Thursday, August 22, 2019

BOEING 737 MAX 8 May Not Fly Until 2022 - If Then - Given All The Fixes, Testing Needed

Artist's sketch from Wall Street Journal ('Why The 737 MAX Failed',  Aug. 17-18, p. A10)  shows the fundamental problem with MCAS, which was only installed because the MAX 737 was aerodynamically unstable.


Several recent Wall Street Journal articles make clear the sheer scope of the problems, fixes and issues facing the return of the flawed Boeing MAX 8 jet.  From where I sit, and after analyzing and assessing the material provided in all the articles,  I can't see the 737 MAX getting back to commercial service before 2022, if then.

By far the most serious flaw in design concerns the MCAS (Maneuvering Characteristics Augmentation System), which is capable of catastrophic response, especially if it is being fed erroneous sensor data. This is exactly what transpired with the October 28, 2018 Lion Air crash, from Denpasar, Indonesia to Jakarta. As reported in the WSJ ('Why The 737 MAX Failed', Aug. 17-18, p. A10):

"Faulty data from a malfunctioning sensor set off a false stall alarm and caused MCAS to misfire."

The exact nature of the "misfire" is illustrated in the upper image (WSJ, Business & Finance, August 20, p. B1) and likely applies also to the Ethiopian Air crash (when a bird collided with an external sensor that then triggered the MCAS detection sensor). In each case, especially with the Lion Air, the actual pitch was near horizontal as shown, but the misinterpretation of the pitch (e.g. as too high, from faulty sensor data) caused the MCAS to forcibly push the nose down repeatedly to correct what it believed to be a stall attitude. The result? Catastrophe, with the Lion Air flight crashing into the sea and the Ethiopian plane hitting the ground at nearly the speed of sound, leaving little behind other than shards and tatters.

At the core of Boeing's folly (and mendacity - as it was in a rush with the Airbus for new plane contracts) was the outrageous supposition that any pilot could - once the emergency began - correct the situation in 4 seconds. (I.e. one or both pilots had to immediately correct for a "runaway stabilizer"). That was the time limit Boeing's engineers allotted for correct response to avoid a calamity, and Boeing consistently maintained that "pilots didn't need to know why it was happening" (Ibid.). One wonders here whether Boeing's idiotic planners, managers and engineers actually believed advanced aliens from Tau Ceti's system were piloting these contraptions, as opposed to human beings.

The knock on the Lion Air crew at the time, that they "should have disengaged the MCAS", has now been exposed as misplaced - and irrelevant - given Boeing had already admitted its flight manual was incomplete, as well as its training (two 35-minute iPad sessions, no flight simulators. The last would have jacked up the costs).

The other incredible hubris from Boeing involved its asinine belief that (ibid.): "A single sensor satisfied all certification and safety requirements" and further, additional training wasn't considered when assessing MCAS hazards.  This despite the fact the most basic article of airline safety is you never allow a single point of failure with even a minuscule chance of catastrophic outcome.

In other words, these dopes believed no simulator training of pilots was needed, and they could get by with a few iPad lessons. Well, we now know how absurd that expectation was - and I can assure one and all it will not fly with international regulators. They will demand simulator training - likely hundreds of hours - before letting any pilots fly this thing.

Let me also return to the issue that the MCAS was introduced precisely because of the flawed  aerodynamic design.   To remind readers,  in a rush to beat its Airbus competitor Boeing chose to retain an older airframe and 'marry' it to two newer, marginally more fuel efficient engines.  Boeing engineers then had to figure out a way to make the odd match fit properly.   So the engines were placed more forward on the wings,  altering the aircraft's lift characteristics, and placing more stress (at takeoff) on the horizontal stabilizers - oh and the jackscrews to control them.  

That ploy - uniting old plus new - saved Boeing four years of development time, i.e. compared with designing a totally new aircraft. The continuity with the older 737 was also part of Boeing's pitch to the F.A.A. and airlines: Because the plane's basic design was retained it could be handled like previous 737s. Hence, pilots would not need to be retrained to fly it.


According to Rick Ludtke, an engineer of 19 years at Boeing, quoted from a NY Times piece back in March: "The company was trying to avoid costs and trying to contain the level of change. They wanted the minimum change to simplify the training differences, minimum change to reduce costs, and to get it done quickly."

Boeing, to make it short, created a problem via pure expediency, then added a 2nd problem (the MCAS) to correct the first. Thus, the Boeing bunch kept the old airframe but fitted bigger MAX engines and mounted them farther forward on the aircraft's wings. Tests then showed a configuration that could push the nose upward toward a stall in certain circumstances. Then to compensate for that, Boeing installed the MCAS to automatically push the nose down to counteract those forces. Trouble is, you've now added two unnecessary complexities to an otherwise perfectly working (but less fuel efficient) aircraft.

And just about the worst travesty on top of  all this? Boeing's arrogant putzes didn't even have the courtesy or God-given sense to notify pilots who were to fly these damned monstrosities.  In the words of  former FAA engineer Tony Lambregts quoted in the WSJ piece:

"The pilots were hopelessly unprepared to deal with that (problem with the MCAS).  They hadn't been completely instructed and trained for it."

No surprise then on being blindsided, pilots across the MAX sphere wanted to know why Boeing's geniuses had excluded the MCAS from their manual - except for a brief mention in the glossary.   Especially given - on learning in hindsight- they were expected to be "the ultimate non-automated backstop for the system."

No, folks, you cannot make this shit up.   This is for real.  But let's move on now to the specific  corrections (otherwise called "fixes") Boeing is going to have to make before any of its MAX 8 jets gets airborne again.

We can start with the MCAS and note the top graphic showing the basis for the necessary fix. In other words, we now need Boeing to devise a software patch with a less forceful nose down command. I note here that the critical problems arose (ibid.) after engineers had quadrupled the amount by which the MCAS could repeatedly move the stabilizer, i.e. from 0.6 degrees to 2.5 degrees.  As per the WSJ piece: "The changes ended up playing a major role in the Lion Air and Ethiopian crashes."

A return to the lesser (0.6 deg)  amount would make it easier for pilots to control the plane. In addition, Boeing now promises two sensors instead of one, to verify data accuracy.

A second fix, which I would not minimize, is the need for "angle of attack" agreement. As a more recent WSJ piece (Business & Finance, 'Four Fixes Needed Before the 737 MAX Is Back in the Air', Aug. 20, p. B1) put it:

"Not working was an alert system to warn pilots when the two angle of attack sensors show conflicting information, making it more difficult for pilots to diagnose flight control problems"

Again, this also disclosed the idiocy in Boeing expecting pilots to correctly react to an emergency involving MCAS in four seconds!

The fix here?  Pilots "should be warned when angle of attack vanes provide conflicting information."
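The two-sensor agreement check, the crew alert and the reduced stabilizer authority described above, as an added illustration in C; it is not Boeing's flight software and not taken from the WSJ pieces. The disagreement and trigger thresholds, the latching behaviour and every name in it are assumptions; only the 0.6-degree limit comes from the text.

```c
#include <math.h>
#include <stdbool.h>

/* Illustrative sketch only; thresholds other than 0.6 are assumed values. */
#define AOA_DISAGREE_DEG  5.0   /* assumed: max tolerated left/right split */
#define AOA_TRIGGER_DEG   14.0  /* assumed: angle treated as near-stall    */
#define TRIM_STEP_MAX_DEG 0.6   /* per-activation limit cited in the text  */

typedef struct {
    bool latched_fault;  /* stays set until an explicit reset          */
    bool fired;          /* at most one activation per high-AoA event  */
} trim_state;

typedef struct {
    bool   crew_alert;     /* annunciate the sensor disagreement       */
    double nose_down_deg;  /* stabilizer command for this cycle        */
} trim_decision;

trim_decision decide_trim(trim_state *st, double aoa_l, double aoa_r,
                          double requested_deg)
{
    trim_decision d = { false, 0.0 };

    /* NaN/inf must be rejected explicitly: fabs(NaN) > x is false, so a
       dead sensor would otherwise slip past the disagreement check. */
    bool valid = isfinite(aoa_l) && isfinite(aoa_r)
              && isfinite(requested_deg);
    if (!valid || fabs(aoa_l - aoa_r) > AOA_DISAGREE_DEG)
        st->latched_fault = true;

    if (st->latched_fault) {      /* fail safe: alert, command nothing */
        d.crew_alert = true;
        return d;
    }

    bool high = aoa_l > AOA_TRIGGER_DEG && aoa_r > AOA_TRIGGER_DEG;
    if (!high) {                  /* event over: re-arm for the next one */
        st->fired = false;
        return d;
    }
    if (!st->fired) {             /* bounded, non-repeating authority */
        double req = requested_deg < 0.0 ? 0.0 : requested_deg;
        d.nose_down_deg = req > TRIM_STEP_MAX_DEG ? TRIM_STEP_MAX_DEG : req;
        st->fired = true;
    }
    return d;
}
```

With a single sensor there is nothing to compare against, so one bad vane drives the command directly; here one bad vane can only produce an alert and a zero command.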

The next problem - and connected to the MCAS - is the runaway stabilizer.  This entails a "processor failure that could lead to the flight control computer commanding an unintended horizontal stabilizer movement." If that occurs you get the forced  downward pitch shown in the top graphic.

The fix? We learn: "Boeing intends to correct the problem with a software fix. If new hardware is required it could delay the MAX's return for additional weeks or months."

I am betting years.  First, because one cannot just fix one aspect of a problem using software and ignore many others that  may also be affected.    This is given the new redundancy in overall flight control computer functions. So now, going forward, "both critical computers will be functioning on each MAX flight, versus the original design of alternating between flights." (WSJ, linked article above)

The problem? Matching the software operations of the two computer systems so they don't create a synchronous misfire and faulty data. I learned about complex software modularity problems first hand while writing 510(k)s for stereotactic radiosurgery software systems at a radiotherapy software corporation in the mid-90s. In effect, many internal software deviations can be traced directly to the modularity in a given program, or a software "fix" for that program. While modularization enables a software designer to decompose a system into functional units, i.e. to impose a hierarchical ordering of use, breakdowns often occur in the mutual exclusion ('M-E') needed to preserve modularity. Basically then, M-E is needed to ensure multiple processes don't attempt to update the same components of the shared processing state at the same time. This is likely an underemphasized aspect of the Boeing introduction of two flight control computers now proposed to operate for each MAX flight - and at the same time.

Bottom line? Your "fix" of the software running in one or both critical computers may not only impact one module in one computer's software but affect many other modules, including in the counterpart. But this is why critical testing is needed, especially in flight simulators. And hey, we've since learned (WSJ, 'Regulators Expand 737 MAX Tests'):

https://www.wsj.com/articles/737-max-safety-tests-covering-increasingly-remote-failure-risks-11564778841

that, according to officials, the assorted MAX reviews are "delving into other potential hazards beyond the specific software that controls the MCAS feature".

And in addition,  "as part of the new focus regulators have now shifted their attention to the speed at which pilots react to a range of extreme emergencies involving various flight control features. A portion of the ongoing testing and analysis is delving into extremely remote but potentially catastrophic problems".

Then noting that:   "the results of one sequence of tests by European regulators weeks ago in a Boeing flight simulator  has extended the certification process by approximately three months, according to government officials familiar with the testing."


And you can bet your sweet bippy that won't be the end of such extensions!

Investigatory maze anyone? Anyone?  Oh and then there's this (ibid.):

"The revised timetable means the jet, which has been idled since March, likely won't resume commercial service until at least 2020."

Again, I'd say given all the hairy MAX issues, proposed fixes, and critical testing needed  - as well as testing after the fact, especially in flight simulators by dozens of pilots worldwide - plus regulatory oversight of certification,  that it's a fair bet you won't see a MAX flight before January, 2022, if then.   I could be wrong, but I'd still put a Vegas bet on it.

Finally, there is the issue with the trim wheel. Basically, at high speed some subset of pilots may lack the arm strength to manually counteract a dangerous motion of the horizontal stabilizer. (When problems with the stall prevention system arise, pilots have been advised to turn it off and manually turn the trim wheel to move the stabilizer. The Ethiopian pilots - no weaklings - tried furiously to do this but failed.)

The fix? We are informed (WSJ, ibid.): "Regulators are considering changes to the emergency procedure to ensure pilots react quickly and appropriately to avoid extreme situations requiring excessive strength."

Translation?  The regulator mavens are burning up brain cells trying to figure out a decent design for a horizontal stabilizer so that even a 100 lb. female pilot of the MAX won't crash it when faced with an emergency.

MAX ready by next year? If you buy that I have an  acre of  oceanside land in Barbados to sell you for a Bajan buck. No lie.


 
See also:
 
https://www.seattletimes.com/business/boeing-aerospace/failed-certification-faa-missed-safety-issues-in-the-737-max-system-implicated-in-the-lion-air-crash/
 
