PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Mon Jan 13, 2020 10:59 pm

patrickjp93 wrote:
PW100 wrote:
patrickjp93 wrote:
I've read the JT610 report. You're misinterpreting it. It's not the designation that matters. It's the end system that does. They'd have been a fault-tolerant system if allowed, and not because any designation said so, but because common sense said so as all of us prove.


The end system requirements are driven by the designation.

Designation matters a great deal. Unless you want to apply a risk ratio of 10E-9 (or even 10E-12) to each and every individual piece of software (and hardware?).


No they are not in a proper bottom-up engineering effort. They may clarify edge cases, but the vast majority of the requirements come from common sense. Having the designation does not matter. Knowing the system has to be fault-tolerant or else you risk killing thousands of people matters when it comes to gathering requirements. You don't need to go through the formal criticality assessment to know point blank that MCAS needed the requirements the JTAR (JATR?) experts said it should have had from the beginning. Give me a break, engineers are far smarter than bureaucrats' procedures.

That's pretty much what I do by default, and it's usually less costly to do that than spend the time justifying the risk away (and especially so when you do so fraudulently and the ghost of Christmas Past comes back to haunt you).

Yes, the safety classification designation matters in aircraft safety, because that designation is part of the aircraft safety standard set internationally by the regulators. You can't avoid it if you want to carry passengers, really.
No, the requirements do not come from common sense in aircraft safety, because it's a very complex system involving performance, delays, cost, insurance, production, subcontractors, operators, pilots, passengers, maintenance, training, logistics, international laws, years of safety records, a massive history of accident analysis, etc.

The safety assessment resulting in the safety classification of MCAS as "major" was exactly what was wrong on the 737-8/9 MAX. It is because the safety classification was only "major" that the redundancy requirement did not apply to MCAS as it should have. This is precisely why the 737-8/9 MAX is grounded and why this is such a big mess for Boeing to clean up now: the change in the safety classification implies a lot of redesign and probably pilot training.
Last edited by PixelFlight on Mon Jan 13, 2020 11:20 pm, edited 4 times in total.
 
asdf
Posts: 584
Joined: Tue Mar 18, 2014 12:03 am

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Mon Jan 13, 2020 11:02 pm

phollingsworth wrote:
....Without having access to Boeing's specific tech trades it is really impossible to know where they would have sited the engines on a clean sheet design; and therefore, how much augmentation they would need.


So unbelievable...
What are you guys writing about here?

One never ever needed augmentation of stick force in any manually controlled airplane before the clown&monkey 737MAX
 
asdf
Posts: 584
Joined: Tue Mar 18, 2014 12:03 am

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Mon Jan 13, 2020 11:19 pm

DenverTed wrote:
Looking at the critical path for RTS for US airlines, once the training is approved, how many months will it take to train all the pilots? Or will they just train a subpool of 737 pilots that fly the MAX? Otherwise, training them all might be what, 3 to 6 months?


Most airlines can only accept a small number of 737MAX deliveries per month.
That should give the necessary time to get the crews in sufficient numbers through the simulators.

But it's going to be a tough time for operations.... they need to sync the MAX-approved crews to the MAX planes pretty consistently for the first few months.
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 12:04 am

PixelFlight wrote:
patrickjp93 wrote:
PixelFlight wrote:
Yes it does, per regulation requirements and as described in the relevant standards.

https://www.faa.gov/regulations_policie ... 241996.pdf
https://en.wikipedia.org/wiki/AC_25.130 ... riticality
https://en.wikipedia.org/wiki/DO-178C#Software_level
"The number of objectives to be satisfied (some with independence) is determined by the software level A-E"

Please read the JT610 final report. Start at E.1 "Functional Hazard Assessment" and see the Figure 2: "Failure Effect Categories"

Sigh, you're not listening. Separate the facts from the story. If Boeing's engineers had built the system as they wanted, the designation wouldn't have mattered. Redundancy and failover would have been built in by default. It's how their brains work for crying out loud. The only thing that the system engineers might have missed is mandating the AoA disagree light in the cockpit, but to be fair the avionics architects and designers most certainly would not have since management wouldn't have been mandating the costs of doing so away.

I've read the JT610 report. You're misinterpreting it. It's not the designation that matters. It's the end system that does. They'd have been a fault-tolerant system if allowed, and not because any designation said so, but because common sense said so as all of us prove.

Fact is that it's not the manufacturer's engineers that can deliver a type certificate. Only safety regulators can. The manufacturer has to demonstrate conformity to the safety regulation. Part of the documentation is the safety assessment that defines how critical a system is, in different categories. Then each category has its own set of objectives, in terms of conformity, to be demonstrated. It's about the same for avionics safety with DO-178C as for automotive safety (ISO 26262), medical safety (IEC 62304) and nuclear safety (IEC 61513).
https://en.wikipedia.org/wiki/Avionics_software
https://en.wikipedia.org/wiki/Safety-critical_system
There are a lot of people in the avionics safety business, and some of them are the experts that produced the JT610 final report, the NTSB report, and the JATR review. They use a common standardized terminology to keep some coherency between the vast number of documents involved. A main task of AC 25.1309–1 is to provide standard definitions of terms (including hazard and probability classifications) for consistent use throughout the framework set up for the accomplishment of functional airplane safety.
https://en.wikipedia.org/wiki/AC_25.130 ... ifications

The fact also is a type certificate does not make a plane safe, as the MAX has proven.

The other fact also is regulators can be bought off.

The fact remains that Boeing COULD build a clean sheet design without giving a flying flamingo about regulations, launch it into the skies, and it could never see a problem. However much that infuriates your sensibilities as a rules man, it's the truth. If you let good engineers do good work, there's pretty much a zero percent chance a sound regulatory requirement will be missed. I was actually party to one such case in software development. No one could interpret the law, the lawyers were worse than useless, and what we built had compliant security when the auditors and regulators came knocking. Rules may be rules, but they are not at all what make an airplane safe. Compliance with them does not make an airplane safe. You can be compliant with a terrible rule that actually undermines another good one and essentially make your design less safe. It has never been laws that have protected you. It has been the values of the society you live in. When those Boeing engineers called the FAA agents monkeys, there's an incredibly high likelihood their contempt was justified. I have yet to meet a regulator as smart as the dumbest people I've worked with in a corporate environment. It's not unique to Australia. American regulatory bodies are filled with the same ivory tower untouchables as the twits who came up with IFRS 17. It doesn't matter if it's the forestry service or the FAA. There are idiots aplenty when it comes to government anything.
 
MSPNWA
Posts: 3585
Joined: Thu Apr 23, 2009 2:48 am

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 12:07 am

patrickjp93 wrote:
No they are not in a proper bottom-up engineering effort. They may clarify edge cases, but the vast majority of the requirements come from common sense. Having the designation does not matter. Knowing the system has to be fault-tolerant or else you risk killing thousands of people matters when it comes to gathering requirements. You don't need to go through the formal criticality assessment to know point blank that MCAS needed the requirements the JTAR (JATR?) experts said it should have had from the beginning. Give me a break, engineers are far smarter than bureaucrats' procedures.

That's pretty much what I do by default, and it's usually less costly to do that than spend the time justifying the risk away (and especially so when you do so fraudulently and the ghost of Christmas Past comes back to haunt you).


Very well said. Honestly I think the risk designations have now been exposed as much too simplistic because of the failure rate "bands" that may not appropriately match the risk. It's just a name in the end. What matters is the system, not the name attached to it. For example, it was reported early on that the MCAS risk designation of "hazardous" wasn't even right by only using one sensor. We can argue over which name the FAA agreed to, but even that sign-off has proven itself unreliable. In the end, all that mattered was whether it actually had a low risk. MCAS didn't have that low risk no matter the name. Boeing didn't need the FAA to tell them that.

It appears like Boeing tried to justify the risk away, and why that is we may never know. There doesn't seem to be any advantage gained by doing so. This would have never happened if they had implemented a two-sensor system from the start, which was what the "hazardous" label should have required, and it's not like that was a monumental task. If anything it points to just mistakes in the cloud of meeting regulations.
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 12:12 am

PixelFlight wrote:
patrickjp93 wrote:
PW100 wrote:

The end system requirements are driven by the designation.

Designation matters a great deal. Unless you want to apply a risk ratio of 10E-9 (or even 10E-12) to each and every individual piece of software (and hardware?).


No they are not in a proper bottom-up engineering effort. They may clarify edge cases, but the vast majority of the requirements come from common sense. Having the designation does not matter. Knowing the system has to be fault-tolerant or else you risk killing thousands of people matters when it comes to gathering requirements. You don't need to go through the formal criticality assessment to know point blank that MCAS needed the requirements the JTAR (JATR?) experts said it should have had from the beginning. Give me a break, engineers are far smarter than bureaucrats' procedures.

That's pretty much what I do by default, and it's usually less costly to do that than spend the time justifying the risk away (and especially so when you do so fraudulently and the ghost of Christmas Past comes back to haunt you).

Yes, the safety classification designation matters in aircraft safety, because that designation is part of the aircraft safety standard set internationally by the regulators. You can't avoid it if you want to carry passengers, really.
No, the requirements do not come from common sense in aircraft safety, because it's a very complex system involving performance, delays, cost, insurance, production, subcontractors, operators, pilots, passengers, maintenance, training, logistics, international laws, years of safety records, a massive history of accident analysis, etc.

The safety assessment resulting in the safety classification of MCAS as "major" was exactly what was wrong on the 737-8/9 MAX. It is because the safety classification was only "major" that the redundancy requirement did not apply to MCAS as it should have. This is precisely why the 737-8/9 MAX is grounded and why this is such a big mess for Boeing to clean up now: the change in the safety classification implies a lot of redesign and probably pilot training.

It only matters because the law says it does and law enforcement exists, but it has no actual fundamental effect on the engineering. If you'd like a boolean table to prove this beyond any doubt, I can easily make one. In terms of the ACTUAL engineering and implementation, they don't matter one iota. They're just a rigid set of rules that more often than not get in the way of innovation or provide ass coverage for unscrupulous actors like Boeing's management who complied with the law as written and convinced the FAA that they had. If instead you had audited the design with a team of engineers to simply poke holes in everything rather than braindead monkeys looking at rule books so long you fall asleep before you finish reading, they'd have found these flaws, Boeing would have to have fixed them, and we wouldn't be having this discussion. Rules do not matter. Values matter. That's why we're now saying Boeing has a safety culture problem.

No, the requirements come from common sense. They come from sound engineering principles. Everything you just listed is a value, not a rule. Physics determines the real rules, nothing else.

Subcontractors are not a necessity, and in fact things like the MAX prove they're more often a liability for engineering firms. If you want your IP to stay inside and have your software come out right, keep your own IT department. It's really that simple, and a cost-benefit analysis will show it's cheaper in the long run.

That designation doesn't matter except to cover management's rear end. The engineers knew it was wrong and had designed a redundant system to start on the KC-46. The engineers had the values that essentially made that designation redundant and pointless. That's what you don't seem to get. That designation was worse than useless. It does not and should not matter. Sound engineering didn't require it to do the job well, and having it caused more problems than it solved.
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 12:15 am

MSPNWA wrote:
patrickjp93 wrote:
No they are not in a proper bottom-up engineering effort. They may clarify edge cases, but the vast majority of the requirements come from common sense. Having the designation does not matter. Knowing the system has to be fault-tolerant or else you risk killing thousands of people matters when it comes to gathering requirements. You don't need to go through the formal criticality assessment to know point blank that MCAS needed the requirements the JTAR (JATR?) experts said it should have had from the beginning. Give me a break, engineers are far smarter than bureaucrats' procedures.

That's pretty much what I do by default, and it's usually less costly to do that than spend the time justifying the risk away (and especially so when you do so fraudulently and the ghost of Christmas Past comes back to haunt you).


Very well said. Honestly I think the risk designations have now been exposed as much too simplistic because of the failure rate "bands" that may not appropriately match the risk. It's just a name in the end. What matters is the system, not the name attached to it. For example, it was reported early on that the MCAS risk designation of "hazardous" wasn't even right by only using one sensor. We can argue over which name the FAA agreed to, but even that sign-off has proven itself unreliable. In the end, all that mattered was whether it actually had a low risk. MCAS didn't have that low risk no matter the name. Boeing didn't need the FAA to tell them that.

It appears like Boeing tried to justify the risk away, and why that is we may never know. There doesn't seem to be any advantage gained by doing so. This would have never happened if they had implemented a two-sensor system from the start, which was what the "hazardous" label should have required, and it's not like that was a monumental task. If anything it points to just mistakes in the cloud of meeting regulations.

THANK YOU! Finally, someone who can read AND reason.

It was done to make the plane cheaper to produce while staying within the grandfathering envelope and not require pilot training. It was pure greed. There is no other reason. Regulations are a double-edged sword, because the signoff is still made by corruptible humans, and the rules are written by fallible, sloppy humans too, in a language as imprecise as English.
 
dtw2hyd
Posts: 7469
Joined: Wed Jan 09, 2013 12:11 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 12:20 am

Reading today's posts it appears someone decided to blame its own engineers for the MAX issues.

No engineer will cut corners if there is solid support from top management.

The more I learn, the more I empathize with the MAX employees. Antiquated overall architecture, dated systems hardware, half-cooked software, brand new oversized engines, cost cutting everywhere, a no-training mantra, low-cost simulators crashing, planes in simulators crashing even for the most experienced test pilots, and still they did their best to bring the MAX to market. Lots of beers at work, I guess.
 
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 12:36 am

patrickjp93 wrote:
PixelFlight wrote:
patrickjp93 wrote:
Sigh, you're not listening. Separate the facts from the story. If Boeing's engineers had built the system as they wanted, the designation wouldn't have mattered. Redundancy and failover would have been built in by default. It's how their brains work for crying out loud. The only thing that the system engineers might have missed is mandating the AoA disagree light in the cockpit, but to be fair the avionics architects and designers most certainly would not have since management wouldn't have been mandating the costs of doing so away.

I've read the JT610 report. You're misinterpreting it. It's not the designation that matters. It's the end system that does. They'd have been a fault-tolerant system if allowed, and not because any designation said so, but because common sense said so as all of us prove.

Fact is that it's not the manufacturer's engineers that can deliver a type certificate. Only safety regulators can. The manufacturer has to demonstrate conformity to the safety regulation. Part of the documentation is the safety assessment that defines how critical a system is, in different categories. Then each category has its own set of objectives, in terms of conformity, to be demonstrated. It's about the same for avionics safety with DO-178C as for automotive safety (ISO 26262), medical safety (IEC 62304) and nuclear safety (IEC 61513).
https://en.wikipedia.org/wiki/Avionics_software
https://en.wikipedia.org/wiki/Safety-critical_system
There are a lot of people in the avionics safety business, and some of them are the experts that produced the JT610 final report, the NTSB report, and the JATR review. They use a common standardized terminology to keep some coherency between the vast number of documents involved. A main task of AC 25.1309–1 is to provide standard definitions of terms (including hazard and probability classifications) for consistent use throughout the framework set up for the accomplishment of functional airplane safety.
https://en.wikipedia.org/wiki/AC_25.130 ... ifications

The fact also is a type certificate does not make a plane safe, as the MAX has proven.

The other fact also is regulators can be bought off.

The fact remains that Boeing COULD build a clean sheet design without giving a flying flamingo about regulations, launch it into the skies, and it could never see a problem. However much that infuriates your sensibilities as a rules man, it's the truth. If you let good engineers do good work, there's pretty much a zero percent chance a sound regulatory requirement will be missed. I was actually party to one such case in software development. No one could interpret the law, the lawyers were worse than useless, and what we built had compliant security when the auditors and regulators came knocking. Rules may be rules, but they are not at all what make an airplane safe. Compliance with them does not make an airplane safe. You can be compliant with a terrible rule that actually undermines another good one and essentially make your design less safe. It has never been laws that have protected you. It has been the values of the society you live in. When those Boeing engineers called the FAA agents monkeys, there's an incredibly high likelihood their contempt was justified. I have yet to meet a regulator as smart as the dumbest people I've worked with in a corporate environment. It's not unique to Australia. American regulatory bodies are filled with the same ivory tower untouchables as the twits who came up with IFRS 17. It doesn't matter if it's the forestry service or the FAA. There are idiots aplenty when it comes to government anything.

You are confusing the laws with the engineering part of aviation safety certification. The engineering part of aviation safety certification was largely set up by engineers to avoid accidents, because many in-flight issues can potentially end in a crash, as many tragedies in the history of aviation have shown. This process is absolutely vital for today's civil commercial aviation. Over the last few decades this long process has very successfully lowered the number of accidents and fatalities to a historically low level despite the massive increase in the number of aircraft flying every single day. The 737-8/9 MAX is an unbelievable mess because it suddenly shows that this process can be cheated. The response to that event is not less regulation but clearly more regulation, as all major regulators have very loudly shown Boeing. So sorry to disagree with you, but when it comes to reality, regulators, requirements, compliance and type certificates are what have made today's civil commercial aircraft so safe. No one wants to go backward, and the 737-8/9 MAX fiasco absolutely shows why.
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 12:41 am

PixelFlight wrote:
patrickjp93 wrote:
PixelFlight wrote:
Fact is that it's not the manufacturer's engineers that can deliver a type certificate. Only safety regulators can. The manufacturer has to demonstrate conformity to the safety regulation. Part of the documentation is the safety assessment that defines how critical a system is, in different categories. Then each category has its own set of objectives, in terms of conformity, to be demonstrated. It's about the same for avionics safety with DO-178C as for automotive safety (ISO 26262), medical safety (IEC 62304) and nuclear safety (IEC 61513).
https://en.wikipedia.org/wiki/Avionics_software
https://en.wikipedia.org/wiki/Safety-critical_system
There are a lot of people in the avionics safety business, and some of them are the experts that produced the JT610 final report, the NTSB report, and the JATR review. They use a common standardized terminology to keep some coherency between the vast number of documents involved. A main task of AC 25.1309–1 is to provide standard definitions of terms (including hazard and probability classifications) for consistent use throughout the framework set up for the accomplishment of functional airplane safety.
https://en.wikipedia.org/wiki/AC_25.130 ... ifications

The fact also is a type certificate does not make a plane safe, as the MAX has proven.

The other fact also is regulators can be bought off.

The fact remains that Boeing COULD build a clean sheet design without giving a flying flamingo about regulations, launch it into the skies, and it could never see a problem. However much that infuriates your sensibilities as a rules man, it's the truth. If you let good engineers do good work, there's pretty much a zero percent chance a sound regulatory requirement will be missed. I was actually party to one such case in software development. No one could interpret the law, the lawyers were worse than useless, and what we built had compliant security when the auditors and regulators came knocking. Rules may be rules, but they are not at all what make an airplane safe. Compliance with them does not make an airplane safe. You can be compliant with a terrible rule that actually undermines another good one and essentially make your design less safe. It has never been laws that have protected you. It has been the values of the society you live in. When those Boeing engineers called the FAA agents monkeys, there's an incredibly high likelihood their contempt was justified. I have yet to meet a regulator as smart as the dumbest people I've worked with in a corporate environment. It's not unique to Australia. American regulatory bodies are filled with the same ivory tower untouchables as the twits who came up with IFRS 17. It doesn't matter if it's the forestry service or the FAA. There are idiots aplenty when it comes to government anything.

You are confusing the laws with the engineering part of aviation safety certification. The engineering part of aviation safety certification was largely set up by engineers to avoid accidents, because many in-flight issues can potentially end in a crash, as many tragedies in the history of aviation have shown. This process is absolutely vital for today's civil commercial aviation. Over the last few decades this long process has very successfully lowered the number of accidents and fatalities to a historically low level despite the massive increase in the number of aircraft flying every single day. The 737-8/9 MAX is an unbelievable mess because it suddenly shows that this process can be cheated. The response to that event is not less regulation but clearly more regulation, as all major regulators have very loudly shown Boeing. So sorry to disagree with you, but when it comes to reality, regulators, requirements, compliance and type certificates are what have made today's civil commercial aircraft so safe. No one wants to go backward, and the 737-8/9 MAX fiasco absolutely shows why.

No, the answer is far less, more open-ended regulation on the engineering, and far more regulation on the management. The process is not what makes planes safe. Good engineering does that. Good engineering can and DOES happen with absolutely zero regard for regulations. This is because engineers are smart, introspective, reflective, and iterative. Listen to the testimonials from Boeing engineers who say how much the company has changed, how it used to be management just let the engineers do what they want once a target capacity, range, and cargo load were set. When that happened, Boeing was peerless. Until the A330 NEO and A350, Airbus was essentially the also-ran, not a truly worthy competitor. The engineers are far better than the regulators, and at some point, regulators need to be strung up by their oversized balls and put back in their place. Rip the whole system down and start again, because it's the very institution of regulation that failed here.
 
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 12:45 am

MSPNWA wrote:
patrickjp93 wrote:
No they are not in a proper bottom-up engineering effort. They may clarify edge cases, but the vast majority of the requirements come from common sense. Having the designation does not matter. Knowing the system has to be fault-tolerant or else you risk killing thousands of people matters when it comes to gathering requirements. You don't need to go through the formal criticality assessment to know point blank that MCAS needed the requirements the JTAR (JATR?) experts said it should have had from the beginning. Give me a break, engineers are far smarter than bureaucrats' procedures.

That's pretty much what I do by default, and it's usually less costly to do that than spend the time justifying the risk away (and especially so when you do so fraudulently and the ghost of Christmas Past comes back to haunt you).


Very well said. Honestly I think the risk designations have now been exposed as much too simplistic because of the failure rate "bands" that may not appropriately match the risk. It's just a name in the end. What matters is the system, not the name attached to it. For example, it was reported early on that the MCAS risk designation of "hazardous" wasn't even right by only using one sensor. We can argue over which name the FAA agreed to, but even that sign-off has proven itself unreliable. In the end, all that mattered was whether it actually had a low risk. MCAS didn't have that low risk no matter the name. Boeing didn't need the FAA to tell them that.

It appears like Boeing tried to justify the risk away, and why that is we may never know. There doesn't seem to be any advantage gained by doing so. This would have never happened if they had implemented a two-sensor system from the start, which was what the "hazardous" label should have required, and it's not like that was a monumental task. If anything it points to just mistakes in the cloud of meeting regulations.

The risk designation is a standard in aircraft safety. When Boeing used a lower classification for MCAS, this was not just changing a name, but also changed the mitigation or risk control that would be allowed in case of failure, and changed how deep the failure analysis would go. Because of the wrong classification, the mitigation or risk control was allowed to be done by the pilots, and the risk of a single erratic AoA sensor was not correctly addressed.
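The single-sensor versus two-sensor point made in the two posts above (MSPNWA's remark that a two-sensor system "was what the 'hazardous' label should have required", and the single erratic AoA sensor mentioned in this reply) is easier to see in code than in prose. The block below is an added example written for this page; it is not Boeing's MCAS logic and is not taken from any report. The trigger angle, the disagree tolerance, the validity flag, the function names and the sample readings are all assumptions made up for illustration. It puts a one-channel decision next to a two-channel decision that inhibits the command when the channels disagree or either is flagged invalid, then replays both over the same constructed sensor trace.

```python
"""Added illustration: one-channel vs. two-channel gating of an automatic
nose-down trim command driven by angle-of-attack (AoA) readings.

Constructed example, not Boeing code.  Every number and name here is an
assumption chosen for illustration only.
"""
from dataclasses import dataclass
from typing import List, Tuple

DISAGREE_LIMIT_DEG = 5.0   # assumed: max tolerated cross-channel difference
AOA_TRIGGER_DEG = 12.0     # assumed: AoA above which the function would command trim


@dataclass(frozen=True)
class AoaChannel:
    value_deg: float
    valid: bool = True     # assumed self-test / range-check flag on the channel


def single_source_command(chan: AoaChannel) -> bool:
    """One-channel design: a single sensor drives the decision.

    An erratic sensor that still reports 'valid' is trusted as-is, so a
    jump on that one channel is enough to produce a command.
    """
    return chan.valid and chan.value_deg > AOA_TRIGGER_DEG


def dual_source_command(left: AoaChannel, right: AoaChannel) -> Tuple[bool, str]:
    """Two-channel design: command is inhibited unless both channels are
    valid and agree within DISAGREE_LIMIT_DEG.

    Returns (command, reason).  When the channels agree, the lower of the
    two readings is used so that one high-reading channel cannot carry the
    decision on its own.
    """
    if not (left.valid and right.valid):
        return False, "channel invalid"
    if abs(left.value_deg - right.value_deg) > DISAGREE_LIMIT_DEG:
        return False, "AoA disagree"
    return min(left.value_deg, right.value_deg) > AOA_TRIGGER_DEG, "agree"


def replay(samples: List[Tuple[AoaChannel, AoaChannel]]) -> List[Tuple[bool, bool, str]]:
    """Run both designs over a trace of (left, right) readings.

    Returns one (single_cmd, dual_cmd, reason) tuple per sample.
    """
    return [(single_source_command(lft), *dual_source_command(lft, rgt))
            for lft, rgt in samples]


# Constructed trace: the right channel stays sane while the left channel
# jumps to a large value but keeps reporting 'valid', then a genuine
# high-AoA sample where both channels agree.
SAMPLES = [
    (AoaChannel(2.0), AoaChannel(2.5)),
    (AoaChannel(3.0), AoaChannel(2.8)),
    (AoaChannel(24.0), AoaChannel(3.1)),   # left channel goes erratic
    (AoaChannel(25.0), AoaChannel(3.0)),
    (AoaChannel(14.0), AoaChannel(13.5)),  # real high AoA, channels agree
]

if __name__ == "__main__":
    for (lft, rgt), (single, dual, why) in zip(SAMPLES, replay(SAMPLES)):
        print(f"L={lft.value_deg:5.1f}  R={rgt.value_deg:5.1f}  "
              f"single={single!s:5}  dual={dual!s:5}  ({why})")
```

On the two erratic samples the one-channel design commands trim while the two-channel design reports "AoA disagree" and does nothing; on the last sample, where both channels really are high, both designs command. The disagree case is deliberately left as "inhibit and report" rather than "pick a side", since with only two channels there is no majority to vote with.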
 
MSPNWA
Posts: 3585
Joined: Thu Apr 23, 2009 2:48 am

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 12:57 am

PixelFlight wrote:
You are confusing the laws with the engineering part of aviation safety certification. The engineering part of aviation safety certification was largely set up by engineers to avoid accidents, because many in-flight issues can potentially end in a crash, as many tragedies in the history of aviation have shown. This process is absolutely vital for today's civil commercial aviation. Over the last few decades this long process has very successfully lowered the number of accidents and fatalities to a historically low level despite the massive increase in the number of aircraft flying every single day. The 737-8/9 MAX is an unbelievable mess because it suddenly shows that this process can be cheated. The response to that event is not less regulation but clearly more regulation, as all major regulators have very loudly shown Boeing. So sorry to disagree with you, but when it comes to reality, regulators, requirements, compliance and type certificates are what have made today's civil commercial aircraft so safe. No one wants to go backward, and the 737-8/9 MAX fiasco absolutely shows why.


Do you really think that the MAX is the first aircraft that "cheated" the process? I think this is a reflection of the root of the problem with how we're not getting anywhere. This isn't to single you out, but if your worldview is something to the effect of "Boeing sucks", you're forced to trip over yourself and ignore some realities to stay in that worldview.

The very thing that supposedly was one of the problems with the MAX (the regulators and regulations allowing it through) is now the solution. The MAX is far from the first aircraft that had a major issue that regulations didn't prevent, and it won't be the last. Regulations are only as good as the people writing them. More regulation by itself isn't the answer. Even less regulation could be better if it's more relevant in its mission. The answer is better regulation, not necessarily more. It doesn't make any sense that you're going to trust some of the very people that messed up with fixing the problem. The way I see it, I suspect the only reason why you're "trusting" them now and advocating for more regulations on the MAX alone is that they're now perceived as an enemy of Boeing and actively harming it. The months of changing posts line up when you align the statements with the worldview I talked about earlier.
 
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 1:01 am

patrickjp93 wrote:
PixelFlight wrote:
patrickjp93 wrote:

No they are not in a proper bottom-up engineering effort. They may clarify edge cases, but the vast majority of the requirements come from common sense. Having the designation does not matter. Knowing the system has to be fault-tolerant or else you risk killing thousands of people matters when it comes to gathering requirements. You don't need to go through the formal criticality assessment to know point blank that MCAS needed the requirements JTAR (JATR?) experts said it should have had from the beginning. Give me a break engineers are far smarter than bureaucrats' procedures.

That's pretty much what I do by default, and it's usually less costly to do that than spend the time justifying the risk away (and especially so when you do so fraudulently and the ghost of Christmas Past comes back to haunt you).

Yes, the safety classification designation matter in aircraft safety, because that designation is part of the aircraft safety standard internationally set by the regulators. You can't avoid it to carry passengers, really.
No, the requirements do not come from common sense in aircraft safety, because it's a very complex system involving performance, delay, cost, insurance, production, subcontractors, operators, pilots, passengers, maintenance, training, logistic, international laws, years of safety records, massive history of accident analysis, etc...

The safety assessment resulting in the safety classification designation of MCAS as "major" was exactly what was wrong on the 737-8/9 MAX. It is because the safety classification designation was only "major" that the redundancy requirement did not apply to MCAS as it should have. This is precisely why the 737-8/9 MAX is grounded and why this is such a big mess for Boeing to clean up now: the change in the safety classification designation implies a lot of redesign and probably pilot training.

It only matters because the law says it does and law enforcement exists, but it has no actual fundamental effect on the engineering. If you'd like a boolean table to prove this beyond any doubt, I can easily make one. In terms of the ACTUAL engineering and implementation, they don't matter one iota. They're just a rigid set of rules that more often than not get in the way of innovation or provide ass coverage for unscrupulous actors like Boeing's management who complied with the law as written and convinced the FAA that they had. If instead you had audited the design with a team of engineers to simply poke holes in everything rather than braindead monkeys looking at rule books so long you fall asleep before you finish reading, they'd have found these flaws, Boeing would have to have fixed them, and we wouldn't be having this discussion. Rules do not matter. Values matter. That's why we're now saying Boeing has a safety culture problem.

No, the requirements come from common sense. They come from sound engineering principles. Everything you just listed is a value, not a rule. Physics determines the real rules, nothing else.

Subcontractors are not a necessity, and in fact things like the MAX prove they're more often a liability for engineering firms. If you want your IP to stay inside and have your software come out right, keep your own IT department. It's really that simple, and a cost-benefit analysis will show it's cheaper in the long run.

That designation doesn't matter except to cover management's rear end. The engineers knew it was wrong and had designed a redundant system to start on the KC-46. The engineers had the values that essentially made that designation redundant and pointless. That's what you don't seem to get. That designation was worse than useless. It does not and should not matter. Sound engineering didn't require it to do the job well, and having it caused more problems than it solved.

No, the technical requirements and objectives are not set by laws but by standards written by engineers to help engineers deliver safe products. Those standards do have massive effects on ACTUAL engineering and implementation. They allow a common understanding and designation to be shared between engineers working in aircraft safety. This allowed a lot of things to be standardized and rationalized, from design, production, testing, maintenance, etc... And yes, the regulation is also there to prevent manufacturers too focused on money from killing people. This is exactly what failed with the 737-8/9 MAX and why this is such a big mess for the FAA.
 
DenverTed
Posts: 385
Joined: Wed Mar 27, 2019 11:12 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 1:02 am

What's the story on the landing gear of a 737? Is the wingbox and basic structural geometry from the landing gear inward to the fuselage the same on a 737-100 as a MAX? I know they put a new wing on the NG, but I assume that did not rework this structure.
How about on the 777? On the 777x was it a whole new geometry that could have been designed for longer gear, or was it the same as the 777-200?
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 1:10 am

PixelFlight wrote:
MSPNWA wrote:
patrickjp93 wrote:
No they are not in a proper bottom-up engineering effort. They may clarify edge cases, but the vast majority of the requirements come from common sense. Having the designation does not matter. Knowing the system has to be fault-tolerant or else you risk killing thousands of people matters when it comes to gathering requirements. You don't need to go through the formal criticality assessment to know point blank that MCAS needed the requirements JTAR (JATR?) experts said it should have had from the beginning. Give me a break engineers are far smarter than bureaucrats' procedures.

That's pretty much what I do by default, and it's usually less costly to do that than spend the time justifying the risk away (and especially so when you do so fraudulently and the ghost of Christmas Past comes back to haunt you).


Very well said. Honestly I think the risk designations have now been exposed as much too simplistic because of the failure rate "bands" that may not appropriately match the risk. It's just a name in the end. What matters is the system, not the name attached to it. For example, it was reported early on that the MCAS risk designation of "hazardous" wasn't even right by only using one sensor. We can argue over which name the FAA agreed to, but even that sign-off has proven itself unreliable. In the end all that mattered was whether it actually had a low risk. MCAS didn't have that low risk no matter the name. Boeing didn't need the FAA to tell them that.

It appears like Boeing tried to justify the risk away, and why that is we may never know. There doesn't seem to be any advantage gained by doing so. This would have never happened if they had implemented a two-sensor system from the start, which was what the "hazardous" label should have required, and it's not like that was a monumental task. If anything it points to just mistakes in the cloud of meeting regulations.

The risk designation is a standard in aircraft safety. When Boeing uses a lower classification for MCAS, this is not just changing a name, but also a change in the mitigation or risk control that will be allowed in case of failure, and a change in how deep the failure analysis will be done. Because of the wrong classification, the mitigation or risk control was allowed to be done by the pilots, and the risk of a single erratic AoA sensor was not correctly addressed.

That is all immaterial. Seriously, read through what I am writing and take it absolutely literally. I do not give a damn what the standard is. If I had to design MCAS in a bubble, I'd have developed it to match and likely exceed the catastrophic requirements without even knowing them. I've even got logical analysis further up the thread on how to detect a faulty AoA vane with data from other systems, something Boeing decided not to do on the 737 MAX because grandfathering is too stringent and new type certificates require extensive training, even if in reality the handling would have been the same and differences training would have been sufficient (and some simulator time for new sensor displays and procedures associated).

You, and every absolutist rules lawyer like you who can't put aside the rules and use your head to think through the problem and solution are the single most detrimental force in the game. At some point, even a good design, including a regulatory institution, cannot be patched up and fixed, and a whole new solution has to be created carefully from the ground up. Boeing got greedy because the regulations were antagonistic and not fit for purpose. If Boeing could have raised the landing gear and kept within grandfathering, all of this would have been avoided. If Boeing could have implemented a redundant sensor system under grandfathering, we wouldn't be discussing this. If a hybrid of new type certification and grandfathering existed such that pilot training could have been minimized, the crashes wouldn't have happened. The regulations are both too heavy-handed and insufficient. And at the end of the day, they do not govern good engineering. They only govern what gets a rubber stamp and a piece of paper.

Yes, all it was was changing a name. If the engineers had been allowed to do what they knew was right unimpeded by regulation or management, we wouldn't be discussing this. That designation is only worth something to those who put stock in it, but the truth is it has zero actual effect on engineers who work in the field.
Last edited by patrickjp93 on Tue Jan 14, 2020 1:18 am, edited 1 time in total.
 
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 1:15 am

patrickjp93 wrote:
It was done to make the plane cheaper to produce while staying within the grandfathering envelope and not require pilot training. It was pure greed. There is no other reason. Regulations are a double-edged sword, because the signoff is still made by corruptible humans, and the rules are written by fallible, sloppy humans too, in a language as imprecise as English.

I mostly agree with you here. If the FAA was working as expected, Boeing would probably not have been able to put the initial 737-8/9 MAX into service. The failure was both at Boeing and at the FAA, and this is why the EASA appears in that subject: they temporarily could not trust Boeing nor the FAA until they clean up their respective safety issues. Standards and regulation are very useful in today's technology safety. I have myself seen so many products with defective safety that harmed people. Most of them were not in conformity with standards and regulation.
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 1:18 am

PixelFlight wrote:
patrickjp93 wrote:
PixelFlight wrote:
Yes, the safety classification designation matter in aircraft safety, because that designation is part of the aircraft safety standard internationally set by the regulators. You can't avoid it to carry passengers, really.
No, the requirements do not come from common sense in aircraft safety, because it's a very complex system involving performance, delay, cost, insurance, production, subcontractors, operators, pilots, passengers, maintenance, training, logistic, international laws, years of safety records, massive history of accident analysis, etc...

The safety assessment resulting in the safety classification designation of MCAS as "major" was exactly what was wrong on the 737-8/9 MAX. It is because the safety classification designation was only "major" that the redundancy requirement did not apply to MCAS as it should have. This is precisely why the 737-8/9 MAX is grounded and why this is such a big mess for Boeing to clean up now: the change in the safety classification designation implies a lot of redesign and probably pilot training.

It only matters because the law says it does and law enforcement exists, but it has no actual fundamental effect on the engineering. If you'd like a boolean table to prove this beyond any doubt, I can easily make one. In terms of the ACTUAL engineering and implementation, they don't matter one iota. They're just a rigid set of rules that more often than not get in the way of innovation or provide ass coverage for unscrupulous actors like Boeing's management who complied with the law as written and convinced the FAA that they had. If instead you had audited the design with a team of engineers to simply poke holes in everything rather than braindead monkeys looking at rule books so long you fall asleep before you finish reading, they'd have found these flaws, Boeing would have to have fixed them, and we wouldn't be having this discussion. Rules do not matter. Values matter. That's why we're now saying Boeing has a safety culture problem.

No, the requirements come from common sense. They come from sound engineering principles. Everything you just listed is a value, not a rule. Physics determines the real rules, nothing else.

Subcontractors are not a necessity, and in fact things like the MAX prove they're more often a liability for engineering firms. If you want your IP to stay inside and have your software come out right, keep your own IT department. It's really that simple, and a cost-benefit analysis will show it's cheaper in the long run.

That designation doesn't matter except to cover management's rear end. The engineers knew it was wrong and had designed a redundant system to start on the KC-46. The engineers had the values that essentially made that designation redundant and pointless. That's what you don't seem to get. That designation was worse than useless. It does not and should not matter. Sound engineering didn't require it to do the job well, and having it caused more problems than it solved.

No, the technical requirements and objectives are not set by laws but by standards written by engineers to help engineers deliver safe products. Those standards do have massive effects on ACTUAL engineering and implementation. They allow a common understanding and designation to be shared between engineers working in aircraft safety. This allowed a lot of things to be standardized and rationalized, from design, production, testing, maintenance, etc... And yes, the regulation is also there to prevent manufacturers too focused on money from killing people. This is exactly what failed with the 737-8/9 MAX and why this is such a big mess for the FAA.

You have it entirely backwards, but you're not open to reasoning and debate apparently. Skill and respect of one's work are the only things that impact their engineering. Those standards are worthless for everyone but spectators. You design the system the sensible way. The rest is nothing but paperwork, pomp, and circumstance. If you build it right the regs don't matter. That's why I can get away with not reading them. You basically have to be a twit to be noncompliant apart from arbitrary value types of regulation, such as having 3 redundant sensors instead of two. If I build the software to allow for any number of them, then why do I need to read the long-winded legalese when you can just tell me "2" or "3" and I can change one variable in one loop and copy+paste a hardware interface on another socket or memory location?

When you do it right the first time, regulations do not matter beyond a trivial level. Like I said, I can mathematically prove this to you if it'll make you happy. You can easily be noncompliant with a bunch of FAA regulations and produce a safer plane for it, as evidenced by the fact the design of the 787 fuselage and wings was done long before the regs surrounding CFRP designs were complete, and no revisions came about as part of them. The EASA and FAA are not infallible, their decrees are not written by gods, and they will always be behind the best and brightest in the industry.
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 1:20 am

PixelFlight wrote:
patrickjp93 wrote:
It was done to make the plane cheaper to produce while staying within the grandfathering envelope and not require pilot training. It was pure greed. There is no other reason. Regulations are a double-edged sword, because the signoff is still made by corruptible humans, and the rules are written by fallible, sloppy humans too, in a language as imprecise as English.

I mostly agree with you here. If the FAA was working as expected, Boeing would probably not have been able to put the initial 737-8/9 MAX into service. The failure was both at Boeing and at the FAA, and this is why the EASA appears in that subject: they temporarily could not trust Boeing nor the FAA until they clean up their respective safety issues. Standards and regulation are very useful in today's technology safety. I have myself seen so many products with defective safety that harmed people. Most of them were not in conformity with standards and regulation.

Anyone willing to put out badly engineered products didn't care about the regulations anyway. That's why they don't matter from an engineering perspective. You either take pride in your work and do it right the first time or you don't. Regs be damned you don't need them to do a proper job.
 
hivue
Posts: 2000
Joined: Tue Feb 26, 2013 2:26 am

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 1:22 am

patrickjp93 wrote:
It was done to make the plane cheaper to produce while staying within the grandfathering envelope and not require pilot training. It was pure greed.


This is a non sequitur. By this logic, avoiding being greedy must involve making your product new from scratch and making it expensive.
"You're sitting. In a chair. In the SKY!!" ~ Louis C.K.
 
morrisond
Posts: 2130
Joined: Thu Jan 07, 2010 12:22 am

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 1:26 am

patrickjp93 wrote:
PixelFlight wrote:
MSPNWA wrote:

Very well said. Honestly I think the risk designations have now been exposed as much too simplistic because of the failure rate "bands" that may not appropriately match the risk. It's just a name in the end. What matters is the system, not the name attached to it. For example, it was reported early on that the MCAS risk designation of "hazardous" wasn't even right by only using one sensor. We can argue over which name the FAA agreed to, but even that sign-off has proven itself unreliable. In the end all that mattered was whether it actually had a low risk. MCAS didn't have that low risk no matter the name. Boeing didn't need the FAA to tell them that.

It appears like Boeing tried to justify the risk away, and why that is we may never know. There doesn't seem to be any advantage gained by doing so. This would have never happened if they had implemented a two-sensor system from the start, which was what the "hazardous" label should have required, and it's not like that was a monumental task. If anything it points to just mistakes in the cloud of meeting regulations.

The risk designation is a standard in aircraft safety. When Boeing uses a lower classification for MCAS, this is not just changing a name, but also a change in the mitigation or risk control that will be allowed in case of failure, and a change in how deep the failure analysis will be done. Because of the wrong classification, the mitigation or risk control was allowed to be done by the pilots, and the risk of a single erratic AoA sensor was not correctly addressed.

That is all immaterial. Seriously, read through what I am writing and take it absolutely literally. I do not give a damn what the standard is. If I had to design MCAS in a bubble, I'd have developed it to match and likely exceed the catastrophic requirements without even knowing them. I've even got logical analysis further up the thread on how to detect a faulty AoA vane with data from other systems, something Boeing decided not to do on the 737 MAX because grandfathering is too stringent and new type certificates require extensive training, even if in reality the handling would have been the same and differences training would have been sufficient (and some simulator time for new sensor displays and procedures associated).

You, and every absolutist rules lawyer like you who can't put aside the rules and use your head to think through the problem and solution are the single most detrimental force in the game. At some point, even a good design, including a regulatory institution, cannot be patched up and fixed, and a whole new solution has to be created carefully from the ground up. Boeing got greedy because the regulations were antagonistic and not fit for purpose. If Boeing could have raised the landing gear and kept within grandfathering, all of this would have been avoided. If Boeing could have implemented a redundant sensor system under grandfathering, we wouldn't be discussing this. If a hybrid of new type certification and grandfathering existed such that pilot training could have been minimized, the crashes wouldn't have happened. The regulations are both too heavy-handed and insufficient. And at the end of the day, they do not govern good engineering. They only govern what gets a rubber stamp and a piece of paper.

Yes, all it was was changing a name. If the engineers had been allowed to do what they knew was right unimpeded by regulation or management, we wouldn't be discussing this. That designation is only worth something to those who put stock in it, but the truth is it has zero actual effect on engineers who work in the field.


Great post and if the MAX is somewhat normal in behaviour (the EASA test flights should show this one way or the other) the engineers might have decided that slightly lighter stick force was acceptable overall just like the Transport Canada Employee suggested and the MAX would overall be safer without MCAS in the first place.
 
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 1:31 am

patrickjp93 wrote:
PixelFlight wrote:
patrickjp93 wrote:
The fact also is a type certificate does not make a plane safe, as the MAX has proven.

The other fact also is regulators can be bought off.

The fact remains that Boeing COULD build a clean sheet design without giving a flying flamingo about regulations, launch it into the skies, and it could never see a problem. However much that infuriates your sensibilities as a rules man, it's the truth. If you let good engineers do good work, there's pretty much a zero percent chance a sound regulatory requirement will be missed. I was actually party to one such case in software development. No one could interpret the law, the lawyers were worse than useless, and what we built had compliant security when the auditors and regulators came knocking. Rules may be rules, but they are not at all what make an airplane safe. Compliance with them does not make an airplane safe. You can be compliant with a terrible rule that actually undermines another good one and essentially make your design less safe. It has never been laws that have protected you. It has been the values of the society you live in. When those Boeing engineers called the FAA agents monkeys, there's an incredibly high likelihood their contempt was justified. I have yet to meet a regulator as smart as the dumbest people I've worked with in a corporate environment. It's not unique to Australia. American regulatory bodies are filled with the same ivory tower untouchables as the twits who came up with IFRS 17. It doesn't matter if it's the forestry service or the FAA. There are idiots aplenty when it comes to government anything.

You are confusing laws with the engineering part of aviation safety certification. The engineering part of aviation safety certification was largely set up by engineers to avoid accidents, because many in-flight issues can potentially end in a crash, as many tragedies in the history of aviation have shown. This process is absolutely vital for today's civil commercial aviation. Over the last few decades this long process very successfully lowered the number of accidents and fatalities to a historically low level despite the massive increase in aircraft flying every single day. The 737-8/9 MAX is an unbelievable mess because it suddenly showed that this process can be cheated. The response to that event is not less regulation but clearly more regulation, as all major regulators have very loudly shown Boeing. So sorry to disagree with you, but when it comes to reality, regulators, requirements, compliance and type certificates are what have made today's civil commercial aircraft so safe. No one wants to go backward, and the 737-8/9 MAX fiasco absolutely shows why.

No, the answer is far less, more open-ended regulation on the engineering, and far more regulation on the management. The process is not what makes planes safe. Good engineering does that. Good engineering can and DOES happen with absolutely zero regard for regulations. This is because engineers are smart, introspective, reflective, and iterative. Listen to the testimonials from Boeing engineers who say how much the company has changed, how it used to be management just let the engineers do what they want once a target capacity, range, and cargo load were set. When that happened, Boeing was peerless. Until the A330 NEO and A350, Airbus was essentially the also-ran, not a truly worthy competitor. The engineers are far better than the regulators, and at some point, regulators need to be strung up by their oversized balls and put back in their place. Rip the whole system down and start again, because it's the very institution of regulation that failed here.

Good luck regulating the management....
I think that part of the disagreement is that you don't realize the scale and the complexity of the task of ensuring safety on a very big project that involves many other skills than engineers.
The factual reality is that the actual process is exactly the reverse of what you think it should be: regulators will take on even more importance to ensure safety after such a fiasco: to help even better engineering even in case of crappy unregulated management.
 
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 1:42 am

MSPNWA wrote:
Do you really think that the MAX is the first aircraft that "cheated" the process? I think this is a reflection of the root of the problem with how we're not getting anywhere. This isn't to single you out, but if your worldview is something to the effect of "Boeing sucks", you're forced to trip over yourself and ignore some realities to stay in that worldview.

No, but not completely... Clearly this is not the first time that a manufacturer has had issues with the safety regulation, as the regulation is in part about how to safely handle new issues. But most of the time those issues were unexpected and/or identified after years of operation; they were not known at design time. What is special about the 737-8/9 MAX is that Boeing actively cheated the FAA. The safety process inside the FAA was not good enough to handle that unexpected situation and failed. That event is a kind of first by its scale.
 
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 1:53 am

patrickjp93 wrote:
That is all immaterial. Seriously, read through what I am writing and take it absolutely literally. I do not give a damn what the standard is. If I had to design MCAS in a bubble, I'd have developed it to match and likely exceed the catastrophic requirements without even knowing them. I've even got logical analysis further up the thread on how to detect a faulty AoA vane with data from other systems, something Boeing decided not to do on the 737 MAX because grandfathering is too stringent and new type certificates require extensive training, even if in reality the handling would have been the same and differences training would have been sufficient (and some simulator time for new sensor displays and procedures associated).

You, and every absolutist rules lawyer like you who can't put aside the rules and use your head to think through the problem and solution are the single most detrimental force in the game. At some point, even a good design, including a regulatory institution, cannot be patched up and fixed, and a whole new solution has to be created carefully from the ground up. Boeing got greedy because the regulations were antagonistic and not fit for purpose. If Boeing could have raised the landing gear and kept within grandfathering, all of this would have been avoided. If Boeing could have implemented a redundant sensor system under grandfathering, we wouldn't be discussing this. If a hybrid of new type certification and grandfathering existed such that pilot training could have been minimized, the crashes wouldn't have happened. The regulations are both too heavy-handed and insufficient. And at the end of the day, they do not govern good engineering. They only govern what gets a rubber stamp and a piece of paper.

Yes, all it was was changing a name. If the engineers had been allowed to do what they knew was right unimpeded by regulation or management, we wouldn't be discussing this. That designation is only worth something to those who put stock in it, but the truth is it has zero actual effect on engineers who work in the field.

You have to understand that it's Boeing's decision that created that mess, not the FAA's. The FAA was expected to prevent the mess but failed.
Boeing was free to use redundant sensors from the start; it is not the regulator that prevented this, but the obsolete architecture of the 737 that Boeing wanted to keep. The architecture needs to evolve to the point that pilot training will be unavoidable, because the pilots have to know how the system works and how to ensure the safety of the flight.
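The redundancy point made in this post, and in the earlier one about building the software "to allow for any number of them" so that the sensor count is a single parameter, can be shown concretely: a single sensor cannot be cross-checked at all, two sensors can detect a disagreement but cannot say which one is wrong, and three or more can vote the outlier out. The following Python block is an added example for this thread; it is not code from the thread, from Boeing, or from any real flight-control system. The readings, the 5-degree agreement threshold and the function name `aoa_consensus` are all constructed for illustration.

```python
"""N-sensor agreement check (added example; hypothetical, not flight software)."""
from dataclasses import dataclass
from statistics import median
from typing import Optional, Sequence, Tuple


@dataclass
class Consensus:
    value: Optional[float]       # agreed reading, or None when no safe value exists
    fault: bool                  # True when any input disagreed with the others
    excluded: Tuple[int, ...]    # indices of readings that were voted out


def aoa_consensus(readings: Sequence[float], max_spread: float = 5.0) -> Consensus:
    """Cross-check N angle-of-attack readings (degrees; values are constructed).

    The sensor count is just len(readings), so the same logic serves 1, 2, 3 or
    more inputs; what changes is how much can be detected and corrected:
      N == 1: nothing to compare against; the reading passes through unchecked.
      N == 2: a disagreement is detectable but cannot be attributed to one
              sensor, so report a fault and return no value.
      N >= 3: readings farther than max_spread from the median are voted out;
              if a majority of the inputs remains, return its median.
    max_spread (5 degrees) is an arbitrary constructed threshold.
    """
    n = len(readings)
    if n == 0:
        raise ValueError("at least one reading is required")
    if n == 1:
        # Single-sensor architecture: an erratic value is simply trusted.
        return Consensus(readings[0], False, ())
    if n == 2:
        a, b = readings
        if abs(a - b) <= max_spread:
            return Consensus((a + b) / 2, False, ())
        # Detected but not arbitrated: the caller must fall back to a safe state.
        return Consensus(None, True, ())
    centre = median(readings)
    excluded = tuple(i for i, r in enumerate(readings) if abs(r - centre) > max_spread)
    kept = [r for i, r in enumerate(readings) if i not in excluded]
    if len(kept) * 2 <= n:
        # No majority agrees: treat the whole channel as unusable.
        return Consensus(None, True, excluded)
    return Consensus(median(kept), bool(excluded), excluded)


def demo() -> None:
    """Run the same erratic reading (74 degrees, constructed) through each design."""
    cases = {
        "1 sensor": [74.0],
        "2 sensors": [2.0, 74.0],
        "3 sensors": [2.0, 2.5, 74.0],
        "4 sensors": [2.0, 2.5, 3.0, 74.0],
    }
    for label, readings in cases.items():
        print(label, aoa_consensus(readings))


if __name__ == "__main__":
    demo()
```

The interesting row is the two-sensor one: disagreement is detected, but the function has no value to offer, so the safe behaviour has to be defined elsewhere (for example, the consumer of the reading stands down). That is the difference the classification debate above is really about: what mitigation is allowed on the fault path, not what the fault is called.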
 
par13del
Posts: 9521
Joined: Sun Dec 18, 2005 9:14 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 1:57 am

PixelFlight wrote:
The factual reality is that the actual process is exactly the reverse of what you think it should be: regulators will take on even more importance to ensure safety after such a fiasco: to help even better engineering even in case of crappy unregulated management.

The danger here is the politics: which regulator decides which engineering approach is best or safe? Example: Airbus side stick, Boeing yoke, Airbus FBW, Boeing FBW. History tells us that both are safe, but as we get more global and complex, even with multiple domestic regulators, the politics come in, as the folks in power will and do have the authority to restrict and even override good engineering.
You stated that you have seen where consumers have been hurt by products that did not follow regulators; we also have customers that have been hurt by following regulations which were outdated and not up to snuff, both sides of the same coin.
The one thing we can agree on is that in areas where there is high legal liability, the regulators are slow not because they think the engineering is not safe, but because the CYA is a priority.
It is an uneasy marriage, and since the regulators are usually under government control, budgets to ensure continued training to stay up to date are usually limited.
 
DC10LAXJFK
Posts: 26
Joined: Sat Nov 18, 2017 6:46 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 1:57 am

PixelFlight wrote:
MSPNWA wrote:
Do you really think that the MAX is the first aircraft that "cheated" the process? I think this is a reflection of the root of the problem with how we're not getting anywhere. This isn't to single you out, but if your worldview is something to the effect of "Boeing sucks", you're forced to trip over yourself and ignore some realities to stay in that worldview.

No, but not completely... Clearly this is not the first time that a manufacturer has had issues with the safety regulation, as the regulation is in part about how to safely handle new issues. But most of the time those issues were unexpected and/or identified after years of operation; they were not known at the design time. What is special about the 737-8/9 MAX is that Boeing actively cheated the FAA. The safety process inside the FAA was not good enough to handle that unexpected situation and failed. That event is a kind of first by its scale.


Exactly. You can't have it both ways about regulations. Boeing actively and deliberately gamed the grandfathering regulations. They knew they introduced a feature on the MAX that fundamentally changed flight characteristics and stability and hid those facts from the regulators and the airlines. They knew that knowledge of those characteristic differences would risk questions from both the regulators and airlines about compliance, type rating, training - all unacceptable to Boeing to continue to justify the MAX product.

What Boeing certainly knows is that regulations are designed so that specific flight characteristics can be evaluated and addressed. Boeing intentionally disregarded those regulations and actively worked to mislead the regulators and the airlines about those flight characteristics. Guess What. The plane crashed. TWICE in 5 months. For failure to comply with regulations.

It would be chaos if airlines could design planes just the way they wanted and could disregard regulations at will. Aviation would not be safer.
 
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 2:06 am

patrickjp93 wrote:
PixelFlight wrote:
patrickjp93 wrote:
It only matters because the law says it does and law enforcement exists, but it has no actual fundamental effect on the engineering. If you'd like a boolean table to prove this beyond any doubt, I can easily make one. In terms of the ACTUAL engineering and implementation, they don't matter one iota. They're just a rigid set of rules that more often than not get in the way of innovation or provide ass coverage for unscrupulous actors like Boeing's management who complied with the law as written and convinced the FAA that they had. If instead you had audited the design with a team of engineers to simply poke holes in everything rather than braindead monkeys looking at rule books so long you fall asleep before you finish reading, they'd have found these flaws, Boeing would have to have fixed them, and we wouldn't be having this discussion. Rules do not matter. Values matter. That's why we're now saying Boeing has a safety culture problem.

No, the requirements come from common sense. They come from sound engineering principles. Everything you just listed is a value, not a rule. Physics determines the real rules, nothing else.

Subcontractors are not a necessity, and in fact things like the MAX prove they're more often a liability for engineering firms. If you want your IP to stay inside and have your software come out right, keep your own IT department. It's really that simple, and a cost-benefit analysis will show it's cheaper in the long run.

That designation doesn't matter except to cover management's rear end. The engineers knew it was wrong and had designed a redundant system to start on the KC-46. The engineers had the values that essentially made that designation redundant and pointless. That's what you don't seem to get. That designation was worse than useless. It does not and should not matter. Sound engineering didn't require it to do the job well, and having it caused more problems than it solved.

No, the technical requirements and objectives are not set by laws but by standards written by engineers to help engineers deliver safe products. Those standards do have massive effects on ACTUAL engineering and implementation. They allow engineers working in aircraft safety to share a common understanding and designation. This allowed a lot of things to be standardized and rationalized, from design, production, testing, maintenance, etc... And yes, the regulation is also there to prevent a manufacturer too focused on money from killing people. This is exactly what failed with the 737-8/9 MAX and why this is such a big mess for the FAA.

You have it entirely backwards, but you're not open to reasoning and debate apparently. Skill and respect of one's work are the only things that impact their engineering. Those standards are worthless for everyone but spectators. You design the system the sensible way. The rest is nothing but paperwork, pomp, and circumstance. If you build it right the regs don't matter. That's why I can get away with not reading them. You basically have to be a twit to be noncompliant apart from arbitrary value types of regulation, such as having 3 redundant sensors instead of two. If I build the software to allow for any number of them, then why do I need to read the long-winded legalese when you can just tell me "2" or "3" and I can change one variable in one loop and copy+paste a hardware interface on another socket or memory location?

When you do it right the first time, regulations do not matter beyond a trivial level. Like I said, I can mathematically prove this to you if it'll make you happy. You can easily be noncompliant with a bunch of FAA regulations and produce a safer plane for it, as evidenced by the fact the design of the 787 fuselage and wings was done long before the regs surrounding CFRP designs were complete, and no revisions came about as part of them. The EASA and FAA are not infallible, their decrees are not written by gods, and they will always be behind the best and brightest in the industry.

I tried my best to explain to you the reality of civil commercial aircraft safety. There is a lot of existing material on the subject, and the same exists for automotive, industrial, medical, and nuclear. Learn and come back later instead of bashing decades of industry-wide efforts to improve safety, even if it's not perfect, as with everything you design yourself.
 
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 2:18 am

patrickjp93 wrote:
PixelFlight wrote:
patrickjp93 wrote:
It was done to make the plane cheaper to produce while staying within the grandfathering envelope and not require pilot training. It was pure greed. There is no other reason. Regulations are a double-edged sword, because the signoff is still made by corruptible humans, and the rules are written by fallible, sloppy humans too, in a language as imprecise as English.

I mostly agree with you here. If the FAA had been working as expected, Boeing would probably not have been able to put the initial 737-8/9 MAX into service. The failure was both at Boeing and at the FAA, and this is why the EASA appears in that subject: they temporarily could not trust Boeing nor the FAA until they clean up their respective safety issues. Standards and regulation are very useful in today's technology safety. I have seen myself so many products with defective safety that harmed people. Most of them were not in conformity with standards and regulation.

Anyone willing to put out badly engineered products didn't care about the regulations anyway. That's why they don't matter from an engineering perspective. You either take pride in your work and do it right the first time or you don't. Regs be damned you don't need them to do a proper job.

This implies that you know everything about the consequences of your product. You could believe that you are so perfect as to know everything, but I can tell you that testing labs around the world see epic failures of engineering design every single day. But of course you are so good that you can sell forever the very first version of your work, and all your git repositories only contain the initial perfect and complete revision commit. Oh, in fact I realize that you don't even need version control. You can probably do "cat > a.out" or XKCD #378 https://www.explainxkcd.com/wiki/index.php/378:_Real_Programmers
 
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 2:22 am

morrisond wrote:
patrickjp93 wrote:
PixelFlight wrote:
The risk designation is a standard in aircraft safety. When Boeing used a lower classification for MCAS, this was not just changing a name, but also a change in the mitigation or risk control that would be allowed in case of failure, and a change in how deep the failure analysis would be done. Because of the wrong classification, the mitigation or risk control was allowed to be done by the pilots, and the risk of a single erratic AoA sensor was not correctly addressed.

That is all immaterial. Seriously, read through what I am writing and take it absolutely literally. I do not give a damn what the standard is. If I had to design MCAS in a bubble, I'd have developed it to match and likely exceed the catastrophic requirements without even knowing them. I've even got logical analysis further up the thread on how to detect a faulty AoA vane with data from other systems, something Boeing decided not to do on the 737 MAX because grandfathering is too stringent and new type certificates require extensive training, even if in reality the handling would have been the same and differences training would have been sufficient (and some simulator time for new sensor displays and procedures associated).

You, and every absolutist rules lawyer like you who can't put aside the rules and use your head to think through the problem and solution are the single most detrimental force in the game. At some point, even a good design, including a regulatory institution, cannot be patched up and fixed, and a whole new solution has to be created carefully from the ground up. Boeing got greedy because the regulations were antagonistic and not fit for purpose. If Boeing could have raised the landing gear and kept within grandfathering, all of this would have been avoided. If Boeing could have implemented a redundant sensor system under grandfathering, we wouldn't be discussing this. If a hybrid of new type certification and grandfathering existed such that pilot training could have been minimized, the crashes wouldn't have happened. The regulations are both too heavy-handed and insufficient. And at the end of the day, they do not govern good engineering. They only govern what gets a rubber stamp and a piece of paper.

Yes, all it was was changing a name. If the engineers had been allowed to do what they knew was right unimpeded by regulation or management, we wouldn't be discussing this. That designation is only worth something to those who put stock in it, but the truth is it has zero actual effect on engineers who work in the field.


Great post, and if the MAX is somewhat normal in behaviour (the EASA test flights should show this one way or the other), the engineers might have decided that slightly lighter stick force was acceptable overall, just like the Transport Canada employee suggested, and the MAX would overall be safer without MCAS in the first place.

Has anyone heard of any follow-up to that "Transport Canada Employee" suggestion?
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 2:31 am

hivue wrote:
patrickjp93 wrote:
It was done to make the plane cheaper to produce while staying within the grandfathering envelope and not require pilot training. It was pure greed.


This is a non sequitur. By this logic, avoiding being greedy must involve making your product new from scratch and making it expensive.

No, you're committing reductio ad absurdum, except not to make a point about going too far. As an engineer myself, I think grandfathering and iterative improvement are perfectly valid, and it does NOT always make sense to start from a clean sheet. Adding functionality to an application with a quality codebase does not require clean-sheeting the whole program. However, over time as so many different programmers touch a system with a lack of coherent style and design patterns, it can become decoherent and more than difficult to work on. At some point, especially with a small team, you reach a breaking point on features taking longer to produce while bug reports pile up from the depths of legacy Hell.

On one team, I had to upgrade 10 Java apps that had been built on Spring Boot 1.2.1 to Spring Boot 2 while also pulling them off Windows Server 2008 and moving them to CentOS. They had been coded by a team of external contractors who were no longer with the company and who had left no documentation whatsoever on the requirements or thought process behind each of them. Furthermore, I'm no expert on the build systems of Gradle and Maven. When you go to upgrade Spring Boot, you have to upgrade the build system versions. Okay, that's fine until your build properties files suddenly stop working because breaking changes were made to the syntax and semantics while the errors provide no assistance. So now I have to triage the build until it works, and suddenly I get tons of compiler errors because a bunch of WSDLs (SOAP API contracts which are completed at build time, nasty work) suddenly either didn't build or built in the wrong order. Now it's down the rabbit hole of sifting through documentation and Stack Overflow to figure out how to translate the old into the new, while of course ensuring no IP addresses or meaningful code names get passed along. Oh, and now I'm finding out which versions of the other 3rd party libraries work correctly with Spring Boot 2. Oh and now I need to also upgrade to Java 11 because Oracle's ending Java 8 support. Oh and while we're at it let's also change Java providers from Oracle to AdoptOpenJDK because Oracle now wants to charge you $25 per core per machine per year that you run a Java environment on. So now I need to change the PowerShell AND Bash scripts to handle the new generic Java path schemes so our SSL certificate renewal processes don't break and cause an outage at the worst possible time. Fan, bloody, tastic!

If I'd known how nasty the upgrade was going to be I would have just yanked down a Spring Starter project, watched a couple of YouTube videos, and rebuilt the 10 applets from scratch in no time flat.

Boeing could have, given free rein, raised the height of the 737 MAX and told airlines to simply get more luggage equipment because that's the compromise to getting better fuel economy with no pilot training. Then the engines could be moved back, be made the same size as the A320NEO (making the MAX an even fiercer competitor), and MCAS is never even thought about.

So yes, Boeing got greedy while getting stuck between a rock and a hard place because of incompetent regulators who very easily could have compromised and accepted improvements on a grandfathered type so long as handling was the same and pilot training needs would be minimized. The problem with regulators is rigidity when it comes to these schemes, and it's just the completely wrong approach.
 
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 2:32 am

par13del wrote:
PixelFlight wrote:
The factual reality is that the actual process is exactly the reverse of what you think it should be: regulators will take on even more importance to ensure safety after such a fiasco, to help even better engineering even in case of crappy unregulated management.

The danger here is the politics: which regulator decides which engineering approach is best or safe? Example: Airbus side stick, Boeing yoke, Airbus FBW, Boeing FBW. History tells us that both are safe, but as we get more global and complex, even with multiple domestic regulators, the politics come in, as the folks in power will and do have the authority to restrict and even override good engineering.
You stated that you have seen where consumers have been hurt by products that did not follow regulators; we also have customers that have been hurt by following regulations which were outdated and not up to snuff, both sides of the same coin.
The one thing we can agree on is that in areas where there is high legal liability, the regulators are slow not because they think the engineering is not safe, but because the CYA is a priority.
It is an uneasy marriage, and since the regulators are usually under government control, budgets to ensure continued training to stay up to date are usually limited.

The FAA and the EASA have an always evolving international mutual agreement that has proved able to handle the different approaches of Boeing and Airbus, and this is the same for Embraer in Brazil, Bombardier in Canada, and many other manufacturers. Those agreements exist to avoid redoing the regulation work everywhere, so this implies not blocking a design for no valid reason.
Regulation is about handling issues, so if there is a new version of a regulation, this is in most cases because an issue was identified with the previous version of the regulation. So yes, better to comply with the latest version of the regulation.
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 2:38 am

PixelFlight wrote:
patrickjp93 wrote:
PixelFlight wrote:
You are confusing laws and the engineering part of the aviation safety certification. The engineering part of the aviation safety certification was largely set up by engineers to avoid accidents, because many in-flight issues can potentially end in a crash, as many tragedies in the history of aviation have shown. This process is absolutely vital for today's civil commercial aviation. Over the last few decades this long process very successfully lowered the number of accidents and fatalities to a historically low level despite the massive increase in aircraft flying every single day. The 737-8/9 MAX is an unbelievable mess because it suddenly showed that this process can be cheated. The response to that event is not less regulation but clearly more regulation, as all major regulators have very loudly shown to Boeing. So sorry to disagree with you, but when it comes to reality, regulators, requirements, compliance, and type certificates are what have made today's civil commercial aircraft so safe. No one wants to go backward, and the 737-8/9 MAX fiasco absolutely shows why.

No, the answer is far less, more open-ended regulation on the engineering, and far more regulation on the management. The process is not what makes planes safe. Good engineering does that. Good engineering can and DOES happen with absolutely zero regard for regulations. This is because engineers are smart, introspective, reflective, and iterative. Listen to the testimonials from Boeing engineers who say how much the company has changed, how it used to be management just let the engineers do what they want once a target capacity, range, and cargo load were set. When that happened, Boeing was peerless. Until the A330 NEO and A350, Airbus was essentially the also-ran, not a truly worthy competitor. The engineers are far better than the regulators, and at some point, regulators need to be strung up by their oversized balls and put back in their place. Rip the whole system down and start again, because it's the very institution of regulation that failed here.

Good luck regulating the management....
I think that part of the disagreement is that you don't realize the scale and complexity of the task of ensuring safety on a very big project that involves many other skills than engineers'.
The factual reality is that the actual process is exactly the reverse of what you think it should be: regulators will take on even more importance to ensure safety after such a fiasco, to help even better engineering even in case of crappy unregulated management.

I'm not underestimating it at all. When you have the skill and mental capacity to keep microarchitecture vulnerabilities in mind while writing robust Operating System code (I contribute to OpenBSD) and then integrating that with extremely performance-sensitive code on top of it for managing transactions securely in a fault-tolerant way, then you can talk to me about complexity. Everyone on this forum knew MCAS needed redundancy in the sensors and proper failure detection the moment they heard it ran off of one AoA. Designing a fault-tolerant, available, correct MCAS is trivial for any computer science graduate who knows how to write C/C++ code to handle a memory or bus interface. I didn't graduate from MIT but I tell you what any of the people I taught/tutored for High Performance Computing could have met everything the JATR committee recommended up front blindfolded.

No, the regulators are proven incompetent. Get them out of the picture. It's their own rigid framework and lack of sensible compromise that incentivized managers to shoehorn MCAS in to begin with. Grandfathering is too incomplete and insufficient a system. It needs room to allow iterative growth without breaking type rating, simple as that.
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 2:44 am

PixelFlight wrote:
patrickjp93 wrote:
That is all immaterial. Seriously, read through what I am writing and take it absolutely literally. I do not give a damn what the standard is. If I had to design MCAS in a bubble, I'd have developed it to match and likely exceed the catastrophic requirements without even knowing them. I've even got logical analysis further up the thread on how to detect a faulty AoA vane with data from other systems, something Boeing decided not to do on the 737 MAX because grandfathering is too stringent and new type certificates require extensive training, even if in reality the handling would have been the same and differences training would have been sufficient (and some simulator time for new sensor displays and procedures associated).

You, and every absolutist rules lawyer like you who can't put aside the rules and use your head to think through the problem and solution are the single most detrimental force in the game. At some point, even a good design, including a regulatory institution, cannot be patched up and fixed, and a whole new solution has to be created carefully from the ground up. Boeing got greedy because the regulations were antagonistic and not fit for purpose. If Boeing could have raised the landing gear and kept within grandfathering, all of this would have been avoided. If Boeing could have implemented a redundant sensor system under grandfathering, we wouldn't be discussing this. If a hybrid of new type certification and grandfathering existed such that pilot training could have been minimized, the crashes wouldn't have happened. The regulations are both too heavy-handed and insufficient. And at the end of the day, they do not govern good engineering. They only govern what gets a rubber stamp and a piece of paper.

Yes, all it was was changing a name. If the engineers had been allowed to do what they knew was right unimpeded by regulation or management, we wouldn't be discussing this. That designation is only worth something to those who put stock in it, but the truth is it has zero actual effect on engineers who work in the field.

You have to understand that it's Boeing's decision that created that mess, not the FAA's. The FAA was expected to prevent the mess but failed.
Boeing was free to use redundant sensors from the start; it is not the regulator that prevented this, but the obsolete architecture of the 737 that Boeing wanted to keep. The architecture needs to evolve to the point that pilot training will be unavoidable, because the pilots have to know how the system works and how to ensure the safety of the flight.

No, they weren't free to, as it breaks the type rating under the current rules, which then expands into much longer certification, then much more pilot training, and the business case collapses. That's the actual livelihood of the company at stake. The FAA's grandfathering system is an absolute disgrace of rigid academic bureaucrats who couldn't engineer their way into building an outhouse. If Boeing had had the flexibility you claim without there being vindictive consequences in exercising that freedom, we wouldn't be discussing this, simple as that. The rules are poorly made. That is an objective truth.
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 2:52 am

PixelFlight wrote:
patrickjp93 wrote:
PixelFlight wrote:
I mostly agree with you here. If the FAA had been working as expected, Boeing would probably not have been able to put the initial 737-8/9 MAX into service. The failure was both at Boeing and at the FAA, and this is why the EASA appears in that subject: they temporarily could not trust Boeing nor the FAA until they clean up their respective safety issues. Standards and regulation are very useful in today's technology safety. I have seen myself so many products with defective safety that harmed people. Most of them were not in conformity with standards and regulation.

Anyone willing to put out badly engineered products didn't care about the regulations anyway. That's why they don't matter from an engineering perspective. You either take pride in your work and do it right the first time or you don't. Regs be damned you don't need them to do a proper job.

This implies that you know everything about the consequences of your product. You could believe that you are so perfect as to know everything, but I can tell you that testing labs around the world see epic failures of engineering design every single day. But of course you are so good that you can sell forever the very first version of your work, and all your git repositories only contain the initial perfect and complete revision commit. Oh, in fact I realize that you don't even need version control. You can probably do "cat > a.out" or XKCD #378 https://www.explainxkcd.com/wiki/index.php/378:_Real_Programmers

I'm not perfect, but math is, and I don't need an incompetent regulator who can't perform basic lambda calculus telling me my work is insufficient when I can mathematically prove he or she is too ignorant to hold the position they have as my supervisor. I've smacked around enough Aussie regulators that way for good reason. Mathematical proofs are ironclad.

I'm implying I know all the consequences of MCAS when it's given bad information: it causes a nosedive. I know how long the diving action lasts. I know how steep it is. Effectively, I know everything about MCAS. Everyone here does if you've been keeping up with the data dumps. MCAS is a very simple system. Implementing the software for it is easy. The hardware is trickier, but that's really just wiring and relays given the AoA is a known quantity.

Those labs have never met me. I have a spotless record. I'm just not the fastest. When you do things right the first time, you maximize quality, and I command a high price for my work, and out of quality, cost, and time, you can only pick two as the manager. It takes me however long it takes me, but I've never submitted a program that was flawed, and I've peer-reviewed and fixed work by engineers 20 years my senior to their humiliation in some cases. I'm not a genius. I just care.

No my git repositories contain tons of drafts and places where I ended a day incomplete. But I've never attempted to merge flawed code, not once out of 602 submissions to FreeBSD.
 
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 2:56 am

patrickjp93 wrote:
hivue wrote:
patrickjp93 wrote:
It was done to make the plane cheaper to produce while staying within the grandfathering envelope and not require pilot training. It was pure greed.


This is a non sequitur. By this logic, avoiding being greedy must involve making your product new from scratch and making it expensive.

No, you're committing reductio ad absurdum, except not to make a point about going too far. As an engineer myself, I think grandfathering and iterative improvement are perfectly valid, and it does NOT always make sense to start from a clean sheet. Adding functionality to an application with a quality codebase does not require clean-sheeting the whole program. However, over time as so many different programmers touch a system with a lack of coherent style and design patterns, it can become decoherent and more than difficult to work on. At some point, especially with a small team, you reach a breaking point on features taking longer to produce while bug reports pile up from the depths of legacy Hell.

On one team, I had to upgrade 10 Java apps that had been built on Spring Boot 1.2.1 to Spring Boot 2 while also pulling them off Windows Server 2008 and moving them to CentOS. They had been coded by a team of external contractors who were no longer with the company and who had left no documentation whatsoever on the requirements or thought process behind each of them. Furthermore, I'm no expert on the build systems of Gradle and Maven. When you go to upgrade Spring Boot, you have to upgrade the build system versions. Okay, that's fine until your build properties files suddenly stop working because breaking changes were made to the syntax and semantics while the errors provide no assistance. So now I have to triage the build until it works, and suddenly I get tons of compiler errors because a bunch of WSDLs (SOAP API contracts which are completed at build time, nasty work) suddenly either didn't build or built in the wrong order. Now it's down the rabbit hole of sifting through documentation and Stack Overflow to figure out how to translate the old into the new, while of course ensuring no IP addresses or meaningful code names get passed along. Oh, and now I'm finding out which versions of the other 3rd party libraries work correctly with Spring Boot 2. Oh and now I need to also upgrade to Java 11 because Oracle's ending Java 8 support. Oh and while we're at it let's also change Java providers from Oracle to AdoptOpenJDK because Oracle now wants to charge you $25 per core per machine per year that you run a Java environment on. So now I need to change the PowerShell AND Bash scripts to handle the new generic Java path schemes so our SSL certificate renewal processes don't break and cause an outage at the worst possible time. Fan, bloody, tastic!

If I'd known how nasty the upgrade was going to be I would have just yanked down a Spring Starter project, watched a couple of YouTube videos, and rebuilt the 10 applets from scratch in no time flat.

Boeing could have, given free rein, raised the height of the 737 MAX and told airlines to simply get more luggage equipment because that's the compromise to getting better fuel economy with no pilot training. Then the engines could be moved back, be made the same size as the A320NEO (making the MAX an even fiercer competitor), and MCAS is never even thought about.

So yes, Boeing got greedy while getting stuck between a rock and a hard place because of incompetent regulators who very easily could have compromised and accepted improvements on a grandfathered type so long as handling was the same and pilot training needs would be minimized. The problem with regulators is rigidity when it comes to these schemes, and it's just the completely wrong approach.

You are far from the only engineer on this forum... But the kind of work you describe is EXACTLY WHAT NEEDS TO BE AVOIDED in the context of a safety-critical system. It's a totally different world. The STS is a relatively well documented exemplar of safety-critical complex software development. This article gives a hint at the process: https://www.fastcompany.com/90450330/why-doing-the-easy-parts-of-your-to-do-list-first-can-be-a-bad-idea You can't blame the regulator for being "very easily could have compromised" and for "rigidity" at the same time! The FAA was not prepared to handle Boeing cheating, but it is Boeing that decided to cheat to comply with unrealistic promises to operators.
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 3:05 am

PixelFlight wrote:
patrickjp93 wrote:
hivue wrote:

This is a non sequitur. By this logic, avoiding being greedy must involve making your product new from scratch and making it expensive.

No, you're committing reductio ad absurdum, except not to make a point about going too far. As an engineer myself, I think grandfathering and iterative improvement are perfectly valid, and it does NOT always make sense to start from a clean sheet. Adding functionality to an application with a quality codebase does not require clean-sheeting the whole program. However, over time as so many different programmers touch a system with a lack of coherent style and design patterns, it can become decoherent and more than difficult to work on. At some point, especially with a small team, you reach a breaking point on features taking longer to produce while bug reports pile up from the depths of legacy Hell.

On one team, I had to upgrade 10 Java apps that had been built on Spring Boot 1.2.1 to Spring Boot 2 while also pulling them off Windows Server 2008 and moving them to CentOS. They had been coded by a team of external contractors who were no longer with the company and who had left no documentation whatsoever on the requirements or thought process behind each of them. Furthermore, I'm no expert on the build systems of Gradle and Maven. When you go to upgrade Spring Boot, you have to upgrade the build system versions. Okay, that's fine until your build properties files suddenly stop working because breaking changes were made to the syntax and semantics while the errors provide no assistance. So now I have to triage the build until it works, and suddenly I get tons of compiler errors because a bunch of WSDLs (SOAP API contracts which are completed at build time, nasty work) suddenly either didn't build or built in the wrong order. Now it's down the rabbit hole of sifting through documentation and Stack Overflow to figure out how to translate the old into the new, while of course ensuring no IP addresses or meaningful code names get passed along. Oh, and now I'm finding out which versions of the other 3rd party libraries work correctly with Spring Boot 2. Oh and now I need to also upgrade to Java 11 because Oracle's ending Java 8 support. Oh and while we're at it let's also change Java providers from Oracle to AdoptOpenJDK because Oracle now wants to charge you $25 per core per machine per year that you run a Java environment on. So now I need to change the PowerShell AND Bash scripts to handle the new generic Java path schemes so our SSL certificate renewal processes don't break and cause an outage at the worst possible time. Fan, bloody, tastic!

If I'd known how nasty the upgrade was going to be I would have just yanked down a Spring Starter project, watched a couple of YouTube videos, and rebuilt the 10 applets from scratch in no time flat.

Boeing could have, given free rein, raised the height of the 737 MAX and told airlines to simply get more luggage equipment because that's the compromise to getting better fuel economy with no pilot training. Then the engines could be moved back, be made the same size as the A320NEO (making the MAX an even fiercer competitor), and MCAS is never even thought about.

So yes, Boeing got greedy while getting stuck between a rock and a hard place because of incompetent regulators who very easily could have compromised and accepted improvements on a grandfathered type so long as handling was the same and pilot training needs would be minimized. The problem with regulators is rigidity when it comes to these schemes, and it's just the completely wrong approach.

You are far from the only engineer on this forum... But the kind of work you describe is EXACTLY WHAT NEEDS TO BE AVOIDED in the context of a safety-critical system. It's a totally different world. The STS is a relatively well documented exemplar of safety-critical complex software development. This article gives a hint at the process: https://www.fastcompany.com/90450330/why-doing-the-easy-parts-of-your-to-do-list-first-can-be-a-bad-idea You can't blame the regulator for being "very easily could have compromised" and for "rigidity" at the same time! The FAA was not prepared to handle Boeing cheating, but it is Boeing that decided to cheat to comply with unrealistic promises to operators.

I most certainly CAN and SHOULD blame the FAA for this as much as I blame Boeing. The regulations should have been robust enough to allow grandfathering with progressive improvement in meeting newer regulations as long as the handling didn't change. It's blatant stupidity that adding a redundant sensor-driven system to the 737 would break grandfathering, yet that's what Boeing ran into. If the FAA were competent that sort of lunacy wouldn't have ever passed into regulatory code.

Ask yourself if you would have been fine with the 737 MAX being grandfathered with a properly designed and implemented MCAS? Ask yourself if you would have been fine with raising the height of the landing gear, because that was another deal breaker on grandfathering since the 737 had always been short enough to not need slides for over-wing exits. If you would be happy with either of those, then guess what? The FAA's regulations were unduly rigid and are partly to blame for this. If you prevent safe designs from being possible, you're equally guilty when unsafe ones get put in your lap.
 
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 3:22 am

patrickjp93 wrote:
PixelFlight wrote:
patrickjp93 wrote:
No, the answer is far less, more open-ended regulation on the engineering, and far more regulation on the management. The process is not what makes planes safe. Good engineering does that. Good engineering can and DOES happen with absolutely zero regard for regulations. This is because engineers are smart, introspective, reflective, and iterative. Listen to the testimonials from Boeing engineers who say how much the company has changed, how it used to be management just let the engineers do what they want once a target capacity, range, and cargo load were set. When that happened, Boeing was peerless. Until the A330 NEO and A350, Airbus was essentially the also-ran, not a truly worthy competitor. The engineers are far better than the regulators, and at some point, regulators need to be strung up by their oversized balls and put back in their place. Rip the whole system down and start again, because it's the very institution of regulation that failed here.

Good luck regulating the management....
I think that part of the disagreement is that you don't realize the scale and the complexity of the task to ensure safety on a very big project that involves many other skills besides engineering.
The factual reality is that the actual process is exactly the reverse of what you think it should be: regulators will take on even more importance to ensure safety after such a fiasco: to help even better engineering even in the case of crappy unregulated management.

I'm not underestimating it at all. When you have the skill and mental capacity to keep microarchitecture vulnerabilities in mind while writing robust Operating System code (I contribute to OpenBSD) and then integrating that with extremely performance-sensitive code on top of it for managing transactions securely in a fault-tolerant way, then you can talk to me about complexity. Everyone on this forum knew MCAS needed redundancy in the sensors and proper failure detection the moment they heard it ran off of one AoA. Designing a fault-tolerant, available, correct MCAS is trivial for any computer science graduate who knows how to write C/C++ code to handle a memory or bus interface. I didn't graduate from MIT but I tell you what any of the people I taught/tutored for High Performance Computing could have met everything the JATR committee recommended up front blindfolded.

No, the regulators are proven incompetent. Get them out of the picture. It's their own rigid framework and lack of sensible compromise that incentivized managers to shoehorn MCAS in to begin with. Grandfathering is too incomplete and insufficient a system. It needs room to allow iterative growth without breaking type rating, simple as that.

Take care of testosterone poisoning. The complexity of your project is still small compared to all that is required to safely fly thousands of civil commercial aircraft with passengers every day. The OpenBSD kernel is far from reaching safety-critical certification. I don't think you understand the JATR review about MCAS, especially the R6 chapter: it's all about regulation compliance and the certification process.
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 3:28 am

PixelFlight wrote:
patrickjp93 wrote:
PixelFlight wrote:
Good luck regulating the management....
I think that part of the disagreement is that you don't realize the scale and the complexity of the task to ensure safety on a very big project that involves many other skills besides engineering.
The factual reality is that the actual process is exactly the reverse of what you think it should be: regulators will take on even more importance to ensure safety after such a fiasco: to help even better engineering even in the case of crappy unregulated management.

I'm not underestimating it at all. When you have the skill and mental capacity to keep microarchitecture vulnerabilities in mind while writing robust Operating System code (I contribute to OpenBSD) and then integrating that with extremely performance-sensitive code on top of it for managing transactions securely in a fault-tolerant way, then you can talk to me about complexity. Everyone on this forum knew MCAS needed redundancy in the sensors and proper failure detection the moment they heard it ran off of one AoA. Designing a fault-tolerant, available, correct MCAS is trivial for any computer science graduate who knows how to write C/C++ code to handle a memory or bus interface. I didn't graduate from MIT but I tell you what any of the people I taught/tutored for High Performance Computing could have met everything the JATR committee recommended up front blindfolded.

No, the regulators are proven incompetent. Get them out of the picture. It's their own rigid framework and lack of sensible compromise that incentivized managers to shoehorn MCAS in to begin with. Grandfathering is too incomplete and insufficient a system. It needs room to allow iterative growth without breaking type rating, simple as that.

Take care of testosterone poisoning. The complexity of your project is still small compared to all that is required to safely fly thousands of civil commercial aircraft with passengers every day. The OpenBSD kernel is far from reaching safety-critical certification. I don't think you understand the JATR review about MCAS, especially the R6 chapter: it's all about regulation compliance and the certification process.

No, I can assure you it isn't any less complex. Oh, and the kernel is certified for safety-critical use just as it's certified for PCI-DSS and it's certified for use in mainframes for financial transactions. It's far more robust and fault-tolerant than Linux. IBM's Z mainframes no longer run Linux either.

JATR's conclusions can be incorrect. I can mathematically prove you don't need a single regulation to build a safe product. It's not about the process or regulatory compliance. It's about good engineering. You can do rule-compliant work without ever reading the rules. I've done it many times. And in some cases the rules can be a hindrance to safety and good engineering. In this case the strictness around grandfathering was an impediment to good design rather than an enabler of good design.
 
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 3:31 am

patrickjp93 wrote:
PixelFlight wrote:
patrickjp93 wrote:
That is all immaterial. Seriously, read through what I am writing and take it absolutely literally. I do not give a damn what the standard is. If I had to design MCAS in a bubble, I'd have developed it to match and likely exceed the catastrophic requirements without even knowing them. I've even got logical analysis further up the thread on how to detect a faulty AoA vane with data from other systems, something Boeing decided not to do on the 737 MAX because grandfathering is too stringent and new type certificates require extensive training, even if in reality the handling would have been the same and differences training would have been sufficient (and some simulator time for new sensor displays and procedures associated).

You, and every absolutist rules lawyer like you who can't put aside the rules and use your head to think through the problem and solution are the single most detrimental force in the game. At some point, even a good design, including a regulatory institution, cannot be patched up and fixed, and a whole new solution has to be created carefully from the ground up. Boeing got greedy because the regulations were antagonistic and not fit for purpose. If Boeing could have raised the landing gear and kept within grandfathering, all of this would have been avoided. If Boeing could have implemented a redundant sensor system under grandfathering, we wouldn't be discussing this. If a hybrid of new type certification and grandfathering existed such that pilot training could have been minimized, the crashes wouldn't have happened. The regulations are both too heavy-handed and insufficient. And at the end of the day, they do not govern good engineering. They only govern what gets a rubber stamp and a piece of paper.

Yes, all it was was changing a name. If the engineers had been allowed to do what they knew was right unimpeded by regulation or management, we wouldn't be discussing this. That designation is only worth something to those who put stock in it, but the truth is it has zero actual effect on engineers who work in the field.

You have to understand that it's Boeing's decision that created that mess, not the FAA's. The FAA was expected to prevent the mess but failed.
Boeing was free to use redundant sensors from the start; it is not the regulator that prevented this, but the obsolete architecture of the 737 that Boeing wanted to keep. The architecture needs to evolve to the point that pilot training will be unavoidable, because the pilots have to know how the system works and how to ensure the safety of the flight.

No, they weren't free to, as it breaks the type rating under the current rules, which then expands into much longer certification, then much more pilot training, and the business case collapses. That's the actual livelihood of the company at stake. The FAA's grandfathering system is an absolute disgrace of rigid academic bureaucrats who couldn't engineer their way into building an outhouse. If Boeing had had the flexibility you claim without there being vindictive consequences in exercising that freedom, we wouldn't be discussing this, simple as that. The rules are poorly made. That is an objective truth.

You have to understand all the aspects involved in safely flying a civil commercial aircraft. Pilots play a big role here and they need to understand how the system works to handle it in case of failure. If Boeing changes the flight control system, then the pilots need to be trained on the new system to ensure safety. It's not just a regulation requirement, but vital knowledge for the pilot. Just see how the pilots' association reacted when they discovered that Boeing had hidden MCAS from them...
 
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 3:47 am

patrickjp93 wrote:
PixelFlight wrote:
patrickjp93 wrote:
No, you're committing reductio ad absurdum, except not to make a point about going too far. As an engineer myself, I think grandfathering and iterative improvement are perfectly valid, and it does NOT always make sense to start from a clean sheet. Adding functionality to an application with a quality codebase does not require clean-sheeting the whole program. However, over time as so many different programmers touch a system with a lack of coherent style and design patterns, it can become decoherent and more than difficult to work on. At some point, especially with a small team, you reach a breaking point on features taking longer to produce while bug reports pile up from the depths of legacy Hell.

On one team, I had to upgrade 10 Java apps that had been built on Spring Boot 1.2.1 to Spring Boot 2 while also pulling them off Windows Server 2008 and moving them to CentOS. They had been coded by a team of external contractors who were no longer with the company and who had left no documentation whatsoever on the requirements or thought process behind each of them. Furthermore, I'm no expert on the build systems of Gradle and Maven. When you go to upgrade Spring Boot, you have to upgrade the build system versions. Okay, that's fine until your build properties files suddenly stop working because breaking changes were made to the syntax and semantics while the errors provide no assistance. So now I have to triage the build until it works, and suddenly I get tons of compiler errors because a bunch of WSDLs (SOAP API contracts which are completed at build time, nasty work) suddenly either didn't build or built in the wrong order. Now it's down the rabbit hole of sifting through documentation and Stack Overflow to figure out how to translate the old into the new, while of course ensuring no IP addresses or meaningful code names get passed along. Oh, and now I'm finding out which versions of the other 3rd party libraries work correctly with Spring Boot 2. Oh and now I need to also upgrade to Java 11 because Oracle's ending Java 8 support. Oh and while we're at it let's also change Java providers from Oracle to AdoptOpenJDK because Oracle now wants to charge you $25 per core per machine per year that you run a Java environment on. So now I need to change the PowerShell AND Bash scripts to handle the new generic Java path schemes so our SSL certificate renewal processes don't break and cause an outage at the worst possible time. Fan, bloody, tastic!

If I'd known how nasty the upgrade was going to be I would have just yanked down a Spring Starter project, watched a couple of YouTube videos, and rebuilt the 10 applets from scratch in no time flat.

Boeing could have, given free rein, raised the height of the 737 MAX and told airlines to simply get more luggage equipment because that's the compromise to getting better fuel economy with no pilot training. Then the engines could be moved back, be made the same size as the A320NEO (making the MAX an even fiercer competitor), and MCAS is never even thought about.

So yes, Boeing got greedy while getting stuck between a rock and a hard place because of incompetent regulators who very easily could have compromised and accepted improvements on a grandfathered type so long as handling was the same and pilot training needs would be minimized. The problem with regulators is rigidity when it comes to these schemes, and it's just the completely wrong approach.

You are far from the only engineer on this forum... But the kind of work you describe is EXACTLY WHAT NEEDS TO BE AVOIDED in the context of a safety-critical system. It's a totally different world. The STS is a relatively well documented exemplar of safety-critical complex software development. This article gives a hint at the process: https://www.fastcompany.com/90450330/why-doing-the-easy-parts-of-your-to-do-list-first-can-be-a-bad-idea You can't blame the regulator for being "very easily could have compromised" and for "rigidity" at the same time! The FAA was not prepared to handle Boeing cheating, but it is Boeing that decided to cheat to comply with unrealistic promises to operators.

I most certainly CAN and SHOULD blame the FAA for this as much as I blame Boeing. The regulations should have been robust enough to allow grandfathering with progressive improvement in meeting newer regulations as long as the handling didn't change. It's blatant stupidity that adding a redundant sensor-driven system to the 737 would break grandfathering, yet that's what Boeing ran into. If the FAA were competent that sort of lunacy wouldn't have ever passed into regulatory code.

Ask yourself if you would have been fine with the 737 MAX being grandfathered with a properly designed and implemented MCAS? Ask yourself if you would have been fine with raising the height of the landing gear, because that was another deal breaker on grandfathering since the 737 had always been short enough to not need slides for over-wing exits. If you would be happy with either of those, then guess what? The FAA's regulations were unduly rigid and are partly to blame for this. If you prevent safe designs from being possible, you're equally guilty when unsafe ones get put in your lap.

I disagree, the aircraft safety regulation is not as rigid as you think; the manufacturer is allowed to demonstrate a completely different approach than the existing regulated one as long as it demonstrates that this is safe. This is for example how Airbus has certified the FBW neutral stability: at that time it was in contradiction with many regulatory aspects (and still is on some points). Boeing could have done the same, but the pressure on the schedule was so high that they decided to keep the existing architecture instead of designing an appropriate one. Just see how much time it takes them to do it right now...
 
RickNRoll
Posts: 1834
Joined: Fri Jan 06, 2012 9:30 am

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 3:47 am

patrickjp93 wrote:
PixelFlight wrote:
patrickjp93 wrote:
I'm not underestimating it at all. When you have the skill and mental capacity to keep microarchitecture vulnerabilities in mind while writing robust Operating System code (I contribute to OpenBSD) and then integrating that with extremely performance-sensitive code on top of it for managing transactions securely in a fault-tolerant way, then you can talk to me about complexity. Everyone on this forum knew MCAS needed redundancy in the sensors and proper failure detection the moment they heard it ran off of one AoA. Designing a fault-tolerant, available, correct MCAS is trivial for any computer science graduate who knows how to write C/C++ code to handle a memory or bus interface. I didn't graduate from MIT but I tell you what any of the people I taught/tutored for High Performance Computing could have met everything the JATR committee recommended up front blindfolded.

No, the regulators are proven incompetent. Get them out of the picture. It's their own rigid framework and lack of sensible compromise that incentivized managers to shoehorn MCAS in to begin with. Grandfathering is too incomplete and insufficient a system. It needs room to allow iterative growth without breaking type rating, simple as that.

Take care of testosterone poisoning. The complexity of your project is still small compared to all that is required to safely fly thousands of civil commercial aircraft with passengers every day. The OpenBSD kernel is far from reaching safety-critical certification. I don't think you understand the JATR review about MCAS, especially the R6 chapter: it's all about regulation compliance and the certification process.

No, I can assure you it isn't any less complex. Oh, and the kernel is certified for safety-critical use just as it's certified for PCI-DSS and it's certified for use in mainframes for financial transactions. It's far more robust and fault-tolerant than Linux. IBM's Z mainframes no longer run Linux either.

JATR's conclusions can be incorrect. I can mathematically prove you don't need a single regulation to build a safe product. It's not about the process or regulatory compliance. It's about good engineering. You can do rule-compliant work without ever reading the rules. I've done it many times. And in some cases the rules can be a hindrance to safety and good engineering. In this case the strictness around grandfathering was an impediment to good design rather than an enabler of good design.

Boeing could have implemented MCAS 2.0 as MCAS 1.0.

There was nothing stopping it from doing that. There was nothing stopping Boeing from redesigning the landing gear. Boeing was free to do whatever they wanted with the design. They just had to demonstrate that it was safe.

You seem to have a very poor understanding of quality procedures. It is never good enough to say something is safe. You have to demonstrate that it is safe.
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 3:48 am

PixelFlight wrote:
patrickjp93 wrote:
PixelFlight wrote:
You have to understand that it's Boeing's decision that created that mess, not the FAA's. The FAA was expected to prevent the mess but failed.
Boeing was free to use redundant sensors from the start; it is not the regulator that prevented this, but the obsolete architecture of the 737 that Boeing wanted to keep. The architecture needs to evolve to the point that pilot training will be unavoidable, because the pilots have to know how the system works and how to ensure the safety of the flight.

No, they weren't free to, as it breaks the type rating under the current rules, which then expands into much longer certification, then much more pilot training, and the business case collapses. That's the actual livelihood of the company at stake. The FAA's grandfathering system is an absolute disgrace of rigid academic bureaucrats who couldn't engineer their way into building an outhouse. If Boeing had had the flexibility you claim without there being vindictive consequences in exercising that freedom, we wouldn't be discussing this, simple as that. The rules are poorly made. That is an objective truth.

You have to understand all the aspects involved in safely flying a civil commercial aircraft. Pilots play a big role here and they need to understand how the system works to handle it in case of failure. If Boeing changes the flight control system, then the pilots need to be trained on the new system to ensure safety. It's not just a regulation requirement, but vital knowledge for the pilot. Just see how the pilots' association reacted when they discovered that Boeing had hidden MCAS from them...

So make them aware of the system, make the disabling procedure easy, do a proper human factors test, and put in an hour of sim training if a simple differences manual on an iPad isn't enough. Good lord, would it kill you to actually evaluate and respond to the core of my arguments? Jesus Christ, I just said the flaw with grandfathering is that it isn't nearly robust enough to allow good iteration on designs that is sensible. MCAS properly implemented does not require days upon days of sim training per pilot. You know it. I know it, and every pilot worth his/her salt on this forum knows it.
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 3:54 am

RickNRoll wrote:
patrickjp93 wrote:
PixelFlight wrote:
Take care of testosterone poisoning. The complexity of your project is still small compared to all that is required to safely fly thousands of civil commercial aircraft with passengers every day. The OpenBSD kernel is far from reaching safety-critical certification. I don't think you understand the JATR review about MCAS, especially the R6 chapter: it's all about regulation compliance and the certification process.

No, I can assure you it isn't any less complex. Oh, and the kernel is certified for safety-critical use just as it's certified for PCI-DSS and it's certified for use in mainframes for financial transactions. It's far more robust and fault-tolerant than Linux. IBM's Z mainframes no longer run Linux either.

JATR's conclusions can be incorrect. I can mathematically prove you don't need a single regulation to build a safe product. It's not about the process or regulatory compliance. It's about good engineering. You can do rule-compliant work without ever reading the rules. I've done it many times. And in some cases the rules can be a hindrance to safety and good engineering. In this case the strictness around grandfathering was an impediment to good design rather than an enabler of good design.

Boeing could have implemented MCAS 2.0 as MCAS 1.0.

There was nothing stopping it from doing that. There was nothing stopping Boeing from redesigning the landing gear. Boeing was free to do whatever they wanted with the design. They just had to demonstrate that it was safe.

You seem to have a very poor understanding of quality procedures. It is never good enough to say something is safe. You have to demonstrate that it is safe.

As the guy who's been going on and on about mathematically proving things, that's just insulting. No, Boeing could not have done that without giving up the 737 type rating. That's been made abundantly clear in the JATR report as well. It's only NOW that the FAA and EASA will allow it, if they even do. If it's forced to become a new type, that means full sim training as if it were a clean sheet. That's utterly ridiculous. The regulators made MCAS 2.0 impossible to grandfather and made the taller landing gear impossible to grandfather. The one was a multi-input, redundant, fault-tolerant system. You can read that one up for yourself; Leeham and others have covered it extensively. The other breaks the lack of evacuation slides, which was also a strictly grandfathered requirement of the 737 type. It's not like Boeing kept that for kicks. Ground equipment is ridiculously cheap compared to pilot retraining. If they hadn't been forced to keep both, we wouldn't be here. It's a failure of regulators. If you applied the same safety-critical analysis to the regulation framework you'd realize how asinine it is.
 
User avatar
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 3:58 am

patrickjp93 wrote:
PixelFlight wrote:
patrickjp93 wrote:
I'm not underestimating it at all. When you have the skill and mental capacity to keep microarchitecture vulnerabilities in mind while writing robust Operating System code (I contribute to OpenBSD) and then integrating that with extremely performance-sensitive code on top of it for managing transactions securely in a fault-tolerant way, then you can talk to me about complexity. Everyone on this forum knew MCAS needed redundancy in the sensors and proper failure detection the moment they heard it ran off of one AoA. Designing a fault-tolerant, available, correct MCAS is trivial for any computer science graduate who knows how to write C/C++ code to handle a memory or bus interface. I didn't graduate from MIT but I tell you what any of the people I taught/tutored for High Performance Computing could have met everything the JATR committee recommended up front blindfolded.

No, the regulators are proven incompetent. Get them out of the picture. It's their own rigid framework and lack of sensible compromise that incentivized managers to shoehorn MCAS in to begin with. Grandfathering is too incomplete and insufficient a system. It needs room to allow iterative growth without breaking type rating, simple as that.

Take care of testosterone poisoning. The complexity of your project is still small compared to all that is required to safely fly thousands of civil commercial aircraft with passengers every day. The OpenBSD kernel is far from reaching safety-critical certification. I don't think you understand the JATR review about MCAS, especially the R6 chapter: it's all about regulatory compliance and the certification process.

No, I can assure you it isn't any less complex. Oh, and the kernel is certified for safety-critical use just as it's certified for PCI-DSS and it's certified for use in mainframes for financial transactions. It's far more robust and fault-tolerant than Linux. IBM's Z mainframes no longer run Linux either.

JATR's conclusions can be incorrect. I can mathematically prove you don't need a single regulation to build a safe product. It's not about the process or regulatory compliance. It's about good engineering. You can do rule-compliant work without ever reading the rules. I've done it many times. And in some cases the rules can be a hindrance to safety and good engineering. In this case the strictness around grandfathering was an impediment to good design rather than an enabler of good design.

Please show the safety certification of OpenBSD. Safety != Security.
Does it run on the radiation-tolerant lockstep processors used in flight computers? No.
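The quoted argument above turns on one technical point: a flight-control function fed by a single AoA sensor has no way to tell a failed vane from a real high angle of attack, whereas a multi-input design can cross-check its channels and refuse to act when they disagree. The block below is an added illustration of that cross-check pattern for this thread; it is not Boeing code, not taken from any certified system, and every limit in it (range, disagreement threshold, frozen-sample count, activation angle) is an assumed value chosen for the example. The key design choice it shows is that the inhibit latches: once a channel fault or disagreement is seen, the function stays off until an explicit reset rather than re-arming on the next plausible-looking sample.

```python
"""Dual-channel angle-of-attack (AoA) cross-check with a latched fail-safe inhibit.

Added illustration for this thread; it is not Boeing code and not taken from
any certified system. All limits below are assumptions chosen for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed limits (illustrative, not from any published design).
AOA_MIN_DEG = -20.0
AOA_MAX_DEG = 40.0
MAX_DISAGREE_DEG = 5.0      # inhibit when the two channels differ by more than this
FROZEN_SAMPLES = 4          # inhibit when a channel repeats the identical value this often
ACTIVATION_AOA_DEG = 14.0   # assumed AoA above which the hypothetical function would act


@dataclass
class Sample:
    """One reading from one AoA channel."""
    value_deg: float
    valid: bool = True      # validity bit from the sensor interface (assumed)


@dataclass
class Decision:
    """What the monitor hands to the control function each cycle."""
    aoa_deg: Optional[float]    # validated AoA, or None when inhibited
    inhibited: bool
    reason: Optional[str]


class DualChannelAoaMonitor:
    """Release a command-worthy AoA only when two independent channels agree.

    A single-channel fault (invalid flag, out-of-range or NaN value, frozen
    reading) or a left/right disagreement latches the inhibit. It stays latched
    until reset() so an intermittently plausible sensor cannot re-arm the function.
    """

    def __init__(self) -> None:
        self.inhibited = False
        self.reason: Optional[str] = None
        self._history: Dict[str, List[float]] = {"L": [], "R": []}

    def _channel_fault(self, name: str, s: Sample) -> Optional[str]:
        if not s.valid:
            return f"{name}: sensor reports invalid"
        # NaN fails both comparisons, so it is rejected here as well.
        if not (AOA_MIN_DEG <= s.value_deg <= AOA_MAX_DEG):
            return f"{name}: {s.value_deg} deg out of range"
        hist = self._history[name]
        hist.append(s.value_deg)
        del hist[:-FROZEN_SAMPLES]          # keep only the last FROZEN_SAMPLES readings
        if len(hist) == FROZEN_SAMPLES and len(set(hist)) == 1:
            return f"{name}: value frozen at {s.value_deg} deg"
        return None

    def _latch(self, reason: str) -> Decision:
        self.inhibited = True
        self.reason = reason
        return Decision(None, True, reason)

    def step(self, left: Sample, right: Sample) -> Decision:
        """Evaluate one cycle; returns the validated AoA or an inhibit decision."""
        if self.inhibited:
            return Decision(None, True, self.reason)
        for name, s in (("L", left), ("R", right)):
            fault = self._channel_fault(name, s)
            if fault:
                return self._latch(fault)
        if abs(left.value_deg - right.value_deg) > MAX_DISAGREE_DEG:
            return self._latch(f"L/R disagree: {left.value_deg} vs {right.value_deg} deg")
        return Decision((left.value_deg + right.value_deg) / 2.0, False, None)

    def reset(self) -> None:
        """Explicit crew/maintenance reset; never called automatically."""
        self.inhibited = False
        self.reason = None
        self._history = {"L": [], "R": []}


def run_scenario(pairs: List[Tuple[float, float]]) -> List[bool]:
    """Drive one monitor through (left, right) readings; True where the function may act."""
    mon = DualChannelAoaMonitor()
    allowed = []
    for left, right in pairs:
        d = mon.step(Sample(left), Sample(right))
        allowed.append(d.aoa_deg is not None and d.aoa_deg > ACTIVATION_AOA_DEG)
    return allowed


def single_channel_decisions(values: List[float]) -> List[bool]:
    """Contrast case: a design that trusts one channel acts on whatever it reports."""
    return [v > ACTIVATION_AOA_DEG for v in values]


# Constructed readings: the left vane jumps to a spurious high value while the
# right channel keeps reporting a normal climb-out AoA.
SINGLE_CHANNEL_RUNAWAY = [(4.0, 4.1), (4.2, 4.3), (22.0, 4.4), (22.5, 4.5), (23.0, 4.6)]

if __name__ == "__main__":
    print("dual-channel:  ", run_scenario(SINGLE_CHANNEL_RUNAWAY))
    print("single-channel:", single_channel_decisions([l for l, _ in SINGLE_CHANNEL_RUNAWAY]))
```

Running the module prints the two decision vectors for the constructed runaway: the dual-channel monitor never allows activation because the disagreement latches on the third cycle, while the single-channel contrast would have acted from that cycle onward. The frozen-value window is deliberately short here so the behaviour is visible in a handful of samples; a real monitor would use refresh counters from the bus protocol rather than comparing raw values, and would feed the latched reason to a crew alert.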
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 4:03 am

PixelFlight wrote:
patrickjp93 wrote:
PixelFlight wrote:
Take care of testosterone poisoning. The complexity of your project is still small compared to all that is required to safely fly thousands of civil commercial aircraft with passengers every day. The OpenBSD kernel is far from reaching safety-critical certification. I don't think you understand the JATR review about MCAS, especially the R6 chapter: it's all about regulatory compliance and the certification process.

No, I can assure you it isn't any less complex. Oh, and the kernel is certified for safety-critical use just as it's certified for PCI-DSS and it's certified for use in mainframes for financial transactions. It's far more robust and fault-tolerant than Linux. IBM's Z mainframes no longer run Linux either.

JATR's conclusions can be incorrect. I can mathematically prove you don't need a single regulation to build a safe product. It's not about the process or regulatory compliance. It's about good engineering. You can do rule-compliant work without ever reading the rules. I've done it many times. And in some cases the rules can be a hindrance to safety and good engineering. In this case the strictness around grandfathering was an impediment to good design rather than an enabler of good design.

Please show the safety certification of OpenBSD. Safety != Security.
Does it run on the radiation-tolerant lockstep processors used in flight computers? No.

It does in satellites, so the lack of it being applied in the field yet is nothing more than a red herring.
 
User avatar
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 4:06 am

patrickjp93 wrote:
PixelFlight wrote:
patrickjp93 wrote:
No, they weren't free to, as it breaks the type rating under the current rules, which then expands into much longer certification, then much more pilot training, and the business case collapses. That's the actual livelihood of the company at stake. The FAA's grandfathering system is an absolute disgrace of rigid academic bureaucrats who couldn't engineer their way into building an outhouse. If Boeing had had the flexibility you claim without there being vindictive consequences in exercising that freedom, we wouldn't be discussing this, simple as that. The rules are poorly made. That is an objective truth.

You have to understand all the aspects involved in safely flying a civil commercial aircraft. Pilots play a big role here and they need to understand how the system works to handle it in case of failure. If Boeing changes the flight control system, then the pilots need to be trained on the new system to ensure safety. It's not just a regulatory requirement, but vital knowledge for the pilot. Just see how the pilots' association reacted when they discovered that Boeing had hidden MCAS from them...

So make them aware of the system, make the disabling procedure easy, do a proper human factors test, and put in an hour of sim training if a simple differences manual on an iPad isn't enough. Good lord, would it kill you to actually evaluate and respond to the core of my arguments? Jesus Christ, I just said the flaw with grandfathering is that it isn't nearly robust enough to allow good iteration on designs that is sensible. MCAS properly implemented does not require days upon days of sim training per pilot. You know it. I know it, and every pilot worth his/her salt on this forum knows it.

OK, you are now maybe ready to understand that Boeing did not want any sim training for the 737 MAX, not because of the regulators, but because Boeing promised the operators that pilots flying the MAX would not require sim training time, and even agreed to pay $1M per aircraft in case that promise was broken. Really, it's not the regulator that enforced that impossible goal, but Boeing itself!
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 4:08 am

PixelFlight wrote:
patrickjp93 wrote:
PixelFlight wrote:
You have to understand all the aspects involved in safely flying a civil commercial aircraft. Pilots play a big role here and they need to understand how the system works to handle it in case of failure. If Boeing changes the flight control system, then the pilots need to be trained on the new system to ensure safety. It's not just a regulatory requirement, but vital knowledge for the pilot. Just see how the pilots' association reacted when they discovered that Boeing had hidden MCAS from them...

So make them aware of the system, make the disabling procedure easy, do a proper human factors test, and put in an hour of sim training if a simple differences manual on an iPad isn't enough. Good lord, would it kill you to actually evaluate and respond to the core of my arguments? Jesus Christ, I just said the flaw with grandfathering is that it isn't nearly robust enough to allow good iteration on designs that is sensible. MCAS properly implemented does not require days upon days of sim training per pilot. You know it. I know it, and every pilot worth his/her salt on this forum knows it.

OK, you are now maybe ready to understand that Boeing did not want any sim training for the 737 MAX, not because of the regulators, but because Boeing promised the operators that pilots flying the MAX would not require sim training time, and even agreed to pay $1M per aircraft in case that promise was broken. Really, it's not the regulator that enforced that impossible goal, but Boeing itself!

The goal WAS possible, if the FAA hadn't been incompetent rubes with shoddy regulatory frameworks. There's no scientifically/mathematically sound reason the 737 MAX shouldn't be grandfathered just because of a new redundant sensor system or because it gets tall enough to not need it.
 
User avatar
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 4:15 am

patrickjp93 wrote:
PixelFlight wrote:
patrickjp93 wrote:
I most certainly CAN and SHOULD blame the FAA for this as much as I blame Boeing. The regulations should have been robust enough to allow grandfathering with progressive improvement in meeting newer regulations as long as the handling didn't change. It's blatant stupidity that adding a redundant sensor-driven system to the 737 would break grandfathering, yet that's what Boeing ran into. If the FAA were competent that sort of lunacy wouldn't have ever passed into regulatory code.

Ask yourself if you would have been fine with the 737 MAX being grandfathered with a properly designed and implemented MCAS? Ask yourself if you would have been fine with raising the height of the landing gear, because that was another deal breaker on grandfathering since the 737 had always been short enough to not need slides for over-wing exits. If you would be happy with either of those, then guess what? The FAA's regulations were unduly rigid and are partly to blame for this. If you prevent safe designs from being possible, you're equally guilty when unsafe ones get put in your lap.

I disagree, the aircraft safety regulation is not as rigid as you think: the manufacturer is allowed to demonstrate a completely different approach than the existing regulated one as long as it demonstrates that this is safe. This is for example how Airbus certified the FBW neutral stability: at that time it was in contradiction with many aspects of the regulations (and still is on some points). Boeing could have done the same, but the schedule pressure was so high that they decided to keep the existing architecture instead of designing an appropriate one. Just see how much time it is taking them to do it right now...
It's exactly as rigid as I said, and Boeing could not simply redo the avionics architecture without causing it to be a completely new type and require full-blown top-to-tail sim training. You're halfway decent as a debater but that was an amateurish slip-up.

You are wrong on this. The training requirement is a simple table listing the differences from the previous model, and for each difference the level of training is evaluated. A proper MCAS design would probably have been a single line in that table, requiring a relatively small simulator training session.
Sorry, but I don't usually speak English.
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 4:20 am

PixelFlight wrote:
patrickjp93 wrote:
PixelFlight wrote:
I disagree, the aircraft safety regulation is not as rigid as you think: the manufacturer is allowed to demonstrate a completely different approach than the existing regulated one as long as it demonstrates that this is safe. This is for example how Airbus certified the FBW neutral stability: at that time it was in contradiction with many aspects of the regulations (and still is on some points). Boeing could have done the same, but the schedule pressure was so high that they decided to keep the existing architecture instead of designing an appropriate one. Just see how much time it is taking them to do it right now...
It's exactly as rigid as I said, and Boeing could not simply redo the avionics architecture without causing it to be a completely new type and require full-blown top-to-tail sim training. You're halfway decent as a debater but that was an amateurish slip-up.

You are wrong on this. The training requirement is a simple table listing the differences from the previous model, and for each difference the level of training is evaluated. A proper MCAS design would probably have been a single line in that table, requiring a relatively small simulator training session.
Sorry, but I don't usually speak English.

In this case that's not true, because the change in architecture would break grandfathering altogether. The 737 MAX would have been an all-new type. It's no longer about differences training at that point. It's the full gauntlet sim training as if it's a brand new pilot on a brand new plane. That was a requirement Boeing had. Surely the FAA could have worked together with Boeing to find a proper compromise solution where grandfathering rigidity was relaxed to allow either MCAS 2.0 or increased landing gear height without nullifying the common type rating.

I wish I'd known English was your 2nd or 3rd+ language. Your use of it is very good, but I'm sure some of your ideas aren't translating perfectly.
 
User avatar
PixelFlight
Posts: 958
Joined: Thu Nov 08, 2018 11:09 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 4:22 am

patrickjp93 wrote:
RickNRoll wrote:
patrickjp93 wrote:
No, I can assure you it isn't any less complex. Oh, and the kernel is certified for safety-critical use just as it's certified for PCI-DSS and it's certified for use in mainframes for financial transactions. It's far more robust and fault-tolerant than Linux. IBM's Z mainframes no longer run Linux either.

JATR's conclusions can be incorrect. I can mathematically prove you don't need a single regulation to build a safe product. It's not about the process or regulatory compliance. It's about good engineering. You can do rule-compliant work without ever reading the rules. I've done it many times. And in some cases the rules can be a hindrance to safety and good engineering. In this case the strictness around grandfathering was an impediment to good design rather than an enabler of good design.
Boeing could have implemented MCAS 2.0 as MCAS 1.0.


There was nothing stopping it from doing that. There was nothing stopping Boeing from redesigning the landing gear. Boeing was free to do whatever they wanted with the design. They just had to demonstrate that it was safe.

You seem to have a very poor understanding of quality procedures. It is never good enough to say something is safe. You have to demonstrate that it is safe
As the guy who's been going on and on about mathematically proving things, that's just insulting. No, Boeing could not have done that without giving up the 737 type rating. That's been made abundantly clear in the JATR report as well. It's only NOW that the FAA and EASA will allow it, if they even do. If it's forced to become a new type, that means full sim training as if it were a clean sheet. That's utterly ridiculous. The regulators made MCAS 2.0 impossible to grandfather and made the taller landing gear impossible to grandfather. The one was a multi-input, redundant, fault-tolerant system. You can read that one up for yourself; Leeham and others have covered it extensively. The other breaks the lack of evacuation slides, which was also a strictly grandfathered requirement of the 737 type. It's not like Boeing kept that for kicks. Ground equipment is ridiculously cheap compared to pilot retraining. If they hadn't been forced to keep both, we wouldn't be here. It's a failure of regulators. If you applied the same safety-critical analysis to the regulation framework you'd realize how asinine it is.

A new type rating doesn't imply "full sim training as if it were a clean sheet". Airbus successfully uses "Common Type Rating" to let pilots take the controls of the new aircraft by undergoing "differences training" only. And for sure, going from an A330 to an A350 is way more different than what Boeing tried to avoid between the 737 NG and a 737 MAX with redundant MCAS.
 
patrickjp93
Posts: 648
Joined: Thu Aug 22, 2019 12:00 pm

Re: Boeing 737MAX Grounding, General Discussion Thread, January 2020

Tue Jan 14, 2020 4:23 am

PixelFlight wrote:
patrickjp93 wrote:
RickNRoll wrote:
Boeing could have implemented MCAS 2.0 as MCAS 1.0.


There was nothing stopping it from doing that. There was nothing stopping Boeing from redesigning the landing gear. Boeing was free to do whatever they wanted with the design. They just had to demonstrate that it was safe.

You seem to have a very poor understanding of quality procedures. It is never good enough to say something is safe. You have to demonstrate that it is safe
As the guy who's been going on and on about mathematically proving things, that's just insulting. No, Boeing could not have done that without giving up the 737 type rating. That's been made abundantly clear in the JATR report as well. It's only NOW that the FAA and EASA will allow it, if they even do. If it's forced to become a new type, that means full sim training as if it were a clean sheet. That's utterly ridiculous. The regulators made MCAS 2.0 impossible to grandfather and made the taller landing gear impossible to grandfather. The one was a multi-input, redundant, fault-tolerant system. You can read that one up for yourself; Leeham and others have covered it extensively. The other breaks the lack of evacuation slides, which was also a strictly grandfathered requirement of the 737 type. It's not like Boeing kept that for kicks. Ground equipment is ridiculously cheap compared to pilot retraining. If they hadn't been forced to keep both, we wouldn't be here. It's a failure of regulators. If you applied the same safety-critical analysis to the regulation framework you'd realize how asinine it is.

A new type rating doesn't imply "full sim training as if it were a clean sheet". Airbus successfully uses "Common Type Rating" to let pilots take the controls of the new aircraft by undergoing "differences training" only. And for sure, going from an A330 to an A350 is way more different than what Boeing tried to avoid between the 737 NG and a 737 MAX with redundant MCAS.

That option wasn't on the table in the case of either modification. You're free to read the JATR report's findings on the motivations behind Boeing's actions.
