Boeing 737 Max8 Aircraft Crashes and Investigations [Part 6] 17

[Sparweb]

This post is the continuation from this series of previous threads:

thread815-445840
thread815-450258
thread815-452000
thread815-454283
thread815-457125

This topic is broken into multiple threads due to the length to be scrolled, and images to load, creating long load times for some users and devices. If you are NEW to this discussion, please read the above threads prior to posting, to avoid rehashing old discussions.

Thank you everyone for your interest! I have learned a lot from the discussion, too.

Some key references:
Ethiopian CAA preliminary report

Indonesian National Transportation Safety Committee preliminary report

A Boeing 737 Technical Site

Washington Post: When Will Boeing 737 Max Fly Again and More Questions

BBC: Boeing to temporarily halt 737 Max production in January

 

[Sparweb]

So why when building new planes wouldn't you just avoid the single sensor concept from the outset?

Well, that's the big mystery. There's a safety requirement that requires reliability on all systems that affect the flight controls, including trim. There a standard for compliance that spells out how to assess how critical as system is to the safety of the aircraft, and how to deal with systems that fall into a "major" or "catastrophic" criteria. Somehow Boeing managers/engineers really put the blinders on, despite contrary opinions being expressed internally within the company, that were telling them from many sides that the system was glitchy as all hell. Some of them even seemed to know where the shortcomings were.

http://www.sparweb.ca

 

[Tomfh]

Well, that's the big mystery.

Could it have been an oversight to start with, and by the time they thought about it the design was too far advanced, and so they let it slide?

 

[waross]

Ahh Safety assessments.
A good manager can really shine when overruling engineering during a safety assessment.
I was once involved in a safety investigation.
A nose bag was lowered from a height.
It contained a rattle can of paint and some short pieces of steel angles.
It must have hit the ground too hard because something punctured the pressurized paint can and it was hissing.
A worker wondered why it was making a funny noise and picked it up and turned it towards himself.
He painted his face. I don't remember what colour.
He was very upset and in some distress.
First aid was called and they helped him to wash his face and sent him back to work.
Several weeks later I found myself in a safety investigation meeting.
We had a matrix to fill in.
There were five or seven headings and a numerical value under each heading.
We were making our way through the matrix and one heading was;
"How likely is this to happen again?"
The manager leading the investigation stated that it was very unlikely to ever happen again and assigned a low number.
Someone suggested that with the size of the project it may be a little more likely that such a thing could happen again.
The manager thought for few seconds and then stated that;
"No, the likely hood that this will happen again with that size of paint can, in that color, being lowered from that high line is very unlikely. We will stay with this number. (I forget the exact conditions that he stated but his assessment was very very much more restrictive than someone accidentally being sprayed in the face with spray paint.
No one had the temerity to challenge him further.
We finished the matrix and then added up the numbers from each column.
We compared this with another chart which gave us a course of action depending on the total.
Our number allowed us to handle the issue locally and for all intents and purposes that was the end of the inquiry.
Had our number been one digit higher a company vice president would have to be notified and review the incident.
And I thought to myself;
"So that's how the game is played here. I don't think that that is the intent but he plays the game very well."
I wonder where he is now. He could probably be working for Boeing. He knows how to spin the game and fudge the numbers.
Many of you will have had similar experiences.
Those who have not, if you are working for big business, wait for it. Your turn will come.
What did I learn?
If you don't want to be involved with this kind of charade:-
Don't be a witness;
"I was looking the other way and didn't see a thing until it was all over."
Two can play the game, but one may also opt out.


Bill
--------------------
"Why not the best?"
Jimmy Carter

 

[Alistair_Heaton]

Seems the next Boeing aircraft is going to be a clean sheet design.

https://www.seattletimes.com/busine...confidence-is-shaken-my-job-is-to-restore-it/

I suspect we will see a FBW Boeing system which can be ported across all new types.

I might add Airbus needs to go through this as well and update its FBW system and philosophy.

To be fair the first rule of blame the pilots is actually usually correct and it is the pilots.

But before all this work starts the regulators are going to have to define a sensible set of standards for data saturation and reaction times. Linked to the normal pilot profile of technical knowledge and thinking. Dump the average pilot mentality and design for the most clueless idiot that can get through basic training. Old days most pilots had an engineers head on them, they thought in energy and instinctively "knew" what to do with the controls to get an energy state. These days its all SOP's and call outs. The theory being that if you always do the SOP's precisely then everything will be safe. But the older designs still rely on the engineering head to recognise what the primary problem is and know which checklist you use to fix things.

