comp.lang.ada
From: Niklas Holsti <niklas.holsti@tidorum.invalid>
Subject: Re: Boeing 737 and 737 MAX software
Date: Sat, 6 Apr 2019 21:45:24 +0300
Message-ID: <ggsae4F3nbuU1@mid.individual.net>
In-Reply-To: <5rnhael4n4dunnbrcs5o2t5tnua2t3iunh@4ax.com>

On 19-04-06 20:30 , Dennis Lee Bieber wrote:
> On Fri, 05 Apr 2019 14:16:20 -0700, Paul Rubin <no.email@nospam.invalid>
> declaimed the following:
>
>> Does anyone know anything about this?  It has been under some criticism
>> lately.

As I've read more about these accidents than I usually do, I will boldly 
(and perhaps foolhardily) describe how I have understood it. All info is 
from public sources, I have no insider info. I am not a pilot, and 
moreover I write from recollection of my reading and have no references 
to give, so reader beware.

>> I have heard that the 777 software was almost entirely in Ada.  It also
>> sounds as if Boeing's software operation may have slipped in recent
>> years, not good news for the 737 MAX.
>
> 	Unless things have changed severely -- GE Aviation (formerly Smith's
> Aerospace, formerly Lear Siegler) produces the 737 FMS software (and also
> the processor boxes).
>
> 	However, I have the impression (from TV news) the software is
> functioning /as designed/.

All info I have seen agrees with that.

> Some reports have indicated that Boeing designed
> the hardware (and corresponding software requirements) such that only one
> sensor is used for the MCAS subsystem

There are two angle-of-attack (AoA) sensors, one on each side of the nose. 
They feed two redundant computers, each able to run MCAS. Normally only 
one MCAS instance is running and it uses only its "own" AoA sensor.

The original design of MCAS gave it rather little control authority, 
which is probably why this single-sensor approach was accepted.

> -- and a fault in that sensor results
> in MCAS attempting to prevent a (non) stall by pushing the nose down.

Yes, but MCAS does not apply a temporary nose-down command -- as if 
pushing the stick forward -- it changes the pitch trim, the overall 
angle of the horizontal stabilizer, giving the plane a permanent 
tendency to dive. This trim change can be overridden by the pilots, but 
only if they notice that it has happened.

In the original MCAS design, one activation of MCAS changed the pitch 
trim by a small amount, at most 0.6 degrees IIRC, and this limit was 
reported in the MCAS design documentation to the authorities. During 
testing, Boeing found that it was not enough, and they increased it 
quite a lot, to over 2 degrees IIRC. One source I read claimed that this 
change was _not_ updated in the documentation shown to the authorities.

Moreover, by design MCAS would repeat this trim change, with a certain 
minimum interval, as long as the AoA sensor reading remained too large 
and indicated a risk of stall. This iteration should converge and stop 
if the sensor is working, but if the sensor fails and is stuck at a high 
AoA (the false value reported in the second accident was around 60 
degrees, IIRC) then MCAS will incrementally and cumulatively keep 
increasing the pitch trim and the diving tendency. If the pilots do not 
understand what is happening, they will find it ever harder to 
counteract the "dive" trim with stick inputs.

> Some
> hints in the news that Boeing is changing the requirements (well, in truth,
> the news only says Boeing is changing the software) to have MCAS
> cross-reference with other flight parameter data -- and making an optional
> bit of hardware (additional sensors) standard.

AIUI the modified MCAS will read both AoA sensors and will disable itself 
if they disagree, and the disagreement will also be reported by a 
display. This display is the new piece of HW which used to be an option. 
There are no new sensors, AIUI.

I believe Boeing are also changing the minimum interval between MCAS 
activations -- perhaps even allowing only one activation -- so as to 
prevent a cumulatively increasing "dive" trim.

In summary, it seems to me that the criticality of MCAS, and thus the 
need for redundant sensors, was not realized for two reasons: (1) in its 
initial design, MCAS command authority was small, and (2) the 
possibility of multiple repeated commands (due to a stuck sensor) and 
the resulting large cumulative command (large change of pitch trim) was 
not considered.

A kind of "criticality creep".

-- 
Niklas Holsti
Tidorum Ltd
niklas holsti tidorum fi
       .      @       .
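
The failure mode and the changes described in the message above, as a toy model added here (not code from the post or from any flight software). The activation threshold, disagreement limit and sensor traces are constructed assumptions; the 0.6 and 2.0 degree steps and the 60 degree stuck reading echo the figures the post recalls.

```python
from dataclasses import dataclass

# Toy model. Both thresholds are assumptions for illustration, not values from the post.
STALL_AOA_DEG = 15.0       # hypothetical: reading above this requests nose-down trim
DISAGREE_LIMIT_DEG = 5.0   # hypothetical: larger left/right difference means "disagree"

@dataclass
class Result:
    total_trim_deg: float  # cumulative nose-down trim commanded
    activations: int
    disabled: bool         # True once the cross-check has switched the function off

def single_sensor(own_aoa, step_deg):
    """One AoA input; one trim step per minimum interval while the reading stays high."""
    trim, count = 0.0, 0
    for aoa in own_aoa:                      # one element per activation interval
        if aoa > STALL_AOA_DEG:
            trim += step_deg
            count += 1
    return Result(round(trim, 2), count, False)

def cross_checked(left_aoa, right_aoa, step_deg, max_activations=1):
    """Both AoA inputs; latch off on disagreement; bound the number of activations."""
    trim, count = 0.0, 0
    for left, right in zip(left_aoa, right_aoa):
        if abs(left - right) > DISAGREE_LIMIT_DEG:
            return Result(round(trim, 2), count, True)   # disable and report
        if min(left, right) > STALL_AOA_DEG and count < max_activations:
            trim += step_deg
            count += 1
    return Result(round(trim, 2), count, False)

# Constructed sensor traces, one sample per activation interval.
STUCK = [60.0] * 6                           # failed sensor stuck at a high reading
HEALTHY = [4.0] * 6                          # the other side, reading normally
GENUINE = [17.0, 16.0, 12.0, 8.0, 5.0, 4.0]  # real high AoA that falls as trim acts

def scenarios():
    return {
        "stuck, single sensor, 0.6 deg step": single_sensor(STUCK, 0.6),
        "stuck, single sensor, 2.0 deg step": single_sensor(STUCK, 2.0),
        "stuck, cross-checked, 2.0 deg step": cross_checked(STUCK, HEALTHY, 2.0),
        "genuine, single sensor": single_sensor(GENUINE, 2.0),
        "genuine, cross-checked": cross_checked(GENUINE, GENUINE, 2.0),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

With the stuck trace, the single-sensor loop never converges and its total grows with every interval, while the cross-checked variant commands nothing and reports itself disabled.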

