panels covering the engine pylons on certain MAX aircraft manufactured between February 2018 and June 2019.
The plan is to replace the defective panels and the sealant, which has to provide electrical conductivity. This was a manufacturing defect, they are not uncommon for a complex aircraft and are handled routinely, as this one is. Also affects a limited number of aircraft. But the MAX is in the spotlight right now so every issue is brought front and center.
At least they didn’t just omit the conductive layer as done on the 787.
Lightning protection against igniting fuel is one thing.
The other is that lightning currents applied to CFRP can
cause deep and hidden damage. CFRP is just conductive enough to provide a strongly lossy ( i.e. thermally energetic ) path to lightning currents.
Uwe, on the 787, only the panels over the engines were ever protected from lightning, most of the wing was not. The engines are still protected, but the “sweep” area over the wing was removed.
The logic is that lightning tends to strike exposed points and then is swept onto the fuselage by forward motion of the aircraft. The swept area doesn’t bear the brunt of the strike.
How realistic that is depends on statistical modeling, since lightning is unpredictable. As I understand it, the FAA and Boeing are now reviewing that modeling to revisit the decision.
The main problem was that Boeing anticipated FAA approval and changed manufacturing before the ruling. Then when the ruling was negative, appealed partly based on aircraft already produced.
That wasn’t right, they should neither change manufacturing before the ruling, nor use the consequences of doing so as a basis for appeal.
I spend my days in the financial industry and a commentator I love is Matt Levine. He has a very smart take on the recent embarrassing communications coming out of Boeing:
https://www.bloomberg.com/opinion/articles/2020-01-10/keep-the-clowns-out-of-email
Here is a taste, but the whole thing is worth reading:
“The basic issue is, you are building a complicated thing, and there are lots of decisions to make, and you have lots of people involved in making those decisions, and sometimes they will disagree. One person will argue for using the size 5 widget, for safety, while another will argue for using the size 4 widget, for ease of use. Really you hope that they will frequently disagree, particularly about the hard decisions that involve real tradeoffs; if they always agree then that is a sign of bigger problems. (A lack of courage or creativity or commitment or intellectual diversity, etc.) If you hire good people who care deeply about their work, their disagreements will be passionate, and they will bring evidence and argument and rhetoric and sarcasm and hyperbole to bear to try to convince their colleagues that they are right. Using the size 5 widget would be the greatest crime against good design and common sense ever perpetrated by mankind, someone will say, if they care enough about widgets.”
I would very strongly disagree with this. To bring in hyperbole and sarcasm is an attempt to divert the argument from the relative strengths and weaknesses of various positions, by belittling the people who support positions different from yours. It moves the discussion from merit to personal rancor.
Being passionate means you commit yourself to developing the best argument possible, by doing research and developing evidence, and making the best possible case, then advocating for it strongly.
Being ethical means you acknowledge that there are strengths in other people’s viewpoints, and weaknesses in your own. Most decisions are not a slam-dunk, instead the group must decide which trade-offs are most consistent with the goal.
A case in point, the Challenger Shuttle disaster based on failure of O-rings. In the go/no go meeting the evening before, Thiokol engineers expressed their concern that at 30 degrees, blow-by would occur in the secondary o-ring, as it had previously for the primary. And if it did, there was nothing left to prevent catastrophic failure. Any blow-by of the primary, absolutely had to be contained by the secondary.
NASA engineers countered that blow-by of the primary had always sealed itself in the past, the secondary would likely do the same, and that the rocket motor design was rated for 31 degrees. Also that there had been no temperature-dependence for blow-by. They calculated that the margin of safety of the design was reduced from 2.0 to 1.5 by the colder temperatures, but still sufficient.
But very critically, that design did not allow for blow-by at all, the blow-by was waivered in as an acceptable divergence from design. As Richard Feynman and Sally Ride pointed out, the safety factor went out the window with the waiver.
