Stories
Slash Boxes
Comments

SoylentNews is people

posted by chromas on Saturday March 30 2019, @08:12PM   Printer-friendly
from the press-X-to-not-dive dept.

Initial Findings Put Boeing's Software at Center of Ethiopian 737 Crash:

At a high-level briefing at the Federal Aviation Administration on March 28, officials revealed "black box" data from Ethiopian Airlines Flight 302 indicated that the Boeing 737 MAX's flight software had activated an anti-stall feature that pushed the nose of the plane down just moments after takeoff. The preliminary finding officially links Boeing's Maneuvering Characteristics Augmentation System (MCAS) to a second crash within a five-month period. The finding was based on data provided to FAA officials by Ethiopian investigators.

The MCAS was partly blamed for the crash of a Lion Air 737 MAX off Indonesia last October. The software, intended to adjust the aircraft's handling because of aerodynamic changes caused by the 737 MAX's larger turbofan engines and their proximity to the wing, was designed to take input from one of two angle-of-attack (AOA) sensors on the aircraft's nose to determine if the aircraft was in danger of stalling. Faulty sensor data caused the MCAS systems on both the Lion Air and Ethiopian Airlines flights to react as if the aircraft was entering a stall and to push the nose of the aircraft down to gain airspeed.

On March 27, acting FAA Administrator Daniel Ewell told the Senate Commerce, Science, and Transportation Committee's aviation subcommittee that there had been no flight tests of the 737 MAX prior to its certification to determine how pilots would react in the event of an MCAS malfunction. He said that a panel of pilots had reviewed the software in a simulator and determined no additional training was required for 737-rated pilots to fly the 737 MAX.

What follows is from memory from what I've gleaned from reading several news accounts over the past few weeks. I am not a pilot, so take this with the proverbial $unit of salt.

The design of the MAX version of the Boeing 737 used a larger diameter engine so as to improve fuel economy. Because the original 737 was designed to be low to the ground to facilitate boarding (no jetways back then), it required the engines to be mounted forward and higher than in previous models. This introduced a change in the flight dynamics. Adding throttle in certain conditions would cause the plane to "nose up". Because of the shear size of the engine nacelles, this further increased the lift of the nose (more surface exposed at an angle to the air flow). This would cause further lift and would exacerbate the situation. Boeing wanted pilots to be able to fly the MAX without undergoing expensive retraining. How can they make a different aircraft behave like its predecessor, the 737-NG? The solution Boeing came up with was MCAS which — in certain circumstances — was designed to push the plane's nose back down. So much authority was provided to this adjustment, and its repeated application in some cases, that it could lead to driving the plane downward in spite of the pilot's efforts to maintain level flight. Complicating matters, there was no mention of MCAS in any of Boeing's training materials: pilots were not even aware it was there.

It would be easy to "armchair quarterback" Boeing's decisions. The airline industry was transitioning from its hub-and-spoke system (which favored larger planes) to having a greater number of direct (no layover) flights which favored smaller aircraft. In the meantime Airbus had come out with a new model of more efficient aircraft which fit this flight profile. Boeing could have come up with a clean-slate design for a new aircraft, but that would require several years from design to construction to certification. They elected to modify the 737, instead. As long as it was sufficiently similar (I'm waving my hands around a bit here), it could be sold based on the certification of its earlier models. So, they decided to modify the 737... but not too much so as to avoid the time-consuming recertification process.

I've heard it said, "The longest distance between two points is a shortcut." It is sad that this shortcut appears to have been responsible for two flights crashing shortly after takeoff and killing nearly 350 people.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Saturday March 30 2019, @09:54PM (10 children)

    by Anonymous Coward on Saturday March 30 2019, @09:54PM (#822485)

    Note that Mr. Travis is not an aircraft designer.

    If in fact the revised engine location tends to create a pitch-up moment in some flight conditions, there are many small compensating changes possible to the airframe -- slightly larger or longer span rear horizontal tail is one obvious one. Another would be stretching the rear of the fuselage slightly (behind the main wing) to give the tail surfaces more leverage. Until all the facts are in, I'm not holding my breath because I think it's quite possible that one or more small changes were made during the design of this 737 variant.

    I think Travis has a bone to pick with Boeing, anyone have any ideas why he might be mad at the company?

  • (Score: 5, Informative) by c0lo on Saturday March 30 2019, @10:13PM (9 children)

    by c0lo (156) Subscriber Badge on Saturday March 30 2019, @10:13PM (#822493) Journal

    Note that Mr. Travis is not an aircraft designer.

    Note that neither are you.
    Also note that Mr Travis owns a Cesna and have quite a big number of hours of real flight and flying commercial simulators.

    From the linked:

    It just so happens that, during the timeframe between the first 737 MAX crash and the most recent 737 crash, I’d had the occasion to upgrade and install a brand-new digital autopilot in my own aircraft. That aircraft, a 1979 Cessna 172, is the most common aircraft in history, at least by production numbers. Its original certification also predates that of the 737’s by about a decade (1955 vs. 1967).

