Boeing 737 Max8 Aircraft Crashes and Investigations [Part 3] 36

[Sparweb]

This is the continuation from:

thread815-445840
thread815-450258

This topic is broken into multiple threads due to the long length to be scrolled, and many images to load, creating long load times for some users and devices. If you are NEW to this discussion, please read the above threads prior to posting, to avoid rehashing old discussions.


Some key references:

Ethiopian CAA preliminary report

Indonesian National Transportation Safety Committee preliminary report

The Boeing 737 Technical Site

No one believes the theory except the one who developed it. Everyone believes the experiment except the one who ran it.
STF

 

[RVAmeche]

But there must be some sort of defined testing/simulator envelope? Ensure the plane can takeoff/land in xyz worst case scenario, what happens if x system goes out, etc.

Or am I just being too naive and optmistic since all that would cost precious money?

 

[IRstuff]

Sure, but that's all real-time simulation, which means that even the two crashes under discussion would take hours to configure and vet, and they are simply two out of possibly thousand of similar, but different, scenarios that might require simulation.

Moreover, such simulations are only as good as the person coming up with the faults to test, which is why there are so many latent zero-day exploits in browsers. How many people would think that a buffer overrun would be a backdoor into an operating system?

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert!

https://www.youtube.com/watch?v=BKorP55Aqvg

faq731-376 forum1529 Entire Forum list

http://www.eng-tips.com/forumlist.cfm

 

[RVAmeche]

I see your point but an AoA sensor fault/failure seems like a pretty basic parameter to test, especially given this new control scheme.

 

[btrueblood]

"If you begin to cost your employer significant amounts of time and money, they will do something about it.
Sometimes the squeaky wheel gets the grease, sometimes it is removed and replaced with a ready spare.
If the FAA needs someone to act on their behalf, that person should be an FAA employee."

That in response I believe to the Seattle Times article quotes posted by waross. The article got into the FAA Authorized Representative (AR) situation a little deeper, and noted how the rules had changed, and not to the better:

The old model was: FAA appoints a Boeing engineer as a AR. Boeing pays his salary, he reports on design changes to the FAA, but does not have anybody at Boeing "managing" him. Any retaliatory actions against said employee by Boeing is dealt with harshly by the FAA. New model is Boeing appoints the AR, pays his salary, and said employee is managed by Boeing. Worse, some of the anti-retaliation stuff got written out of the laws/procedures, or at least is being ignored by the FAA.

see

https://www.seattletimes.com/busine...-in-race-to-certify-planes-including-737-max/

The episode underscores what The Seattle Times found after a review of documents and interviews with more than a dozen current and former Boeing engineers who have been involved in airplane certification in recent years, including on the 737 MAX: Many engineers, employed by Boeing while officially designated to be the FAA’s eyes and ears, faced heavy pressure from Boeing managers to limit safety analysis and testing so the company could meet its schedule and keep down costs.

That pressure increased when the FAA stopped dealing directly with those designated employees — called “Authorized Representatives” or ARs — and let Boeing managers determine what was presented to the regulatory agency.
“The ARs have nobody supporting them. Nobody has their backs,” said one former Authorized Representative who worked on the 737 MAX and who provided details of the engineer’s removal from the program. “The system is absolutely broken.”

FAA-designated oversight engineers are supposed to enjoy protection from management pressure. Removing one who proves a stickler for safety regulations will inevitably produce a chilling effect on others who see the consequences of being too rigid about safety concerns, said John Goglia, former member of the National Transportation Safety Board (NTSB).

“It negates the whole system,” said Goglia. “The FAA should have come down on that really hard.”

 

[SwinnyGG]

For two planes to have crashed and at least two reports in the U.S. of this planes behavior, the situation could not have been that odd for so many people to have stumbled into it.

By the time of the second accident, Boeing had delivered about 325 of these aircraft.

March 10, 2019, is the 72nd day of the year.