So it came down to NASA asking Thiokol, what is the lower launch limit on temperature? Thiokol would not go below the previous lowest launch temperature of 53 degrees. At that point, the NASA staff became exasperated, and began criticizing and belittling the arguments of the Thiokol staff. Their anger caused the Thiokol management to overrule their own engineers, in favor of the NASA position.
Later in the Rogers commission hearings, the NASA staff said they expected Thiokol to fight back and not relent if they really thought there was a problem, just as they had done, and that they had not applied undue pressure to Thiokol. The commission rightfully called BS on that. The argument went from technical to bullying at that point, and it killed people.
Thiokol obviously adopted an overly conservative position that angered NASA, but as the commission pointed out, the real cause of the divergence was that nobody had any data for those temperatures. So the discussion should have been, we don’t know, we can’t answer the question, so we obviously can’t launch.
It was also found that sealing of the primary o-ring, as put forth in the waiver, had occurred because the zone between primary and secondary became pressurized by the primary blow-by. Thus Thiokol was right that any blow-by of the secondary would be catastrophic, and it would not similarly seal itself, because the sealing mechanism was absent.
Hello Rob
Matt makes that point in the second paragraph.
“The tone of their disagreements will probably say something about the culture of your organization. If the disagreements are passionate but respectful, if everyone acknowledges that their colleagues are brilliant and well-intentioned while disagreeing deeply on the right answer, if they can shout at each other all day while remaining friends, then that’s probably a good sign about your process.”… and if the opposite is true that is a sign of a bad process.
Investment banking has a very in-your-face culture so you need to mentally translate to engineering culture.
But the larger point is that discussion of the pros and cons is a healthy sign and there is a continuum of healthiness:
1. positive open discussion
2. discussion with signs of cynicism but points still being made
3. no discussion or just mutterings of discontent
What we see in the documents released seems to be discussion at level 2.
There is a scene in 20’th Century Jet – Making of the 777 where they are discussing the use of a fancy Al alloy for certain brackets to save weight. After a good discussion it came down to one engineer deciding they were not comfortable with the new alloy. That seemed like a healthy process.
I agree that diversity of views, and the freedom to express them openly, is a sign of health. But it depends a lot on how the discussion is conducted.
Shouting favors the blowhards, who excel at it, and leaves the more thoughtful people sidelined, whether or not they have valid information to present. It favors those who lose their tempers rather than those who keep their heads.
The way to ensure that all viewpoints are heard and evaluated fairly, is to have open and calm and civil discussion. If the discussion departs substantially from the facts at hand, that’s an unhealthy sign. It favors a lesser result than could otherwise be achieved.
I must say that I think that the flawed decision in the case of the Max was at a much higher level than arguments over rings, launch or a size 5 widget. It was whether or not to stake the future of the company on an old airplane that had been updated already too many times at a moment when aircraft technology had undergone a revolution and was rapidly evolving. It wasn’t arguments over engineering. It was greed and short sightedness.
Still, I see some of the problems you describe in the Boeing emails and even in some of these posts, which are somehow being contaminated from a distance by a corporate culture based more on perception than on belief in empirical facts and strong argument. It’s significant to see how corporate executives in the below message got convinced to act against their own interests through an argument that wasn’t one. It’s even stranger when one thinks this might be a test pilot — who should be an ultimate empiricist — writing.
August 2015
“I just Jedi mind tricked this fools. I should be given $1000 every time I take one of these calls. I save this company a sick amount of $$$$.”
“What did you convince them of?”
“To simply produce an email from me to the DCGA [an unnamed national aviation regulator] that states all the airlines and regulators that accept only the MAX CBT [basic training] to make them feel stupid about trying to require any additional training requirements
I think the misperception is that these comments were part of open discussions or strategy at Boeing. Actually they were private texts, most of them related to the simulator package that the author’s group was developing within Boeing. Many of the actual inter-Boeing emails are others at Boeing constantly complaining about that group.
Those things line up pretty well. If you have a senior guy that is thinking and talking like this, regarding others as fools and himself as superior, his department is not going to do well overall. Also if he believes that MAX transition training is not needed, the effort will go into convincing others of that, and not into developing a quality simulator on schedule and on budget. That appears to be what actually happened.
