• Boeing 737Max, l’enchaînement des modifications marginales aboutit à une catastrophe (deux catastrophes ?) Sous la pression de la réduction des coûts, un bricolo dans le logiciel de contrôle de vol a été introduit et de ne pas en informer les pilotes (il aurait fallu les faire repasser au simulateur de vol pour les habiliter au nouveau système…)

    After a Lion Air 737 Max Crashed in October, Questions About the Plane Arose - The New York Times
    https://www.nytimes.com/2019/02/03/world/asia/lion-air-plane-crash-pilots.html


    Boeing’s 737 Max is the latest version of a plane that first went into service half a century ago.
    Credit : Matt Mcknight/Reuters

    But Boeing’s engineers had a problem. Because the new engines for the Max were larger than those on the older version, they needed to be mounted higher and farther forward on the wings to provide adequate ground clearance.

    Early analysis revealed that the bigger engines, mounted differently than on the previous version of the 737, would have a destabilizing effect on the airplane, especially at lower speeds during high-banked, tight-turn maneuvers, Mr. Ludtke said.

    The concern was that an increased risk of the nose being pushed up at low airspeeds could cause the plane to get closer to the angle at which it stalls, or loses lift, Mr. Ludtke said.

    After weighing many possibilities, Mr. Ludtke said, Boeing decided to add a new program — what engineers described as essentially some lines of code — to the aircraft’s existing flight control system to counter the destabilizing pitching forces from the new engines.

    That program was M.C.A.S.
    […]
    The F.A.A. would also determine what kind of training would be required for pilots on specific design changes to the Max compared with the previous version. Some changes would require training short of simulator time, such as computer-based instruction.

    I would think this is one of those systems that the pilots should know it’s onboard and when it’s activated,” said Chuck Horning, the department chairman for aviation maintenance science at Embry-Riddle Aeronautical University.

    That was not the choice that Boeing — or regulators — would make.

    The F.A.A. Sides With Boeing
    Ultimately, the F.A.A. determined that there were not enough differences between the 737 Max and the prior iteration to require pilots to go through simulator training.

    While the agency did require pilots to be given less onerous training or information on a variety of other changes between the two versions of the plane, M.C.A.S. was not among those items either.
    […]
    At least as far as pilots knew, M.C.A.S. did not exist, even though it would play a key role in controlling the plane under certain circumstances.

    Boeing did not hide the modified system. It was documented in maintenance manuals for the plane, and airlines were informed about it during detailed briefings on differences between the Max and earlier versions of the 737.

    But the F.A.A.’s determination that the system did not have to be flagged for pilots gave pause to some other regulators.

    Across the Atlantic, the European Aviation Safety Agency, the European Union’s equivalent of the F.A.A., had qualms, according to a pilot familiar with the European regulator’s certification process.

    At first, the agency was inclined to rule that M.C.A.S. needed to be included in the flight operations manual for the Max, which in turn would have required that pilots be made aware of the new system through a classroom or computer course, the pilot said. But ultimately, he said, the agency did not consider the issue important enough to hold its ground, and eventually it went along with Boeing and the F.A.A.

    • Après avoir tergiversé devant l’énormité de l’enjeu, la FAA a suspendu les vols et Boeing annonce cesser les livraisons. Deux par jour ! comme le dit l’article, il va falloir pousser les murs à Renton…

      Boeing gèle les livraisons des B 737 MAX : près de 2 avions par jour sont concernés !
      https://www.latribune.fr/entreprises-finance/industrie/aeronautique-defense/boeing-gele-les-livraisons-des-b-737-max-pres-de-2-avions-par-jour-sont-co


      Crédits : © POOL New / Reuters

      Boeing annoncé la suspension des livraisons de ses avions moyen-courriers 737 MAX, qui ont été interdits provisoirement de vol dans le monde après deux accidents récents d’appareils de ce type, l’un d’Ethiopian Airlines, l’autre de Lion Air. Mais l’avionneur continue la production en espérant implémenter la solution à ses problèmes une fois qu’elle sera validée.

      Ce jeudi, en début de soirée en France, au lendemain de l’immobilisation totale de la flotte de B 737 MAX qui a suivi l’accident d’Ethiopian Airlines le 10 mars dernier dans des circonstances similaires à celles observées lors du crash de Lion Air en octobre, Boeing a annoncé la suspension des livraisons de ses appareils moyen-courriers.

      « Nous suspendons la livraison des 737 MAX jusqu’à ce que nous trouvions une solution », a déclaré à l’AFP un porte-parole, ajoutant que l’avionneur américain poursuivait en revanche leur production en écartant l’éventualité de réduire les cadences.

      Il va falloir trouver de la place. Boeing construit 52 B737 MAX par mois, quasiment deux par jour.

      « Nous sommes en train d’évaluer nos capacités », c’est-à-dire de savoir où les avions sortis des chaînes d’assemblage vont être stockés, a-t-il admis.

      Boeing entend donc continuer à assembler les avions et introduire la solution à ses problèmes une fois que ces derniers auront été clairement identifiés et que la façon de les résoudre validée.

    • Ça ne s’arrange pas pour Boeing et la FAA qui a délégué une grande partie de la certification de la nouvelle version à …Boeing.

