737-Max 8 safety concerns
#286
A FlyerTalk Posting Legend
Join Date: Feb 2000
Location: Cambridge
Posts: 63,623
I doubt it since I have no idea what those character-combinations signify.
From a software perspective, I can tell you that a powerful piece of software which is well understood and has operator interfaces like autopilot is far less of a risk than malware which is designed to evade attention and operate without notification.
Quote:
The reason why I see the autopilot as having a higher risk is that it has direct control of all of the primary flight controls. An A/P hard-over happens quickly and requires an immediate pilot response. MCAS affects only pitch and only indirectly. Its activation is relatively slow and can be stopped and overridden by primary trim, or stopped with the stab trim disconnect.
Consider this as a parallel.
Virtually every major bank uses a scheduler program to run its overnight batch cycles which reconcile all the transactions of the prior business day. Deposits, transfers, debits, etc. are all collated, processed, reported, etc. It's an enormously powerful piece of software that's highly complex and it has pretty much all the authority that the CEO of the bank has - similar to autopilot. Because it's so powerful, the scheduler is also tightly scrutinized, heavily monitored, and has well defined procedures to hold specific jobs, rerun others, etc. Large institutions would have runbooks of hundreds of pages dedicated to that overnight-processing scheduler. The monitoring team has gone through literally thousands of different error conditions over the last few years and they've never actually lost any money or caused the entire system to melt down.
That's not risky. It's a well understood and well documented part of the normal operating procedure of the bank. The software is powerful but under control.
In that context, MCAS would be software written by a small team of compliance folks who didn't bother telling the other business units they were doing this. It'd run silently because compliance decided it'd be best if the overnight-operators weren't made aware that compliance was monitoring certain transactions. But the program can, with some bad input, decide to hold specific transactions from going through. That's all it can do, which is very limited in power compared to the massive scheduler software.
Then one day, the entire process crashes and nobody can access their money because of some unknown hold on a bunch of transfers. The team frantically searches for the root cause. Turns out it was that compliance program that decided to strangle the institution, and it was because the certificate expired on the software and nobody thought about that failure scenario (which actually happens frequently). Without valid data, the compliance program placed a lock on specific transactions, which puts the institution into a death-dive. Now the regulators are freaking out, retail customers are angry as heck, etc.
So, which is riskier? The powerful but well documented/understood scheduler or the secret undisclosed compliance-program?
The secret program acting as malware is the far, far, far riskier one.
#287
Join Date: Feb 2002
Location: BNA
Programs: HH Gold. (Former) UA PP, DL PM, PC Plat
Posts: 8,184
MCAS is DAL C, as is the autoflight system, which is why they use single-source inputs.
#288
A FlyerTalk Posting Legend
Join Date: Feb 2000
Location: Cambridge
Posts: 63,623
Umm, okay. I definitely didn't reference that software-spec standard. You're thinking of someone else entirely.
With regards to MCAS's designation level by FAA, I'd note that the NY Times coverage cited the MCAS-trigger as "hazardous" which is class B, not C. Do you have information which suggests that the press coverage is wrong?
Quote:
Boeing engineers did consider such a possibility in their safety analysis of the original MCAS. They classified the event as “hazardous,” one rung below the most serious designation of catastrophic, according to two people
Which matches earlier coverage
https://www.theverge.com/2019/5/2/18...error-mcas-faa
Quote:
MCAS received a “hazardous failure” designation. This meant that, in the FAA’s judgment, any kind of MCAS malfunction would result in, at worst, “a large reduction in safety margins” or “serious or fatal injury to a relatively small number of the occupants.” Such systems, therefore, need at least two levels of redundancy, with a chance of failure less than 1 in 10 million.
MCAS, however, does not meet any of these standards.
If class "C" means single-source input is acceptable but the FAA issued the classification of "B" to what the FAA believed was true about MCAS, that means Boeing is even MORE guilty.
Not only did Boeing submit incorrect/false information to get the rating - they failed to actually meet the actual rating.
I would speculate that Boeing gave the FAA documentation that claimed that MCAS was still the original design - using both AoA as well as the acceleration-sensor so that the dual-input criteria was met.
In reality, Boeing not only increased the dangers posed by MCAS by permitting it to make much, much, much bigger changes - they also removed the redundancy in sensor input.
The re-conceived MCAS should, IMO, be classified as level A.
It's a rating which is deserved given there were indeed 2x catastrophic kill-everyone crashes.
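The single-source versus dual-input argument in the post above, written out as a small gating function. This is an added illustration and not part of the original thread; it is not Boeing's, the FAA's, or any certified system's logic, and the activation threshold, disagreement tolerance, and staleness limit are hypothetical placeholders. It also models the failure mode from the bank analogy in #286: when the input data stops being valid, the function stands down instead of acting on whatever is left.

```python
"""Input gating for an automatic control function fed by redundant sensors.

Added illustration for the thread's single-source vs dual-input argument.
It is not Boeing's, the FAA's, or any certified system's logic; the
trigger threshold, tolerance and staleness limit are hypothetical values.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    NO_ACTION = "inputs below trigger; do nothing"
    COMMAND = "command nose-down stabilizer trim"
    INHIBIT_INVALID = "inhibit: an input is invalid or stale"
    INHIBIT_DISAGREE = "inhibit: sources disagree; annunciate to crew"
    INHIBIT_PILOT = "inhibit: pilot is trimming"


@dataclass(frozen=True)
class AoaSample:
    value_deg: float   # angle of attack reported by one vane
    valid: bool        # the sensor's own validity flag
    age_s: float       # seconds since the sample was produced


TRIGGER_DEG = 12.0      # hypothetical activation threshold
MAX_DISAGREE_DEG = 5.5  # hypothetical allowed split between the two vanes
MAX_AGE_S = 0.5         # hypothetical staleness limit


def usable(s: AoaSample) -> bool:
    """A sample is usable only if its source flags it valid and it is fresh."""
    return s.valid and s.age_s <= MAX_AGE_S


def single_source_gate(left: AoaSample) -> Decision:
    """Gate that trusts one vane: a single bad reading drives the control."""
    if not usable(left):
        return Decision.INHIBIT_INVALID
    return Decision.COMMAND if left.value_deg >= TRIGGER_DEG else Decision.NO_ACTION


def dual_source_gate(left: AoaSample, right: AoaSample,
                     pilot_trim_active: bool = False) -> Decision:
    """Gate that requires two usable, agreeing vanes before it acts.

    Every failed precondition resolves to an inhibit, never to a command:
    losing valid data is a reason to stand down, not to act on what is left.
    """
    if pilot_trim_active:
        return Decision.INHIBIT_PILOT
    if not (usable(left) and usable(right)):
        return Decision.INHIBIT_INVALID
    if abs(left.value_deg - right.value_deg) > MAX_DISAGREE_DEG:
        return Decision.INHIBIT_DISAGREE
    both_high = min(left.value_deg, right.value_deg) >= TRIGGER_DEG
    return Decision.COMMAND if both_high else Decision.NO_ACTION


if __name__ == "__main__":
    # Constructed samples: one vane reports a bogus 20 degrees, the other 4.
    bad_left = AoaSample(20.0, True, 0.1)
    good_right = AoaSample(4.0, True, 0.1)
    print("single-source:", single_source_gate(bad_left).value)
    print("dual-source:  ", dual_source_gate(bad_left, good_right).value)
```

With one vane reading a bogus high value, the single-source gate commands trim while the dual-source gate inhibits and flags the disagreement; an invalid or stale sample on either side also produces an inhibit rather than a command.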
#289
Join Date: Aug 2014
Location: 42.1% in PDX , 49.9% in PVG & 8% in the air somewhere
Programs: Marriott Ambassador Elite, UA 1K, AS MVP GLD 75K, DL Pt
Posts: 1,086
NY Times coverage from today, June 1st
https://www.nytimes.com/2019/06/01/b...max-crash.html
(bolding mine)
So it seems the original build of MCAS was suitable.
It relied on dual inputs and it was an edge-case tool only - something to use only in extreme emergency.
Retasking that emergency-only system for routine-use without realizing the implication is why, IMO, Boeing deserves the blame/responsibility for those 2x crashes.
Required reading for anyone, LOL
#290
Join Date: Feb 2002
Location: BNA
Programs: HH Gold. (Former) UA PP, DL PM, PC Plat
Posts: 8,184
I'm back at work today so don't have time to get into more detail now.
#291
FlyerTalk Evangelist
Join Date: Nov 2004
Location: ORD
Programs: UA 1K
Posts: 16,901
My speculation? The Max will never fly again and it may bring down Boeing with it. Every day a new piece of dirt comes out. From the best to the worst. Really sad.
#292
FlyerTalk Evangelist
Join Date: Jan 2014
Location: San Diego, CA
Programs: GE, Marriott Platinum
Posts: 15,508
I think Boeing's death is unlikely, but it is possible that the MAX is only allowed to fly in the US for the foreseeable future (with future US orders drying up due to its poor reputation).
#293
FlyerTalk Evangelist
Join Date: Nov 2004
Location: ORD
Programs: UA 1K
Posts: 16,901
I think this is beyond the Max. I know we all have short memories but the bad Boeing press is unbelievable. Hard to recover from.
#294
FlyerTalk Evangelist
Join Date: Nov 2013
Location: Los Angeles
Posts: 12,598
The thing with the slat rails is only news because there are already reporters watching the max closely. Supplier issues aren't unusual in aerospace and there are mechanisms for addressing them that are being used to address this one - the fan blade and uncontained engine failure in the CFM engines on WN1380 was a much broader reaching and probably more safety critical event than the slat rails and it's essentially completely blown over, even though there are still many thousands of engines of the same type out there that didn't fully contain the fan blade failure.
Worst case from an airworthiness point of view is that it gets declared a distinct type and needs its own rating to fly, causing logistical problems at the airlines using it for a while. From a marketing perspective, it might get a new name.
#295
Join Date: Feb 2006
Posts: 545
Would be a different matter if there were several aircraft in the same situation and there was too much to remember. But at the moment it's very simple to remember from the flyer point of view. "No 737 MAX 8".
Boeing will need to kill this product brand one way or another.
#296
FlyerTalk Evangelist
Join Date: Nov 2013
Location: Los Angeles
Posts: 12,598
MD11s hardly even got mention after Swissair 111
MD80s and AS survived AS261
Airbus survived AF296 and AA587
#297
Join Date: Jun 2014
Location: Madison, AL
Posts: 195
Some more bad news for the 737Max that also affects some 737NG models: https://www.msn.com/en-us/money/comp...cid=spartandhp Short summary, Boeing has notified the FAA of a manufacturing problem with the leading edge slats on 133 NG models and 179 Max models.
#298
formerly smoaky
Join Date: Jan 2018
Posts: 303
Quote:
Some more bad news for the 737Max that also affects some 737NG models: https://www.msn.com/en-us/money/comp...cid=spartandhp Short summary, Boeing has notified the FAA of a manufacturing problem with the leading edge slats on 133 NG models and 179 Max models.
#299
FlyerTalk Evangelist
Join Date: Feb 2003
Location: Denver, CO, USA
Programs: Sometimes known as [ARG:6 UNDEFINED]
Posts: 26,704
The 737MAX had two crashes, five months apart, with the exact same model type. And for, apparently, the exact same reason. @:-)
Last edited by DenverBrian; Jun 3, 2019 at 12:43 pm
#300
FlyerTalk Evangelist
Join Date: Nov 2004
Location: ORD
Programs: UA 1K
Posts: 16,901
I don't believe any of the above uncovered the depth of corporate mishandling that the MAX has. I've asked some regular folk and they all know the word MAX, they know there were multiple crashes, and they've heard that Boeing cut corners, were sloppy (they've followed the SC 878 news), and some think they are in the pocket of Trump. That's quite a bit more than a single plane falling from the sky.