Obviously Boeing has some internal problems if things like this can go on. Other e-mails mentioned the pressure to get things done quickly. That’s not a good thing but is a pretty common corporate problem.
As far as the “old airplane” argument, the market obviously didn’t agree or there would be no sales. Even the previous generation of 737 is still being built and brought into service. It’s a proven workhorse even with an older design.
That’s not to say it couldn’t have been further improved, or that a new design wouldn’t have been better. But I don’t think you can say it’s not up to the job, or is not safe.
Some of the stuff published is nothing more than workforce patter. You find it in nigh every place.
( Most places workers are bright enough to only share around the coffee machine. with distributed workplaces this needs a virtual coffee machine like WhatsApp … 🙂
But things like “we’ve pulled the wool over customer or FAA heads, hooray” carry much more incriminating weight.
This goes against “made an error, sorry” and points at “we fully understood the implications but surmounted them by not looking”.
This is off topic, but I see an analogy in the FBI investigation of Russian interference in the 2016 election.
A few of the people involved there exchanged text messages that reflected a strong personal bias. That was pointed out as an example of why the investigation results were wrong.
But I think as here, the overall results were not wrong, but you had some people doing inappropriate things, and using their authority inappropriately. That was confirmed by the investigation into the investigation.
It’s all been turned over to the Justice Department. There may be criminal actions with regard to the texters, and also within Boeing if it can be shown these people were ordered to deceive others, and that it was company policy to do so.
I also thought about the Russia investigation, but didn’t want to reference it because this is not a site for politics. I followed it closely and read lavish amounts of conspiracy reporting in the left-wing press about it and thought Mueller’s report would be devastating. I was very wrong. Still, I’m not sure what all of the reports led me to be wrong about. Was it the power and charge of the special prosecutor? Was it the acts of the attorney general? Meanwhile, anyone who has been close to the workings of government knows that the truth is often far more ominous and disturbing than what lies on the surface and can be easily known. The truth, for the most part, in this case as well, is hidden in plain sight. I believe that. But, it doesn’t really matter to those for whom the object of the investigation is doing what they want him to do. And the investigation was improperly used to stop him from doing that. Which is wrong.
But this relates to the shady world and intrigue of the intelligence community and not the working of an Aerospace giant charged with producing a safe means of technologically advanced transportation in a highly competitive environment. Of course, much more will come out. The lives of people depend on it … and the wealth of shareholders. But, why is everything, now, so opaque? In most crashes, everything seems to be known in a few days or hours. Take for instance the downing of the plane in Iran, a highly charged geo-political environment. And I think that within a few months, everything was known about the Max, but spin and disinformation have made things opaque because the crisis facing the company is huge and will have an impact for decades. I suggested earlier that the Max now, is acting in this “plot” like a McGuffin. What I meant by this is that it is distracting attention, while spin props up shareholder value and Boeing desperately tries to figure out how to disentangle itself from a mess caused by bad, decades-old corporate decisions.
RealSteve, the opaqueness is caused by the fact that we still don’t have an official ruling from the regulators, apart from the FAA directives that emerged after the Lion Air accident, the grounding that occurred after the Ethiopian accident, and the directive for Boeing to detect an internal fault in the FCC, which resulted in the dual-master reconfiguration.
So at this point, officially Boeing is mandated to correct the problems with MCAS, which it has tried to do but has not yet been officially tested. And to implement fault detection in the FCC, which it has tried to do but again is waiting to be officially tested.
We know the current hold-up is the software audit. But it’s still not clear what further remedial actions may be required for RTS, after the audit and testing are complete.
In other accidents, the focus has been on the known causes of the accident, which generally can be addressed quickly. In the MAX accidents, the scope has become far broader than that. Whether that was done fairly or unfairly, it’s difficult for Boeing to respond, make progress or take the needed actions, with that degree of opaqueness.
So we are all equally in the dark and equally must wait for the regulators to decide the next steps.
