‘Grossly insufficient’: House report excoriates Boeing, FAA over mistakes that led to 737 Max crashes

From https://www.yahoo.com/news/grossly-insufficient-house-report-excoriates-090029704.html?guccounter=1

A cascade of false assumptions, mismanagement, rushed deadlines, miscommunication and outright deception led to the failure to catch the design flaws that led to two deadly crashes of Boeing’s now-grounded 737 Max jetliner, finds a congressional report released Wednesday. “Boeing failed in its design and development of the Max, and the Federal Aviation Agency failed in its oversight of Boeing and its certification of the aircraft,” concludes the House Transportation and Infrastructure Committee’s 238-page report on the jetliner.

The report pinpoints multiple times when engineers questioned the safety of features that went into the jet, only to have their concerns dismissed as lacking importance or as jeopardizing the development timeline or budget. Employees charged with keeping the FAA informed about those debates didn’t pass on that information to the agency.

Despite ample opportunities to have realized the plane’s deadly shortcomings, the 737 Max passed muster with both Boeing and the FAA, which labeled it “compliant” in certifying it as safe to go into service with many airlines in the U.S. and abroad. “The problem is it was ‘compliant’ and not safe – and people died,” Rep. Peter DeFazio, D-Ore., the committee’s chairman, said in a brief statement to reporters.

A 737 Max operated by Lion Air plunged into the Java Sea 13 minutes after takeoff in Indonesia in October 2018, taking 189 lives. Five months later, an Ethiopian Airlines jet with 157 passengers and crew augered into the earth six minutes into its flight from Addis Ababa. As similar circumstances in both crashes came to light, the 737 Max has remained grounded worldwide. The FAA and other global aviation safety agencies are reviewing Boeing’s improvements to decide whether to allow it to fly again.

Those improvements focus primarily on software changes in a new system added to the jet and blamed for the crashes. In both the fatal Lion Air and Ethiopian Airlines flights, pilots wrestled with the new computer system, the Maneuvering Characteristics Augmentation System, or MCAS, that wasn’t on previous versions of the 737.

FAA’s fix-it list for 737Max

Source:  https://www.engineering.com/AdvancedManufacturing/ArticleID/20579/More-Details-on-the-FAAs-Fix-It-List-for-the-737-MAX.aspx

The Federal Aviation Administration (FAA) has given Boeing preliminary approval for its proposed fixes for the troubled 737 MAX, along with an airworthiness directive that the plane maker must comply with if it wants its planes back in the air.

Updated Flight Control Software
The agency will require that Boeing install a software patch to the Maneuvering Characteristics Augmentation System (MCAS) that implements new safeguards. The patch significantly alters the reliability of data the MCAS receives, the parameters under which the system will activate, and how the MCAS performs once it’s been triggered.

The MCAS is an anti-stall measure intended to activate only when the plane is at low speed, under manual pilot control, climbing with the flaps up, and the system detects that the aircraft is angling too high and at risk of stalling.

However, on Ethiopian Airlines Flight 302 and Lion Air Flight 610, the MCAS software kicked in at the wrong time: when the aircraft were taking off under manual control. In these cases, the MCAS forced the planes downward because it assumed the aircraft were stalling when in fact they were operating safely. All passengers and crew were lost on those tragic flights, and the global MAX fleet has been grounded since, for almost two years.

Under the FAA’s proposed changes, the MCAS would now be governed by new flight control software, and the software would use new rules that send commands to the aircraft’s flight control surfaces, such as flaps, based on input from sensors or pilot actions.

In the case of the two crashes, the MCAS received faulty information from an angle-of-attack (AOA) sensor that told the system the plane was stalling when it was not. The MCAS then overrode the system and overpowered the crew, pushing the planes’ noses down into fatal dives.

The new flight control software would contain the following four new measures to prevent such tragic occurrences from being repeated:

1) More Than One Angle-of-Attack Sensor
The FAA requires that the MCAS rely on at least two AOA sensors. Many commercial jets rely on multiple AOA sensors; but typically, a 737 MAX relies on only one. These sensors are vulnerable to damage and malfunction from sources such as lightning, bird strikes, freezing and faulty installation.

In the case of the two downed planes, black box data indicated that each aircraft’s lone AOA sensor sent erroneously high input to the flight control system. This led the software to conclude that the planes were stalling, and triggered the MCAS, which repeatedly commanded the horizontal stabilizer to push the planes’ noses down.

Going forward, the flight control software would pull data from both sensors, significantly reducing the risk of a damaged sensor sending the wrong signal to the MCAS.

2) MCAS Disabled on Severe AOA Disagreement
To further strengthen the system against faulty AOA sensor readings, the updated flight control software would also compare the inputs from the two sensors to identify when a sensor is malfunctioning.

If the difference between the readings of the two sensors is above a certain threshold, the speed trim system, which includes the MCAS, would become disabled for the remainder of the flight. That threshold would be based on “the magnitude of the disagreement and the rate of change of the AOA sensor position values,” according to the FAA.

In addition, Boeing would be required to add an “AOA disagree” indicator in the cockpit to inform the flight crew of a potential sensor malfunction or failure. This should be a welcome addition for pilots: among other criticisms, Boeing has also been called out for not making an AOA disagree indicator light standard in the cockpit, a vital piece of information for a crew that was relying on a sole AOA sensor.

That indicator would have been even more important considering that Boeing had removed reference to the MCAS in its 737 MAX training materials, so many pilots, most notably the ones flying the downed aircraft, were not even aware that the MCAS existed.

3) One MCAS Activation per AOA Incident
The MCAS on board the Ethiopian Airlines and Lion Air planes was reacting to faulty sensor readings and triggered repeatedly, which was too much for the pilots to handle. It appears that the pilots were briefly able to wrestle back some control of the aircraft, only to be overpowered by the MCAS activating again.

The new software would limit the MCAS to trigger only once during a high AOA incident, eliminating the repeated activations that contributed to the two crashes. This would allow the MCAS to properly carry out its original function as an emergency anti-stall measure.

It also means that, should the MCAS either be overridden by a faulty sensor reading or activate during a genuine stall situation, the pilots will be unable to rely on the system for any further stall scenarios for the rest of the flight: they’ll have to handle it by themselves. But given the extensive training of most pilots, this seems like an acceptable consequence.

4) Less Aggressive MCAS When Triggered
Finally, should the MCAS kick in during a flight, its power would be significantly limited so that it can’t overpower the pilots.

The new software would keep a comparatively short leash on the MCAS, permitting it to activate and send signals to the flaps while allowing the flight crew to retain pitch control, using the control column to maintain level flight, climb and descend. No longer would the anti-stall system be able to grab control of the aircraft away from the pilots: it would instead defer to their commands.
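
The four safeguards above can be read as a small state machine. The following toy model is an added example, not Boeing's or the FAA's software: every numeric limit is constructed, and the use of the lower of the two readings and the re-arm rule that ends an "incident" are assumptions. Only the magnitude of the disagreement is modelled, not its rate of change.

```python
from dataclasses import dataclass

# All numeric limits are constructed for illustration; the article gives none.
DISAGREE_LIMIT_DEG = 5.5   # hypothetical: tolerated left/right AOA difference
HIGH_AOA_DEG = 14.0        # hypothetical: AOA at which a high-AOA incident starts
RESET_AOA_DEG = 10.0       # hypothetical: AOA below which the incident is over
MAX_TRIM_UNITS = 0.6       # hypothetical: cap on nose-down trim per activation


def single_sensor_baseline(samples, requested_trim=2.5):
    """Pre-fix behaviour as the article describes it: one sensor is trusted,
    and the full command repeats for as long as that sensor reads high."""
    return [requested_trim if left >= HIGH_AOA_DEG else 0.0 for left, _ in samples]


@dataclass
class TrimGuard:
    """Toy model of the four safeguards listed in the article."""
    disabled_for_flight: bool = False   # safeguard 2: latched for the flight
    disagree_alert: bool = False        # cockpit "AOA disagree" indicator
    fired_this_incident: bool = False   # safeguard 3: latched per incident

    def step(self, aoa_left, aoa_right, requested_trim):
        """Return the nose-down trim command for one sample (0.0 means none)."""
        # Safeguard 2: a large disagreement means one sensor cannot be trusted.
        # Latch the function off for the rest of the flight and tell the crew.
        if abs(aoa_left - aoa_right) > DISAGREE_LIMIT_DEG:
            self.disabled_for_flight = True
            self.disagree_alert = True
        if self.disabled_for_flight:
            return 0.0

        # Safeguard 1: both sensors are consulted. Using the lower reading
        # (an assumption of this model) means one high reading cannot trigger.
        aoa = min(aoa_left, aoa_right)

        if aoa < RESET_AOA_DEG:
            self.fired_this_incident = False   # incident over: re-arm (assumed)
            return 0.0
        # Safeguard 3: at most one activation per high-AOA incident.
        if aoa < HIGH_AOA_DEG or self.fired_this_incident:
            return 0.0

        self.fired_this_incident = True
        # Safeguard 4: bounded authority, whatever the control law requested.
        return max(0.0, min(requested_trim, MAX_TRIM_UNITS))


def replay(samples, requested_trim=2.5):
    """Run a trace of (left, right) AOA samples through a fresh TrimGuard."""
    guard = TrimGuard()
    commands = [guard.step(l, r, requested_trim) for l, r in samples]
    return commands, guard


# Constructed traces of (left_aoa_deg, right_aoa_deg) samples.
FAILED_SENSOR = [(40.0, 4.0), (40.0, 5.0), (40.0, 4.5), (40.0, 5.0)]
GENUINE_HIGH_AOA = [(8.0, 8.5), (15.0, 15.5), (16.0, 15.0), (9.0, 9.5), (15.0, 14.5)]

if __name__ == "__main__":
    print("baseline, failed sensor:", single_sensor_baseline(FAILED_SENSOR))
    for name, trace in (("failed sensor", FAILED_SENSOR),
                        ("genuine high AOA", GENUINE_HIGH_AOA)):
        commands, guard = replay(trace)
        print(name, commands, "disabled:", guard.disabled_for_flight,
              "alert:", guard.disagree_alert)
```

On the failed-sensor trace the baseline commands full trim on every sample, while the guarded logic commands none and raises the disagree indicator; on the genuine trace it fires once per incident at the capped value.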

… But Wait, There’s More

While the software is the main focus of the fixes, the FAA will require additional corrective measures. A revised flight manual, this one actually mentioning the MCAS, would be required for all 737 MAX operators to use. Each plane’s AOA sensors would need to be tested, and each aircraft would have to undergo an operational test flight before it can be brought back into service. And finally, the wiring for the jet’s horizontal stabilizers will need to be reconfigured to comply with FAA standards.

Lots on the Line

The crashes brought both Boeing and the FAA under intense global scrutiny and scathing criticism for their repeated oversights in designing, manufacturing and certifying the 737 MAX.

So a lot is riding on these proposed fixes: the airworthiness of one of the world’s most popular aircraft, Boeing’s reputation and bottom line, the legitimacy and authority of the FAA, and the confidence of travelers around the world. If the plane maker and the regulator don’t get this right, the consequences could be severe for both, and could cause more chaos in an aerospace market already reeling from the MAX’s grounding and the COVID-19 pandemic.

Boeing will have to make significant changes to its best-selling plane.

The FAA is accepting public comment on the proposed fixes for the MCAS until September 21, 2020. If recertification goes as anticipated, we could be seeing 737 MAXs take to the air again by Halloween … but global confidence in the MAX could take much, much longer to recover.

Flying over the poles

An interesting article from https://thepointsguy.com/news/radiation-flights-over-north-pole/

Racing around the world at 43,000 feet, you may think that the biggest threat is hitting the ground below you. However, have you ever thought of what’s hitting the aircraft from above?
Cosmic radiation is all around us, but its effects are seen more at altitude, and particularly at the Poles, than on the ground. However, some of the most time and fuel-efficient flight routes take aircraft well into the Arctic Circle and close to the North Pole.
So how does this radiation affect us and how do pilots fly these remote routes?

Radiation exposure
Every time you get out of bed (and when you’re in it for that matter) your body is exposed to radiation. It’s all around us and is, for the most part, unavoidable. Some of this radiation is useful and other types are not so useful.
The effects of non-ionizing radiation, such as ultraviolet light, radio waves and microwaves, very much depend on the intensity of the radiation received. It can damage the skin and eyes (hence why we wear sunglasses and sunscreen) and if it penetrates the body, can cause damage to organs by heating them.
For the most part, this is the type of radiation we put up with day to day, utilizing the benefits to rapidly heat food in our microwaves and give our skin a much sought-after sun-kissed glow.
Ionizing radiation, such as cosmic rays, X-rays and that from radioactive material, is the kind which tends to get people’s attention. The greatest worry about ionizing radiation is the increased risk of malignant diseases and genetic malfunctions.
Once again, the risks of ionizing radiation very much depend on the amount of exposure.

Cosmic radiation and the earth’s magnetic field
Cosmic radiation originates from two sources. Most of it originates from outer space, but some of it comes from the sun, which produces a constant stream of particles that billow out into space at almost one million mph. This is known as the solar wind and consists primarily of protons and electrons.

Meanwhile, back on earth, currents of electricity which flow deep in the molten core create a magnetic field. These currents are hundreds of miles wide and flow at thousands of miles an hour as the earth rotates. The magnetic field extends out thousands of miles into space where it acts as a shield against incoming radiation.

As the charged incoming particles hit the magnetic field, they are deflected away and are prevented from coming into contact with the atmosphere. However, there is a weakness in the magnetic field.

Due to the shape of the geomagnetic field, the intensity of the charged cosmic radiation is higher at the poles than it is in equatorial regions.
The magnetic field is thickest at the equator and virtually nonexistent at the poles. Added to this, parts of the magnetic field deflect the incoming particles to the areas around the poles.
As a result of this gap in the shield, a greater amount of radiation gets into the earth’s atmosphere at the poles than at the equator. The earth’s atmosphere does a good job of stopping most of the radiation from reaching the ground and it’s this interaction which causes the Aurora Borealis.
However, the amount of radiation in the upper atmosphere remains higher than on the ground.

Great circle routing
This is all very interesting but what relevance does it have to commercial aviation? Why would aircraft need to be flying by the North Pole anyway?
The answer lies in the curvature of the earth (sorry, flat earthers) and the shortest distance between two points on the surface. This is known as a Great Circle.
Everyone knows that the U.S. is west of the U.K. In fact, most of it is southwest. However, if you’ve ever flown from London to the west coast of the U.S. and watched the moving map, you will have noticed that the flight initially routes north toward Scotland.
This isn’t because the pilots are lost; it’s because it is actually the most direct route.
When planning the route of a flight, airlines will naturally try to take the shortest route possible, the Great Circle track. However, sometimes it’s beneficial to deviate off this route to take advantage of (or to avoid) strong winds. Even though the distance may be longer, the flight time (and subsequently the cost) will be reduced.
So with flights routing over the North Pole, what risk is there to the passengers and crew from cosmic radiation?

Radiation study
A December 2019 study looked to see whether the length of the flight or the routing of the flight had the greatest effect on the amount of radiation an aircraft was exposed to.
It sampled 15 of the longest commercial flights in operation, including four that flew over the Arctic. These included flights to Los Angeles from Doha, Abu Dhabi and Dubai.
The image above shows the routes taken to Los Angeles by flights from the three Middle Eastern hubs and also the route from London for comparison.
Contrary to what the scientists were expecting, the study found that it wasn’t the duration of the flight but the route which has the greatest effect on cosmic radiation exposure. Aircraft that flew closer to the North Pole experienced greater radiation than those flying more southerly routes, even if they were airborne for longer.

Do I need to be worried?
A study by NASA found that polar flights during the solar storm of 2003 were exposed to 12% of the annual radiation limit recommended by the International Committee on Radiological Protection. Whilst this isn’t a problem for individual flights, it could start to pose problems for those who fly these routes frequently, such as pilots and flight attendants.
Airline crew are categorized as “radiation workers” by the U.S. federal government, a classification that includes X-ray technicians and nuclear power plant workers. According to NASA, the average airline pilot receives more radiation a year than does a fuel-cycle worker in a nuclear power plant.
A survey of flight attendants in Europe and North America also found higher rates of skin, breast and prostate cancer, as well as acute myeloid leukemia than the average person.
For the average passenger, there is little to worry about. Even for the frequent flyer, the doses of radiation experienced on normal flights are not considered to be excessive. However, if you find yourself regularly flying between the Middle East and North America, you may want to give this some thought.

Flying across the Poles
So how do we fly polar routes and do we do anything different to avoid the cosmic radiation? Simply put, not really. As the radiation depends more on the route than the altitude, there is little we as pilots can do to reduce the exposure when flying these routes.
However, any flight across the Poles requires a bit more thought before departure. By definition, the routes are particularly isolated and careful consideration has to be given to diversion airfields. Cold air masses may affect fuel temperatures, potentially taking them below the minimum allowed temperature.

Polar routes
For aircraft to be able to take advantage of routes across the North Pole, very much like across the North Atlantic, a Polar Track structure has been created. However, unlike the North Atlantic tracks which move in location depending on the winds, the polar tracks are fixed. To ensure that there is no conflict between the two sets of tracks, the polar tracks are well north of the airspace used by the North Atlantic tracks.
The use of the polar tracks is similar to those crossing the Atlantic. Before reaching the start of the track, pilots must receive an ATC clearance. This includes the flight level, speed and track which the crew must adhere to.
However, as the polar tracks are less busy than the North Atlantic ones, pilots can normally plan on flying the track at the altitude and speed of their choice, normally those optimum for the flight.

Low fuel temperatures
While you’re seated enjoying a glass of wine in a pleasant 70 degree Fahrenheit cabin, outside your window it’s bitterly cold, normally around minus 67 degrees Fahrenheit in temperate regions. In Arctic areas, it can get even colder: minus 97 degrees Fahrenheit over Siberia is my personal record. When temperatures get this low, a conventional fuel would freeze.
The Jet A-1 powering the engines has a freezing point of minus 52 degrees Fahrenheit, so why doesn’t the fuel freeze when it’s minus 67 degrees Fahrenheit outside?
Take an average spring day out of London where it’s 59 degrees Fahrenheit. For this example, let’s say the fuel is also 59 degrees Fahrenheit. As the aircraft climbs, the outside air temperature decreases. Nominally by 35 degrees Fahrenheit every 1,000 feet. This means that by the time it reaches 35,000 feet, the outside temperature will be minus 67 degrees Fahrenheit. This is called the static air temperature, or SAT. This is the temperature you’d feel if you were stood on a passing cloud.
If the aircraft was just sitting on that cloud with you, the surfaces would chill to minus 67 degrees Fahrenheit, as would fuel in the wings. However, the aircraft isn’t stationary. It’s flying through this cold air mass at hundreds of miles per hour.
The speed of air over the wings creates friction, which actually heats the surfaces. By knowing the airspeed, you can work out what this heating effect will be. Adding this value to your SAT gives you your total air temperature or TAT. It is this TAT value that is chilling the wings and thus affecting the fuel temperature.
If I was to tell you that a typical TAT value at 38,000 feet is just minus 6 degrees Fahrenheit, you’ll now be able to understand why the fuel doesn’t freeze.
The wing material also has an effect on this chilling. The composite structure of the 787 Dreamliner wing means that it cools far slower than a conventional aluminum wing, resulting in much warmer fuel temperatures.
What happens if the fuel temperature gets close to minus 52 degrees Fahrenheit?
It is possible that, if flying for prolonged periods in extremely cold air masses, the fuel temperature could drop toward the freezing point. However, pilots are alert to this possibility and will take proactive steps to ensure that this doesn’t happen. Each aircraft type has a threshold at which the crew are alerted to low fuel temperature.
On the 787, that threshold is around minus 35 degrees Fahrenheit. If this happens, the crew have two options. Either fly faster to increase the heating effect of the air or descend into warmer air. Since aircraft tend to fly as fast as they are designed, normally the only viable option is to descend.

Communications
Communications can also be problematic. Most areas of the world are well served by SATCOM. Pilots simply pick up the Sat phone, dial a number and can be connected to any telephone in the world in an instant. Unfortunately, when flying above 82 degrees north, SATCOM is unavailable.
In order to maintain communication with the ground, pilots must ensure that they establish high frequency (HF) communications with the relevant ATC unit. Fortunately, they do not need to listen to the painful static for the whole flight.

A system called SELCAL enables the crew to turn the volume off when they are not communicating with ATC. A SELCAL notification activates in the flight deck, very much like a phone ringing, to let the crew know that ATC needs to speak with them.

True versus magnetic
As the aircraft gets closer to the Pole, the magnetic compass becomes less reliable as the position of the aircraft relative to the Pole is changing so quickly. It gets to the point where pilots consider it totally useless. Instead of using magnetic headings and tracks, we use true headings and tracks.
Unlike the magnetic North Pole, the true North Pole doesn’t move. It is in effect the “top” of the earth. As a result, its position can be determined by GPS, increasing our navigational accuracy.

Bottom line
Whilst cosmic radiation should not be of concern to most passengers, it’s an occupational hazard of the job for the crew. There is greater exposure to radiation when flying routes over the Poles than those closer to the equator. This is down to the lack of protection from the earth’s magnetic field at the poles.
That said, the threat of radiation over the poles does not alter how pilots fly their aircraft. The cold temperatures and lack of communications do provide more of a challenge than on other routes but flight safety is never compromised. No matter what route your flight takes, your pilots will ensure that you arrive safely at your destination – leaving you blissfully unaware of the challenges such flying poses.

EASA: Proposed Deviation on CS 25.1301, 25.1302, 25.1309 and 25.1523 at Amendment 15 – User Defined Approaches

In the certification activity of a new Flight Management System, the Applicant reported the presence of the User Defined Approach (UDA) function accessible to the crew. This feature supports operations on airfields for which no approved or published approach procedures are available.
Presence of this function within the FMS impairs compliance with the related CS 25 specifications CS 25.1301, 25.1302, 25.1309 and 25.1523. The Applicant does not intend to perform either a physical removal of the item (e.g. equipment, switches, antennas, etc.) or the inhibition of the function (e.g. SW pin-programming).
The Agency therefore intends to accept the proposal of the Applicant to prohibit the use of this function for the certification of the FMS, hence requesting a Deviation to the requirements applicable to the UDA function. See https://www.easa.europa.eu/document-library/product-certification-consultations/proposed-deviation-cs-251301-251302-251309-and

Note the ultimate acceptability criteria in this statement:  “Fulfilment of those mitigation factors has been assessed to comply with the following Essential Requirements of Annex II of Regulation (EU) 2018/1139: point 1.3.2, point 1.3.3, point 1.3.4, point 1.3.5, point 2.1, point 2.1(a), point 2.1(b), point 2.1(e), point 2.3, point 2.3(c).”

Example Particular Risk Analysis (PRA): Birdstrike

A400M damaged following bird strikes, see:

Certification criteria might not extend beyond 4lb birds at a certain velocity, but that should not preclude an assessment of vulnerabilities and the subsequent implications of threats with more kinetic energy.

What you need to know about the Aircraft Safety and Certification Reform Act

Over the last year, in the wake of the 737 MAX crisis, the US government has been considering ways to reform the aviation safety process. Today, a bill has been presented to the US Senate known as the “Aircraft Safety and Certification Reform Act of 2020.” Here’s what you need to know about the act.
In short, the bill will address the following issues:
  • Mandate direct Federal Aviation Administration (FAA) approval of manufacturers’ engineers acting on behalf of the FAA, the Organization Designation Authorization (ODA) unit members, and rescind additional FAA authority to allow self-certification
  • Assign FAA safety advisors whose role will be to communicate with and monitor the compliance of ODA unit members involved in the certification of large commercial airplanes and their engines
  • Require new National Transportation Safety Board (NTSB) safety recommendations on flight automation, pilot response, and safety management systems for aircraft manufacturers
  • Establish whistleblower protections and fortify channels for reporting safety problems during the certification process
  • Eliminate industry-friendly panels and roll back performance incentives that do not prioritize safety in the aircraft certification process as a first and foremost goal
  • Build FAA technical capacity to address advanced technology (like automation in the cockpit) through a new Center for Excellence for flight automation and human factors; continuing education and training for inspectors and engineers on new technology; and increased funding for scientific and technical advisors

Essentially, this bill will give Boeing and other aircraft manufacturers less influence in the aircraft certification process. This bill will provide the FAA with more room to select its own trusted safety personnel over company employees, one of the biggest concerns for aviation safety advocates in the wake of the 737 MAX crisis.

Reforming the ODA program
The Organization Designation Authorization (ODA) is a program within the FAA. Through this program, the FAA grants designee authority to organizations or companies. These designees then have a role in issuing certificates for new aircraft, or in any testing or examinations involved in issuing certificates on behalf of the FAA Administrator. These ODA holders are private persons not directly employed by the safety organization. While there is some oversight in the program, this bill enhances the FAA’s role in the program.

Protecting whistleblowers
Back in 2016, some of Boeing’s staff discussed concerns with the 737 MAX via instant messaging. However, those concerns did not make it to the FAA and did not impede the aircraft’s certification program. Now, the bill would give whistleblowers some additional protections. The goal is to give employees concerned about the safety of a plane type additional channels and protections for reporting those concerns. Whistleblower protections will, in theory, provide more people protection from retribution for raising aircraft safety concerns.

Studying new technology
Aircraft technology is changing. Over the last few decades, automation in the cockpit has increased in more ways than one. As technology evolves, this bill will give the FAA a chance to devote more time to studying those automation systems and developing safety guidelines for them.

Will this bill go into effect?
The bill has been introduced, but it will take some time before it takes effect. Other members of the federal government will likely have some concerns or changes they want to see to the legislation. Then, there will be the matter of approval from the President, any potential legal challenges, and the FAA’s implementation. So, there is no guarantee that this bill will go into effect, for now.
Nevertheless, this is a good step forward. Aviation has gotten safer over the last few decades, but also more technologically sophisticated. Now, the FAA will need to start getting acquainted with new technologies and be able to ensure that all passengers can step onboard an aircraft and know it is safe to fly.
Source:  https://simpleflying.com/aircraft-safety-certification-reform-act/

FAA issues Directive to address HIRF particular risk on 737 MAX

The Federal Aviation Administration (FAA) on Wednesday finalized a directive requiring airlines to complete inspections of a key component of Boeing 737 MAX airplanes that, if faulty, could result in a loss of power to the engines.

The FAA, in response to a service bulletin issued by Boeing in December, proposed an airworthiness directive in February to mandate inspections.

The directive addressed concerns that some 737 MAX exterior panels on top of the engine may not have electrical bonding necessary to ensure adequate shielding of underlying wiring from the electromagnetic effects of high-power radio frequency transmitters and other sources.

That, the FAA warned, “could potentially lead to a dual-engine power loss event and/or display of hazardously misleading” data. The agency added that the issue could result in a “forced off-airport landing.”

The 737 MAX, Boeing’s best-selling plane, has been grounded since March 2019, after crashes in Indonesia and Ethiopia killed 346 people.

Boeing said it supports “the FAA’s airworthiness directive, which makes our recommended action mandatory” to address the possible impact of electrical energy on the plane.

The FAA said in February the directive would also address the potential safety risks of lightning strikes, but Boeing told the agency that was not accurate. The FAA agreed in its final directive to remove the reference to lightning, saying it had conducted further analysis since February.

Boeing said in December the issue affected airplanes built between February 2018 and June 2019, and as a result “the protective foil inside the composite panels may have gaps.”

After the inspections, airlines will replace any excessively reworked panels and modify an assembly to ensure adequate electrical bonding.

Reuters reported on June 10 that Boeing is aiming to conduct a key flight certification test in late June. That test could take place as early as next week or could be set for early July, a person briefed on the matter said.

Source:  https://www.insurancejournal.com/news/national/2020/06/25/573474.htm

Too many airplane systems rely on too few sensors

“Sensors do fail, but even when that happens, automated systems can be safer and more efficient than human pilots. As flight becomes more automated and increasingly reliant on sensors, it is imperative that flight systems cross-check data from different sensor types, to safeguard against otherwise potentially fatal sensor faults.” See full article here: https://theconversation.com/too-many-airplane-systems-rely-on-too-few-sensors-114394

Author
Carlos Varela
Associate Professor of Computer Science, Rensselaer Polytechnic Institute

In test of 737Max, pilots had 40 seconds to fix error

A 737 Max 8 at Boeing’s plant in Renton, Wash. In simulations of a suspected problem in the crash of a Max 8 in Indonesia last fall, pilots had just moments to disengage a faulty system. Credit: Ruth Fremson/The New York Times

During flight simulations recreating the problems with the doomed Lion Air plane, pilots discovered that they had less than 40 seconds to override an automated system on Boeing’s new jets and avert disaster.

The pilots tested a crisis situation similar to what investigators suspect went wrong in the Lion Air crash in Indonesia last fall. In the tests, a single sensor failed, triggering software designed to help prevent a stall.

Once that happened, the pilots had just moments to disengage the system and avoid an unrecoverable nose dive of the Boeing 737 Max, according to two people involved in the testing in recent days. Although the investigations are continuing, the automated system, known as MCAS, is a focus of authorities trying to determine what went wrong in the Lion Air disaster in October and the Ethiopian Airlines crash of the same Boeing model this month.

The software, as originally designed and explained, left little room for error. Those involved in the testing hadn’t fully understood just how powerful the system was until they flew the plane on a 737 Max simulator, according to the two people.

Compounding the flaws, pilots received limited training about the system before the first crash. During the final minutes, the captain of the Lion Air flight flipped through a technical manual trying to figure out what was happening.

In a tacit acknowledgment of the system’s problems, Boeing is expected to propose a software update that would give pilots more control over the system and make it less likely to trigger erroneously, according to three people, who spoke on the condition of anonymity to describe the private meetings.

There are common procedures in place to counteract MCAS, as currently designed. If the system starts pushing the plane’s nose down, pilots can reverse the movement via a switch at their thumb, a typical reaction in that situation. In doing so, they can potentially extend the 40-second window, giving them more time to avoid a crash.

To fully neutralize the system, pilots would need to flip two more switches. That would shut off the electricity to a motor that allows the system to push the plane toward the ground. Then the pilots would need to crank a wheel to correct whatever problems had emerged.

The pilots, in the simulations, followed such procedures to successfully shut off the system and land safely. But they did so with a far better understanding of how it worked and prior knowledge that it would be triggered – benefits that the pilots of the fatal 737 Max crashes did not have.

If pilots don’t act hastily enough, attempts to disable the system can be too late. In the Lion Air crash, pilots used the thumb switch more than two dozen times to try to override the system. The system kept engaging nonetheless, most likely because of bad readings from a sensor, until the plane crashed into the Java Sea, killing all 189 people on board.

John Cox, an aviation safety consultant and a former 737 pilot, said pilots are highly likely to use the thumb switch to extend the 40-second window to several minutes. But that may still not be enough time to diagnose and solve the problem, especially if the pilots, like the Lion Air crew, were not informed of the system.

“There is a limited window to solve this problem, and this crew didn’t even know that this system existed,” he said.

A Boeing spokesman said that existing procedures for flying the 737 Max include how to respond to similar conditions. The spokesman added that Boeing had reinforced those procedures in a bulletin to pilots after the Lion Air crash.

“Our proposed software update incorporates additional limits and safeguards to the system and reduces crew workload,” the spokesman said in a statement.

The new software system was designed to be a safety feature, operating in the background to help avoid a stall. Taking data from a sensor, the system would engage if the nose of the jet was too high. It would then push down the nose of the plane to keep it from stalling.

The planes flew in similar erratic patterns, suggesting to experts that an automated system might have malfunctioned on both flights.

In the current design, the system engages for 10 seconds at a time, with five-second pauses in between. Under conditions similar to the Lion Air flight, three engagements over just 40 seconds, including pauses, would send the plane into an unrecoverable dive, the two people involved in the testing said.

That conclusion agreed with a separate analysis by the American Airlines pilots’ union, which examined available data about the system, said Michael Michaelis, the union’s top safety official.

One of the people involved in the training said MCAS was surprisingly powerful once tested in the simulator. Another person found the system controllable because it was expected. Before the Lion Air crash, Boeing and regulators agreed that pilots didn’t need to be alerted to the new system, and training was minimal.

At least some of the simulator flights happened on Saturday in Renton, Wash., where the 737 Max is built. Pilots from five airlines – American, United, Southwest, Copa and Fly Dubai – took turns testing how the Max would have responded with the software running as it was originally written, and with the updated version, known as 12.1.

In the simulations running the updated software, MCAS engaged, though less aggressively and persistently, and the pilots were also able to control the planes.

Boeing’s software update would require the system to rely on two sensors, rather than just one, and would not be triggered if the sensors disagreed by a certain amount, according to the three people. Given that the 737 Max has had both sensors already, many pilots and safety officials have questioned why the system was designed to rely on a single sensor, creating, in effect, one point of failure.

The update would also limit the system to engaging just once in most cases. And it would prevent the system from pushing the plane’s nose down more than a pilot could counteract by pulling up on the controls, the three people said.

In conversations with pilots and airline officials over the weekend, Boeing executives didn’t directly address why MCAS was designed with such flaws, one person with direct knowledge of the meetings said. Instead, the company stayed focused on the software update, the person said.

The software changes still require approval by the Federal Aviation Administration. Pilots’ unions have said they are comfortable with the proposed changes but want to review them before making a decision. Pilots will be required to complete a training on the updated system on their iPads.

https://www.nytimes.com/2019/03/25/business/boeing-simulation-error.html

Boeing fix will prevent repeated activation of anti-stall system

SEATTLE/LONDON, March 25 (Reuters) – A Boeing Co software fix for the grounded 737 MAX will prevent repeated operation of an anti-stall system at the centre of safety concerns and deactivate it altogether if two sensors disagree widely, two people familiar with pilot briefings said.

The anti-stall system – known as MCAS, or Maneuvering Characteristics Augmentation System – has been pinpointed by investigators probing October’s fatal Lion Air crash and faces new scrutiny in the wake of another fatal accident in Ethiopia.

Those accidents, which killed nearly 350 people, triggered the worldwide grounding of Boeing’s flagship 737 MAX aircraft and ignited a debate over the proper balance between man and machine in piloting the latest version of the 50-year-old 737.

The MAX has bigger engines, mounted further forward, which can force the plane’s nose higher, threatening a stall. MCAS was designed to counter this but some experts say it overcompensated and the latest changes give some authority back to the pilot.

Airline briefings on the software upgrade, which is designed to address the situation faced by pilots of the doomed Lion Air jet last October, started on Saturday.

Pilots have been told that the MCAS system – which forces the nose downwards to avoid a stall, or loss of lift – will only operate one time for each event rather than impose repeated corrections like those believed to have pushed the Lion Air jet into a dive, the two people familiar with the briefings said.

Additionally, MCAS will be disabled whenever two sensors that measure the ‘angle of attack’ – a parameter that determines how close a plane is to an aerodynamic stall – differ too much.

“Otherwise it would be garbage in, garbage out,” a third person familiar with the briefings said.

This is a change from the previous set-up which only linked MCAS to one sensor at a time, ignoring the other, and which may have resulted in a single point of failure on Lion Air 610.

The pilot will be able to deduce that MCAS is no longer working in the background because the system will show a warning message labelled “AOA disagree”, indicating the two sensors are producing values that differ by an excessive margin.

Previously the “AOA disagree” warning would not have halted the MCAS software because the system was designed to focus on either the left or right sensor, alternating between flights. It was oblivious to whether readings from the sensors were aligned.

Boeing said on Monday its software patch would incorporate more than one angle of attack input, limit trim commands and limit authority but gave few details.

“We’ve been working diligently and in close cooperation with the FAA on the software update. We are taking a comprehensive and careful approach to design, develop and test the software that will ultimately lead to certification,” a statement said.
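
The activation behaviour described in the two articles above (repeated 10-second engagements driven by one sensor, versus a two-sensor disagreement check with one activation per event), sketched as an added example that is not Boeing's code and not part of either article. The trigger angle, the disagreement limit, the requirement that both sensors read high, and the sample readings are assumptions made for illustration; the authority limit is not modelled.

```python
# Added illustration of the logic the articles describe; not Boeing's code.
AOA_TRIGGER_DEG = 15.0     # assumed trigger angle (placeholder value)
DISAGREE_LIMIT_DEG = 5.0   # assumed left/right disagreement limit (placeholder)
ENGAGE_S, PAUSE_S = 10, 5  # from the article: 10 s engagements, 5 s pauses


def original_logic(samples, use_left=True):
    """Single-sensor design. Returns (activations, trim_seconds, inhibited)."""
    activations = trim_seconds = t = 0
    while t < len(samples):
        aoa = samples[t][0] if use_left else samples[t][1]
        if aoa > AOA_TRIGGER_DEG:
            burst = min(ENGAGE_S, len(samples) - t)  # runs its full 10 s
            activations += 1
            trim_seconds += burst
            t += burst + PAUSE_S                     # then pauses and re-checks
        else:
            t += 1
    return activations, trim_seconds, False          # other sensor never consulted


def updated_logic(samples):
    """Two-sensor design: inhibit on disagreement, one activation per event."""
    activations = trim_seconds = burst_left = 0
    armed, inhibited = True, False
    for left, right in samples:
        if abs(left - right) > DISAGREE_LIMIT_DEG:
            inhibited, burst_left = True, 0          # "AOA disagree": no trim command
            continue
        if min(left, right) <= AOA_TRIGGER_DEG:
            armed, burst_left = True, 0              # event over, re-arm
        elif armed:
            armed, burst_left = False, ENGAGE_S
            activations += 1
        if burst_left:
            trim_seconds += 1
            burst_left -= 1
    return activations, trim_seconds, inhibited


# Constructed one-sample-per-second readings as (left_deg, right_deg).
FAILED_LEFT = [(40.0, 5.0)] * 40     # left sensor stuck high, right sensor healthy
GENUINE_HIGH = [(18.0, 17.0)] * 40   # both sensors agree the nose is high

if __name__ == "__main__":
    for name, data in (("failed left", FAILED_LEFT), ("genuine high", GENUINE_HIGH)):
        print(name, original_logic(data), updated_logic(data))
```

With the failed left sensor selected, the single-sensor logic commands three engagements inside the 40-second window; the same fault goes unnoticed on a flight that happens to use the right sensor, while the two-sensor logic inhibits itself in both cases.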

FAA APPROVAL NEEDED
The change sheds light on Boeing’s previously reported decision to make the warning light a standard feature, since the change in flight control laws now makes it indispensable.

The third person said Boeing would need to give pilots in their training a full explanation of what the fix is and why it is being implemented. Both the software fix and the training have to be approved by the Federal Aviation Administration.

Other methods for holding the nose of the aircraft in the right position, known as manual or electric trim, are unchanged as is the ability to cut out the automated trim system altogether using a standard step-by-step checklist.

Boeing has previously said that existing crew procedures, which include using a pair of cut-out switches, would have addressed a condition known as a stabilizer trim runaway and by doing so, automatically deal with any problem with MCAS.

But it has faced criticism for designing a system that potentially out-runs the ability of pilots to recover by repeatedly forcing the nose down using hefty forces, as the pilots in the doomed Lion Air flight experienced.

(Reporting by Eric M. Johnson in Seattle, Tim Hepher in London, Allison Lampert in Montreal; Editing by Lisa Shumaker)