      Flawed analysis, failed oversight: How Boeing, FAA certified the suspect 737 MAX flight control system | The Seattle Times
      https://www.seattletimes.com/business/boeing-aerospace/failed-certification-faa-missed-safety-issues-in-the-737-max-system-im


      A worker is seen inside a Boeing 737 MAX 9 at the Renton plant. The circular sensor seen at bottom right measures the plane’s angle of attack, the angle between the airflow and the wing. This sensor on 737 MAX planes is under scrutiny as a possible cause of two recent fatal crashes.
      Mike Siegel / The Seattle Times

      Federal Aviation Administration managers pushed its engineers to delegate wide responsibility for assessing the safety of the 737 MAX to Boeing itself. But safety engineers familiar with the documents shared details that show the analysis included crucial flaws.

      As Boeing hustled in 2015 to catch up to Airbus and certify its new 737 MAX, Federal Aviation Administration (FAA) managers pushed the agency’s safety engineers to delegate safety assessments to Boeing itself, and to speedily approve the resulting analysis.

      But the original safety analysis that Boeing delivered to the FAA for a new flight control system on the MAX — a report used to certify the plane as safe to fly — had several crucial flaws.

      That flight control system, called MCAS (Maneuvering Characteristics Augmentation System), is now under scrutiny after two crashes of the jet in less than five months resulted in Wednesday’s FAA order to ground the plane.

      Current and former engineers directly involved with the evaluations or familiar with the document shared details of Boeing’s “System Safety Analysis” of MCAS, which The Seattle Times confirmed.

      The safety analysis:
      • Understated the power of the new flight control system, which was designed to swivel the horizontal tail to push the nose of the plane down to avert a stall. When the planes later entered service, MCAS was capable of moving the tail more than four times farther than was stated in the initial safety analysis document.
      • Failed to account for how the system could reset itself each time a pilot responded, thereby missing the potential impact of the system repeatedly pushing the airplane’s nose downward.
      • Assessed a failure of the system as one level below “catastrophic.” But even that “hazardous” danger level should have precluded activation of the system based on input from a single sensor — and yet that’s how it was designed.

      The people who spoke to The Seattle Times and shared details of the safety analysis all spoke on condition of anonymity to protect their jobs at the FAA and other aviation organizations.

      Both Boeing and the FAA were informed of the specifics of this story and were asked for responses 11 days ago, before the second crash of a 737 MAX last Sunday.
      […]
      Delegated to Boeing
      The FAA, citing lack of funding and resources, has over the years delegated increasing authority to Boeing to take on more of the work of certifying the safety of its own airplanes.

      Early on in certification of the 737 MAX, the FAA safety engineering team divided up the technical assessments that would be delegated to Boeing versus those they considered more critical and would be retained within the FAA.

      But several FAA technical experts said in interviews that as certification proceeded, managers prodded them to speed the process. Development of the MAX was lagging nine months behind the rival Airbus A320neo. Time was of the essence for Boeing.

      A former FAA safety engineer who was directly involved in certifying the MAX said that halfway through the certification process, “we were asked by management to re-evaluate what would be delegated. Management thought we had retained too much at the FAA.

      There was constant pressure to re-evaluate our initial decisions,” the former engineer said. “And even after we had reassessed it … there was continued discussion by management about delegating even more items down to the Boeing Company.

      Even the work that was retained, such as reviewing technical documents provided by Boeing, was sometimes curtailed.
      […]
      Inaccurate limit
      In this atmosphere, the System Safety Analysis on MCAS, just one piece of the mountain of documents needed for certification, was delegated to Boeing.

      The original Boeing document provided to the FAA included a description specifying a limit to how much the system could move the horizontal tail — a limit of 0.6 degrees, out of a physical maximum of just less than 5 degrees of nose-down movement.

      That limit was later increased after flight tests showed that a more powerful movement of the tail was required to avert a high-speed stall, when the plane is in danger of losing lift and spiraling down.
      […]
      After the Lion Air Flight 610 crash, Boeing for the first time provided to airlines details about MCAS. Boeing’s bulletin to the airlines stated that the limit of MCAS’s command was 2.5 degrees.

      That number was new to FAA engineers who had seen 0.6 degrees in the safety assessment.
      […]
      System failed on a single sensor
      The bottom line of Boeing’s System Safety Analysis with regard to MCAS was that, in normal flight, an activation of MCAS to the maximum assumed authority of 0.6 degrees was classified as only a “major failure,” meaning that it could cause physical distress to people on the plane, but not death.

      In the case of an extreme maneuver, specifically when the plane is in a banked descending spiral, an activation of MCAS was classified as a “hazardous failure,” meaning that it could cause serious or fatal injuries to a small number of passengers. That’s still one level below a “catastrophic failure,” which represents the loss of the plane with multiple fatalities.
      […]
      Boeing’s System Safety Analysis assessment that the MCAS failure would be “hazardous” troubles former flight controls engineer Lemme because the system is triggered by the reading from a single angle-of-attack sensor.

      A hazardous failure mode depending on a single sensor, I don’t think passes muster,” said Lemme.

      Like all 737s, the MAX actually has two of the sensors, one on each side of the fuselage near the cockpit. But the MCAS was designed to take a reading from only one of them.

      Lemme said Boeing could have designed the system to compare the readings from the two vanes, which would have indicated if one of them was way off.

      Alternatively, the system could have been designed to check that the angle-of-attack reading was accurate while the plane was taxiing on the ground before takeoff, when the angle of attack should read zero.

      They could have designed a two-channel system. Or they could have tested the value of angle of attack on the ground,” said Lemme. “I don’t know why they didn’t.

      The black box data provided in the preliminary investigation report shows that readings from the two sensors differed by some 20 degrees not only throughout the flight but also while the airplane taxied on the ground before takeoff.

      No training, no information
      After the Lion Air crash, 737 MAX pilots around the world were notified about the existence of MCAS and what to do if the system is triggered inappropriately.