CAA bans Boeing 737 max 8

And the FAA. It has now become very clear that there is a link between the regulator and a supplier. Virtually all the main carriers (and countries) grounded them for safety pending investigation, yet the FAA carried on with their "nothing to see here, move along". Time is way overdue to drain the swamp.
The FAA, to be fair has traditionally been pretty good and proactive about stuff - sometimes maybe even a bit aggressive - but that's what you do when passenger safety is involved. But we are not in the "traditional" way of doing things anymore with the current administration and I bet there's a ton of pressure on whoever is in-charge to keep it at bay in terms of grounding the fleet for as long as possible. But, it kind of became inevitable that this would happen with so many sanctions around from major countries and airlines.
 
...
A third problem is that a lot of bugs, especially when hardware systems are included in the scope, are due to incorrect concepts or incorrect understandings about how the system will behave in the real world. There may be no solution to this sort of problem, even in theory.

In most of the modern software industry (I will leave aerospace and military out of the equation here) current best practice revolves around automated testing...The obvious one is that it doesn't test for problems that you didn't think of testing. Another is that if your ideas about how something ought to work have some holes in them, then you may test for the wrong results.

Another much bigger problem is that writing the tests doesn't tick many milestone boxes on the project manager's charts, so this part of the project gets put off until "later", and "later" never comes because of course once the project gets shipped there's no more manpower budget for testing until the big panic starts when customers start filing bug reports. Related to this are situations where the tests get written, but when they fail the software the tests get turned off because dealing with them interferes with progress. A further problem is where software gets changed but the accompanying tests don't, they just get turned off.
...
Working in IT (NOT Military or Aviation) most of what you say rings true. Testing is ALWAYS the last thing to be costed, and is almost always the first to be trimmed, sometimes to the point of being abandoned a day into a two-week test period. I point to the highlighted bits in Terminal's post.
 
Working in IT (NOT Military or Aviation) most of what you say rings true. Testing is ALWAYS the last thing to be costed, and is almost always the first to be trimmed, sometimes to the point of being abandoned a day into a two-week test period. I point to the highlighted bits in Terminal's post.
That's the thing about IT testing, people always assume you can do OTAs down the line so easily!
 
Working in IT (NOT Military or Aviation) most of what you say rings true. Testing is ALWAYS the last thing to be costed, and is almost always the first to be trimmed, sometimes to the point of being abandoned a day into a two-week test period. I point to the highlighted bits in Terminal's post.
The bits that you’ve highlighted certainly shouldn’t happen in safety critical software development if the correct standards are adhered to. I’m not involved in aviation software, but in subsea control systems development, the design processes, and testing regimes are very tightly interwoven and often subject to external audit.
 
Once again, safety critical software development is not just another branch of IT. It is a discipline in itself.
Yep Functional Safety is a dedicated branch - in every domain. I only ever briefly dealt with ISO 26262 in my past life at one point and the full time professionals who specialize in it are **** -which is a good thing.
 
Going back to the regulation of aircraft parts, didn't they conclude that the heavy 747 cargo that came down on a block of flats in Amsterdam (IIRC) was due to some dodgy counterfeit engine bolts?
I also recall watching a programme on TV years ago where a bloke explained that even an ancient used coffee percolator with the correct paperwork was worth thousands and thousands of dollars.
 
There are methods of mathematically proving software correct. These are known as "formal methods".

There are standards for developing software for aircraft which claim to use formal methods, but they don't seem to be quite what most people in the software industry outside of that field understand the term to mean. They do however involve a systematic approach to design, review, and verification.

"Formal methods" as the term is understood to mean in most of the software industry, hasn't caught on much however because of several practical problems with it. The first is that it isn't possible to use proper formal methods for anything other than very simple applications because of the scale of complexity.

Another problem is that it even if you can apply automated formal methods, it just pushes the problem out from the target to the verifier. How do you know that the model you are using for verification is correct and free of bugs?

A third problem is that a lot of bugs, especially when hardware systems are included in the scope, are due to incorrect concepts or incorrect understandings about how the system will behave in the real world. There may be no solution to this sort of problem, even in theory.

In most of the modern software industry (I will leave aerospace and military out of the equation here) current best practice revolves around automated testing. You write a small bit of software which is supposed to do something you want, and you also write another small bit of software to test the first bit. In some systems you write the test first and the software that is actually intended to do something second. Automated testing can be integrated into the development process such that checking in some new code automatically kicks off the testing system.

This approach can work pretty well, but it does have some shortcomings. The obvious one is that it doesn't test for problems that you didn't think of testing. Another is that if your ideas about how something ought to work have some holes in them, then you may test for the wrong results.

Another much bigger problem is that writing the tests doesn't tick many milestone boxes on the project manager's charts, so this part of the project gets put off until "later", and "later" never comes because of course once the project gets shipped there's no more manpower budget for testing until the big panic starts when customers start filing bug reports. Related to this are situations where the tests get written, but when they fail the software the tests get turned off because dealing with them interferes with progress. A further problem is where software gets changed but the accompanying tests don't, they just get turned off.

I expect that these types of problems are less prevalent in fields where safety is heavily regulated, as there are outside parties looking to see if anyone is bypassing or ignoring proper procedures. All of that regulatory oversight though takes time and costs money which is why it isn't used except where required by law.
Many years ago, I worked with Honeywell on the SCOMP system. This was an Orange Book A1 certified TCP/IP network guard; we used mathematical algorithms in Gypsy to prove the core security-enforcing functions were secure. It was painstaking work, and, whilst Gypsy provided the proofs that the code was ‘perfect’, I showed them that their kernel’s library implementation of ‘malloc ()’ would lead to a system crash if the program asked for more than 1Mb. This was a system that was intended to filter MLS network traffic across the entire US and NATO infrastructure.

Les Fraim was a really nice guy; brain the size of a planet but always had time to explain.
 
Here's a collection of US news links which I saw referenced in another story that have some rather interesting information.

The first is that pilots had been repeatedly complaining in regards to safety concerns about the Boeing 737 Max 8 to US authorities well before the Ethiopian crash. One called the flight manual "inadequate and almost criminally insufficient". These complaints were made to US authorities through official channels which were set up to receive and evaluate complaints of this nature.
Several Boeing 737 Max 8 pilots in U.S. complained about suspected safety flaw | Airlines | Dallas News
Pilots repeatedly voiced safety concerns about the Boeing 737 Max 8 to federal authorities, with one captain calling the flight manual "inadequate and almost criminally insufficient" several months before Sunday's Ethiopian Air crash that killed 157 people, an investigation by The Dallas Morning News found.
The complaints were in connection with the same system which is suspected in the two crashes currently under scrutiny.
The complaints are about the safety mechanism cited in preliminary reports about an October Boeing 737 Max 8 crash in Indonesia that killed 189.
Last November one 737 Max pilot called it "unconscionable" that the planes were being allowed to be flown without the problems being addressed.
Records show that a captain who flies the Max 8 complained in November that it was "unconscionable" that the company and federal authorities allowed pilots to fly the planes without adequate training or fully disclosing information about how its systems were different from those on previous 737 models.
On Tuesday the head of the US senate committee in charge of overseeing air safety said that the US should ground the planes.
U.S. Sen. Ted Cruz of Texas, who leads a Senate subcommittee overseeing aviation, said in a statement Tuesday that U.S. authorities should ground the planes.

Another story notes that the current Boeing stall prevention system relies on a single sensor functioning correctly. The new revision will take input from multiple sensors. Pilots and safety experts are puzzled as to why it didn't do that in the first place.
Boeing to Make Key Change in 737 MAX Cockpit Software
When the plane was first designed, engineers determined that using a single sensor—measuring what is technically known as the angle of attack—would be simpler and was in line with the plane maker’s long-held philosophy to keep pilots at the center of cockpit control, a person familiar with the matter said.

That earlier design of the system, known as MCAS, has puzzled some pilots and safety experts, who wondered why the system didn’t rely on multiple feeds.

On Tuesday morning Trump talked to the head of Boeing, who told him that the plane was safe and they didn't need to ground them. Later on that day US officials announced the plane would continue to fly.
Ties Between Boeing and Trump Run Deep
Muilenburg told Trump in Tuesday's morning call that the aircraft was safe and did not need to be grounded, two people briefed on the conversation said.
Later in the day, aviation officials repeated that U.S. flights of the plane would continue.
This story also notes that a group of US senators were questioning why the plane wasn't being grounded, and that the head of the senate committee in charge of air safety said he intended to initiate an investigation into the matter. This was prior to the US announcement of the grounding there.
U.S. officials, including a bipartisan group of five Senators, are asking why the FAA is not doing the same. U.S. Senator Ted Cruz, a Republican who chairs the Senate subcommittee on aviation and space, said he intends to convene a hearing to investigate.
Trump has close ties with Boeing. For example Trump has used Boeing factories as location settings in which to announce major policy changes.
But while the relationship hasn't all been cozy, ties between Boeing and the Trump administration run deep.
Trump has used Boeing products and sites as a backdrop for major announcements over the course of his presidency. In March 2018 he touted the impact of his tax overhaul bill as he visited a plant in St. Louis.
The current US defence minister was a long time Boeing senior executive.
Before joining the Pentagon, acting Defense Secretary Patrick Shanahan, who is expected to be named to the post, worked for 31 years at Boeing, where he was general manager for the 787 Dreamliner passenger jet.
One of Trump's close supporters has been named to join Boeing's board of directors at the end of next month after the Boeing shareholder's meeting.
Boeing has nominated Nikki Haley, Trump's former U.S. ambassador to the United Nations who continues to be a close ally, to join its board of directors at the company's annual shareholders meeting on April 29.
Trump regularly puts pressure on US allies to buy Boeing products.
Trump has also put pressure on U.S. allies to buy products from Boeing, the country's second largest defense contractor which received $104 billion in unclassified defense contracts between 2014 and 2018.
U.S. officials and defense industry sources said that weeks after Trump pressed the Emir of Kuwait in 2018 over a long-delayed deal for Boeing's F/A-18 Super Hornet fighter jets, Kuwait said it would proceed with the order.
Boeing is one of the US's biggest exporters to China, and it has been announced that having China buy more Boeing products was to be part of US demands in the current trade negotiations between the US and China.
Boeing is also one of the largest U.S. exporters to China, and Muilenburg told an aviation summit in Washington that purchases of its U.S.-made aircraft by China could be part of a sweeping trade deal currently being negotiated.
 
There was huge pressure on Boeing to bring out a plane that was ahead of the A321 in terms of fuel economy. Overall fuel burn is the current big thing as fuel costs are the major issue in the airline industry at the present time, far ahead of the costs of the airframe.

Part of the Boeing strategy was to increase the number of passengers and minimise the fuel consumption per passenger mile to the absolute minimum.

But then they realised that a new design would have massive costs in terms of pilot re-training, would need lots of sim time and lots of lost pilot hours and airframe hours for check flights. This was a major bummer since the savings in fuel would be largely negated by the cost of the additional training required whereas Airbus had commonality of flight controls etc.

The Boeing strategy was therefore to "frig" [technical term] the control software to make the Max8 feel like the 737NG (previous model). This would, in theory, be cool, except that the Max8 had several undesirable flight characteristics which meant changes to the rudder, tailplane and, of course engines, engine mounts and main wing spars.

Boeing managed to convince the FAA that the changes made to the plane were "minor" and did not require complete re-training and re-validation of pilots. Except that this was complete b*ollocks. The plane is a major change from the 737NG and requires extensive retraining, especially for the software updates which are nothing like the 737NG.

The other massive mistake was to rely on the readings from a single sensor for the MCAS system so that a single failure puts the aircraft into an unstable and dangerous flight regime.

Now I do a lot of stuff with safety instrumented systems in the chemical and fuel industries (IEC 61508 and 61511) and I know damn fine that relying on a single instrument for safety is a complete no-no unless that particular instrument and all other elements of the control system can be proven to have a suitable reliability.

Unfortunately, Mr Boeing doesn't seem to understand Safety Instrumented Systems and has completely cocked up the control system to the point that they are effectively relying on a single sensor to prevent the aircraft from stalling. This is not big and it isn't clever, nor is the fact that Boeing appear to have neglected full and proper testing of the software under all flight regimes.

Heads should roll for this at a high level within Boeing, and probably within the FAA.
 
There was huge pressure on Boeing to bring out a plane that was ahead of the A321 in terms of fuel economy. Overall fuel burn is the current big thing as fuel costs are the major issue in the airline industry at the present time, far ahead of the costs of the airframe.

Part of the Boeing strategy was to increase the number of passengers and minimise the fuel consumption per passenger mile to the absolute minimum.

But then they realised that a new design would have massive costs in terms of pilot re-training, would need lots of sim time and lots of lost pilot hours and airframe hours for check flights. This was a major bummer since the savings in fuel would be largely negated by the cost of the additional training required whereas Airbus had commonality of flight controls etc.

The Boeing strategy was therefore to "frig" [technical term] the control software to make the Max8 feel like the 737NG (previous model). This would, in theory, be cool, except that the Max8 had several undesirable flight characteristics which meant changes to the rudder, tailplane and, of course engines, engine mounts and main wing spars.

Boeing managed to convince the FAA that the changes made to the plane were "minor" and did not require complete re-training and re-validation of pilots. Except that this was complete b*ollocks. The plane is a major change from the 737NG and requires extensive retraining, especially for the software updates which are nothing like the 737NG.

The other massive mistake was to rely on the readings from a single sensor for the MCAS system so that a single failure puts the aircraft into an unstable and dangerous flight regime.

Now I do a lot of stuff with safety instrumented systems in the chemical and fuel industries (IEC 61508 and 61511) and I know damn fine that relying on a single instrument for safety is a complete no-no unless that particular instrument and all other elements of the control system can be proven to have a suitable reliability.

Unfortunately, Mr Boeing doesn't seem to understand Safety Instrumented Systems and has completely cocked up the control system to the point that they are effectively relying on a single sensor to prevent the aircraft from stalling. This is not big and it isn't clever, nor is the fact that Boeing appear to have neglected full and proper testing of the software under all flight regimes.

Heads should roll for this at a high level within Boeing, and probably within the FAA.

I'm a PPL with a few hundred hours on 152's - so I feel qualified to comment on this ;) As well as a few hours on the Millennium Falcon (successfully conducted short-field landing in Bodmin).

What is this individual sensor you speak of, and is it the only sensor that actuates the "stick shaker" when exceedances are met?

Fuel efficiency -would the cost index used by the individual airline have any bearing on this in FMC fuel calcs?



Concerned of Compass building.
 
The 737 ban in Canada is causing ongoing problems in scheduling, due to the number of aircraft out of service and the lack of extra capacity. Boeing has grounded its 737 Max jets. Here are some of the disruptions Canadians can expect | CBC News
Boeing has grounded its entire fleet of 737 Max aircraft in a move expected to cause significant disruptions for domestic airliners now forced to scramble to rebook thousands of Canadian passengers. (...)

"Nowadays, there simply is not really spare capacity, and most airlines are flying full," said Fred Lazar, a York University economics professor.
Airlines are scrambling to find planes they can lease. However, there just aren't lots of planes sitting about waiting to be used.
Mike Doiron, a New Brunswick-based aviation expert, said the challenge to airlines is finding planes to replace their lost fleet.
"If they are able to get airplanes, the passengers probably won't even notice anything. If they are unable, then that's a whole different kettle of fish.
"It's not like going out and renting a car."
Lots of companies lease airplanes, but most of their planes are already on leases, he said.
"There's no parking lot where they have a whole bunch of these airplanes just sitting there waiting to get picked up."
"I would imagine the airlines will start looking very seriously at 'where do we get more airplanes of the type that we already have on a short term lease?' They do have options. However they're very limited."
Bringing in planes registered outside Canada is a problem, as they need to have their documentation, including inspection and maintenance verifications lined up.
Bringing in planes for domestic use from outside of Canada can be an onerous task.
"The fact that [an] airplane is registered outside of Canada, they would have to jump through a whole bunch of hoops and regulations and inspections and maintenance verifications prior to them letting that aircraft fly," Doiron said.
Flights are being cancelled, scheduled routes being suspended, and passengers are finding themselves routed through other airports as airlines scramble to find planes and spare seats. The additional problem is that this time of year happens to be a busy period anyway, which means there wasn't a lot of spare capacity to begin with.
 
Going back to the regulation of aircraft parts, didn't they conclude that the heavy 747 cargo that came down on a block of flats in Amsterdam (IIRC) was due to some dodgy counterfeit engine bolts?
I also recall watching a programme on TV years ago where a bloke explained that even an ancient used coffee percolator with the correct paperwork was worth thousands and thousands of dollars.
Suspicions about the use of dodgy spare parts were raised at the time of the accident but ultimately, the official enquiry determined the probable cause as:
"The design and certification of the Boeing-747 pylon was found to be inadequate to provide the required level of safety. Furthermore the system to ensure structural integrity by inspection failed. This ultimately caused – probably initiated by fatigue in the inboard midspar fuse-pin – the no. 3 pylon and engine to separate from the wing in such a way that the no. 4 pylon and engine were torn off, part of the leading edge of the wing was damaged and the use of several systems was lost or limited.
This subsequently left the flight crew with very limited control of the airplane. Because of the marginal controllability a safe landing became highly improbable, if not virtually impossible."

"Aircraft accident report 92-11 : El Al Flight 1862 Boeing 747-258F 4X-AXG Bijlmermeer, Amsterdam 4 October 1992" (PDF). Nederlands Aviation Safety Board. 24 February 1994.
 
Goatman
The US defence minister is a former long time Boeing vice president. Boeing are also one of the "national champions" who are being promoted by the White House. I don't know if there is any connection between these two and the reluctance to ground one of Boeing's key products.

Politically, Seattle ( Boeing's hometown) and Washington state are both Democrat turf....only three Republicans out of ten Representatives. Both Washington State senators are currently Dems.

Trump doesn't give a rap about anywhere that isn't pro Trump.

I bet there's a ton of pressure on whoever is in-charge to keep it at bay in terms of grounding the fleet for as long as possible. But, it kind of became inevitable that this would happen with so many sanctions around from major countries and airlines.
Sanctions implies a concerted global action to punish an American company....don't think that is the case.

This is a safety issue. Nobody wants loaded passenger jets dropping out of the sky over their backyard.

Hairy times for Boeing CEO.
 
I'm a PPL with a few hundred hours on 152's - so I feel qualified to comment on this ;) As well as a few hours on the Millennium Falcon (successfully conducted short-field landing in Bodmin).

What is this individual sensor you speak of, and is it the only sensor that actuates the "stick shaker" when exceedances are met?

Fuel efficiency -would the cost index used by the individual airline have any bearing on this in FMC fuel calcs?



Concerned of Compass building.
The Gloster Javelin used to have a "deep stall" characteristic, i.e. high AOA would blank the air flow to the tailplane and the aircraft would fall out of the sky in an uncontrollable stall. Gloster installed a sensor to detect the onset of stall - a little vane on the wing IIRC which would then activate a stick shaker to warn the pilot of impending stall. At least one passenger plane with a T tail was lost.

Deep stall

Found it:

1966 Felthorpe Trident crash - Wikipedia

The Max8 uses two sensors located one either side of the nose. However, my understanding is that the software only looks at the one on the side of the pilot in command at the time. Thus relying on a single sensor.

Max8 doesn't have deep stall characteristics as it has a conventional tail, but the software decides that the AOA is too high and shoves the nose down....
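The two posts above make the same engineering point from different angles: the IEC 61508/61511 post says a single instrument must not be the sole basis for a safety action unless its reliability is proven, and this one says the aircraft carries two AoA vanes but the software reads only one. The constructed Python below (added here, not Boeing's, MCAS's or any poster's code; the thresholds, the sensor names and the "nose-down" decision are all assumptions for illustration) contrasts a single-feed decision with one that cross-checks both feeds for plausibility and agreement before it is allowed to act.

```python
"""Single-feed versus cross-checked use of two angle-of-attack (AoA) sensors.

Constructed illustration, not real flight-control code. The numbers are
assumed for the example, not taken from any aircraft or certification.
"""
from dataclasses import dataclass
from typing import Optional

AOA_MIN_DEG = -20.0   # assumed plausibility window for a valid vane reading
AOA_MAX_DEG = 40.0
DISAGREE_DEG = 5.5    # assumed maximum allowed split between the two vanes
TRIGGER_DEG = 15.0    # assumed AoA above which the system would intervene


@dataclass(frozen=True)
class Decision:
    command_nose_down: bool   # would the automatic function act?
    inhibited: bool           # was the function withheld because inputs failed checks?
    reason: str


def single_sensor_logic(captain_aoa: float) -> Decision:
    """The pattern the thread criticises: act on one feed, no sanity check.

    A stuck or wildly wrong vane on this side is indistinguishable from a
    genuine high-AoA event, so the function acts on it.
    """
    if captain_aoa > TRIGGER_DEG:
        return Decision(True, False, "single feed above trigger")
    return Decision(False, False, "single feed below trigger")


def is_plausible(value: Optional[float]) -> bool:
    """A missing reading or one outside the physical window is not trusted."""
    return value is not None and AOA_MIN_DEG <= value <= AOA_MAX_DEG


def cross_checked_logic(captain_aoa: Optional[float],
                        fo_aoa: Optional[float]) -> Decision:
    """Use both vanes: refuse to act, and flag it, when they cannot be trusted."""
    # 1. each feed must be present and physically plausible
    if not is_plausible(captain_aoa) or not is_plausible(fo_aoa):
        return Decision(False, True, "a feed is missing or out of range")
    # 2. the two feeds must agree within the allowed split
    if abs(captain_aoa - fo_aoa) > DISAGREE_DEG:
        return Decision(False, True, "AoA disagree: inhibit and alert crew")
    # 3. only then act, and only if the less alarming feed also crosses the trigger
    if min(captain_aoa, fo_aoa) > TRIGGER_DEG:
        return Decision(True, False, "both feeds above trigger")
    return Decision(False, False, "both feeds below trigger")


def run_scenarios() -> dict:
    """Constructed readings as (captain vane, first-officer vane) in degrees.

    Returns name -> (single-feed acts, cross-checked acts, cross-checked inhibited).
    """
    scenarios = {
        "normal cruise":      (2.5, 2.8),
        "genuine high AoA":   (18.0, 17.4),
        "captain vane stuck": (74.5, 2.6),    # one vane reporting an impossible value
        "vanes disagree":     (21.0, 9.0),    # split exceeds the allowed disagreement
        "captain vane lost":  (None, 2.6),    # no data at all from one side
    }
    results = {}
    for name, (cap, fo) in scenarios.items():
        # the single-feed design has no concept of a missing reading
        single = single_sensor_logic(cap) if cap is not None else None
        cross = cross_checked_logic(cap, fo)
        results[name] = (
            single.command_nose_down if single else None,
            cross.command_nose_down,
            cross.inhibited,
        )
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} single={outcome[0]} cross={outcome[1]} inhibited={outcome[2]}")
```

The "captain vane stuck" and "vanes disagree" rows are the ones that matter: the single-feed design commands nose-down on a bad reading, while the cross-checked design withholds the action and raises the disagreement for the crew.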
 
And the FAA. It has now become very clear that there is a link between the regulator and a supplier. Virtually all the main carriers (and countries) grounded them for safety pending investigation, yet the FAA carried on with their "nothing to see here, move along". Time is way overdue to drain the swamp.
The Unholy Trinity of Manufacturers, Operators and Regulators have been playing fast and loose for years, their only God being cash. Plenty of scrap metal and numerous lives.

Don’t hold your breath.
 
The Gloster Javelin used to have a "deep stall" characteristic, i.e. high AOA would blank the air flow to the tailplane and the aircraft would fall out of the sky in an uncontrollable stall. Gloster installed a sensor to detect the onset of stall - a little vane on the wing IIRC which would then activate a stick shaker to warn the pilot of impending stall. At least one passenger plane with a T tail was lost.

Deep stall
Found it:

1966 Felthorpe Trident crash - Wikipedia

The Max8 uses two sensors located one either side of the nose. However, my understanding is that the software only looks at the one on the side of the pilot in command at the time. Thus relying on a single sensor.

Max8 doesn't have deep stall characteristics as it has a conventional tail, but the software decides that the AOA is too high and shoves the nose down....
BAC1-11 on testing made a big hole in the ground for the same reason: it was pushed into the stall to determine what would happen - pretty much fell vertically to the extent it wasn't so much a debris field as a crushed airframe.

Subsequent test was equipped with a tail parachute (rather them than me, though).

As a result of the Trident crash they fitted stick pushers - physically pushing the nose down when the stall warning went off -
 
Politically, Seattle ( Boeing's hometown) and Washington state are both Democrat turf....only three Republicans out of ten Representatives. Both Washington State senators are currently Dems.

Trump doesn't give a rap about anywhere that isn't pro Trump.
Minor point, but Boeing moved their corporate headquarters to Chicago several years ago. As to the politics of it all, they have major production facilities in Missouri and South Carolina, both of which vote Republican.
 