    My new autopilot consists of several very modern components, including redundant flight computers (dual Garmin G5s) and a sophisticated communication “bus” (CANBUS) that lets all the various components talk to each other, irrespective of where they are located in my plane. CANBUS derives from automotive “drive by wire” technology but is otherwise very similar in purpose and form to the various ARINC buses that connect together the components in the 737MAX.

    My autopilot also includes electric pitch trim. Meaning it can make the same types of configuration changes to my 172 that the flight computers and MCAS system in the 737 MAX can make to it. During the installation, after the first 737 MAX crash, I remember remarking to a friend that it was not lost on me that I was potentially adding a hazard similar to the one that brought down the Lion Air crash (see “normal failure,” below). Finally, my new autopilot also implements “envelope protection.” If my Cessna is NOT being flown by the autopilot, the system nonetheless constantly monitors the airplane to make sure that I am not about to stall it, roll it inverted, or a whole host of other things. Yes, it has its own “bitey dog” mode.

    As you can see, the similarities between my $20K autopilot and the multi-million dollar autopilot in every 737 are direct, tangible, and relevant. What, then, are the differences?

    For starters, the installation of my autopilot required paperwork in the form of what’s called a “Supplemental Type Certificate,” or STC. In other words, the autopilot manufacturer and the FAA both agreed that my 1979 Cessna 172 with their (Garmin’s) autopilot was so significantly different from what it was when it rolled off the assembly line that it was no longer the same Cessna 172. It was a different aircraft, altogether.

    In addition to now carrying a new (supplemental) aircraft type certificate (and certification), my 172 required a very large amount of new paperwork to be carried in the plane, in the form of revisions to and addendums to the aircraft operating manual. As you can guess, most of those addendums revolved around the autopilot system.

    Of particular note in that documentation, which must be carried in the plane at all times and must be studied and understood by whomever pilots it, are various explanations of the autopilot system, including its command of the trim control system and its envelope protections.

    There are instructions on how to detect when the system malfunctions, through terms such as “pitch trim runaway,” and how to disable the system, immediately. Disabling the system means pulling the autopilot circuit breaker and instructions on how to do that are strewn throughout the documentation, repeatedly. Every pilot who flies my plane becomes intimately aware that it is NOT the same as any other 172.

    This is a big difference between what pilots of my plane are told and what pilots stepping into a 737 MAX are (or were) told.
    ...
    Perhaps the biggest difference between the system in my 172 and the 737 MAX is the amount of physical force it takes for the pilot to override the computers. In my 172 there are still cables linking the controls to the flying surfaces. There is no computer to mediate and what computer is there has to press on the same things that I have to press on. And its strength is nowhere near as much as mine. So, even if there were to be an error – the computer in my plane thought it was about to stall when it wasn’t -- I can easily overcome the computer.

    In my Cessna, unlike the 737 MAX, the humans still win a battle of the wills, every time. That used to be a design philosophy of every Boeing aircraft, as well, and one they used against their arch-rival Airbus (who had a different philosophy). But it seems that, with the 737 MAX, Boeing has changed philosophies about human/machine interaction as quietly as they’ve changed their aircraft operating manuals.

    ---

    I think Travis has a bone to pick with Boeing, anyone have any ideas why he might be mad at the company?

    Some hundred of deaths isn't a bone enough for you?

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
    • (Score: 0, Interesting) by Anonymous Coward on Saturday March 30 2019, @11:28PM (6 children)

      by Anonymous Coward on Saturday March 30 2019, @11:28PM (#822528)

      It is obvious that he doesn't know what he is talking about in regards to the 737 and I'm almost positive has never been a commercial pilot. I can play

      First is the implication that the 737 is a fly-by-wire airplane, which it isn't. The 737 autopilot has to "press on the same things that I have to press on." This is especially true when talking about the MCAS, which turns the same trim wheels as the pilots do, using the same motors for fast adjustment that the autopilot and actual pilots use.

      Second is that the 737 absolutely has a checklist for runaway trim, including the memory items, and that checklist disables the MCAS system. Diagnosing a problem with the MCAS isn't really the pilots job, but it is mentioned in the checklist for some airlines anyway.

      Third is that there was training for the new aircraft that did mention the MCAS. People are complaining that it wasn't a point of emphasis, in the memory items or explicitly disable on all versions of the checklist, but the memory items already disabled the MCAS. Plus, it is easier for everyone to just follow the same 737 memory checklist for all variants, rather than introducing new ones just for this one variation.

      As to the "battle of wills thing," the elevators cannot overpower the horizontal stabilizer, but that is true on most planes, including most jet aircraft and ALL 737s. However, a human can overpower the computer adjusting the trim wheels and they always had the option of turning it off.

      • (Score: 0) by Anonymous Coward on Sunday March 31 2019, @02:05AM

        by Anonymous Coward on Sunday March 31 2019, @02:05AM (#822573)

        Boeing 737's had a bit of a edge condition (design flaw) with its rudder actuators in the 80's as well. It was a hydraulic double-action actuator, IIRC. Anyways, at a certain set of conditions and inputs, instead of continuing to push the rudder the direction it'd been pushing it, it'd suddenly kick back the opposite direction. The usual result of these edge cases were a few rather mysterious 737 crashes.

