Tuesday, 26 March 2019

The Ethiopian crash - Update - Curt Lewis

Boeing fix will prevent repeated activation of anti-stall system -sources

By Eric M. Johnson and Tim Hepher           


SEATTLE/LONDON, March 25 (Reuters) - A Boeing Co software fix for the grounded 737 MAX will prevent repeated operation of an anti-stall system at the centre of safety concerns and deactivate it altogether if two sensors disagree widely, two people familiar with pilot briefings said.

The anti-stall system - known as MCAS, or Maneuvering Characteristics Augmentation System - has been pinpointed by investigators probing October's fatal Lion Air crash and faces new scrutiny in the wake of another fatal accident in Ethiopia.

Those accidents, which killed nearly 350 people, triggered the worldwide grounding of Boeing's flagship 737 MAX aircraft and ignited a debate over the proper balance between man and machine in piloting the latest version of the 50-year-old 737.

The MAX has bigger engines, mounted further forward, which can force the plane's nose higher, threatening a stall. MCAS was designed to counter this but some experts say it overcompensated and the latest changes give some authority back to the pilot.

Airline briefings on the software upgrade, which is designed to address the situation faced by pilots of the doomed Lion Air jet last October, started on Saturday. 

Pilots have been told that the MCAS system - which forces the nose downwards to avoid a stall, or loss of lift - will only operate one time for each event rather than impose repeated corrections like those believed to have pushed the Lion Air jet into a dive, the two people familiar with the briefings said.

Additionally, MCAS will be disabled whenever two sensors that measure the 'angle of attack' - a parameter that determines how close a plane is to an aerodynamic stall - differ too much.

"Otherwise it would be garbage in, garbage out," a third person familiar with the briefings said.

This is a change from the previous set-up which only linked MCAS to one sensor at a time, ignoring the other, and which may have resulted in a single point of failure on Lion Air 610.

The pilot will be able to deduce that MCAS is no longer working in the background because the system will show a warning message labelled "AOA disagree", indicating the two sensors are producing values that differ by an excessive margin.

Previously the "AOA disagree" warning would not have halted the MCAS software because the system was designed to focus on either the left or right sensor, alternating between flights. It was oblivious to whether readings from the sensors were aligned.

Boeing said on Monday its software patch would incorporate more than one angle of attack input, limit trim commands and limit authority but gave few details.

"We've been working diligently and in close cooperation with the FAA on the software update. We are taking a comprehensive and careful approach to design, develop and test the software that will ultimately lead to certification," a statement said.

FAA APPROVAL NEEDED

The change sheds light on Boeing's previously reported decision to make the warning light a standard feature, since the change in flight control laws now makes it indispensable.

The third person said Boeing would need to give pilots in their training a full explanation of what the fix is and why it is being implemented. Both the software fix and the training have to be approved by the Federal Aviation Administration.

Other methods for holding the nose of the aircraft in the right position, known as manual or electric trim, are unchanged as is the ability to cut out the automated trim system altogether using a standard step-by-step checklist.

Boeing has previously said that existing crew procedures, which include using a pair of cut-out switches, would have addressed a condition known as a stabilizer trim runaway and by doing so, automatically deal with any problem with MCAS.

But it has faced criticism for designing a system that potentially out-runs the ability of pilots to recover by repeatedly forcing the nose down using hefty forces, as the pilots in the doomed Lion Air flight experienced.

(Reporting by Eric M. Johnson in Seattle, Tim Hepher in London, Allison Lampert in Montreal; Editing by Lisa Shumaker)

In Test of Boeing Jet, Pilots Had 40 Seconds to Fix Error


A 737 Max 8 at Boeing's plant in Renton, Wash. In simulations of a suspected problem in the crash of a Max 8 in Indonesia last fall, pilots had just moments to disengage a faulty system. Credit: Ruth Fremson/The New York Times

During flight simulations recreating the problems with the doomed Lion Air plane, pilots discovered that they had less than 40 seconds to override an automated system on Boeing's new jets and avert disaster.

The pilots tested a crisis situation similar to what investigators suspect went wrong in the Lion Air crash in Indonesia last fall. In the tests, a single sensor failed, triggering software designed to help prevent a stall.

Once that happened, the pilots had just moments to disengage the system and avoid an unrecoverable nose dive of the Boeing 737 Max, according to two people involved in the testing in recent days. Although the investigations are continuing, the automated system, known as MCAS, is a focus of authorities trying to determine what went wrong in the Lion Air disaster in October and the Ethiopian Airlines crash of the same Boeing model this month.

The software, as originally designed and explained, left little room for error. Those involved in the testing hadn't fully understood just how powerful the system was until they flew the plane on a 737 Max simulator, according to the two people.

Compounding the flaws, pilots received limited training about the system before the first crash. During the final minutes, the captain of the Lion Air flight flipped through a technical manual trying to figure out what was happening.

In a tacit acknowledgment of the system's problems, Boeing is expected to propose a software update that would give pilots more control over the system and make it less likely to trigger erroneously, according to three people, who spoke on the condition of anonymity to describe the private meetings.

There are common procedures in place to counteract MCAS, as currently designed. If the system starts pushing the plane's nose down, pilots can reverse the movement via a switch at their thumb, a typical reaction in that situation. In doing so, they can potentially extend the 40-second window, giving them more time to avoid a crash.

To fully neutralize the system, pilots would need to flip two more switches. That would shut off the electricity to a motor that allows the system to push the plane toward the ground. Then the pilots would need to crank a wheel to correct whatever problems had emerged.

The pilots, in the simulations, followed such procedures to successfully shut off the system and land safely. But they did so with a far better understanding of how it worked and prior knowledge that it would be triggered - benefits that the pilots of the fatal 737 Max crashes did not have.

If pilots don't act hastily enough, attempts to disable the system can be too late. In the Lion Air crash, pilots used the thumb switch more than two dozen times to try to override the system. The system kept engaging nonetheless, most likely because of bad readings from a sensor, until the plane crashed into the Java Sea, killing all 189 people on board.

John Cox, an aviation safety consultant and a former 737 pilot, said pilots are highly likely to use the thumb switch to extend the 40-second window to several minutes. But that may still not be enough time to diagnose and solve the problem, especially if the pilots, like the Lion Air crew, were not informed of the system.

"There is a limited window to solve this problem, and this crew didn't even know that this system existed," he said.

A Boeing spokesman said that existing procedures for flying the 737 Max include how to respond to similar conditions. The spokesman added that Boeing had reinforced those procedures in a bulletin to pilots after the Lion Air crash.

"Our proposed software update incorporates additional limits and safeguards to the system and reduces crew workload," the spokesman said in a statement.

The new software system was designed to be a safety feature, operating in the background to help avoid a stall. Taking data from a sensor, the system would engage if the nose of the jet was too high. It would then push down the nose of the plane to keep it from stalling.

The planes flew in similar erratic patterns, suggesting to experts that an automated system might have malfunctioned on both flights.

In the current design, the system engages for 10 seconds at a time, with five-second pauses in between. Under conditions similar to the Lion Air flight, three engagements over just 40 seconds, including pauses, would send the plane into an unrecoverable dive, the two people involved in the testing said.

That conclusion agreed with a separate analysis by the American Airlines pilots' union, which examined available data about the system, said Michael Michaelis, the union's top safety official.

One of the people involved in the training said MCAS was surprisingly powerful once tested in the simulator. Another person found the system controllable because it was expected. Before the Lion Air crash, Boeing and regulators agreed that pilots didn't need to be alerted to the new system, and training was minimal.

At least some of the simulator flights happened on Saturday in Renton, Wash., where the 737 Max is built. Pilots from five airlines - American, United, Southwest, Copa and Fly Dubai - took turns testing how the Max would have responded with the software running as it was originally written, and with the updated version, known as 12.1.

In the simulations running the updated software, MCAS engaged, though less aggressively and persistently, and the pilots were also able to control the planes.

Boeing's software update would require the system to rely on two sensors, rather than just one, and would not be triggered if the sensors disagreed by a certain amount, according to the three people. Given that the 737 Max has had both sensors already, many pilots and safety officials have questioned why the system was designed to rely on a single sensor, creating, in effect, one point of failure.

The update would also limit the system to engaging just once in most cases. And it would prevent the system from pushing the plane's nose down more than a pilot could counteract by pulling up on the controls, the three people said.
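
The before-and-after activation logic described in this article, modelled as an added Python example (not Boeing's software and not part of either news report). The 10-second/5-second timing is from the text; the trigger and disagree thresholds, the sensor traces and the rule that an "event" ends when the angle drops are assumptions, and the limit on trim authority is not modelled.

```python
# Added illustration; not Boeing's code. Timings come from the article,
# both thresholds and the sensor traces are constructed assumptions.
ENGAGE_S, PAUSE_S = 10, 5      # article: 10 s engagements, 5 s pauses
TRIGGER_AOA_DEG = 15.0         # assumed activation threshold
DISAGREE_LIMIT_DEG = 5.0       # assumed "AOA disagree" threshold


def original_logic(samples, horizon_s=40):
    """Single-sensor design: re-engages while the active sensor reads high."""
    engagements, t = [], 0
    while t < horizon_s:
        active, _ignored = samples(t)      # second sensor is never consulted
        if active > TRIGGER_AOA_DEG:
            engagements.append((t, t + ENGAGE_S))
            t += ENGAGE_S + PAUSE_S
        else:
            t += 1
    return engagements


def updated_logic(samples, horizon_s=40):
    """Two-sensor design: inhibit on disagreement, engage once per event."""
    engagements, t, armed = [], 0, True
    while t < horizon_s:
        left, right = samples(t)
        if abs(left - right) > DISAGREE_LIMIT_DEG:
            return engagements, True       # latched off, "AOA disagree" shown
        high = min(left, right) > TRIGGER_AOA_DEG
        if high and armed:
            engagements.append((t, t + ENGAGE_S))
            armed = False                  # no repeat for this event
            t += ENGAGE_S
        else:
            armed = armed or not high      # assumed: event ends when AoA drops
            t += 1
    return engagements, False


def faulty_left(t):      # constructed: left vane stuck high, right healthy
    return 22.0, 4.0


def genuine_high(t):     # constructed: both vanes agree on a high angle
    return 18.0, 18.0


if __name__ == "__main__":
    print("original, faulty sensor:", original_logic(faulty_left))
    print("updated,  faulty sensor:", updated_logic(faulty_left))
    print("updated,  genuine event:", updated_logic(genuine_high))
```

With one bad sensor the single-input logic produces the three engagements in 40 seconds that the article describes, while the cross-checked logic produces none and raises the disagree flag.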

In conversations with pilots and airline officials over the weekend, Boeing executives didn't directly address why MCAS was designed with such flaws, one person with direct knowledge of the meetings said. Instead, the company stayed focused on the software update, the person said.

The software changes still require approval by the Federal Aviation Administration. Pilots' unions have said they are comfortable with the proposed changes but want to review them before making a decision. Pilots will be required to complete a training on the updated system on their iPads.
