737-Max 8 safety concerns
#271
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,507
If that's what you think, that you most certainly have misunderstood me.
Two completely separate issues.
1. Why did the unscheduled MCAS activations occur?
2. Why were two of the three properly trained and experienced crews unable to successfully land after the unscheduled MCAS activations?
The media, and almost all of the posters in these threads, are only interested in the first.
Two completely separate issues.
1. Why did the unscheduled MCAS activations occur?
2. Why were two of the three properly trained and experienced crews unable to successfully land after the unscheduled MCAS activations?
The media, and almost all of the posters in these threads, are only interested in the first.
Unless, of course, agencies other than the FAA disagree with that. Which may very well happen.
#272
A FlyerTalk Posting Legend
Join Date: Feb 2000
Location: Cambridge
Posts: 63,623
If that's what you think, that you most certainly have misunderstood me.
Two completely separate issues.
1. Why did the unscheduled MCAS activations occur?
2. Why were two of the three properly trained and experienced crews unable to successfully land after the unscheduled MCAS activations?
The media, and almost all of the posters in these threads, are only interested in the first.
Two completely separate issues.
1. Why did the unscheduled MCAS activations occur?
2. Why were two of the three properly trained and experienced crews unable to successfully land after the unscheduled MCAS activations?
The media, and almost all of the posters in these threads, are only interested in the first.
That's true.
And also unfair.
If the 737-Max can only be saved by a minority of trained flight crews when the poorly-designed/implemented MCAS software kicks in, that means the 737-Max is unsafe for commercial aviation.
Boeing should be held responsible for the poor assumptions and bad design which allowed such an unsafe aircraft to be sold.
The fact that tens of thousands of flights were safely completed doesn't alter the fact that the 737-Max has a critical design flaw (software) that makes it unacceptable for use in passenger travel.
#273
Join Date: Feb 2002
Location: BNA
Programs: HH Gold. (Former) UA PP, DL PM, PC Plat
Posts: 8,184
If someone said, for example, that the original MCAS design is fine as-is and shouldn't be changed I'd disagree with them but that is not what people have been posting.
#274
FlyerTalk Evangelist
Join Date: Nov 2009
Location: SEA (the REAL Washington); occasionally in the other Washington (DCA area)
Programs: DL PM 1.57MM; AS MVPG 100K
Posts: 21,373
I spent three years in Boeing Commercial Flight Test (analysis engineer, operations engineer, and Test Director), another 18 in systems integration and test program planning on the military side of the company, and about as many leading and supporting development of systems engineering and technical management policy/guidance for the USAF and DoD
while I have no direct knowledge of anything that went into the initial 737MAX design, development, analysis, testing, training, and certification, I'm confident that Boeing, the FAA, and other worldwide regulatory authorities have been working assiduously to dissect their technical and oversight processes, as well as the actual physical and digital artifacts, in their efforts to develop and verify the necessary changes BEFORE they allow the jet to return to passenger service
moreover, I'm sure that they are extremely conscious of the power of internet-enabled public opinion that is seldom willing to wait for facts to emerge
#275
Join Date: Jun 2012
Programs: FB, M&B, UA, AA
Posts: 2,489
In the memory items (completely quickly from memory) in both the UNRELIABLE AIRSPEED and STABILIZER RUNAWAY checklists are steps to disengage the autothrottles. This keeps you from getting into such a high-speed condition that you can't manually operate the stabilizer without unloading.
.....
The primary electric trim switches override MCAS activation and are fully functional for returning the stabilizer to a trimmed-state after each MCAS activation. The Ethiopian Captain did this through 21 MCAS activations which would have taken roughly 2:30 to 3:00 minutes. This isn't a "procedures", it is what a pilot does everytime the airplane he's flying becomes out of trim. It happens many dozens of times on every flight.
.
.....
The primary electric trim switches override MCAS activation and are fully functional for returning the stabilizer to a trimmed-state after each MCAS activation. The Ethiopian Captain did this through 21 MCAS activations which would have taken roughly 2:30 to 3:00 minutes. This isn't a "procedures", it is what a pilot does everytime the airplane he's flying becomes out of trim. It happens many dozens of times on every flight.
.
#276
Join Date: Feb 2002
Location: BNA
Programs: HH Gold. (Former) UA PP, DL PM, PC Plat
Posts: 8,184
Mr. LarryJ, with all due respect. 21 MCAS activations? Wasn't that the Lionair case? Not the Ethiopian case? How can we trust your view as almost the only one in this thread that suggests in the end the almost 350 death was fully or mainly pilot error, if you yourself make these kind errors in presentation?
If that mistake is enough to make everything I write suspect then your standard must certainly disqualify nearly every media report and opinion we've seen posted or reported.
Yours as well, since my view is not that the cause of the accidents is "fully or mainly pilot error". See post #270 .
