As I see it there are several critical flaws in the MAX.
First, the engine placement means it has a non-linear control force curve, so it needs some system to compensate for that. Hence MCAS. This is because the landing gear can't be lengthened without expanding the gear bays, which would void the type certificate AFAICT.
Second, the larger size of the plane means that a single pilot cannot be guaranteed to be able to use the manual trim wheels in all flight modes. The force required is extreme; weaker pilots may not be capable of trimming the aircraft. This can't be fixed without changing the trim wheel size (which requires a new cockpit layout) and/or the horizontal stabilizer, both of which would void the type certificate.
Third, critical flight control systems need to be triple-redundant, and there are only two AOA sensors. Since the plane cannot be certified without MCAS (point 1) and MCAS can command a catastrophic failure (see two craters) it should be a triple-redundant system. A new AOA sensor would void the type certificate.
Canada stated that they would certify the MAX without MCAS and with required pilot training, if its performance characteristics were acceptable. Boeing has made no attempt (AFAICT) to try this, which raises suspicion that MCAS is in fact required for certification, which would make it a Fly-By-Wire system (and subject to appropriate regulations, requiring hardware changes) and not just a stability augmentation system. Essentially Canada called Boeing's bluff.
It's not the software that's the (only) issue. If it were, the plane would be flying by now.
> First, the engine placement means it has a non-linear control force curve, so it needs some system to compensate for that. Hence MCAS.
No. Boeing wanted it to share a type rating with the rest of the 737 family, hence MCAS. This plane would be perfectly safe to fly if it had no MCAS and required a new type rating. Consider the 767 which has a stronger pitch-up characteristic and operates just fine. This meme has been debunked several months ago but keeps getting repeated along with the more ignorant 'the plane is inherently unstable'.
> The force required is extreme, weaker pilots may not be capable of trimming the aircraft.
This is true in all planes. In certain conditions, aerodynamic loads exceed the pilot's or even the hydraulic system's ability to overcome. Pilots are trained for how to recover from these conditions and regain trim authority.
> Canada stated that they would certify the MAX without MCAS and with required pilot training, if its performance characteristics were acceptable. Boeing has made no attempt (AFAICT) to try this, which raises suspicion that MCAS is in fact required for certification
This claim contradicts your first claim, as the authority indicates they will accept the plane without MCAS. So clearly, MCAS is not critical to the safe operation of the plane in the eyes of this authority.
Without MCAS the MAX loses the 737 type rating and becomes a commercial failure. Of course Boeing isn't going to even humour that avenue of action except as a last resort.
> This plane would be perfectly safe to fly if it had no MCAS and required a new type rating.
GP didn't claim otherwise. GP claimed:
>> [...] so it needs some system to compensate for that.
And it does need that system - whether for safety is debatable, but it needs it for certification (not within the 737 family certification, but for certification full stop), because the FAA requires basically a linear control force curve.
>> weaker pilots may not be capable of trimming the aircraft.
> This is true in all planes.
Source? I'd assume, in fact, that in most planes that is not the case - superhuman strength is not required to trim.
> This claim contradicts your first claim, as the authority indicates they will accept the plane without MCAS. So clearly, MCAS is not critical to the safe operation of the plane in the eyes of this authority.
No, it doesn't. There are three possibilities:
1. Without MCAS, the plane is safe and certifiable, but not similar enough to be certified with the 737 family.
2. Without MCAS, the plane is reasonably safe, but not certifiable under the specific FAA rule requiring linear control forces (though possibly under more lenient, e.g. Canadian, rules).
3. Without MCAS, the plane is not safe and not certifiable.
I think 2 is the case. 1 has been debunked, and you argue that 3 is false, too.
You claim 1 is debunked but you’re replying to a quote from GP indicating Canada will accept the plane as per 1?
If you can back up the claim that 1 is debunked with a credible source, I suggest shorting Boeing stock because it means the 737 max is a complete failure, the line will likely be killed as it won’t be able to compete with the Neo, and stock price going to plummet through the floor.
> Without MCAS the MAX loses the 737 type rating and becomes a commercial failure.
Does it fail? I will grant you this: 1) A significant number of people would refuse to fly it. 2) Pilots would need to be trained to the new type. 3) There would have to be more simulators constructed to handle the training load, and the airlines would likely force Boeing to pay for that.
OTOH: All the 737 ground equipment and gates and so forth will work perfectly fine. It seems to me that with suitable discounts, it would sell through. Not an easy sale, certainly.
Good point. The airlines would certainly be less happy, but it's unclear that they'd be unhappy enough to make the plane unprofitable. I guess the question is whether it would make them all buy the A320neo instead.
> Pilots are trained for how to recover from these conditions and regain trim authority.
I agree with all of your corrections except this one. I've read that this yo-yo or rollercoaster maneuver was described in old 737 manuals decades ago, but then removed. It's not in the current manuals and I haven't heard anyone else claim that it was ever trained for by airline pilots, either back then or now.
I get the impression that Boeing decided some decades ago that needing to retrim without the motor and at extreme airspeeds and aerodynamic load was so unlikely that they didn't need to prepare pilots for it.
This would probably be true if they hadn't introduced a system that makes the stabilizer try to kill you, and then tied the off switch for that system to the off switch for the trim assist motor.
(A reason to be pedantic on this point is that it's important to know whether the lack of having performed this maneuver can be reasonably described as a pilot error, although in the MAX cases there probably wasn't enough altitude to perform it anyway at the speeds involved.)
If you're right and he's wrong, then MCAS is a non-critical system (augmentation, not fly-by-wire) and would require a mere software fix, which ought to have been completed by now.
MCAS is a critical system if it's present in its current form, and may very well require more than just a software fix (3rd alpha vane perhaps). At this point not a lot is publicly known about what Boeing is doing to remediate the issue and I don't want to engage in speculation.
But their ultimate fallback plan if all else fails, will be to remove MCAS and have this thing get its own type rating and dedicated pilots.
It hasn't because the Flight Computer represents a single point of failure in a system with a catastrophic consequence of failure. This is not allowed. If it's even possible in theory but unlikely, it doesn't matter, it has to be redesigned. That redesign alone is likely enough to violate the "little or no training required" that was the original intent of the redesign.
Note, these weren't "newly stringent" as if they've never been done before now. Worst case scenario bit flips by cosmic rays are textbook test cases in aerospace projects. That they weren't considered before then is a marked demonstration of lack of due diligence or follow-through in enumerating the fault tree.
> This meme has been debunked several months ago but keeps getting repeated along with the more ignorant 'the plane is inherently unstable'.
Yet, there has been no information released, at least publicly, as to the bare airframe flight characteristics (bare as in sans MCAS).
The reasons for the initial inclusion of the MCAS seem like they may have been related to the augmentation of the "touch and feel" of the flight controls, but we simply do not know at this point what the reasons were for the increase of its operating envelope and authority.
If you have a source for the debunking, I would appreciate it if you could share it. In the meantime, our best bet is to hope for one of the other CAAs to conduct said bare airframe tests.
I suspect that one must also consider that Boeing's PR department is busy coloring the narrative in a favourable way.
The FAA should review the natural (bare airframe) stalling characteristics of the B737 MAX to determine if unsafe characteristics exist. If unsafe characteristics exist, the design of the speed trim system (STS)/MCAS/elevator feel shift (EFS) should be reviewed for acceptability.
Observation O3.4-A: The original implementation of MCAS was driven primarily by its ability to provide the B737 MAX with FAA-compliant flight characteristics at high speed. An unaugmented design would have been at risk of not meeting 14 CFR part 25 maneuvering characteristics requirements due to aerodynamics.
Observation O3.4-B: Extension of MCAS to the low-speed and 1g environment during the flight program was due to unacceptable stall characteristics with STS only. The possibility of a pitch-up tendency during approach to stall was identified for the flaps-up configuration prior to the implementation of MCAS.
Finding F3.4-A: The acceptability of the natural stalling characteristics of the aircraft should form the basis for the design and certification of augmentation functions such as EFS and STS (including MCAS) that are used in support of meeting 14 CFR part 25, subpart B requirements.
In short, Boeing designed a full-authority flight envelope protection system, just like Airbus has. Except for the fact that Airbus uses a full triplex system (3 ADIRUs with their own set of sensors), while Boeing went with a single source of data, treating the wetware on the seat as the pseudo duplex channel ("you are the backup", while neglecting to inform them of their role, or their potential physical inability to accomplish this, nor providing accurate force feedback in sims). Now they are trying to sell us a duplex/pseudo-triplex model with the consolation that while the beast still has half a brain (pun intended), it is at least more tame. All this while simply neglecting to tell us, the pilots and the flying public, exactly why it was needed in the first place. See O3.4-B above.
With all those changes listed, you are basically saying that if it was a different plane, the software would not be a problem (which in turn is an issue because we don’t really know whether that would be true or not, since Boeing seems to have institutional problems).
The issue is that the plane was changed only enough to avoid a cert issue, but to keep the plane flyable, software had to be implemented to keep the pilots and the plane in check.
So, the plane needs to be either redesigned or it won’t certify. You are correct in that Canada called Boeing’s bluff. But the software is the issue or the plane would not be flying anyways because it wouldn’t certify.
As the 737 MAX saga unfolds, I've been wondering just why options to modify the landing gear (say: telescoping legs, or placement, or both) are such anathema.
Clearly, moving engine pods alone is not without its risks.
Ground handling equipment for most of the 737 operators is designed around the low clearance. So if they were to make it sit higher, operators would have to remove a significant amount of equipment.
Watch the video from your link. The landing gear only extends on rotation. When it's on the ground the 737 MAX 10 sits at the same height as every other 737 MAX.
Laziness. This is absolutely a "fuck it, we'll fix it in software" problem. I don't think it would necessarily invalidate the type certificate to change the legs but Boeing has gotten away with doing the bare minimum of structural changes necessary to keep the 737 relevant. Adding fuselage tube sections is far easier than reworking the complex gear systems and moving everything out of the way to make the bays longer (737 has an equipment bay around the nose gear, mains have systems routed around them) so they will do just about anything to avoid that.
It's not laziness, it's cost to cost-sensitive customers who have a viable alternative with the Airbus A320 Neo. Boeing actually initially set out to make an entirely new plane. The airlines instead wanted a re-engined 737 to keep type certification so that they didn't have to retrain pilots and could keep new equipment purchases to a minimum.
It's not that Boeing would have been unwilling to build an entirely new plane, their CEO announced that as the plan in 2011, it's that operators would rather they didn't.
And, in retrospect, Boeing would have been WAY ahead financially, not to mention that hundreds of deaths would have been prevented, if they had just offered to subsidise the retraining if they bought the new plane...
In retrospect that may be true. But had MCAS not had just one really stupid flaw, they might have come out way ahead. The plane may have other flaws, even big ones, but could easily have gotten away with them if not for the crashes.
I don't really think that anecdote applies cleanly to this circumstance. Had Boeing stuck by their guns and given the customer a new plane despite them wanting a faster horse, what's to say airlines wouldn't choose to buy new airplanes from Airbus instead? If the only option to an airline is to switch planes and retrain pilots, then the relative cost of switching away from Boeing goes down.
Ford was selling a car in a class of its own, at a price range and volume that was unmatched in the rest of the automotive industry at the time. Boeing is not.
As the parent mentioned, that would make it a different plane, which would require the airlines to go through an expensive training process with their pilots. It seems Boeing initially preferred that but was talked out of it by airlines.
It would presumably be easier to just not have the rogue computer pulling on the control surface the other way? The trim wheel seems like a last ditch mechanism to deal with a malfunctioning hydraulic control system but that's not the problem with the MAX, rather the hydraulics are working fine but being told to do the wrong thing.
“In the course of the investigation, a new type of flight assistance system known as the Maneuvering Characteristics Augmentation System (MCAS) came to light. It was intended to bring the flight characteristics of the latest (and fourth) generation of Boeing's best-selling 737 airliner, the "MAX", in line with certification criteria. The issue that the system was designed to address was relatively mild. A little software routine was added to an existing computer to add nose-down trim in situations of higher angles of attack, to counteract the nose-up aerodynamic moment of the new, much larger, and forward-mounted engine nacelles.”
“Apparently the risk assessment for this system was not commensurate with its possible effects on aircraft behaviour and subsequently a very odd (to a safety engineer's eyes) system design was chosen, using a single non-redundant sensor input to initiate movement of the horizontal stabiliser, the largest and most powerful flight control surface. At extreme deflections, the effects of this flight control surface cannot be overcome by the primary flight controls (elevators) or the manual actuation of the trim system. In consequence, the aircraft enters an accelerated nose-down dive, which further increases the control forces required to overcome its effects.”
Right around 37:30 it shows how difficult it is to use the manual trim wheel to affect the plane's attitude.
One pilot has to move all focus to it, without touching the other controls.
It is still baffling to me how everything, from one sensor to a control system that can overwhelm the pilots with stick forces with no sanity checks in software, got through Boeing and then the FAA.
> One pilot has to move all focus to it, without touching the other controls.
And even that may not be enough.
It's quite plausibly physically impossible if the pilot happens to be less strong than this one, or if the aircraft's situation is worse than this simulator's.
In particular, the Ethiopian flight was in extreme overspeed (if I recall, past the max safe structural speed for the plane!), which increases all of these forces. I'm not sure whether that was being modeled by the simulator, or if the simulation's model of trim wheel force is a correct one.
There's certainly no guarantee that a pilot can produce the force required to relieve aerodynamic load on the stabilizer here. It's a purely mechanical system.
The borked AoA vane also meant the computer was not calculating airspeed correctly. They were in an Airspeed Unreliable situation, which warrants being generous with power based on the stage of flight.
Climb-out from Addis Ababa (a hot and high airport) means you've got precious little excess in terms of sacrificial power to begin with. The MAX 8 could only take off at all due to an unusually long runway as I recall.
Actually, in earlier flight manuals for the 737 there was a description of the so-called roller-coaster maneuver for exactly the case that the trim was so far off that it couldn't be operated manually any more. The maneuver consisted of pushing the yoke forward to take the pressure off the stabilizer, quickly trimming back, and then putting the nose up again. So it was documented that in certain conditions the forces could be too high for the pilots.
Think of it for a sec. Your plane tries to kill you by pointing the nose down. With all your force you are barely able to make it only lose altitude slowly.
Now, would you point your nose down knowing that you may not be able to point it back up again?
Well, the roller-coaster maneuver assumes you are high enough up that you can trade off some of your height for correcting the trim. Here is a link to the description: http://www.b737.org.uk/runawaystab.htm#rc
This obviously wouldn't work in cases like the Ethiopian, where the plane had very little height over ground due to the high mountains around the airport.
Edit: the point isn't that the maneuver would have prevented the accident, but that its existence in the flight manuals shows that it was known that the trim forces could be higher than what the pilots could apply to the trim wheels.
Yeah, and I think MCAS ended up fully deflecting the stabilizer on Ethiopian. Even with a somewhat more reasonable altitude, I wonder how long it takes to physically manually retrim from one end of the jackscrew to level flight. I think even the electric motor takes at least six seconds to do that.
From what I read the situation was made worse by the fact that they were flying a bit on the fast side even when they were not going down yet, increasing the load on the stabilizer.
A bit on the fast side is an understatement. They were at full takeoff power the entire time they were fighting the trim. They never reduced engine power, which would have reduced the forces on the stabilizer. An easy thing to miss certainly, and it was one of many factors that contributed to the crash:
A possible ameliorating factor: they had an IAS Disagree warning (unreliable airspeed) since takeoff, and it may be policy to keep airspeed up in that case -- not knowing your airspeed means that reducing it may cause a stall.
(Still, they could have asked ATC for a speed reading or used other measurements to convince themselves that it was safe to slow down.)
I'm not a pilot but I do sail some and the same maneuver is used. You know, sails also generate huge forces which might not be possible to physically counter. What you do is, if you want to trim and are courteous to your crew, you point your yacht upwind for a moment to let them trim and then get back on your course.
I also did a bit of sailing and remember it was also standard to steer a bit more upwind if the boat is listing too much. That is, if there isn't anything in the way, if you steer more upwind :p
> It's quite plausibly physically impossible if the pilot happens to be less strong than this one, or if the aircraft's situation is worse than this simulator's.
That simulation would have ended in a crash if they didn't abort it.
So the pilot's strength did not seem to matter and the situation was about as bad as it gets.
At least some simulators are capable of modelling those forces (I don't have any knowledge of the domain, but I would assume it's standard in "professional" simulators):
I think getting through Boeing was effectively the same as 'getting through' the FAA at this point though, since the FAA relied so heavily on Boeing in order to perform their stated duties.
The argument of Boeing for MCAS to be not "safety critical" is that there is a trim cut-out switch in every airplane, which is to be activated in case of a "trim runaway" to cut off all electricity to the trimming system, including MCAS. As this is a memory checklist, every pilot should be able to just switch off MCAS in case of a problem...
As mentioned in the talk, the problem is that reality differs, and the MCAS actions don't appear to the pilot like a normal trim runaway. Actually, the day before the Lion Air crash, the machine already had the same problem, but the pilots (as the story goes, due to the advice of a third pilot present) did activate the cut-out switch and solved the problem.
That still doesn't explain why Boeing didn't implement at least consistency checking with the other sensor. And of course, we know now how wrong Boeing was in their assumption.
Unfortunately the next day, the other crew did not do this. And on the Ethiopian Air flight, they did activate the cut-out switch, but way too late, and didn't regain control of the machine, as it was out of trim too far.
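The thread argues above that a function which can command the stabilizer needs a cross-check against the second AoA vane, or a proper triplex voter, rather than a single sensor. The following is an added illustration of that design difference, not code from this discussion and not Boeing's or anyone's flight software: all names, thresholds and sensor values are constructed for the example. It models three arrangements for the same augmentation function (single source, dual channel with a disagree check, triplex with mid-value voting) and feeds each the same constructed fault, one vane reporting a wildly high angle while the others read normally.

```python
from dataclasses import dataclass
from statistics import median
from typing import Dict, Optional, Sequence

# Constructed thresholds for the example (not values from the thread or any aircraft).
AOA_DISAGREE_DEG = 5.5    # channels further apart than this are treated as inconsistent
STALL_WARN_AOA_DEG = 15.0  # AoA above which the augmentation would start to act
MAX_AUTHORITY_DEG = 2.5    # nose-down trim increment the augmentation may command at once


@dataclass
class Decision:
    augment: bool             # may the augmentation act on this data?
    aoa_deg: Optional[float]  # AoA the function is allowed to use (None if inhibited)
    annunciation: str         # what the crew would be told


def single_source(aoa_left: float) -> Decision:
    """One vane, no cross-check: a bad sensor is indistinguishable from a real stall."""
    return Decision(True, aoa_left, "")


def dual_channel(aoa_left: float, aoa_right: float,
                 tolerance: float = AOA_DISAGREE_DEG) -> Decision:
    """Two vanes can detect a disagreement but cannot tell which one is wrong,
    so the only safe response is to inhibit the function and alert the crew."""
    if abs(aoa_left - aoa_right) > tolerance:
        return Decision(False, None, "AOA DISAGREE - augmentation inhibited")
    return Decision(True, (aoa_left + aoa_right) / 2, "")


def triplex_vote(readings: Sequence[float],
                 tolerance: float = AOA_DISAGREE_DEG) -> Decision:
    """Three vanes: mid-value select masks a single failed channel and keeps
    the function available; two disagreeing channels still inhibit it."""
    if len(readings) != 3:
        raise ValueError("triplex voter expects exactly three channels")
    mid = median(readings)
    outliers = [i for i, r in enumerate(readings) if abs(r - mid) > tolerance]
    if len(outliers) >= 2:
        return Decision(False, None, "AOA MULTIPLE DISAGREE - augmentation inhibited")
    note = f"AOA channel {outliers[0]} failed, masked by voter" if outliers else ""
    return Decision(True, mid, note)


def trim_command(decision: Decision) -> float:
    """Nose-down stabilizer trim (degrees) the augmentation would command.
    An inhibited function commands nothing; an active one is capped per activation."""
    if not decision.augment or decision.aoa_deg is None:
        return 0.0
    if decision.aoa_deg < STALL_WARN_AOA_DEG:
        return 0.0
    return MAX_AUTHORITY_DEG


def compare_designs(left: float, right: float, third: float) -> Dict[str, float]:
    """Run the same sensor picture through all three architectures and report
    how much nose-down trim each would command."""
    return {
        "single_source": trim_command(single_source(left)),
        "dual_channel": trim_command(dual_channel(left, right)),
        "triplex": trim_command(triplex_vote([left, right, third])),
    }


if __name__ == "__main__":
    # Constructed fault: the left vane is stuck at a huge value, the others are normal.
    for name, trim in compare_designs(74.5, 12.0, 12.3).items():
        print(f"{name:14s} commands {trim:.1f} deg nose-down trim")
```

Only the single-source arrangement acts on the bad vane; the dual-channel one refuses to act and says why, and the triplex one keeps working on the two agreeing channels. The design point is that a dual-channel system can only detect, while a triplex system can also tolerate, which is why the thread's posters keep returning to the sensor count.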
Correction on the Ethiopian flight: They activated the trim cutout, were able to regain most control, and then deactivated it, presumably to adjust the trim, tested that they had trim controls, and then something happened to distract them from trimming it correctly and then cutting it back out.
Had they left it cut out, they would have been able to keep it under control, had they adjusted the trim and then cut it out, they would have been in a decent position to come back and land. It will be interesting to see what the investigation finds about why it was cut back in and then left.
In previous models you could cut out the auto trim while still having electric trim on the yoke enabled. Sadly in the MAX Boeing decided to get rid of this feature which would have been pretty damn useful for these crews.
It's controls designed in the 60s grandfathered in for many decades because of common type ratings that simply don't make any sense anymore. More modern clean sheet plane designs do not have the issue of literally not being able to apply enough force to adjust the trim!
I think the mismatch may be that these are all-manual designs, and the 737 is much larger now than when it was first designed, plus the first design didn't have automated systems counteracting your inputs.
Boeing was looking to do a clean sheet design, the airlines wanted to keep the same type rating. The presentation mischaracterizes that bit of history, but that's what was going on. This follows what made the A320neo popular, Airbus took an older venerable design and re-engined it for higher efficiency.
The 777 got a similar upgrade that did include a new wing design.
Ultimately Boeing is looking to introduce an all-composites design that fills the 737 and 757 roles, but airlines' desires for crew commonality might push that back.
> This follows what made the A320neo popular, Airbus took a older venerable design and re-engined it for higher efficiency.
Though note the A320 is a newer design than the 737; the A320neo as a result didn't have the big problem of the 737 MAX: because its landing gear was always longer, because it was always designed for high-bypass turbofans, it could easily fit the larger engines under its wings without having to relocate the engine mounting.
The 737 MAX is a world away from the original 737 (hell, the shortest 737 MAX is 6.6m/23% longer than the original 737 design!), whereas the A320neo is much, much closer to the original design. The 737 MAX has ~80% parts commonality with the previous-generation 737 NG, let alone the original 737; the A320neo has 95% with its predecessor, which _is_ the original design.
B-17 cockpit pictures aren't showing me the same resemblance with the big trim wheels you see in the 707, 727, 737, etc. I do see them in the KC-135, Dehavilland Comet, etc.
There's a very obvious shared design between the 707 and 737 cockpit that goes beyond anything you could attribute to general cockpit design.
Sure. This all rolls up to me saying that the design of the 737 might have dated back further than the 1960's. I feel like the 707 is evidence that it dates back to the 1950's. It shares more in common with the 737 than just the trim wheels. That was just an obvious call out since there's an MCAS tie in there. For example, the 707, 727, 737, and 757 all have the same fuselage circumference.
As I recall, the 707-727-737 are a direct evolutionary line serving the same niche, and the 757 was intended as a 'stretch 727', so yeah, I think you're right.
Similarly, when I consulted with one of the major airlines (although not in flight operations) I was told that many of the physical specifications of airplanes were driven/limited by airport gates. That is, wingspans, fuselage curvature, door height, etc. need to be within certain ranges so that it could use existing gates unmodified. This was one of the biggest issues with adoption of the Airbus A380...airports had to build new gates just to support them. I understand that is an issue with the 737-MAX: to place the much larger engines in a place that wouldn't screw up the balance (e.g. under the wings instead of out in front of them) would make the plane inconveniently high off the ground.
707, 727, and 737 all share the same “41 section”. The 757 and 767 also share a common 41 section but don’t have any commonality with the earlier models. The latter two were designed at the same time, with Boeing using some risk management strategies: They used “new fangled computers” to aid in the design of the 57 wing, and the old way for the 67. The 57 wing turned out much better than predicted.
Maybe expound on this a little? Considering the 757 was (am I wrong?) a medium body short/medium haul airframe, and the 767 was a wide body medium/long haul, how are they all related?
The 757 and 767 were designed at the same time and have a common type rating. It’s not unusual at an airline that has both aircraft for a pilot to be flying a 757 one day and a 767 the next.
Did you actually run the numbers? The 737 MAX statistics are abysmal [1]. It stands at 3.08 crashes per million flights, compared to 0.06 for the 737 NG. It's two orders of magnitude worse. Are cars really two orders of magnitude more dangerous than planes?
As another commenter stated, you can mince statistics any way you want to paint any picture you want.
Only two 737 MAX have ever crashed (both outside of the US), so the 3.08 figure is an extrapolation, not necessarily reality. After the software update it might have gone another 500K flights (or more) without a crash, leaving the figure at 2.0 (or smaller).
Let's say you need to travel from NYC to San Diego.
Let's assume a car death rate of 1.25 deaths per 100 million vehicle miles (a figure that popped up in Google). But that includes motorcycles and pedestrians, so let's play it safe and call it 1 death per 100 million miles.
By now we are comparing apples (chance of death by trip) to oranges (chance of death per mile traveled) but let's press on.
Distance from NYC to San Diego is 2,800 miles. So your chance of dying en route to San Diego is about 1 * 2,800 / 100,000,000 or ~30 in a million chance if using a car. Whereas with the MAX it is ~3 in a million (if you take a direct flight), or an order of magnitude more safe.
Statistically, you’re more likely to choke and asphyxiate on your dinner than to die in a plane crash.
That doesn’t make a defective flight system a greater or lesser problem. It’s irrelevant.
Aggregate data is tough to interpret anyway for a cross country trip. Traffic deaths per 100M miles vary from 1.83 (South Carolina) to 0.54 (Massachusetts). Also, motor vehicle aggregate numbers include all trips — if you compare common carriers, busses and rail are dramatically safer than private cars.
> That doesn’t make a defective flight system a greater or lesser problem. It’s irrelevant.
Oh, I totally agree. I was just trying to put into perspective the fact that even defective flight systems are incredibly safe and that our fear of flying is often irrational...
Indeed I looked into it a little bit more and found that planes are about three orders of magnitude safer than cars [1] (fatality per miles traveled). So even assuming that the MAX is two orders of magnitude less safe than the 737 NG (based on limited data), it would still be an order of magnitude safer than traveling by car.
[1] I found 11 fatalities per trillion miles for planes, and 12.5 fatalities per billion miles for cars (in the US).
But how does travel per million miles make sense? Nobody decides to fly from Singapore to Sydney or drive. It's just not comparable.
It's hard to find a good statistic that would make modes of transport comparable. But if I'd pick one I'd pick time spent (are 10 hours on a plane more or less safe than 10 hours in a car)
Just considering safety, per trip is what I personally care about - the total odds I will die going by plane or by car. Often, this means flying through a hub which we would not visit by car so the numbers would be really hard :-/
Airplanes are faster than cars, and the average trip is longer. So, even if the pax fatality rate per distance is much better for aircraft (a factor of 200 to 1000, say), the fatality rate per trip is not that much better (a factor of 2 to 10, say).
Some more notes:
- That is for part 121 aviation (airlines). General aviation fatality rates are much worse (you're 15 times more likely to die in a small plane than in a car for the same distance, and 250 times more per trip...)
- An airliner also carries many more pax. The above numbers are per pax; if you base it per vehicle, then a plane is only about 5 times safer than a car for a given distance, and about 20 times more likely to crash than a car per trip.
- About 4% or so of all B747 or A300 ever built have been complete hull losses. (Newer planes are safer, presumably, but also haven't been around that long, so the statistics are not entirely trivial to compare.)
I find the whole "most accidents happen within X miles of home" argument so tired. That's like saying "most electrons are found within the vicinity of their nuclei."
I'd be more interested in knowing where FATAL accidents occur, on the suspicion that most people do not live on highways and local streets are traveled at lower speeds.
This is odd: that table suggests the MAX has flown 600k flights, but https://randy.newairplane.com/2018/05/22/737-max-a-year-of-s... suggests the MAX had only flown 41k total flights six months before the first crash. Adding >500k flights before the grounding seems implausible.
That article was published exactly one year after the introduction. At the time, about a third of all aircraft delivered to date had been delivered, and there's some lag from delivery to first revenue flight, so it's plausible that fewer than 100 had been in revenue service.
So, with all the lag in getting the aircraft into service, it's plausible that in the next 10 months the type could rack up 500,000 flights, since that's just a little more than 4 flights a day per aircraft on average.
So if airlines were forced to print the stats, and your ticket for a MAX said "100x more likely to crash than a 737 Classic", would you choose the MAX because of some car, bathroom or lightning statistics?
My point is that American pilots probably have an intrinsic advantage flying American-made planes over foreign pilots (it's the "white privilege" of the aviation world). It's hard to measure, but it's likely there in the form of pilot social circles.
I doubt it's the fact that they're American flying American planes as egregious accidents happen even in those sorts of scenarios (cf. Air France 447, French pilots, French plane, French carrier).
There's the NY Times Magazine article that reminded everyone of the word 'airmanship' [1] although it wasn't terribly well-received [2], [3] by some other pilots.
If you don't want to read all those, basically pilots in richer countries might be more likely to also be private pilots and more familiar with how an aircraft 'feels' that translates to a better sense of what's happening in larger aircraft. Combine a lack of that in poorer countries with the dumpster fire of Boeing's choices, crap replacement parts, and 'limited' training regimens and you have a fatal error chain forged.
The criticisms focus on the idea that heroic pilots who could recognize and avoid the situation probably aren't the norm. Further, there's often prejudice against pilots from developing countries even when they are competent; neither of these excuse the systemic failure and getting to the conclusion of "but for the pilots the crashes wouldn't have happened" is somewhere between insulting and reductive.
Did you read about Boeing and airlines trying to cut more of the pilots' training costs? With the FAA in Boeing's pockets (if these accidents had not happened) you would probably get less simulator training and more VR, tablet apps and software hacks to make even more money for the rich.
Edit: To be clear, while this was 10 years ago and no one died, this incident seems to me to be a bit worse than the issues with the 737 MAX in that with the A330, there is no shutting off the systems that caused this issue, as they are part of the flight controls. Fortunately the causes were investigated and, while the exact cause of the issue was not identified, the computer systems were updated to deal with the fault scenarios identified in the investigation.
That one was a case of electronic gremlins in one particular plane together with a quite particular edge case in the software, based on reasonable assumptions.
> So why fly on a 737MAX when any other plane out there is safer?
Well no one can fly one right now as they are all grounded. However, once they get approval for a fix from all countries, the airplanes get updated with said fix, and the pilots get whatever training required for the fix and thus can start flying again, why not fly them? Presumably, that failure type should never happen again and its record seems fine outside of this 1 problem.
>However, once they get approval for a fix from all countries
That's a big assumption. The planes are already unmanageable, even if MCAS is fixed: human pilots aren't strong enough to turn the trim wheels manually in an emergency.
>and the pilots get whatever training required for the fix
I don't see how this is possible without forcing pilots to get a totally different type rating for this aircraft. That's the whole reason they put MCAS in there in the first place: to avoid a different type rating, which would require an expensive add-on certification.
> The planes are already unmanageable, even if MCAS is fixed: human pilots aren't strong enough to turn the trim wheels manually in an emergency.
Operation of the trim wheel and the forces acting on it are the same as the 737 NG. If this worries you, you shouldn't take any 737.
The wheel in that video can not be turned manually because of the aerodynamic forces acting on it. Pilots are trained extensively to recognize a runaway trim condition and stop it before it gets to that point. At lower angles a roller coaster maneuver can be used to turn the trim manually.
The MCAS was definitely poorly designed but everyone is downplaying the poor pilot response and maintenance issues involved with the crash. Lion Air pilots flew a plane with a stall warning going on for a full hour instead of landing ASAP. Then when the plane got to the ground, the company saw it fit to fill it up with people again and fly it with a critical system malfunctioning due to unknown causes.
They dodged responsibility because boeing had a serious design issue but their behavior was criminal, even more so than boeing. I wouldn't fly any lion air plane.
Boeing’s own testing assumed pilots respond to runaway trim situation within 4 seconds [0]. Beyond that, the MCAS will have put the plane in an aerodynamic position where the pilot forces required to manually stabilise are too great. 4 seconds is not a lot of time. The Ethiopian pilots were aware of the need to disengage the powered trim and use manual control. They just couldn’t force the controls enough given the position the plane was in. The 737MAX is a death trap. It won’t fly again without significant redesign.
On the other hand, the AOA sensor on the Ethiopian Airlines plane failed at takeoff, likely due to birdstrike. Birdstrike isn't supposed to crash an aircraft.
The speaker talks about trim wheel behaviour. Pilots train for runaway stabilizer trim, but that's continuous movement of the trim wheel; faulty MCAS looks much like regular speed trim. Also, activating electric trim activates another round of MCAS. Obviously you shouldn't take Lion Air, but after this talk Boeing doesn't look safe now either.
Broadly speaking, I agree with you. I was responding to the hysteria about the trim wheel in this thread. I'm getting the impression that some users think the trim wheel, or its behavior under extreme aerodynamic conditions, is a "new" design flaw unique to the 737 MAX when in fact almost every airliner in existence has a trim wheel that behaves like that.
The exception being modern fly-by-wire planes that simply don't have an option of manual override.
> The speaker talks about trim wheel behaviour. Pilots train for runaway stabilizer trim, but that's continuous movement of the trim wheel; faulty MCAS looks much like regular speed trim
Empirically, the Lion Air plane exhibited the same MCAS behavior on its last (successful) flight. So it's at least possible for pilots to recognize it as a runaway trim and act accordingly.
> Obviously you shouldn't take Lion Air, but after this talk Boeing doesn't look safe now either.
After reading the Lion Air report my conclusion is that the MCAS was poorly designed but it's also an easily fixed problem on an otherwise safe design and there's so much focus on boeing that they will take action and fix it. Meanwhile nobody cares about Lion Air and if they keep flying broken airplanes eventually they're going to kill more people, with or without MCAS.
Note the penultimate Lion Air flight had a third-pilot dead-heading in the cockpit. Not a regular luxury.
Also, the AoA-vane was replaced with a faulty part, and never retested after install if I recall correctly. A procedure complicated by the fact the plane would have had to have been started, shutdown, then restarted since the Flight Computer switches from side-to-side each flight.
So a maintenance tech may have accidentally tested the wrong computer assuming the documentation wasn't up to snuff. Can't say as I've seen that part of the documentation myself; but considering they left MCAS out of the pilot docs, I somehow doubt that it was greatly elaborated on in the maintenance docs as well.
I think that 3rd pilot was key not just because of an extra person; IIRC, he had a vantage point the pilots didn't have, and saw what was going on with the trim wheels.
The 737 should have been retired decades ago. It's an utterly primitive aircraft, and its cockpit hasn't changed significantly since the 1960s. Newer Boeing aircraft don't have those trim wheels at all. Even the old DC-9 didn't have them.
Yes, the plane might require expensive training and expensive modifications. It may even have to get completely scrapped if the changes are deemed uneconomical to deploy.
With all the different government agencies that are going to be manually inspecting the updated plane themselves, the MCAS problem is going to be put under a microscope by dozens of different countries, and if they do approve it and deploy it, then I am going to take their word for it as having mitigated the MCAS problem and won't care about stepping on a 737 MAX, as its track record outside of this 1 problem is fine.
If it does not get approved or deployed, then who cares because you won't even have the option to fly it as it will stay grounded. Regardless of what happens, checking what plane I will be flying on will not impact my decision when choosing flights.
What if it does get approved, but only by some countries? So, for instance, suppose the US approves it, but China and the EU don't? Then, it probably won't stay grounded, because this plane is usually used for shorter-distance travel. Southwest Airlines, for instance, exclusively uses 737-type aircraft, and all their travel is domestic US, so an EU ban wouldn't affect them at all.
I for one wouldn't feel too confident about the FAA approving this plane with the EU regulators refusing to, considering what a criminally negligent job the FAA did in approving it in the first place.
> I don’t know the same about my car, which is why I’ll take it over a Max any day
"ignorance is bliss"
If you knew how much software went into a car vs. an airplane, you might think twice. Airplanes seem more complicated than cars, but software-wise they are much simpler. Cars have millions upon millions more SLOC than airplanes. You think MCAS is bad, how about cars that have sudden loss of steering, emergency brakes that mysteriously engage, or a throttle that can't be disengaged?
Serious design flaws in airplanes are these big dramatic events. Serious design flaws in cars pop up in the news every day, and we just ignore them [1][2].
Software flaws in cars usually aren't fatal. If your car has a failure, you just pull over on the side of the road. You can't do that in an airplane.
>how about cars that have sudden loss of steering
Citation needed. I've never heard of a car having this problem, and it's generally impossible because there's a mechanical link between the steering wheel and the front wheels.
>or a throttle that can't be disengaged?
Citation needed. I've never heard of this happening where it's been proven to be real and not a publicity stunt. All the problems with "unintended acceleration", including on Toyotas a while back, have been shown to either be people using aftermarket carpet mats, or even people faking it. What's more, turning off the car in an emergency is not hard, even in push-button-start cars. Now of course, we can blame some wrecks from faulty systems on poor driver training, drivers who just aren't very good, drivers who can't handle an emergency, etc. This simply does not apply in an airplane: pilots go through a LOT of training to get that job, so if they crash anyway, that points to an unforgivable mistake in engineering or manufacturing.
> Citation needed. I've never heard of a car having this problem, and it's generally impossible because there's a mechanical link between the steering wheel and the front wheels.
That's not a loss of steering, that's a loss of power assist. You can still steer a vehicle just fine without power assist; you only need the assist at very low speeds.
I've driven a car with intermittent failure of power steering; it's not impossible, and at higher speed the wheels provide stabilization on their own already.
And it's actually comparable to the _intended_ failure mode of a 737 Max. If the system fails you can't let the computer control the trim, so there are manual trim wheels provided and you switch off electronic trim. Like the steering wheel of a large modern car, these wheels are mechanically connected to the thing you want to change but if you're feeble like me you'll struggle to even move them which is why the computer was in the loop.
As I understand it large trucks existed prior to power-assist, they just hired big strong chaps who could wrestle the steering.
We probably don't want (and Boeing doesn't want) to make 737 Max certification have a "Physical strength check" where you need to exert so-and-so much turning force for so-and-so many seconds or you can't fly their plane. So probably trim wheels need a re-think, whether that happens as part of the 737 Max work, its immediate aftermath or not for years because this incident scares manufacturers away from changing anything about trim.
Seismic shifts in safety considerations do happen, we haven't seen the last of them. And they aren't always ultimately for the better. Titanic had a few effects, many of them really good, but one notable one is that it pushed the narrative that you need to provide and test a LOT of lifeboats on an ocean liner. Titanic, as you can probably all recite, did not have enough lifeboats. But in practice lifeboats are very much a last resort for an ocean liner captain. You've got a whole lot of civilians who are incompetent at sea at the best of times, probably panicking and now you're trying to successfully get them into smaller boats under supervision of a relatively smaller number of crew. Some of them are likely to be injured or even die. A ship's master would prefer _anything_ over putting passengers into lifeboats, except them all drowning. Almost always the sensible course of action, taken by the ship's master, will be to take the still working ship to any port and unload the passengers. Yes even if the ship is somewhat on fire, or has grave engine problems, almost anything except actually sinking right now.
Meanwhile just owning the lifeboats means your crew have to keep testing them and servicing them, each time also has a chance of injury or death as crew fall into the water, boats fall on the crew, and so on. So owning a suite of lifeboats for your ocean liner (which you weren't planning to crash into an iceberg at any time) is probably a net negative in terms of injuries and deaths.
>We probably don't want (and Boeing doesn't want) to make 737 Max certification have a "Physical strength check"
Actually, I think they absolutely should. And then it should be made illegal to have a plane that has any such requirements, so these planes should be deemed unairworthy, and Boeing should be forced to scrap them. Either that, or female pilots should be able to claim discrimination, and every female or otherwise not-strong-enough pilot should get a free lifelong chief pilot salary as part of the settlement.
Basically, this plane should never have been built. It's a 1960s design, and because of crappy regulations that allowed this, Boeing kept making this 1960s tech because it was "grandfathered". Newly-built planes should not be allowed just because they were OK 50 years ago, when they aren't good enough according to modern standards.
I'm guessing you meant "bigger"? Otherwise I don't know what a bogger trim is. The wheels already have servo motors, but understandably the cut-out cuts those out also.
> Software flaws in cars usually aren't fatal. If your car has a failure, you just pull over on the side of the road. You can't do that in an airplane.
Many modern cars have computer control of brakes, accelerator and even steering, so a software flaw could stop you in the opposing lane just as you start to pass a car, or accelerate and steer you into a bridge pillar (and since that car was already steering the car before that, the driver may not be able to react in time)
> mechanical link between the steering wheel and the front wheels.
Steer by wire is becoming much more common. It’s already in luxury cars and, like most features, will probably eventually trickle into economy car designs
You’re right. I was conflating electrically powered steering with steer by wire. In either case, EPS relies on software to determine the amount of force/torque rather than hydraulic/mechanical means.
I did see one source indicating a roughly 25% increase in steer by wire by 2026, but it’s behind a paywall so I’m not sure how good that source is. According to a Tesla forum, there’s still a mandate for mechanical linkage
EPS has been used in economy cars for years now; most cars on the market now probably have it. The few laggards that don't have EHPS (electro-hydraulic PS), where software runs a pump that pressurizes the hydraulic system.
EPS has been on production cars now since the 1990s, and I've never heard of any software problems with those at all. In fact, it's probably been more reliable than hydraulic systems since it doesn't have so many moving parts, just an electric motor, and no hydraulic fluid to leak or get contaminated (due to not being replaced on time, a common thing for people to skip on maintenance).
Steer-by-wire is a no-go for now, because it's illegal to not have a mechanical linkage. That might eventually change when we get driverless cars, but there's no sign that those are coming nearly as quickly as many people used to think; there's just too many problems with them.
There’s been some issues related to recalls on EPS. An excerpt below is from a 2015 GM truck recall:
“Recalled products do not contain the updated software that mitigates the effect of the condition. When the system voltage drops below 8.8 volts for more than 1 second — e.g., during low-speed turns — EPS assist is disabled”
Honda has had similar recalls.
I don’t know if that can be used to claim software caused the initial hazard but does indicate software is used to mitigate safety issues with the implication that software failures can lead directly to hazards
This doesn't sound like a big deal. Electronics normally can't function when system voltage is too low, and that can happen in a car if the battery is weak and the alternator isn't producing enough power (e.g., at very low speeds and with a high electrical load, such as making a sharp turn in a parking lot with a nearly-dead battery).
This isn't very different from old hydraulic-assist cars that also had the assist die or be too low when there was some problem (fluid too low, pump failure, belt failure, etc.). Was it ever a big problem? No, not really. If your power steering fails in a parking lot, it's a pain, but you're already barely moving, so you just stop. At worst, you might have a minor fender-bender.
I don't see how this is a software problem; this is an electrical problem. The only software issue here is the decision to shut down the EPS instead of bringing it back online when the system voltage goes high enough.
Personally, I'd say the fundamental problem here is actually the fact that cars still have 12V electrical systems, and batteries that are really meant for starting only, not for continuously supplying heavy electrical loads (like EPS). Carmakers should have gone to 42V or 48V systems ages ago.
To your point, the GM issue was involved in 30 accidents in a couple years but no fatalities. The problem is obviously not a failure in a parking lot, but at speed.
I don’t know the specifics of the system safety analysis, but if the software is used to mitigate a hazard, it’s usually considered safety critical. In this case, if it shuts the EPS off, or fails to bring it back online, it would significantly affect the vehicle handling dynamics. Again, I don’t know their classification scheme, but I would assume the steering is a safety critical system. Some reports claim the vehicle lost all handling control, but I’m a little skeptical of that claim.
In any event, I wouldn’t consider it no issue. Recalls cost a lot of money. In the GM case it affected 1MM cars. I didn’t look up the cost of each fix, but I wouldn’t be surprised if it cost nine figures. I doubt they would go forward with a recall of that magnitude for a trivial issue.
I could see the same rationalization for MCAS. The system safety analysis didn’t claim an MCAS failure was catastrophic and they already had a procedural mitigation in place if it did fail. It wouldn’t take much to convince someone that such a recall fix was no big deal. This is part of the problem with systems using safety critical software
>To your point, the GM issue was involved in 30 accidents in a couple years but no fatalities. The problem is obviously not a failure in a parking lot, but at speed.
I'm not familiar with the specifics of that case, but having a low system voltage is more likely at parking lot speeds because the alternator isn't turning very fast, whereas at speed the alternator should be generating enough power to run everything including EPS, but maybe they underspecced the alternator, so I can see it happening. Still, losing your power assist at speed is still dangerous of course, but it is recoverable, and it's nothing like having a critical system fail in an aircraft. Failures in cars are always safer than in aircraft, because you're already on the ground. This is why safe design is so important in aircraft: if something goes wrong in a car, it might result in a wreck of a few vehicles at worst (multiplied by the number of cars experiencing that failure), but many times tragedy is avoided because the driver just needs to steer away from traffic and avoid running into something too fast. In an aircraft, there's no such thing as a "fender bender"; crashes are usually fatal, and they usually carry dozens to hundreds of passengers.
>Recalls cost a lot of money. In the GM case it affected 1MM cars. I didn’t look up the cost of each fix, but I wouldn’t be surprised if it cost nine figures.
That seems high: you're assuming each car cost $1000 to fix there. That's a lot of money to fix one component; at that volume, the part probably cost well under $100 each, and as another poster noted, the dealer labor required was pretty small.
I completely agree that car failures are almost always less severe than aircraft. However, to play devil's advocate, pilots have much more stringent training requirements and that's a relevant point to the MAX situation. I hope I didn't come across that I was trying to equate the two in terms of criticality, just trying to point out a couple counter examples to statements about car software not being critical. The details of the Honda case seem even more critical than the GM one.
I was estimating at $100 per fix (since it's just the labor cost of software). At roughly $120 per labor hour multiplied by 1MM vehicles is where I came up with the nine figure mark. At $1k per fix, it would be in the 10 digits. Regardless, it was overshot and I corrected it with the details in a reply (since I couldn't edit the original). It only comes in at 0.5 hours per fix. Not chump change but the decision to fix it may also have been influenced by the Toyota accelerator and GM ignition recalls that got a lot of press.
There was a problem with GM ignition switches. The detent was too short and so it was possible for it to accidentally be switched to off. A bunch of people died as a result. Three problems. One, power steering and brakes no longer work. Two, the anti-theft device can lock the steering wheel. Three, the airbags are disabled. It's a classic systems interaction issue. And it is exactly the thing that shows up as the design process becomes Balkanized.
I remember that one; that was absolutely criminal because they were informed there was a problem, and refused to do a recall because it would cost money. Instead, they quietly changed the ignition switch to fix the design defect, but without changing the part number or informing anyone.
And, as you pointed out, it was a systems interaction problem. Losing power steering at speed isn't great, but it's recoverable (maybe less so if you're weak and you're driving some big stupid SUV, rather than a small economy car), and losing power brakes is also bad but recoverable because you have enough vacuum in the system to do a full stop (but only 1 usually), but tie them together, at speed, and also (worst of all) lock the steering wheel, and you have a recipe for disaster. This is far, far, far worse than losing your power steering assist at parking-lot speeds.
What you bring up in terms of cascading failures is termed the "swiss cheese model"[1]
This is the traditional way to deal with system hazards. What has been talked about is the need for changing the way we think about software failures on safety critical systems, distinct from traditional failure mode approaches.
"The result is that software-related accidents involve a new type of accident, which can be called a component interaction accident: None of the components fail (all satisfy their specified requirements) but the problems arise from dysfunctional interactions among the components."[2]
The Takata airbag issue wasn't ignored at all, it was a very serious safety issue. For defects of that magnitude there's the Department of Transportation, and there will be recalls to pull the faulty part out of circulation.
Catastrophic as in 300 people will not die due to the flaw, yes.
But one-off car fatalities that kill 1-3 people happen regularly and they add up. The self-driving variety pop up with the highest visibility, but if you go searching you'll find tons of accidents where brake failure at highway speeds causes a fatal crash.
I do concede that distracted driving and alcohol play a much bigger role in the large amount of car fatalities than software flaws. But I still stand by my original assertion that you are more likely to die due to the effects of a software flaw in your car than due to a software flaw in the 737 Max.
How do software flaws in cars kill you exactly? The main example you bring up is brake failure at high speed, but that's not a software issue, that's a mechanical issue (and is oftentimes caused by neglecting maintenance on the part of the car owner).
Yes, there's the self-driving stuff, and there have been some egregious examples, but those systems also save lives by preventing accidents. Lane departure warnings, automatic braking, and electronic stability control all, on the balance of things, make driving much safer.
Braking systems have been partially modulated by software for decades, i.e. ABS, TCS, ESC.
Additionally, other software controlled systems can induce mechanical issues. For example, in the case of the Toyota unintended acceleration debacle, an engine at WOT typically does not produce vacuum. However, power-assisted brakes almost universally are vacuum-powered. So, if the software-controlled throttle gets stuck wide open, you lose power-assist to the brakes.
Power assist not working in the brakes doesn't really equate to losing the brakes entirely. You can still use them to slow down unless the brake wire or hydraulics are literally cut.
And successful control of the vehicle depends on the vehicle's specific characteristics and the physical ability and awareness of the driver. The point being: it has killed people.
Software is increasingly controlling safety critical systems in cars so I would expect software failures to take up an increasingly large number of fatal vehicle faults going forward. On safety systems that have been using software for decades, one can find examples of such potential failures [1]
Only a heavily software-run car might (e.g. a Tesla Autopilot or the Uber fatality). But I agree with you. I fail to see how a software bug in a car would lead to a comparable outcome.
I don’t think most people realize how software dependent their “dumb” car is. From antilock braking to throttle response to steering response in some cases is largely controlled by software. It goes way beyond the infotainment systems we intuitively think of as software
I agree that cars are more safe now than ever before and that mechanical failure is more deadly than software failure.
The whole point of my comment was to put to bed the irrational fear of flying. You are still safer travelling long distances in a faulty flight system such as the MAX than you are by car. There are just too many variables to account for in cars, one of which is increased software complexity.
The 737 MAX crashed twice and killed 346 people. It's not an "irrational fear" to refuse to ever fly in one again.
Secondly, what are the exact figures you're using to show that the 737 MAX is safer than cars? And now compare it to other planes, the more realistic comparison? I'm not taking planes to places that are within driving distance. The 737 MAX was waaaay less safe than other planes.
I think we have to stop segmenting our thoughts into “software” and “hardware” and instead look at issues like the 737 Max as an integrated system failure. “Software” failures can easily manifest themselves into hardware failures; thinking of them as separate systems can lead to a complacency mindset of “its just software so we don’t have to be as rigorous in our design”
My fleet sums to ~100k trips and zero (human) deaths. The 737MAX can't claim such a low number of deaths per trip.
Regardless, we can choose our metrics to paint whatever picture we want to paint and any metric we choose is of little use anyway because it's an apples to oranges comparison.
Yes, I think you are right, it is much lower than 500K, I misread the wiki page which stated it had 500K flights at the time groundings started and assumed there weren't a significant number of flights between the first crash and groundings.
I'm still not sure I follow. How many flights do you think the MAX has now? I'd guess around 100k but the wiki says around 600k and the difference seems important.
Anyone old enough knows this flows from 1980s Reagan deregulation policies. Now these same people (literally the same people, in some cases) are trying to blame the government for it. The government (FAA) is nominally at fault, but the reason they are at fault is exactly what you said: they could not get funding to do their job and relied on industry to self-regulate.
Save taxpayer dollars with fewer inspectors! Less burden on industry! Win-win! :-(
As I've mentioned elsewhere, more self-inspection at packing plants, combined with higher line speeds "for worker safety," is why I recently went vegetarian.
I can very faintly understand the reaction when Boeing was so successful. It just exemplifies that no institution should rest on its laurels, and there should be mandatory external pressure and chaos-monkey-like systems to restore doubts.
They have chaos-monkey-like systems all over the place when designing and building commercial aircraft.
They perform tons of analyses like FMEA on their processes, their designs, then they have tons of SimIL/SIL/HIL testing partially derived from those analyses to verify their safety case, and at almost every layer of the development lifecycle they do tons of fault-injection oriented verification.
The MCAS system went through an amount of rigor that dwarfs anything applied to typical software or IT infrastructure, but the issue persisted due to fundamental underestimation of risk associated with this kind of failure and a confusingly terrible design & implementation from a functional-safety and human factors perspective.
It's ... within the realm of distant possibility. But generally not recommended practice.
Flight systems (fuel feed, hydraulics) assume a gravitational vector toward the bottom of the aircraft. Flying inverted would starve fuel and hydraulic systems.
We've seen it again and again: Industries do not "self-regulate." How many people have to die before the "REGULATION BAD!" people are put in their place?
In the Q&A, there were two questions about topics that the speaker wasn't really aware of.
1. A purchase option for an instrument/indicator that shows discrepancies between Angle of Attack sensors on each wing.
2. In the KC-46A Pegasus it seems the pilots are able to override the MCAS system by simply pulling on the controls.
For me, #2 would have been an interesting discussion, as perhaps Boeing chose not to re-use this system because it might delay certification. Imagine being the person who (may) have made the call to create worse software than something that already existed, to sneak past compliance.
Note that for the 767-2C/KC-46 it's very likely the case that the 767-2C wouldn't share a common type-rating with the rest of the 767 family (as this wasn't a requirement for the KC-46 contract!), and for the 737 MAX a lot of design decisions were driven by the desire for the 737 MAX to have a common type rating with earlier 737 models.
From the 767-2C type certificate:
> The Boeing 767-2C has not been evaluated by the Flight Standards Board. No pilot type rating or training, checking and currency requirement determinations have been made.
Note the only 767-2Cs built were to certify the type, no airline has ordered the freighter aircraft.
On #1: no one has, other than speculating, confirmed the option is a cost difference (there are hundreds of options for the 737 series, many of which are just configuration differences). In the case of the indicator, there would need to be additional training, so airlines may opt not to have it to save on training, since it is not required.
"Apparently the only design of the MCAS system the FAA saw was limited to a 0.6 degree deflection [of the stabilizer] at high speeds and only single deflection only. And that was changed and ... it is still unclear how that could happen ... it was changed to multiple activations, even at high speed, and each activation could move the stabilizer as much as 2.5 degrees, and there was no limit to how often it could activate." (~28min; emphasis added)
For me, in a crisis with a lot of burning questions, one I haven't seen raised much is: who changed the MCAS behavior after the FAA "saw" the first version? Someone decided this should happen, and someone implemented it (perhaps the same person). Forget the C-suite for a moment; someone in middle management made this call. Shouldn't they answer for it?
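A constructed fault-injection model of the two design points raised in this thread, the authority change from a single 0.6-degree activation to repeated 2.5-degree activations quoted above, and the AoA-disagree indicator from the earlier comment. This is an added illustration, not Boeing's code and not a description of the real MCAS control law; every threshold, limit and sensor value in it is an assumption chosen for the example, and the "stuck vane" input is constructed:

```python
"""Toy fault-injection model of a stabilizer-trim augmentation loop.

Constructed illustration. Not Boeing code and not the real MCAS control law;
all numbers marked 'assumed' are hypothetical. The only figures taken from the
thread are the 0.6 and 2.5 degree per-activation steps.
"""
from dataclasses import dataclass
from typing import Optional, List, Tuple

STAB_TRAVEL_LIMIT_DEG = 4.0   # assumed: nose-down trim stop in this toy model
AOA_TRIGGER_DEG = 15.0        # assumed: AoA above which the augmentation activates
AOA_DISAGREE_DEG = 5.5        # assumed: left/right disagreement that inhibits activation


@dataclass
class TrimLaw:
    step_deg: float                  # stabilizer travel per activation (0.6 or 2.5 in the thread)
    max_activations: Optional[int]   # None = no limit on re-activation
    use_disagree_check: bool         # cross-check the two vanes before trusting either
    activations: int = 0
    stab_deg: float = 0.0            # cumulative nose-down trim commanded so far

    def tick(self, aoa_left: float, aoa_right: float) -> float:
        """Process one sample from the two AoA vanes; return the commanded stabilizer trim."""
        if self.use_disagree_check and abs(aoa_left - aoa_right) > AOA_DISAGREE_DEG:
            return self.stab_deg   # vanes disagree: trust neither, command nothing
        if self.max_activations is not None and self.activations >= self.max_activations:
            return self.stab_deg   # activation budget exhausted
        if aoa_left > AOA_TRIGGER_DEG:   # single-source trigger on one vane, as the thread describes
            self.activations += 1
            self.stab_deg = min(self.stab_deg + self.step_deg, STAB_TRAVEL_LIMIT_DEG)
        return self.stab_deg


def run(law: TrimLaw, samples: List[Tuple[float, float]]) -> float:
    """Feed a sequence of (left, right) AoA samples through the law; return final trim."""
    for left, right in samples:
        law.tick(left, right)
    return law.stab_deg


# Constructed fault: left vane stuck at 70 degrees, right vane healthy at 3 degrees, 10 samples.
STUCK_VANE: List[Tuple[float, float]] = [(70.0, 3.0)] * 10


def compare_designs() -> dict:
    """Run the same injected fault through three variants of the law."""
    return {
        # Design as the speaker says the FAA saw it: one 0.6 degree activation.
        "single_0.6": run(TrimLaw(0.6, 1, False), STUCK_VANE),
        # Later design: 2.5 degrees per activation, no activation limit.
        "repeat_2.5": run(TrimLaw(2.5, None, False), STUCK_VANE),
        # Same later design, but inhibited when the two vanes disagree.
        "repeat_2.5_with_disagree_check": run(TrimLaw(2.5, None, True), STUCK_VANE),
    }


if __name__ == "__main__":
    for name, trim in compare_designs().items():
        print(f"{name:32s} final nose-down trim = {trim:.1f} deg")
```

With the stuck vane the single-activation variant stops at 0.6 degrees, the unlimited variant runs to the travel stop within two samples, and the variant with a disagree check never moves the stabilizer at all; the point of the exercise is that the failure mode is visible only when the fault is injected into the model, which is the kind of verification the thread says was done but under an underestimated risk.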
When stuff like this happens, it's a process issue, not an issue with a particular engineer. It's human nature to try to assign blame to people and that's why it's so important to avoid that. Whatever process created the flawed product is where the blame lies.
Somewhere in the group that produced MCAS, there's a process to permit changes to be submitted, reviewed, accepted or rejected, implemented and tested along with the documentation produced at each stage.
Maybe that process is broken, maybe it isn't. From the outside we can't tell. However, as responsible professional software developers what we should do is understand that these are system problems and not just look around for someone to pin the blame on.
Yeah, my first reaction after watching the video (it was a good video to watch over a morning coffee!) was that the author used passive voice several times without making it clear _who_ took a particular action ("It was decided" and other phrases like that). You make a good point that no one person might've made the call, however someone _must_ be accountable for it even if no single party is responsible (a single person at some level, possibly the CEO, probably below that level). That's what I'm personally curious to know.
As people died, now you need both: to identify the issue with the process that caused the problem to happen, sure, but also to identify the key figures that signed off on the design and, through the justice system, determine whether there exists a direct cause between their decisions and people's deaths.
Are holding people to (moral, ethical) account and looking at problems from a systems perspective mutually exclusive?
These are systems problems, I fully agree, but they aren't only systems problems. The systems in question are people. They have minds, personalities, and agency. Eliding this - sorry for saying so - makes phrases like "whatever process created the flawed product [...]" sound absurd, borderline callous.
I hate to resort to what by now is a web forum trope, but would you look the MAX victims' families in the eye and say, word for word, what you wrote above: "No, 'they' shouldn't" be held to account? Come on dude.
In some different articles I read, the change from 0.6 to 2.5 came after flight testing of the aircraft when it became apparent that the MCAS system needed greater authority to function properly. That part of it was totally normal. The major error, however, was that the documentation was not updated following the changes. That created a situation where some people were looking at documentation that no longer reflected the true system.
You can read about it in more detail here.[0] Likely responsibility for the (series of) decisions was diffuse enough that perhaps no one person made the call.
I had the same issue with another link posted today where the video wasn't loading at first. I downloaded it from a mirror using wget at over 200 Mb/s.
EDIT3: after a couple of reloads and waiting a couple dozen seconds, the native HTML video player switched to some custom CCC player with a settings option available. Probably needed some time before the JS fully loaded and did its job. Apparently /u/lovehashbrowns had loading issues, so this sounds related. Maybe CCC is getting a hug of death from HN, Reddit or whatever.
Funny, I was impressed that they embedded many languages in the video and felt it was great work from the group. Sorry it was an annoyance to you.
Does anyone else feel like we're going to be having a nearly identical conversation about a car some day? Some mixture of design changes, sensors, and software, (driven by business) that lead to avoidable deaths?
Warrant against hyperbole: I'm not against the idea of self driving cars. In fact I have a Tesla and use auto steer daily.
I'd argue this already happens with vehicles and many other products. Many safety features themselves can lead to avoidable deaths in certain scenarios, from something as simple as the seatbelt to something as complex as auto-braking and collision avoidance. I.e., a seatbelt can cause a death by inhibiting egress. Fancy collision avoidance may prevent you from getting off a train track if there is a car or gate in front of you.
Car manufacturers already have to make calls not only about whether these features are worth it for the greater good, but also whether or not it will make the car too expensive.
Like Tesla's decision to employ a door system that can't be operated in the event of electrics failure?
Or how the extra strong glass they use prevents emergency responders from quickly getting through in case of emergency?
Or unintended consequences created by instability and regression in Neural Network based self-driving systems after an OTA update?
It's happening every day; to not overly pick on Tesla, Volkswagen, Nissan, and BMW were caught cheating in one way or another on emissions. Takata using substandard materials in airbags.
Don't have the links on-hand, but these have just been a handful of what I recall over the last 10 or so years.
The problem I can't figure out is how to get people as in an uproar over something less dramatic than an aircraft crash to properly signal to industry that inferior quality is not acceptable.
This is all business as usual apparently. I never felt comfortable or like I was even a good fit in an environment where apparently success is gated by how much you can get away with not having to disclose, and how much scrutiny you can avoid.
It's actually caused me quite the crisis of faith as a contributor to industry in general. At some point, no matter what level I'm at, someone is going to make a decision to abuse something I put in place for them.
What exactly does that leave as the responsible course of action for someone who is opposed to furthering unethical business by facilitating it via automation? How does one effectively conduct themselves so as not to become an unwitting accomplice by obfuscating skeevy business practices through automating them? I'm not satisfied with the answer of "just do your part, and get paid, the chip is on someone else's shoulder". I've spent too long watching industry do what it does to be able to realistically anticipate any company doing things the "right" way by default. I simply can't entertain Hanlon's Razor anymore. Not when second- and third-order effects of decisions are so rarely taken into account by those around me.
I sure hope I figure something out, or the new year is not going to be fun... Sorry for the digression... Your question has just been related to something that has been weighing heavily on my mind recently.