My first type rating on the BAe Jetstream 31/32 technical training went down to how the fuel controller worked metering the fuel and how the Propeller pitch controller worked. My last rating on the Q400 we were told each engine has a FADEC which is powered by its own generator. They look after the engines, failure tree is powerplant for advisory, yellow cap for caution, and red cap for Major. And that was it, half a A4 page on the subject where as the Jetstream had some 32 pages on the subject. Personally I found the Jetstream a bit to much detail but the Q400 its a definite policy to only tell the pilots a defined amount of information so they can't get creative. It used to annoy me when I first started flying the Q400 but over the last 2500 hours have come to realise that its probably for the best, having people getting creative pulling CB's trying to fix things will be fatal.

 

[Alistair_Heaton]

Could it have been an oversight to start with, and by the time they thought about it the design was too far advanced, and so they let it slide?

I extremely doubt it was oversight, I can't prove it and don't have any data to back my opinion up.

It all revolves around not triggering critical software certification, using as much grandfather certification as possible. And this requirement that pilots can get away with 30mins looking at an Ipad for training.

I really don't think the current MAX is the aircraft that the people in the design shop wanted to produce. And even after they have re certified it people will not have any feeling of pride when they see one flying because basically its not the aircraft they wanted to make.

 

[Sparweb]

its probably for the best, having people getting creative pulling CB's trying to fix things will be fatal.

Yes, before the plane takes its first flight, as many disaster scenarios as possible are pictured in advance, and the response planned in such a way that the procedure gets you on the ground in one piece. The history of aviation has put a lot of smoking pits in the ground to inform the engineers what kinds of mistakes and failures are likely to happen. Indeed, this process of testing the assumptions and evaluating the aircraft response to the emergency procedures in simulators before flying the real thing is the subject of many (maybe most) of the e-mail and IM traffic that was released in those documents.

AH, if you still want the information overload for your turboprops, just sit down to read the maintenance manual. When you're done (a month later) then you'll have more insight into every actuator and pump on the thing than you ever thought you'd need to know. The OEM's haven't really intentionally dumbed down the AFM's, they've just concentrated the data in other books. It's not actually better that way. The maintenance crews can't see the operations books and vice-versa.

http://www.sparweb.ca

 

[Alistair_Heaton]

We are not allowed to read them, even the fleet technical pilot has limited access to them as information has a tendency to propagate via galley FM.

The Jetstream I had access to everything, was qualified to do daily and weekly checks on them. Had dupe authorisation for signing off control run maint. I could change tyres..etc

I even did an engine change on one and re rigged it with one of the B1's checking things at crucial points. I still have the wire lock scars from that one.. I thoroughly enjoyed it though.

I could sign off MEL's and differ things and clear them.

I used to have a knack of finding out what electrical issues were occurring. Which was more about trouble shooting technique, isolation of the problem and tracing it. It wasn't an in depth knowledge of the systems per say just an engineers logic. The technicians tended to just swap boxes in the hope it would fix the problem.
But when it came to finding out which 3 way microswitch was acting up on an intermittent fault that technique used to fall over.

Q400 I am not allowed to change a light bulb. Only thing we are authorised to do as Captains is the Overspeed Governor Check. I am more than happy with this situation.

I do know where you coming from though with differences between manuals. The required O2 pressure for 3 crew in the front is a classic example. Our book says 1800 psi at 5 deg temp and the maint book says 1600 I think. Thankfully management top cover has settled that particular issue and when the jump seat is to be used then they fill the bottle up to max what ever its reading.

 

[waross]

Following the feelgood pep talk link by Calhoun posted by Alistair I came across this interesting article.
Longtime Boeing advocate Maria Cantwell formally criticizes report on FAA’s certification process for 737 MAX
Some excerpts:
Maria Cantwell, Washington’s junior U.S. senator and longtime Boeing advocate, criticized Friday a government advisory committee’s findings this week that largely endorsed how the Federal Aviation Administration oversaw the certification of the 737 MAX, saying it “defends a system that is in clear need of improvement.”

That report concluded that federal regulators followed established procedures when they certified the Boeing 737 MAX and did not delegate too much safety oversight for the plane to the airplane manufacturer itself.

In a letter to U.S. Secretary of Transportation Elaine Chao, Cantwell wrote that the special committee’s report “falls short” and contradicts findings and recommendations for safety improvements that have been made by other review panels.
...
Cantwell’s criticism joins that of at least two key House lawmakers who’ve said they plan to seek legislative reforms to the FAA’s certification process. Rep. Peter DeFazio, an Oregon Democrat who chairs the House Transportation and Infrastructure Committee, and Rep. Rick Larsen, an Everett Democrat who chairs the House panel’s aviation subcommittee, each criticized the report’s findings in statements this week.
....
Like Larsen, Cantwell is a longtime Boeing advocate who supported the FAA Reauthorization Act of 2018 that changed the certification process to allow for more delegation of regulatory oversight to Boeing and other manufacturers.