I was actually thinking about the probable test pilot’s “personal” message, that bragged about using an email message that revealed “all the airlines and regulators that accept only the MAX CBT to make them feel stupid about trying to require any additional training requirements” as a way of making what should be an empirical argument and going into why Max pilots don’t need additional training. (This, by the way, proved to be empirically, tragically, and horrifically false — despite the market’s desire for the airplane. And Boeing now seems to agree that pilots do, indeed, need more training to fly the Max).
I think they used to call this the “bandwagon” approach. And it’s akin to circular reasoning or saying something like the “engineers at Boeing are trained professionals or good people, so the Max …”. Or, I think that the idea “the market obviously didn’t agree” is this type of argument. The market could be wrong, or there could be pathologies in the market driving it to work in a certain way. I will dare opening a can of worms by thinking here about the way Bill Gates made “the market” dependent on his original DOS box despite its inadequacies.
As for Cargo Cult, I was thinking about it while walking my dog this morning. First of all, I do appreciate your etymology. The word has interesting if not somewhat racist origins, along with a similar term presented in Wikipedia, “voodoo programming.” This on its own tells us a lot about diversity in the field that we also will not go into here. Still, I like the way it works as an organizing metaphor, or like a string of code.
Cargo Cult engineering could apply to the original decision to shove the LEAP engines onto the 737 rather than develop a new aircraft. It was a bad decision that had serious ramifications. It forced competent engineers into the position of rationalizing a corporate decision and putting out fires on all kinds of cascading problems.
Or, I can think of the MCAS software as a response to the aerodynamic problems produced by the engines. There are all kinds of arguments about this, but there is a clear issue. The Max is grounded and after more than a year, engineers have not produced and successfully tested and announced a safe, workable solution to the original, cascading problem.
I have to admit that I still think (and you make beautifully written and compelling counter-arguments using information that no one else seems to really have), perhaps very erroneously, that MCAS is a work of Cargo Programming.
I use the term loosely here. I see MCAS as a decision that could be “rationalized” or argued for by good engineers in a contemporary environment of Fly By Wire technology. But things that I’ve read tell me that it sits within a physical system that was not originally designed to handle this type of cutting-edge programming. There are cascading problems involving the authority of the elevators; the rapid response of an inadequately designed “grandfathered in” stabilizer system; the antiquated, inadequate working of the trim wheels; pilot training and pilot response time; a dense, cramped hybrid cockpit sending off contradictory alarms; and an old-fashioned FCC not originally designed with the high level of redundancy and computational capacity that makes such tweaks to aerodynamics easy in a Fly By Wire system with a redundant modern computer system but a cascading headache with the robust but obsolete computers in the 737 Max.
The notion of Cargo Cult engineering organizes how I imagine the problem. It explains all of the rumors, employee banter and original newspaper reporting. It can even help explain the noble efforts of well-intentioned commenters and company executives who still feel that the effects of the original Trojan horse lying marginally in an otherwise robust and tried-and-true system can be creatively and elegantly handled by lines of well-written code that cover up or respond to something that is still tirelessly working its cascading “deep magic” within the patched-up system.
RealSteve, all of the points you’ve raised above have been answered at one point or another, some of them multiple times. It’s clear that you don’t accept those answers, as you keep returning to the same points.
So I think your position is locked-in, and we just have to let events play out to see whether your viewpoint is upheld by the facts and the regulators.
Rob,
The points have been responded to, not definitively answered. My position is not “locked in” so much as it continues to be tainted by an ethic of suspicion. Forgive the repetition. It seems we both have narratives (not necessarily facts) that make the parts (known and unknown) fit. Still, your patient responses have enabled me to see and work through the logic of what is so fascinating and unsettling about this issue no matter the outcome.
Trojan horse.
Nice image.
A DIY Trojan horse that Boeing raised behind their walls. Another image is one of people taking their burning charcoal grill into the living room because it is so nice and cosy. (Range of accidental death here by way of CO poisoning.)