737s fly mixed length flights, so let's be semi-conservative and say they make an average of 3 turns per day. I think this is probably low but I'm not a pilot. Alistair, have an opinion?

If all the above is true, from the first day of 2018 to the day of the second crash, 737 Max airframes flew approximately 426,000 flights. That's 426,000 takeoffs, 426,000 landings, Probably at least 1.5 million flight hours, and more than 100 million air miles flown.

Two crashes and two known incidents is a rate of 4 in 426,000- that's a rate of 0.0009%.

.0009% is pretty odd.

 

[IRstuff]

"but an AoA sensor fault/failure seems like a pretty basic parameter to test, especially given this new control scheme."

Sure, but there are probably hundreds of "basic" parameters that would also need to be tested, and, note that the AoA disagree warning was supposedly erroneously implemented, and probably doesn't even match the simulator, so testing on the simulator might not have shown any problems anyway.

Note the simulator is a truckload of code written around a simplification of the real plane. There are lots of opportunity for the simulator to diverge from reality, particularly in the tiny "basic" things. Just making sure the simulator matches actual hardware implementation down to that level is whole separate vetting task.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert!

https://www.youtube.com/watch?v=BKorP55Aqvg

faq731-376 forum1529 Entire Forum list

http://www.eng-tips.com/forumlist.cfm

 

[charliealphabravo]

...an AoA sensor fault/failure seems like a pretty basic parameter to test, especially given this new control scheme.

From the link that VE1BLL provided, Boeing is basically doubling down on their original design philosophy for the MAX (retaining commonality with the NG). And maybe they are reversing the CEOs initial statement that they would "own it" or whatever was meant by that. They are clearly stating that the AOA related indicators are supplemental and, by implication, that even failure of the AOA sensors themselves does not present a scenario that pilots are not readily equipped to handle.

On every airplane delivered to our customers, including the MAX, all flight data and information needed to safely operate the aircraft is provided in the flight deck on the primary flight deck displays. This information is provided full-time in the pilots’ primary field of view, and it always has been.

Air speed, attitude, altitude, vertical speed, heading and engine power settings are the primary parameters the flight crews use to safely operate the airplane in normal flight. Stick shaker and the pitch limit indicator are the primary features used for the operation of the airplane at elevated angles of attack. All recommended pilot actions, checklists, and training are based upon these primary indicators. Neither the angle of attack indicator nor the AOA Disagree alert are necessary for the safe operation of the airplane. They provide supplemental information only, and have never been considered safety features on commercial jet transport airplanes.

The Boeing design requirements for the 737 MAX included the AOA Disagree alert as a standard, standalone feature, in keeping with Boeing’s fundamental design philosophy of retaining commonality with the 737NG.

It will be interesting to see how this plays out for Boeing. It looks like classic corporate triangulation. Watching the CEO give his latest statement to the shareholders was like watching Scientology's David Miscavige with the affectations and the excessive confidence and the obtuseness when answering questions. I guess I'll be a project engineer for life.

 

[VEBill]

"Two crashes and two known incidents is a rate of 4 in 426,000- that's a rate of 0.0009%."

Of course, the math works the other way too.

"0.0009%" multiplied by some big numbers equals two major crashes in relatively quick succession.

Both are accurate, but the perception of one is encumbered by some human cognitive bias about seemingly 'small' numbers.

 

[Alistair_Heaton]

Accident rates are done fatal accidents per million flight hours.

The max is over 3 most swept wing jets are in the 0.2 to 0.5 region. Turbo props are 0.4 to 0.8.

Ng 737 is less than 0.1 the classics are higher.

Concorde is over 11 with only 1 fatal accident.

 

[SwinnyGG]

Both are accurate, but the perception of one is encumbered by some human cognitive bias about seemingly 'small' numbers.

My point was in response the the implication that this failure mode was, quote, "not that odd" i.e. not rare.

The point I was making is that 4 incidents in 400,000+ is the definition of a rare event, which you could not expect to reliably catch in any type of test plan that had a reasonable duration.