Boeing employees collectively contributed nearly $62,000 to her reelection bids since 2015, according to opensecrets.org. A spokeswoman said Cantwell doesn’t take money from corporate political action committees.
Is this a display of moral courage or am I missing something?


Bill
--------------------
"Why not the best?"
Jimmy Carter

 

[Alistair_Heaton]

Notice though they have a Semi realistic time scale for it flying again.

I don't think they will manage it though, but would love to be wrong. This time next year is my gut feel.

 

[Alistair_Heaton]

I really don't understand the legal aspects though of the various committees and investigations.

As far as I can tell there 7 different processes going on.

How they could effect it flying again and the people involved I have no clue.

 

[Tomfh]

It all revolves around not triggering critical software certification, using as much grandfather certification as possible

Ok sure.

What was the AoA sensor setup on the NG? How many feeding into computers and in what configuration? And what did the pilots know?

 

[Alistair_Heaton]

Same as the MAX.

AoA feeds into multiple computers, stall protection, Flight management computers to work out current weight and a few others.

So 2 sensors. And I believe even the part numbers are the same from the 737-300 right the way through to the MAX.

There were options to have a AoA gauge on the NG on the EFIS screen like the MAX. But very few airlines paid for it.

https://www.satcom.guru/2019/10/flawed-assumptions-pave-path-to-disaster.html#more

if you dig through that blog I think he does a comparison between the two.

 

[Tomfh]

So 2 sensors. And I believe even the part numbers are the same from the 737-300 right the way through to the MAX.

How come it would void automatic recertification to have the MAX use both sensors?

Thank link says Boeing was already working on a two sensor fix after Lion air?

 

[LittleInch]

I think the basic problem is with only two sensors, and not three, and only two FCC and not three, which one do you believe if the readings diverge?

An average?

Just forget about the reading if they are xx degress apart? But then how do you decide on x?

Basic problem is that the MAX needs MCAS to work when the AoA is high. Just making the input zero when it should be working might cause a stall to occur. Fix one problem to create another.

Also the FCCs are ancient technology, but probably fairly simple and hence high reliability. Now you need to get them talking to each other in a reliable manner. Not easy. And again how will the other one know which reading is correct.

This is really the issue - the airplane needs a higher level of computer reliability and operation than it is built for to correct a fault in the physical make up of the airplane because the landing gear is too short for the engines they want to use.

That's why your grandfather needs to retire eventually and go and sit on the porch watching the other airplanes fly past....

Remember - More details = better answers
Also: If you get a response it's polite to respond to it.

 

[Alistair_Heaton]

Changing the logic of the way you use the sensor data is counted as a major change and you need to certify the changes. So if the NG only uses 1 input at a time and you do the same with the next then that system is deemed grandfathered and no further testing required. Start using two inputs then you have to recertify the changes.

As said above using 1 or 2 doesn't actually add in any failure protection because you can't know which data is good and which is bad. You can only stop using both.

The problem they have is that the MCAS that requires that data is required for the flight envelope to be certified as fit for use by the pilots. Loosing all the data then dumps everything on the pilot with an uncertifiable aircraft. If there would be 2 or 3 additional failure levels before dumping it on the pilot then that would be deemed acceptable.

Because there is computers involved then what they are deemed to do defines what certification level they require. if their job is not deemed to be critical then they are certified to a lower level. Critical which is required for anything to do with FBW controlling of critical flight surfaces then the standard is much higher.

There is another huge area which Boeing might have issues in, is MCAS actually an anti stall system or not. If it is deemed to be one then the certification requirements are again higher and different.


But this is sparwebs area of competence. I am just an end user who used to dabble in such things for minor changes of a none structural nature. So if he comes back and says no your wrong AH then I will have zero issue with that.

 

[waross]

A few tidbits that I have come across in the Dept of Transportation report (pp 31 & pp 60)
Statement by a poster:
Changing the landing gear would require re-certification of the gear.

General Description of the Aircraft

The 12 changes identified by Boeing at the time of application as “significant” under the changed product rule, in accordance with 14 CFR 21.101 are
2.A longer nose landing gear strut to provide greater engine ground clearance;
8.Strengthening the main landing gear to accommodate heavier engines;

Statement by a poster:
Changes to the wing would trigger re-certification

10.Strengthening of the local empennage and fuselage to accommodate heavier engines;
12.Wing strengthening to accommodate heavier engines.

