tmiw

Speaking of (2), apparently there's not going to be any additional training to help the 1/3 who couldn't: https://www.cnn.com/2019/05/30/polit...tor/index.html.

Unless, of course, agencies other than the FAA disagree with that. Which may very well happen.

Plato90s

And it seems you are very interested in the latter while dismissing the first question, in effect taking Boeing off the hook by focusing on how the pilots *could* have saved the passengers from Boeing's design mistake.

That's true.

And also unfair.



If the 737-Max can only be saved by a minority of trained flight crews when the poorly-designed/implemented MCAS software kicks in, that means the 737-Max is unsafe for commercial aviation.

Boeing should be held responsible for the poor assumptions and bad design which allowed such an unsafe aircraft to be sold.

The fact that tens of thousands of flights were safely completed doesn't alter the fact that the 737-Max has a critical design flaw (software) that makes it unacceptable for use in passenger travel.

LarryJ

I have been addressing misunderstandings, inaccurate media reports, and unsubstantiated conclusions.

If someone said, for example, that the original MCAS design is fine as-is and shouldn't be changed I'd disagree with them but that is not what people have been posting.

jrl767

fixed that for you

I spent three years in Boeing Commercial Flight Test (analysis engineer, operations engineer, and Test Director), another 18 in systems integration and test program planning on the military side of the company, and about as many leading and supporting development of systems engineering and technical management policy/guidance for the USAF and DoD

while I have no direct knowledge of anything that went into the initial 737MAX design, development, analysis, testing, training, and certification, I'm confident that Boeing, the FAA, and other worldwide regulatory authorities have been working assiduously to dissect their technical and oversight processes, as well as the actual physical and digital artifacts, in their efforts to develop and verify the necessary changes BEFORE they allow the jet to return to passenger service

moreover, I'm sure that they are extremely conscious of the power of internet-enabled public opinion that is seldom willing to wait for facts to emerge

atflyer

Mr. LarryJ, with all due respect. 21 MCAS activations? Wasn't that the Lionair case? Not the Ethiopian case? How can we trust your view as almost the only one in this thread that suggests in the end the almost 350 death was fully or mainly pilot error, if you yourself make these kind errors in presentation?

LarryJ

That's correct. I typed the wrong airline name.

If that mistake is enough to make everything I write suspect then your standard must certainly disqualify nearly every media report and opinion we've seen posted or reported.

Yours as well, since my view is not that the cause of the accidents is "fully or mainly pilot error". See post #270 .

atflyer

Can I respectfully disagree? Maybe 10% of the media reports and the post in this thread made such obvious errors of fact? Do not get me wrong, I certainly accept that people can put in the wrong airline name when typing in a hurry, and I appreciate your quick acknowledgmen of this highly. This is the proper standard of having discussions like this, again appreciated. But then to jump to the conclusion that all internet posts on the B737MAX data are to be disqualified....seems a bit of a bridge too far for me.

84fiero

Unfortunately, most everyone had confidence that all of the above had taken place before the MAX was certified and fielded in the first place. Whether they have succeeded this time remains to be seen, as no regulatory agency has yet approved its return to service.

The thing is, the more facts emerged about this, they generally only made things look worse for Boeing and the FAA. And as we've seen, concerns have been not just from the public but from some airline pilots and others in the industry.

jrl767

Plato90s

I have been addressing the fact that Boeing made fundamental errors in automation software design which endangers the aircraft.

In what way is that relevant to your effort to address "misunderstandings, inaccurate media reports, and unsubstantiated conclusions"?

Given your experience as a pilot, I don't feel I'm qualified to question your assertions about the appropriate and expected pilot response.

Unless you have decades of experience configuring and optimizing automation software, I would think you lack the qualifications to address whether MCAS is a piece of crap software that never should have passed a QA team.
True, and all of that is in the FUTURE.

That's why it's wrong to claim that the 737 Max only "had" a critical design flaw. It still does.
I disagree with your "correction".

Whatever software changes Boeing is developing/testing - it is not currently approved or deployed. Therefore the present tense is appropriate.

As of this moment, every Boeing 737 Max HAS a critical design flaw (software) that MAKES it unacceptable for use in passenger travel.

It would only be appropriate to use the past-tense after FAA and other regulatory agencies approve Boeing's proposed changes and it's actually deployed. Trying to put the failure into the past is inappropriate at this time.



I would refer you to VW's attempts to "fix" their E190 diesel engine in the past. In the end, VW couldn't provide a fix that would make their diesel engine clean enough to meet American EPA standards, although they were able to do so for the more-lax EU standards.

A company which covered up a design flaw pledged to fix the flaw, but it was beyond their capabilities. It was simply not viable.

It's possible that regulators reject Boeing's proposed fix but instead demand that MCAS be removed entirely and that pilots be re-trained to handle the different characteristics of the 737 Max.

As a personal opinion, I think that's the best course of action to restore trust.

LarryJ

If true, why are autopilots similarly designed to use only single-source inputs for all operations other than autolands? Why is that okay but a single-source to MCAS is not?

Plato90s

Based on my (limited) knowledge of aeronautic software, I would speculate it's because

1) the pilot is fully trained on how the autopilot is suppose to work
2) the automation software is configured to alert the pilot when there's unexpected values
3) the automation functions within well documented and well understood parameters by both the operator (pilot) and the regulator (FAA)


All 3x of these factors are NOT applicable when it comes to MCAS

1) the pilot is specifically NOT trained on MCAS because it was a secret
2) the automation software is configured to NOT provide any alerts to the pilot when there's unexpected values
3) the automation functions within a secret regime which 737 Max pilots were not informed of and apparently not even the FAA was fully aware of



When it comes to software which is designed to act unattended (no operator input expected), the threshold for action should be higher and the action should have inherent limits (# of activations should be capped) and the software architect should be aware of failure conditions.

MCAS fails every one of those criteria.

ajGoes

I can venture an opinion here. When the autopilot fails, the pilot identifies the failure, disables the system, and hand-flies the plane — which handles exactly as it always does. An MCAS failure changes the feel of the elevator in very high angle-of-attack situations. An accidental stall becomes slightly more likely as the pilot could over-control by pulling the stick back against less-than-expected resistance. After all, keeping predictable resistance ​​against pulling back the stick is the purpose of the MCAS.

I'd think this issue could be easily trained for, but it does seem like a reason for the MCAS to be able to handle AOA-sensor failures better.

Plato90s

NY Times coverage from today, June 1st

https://www.nytimes.com/2019/06/01/b...max-crash.html
(bolding mine)

So it seems the original build of MCAS was suitable.

It relied on dual inputs and it was a edge-case tools only - something to use only in extreme emergency.

Retasking that emergency-only system for routine-use without realizing the implication is why, IMO, Boeing deserves the blame/responsibility for those 2x crashes.

LarryJ

Was it you who posted about DO-178C some weeks ago?

The reason why I see the autopilot has a higher risk is that it has direct control of all of the primary flight controls. An A/P hard-over happens quickly and requires an immediate pilot response. MCAS affects only pitch and only indirectly. It's activation is relatively slow and can be stopped by and overridden by primary trim or stopped with the stab trim disconnect.