#277
Join Date: Jun 2012
Programs: FB, M&B, UA, AA
Posts: 2,489
Can I respectfully disagree? Maybe 10% of the media reports and the post in this thread made such obvious errors of fact? Do not get me wrong, I certainly accept that people can put in the wrong airline name when typing in a hurry, and I appreciate your quick acknowledgmen of this highly. This is the proper standard of having discussions like this, again appreciated. But then to jump to the conclusion that all internet posts on the B737MAX data are to be disqualified....seems a bit of a bridge too far for me.
#278
Join Date: May 2009
Location: South Park, CO
Programs: Tegridy Elite
Posts: 5,678
while I have no direct knowledge of anything that went into the initial 737MAX design, development, analysis, testing, training, and certification, I'm confident that Boeing, the FAA, and other worldwide regulatory authorities have been working assiduously to dissect their technical and oversight processes, as well as the actual physical and digital artifacts, in their efforts to develop and verify the necessary changes BEFORE they allow the jet to return to passenger service
moreover, I'm sure that they are extremely conscious of the power of internet-enabled public opinion that is seldom willing to wait for facts to emerge
moreover, I'm sure that they are extremely conscious of the power of internet-enabled public opinion that is seldom willing to wait for facts to emerge
The thing is, the more facts emerged about this, they generally only made things look worse for Boeing and the FAA. And as we've seen, concerns have been not just from the public but from some airline pilots and others in the industry.
#279
FlyerTalk Evangelist
Join Date: Nov 2009
Location: SEA (the REAL Washington); occasionally in the other Washington (DCA area)
Programs: DL PM 1.57MM; AS MVPG 100K
Posts: 21,373
Unfortunately, most everyone had confidence that all of the above had taken place before the MAX was certified and fielded in the first place. Whether they have succeeded this time remains to be seen, as no regulatory agency has yet approved its return to service.
The thing is, the more facts emerged about this, they generally only made things look worse for Boeing and the FAA. And as we've seen, concerns have been not just from the public but from some airline pilots and others in the industry.
The thing is, the more facts emerged about this, they generally only made things look worse for Boeing and the FAA. And as we've seen, concerns have been not just from the public but from some airline pilots and others in the industry.
there are probably two dozen reasons for that decay that people with actual knowledge of the corporate environment could cite; there are also probably two hundred reasons that armchair analysts, engineers, managers, and bloggers have already cited
that said, it seems that Boeing, FAA, customer airline, and international regulatory leadership are starting to acknowledge that, whatever the reasons and whatever the associated clamor, they’re not yet on the glide slope to fully recovering their reputation
#280
A FlyerTalk Posting Legend
Join Date: Feb 2000
Location: Cambridge
Posts: 63,623
In what way is that relevant to your effort to address "misunderstandings, inaccurate media reports, and unsubstantiated conclusions"?
Given your experience as a pilot, I don't feel I'm qualified to question your assertions about the appropriate and expected pilot response.
Unless you have decades of experience configuring and optimizing automation software, I would think you lack the qualifications to address whether MCAS is a piece of crap software that never should have passed a QA team.
while I have no direct knowledge of anything that went into the initial 737MAX design, development, analysis, testing, training, and certification, I'm confident that Boeing, the FAA, and other worldwide regulatory authorities have been working assiduously to dissect their technical and oversight processes, as well as the actual physical and digital artifacts, in their efforts to develop and verify the necessary changes BEFORE they allow the jet to return to passenger service
That's why it's wrong to claim that the 737 Max only "had" a critical design flaw. It still does.
I disagree with your "correction".
Whatever software changes Boeing is developing/testing - it is not currently approved or deployed. Therefore the present tense is appropriate.
As of this moment, every Boeing 737 Max HAS a critical design flaw (software) that MAKES it unacceptable for use in passenger travel.
It would only be appropriate to use the past-tense after FAA and other regulatory agencies approve Boeing's proposed changes and it's actually deployed. Trying to put the failure into the past is inappropriate at this time.
I would refer you to VW's attempts to "fix" their E190 diesel engine in the past. In the end, VW couldn't provide a fix that would make their diesel engine clean enough to meet American EPA standards, although they were able to do so for the more-lax EU standards.
A company which covered up a design flaw pledged to fix the flaw, but it was beyond their capabilities. It was simply not viable.
It's possible that regulators reject Boeing's proposed fix but instead demand that MCAS be removed entirely and that pilots be re-trained to handle the different characteristics of the 737 Max.
As a personal opinion, I think that's the best course of action to restore trust.
Last edited by Plato90s; Jun 1, 2019 at 3:22 pm
#281
Join Date: Feb 2002
Location: BNA
Programs: HH Gold. (Former) UA PP, DL PM, PC Plat
Posts: 8,184
If true, why are autopilots similarly designed to use only single-source inputs for all operations other than autolands? Why is that okay but a single-source to MCAS is not?