The full list:
The 12 changes identified by Boeing at the time of application as “significant” under the changed product rule, in accordance with 14 CFR 21.101 are:
1.The use of more powerful engines with better fuel efficiency;
2.A longer nose landing gear strut to provide greater engine ground clearance;
3.New strut and nacelle to account for heavier engines and new engine positioning;
4.Advanced technology winglets to maximize the overall efficiency of the wing and reduce fuel use;
5.A reshaped tailcone to reduce drag;
6.A digital engine bleed system for increased optimization of the cabin pressurization and ice protection systems, giving reduced fuel use;
7.A fly-by-wire spoiler system to improve production flow, reduce weight and improve stopping distances;
8.Strengthening the main landing gear to accommodate heavier engines;
9.A modified fuel system;
10.Strengthening of the local empennage and fuselage to accommodate heavier engines;
11.System revisions (note: changes to flight controls, including the introduction of MCAS, were covered by this listing);
12.Wing strengthening to accommodate heavier engines.(See Appendix 6.2.)

With the many mentions of Fly By Wire in this thread I thought that item #7 was interesting.

n the FAA’s certification of the Boeing 737 MAX 8aircraft, which took place from 2012to 2017.

Bill
--------------------
"Why not the best?"
Jimmy Carter

 

[Tomfh]

Changing the logic of the way you use the sensor data is counted as a major change and you need to certify the changes. So if the NG only uses 1 input at a time and you do the same with the next then that system is deemed grandfathered and no further testing required. Start using two inputs then you have to recertify the changes.

Ok.

Is that what they did with the NG when they upgraded to using two sensors after the other crash?

 

[waross]

Apparently the NG alternated between the right and left flight control computers and each computer had its own sensors.
Except that the automatic throttles did not alternate and always used the same sensor.
Apparently the pilots knew that the left sensor was dodgy, but thought that they were OK because they were using the right control computer.
They had never been told that the automatic throttle never alternated sensors.

When the auto pilot unexpectedly reduced the throttles to idle they were unprepared and they did correct but it was too late.

Uhm, Only one sensor.
Unexpected activation of a system that had not been fully disclosed to the pilots.
Boeing knew about the problem and deployed a fix for the newer planes.
BUT
They did not think that it was serious enough to alert the pilots of the older planes.
Then the accident report;
Pressure on the regulators to get the spin that they wanted.
Down playing and minimizing the seriousness of possible consequences seems to be SOP to slip borderline issues past the FAA.
We only have to fudge one metric to get this matrix below the decision line .
Deja vu all over again, Yogi?

Please, if I have seriously misunderstood the events, correct me.


Bill
--------------------
"Why not the best?"
Jimmy Carter

 

[Alistair_Heaton]

They will have gone through a certification process for the new setup. And I presume the MAX will use 2 rad alts as well due to grand father certification from the NG fixing that problem. But maybe not!!!! as Boeing seems to love using single sensors for flight critical systems.

The Q400 uses 2 and one can fail and all you get is "RAd Alt # fail" on the central screen but it doesn't effect anything. You can still do CAT II approaches. If one fails during a CAT II approach its about the only tech issue you can continue the approach. But that's the limit of what pilots are meant to know. Its 10 days to get it fixed but you can continue to operate without any restrictions.

There are different grades of changes and depth of testing after they are done. I can't remember the full list. The level of change is also subject to interpretation. It depends on what things are connected to, and what authority over the aircraft the data has. I have only ever dealt with minor changes which are really only very expensive paper work exercises.

Rad alt complete failure is a funny one it worms its way into 3/4 safety systems such as EGPWS and TCAS on turboprops without AT, 15 years ago you really didn't care about if the Rad alt was working. You would loose CAT II/III capability and you would run quiet happily without it for 10 days. These days it triggers a cascade through the MEL taking out other systems which means if its gone your pretty much limited to 3 days in most places and 6 sectors if your flying in German airspace. But per say its nothing to do with the rad alt itself, its the systems hanging off its data that are the limitation.

The OEM's don't really seem to care about this mid life modifications and certifications as long as the planes are flying and are coming out the production hanger and money is rolling in. Now the MAX is grounded and the can of worms opened with the regulators there is a raft of issues surfacing which would normally be fixed anyway before the product is deemed mature. I am sure as well some of the issues would never have surfaced because nothing would happen in the real world to highlight them. It seems the NG is a perfect example of this. Great safety record but the MAX is highlighting now a chunk of issues which made it past certification on the NG and were then grandfathered onto the MAX and now under increased scrutiny are raising the question how they hell was that certified on the NG.

So Boeing has the original MCAS issue to deal with, which a lot of us think was a distraction fix for an uncertifiable flight envelope. But even if they fix the MCAS the underlying issue which it was created to fix/hide is now out in the open and needs fixed as well. That issue was not simple or cheap to fix in both time and money during initial design. But its certainly cheaper than the current 11 billion bill increasing by the day that is the current situation. The real issue for Boeing is the aircraft is grounded and all the issues which would have normally been fixed in the first 5 years of it flying are having to be done now under intense scrutiny on the ground with no money coming in.

 

[Tomfh]

I don't know much about aviation, but it sure sounds like a mess. If I was Boeing CEO and I was offered Jan 2021 for commercial resumption I'd take it!