        Boeing did quietly introduce a couple of changes to the system at some point, all the while professing there wasn't a problem in the system, but the ensuing FAA directives to make the changes at least made the news in the Seattle area back then...

      • (Score: 3, Insightful) by Runaway1956 on Sunday March 31 2019, @02:26AM (4 children)

        by Runaway1956 (2926) Subscriber Badge on Sunday March 31 2019, @02:26AM (#822582) Journal

        Diagnosing a problem with the MCAS isn't really the pilots job

        Since philosophy has become a part of this discussion - that is a major error in philosophy. The pilot/captain/commander/operator/driver of any vehicle is ultimately responsible for EVERYTHING that happens aboard his craft. This has been true since the first floaty thingy was hacked out of a tree trunk, and pushed out on the water. That philosophy predates the wheel.

        So, yes, it really is the pilot's job to diagnose problems with MCAS, and every other system found on his aircraft.

        • (Score: 0) by Anonymous Coward on Sunday March 31 2019, @03:35AM (2 children)

          by Anonymous Coward on Sunday March 31 2019, @03:35AM (#822606)

          So you are driving your truck and all of a sudden one of the brakes engages and locks solid or the thermostat readout spikes or the engine starts having ignition failures. Are you really suggesting that you would sit there and diagnose the problem? I'd hope not, you'd make sure you got control of your rig to the best of your ability and then stop when it is safe in a safe way. It is the mechanics job to actually diagnose and fix the problem.

          Similarly, the pilot isn't going to sit there and figure out why the trim motors decided to trim on their own, he is going to get control and then land when it is safe in as safe a way as possible. It is the mechanics job to actually diagnose and fix the problem. If we were talking past each other, fine; if not, please inform me how a pilot should handle such a situation and how they can diagnose the difference between an AOA sensor malfunction and a short in the trim motor wiring.

          • (Score: 2) by Runaway1956 on Sunday March 31 2019, @08:52AM

            by Runaway1956 (2926) Subscriber Badge on Sunday March 31 2019, @08:52AM (#822673) Journal

            To the pilot, there is no difference between the AOA sensor and a short in a trim motor. But, he must diagnose that the trim system is malfunctioning and bypass it. At that point, he returns to the terminal, and reports that the trim system has been bypassed, because it was misbehaving. You're right, it's not the pilot's job to diagnose the exact reason that the system failed. It's not his job to fix the problem. But, it IS his job to report as accurately as possible what the symptoms were, to help the maintenance crew to diagnose the exact problem.

            To the pilot, that is at least as obvious, as a rapidly rising pyrometer would be to me in a truck. To fix that pyrometer, all I need do is downshift, and stop standing on the accelerator. That is a common problem in mountain regions, while pulling heavy loads.

          • (Score: 1) by khallow on Sunday March 31 2019, @09:13PM

            by khallow (3766) Subscriber Badge on Sunday March 31 2019, @09:13PM (#822842) Journal

            So you are driving your truck and all of a sudden one of the brakes engages and locks solid or the thermostat readout spikes or the engine starts having ignition failures. Are you really suggesting that you would sit there and diagnose the problem?

            You might not have a choice, but to sit there and diagnose the problem. At least two of your three problems can result in truck no go.

            Similarly, the pilot isn't going to sit there and figure out why the trim motors decided to trim on their own, he is going to get control and then land when it is safe in as safe a way as possible.

            Such as happened in the two 737 accidents?

            if not, please inform me how a pilot should handle such a situation and how they can diagnose the difference between an AOA sensor malfunction and a short in the trim motor wiring.

            If the trim motor responses to efforts to adjust the trim, it's not the latter.

        • (Score: 1, Insightful) by Anonymous Coward on Sunday March 31 2019, @09:41PM

          by Anonymous Coward on Sunday March 31 2019, @09:41PM (#822860)

          Blaming the pilot for everything is simple but what has saved lives over the decades is treating the pilot as one component in a flow of information and control inputs.

          MCAS set a trap for the pilots. Just because they could have escaped it, I don't blame them for not escaping it.

    • (Score: 0) by Anonymous Coward on Saturday March 30 2019, @11:33PM (1 child)

      by Anonymous Coward on Saturday March 30 2019, @11:33PM (#822531)

      Also note that Mr Travis owns a Cesna and have quite a big number of hours of real flight and flying commercial simulators.

      I've flown Cessna aircraft and can load up a simulation of the Concorde on my simulator. Does that make me an expert on the SR-71 Blackbird?

      • (Score: 1) by khallow on Sunday March 31 2019, @09:15PM

        by khallow (3766) Subscriber Badge on Sunday March 31 2019, @09:15PM (#822843) Journal
        It certainly makes you more of one than if you hadn't done either. Knowledge is relative. Here, we have more than just a dude who flew a Cessna. He had experience with both operation of automated flight hardware and how the regulations deal with changes to an airplane from that automated flight hardware.