#282
A FlyerTalk Posting Legend
Join Date: Feb 2000
Location: Cambridge
Posts: 63,623
1) the pilot is fully trained on how the autopilot is suppose to work
2) the automation software is configured to alert the pilot when there's unexpected values
3) the automation functions within well documented and well understood parameters by both the operator (pilot) and the regulator (FAA)
All 3x of these factors are NOT applicable when it comes to MCAS
1) the pilot is specifically NOT trained on MCAS because it was a secret
2) the automation software is configured to NOT provide any alerts to the pilot when there's unexpected values
3) the automation functions within a secret regime which 737 Max pilots were not informed of and apparently not even the FAA was fully aware of
When it comes to software which is designed to act unattended (no operator input expected), the threshold for action should be higher and the action should have inherent limits (# of activations should be capped) and the software architect should be aware of failure conditions.
MCAS fails every one of those criteria.
#283
Join Date: Jul 2013
Location: DAY/CMH
Programs: UA MileagePlus
Posts: 2,474
I'd think this issue could be easily trained for, but it does seem like a reason for the MCAS to be able to handle AOA-sensor failures better.
#284
A FlyerTalk Posting Legend
Join Date: Feb 2000
Location: Cambridge
Posts: 63,623
NY Times coverage from today, June 1st
https://www.nytimes.com/2019/06/01/b...max-crash.html
(bolding mine)
So it seems the original build of MCAS was suitable.
It relied on dual inputs and it was a edge-case tools only - something to use only in extreme emergency.
Retasking that emergency-only system for routine-use without realizing the implication is why, IMO, Boeing deserves the blame/responsibility for those 2x crashes.
https://www.nytimes.com/2019/06/01/b...max-crash.html
A year before the plane was finished, Boeing made the system more aggressive and riskier. While the original version relied on data from at least two types of sensors, the ultimate used just one, leaving the system without a critical safeguard. In both doomed flights, pilots struggled as a single damaged sensor sent the planes into irrecoverable nose-dives within minutes, killing 346 people and prompting regulators around the world to ground the Max.
...
At first, MCAS — Maneuvering Characteristics Augmentation System — wasn’t a very risky piece of software. The system would trigger only in rare conditions, nudging down the nose of the plane to make the Max handle more smoothly during high-speed moves. And it relied on data from multiple sensors measuring the plane’s acceleration and its angle to the wind, helping to ensure that the software didn’t activate erroneously.
Then Boeing engineers reconceived the system, expanding its role to avoid stalls in all types of situations. They allowed the software to operate throughout much more of the flight. They enabled it to aggressively push down the nose of the plane. And they used only data about the plane’s angle, removing some of the safeguards.
....
The current and former employees, many of whom spoke on the condition of anonymity because of the continuing investigations, said that after the first crash, they were stunned to discover MCAS relied on a single sensor.
“That’s nuts,” said an engineer who helped design MCAS.
“I’m shocked,” said a safety analyst who scrutinized it.
“To me, it seems like somebody didn’t understand what they were doing,” said an engineer who assessed the system’s sensors.
...
At first, MCAS — Maneuvering Characteristics Augmentation System — wasn’t a very risky piece of software. The system would trigger only in rare conditions, nudging down the nose of the plane to make the Max handle more smoothly during high-speed moves. And it relied on data from multiple sensors measuring the plane’s acceleration and its angle to the wind, helping to ensure that the software didn’t activate erroneously.
Then Boeing engineers reconceived the system, expanding its role to avoid stalls in all types of situations. They allowed the software to operate throughout much more of the flight. They enabled it to aggressively push down the nose of the plane. And they used only data about the plane’s angle, removing some of the safeguards.
....
The current and former employees, many of whom spoke on the condition of anonymity because of the continuing investigations, said that after the first crash, they were stunned to discover MCAS relied on a single sensor.
“That’s nuts,” said an engineer who helped design MCAS.
“I’m shocked,” said a safety analyst who scrutinized it.
“To me, it seems like somebody didn’t understand what they were doing,” said an engineer who assessed the system’s sensors.
So it seems the original build of MCAS was suitable.
It relied on dual inputs and it was a edge-case tools only - something to use only in extreme emergency.
Retasking that emergency-only system for routine-use without realizing the implication is why, IMO, Boeing deserves the blame/responsibility for those 2x crashes.
#285
Join Date: Feb 2002
Location: BNA
Programs: HH Gold. (Former) UA PP, DL PM, PC Plat
Posts: 8,184
The reason why I see the autopilot has a higher risk is that it has direct control of all of the primary flight controls. An A/P hard-over happens quickly and requires an immediate pilot response. MCAS affects only pitch and only indirectly. It's activation is relatively slow and can be stopped by and overridden by primary trim or stopped with the stab trim disconnect.