OT: Deadly 'Misguided Assumptions' Were Built Into Boeing's

Winfield Hill

Details of an error in engineering procedures
and decision-making:
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html

The comments to the article are also interesting.


--
Thanks,
- Win
 
On Sunday, June 2, 2019 at 9:59:01 AM UTC-4, bitrex wrote:
On 6/2/19 9:18 AM, Winfield Hill wrote:
Details of an error in engineering procedures
and decision-making:
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html

The comments to the article are also interesting.



"Safety analysts said they would have acted differently if they had
known it used just one sensor. Regulators didn’t conduct a formal safety
assessment of the new version of MCAS."

IOW the safety analysts and regulators didn't have any idea how the
plane's flight controls actually worked, and most or all of the
employees they were talking to in the course of their duties as analysts
didn't have any idea, either.

That sounds about right. Let the FNG deal with those people

"In regulatory-speak, it meant that MCAS could trigger erroneously less
often than once in 10 million flight hours."

sounds like a management-dictated reliability estimate, a la Space
Shuttle NASA-management dictated reliability estimates of 1 catastrophic
accident per every 10 or 100 thousand flights and not 1 in 50 or 100 as
was more realistic.

I don't think that is the estimate, that is the requirement to be considered safe enough given the severity of impact.


10 million flight hours isn't all that much in the grand scheme of
things either given how many planes and flight hours there are intended
to be, if they erroneously downgraded what was actually a "catastrophic"
fault condition to "hazardous" even if the ~10 million hour figure is
correct for a plane like the Max it probably means a guaranteed crash
every 7-8 years or something.

I believe the 10 million flight hours is how often the MCAS would muck up, but not necessarily it would cause an accident or cause injuries. That's the point. If it were considered "catastrophic" meaning the impact were higher, 10 million hours would not be enough.

--

Rick C.

 
On Sunday, June 2, 2019 at 9:18:59 AM UTC-4, Winfield Hill wrote:
Details of an error in engineering procedures
and decision-making:
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html

The comments to the article are also interesting.


--
Thanks,
- Win

Still hard to fathom how this could come out of Boeing, that with all the
people involved, no one could see the serious crisis that a simple vane
sensor failing could cause. Some interesting parts:

"In those flights, they did not test what would happen if MCAS activated as a result of a faulty angle-of-attack sensor — a problem in the two crashes."


That's quite stunning, that no test was ever done to show what happens if
a simple vane sensor fails.


"They classified the event as “hazardous,” one rung below the most serious designation of catastrophic, according to two people. In regulatory-speak, it meant that MCAS could trigger erroneously less often than once in 10 million flight hours."

You would think a simple vane sensor that could get stuck, damaged, hit
by debris, by a bird, maybe frozen by ice, would have a failure rate way
higher than that. What else has Boeing given the wrong failure rates to?



"That probability may have underestimated the risk of so-called external events that have damaged sensors in the past, such as collisions with birds, bumps from ramp stairs or mechanics’ stepping on them. While part of the assessment considers such incidents, they are not included in the probability. "


Say what? Those events would have to be included in the probability
analysis for it to be valid at all.


"At a tense meeting with the pilots’ union at American Airlines in November, Boeing executives dismissed concerns. “It’s been reported that it’s a single point failure, but it is not considered by design or certification a single point,” said Mike Sinnett, a Boeing vice president, according to a recording of the meeting.

His reasoning? The pilots were the backup.

“Because the function and the trained pilot work side by side and are part of the system,” he said."

Stunning. So a single point failure isn't single point, if the pilots can
recover from it, assuming they do everything right?



A lot here sounds very wrong at Boeing, in their definitions, in their
probability calculations, in their assumptions. And it could very well
extend to planes beyond the Max, probably to all Boeing planes. I said
before that I will be confident that Boeing has this fixed, but seeing
what went on here, I no longer have the same faith I did in all Boeing
planes.

Norah O'Donnell had the first interview with the Boeing CEO since the
crashes. He finally did apologize, but it's way too late for that.
He should resign or be fired. And she never asked him the line of
questioning I would have asked. Have you done an internal investigation
to find out how this happened? What steps have you taken to check other
plane's designs and their teams to find out if there are any other
mistakes like this? How could this happen at Boeing? What steps have
you taken to make sure this never happens again?
 
On 6/2/19 9:18 AM, Winfield Hill wrote:
Details of an error in engineering procedures
and decision-making:
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html

The comments to the article are also interesting.

"Safety analysts said they would have acted differently if they had
known it used just one sensor. Regulators didn’t conduct a formal safety
assessment of the new version of MCAS."

IOW the safety analysts and regulators didn't have any idea how the
plane's flight controls actually worked, and most or all of the
employees they were talking to in the course of their duties as analysts
didn't have any idea, either.

That sounds about right. Let the FNG deal with those people

"In regulatory-speak, it meant that MCAS could trigger erroneously less
often than once in 10 million flight hours."

sounds like a management-dictated reliability estimate, a la Space
Shuttle NASA-management dictated reliability estimates of 1 catastrophic
accident per every 10 or 100 thousand flights and not 1 in 50 or 100 as
was more realistic.

10 million flight hours isn't all that much in the grand scheme of
things either given how many planes and flight hours there are intended
to be, if they erroneously downgraded what was actually a "catastrophic"
fault condition to "hazardous" even if the ~10 million hour figure is
correct for a plane like the Max it probably means a guaranteed crash
every 7-8 years or something.
 
On Sunday, June 2, 2019 at 17:00:47 UTC+2, tra...@optonline.net wrote:
On Sunday, June 2, 2019 at 9:59:01 AM UTC-4, bitrex wrote:
On 6/2/19 9:18 AM, Winfield Hill wrote:
Details of an error in engineering procedures
and decision-making:
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html

The comments to the article are also interesting.



"Safety analysts said they would have acted differently if they had
known it used just one sensor. Regulators didn’t conduct a formal safety
assessment of the new version of MCAS."

IOW the safety analysts and regulators didn't have any idea how the
plane's flight controls actually worked, and most or all of the
employees they were talking to in the course of their duties as analysts
didn't have any idea, either.

That sounds about right. Let the FNG deal with those people

"In regulatory-speak, it meant that MCAS could trigger erroneously less
often than once in 10 million flight hours."

sounds like a management-dictated reliability estimate, a la Space
Shuttle NASA-management dictated reliability estimates of 1 catastrophic
accident per every 10 or 100 thousand flights and not 1 in 50 or 100 as
was more realistic.

10 million flight hours isn't all that much in the grand scheme of
things either given how many planes and flight hours there are intended
to be, if they erroneously downgraded what was actually a "catastrophic"
fault condition to "hazardous" even if the ~10 million hour figure is
correct for a plane like the Max it probably means a guaranteed crash
every 7-8 years or something.

The classification as hazardous made the assumption that pilots were
competent and able to identify and deal with what manifests itself as a
runaway trim condition. All pilots are trained on that, yet we had at
least 4 out of 7 that couldn't identify it and follow the procedure.

sorta kinda, https://youtu.be/n4qDLR4s45U
 
On 6/2/19 11:01 AM, bitrex wrote:
On 6/2/19 10:26 AM, trader4@optonline.net wrote:

A lot here sounds very wrong at Boeing, in their definitions, in their
probability calculations, in their assumptions.  And it could very well
extend to planes beyond the Max, probably to all Boeing planes.  I said
before that I will be confident that Boeing has this fixed, but seeing
what went on here, I no longer have the same faith I did in all Boeing
planes.

It sounds like par for the course at say a very top-heavy organization

Or maybe the proper term is "bottom-heavy", here.
 
On Sunday, June 2, 2019 at 10:29:21 AM UTC-4, Rick C wrote:
On Sunday, June 2, 2019 at 9:59:01 AM UTC-4, bitrex wrote:
On 6/2/19 9:18 AM, Winfield Hill wrote:
Details of an error in engineering procedures
and decision-making:
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html

The comments to the article are also interesting.



"Safety analysts said they would have acted differently if they had
known it used just one sensor. Regulators didn’t conduct a formal safety
assessment of the new version of MCAS."

IOW the safety analysts and regulators didn't have any idea how the
plane's flight controls actually worked, and most or all of the
employees they were talking to in the course of their duties as analysts
didn't have any idea, either.

That sounds about right. Let the FNG deal with those people

"In regulatory-speak, it meant that MCAS could trigger erroneously less
often than once in 10 million flight hours."

sounds like a management-dictated reliability estimate, a la Space
Shuttle NASA-management dictated reliability estimates of 1 catastrophic
accident per every 10 or 100 thousand flights and not 1 in 50 or 100 as
was more realistic.

I don't think that is the estimate, that is the requirement to be considered safe enough given the severity of impact.


10 million flight hours isn't all that much in the grand scheme of
things either given how many planes and flight hours there are intended
to be, if they erroneously downgraded what was actually a "catastrophic"
fault condition to "hazardous" even if the ~10 million hour figure is
correct for a plane like the Max it probably means a guaranteed crash
every 7-8 years or something.

I believe the 10 million flight hours is how often the MCAS would muck up, but not necessarily it would cause an accident or cause injuries. That's the point. If it were considered "catastrophic" meaning the impact were higher, 10 million hours would not be enough.

--

Agree. Boeing/FAA classified MCAS failure as hazardous, so that meant
that it had to have a predicted failure rate of less than one in ten mil
flight hours. Hazardous means that it could cause injuries or fatalities,
but not the expected loss of the aircraft. Related to that, it states
that bird strikes and similar were not a part of the probabilities.
That seems shocking. And it's a mechanical vane, subject to damage,
icing, etc, how that gets less than one in 10 mil hours failure rating,
IDK. It makes you wonder what else has been similarly rated.


Rick C.

 
On 6/2/19 10:26 AM, trader4@optonline.net wrote:

A lot here sounds very wrong at Boeing, in their definitions, in their
probability calculations, in their assumptions. And it could very well
extend to planes beyond the Max, probably to all Boeing planes. I said
before that I will be confident that Boeing has this fixed, but seeing
what went on here, I no longer have the same faith I did in all Boeing
planes.
It sounds like par for the course at say a very top-heavy organization
where you have perhaps like, 5 greybeards who actually know how to
design planes. All major (and most minor) design decisions route through
them. Then you have hundreds of "titled-engineers" who all work on small
subsystems and don't get a big picture overview, with little design
authority outside their own small area.

I don't know that Boeing actually operates this way but it sounds
suspiciously like the case. All large tech companies compartmentalize
and specialize to some degree on big projects it's impossible to do
otherwise but the article seemed to state that Boeing made an extreme
habit of it.
 
On Sunday, June 2, 2019 at 9:59:01 AM UTC-4, bitrex wrote:
On 6/2/19 9:18 AM, Winfield Hill wrote:
Details of an error in engineering procedures
and decision-making:
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html

The comments to the article are also interesting.



"Safety analysts said they would have acted differently if they had
known it used just one sensor. Regulators didn’t conduct a formal safety
assessment of the new version of MCAS."

IOW the safety analysts and regulators didn't have any idea how the
plane's flight controls actually worked, and most or all of the
employees they were talking to in the course of their duties as analysts
didn't have any idea, either.

That sounds about right. Let the FNG deal with those people

"In regulatory-speak, it meant that MCAS could trigger erroneously less
often than once in 10 million flight hours."

sounds like a management-dictated reliability estimate, a la Space
Shuttle NASA-management dictated reliability estimates of 1 catastrophic
accident per every 10 or 100 thousand flights and not 1 in 50 or 100 as
was more realistic.

10 million flight hours isn't all that much in the grand scheme of
things either given how many planes and flight hours there are intended
to be, if they erroneously downgraded what was actually a "catastrophic"
fault condition to "hazardous" even if the ~10 million hour figure is
correct for a plane like the Max it probably means a guaranteed crash
every 7-8 years or something.

The classification as hazardous made the assumption that pilots were
competent and able to identify and deal with what manifests itself as a
runaway trim condition. All pilots are trained on that, yet we had at
least 4 out of 7 that couldn't identify it and follow the procedure.

More shocking is that the one in ten million probability didn't include
the odds of things like a bird strike, leaving one to wonder what the
probabilities of failure do include and exclude and what that means for
other systems and other aircraft.
 
On Sunday, June 2, 2019 at 9:18:59 AM UTC-4, Winfield Hill wrote:
Details of an error in engineering procedures
and decision-making:
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html

The comments to the article are also interesting.

The airlines have a history of this kind of risk taking.
"According to the NTSB, a fuel tank explosion happens on average every four and a half years. In May 1990, six years before TWA 800, a center tank exploded on a Philippine Airlines 737 shortly before take off, killing eight people. Four years and eight months after TWA 800, the center tank of a Thai Airways jet exploded on the ground, killing one person."

http://www.cnn.com/2006/US/07/14/twa.main/index.html

Up to the TWA flight 800 disaster, they were spending way more money on their in-flight entertainment system than a fuel tank oxygen removal system could ever cost.

As for the NYT article, they have the basic facts but as usual their interpretation is pathetically naive.
The FAA is incapable of certifying a design as complex as the 737 MAX. They in fact handed the entire certification off to Boeing with the certification reports being "reviewed" by semi-comatose swivel chair operators with probably less than 10% (on the high end) comprehension of what they were reading. And when NYT reports Boeing delivered this or that information to FAA, it only means it was part of a probably huge documentation package most of which was simply glossed over by the FAA. As is typical of most politicized bureaucracies, they're just not going to pay much attention to anything that's not already a high visibility issue.
I agree with Boeing about the MCAS not being a single-thread catastrophic failure mechanism because the pilot is always available to pull the system out of MCAS control, and the MCAS was relatively slow acting, taking 10 seconds to do anything. And you can't implement a voting scheme with just two sensors. The only good a second sensor would serve is if it was something the pilot could switch in when/if the first sensor gave him trouble with the MCAS.
The fault lies with the airlines for not properly training their pilots.

--
Thanks,
- Win
 
On 6/2/19 8:15 PM, trader4@optonline.net wrote:
On Sunday, June 2, 2019 at 7:55:36 PM UTC-4, bitrex wrote:
On 6/2/19 4:37 PM, bloggs.fredbloggs.fred@gmail.com wrote:
On Sunday, June 2, 2019 at 9:18:59 AM UTC-4, Winfield Hill wrote:
Details of an error in engineering procedures
and decision-making:
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html

The comments to the article are also interesting.

The airlines have a history of this kind of risk taking.
"According to the NTSB, a fuel tank explosion happens on average every four and a half years. In May 1990, six years before TWA 800, a center tank exploded on a Philippine Airlines 737 shortly before take off, killing eight people. Four years and eight months after TWA 800, the center tank of a Thai Airways jet exploded on the ground, killing one person."

http://www.cnn.com/2006/US/07/14/twa.main/index.html

Up to the TWA flight 800 disaster, they were spending way more money on their in-flight entertainment system than a fuel tank oxygen removal system could ever cost.

As for the NYT article, they have the basic facts but as usual their interpretation is pathetically naive.
The FAA is incapable of certifying a design as complex as the 737 MAX. They in fact handed the entire certification off to Boeing with the certification reports being "reviewed" by semi-comatose swivel chair operators with probably less than 10% (on the high end) comprehension of what they were reading. And when NYT reports Boeing delivered this or that information to FAA, it only means it was part of a probably huge documentation package most of which was simply glossed over by the FAA. As is typical of most politicized bureaucracies, they're just not going to pay much attention to anything that's not already a high visibility issue.
I agree with Boeing about the MCAS not being a single-thread catastrophic failure mechanism because the pilot is always available to pull the system out of MCAS control, and the MCAS was relatively slow acting, taking 10 seconds to do anything. And you can't implement a voting scheme with just two sensors. The only good a second sensor would serve is if it was something the pilot could switch in when/if the first sensor gave him trouble with the MCAS.
The fault lies with the airlines for not properly training their pilots.

Has anyone told Boeing there's no point to using two sensors? Cuz as
part of their fix to this issue, according to the article, using two
sensors continually seems to be central to the plan, not just a second
sensor that's switchable/optional.

The idea to two seems to be that if they disagree by a substantial amount, then
MCAS will take no action, because something is wrong and the cure is
potentially far worse than the problem.

That makes sense. You can have a "voting system" such as it is with two
sensors but it can't actually _do_ anything other than to take itself
offline and provide a gripe signal that its internal state is inconsistent.

The Space Shuttle had four main computers in a voting system, and IIRC
the plan was if there was a time when there was a repeated two-two split
on some decision of importance then all four would be taken offline and
a fifth normally out-of-the-loop computer would be brought online, which
was hardcoded with only what was necessary for de-orbit and landing, and
return home immediately. Also IIRC there was never a two-two split on
anything during operation of the Shuttle.
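
[Added example, not part of any post in this thread and not Boeing's code: a sketch of the difference discussed above between a two-channel comparison monitor, which can only detect a disagreement and take itself offline, and a three-channel mid-value vote, which can also mask and identify one bad channel. The threshold, persistence count and sensor readings are constructed for illustration, and inputs are assumed to be range-checked upstream.]

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed values for illustration; not taken from any aircraft. */
#define DISAGREE_DEG   5.0  /* largest tolerated difference, in degrees */
#define PERSIST_FRAMES 3    /* consecutive bad frames before latching   */
#define N_FRAMES       6

/* Constructed readings: true angle is about 4 deg, channel 0 jams at
 * 40 deg from frame 2 onward. Columns are channels 0, 1, 2. */
static const double SAMPLE[N_FRAMES][3] = {
    { 4.1, 3.9, 4.0}, { 4.0, 4.2, 4.1}, {40.0, 4.1, 4.0},
    {40.0, 4.3, 4.2}, {40.0, 4.2, 4.4}, {40.0, 4.0, 4.1},
};
/* Constructed case where no two channels agree. */
static const double SPLIT[3] = {0.0, 10.0, 20.0};

static double absd(double x) { return x < 0 ? -x : x; }

typedef struct {
    int  bad_frames;  /* consecutive frames in disagreement     */
    bool inhibited;   /* latched: function offline, fault raised */
} dual_state;

/* Two channels: a disagreement is detectable, but which channel is wrong
 * is not. The only safe action is to stop acting and annunciate.
 * Returns true and writes *out only when the value may be used. */
bool dual_monitor(dual_state *s, double a, double b, double *out)
{
    if (s->inhibited)
        return false;                 /* stays offline until reset */
    if (absd(a - b) > DISAGREE_DEG) {
        if (++s->bad_frames >= PERSIST_FRAMES)
            s->inhibited = true;
        return false;                 /* never act on a disputed frame */
    }
    s->bad_frames = 0;
    *out = (a + b) / 2.0;
    return true;
}

static double median3(double a, double b, double c)
{
    if (a > b) { double t = a; a = b; b = t; }  /* now a <= b */
    if (c < a) return a;
    if (c > b) return b;
    return c;
}

typedef struct {
    int    outlier;  /* 0..2 = faulty channel, -1 = all agree, -2 = no majority */
    double value;    /* voted value; 0.0 and unusable when outlier == -2        */
} vote;

/* Three channels: the median masks one arbitrary fault, and the channel
 * far from the median is identified so it can be reported. */
vote triplex_vote(const double v[3])
{
    vote r = { -1, median3(v[0], v[1], v[2]) };
    int far = 0;
    for (int i = 0; i < 3; i++) {
        if (absd(v[i] - r.value) > DISAGREE_DEG) {
            r.outlier = i;
            far++;
        }
    }
    if (far > 1) {                    /* median has no partner: refuse */
        r.outlier = -2;
        r.value = 0.0;
    }
    return r;
}

/* Frame at which the two-channel monitor latches offline, or -1. */
int dual_latch_frame(void)
{
    dual_state s = {0, false};
    double used;
    for (int f = 0; f < N_FRAMES; f++) {
        dual_monitor(&s, SAMPLE[f][0], SAMPLE[f][1], &used);
        if (s.inhibited)
            return f;
    }
    return -1;
}

int main(void)
{
    printf("dual monitor latches offline at frame %d\n", dual_latch_frame());
    for (int f = 0; f < N_FRAMES; f++) {
        vote r = triplex_vote(SAMPLE[f]);
        printf("frame %d: voted %.1f deg, outlier channel %d\n",
               f, r.value, r.outlier);
    }
    return 0;
}
```
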
 
On 6/2/19 8:30 PM, bitrex wrote:
On 6/2/19 8:15 PM, trader4@optonline.net wrote:
On Sunday, June 2, 2019 at 7:55:36 PM UTC-4, bitrex wrote:
On 6/2/19 4:37 PM, bloggs.fredbloggs.fred@gmail.com wrote:
On Sunday, June 2, 2019 at 9:18:59 AM UTC-4, Winfield Hill wrote:
Details of an error in engineering procedures
   and decision-making:
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html

   The comments to the article are also interesting.

The airlines have a history of this kind of risk taking.
"According to the NTSB, a fuel tank explosion happens on average
every four and a half years. In May 1990, six years before TWA 800,
a center tank exploded on a Philippine Airlines 737 shortly before
take off, killing eight people. Four years and eight months after
TWA 800, the center tank of a Thai Airways jet exploded on the
ground, killing one person."

http://www.cnn.com/2006/US/07/14/twa.main/index.html

Up to the TWA flight 800 disaster, they were spending way more money
on their in-flight entertainment system than a fuel tank oxygen
removal system could ever cost.

As for the NYT article, they have the basic facts but as usual their
interpretation is pathetically naive.
The FAA is incapable of certifying a design as complex as the 737
MAX. They in fact handed the entire certification off to Boeing with
the certification reports being "reviewed" by semi-comatose swivel
chair operators with probably less than 10% (on the high end)
comprehension of what they were reading. And when NYT reports Boeing
delivered this or that information to FAA, it only means it was part
of a probably huge documentation package most of which was simply
glossed over by the FAA. As is typical of most politicized
bureaucracies, they're just not going to pay much attention to
anything that's not already a high visibility issue.
I agree with Boeing about the MCAS not being a single-thread
catastrophic failure mechanism because the pilot is always available
to pull the system out of MCAS control, and the MCAS was relatively
slow acting, taking 10 seconds to do anything. And you can't
implement a voting scheme with just two sensors. The only good a
second sensor would serve is if it was something the pilot could
switch in when/if the first sensor gave him trouble with the MCAS.
The fault lies with the airlines for not properly training their
pilots.

Has anyone told Boeing there's no point to using two sensors? Cuz as
part of their fix to this issue, according to the article, using two
sensors continually seems to be central to the plan, not just a second
sensor that's switchable/optional.

The idea to two seems to be that if they disagree by a substantial
amount, then
MCAS will take no action, because something is wrong and the cure is
potentially far worse than the problem.


That makes sense. You can have a "voting system" such as it is with two
sensors but it can't actually _do_ anything other than to take itself
offline and provide a gripe signal that its internal state is inconsistent.

The Space Shuttle had four main computers in a voting system, and IIRC
the plan was if there was a time when there was a repeated two-two split
on some decision of importance then all four would be taken offline and
a fifth normally out-of-the-loop computer would be brought online, which
was hardcoded with only what was necessary for de-orbit and landing, and
return home immediately. Also IIRC there was  never a two-two split on
anything during operation of the Shuttle.

also the de-orbit and landing code on the 5th was clean-room written by
a different team to the same specifications.
 
On Sunday, June 2, 2019 at 7:55:36 PM UTC-4, bitrex wrote:
On 6/2/19 4:37 PM, bloggs.fredbloggs.fred@gmail.com wrote:
On Sunday, June 2, 2019 at 9:18:59 AM UTC-4, Winfield Hill wrote:
Details of an error in engineering procedures
and decision-making:
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html

The comments to the article are also interesting.

The airlines have a history of this kind of risk taking.
"According to the NTSB, a fuel tank explosion happens on average every four and a half years. In May 1990, six years before TWA 800, a center tank exploded on a Philippine Airlines 737 shortly before take off, killing eight people. Four years and eight months after TWA 800, the center tank of a Thai Airways jet exploded on the ground, killing one person."

http://www.cnn.com/2006/US/07/14/twa.main/index.html

Up to the TWA flight 800 disaster, they were spending way more money on their in-flight entertainment system than a fuel tank oxygen removal system could ever cost.

As for the NYT article, they have the basic facts but as usual their interpretation is pathetically naive.
The FAA is incapable of certifying a design as complex as the 737 MAX. They in fact handed the entire certification off to Boeing with the certification reports being "reviewed" by semi-comatose swivel chair operators with probably less than 10% (on the high end) comprehension of what they were reading. And when NYT reports Boeing delivered this or that information to FAA, it only means it was part of a probably huge documentation package most of which was simply glossed over by the FAA. As is typical of most politicized bureaucracies, they're just not going to pay much attention to anything that's not already a high visibility issue.
I agree with Boeing about the MCAS not being a single-thread catastrophic failure mechanism because the pilot is always available to pull the system out of MCAS control, and the MCAS was relatively slow acting, taking 10 seconds to do anything. And you can't implement a voting scheme with just two sensors. The only good a second sensor would serve is if it was something the pilot could switch in when/if the first sensor gave him trouble with the MCAS.
The fault lies with the airlines for not properly training their pilots.

Has anyone told Boeing there's no point to using two sensors? Cuz as
part of their fix to this issue, according to the article, using two
sensors continually seems to be central to the plan, not just a second
sensor that's switchable/optional.

The idea to two seems to be that if they disagree by a substantial amount, then
MCAS will take no action, because something is wrong and the cure is
potentially far worse than the problem.
 
On Monday, June 3, 2019 at 01:55:36 UTC+2, bitrex wrote:
On 6/2/19 4:37 PM, bloggs.fredbloggs.fred@gmail.com wrote:
On Sunday, June 2, 2019 at 9:18:59 AM UTC-4, Winfield Hill wrote:
Details of an error in engineering procedures
and decision-making:
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html

The comments to the article are also interesting.

The airlines have a history of this kind of risk taking.
"According to the NTSB, a fuel tank explosion happens on average every four and a half years. In May 1990, six years before TWA 800, a center tank exploded on a Philippine Airlines 737 shortly before take off, killing eight people. Four years and eight months after TWA 800, the center tank of a Thai Airways jet exploded on the ground, killing one person."

http://www.cnn.com/2006/US/07/14/twa.main/index.html

Up to the TWA flight 800 disaster, they were spending way more money on their in-flight entertainment system than a fuel tank oxygen removal system could ever cost.

As for the NYT article, they have the basic facts but as usual their interpretation is pathetically naive.
The FAA is incapable of certifying a design as complex as the 737 MAX. They in fact handed the entire certification off to Boeing with the certification reports being "reviewed" by semi-comatose swivel chair operators with probably less than 10% (on the high end) comprehension of what they were reading. And when NYT reports Boeing delivered this or that information to FAA, it only means it was part of a probably huge documentation package most of which was simply glossed over by the FAA. As is typical of most politicized bureaucracies, they're just not going to pay much attention to anything that's not already a high visibility issue.
I agree with Boeing about the MCAS not being a single-thread catastrophic failure mechanism because the pilot is always available to pull the system out of MCAS control, and the MCAS was relatively slow acting, taking 10 seconds to do anything. And you can't implement a voting scheme with just two sensors. The only good a second sensor would serve is if it was something the pilot could switch in when/if the first sensor gave him trouble with the MCAS.
The fault lies with the airlines for not properly training their pilots.

Has anyone told Boeing there's no point to using two sensors? Cuz as
part of their fix to this issue, according to the article, using two
sensors continually seems to be central to the plan, not just a second
sensor that's switchable/optional.

switching it off if the AoAs disagree and reducing the maximum trim it can
do when it is working, would fix the problem of it crashing the plane

but it does pose the question, if it isn't a problem turning it off or
reducing its power, why was it added in the first place?
 
On 6/2/19 4:37 PM, bloggs.fredbloggs.fred@gmail.com wrote:
On Sunday, June 2, 2019 at 9:18:59 AM UTC-4, Winfield Hill wrote:
Details of an error in engineering procedures
and decision-making:
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html

The comments to the article are also interesting.

The airlines have a history of this kind of risk taking.
"According to the NTSB, a fuel tank explosion happens on average every four and a half years. In May 1990, six years before TWA 800, a center tank exploded on a Philippine Airlines 737 shortly before take off, killing eight people. Four years and eight months after TWA 800, the center tank of a Thai Airways jet exploded on the ground, killing one person."

http://www.cnn.com/2006/US/07/14/twa.main/index.html

Up to the TWA flight 800 disaster, they were spending way more money on their in-flight entertainment system than a fuel tank oxygen removal system could ever cost.

As for the NYT article, they have the basic facts but as usual their interpretation is pathetically naive.
The FAA is incapable of certifying a design as complex as the 737 MAX. They in fact handed the entire certification off to Boeing with the certification reports being "reviewed" by semi-comatose swivel chair operators with probably less than 10% (on the high end) comprehension of what they were reading. And when NYT reports Boeing delivered this or that information to FAA, it only means it was part of a probably huge documentation package most of which was simply glossed over by the FAA. As is typical of most politicized bureaucracies, they're just not going to pay much attention to anything that's not already a high visibility issue.
I agree with Boeing about the MCAS not being a single-thread catastrophic failure mechanism because the pilot is always available to pull the system out of MCAS control, and the MCAS was relatively slow acting, taking 10 seconds to do anything. And you can't implement a voting scheme with just two sensors. The only good a second sensor would serve is if it was something the pilot could switch in when/if the first sensor gave him trouble with the MCAS.
The fault lies with the airlines for not properly training their pilots.

Has anyone told Boeing there's no point to using two sensors? Cuz as
part of their fix to this issue, according to the article, using two
sensors continually seems to be central to the plan, not just a second
sensor that's switchable/optional.
 
On 6/2/19 9:30 PM, bitrex wrote:
On 6/2/19 9:20 PM, bloggs.fredbloggs.fred@gmail.com wrote:
On Sunday, June 2, 2019 at 8:15:39 PM UTC-4, tra...@optonline.net wrote:
On Sunday, June 2, 2019 at 7:55:36 PM UTC-4, bitrex wrote:
On 6/2/19 4:37 PM, bloggs.fredbloggs.fred@gmail.com wrote:
On Sunday, June 2, 2019 at 9:18:59 AM UTC-4, Winfield Hill wrote:
Details of an error in engineering procedures
   and decision-making:
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html

   The comments to the article are also interesting.

The airlines have a history of this kind of risk taking.
"According to the NTSB, a fuel tank explosion happens on average
every four and a half years. In May 1990, six years before TWA 800,
a center tank exploded on a Philippine Airlines 737 shortly before
take off, killing eight people. Four years and eight months after
TWA 800, the center tank of a Thai Airways jet exploded on the
ground, killing one person."

http://www.cnn.com/2006/US/07/14/twa.main/index.html

Up to the TWA flight 800 disaster, they were spending way more
money on their in-flight entertainment system than a fuel tank
oxygen removal system could ever cost.

As for the NYT article, they have the basic facts but as usual
their interpretation is pathetically naive.
The FAA is incapable of certifying a design as complex as the 737
MAX. They in fact handed the entire certification off to Boeing
with the certification reports being "reviewed" by semi-comatose
swivel chair operators with probably less than 10% (on the high
end) comprehension of what they were reading. And when NYT reports
Boeing delivered this or that information to FAA, it only means it
was part of a probably huge documentation package most of which was
simply glossed over by the FAA. As is typical of most politicized
bureaucracies, they're just not going to pay much attention to
anything that's not already a high visibility issue.
I agree with Boeing about the MCAS not being a single-thread
catastrophic failure mechanism because the pilot is always
available to pull the system out of MCAS control, and the MCAS was
relatively slow acting, taking 10 seconds to do anything. And you
can't implement a voting scheme with just two sensors. The only
good a second sensor would serve is if it was something the pilot
could switch in when/if the first sensor gave him trouble with the
MCAS.
The fault lies with the airlines for not properly training their
pilots.

Has anyone told Boeing there's no point to using two sensors? Cuz as
part of their fix to this issue, according to the article, using two
sensors continually seems to be central to the plan, not just a second
sensor that's switchable/optional.

The idea to two seems to be that if they disagree by a substantial
amount, then
MCAS will take no action, because something is wrong and the cure is
potentially far worse than the problem.

That's the least reliable option because you lose MCAS if either/or
the angle sensors fail. Maybe they think it's important to have MCAS,
making the switchable option the most reliable to that end.
In both crashes the sensor activated MCAS because it thought the angle
was too high and the aircraft was in danger of stalling. So it put the
nose down at a steep angle causing the crash. I don't know why it just
as easily could have sensed the nose was down too much and put the
nose up causing the plane to stall and crash. The basic problem is the
pilot doesn't have any wiggle room when he's coming in for a landing.
It only takes a few seconds of bad control to put the aircraft in a
bad spot it can't get out of. Maybe they should just shut the damn
thing off below a certain ground height and ground speed.


The way the article framed it was that there was feature-creep in the
design of the MCAS system, from an emergency system that would only
engage in exceptional circumstances to being just another part of the
normal flight controls that was always operating in the background to
make it a more comfortable aircraft to fly.

That is to say it might be expected it would also be operating at low
ground height/ground speed because it was operating in the other
regimes, also. Shut it down in that area and suddenly you're flying a
different plane. Which could also be pretty hazardous if you're not
expecting it.
 
On Sunday, June 2, 2019 at 7:55:36 PM UTC-4, bitrex wrote:
On 6/2/19 4:37 PM, bloggs.fredbloggs.fred@gmail.com wrote:
On Sunday, June 2, 2019 at 9:18:59 AM UTC-4, Winfield Hill wrote:
Details of an error in engineering procedures
and decision-making:
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html

The comments to the article are also interesting.

The airlines have a history of this kind of risk taking.
"According to the NTSB, a fuel tank explosion happens on average every four and a half years. In May 1990, six years before TWA 800, a center tank exploded on a Philippine Airlines 737 shortly before take off, killing eight people. Four years and eight months after TWA 800, the center tank of a Thai Airways jet exploded on the ground, killing one person."

http://www.cnn.com/2006/US/07/14/twa.main/index.html

Up to the TWA flight 800 disaster, they were spending way more money on their in-flight entertainment system than a fuel tank oxygen removal system could ever cost.

As for the NYT article, they have the basic facts but as usual their interpretation is pathetically naive.
The FAA is incapable of certifying a design as complex as the 737 MAX. They in fact handed the entire certification off to Boeing with the certification reports being "reviewed" by semi-comatose swivel chair operators with probably less than 10% (on the high end) comprehension of what they were reading. And when NYT reports Boeing delivered this or that information to FAA, it only means it was part of a probably huge documentation package most of which was simply glossed over by the FAA. As is typical of most politicized bureaucracies, they're just not going to pay much attention to anything that's not already a high visibility issue.
I agree with Boeing about the MCAS not being a single-thread catastrophic failure mechanism because the pilot is always available to pull the system out of MCAS control, and the MCAS was relatively slow acting, taking 10 seconds to do anything. And you can't implement a voting scheme with just two sensors. The only good a second sensor would serve is if it was something the pilot could switch in when/if the first sensor gave him trouble with the MCAS.
The fault lies with the airlines for not properly training their pilots.

Has anyone told Boeing there's no point to using two sensors? Cuz as
part of their fix to this issue, according to the article, using two
sensors continually seems to be central to the plan, not just a second
sensor that's switchable/optional.

Two sensors is just a way of shutting it off if any part of it is not working, cuts the pilot out of the loop. So what happens is you have the pilot, who's banking on MCAS for a successful landing, crashes the aircraft with a bad approach angle. This is what happened to certain crew, whose nationality will not be named, that crashed into the pier at San Francisco when they took the ILS offline for a few minutes.
 
On 6/2/19 9:20 PM, bloggs.fredbloggs.fred@gmail.com wrote:
On Sunday, June 2, 2019 at 8:15:39 PM UTC-4, tra...@optonline.net wrote:
On Sunday, June 2, 2019 at 7:55:36 PM UTC-4, bitrex wrote:
On 6/2/19 4:37 PM, bloggs.fredbloggs.fred@gmail.com wrote:
On Sunday, June 2, 2019 at 9:18:59 AM UTC-4, Winfield Hill wrote:
Details of an error in engineering procedures
and decision-making:
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html

The comments to the article are also interesting.

The airlines have a history of this kind of risk taking.
"According to the NTSB, a fuel tank explosion happens on average every four and a half years. In May 1990, six years before TWA 800, a center tank exploded on a Philippine Airlines 737 shortly before take off, killing eight people. Four years and eight months after TWA 800, the center tank of a Thai Airways jet exploded on the ground, killing one person."

http://www.cnn.com/2006/US/07/14/twa.main/index.html

Up to the TWA flight 800 disaster, they were spending way more money on their in-flight entertainment system than a fuel tank oxygen removal system could ever cost.

As for the NYT article, they have the basic facts but as usual their interpretation is pathetically naive.
The FAA is incapable of certifying a design as complex as the 737 MAX. They in fact handed the entire certification off to Boeing with the certification reports being "reviewed" by semi-comatose swivel chair operators with probably less than 10% (on the high end) comprehension of what they were reading. And when NYT reports Boeing delivered this or that information to FAA, it only means it was part of a probably huge documentation package most of which was simply glossed over by the FAA. As is typical of most politicized bureaucracies, they're just not going to pay much attention to anything that's not already a high visibility issue.
I agree with Boeing about the MCAS not being a single-thread catastrophic failure mechanism because the pilot is always available to pull the system out of MCAS control, and the MCAS was relatively slow acting, taking 10 seconds to do anything. And you can't implement a voting scheme with just two sensors. The only good a second sensor would serve is if it was something the pilot could switch in when/if the first sensor gave him trouble with the MCAS.
The fault lies with the airlines for not properly training their pilots.

Has anyone told Boeing there's no point to using two sensors? Cuz as
part of their fix to this issue, according to the article, using two
sensors continually seems to be central to the plan, not just a second
sensor that's switchable/optional.

The idea to two seems to be that if they disagree by a substantial amount, then
MCAS will take no action, because something is wrong and the cure is
potentially far worse than the problem.

That's the least reliable option because you lose MCAS if either/or the angle sensors fail. Maybe they think it's important to have MCAS, making the switchable option the most reliable to that end.
In both crashes the sensor activated MCAS because it thought the angle was too high and the aircraft was in danger of stalling. So it put the nose down at a steep angle causing the crash. I don't know why it just as easily could have sensed the nose was down too much and put the nose up causing the plane to stall and crash. The basic problem is the pilot doesn't have any wiggle room when he's coming in for a landing. It only takes a few seconds of bad control to put the aircraft in a bad spot it can't get out of. Maybe they should just shut the damn thing off below a certain ground height and ground speed.

The way the article framed it was that there was feature-creep in the
design of the MCAS system, from an emergency system that would only
engage in exceptional circumstances to being just another part of the
normal flight controls that was always operating in the background to
make it a more comfortable aircraft to fly.
 
On Sunday, June 2, 2019 at 8:11:17 PM UTC-4, Lasse Langwadt Christensen wrote:
mandag den 3. juni 2019 kl. 01.55.36 UTC+2 skrev bitrex:
On 6/2/19 4:37 PM, bloggs.fredbloggs.fred@gmail.com wrote:
On Sunday, June 2, 2019 at 9:18:59 AM UTC-4, Winfield Hill wrote:
Details of an error in engineering procedures
and decision-making:
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html

The comments to the article are also interesting.

The airlines have a history of this kind of risk taking.
"According to the NTSB, a fuel tank explosion happens on average every four and a half years. In May 1990, six years before TWA 800, a center tank exploded on a Philippine Airlines 737 shortly before take off, killing eight people. Four years and eight months after TWA 800, the center tank of a Thai Airways jet exploded on the ground, killing one person."

http://www.cnn.com/2006/US/07/14/twa.main/index.html

Up to the TWA flight 800 disaster, they were spending way more money on their in-flight entertainment system than a fuel tank oxygen removal system could ever cost.

As for the NYT article, they have the basic facts but as usual their interpretation is pathetically naive.
The FAA is incapable of certifying a design as complex as the 737 MAX. They in fact handed the entire certification off to Boeing with the certification reports being "reviewed" by semi-comatose swivel chair operators with probably less than 10% (on the high end) comprehension of what they were reading. And when NYT reports Boeing delivered this or that information to FAA, it only means it was part of a probably huge documentation package most of which was simply glossed over by the FAA. As is typical of most politicized bureaucracies, they're just not going to pay much attention to anything that's not already a high visibility issue.
I agree with Boeing about the MCAS not being a single-thread catastrophic failure mechanism because the pilot is always available to pull the system out of MCAS control, and the MCAS was relatively slow acting, taking 10 seconds to do anything. And you can't implement a voting scheme with just two sensors. The only good a second sensor would serve is if it was something the pilot could switch in when/if the first sensor gave him trouble with the MCAS.
The fault lies with the airlines for not properly training their pilots.

Has anyone told Boeing there's no point to using two sensors? Cuz as
part of their fix to this issue, according to the article, using two
sensors continually seems to be central to the plan, not just a second
sensor that's switchable/optional.

switching it off if the AoAs disagree and reducing the maximum trim it can
do when it is working, would fix the problem of it crashing the plane

but it does pose the question, if it isn't a problem turning it off or
reducing its power why was it added in the first place

Apparently the aircraft last minute corrections on landing approach were producing too much acceleration for the comfort of the passengers, making it seem like the pilot was fighting for control and it was a miracle they landed in one piece.
 
On Sunday, June 2, 2019 at 8:15:39 PM UTC-4, tra...@optonline.net wrote:
On Sunday, June 2, 2019 at 7:55:36 PM UTC-4, bitrex wrote:
On 6/2/19 4:37 PM, bloggs.fredbloggs.fred@gmail.com wrote:
On Sunday, June 2, 2019 at 9:18:59 AM UTC-4, Winfield Hill wrote:
Details of an error in engineering procedures
and decision-making:
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html

The comments to the article are also interesting.

The airlines have a history of this kind of risk taking.
"According to the NTSB, a fuel tank explosion happens on average every four and a half years. In May 1990, six years before TWA 800, a center tank exploded on a Philippine Airlines 737 shortly before take off, killing eight people. Four years and eight months after TWA 800, the center tank of a Thai Airways jet exploded on the ground, killing one person."

http://www.cnn.com/2006/US/07/14/twa.main/index.html

Up to the TWA flight 800 disaster, they were spending way more money on their in-flight entertainment system than a fuel tank oxygen removal system could ever cost.

As for the NYT article, they have the basic facts but as usual their interpretation is pathetically naive.
The FAA is incapable of certifying a design as complex as the 737 MAX. They in fact handed the entire certification off to Boeing with the certification reports being "reviewed" by semi-comatose swivel chair operators with probably less than 10% (on the high end) comprehension of what they were reading. And when NYT reports Boeing delivered this or that information to FAA, it only means it was part of a probably huge documentation package most of which was simply glossed over by the FAA. As is typical of most politicized bureaucracies, they're just not going to pay much attention to anything that's not already a high visibility issue.
I agree with Boeing about the MCAS not being a single-thread catastrophic failure mechanism because the pilot is always available to pull the system out of MCAS control, and the MCAS was relatively slow acting, taking 10 seconds to do anything. And you can't implement a voting scheme with just two sensors. The only good a second sensor would serve is if it was something the pilot could switch in when/if the first sensor gave him trouble with the MCAS.
The fault lies with the airlines for not properly training their pilots.

Has anyone told Boeing there's no point to using two sensors? Cuz as
part of their fix to this issue, according to the article, using two
sensors continually seems to be central to the plan, not just a second
sensor that's switchable/optional.

The idea to two seems to be that if they disagree by a substantial amount, then
MCAS will take no action, because something is wrong and the cure is
potentially far worse than the problem.

That's the least reliable option because you lose MCAS if either/or the angle sensors fail. Maybe they think it's important to have MCAS, making the switchable option the most reliable to that end.
In both crashes the sensor activated MCAS because it thought the angle was too high and the aircraft was in danger of stalling. So it put the nose down at a steep angle causing the crash. I don't know why it just as easily could have sensed the nose was down too much and put the nose up causing the plane to stall and crash. The basic problem is the pilot doesn't have any wiggle room when he's coming in for a landing. It only takes a few seconds of bad control to put the aircraft in a bad spot it can't get out of. Maybe they should just shut the damn thing off below a certain ground height and ground speed.
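
The three arrangements argued over in this thread (one sensor, two sensors with a disagreement inhibit, three sensors with voting) can be compared side by side. The sketch below is an added example, not part of any post and not Boeing's logic; the thresholds, readings and function names are constructed assumptions.

```python
# Added illustration, not any aircraft's actual logic. Thresholds and readings
# are constructed assumptions chosen only to make the three schemes comparable.
from statistics import median

ACTIVATE_DEG = 14.0  # assumed angle of attack above which nose-down trim is commanded
DISAGREE_DEG = 5.0   # assumed spread beyond which a channel is distrusted


def _command(aoa):
    return "TRIM_DOWN" if aoa > ACTIVATE_DEG else "IDLE"


def simplex(readings):
    """One sensor: its value is trusted unconditionally."""
    return _command(readings[0])


def duplex_inhibit(readings):
    """Two sensors: a fault is detectable but cannot be attributed to a
    channel, so the only safe response to disagreement is to take no action."""
    a, b = readings[:2]
    if abs(a - b) > DISAGREE_DEG:
        return "INHIBITED"
    return _command((a + b) / 2)


def triplex_vote(readings):
    """Three sensors: mid-value select outvotes one bad channel and names it."""
    mid = median(readings[:3])
    failed = [i for i, r in enumerate(readings[:3]) if abs(r - mid) > DISAGREE_DEG]
    if len(failed) > 1:
        return "INHIBITED", failed
    return _command(mid), failed


# Constructed readings in degrees, one list per scenario: [vane0, vane1, vane2].
SCENARIOS = {
    "healthy, normal flight": [5.0, 5.2, 4.9],
    "vane0 failed high, normal flight": [40.0, 5.2, 4.9],
    "healthy, genuine high angle": [15.1, 15.4, 15.0],
    "vane1 failed low, genuine high angle": [15.1, 0.0, 15.0],
}


def compare():
    """Return {scenario: (simplex, duplex, triplex_state, failed_channels)}."""
    out = {}
    for name, r in SCENARIOS.items():
        state, failed = triplex_vote(r)
        out[name] = (simplex(r), duplex_inhibit(r), state, failed)
    return out


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:40s} {row}")
```

The second scenario is the integrity failure (one sensor commands trim on a bad reading), and the fourth is the availability cost of the two-sensor inhibit (the function is lost exactly when the angle is genuinely high).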
 
