OT: Deadly 'Misguided Assumptions' Were Built Into Boeing's 737 Max

Details of an error in engineering procedures and decision-making:

formatting link

The comments to the article are also interesting.

--
 Thanks, 
    - Win
Reply to
Winfield Hill

"Safety analysts said they would have acted differently if they had known it used just one sensor. Regulators didn't conduct a formal safety assessment of the new version of MCAS."

IOW the safety analysts and regulators didn't have any idea how the plane's flight controls actually worked, and most or all of the employees they were talking to in the course of their duties as analysts didn't have any idea, either.

That sounds about right. Let the FNG deal with those people

"In regulatory-speak, it meant that MCAS could trigger erroneously less often than once in 10 million flight hours."

sounds like a management-dictated reliability estimate, a la Space Shuttle NASA-management dictated reliability estimates of 1 catastrophic accident per every 10 or 100 thousand flights and not 1 in 50 or 100 as was more realistic.

10 million flight hours isn't all that much in the grand scheme of things either, given how many planes and flight hours there are intended to be. If they erroneously downgraded what was actually a "catastrophic" fault condition to "hazardous", even if the ~10 million hour figure is correct for a plane like the Max, it probably means a guaranteed crash every 7-8 years or something.
Reply to
bitrex

Still hard to fathom how this could come out of Boeing, that with all the people involved, no one could see the serious crisis that a simple vane sensor failing could cause. Some interesting parts:

"In those flights, they did not test what would happen if MCAS activated as a result of a faulty angle-of-attack sensor, a problem in the two crashes."

That's quite stunning, that no test was ever done to show what happens if a simple vane sensor fails.

"They classified the event as 'hazardous,' one rung below the most serious designation of catastrophic, according to two people. In regulatory-speak, it meant that MCAS could trigger erroneously less often than once in 10 million flight hours."

You would think a simple vane sensor that could get stuck, damaged, hit by debris, by a bird, maybe frozen by ice, would have a failure rate way higher than that. What else has Boeing given the wrong failure rates to?

"That probability may have underestimated the risk of so-called external events that have damaged sensors in the past, such as collisions with birds, bumps from ramp stairs or mechanics' stepping on them. While part of the assessment considers such incidents, they are not included in the probability."

Say what? Those events would have to be included in the probability analysis for it to be valid at all.

"At a tense meeting with the pilots' union at American Airlines in November, Boeing executives dismissed concerns. 'It's been reported that it's a single point failure, but it is not considered by design or certification a single point,' said Mike Sinnett, a Boeing vice president, according to a recording of the meeting.

His reasoning? The pilots were the backup.

'Because the function and the trained pilot work side by side and are part of the system,' he said."

Stunning. So a single point failure isn't single point, if the pilots can recover from it, assuming they do everything right?

A lot here sounds very wrong at Boeing, in their definitions, in their probability calculations, in their assumptions. And it could very well extend to planes beyond the Max, probably to all Boeing planes. I said before that I will be confident that Boeing has this fixed, but seeing what went on here, I no longer have the same faith I did in all Boeing planes.

Norah O'Donnell had the first interview with the Boeing CEO since the crashes. He finally did apologize, but it's way too late for that. He should resign or be fired. And she never asked him the line of questioning I would have asked. Have you done an internal investigation to find out how this happened? What steps have you taken to check other planes' designs and their teams to find out if there are any other mistakes like this? How could this happen at Boeing? What steps have you taken to make sure this never happens again?

Reply to
trader4


I don't think that is the estimate, that is the requirement to be considered safe enough given the severity of impact.

I believe the 10 million flight hours is how often the MCAS would muck up, but not necessarily it would cause an accident or cause injuries. That's the point. If it were considered "catastrophic" meaning the impact were higher, 10 million hours would not be enough.

--
  Rick C. 

  - Get 1,000 miles of free Supercharging 
Reply to
Rick C


The classification as hazardous made the assumption that pilots were competent and able to identify and deal with what manifests itself as a runaway trim condition. All pilots are trained on that, yet we had at least 4 out of 7 that couldn't identify it and follow the procedure.

More shocking is that the one in ten million probability didn't include the odds of things like a bird strike, leaving one to wonder what the probabilities of failure do include and exclude and what that means for other systems and other aircraft.

Reply to
trader4

It sounds like par for the course at say a very top-heavy organization where you have perhaps like, 5 greybeards who actually know how to design planes. All major (and most minor) design decisions route through them. Then you have hundreds of "titled-engineers" who all work on small subsystems and don't get a big picture overview, with little design authority outside their own small area.

I don't know that Boeing actually operates this way, but it sounds suspiciously like the case. All large tech companies compartmentalize and specialize to some degree on big projects; it's impossible to do otherwise. But the article seemed to state that Boeing made an extreme habit of it.

Reply to
bitrex


"...but not necessarily it would cause an accident or cause injuries. That's the point. If it were considered "catastrophic" meaning the impact were higher, 10 million hours would not be enough."

Agree. Boeing/FAA classified MCAS failure as hazardous, so that meant that it had to have a predicted failure rate of less than one in ten mil flight hours. Hazardous means that it could cause injuries or fatalities, but not the expected loss of the aircraft. Related to that, it states that bird strikes and similar were not a part of the probabilities. That seems shocking. And it's a mechanical vane, subject to damage, icing, etc, how that gets less than one in 10 mil hours failure rating, IDK. It makes you wonder what else has been similarly rated.

Reply to
trader4
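The thread keeps circling the same arithmetic: a "hazardous" classification buys a budget of less than one erroneous activation per 10 million flight hours, and the complaint is that external events (bird strikes, ramp damage, icing) were left out of the probability. The following Python is an added illustration of that budget check, not Boeing's or the FAA's analysis; every contributor rate, the catastrophic limit and the fleet size are constructed placeholders, labelled as such in the code, chosen only to show how excluding the external contributors changes the verdict.

```python
"""Fault-budget check in the terms used in the thread.

A 'hazardous' classification requires an erroneous-activation rate below
1 in 10 million flight hours (1e-7 per flight hour, the figure quoted from
the article).  Everything else below is a constructed placeholder for
illustration, not real certification data.
"""

HAZARDOUS_LIMIT = 1e-7      # per flight hour, as quoted in the thread
CATASTROPHIC_LIMIT = 1e-9   # the next rung up; assumed here for illustration

# Constructed per-flight-hour rates for independent ways the single AoA
# vane can feed a wrong value to the function.  NOT real numbers.
CONTRIBUTORS = {
    "intrinsic vane/electronics failure": 5e-8,
    "bird strike damaging vane": 3e-7,
    "ground damage (ramp stairs, mechanic)": 1e-7,
    "icing": 8e-8,
}
# The 'external events' the article says were considered but not counted.
EXTERNAL = {
    "bird strike damaging vane",
    "ground damage (ramp stairs, mechanic)",
    "icing",
}


def combined_rate(contributors, include_external=True):
    """Total rate of the unwanted event.

    For independent contributors whose individual rates are all << 1 per
    hour, the combined rate is simply the sum (the union of rare events).
    """
    return sum(
        rate
        for name, rate in contributors.items()
        if include_external or name not in EXTERNAL
    )


def meets_classification(rate, classification):
    """True if `rate` is inside the budget for the given severity class."""
    limits = {"hazardous": HAZARDOUS_LIMIT, "catastrophic": CATASTROPHIC_LIMIT}
    return rate < limits[classification]


def fleet_years_between_events(rate, aircraft, hours_per_aircraft_per_year):
    """Expected calendar years between events across a whole fleet.

    Per-hour rates look tiny until multiplied by fleet exposure; this is the
    'how often does the fleet see it' number the thread argues about.
    """
    fleet_hours_per_year = aircraft * hours_per_aircraft_per_year
    return (1.0 / rate) / fleet_hours_per_year


if __name__ == "__main__":
    for include in (False, True):
        r = combined_rate(CONTRIBUTORS, include_external=include)
        print(
            f"external events {'included' if include else 'excluded'}: "
            f"{r:.2e}/h, hazardous budget met: {meets_classification(r, 'hazardous')}, "
            # 1000 aircraft x 3000 h/yr is an assumed fleet, not a real one
            f"fleet interval ~{fleet_years_between_events(r, 1000, 3000):.1f} years"
        )
```

With the constructed numbers the intrinsic rate alone sits inside the hazardous budget, while adding the external contributors pushes the total about five times over it; the fleet interval line is the same rate restated as "years between events" for an assumed fleet.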

Or maybe the proper term is "bottom-heavy", here.

Reply to
bitrex


sorta kinda,

formatting link

Reply to
Lasse Langwadt Christensen

The airlines have a history of this kind of risk taking. "According to the NTSB, a fuel tank explosion happens on average every four and a half years. In May 1990, six years before TWA 800, a center tank exploded on a Philippine Airlines 737 shortly before take off, killing eight people. Four years and eight months after TWA 800, the center tank of a Thai Airways jet exploded on the ground, killing one person."

formatting link

Up to the TWA flight 800 disaster, they were spending way more money on their in-flight entertainment system than a fuel tank oxygen removal system could ever cost.

As for the NYT article, they have the basic facts but as usual their interpretation is pathetically naive. The FAA is incapable of certifying a design as complex as the 737 MAX. They in fact handed the entire certification off to Boeing with the certification reports being "reviewed" by semi-comatose swivel chair operators with probably less than 10% (on the high end) comprehension of what they were reading. And when NYT reports Boeing delivered this or that information to FAA, it only means it was part of a probably huge documentation package most of which was simply glossed over by the FAA. As is typical of most politicized bureaucracies, they're just not going to pay much attention to anything that's not already a high visibility issue. I agree with Boeing about the MCAS not being a single-thread catastrophic failure mechanism because the pilot is always available to pull the system out of MCAS control, and the MCAS was relatively slow acting, taking 10 seconds to do anything. And you can't implement a voting scheme with just two sensors. The only good a second sensor would serve is if it was something the pilot could switch in when/if the first sensor gave him trouble with the MCAS. The fault lies with the airlines for not properly training their pilots.

Reply to
bloggs.fredbloggs.fred

Has anyone told Boeing there's no point to using two sensors? Cuz as part of their fix to this issue, according to the article, using two sensors continually seems to be central to the plan, not just a second sensor that's switchable/optional.

Reply to
bitrex


switching it off if the AoAs disagree and reducing the maximum trim it can do when it is working, would fix the problem of it crashing the plane

but it does pose the question, if it isn't a problem turning it off or reducing its power, why was it added in the first place

Reply to
Lasse Langwadt Christensen


The idea of two seems to be that if they disagree by a substantial amount, then MCAS will take no action, because something is wrong and the cure is potentially far worse than the problem.

Reply to
trader4

That makes sense. You can have a "voting system" such as it is with two sensors, but it can't actually _do_ anything other than take itself offline and provide a gripe signal that its internal state is inconsistent.

The Space Shuttle had four main computers in a voting system, and IIRC the plan was if there was a time when there was a repeated two-two split on some decision of importance then all four would be taken offline and a fifth normally out-of-the-loop computer would be brought online, which was hardcoded with only what was necessary for de-orbit and landing, and return home immediately. Also IIRC there was never a two-two split on anything during operation of the Shuttle.

Reply to
bitrex
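Two design points come up in the last few posts: a two-sensor pair cannot out-vote a bad member, so disagreement can only inhibit the function (and, as suggested earlier, its trim authority per activation can be capped), while a four-computer majority vote needs a rule for a repeated 2-2 split, which the Shuttle design reportedly handled by failing over to a separately written backup. The Python below is an added illustration of both mechanisms, written for this thread and not taken from any Boeing or NASA code; the angle threshold, disagreement limit, trim cap and split count are assumed values, marked as such in the comments.

```python
"""Agreement gating with two sensors, and majority voting with split
detection across four channels.  Added illustration; all constants are
assumed for the example and are not Boeing or NASA values."""

from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

DISAGREE_LIMIT_DEG = 5.5   # assumed: max AoA difference before the pair is distrusted
TRIGGER_DEG = 12.0         # assumed: AoA above which the function would act
MAX_TRIM_UNITS = 1.0       # assumed: cap on what a single activation may command


@dataclass
class GateResult:
    trim_command: float    # 0.0 means "take no action"
    reason: str


def two_sensor_gate(aoa_left: float, aoa_right: float,
                    requested_trim: float) -> GateResult:
    """Two sensors cannot tell you which one is wrong.  The only safe use of
    the pair is as an agreement check: on disagreement the function goes
    offline and reports the inconsistency; when both agree the condition
    exists, the command is still clamped to a bounded authority."""
    if abs(aoa_left - aoa_right) > DISAGREE_LIMIT_DEG:
        return GateResult(0.0, "inhibited: AoA sensors disagree")
    if min(aoa_left, aoa_right) <= TRIGGER_DEG:
        return GateResult(0.0, "no trigger: both sensors below threshold")
    return GateResult(min(requested_trim, MAX_TRIM_UNITS),
                      "trigger: both sensors agree, trim clamped")


def majority(votes: Sequence[bool]) -> Optional[bool]:
    """Majority of a channel set; None when the vote is evenly split."""
    yes = sum(1 for v in votes if v)
    no = len(votes) - yes
    if yes == no:
        return None
    return yes > no


@dataclass
class QuadVoter:
    """Four voting channels with a split rule: a split cycle takes no action,
    and `split_limit` consecutive splits hand control to a backup channel
    for the rest of the run."""
    split_limit: int = 2           # assumed: splits tolerated before failover
    consecutive_splits: int = 0
    failed_over: bool = False

    def step(self, votes: Sequence[bool], backup_vote: bool) -> Tuple[bool, str]:
        if self.failed_over:
            return backup_vote, "backup channel in control"
        result = majority(votes)
        if result is None:
            self.consecutive_splits += 1
            if self.consecutive_splits >= self.split_limit:
                self.failed_over = True
                return backup_vote, "repeated split: failed over to backup"
            return False, "split: no action this cycle"
        self.consecutive_splits = 0     # a clean majority clears the split count
        return result, "majority decision"


if __name__ == "__main__":
    # Constructed inputs: a healthy pair, then one vane reading far off.
    print(two_sensor_gate(15.0, 14.0, requested_trim=2.5))
    print(two_sensor_gate(15.0, 2.0, requested_trim=2.5))
    voter = QuadVoter()
    for cycle_votes in ([True, True, False, False], [True, True, False, False],
                        [True, True, True, True]):
        print(voter.step(cycle_votes, backup_vote=False))
```

The gate never tries to pick a winner between the two readings; that decision is exactly what a pair cannot make, which is why the safe outcome on disagreement is "do nothing and flag it". The voter's safe default on a single split is likewise inaction, and the failover is sticky so that the backup's decision is used consistently rather than flip-flopping back to the split set.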

also the de-orbit and landing code on the 5th was clean-room written by a different team to the same specifications.

Reply to
bitrex


voting can also fail,

formatting link
ht_888T

Reply to
Lasse Langwadt Christensen

that really unlucky situation might inspire a black-comedy joke about redundancy like "Two is better than one, except when one is better than three. Four is intrinsically better than three but sometimes worse than two. Five, is right out."

Well I'll work on it, if it hasn't been done already. because then my labor would be redundant.

Reply to
bitrex


That's the least reliable option because you lose MCAS if either/or the angle sensors fail. Maybe they think it's important to have MCAS, making the switchable option the most reliable to that end. In both crashes the sensor activated MCAS because it thought the angle was too high and the aircraft was in danger of stalling. So it put the nose down at a steep angle causing the crash. I don't know why it just as easily could have sensed the nose was down too much and put the nose up causing the plane to stall and crash. The basic problem is the pilot doesn't have any wiggle room when he's coming in for a landing. It only takes a few seconds of bad control to put the aircraft in a bad spot it can't get out of. Maybe they should just shut the damn thing off below a certain ground height and ground speed.

Reply to
bloggs.fredbloggs.fred

On Sunday, June 2, 2019 at 8:11:17 PM UTC-4, Lasse Langwadt Christensen wrote:


Apparently the aircraft's last minute corrections on landing approach were producing too much acceleration for the comfort of the passengers, making it seem like the pilot was fighting for control and it was a miracle they landed in one piece.

Reply to
bloggs.fredbloggs.fred

The way the article framed it was that there was feature-creep in the design of the MCAS system, from an emergency system that would only engage in exceptional circumstances to being just another part of the normal flight controls that was always operating in the background to make it a more comfortable aircraft to fly.

Reply to
bitrex