I think that we as a group are perhaps crossing a little too far into armchair quarterback territory. It's pretty easy for us to sit back and say "WHY DIDN'T THEY TEST THAT" when we already know the failure mode.

Let's not forget, this is a device with more than a quarter million parts and more than a half million fasteners. Design, development, and execution of robust and comprehensive testing schemes is very, very hard.

 

[waross]

Alistair, in your information,"Accident rates are done fatal accidents per million flight hours.", would the Max 8 count as 2 fatal accidents or as 346 fatal accidents?

Bill
--------------------
"Why not the best?"
Jimmy Carter

 

[waross]

Boeing's advantage is a contractor's dream.
Just think, if you don't like an inspector's ruling, just replace the inspector.
What a great way to stay on time and on budget.


Bill
--------------------
"Why not the best?"
Jimmy Carter

 

[3DDave]

FWIW the comments below are of some interest

https://forums.theregister.co.uk/fo...blames_software_737_max_aoa_warning_captions/

 

[VEBill]

"Why didn't they test that?"

Of course, formal proof of compliance for large projects is (these days) usually tracked and managed within a requirements tracking database tool such as DOORS. Everything should be linked from the specification requirements at one end to the test (or inspection, demonstration, or analysis) evidence at the other end. This process is supposed to ensure that nothing is missed, unless covered off with a waiver or deviation.

Those involved are supposed to track everything (aided and enforced by the database tool), pretty much leaving a 'defective specification' as the only escape.

Software development should be managed under DO-178 or equivalent. It's highly prescriptive, with traceability as its core.

Testing will prove compliance of even those requirements that would never be exercised in the real world in a million years, but they're still tested. Perhaps using an automatic test bench in mere minutes.

As an example of how waiting is not used, when an engine OEM needs to test the turbine blade containment system, they don't wait for a blade to fail by itself. They wire up an explosive charge to cause a blade to become detached on command.

 

[RVAmeche]

Waross,

I think the numbers are calculated based on fatalities per million hours?

 

[Alistair_Heaton]

http://www.airsafe.com/events/models/rate_mod.htm

Here is a site which gives numbers and also the method of calculating them.

We get per million flight hours from the safety officer at work but can't find any on the web using that method with description.

I susepct it per million flights penilises the long haul types who do 8-12 hour plus sectors.

 

[IRstuff]

It's about perceptions, but note that the MAX and the SST have extremely low total flight counts, which drive up the rates significantly. The DC10 numbers look tolerable, but there was a span of two years with 4 events in 1978-1979, which drove the rate up significantly. As you read through the major incidents, there will also be descriptions such as "design was dangerously flawed," that passed all inspections and testing.

When companies want really low accident rates, they'll use deaths per million passenger miles, as there tends to be fewer incidents in the middle phase of a flight, and long-haul planes tend to carry more passengers.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert!

https://www.youtube.com/watch?v=BKorP55Aqvg

faq731-376 forum1529 Entire Forum list

http://www.eng-tips.com/forumlist.cfm

 

[VEBill]

40+ minute investigative report.

"Rogue Boeing 737 Max planes ‘with minds of their own’ " '60 Minutes Australia' via YouTube

"Liz Hayes investigates the disaster of Boeing’s 737 MAX jetliner. Why two supposedly state-of-the-art and safe planes crashed killing 346 people; why pilots now fear flying the 737 MAX; & whether Boeing could have averted the catastrophes."

I'm just about to watch it, so no comment on it.

 

[LionelHutz]

http://www.airsafe.com/events/models/rate_mod.htm

^ This is the accident rate per million flights, not million flight hours. That's a big difference and explains why the rate per million flight hours posted before seemed way too high. The fatal accident rate per million flight hours for the Concorde should be under 1.

 

[Alistair_Heaton]

It doesn't matter how they fiddle the numbers on the stats the max has got it's place in history on the same page as the comet.

Even that russian coal burning heap of an aircraft the ssj has better stats.