NYT: Deadly 'Misguided Assumptions' Were Built Into Boeing's 737 Max (nytimes.com) 257
The automated MCAS system in the Boeing 737 Max played a role in two fatal crashes.
But today the New York Times reports that a year before they'd finished developing the plane, Boeing "made the system more aggressive and riskier," and that "test pilots, engineers and regulators were left in the dark about a fundamental overhaul." While the original version relied on data from at least two types of sensors, the ultimate used just one, leaving the system without a critical safeguard. In both doomed flights, pilots struggled as a single damaged sensor sent the planes into irrecoverable nose-dives within minutes, killing 346 people and prompting regulators around the world to ground the Max. But many people involved in building, testing and approving the system, known as MCAS, said they hadn't fully understood the changes. Current and former employees at Boeing and the Federal Aviation Administration who spoke with The New York Times said they had assumed the system relied on more sensors and would rarely, if ever, activate. Based on those misguided assumptions, many made critical decisions, affecting design, certification and training...
The company also played down the scope of the system to regulators. Boeing never disclosed the revamp of MCAS to Federal Aviation Administration officials involved in determining pilot training needs, according to three agency officials. When Boeing asked to remove the description of the system from the pilot's manual, the F.A.A. agreed. As a result, most Max pilots did not know about the software until after the first crash, in October.... While the F.A.A. officials in charge of training didn't know about the changes, another arm of the agency involved in certification did. But it did not conduct a safety analysis on the changes. The F.A.A. had already approved the previous version of MCAS. And the agency's rules didn't require it to take a second look because the changes didn't affect how the plane operated in extreme situations...
The disasters might have been avoided, if employees and regulators had a better understanding of MCAS... Safety analysts said they would have acted differently if they had known it used just one sensor. Regulators didn't conduct a formal safety assessment of the new version of MCAS. The current and former employees, many of whom spoke on the condition of anonymity because of the continuing investigations, said that after the first crash, they were stunned to discover MCAS relied on a single sensor.
"That's nuts," said an engineer who helped design MCAS.
"I'm shocked," said a safety analyst who scrutinized it.
"To me, it seems like somebody didn't understand what they were doing," said an engineer who assessed the system's sensors.
But today the New York Times reports that a year before they'd finished developing the plane, Boeing "made the system more aggressive and riskier," and that "test pilots, engineers and regulators were left in the dark about a fundamental overhaul." While the original version relied on data from at least two types of sensors, the ultimate used just one, leaving the system without a critical safeguard. In both doomed flights, pilots struggled as a single damaged sensor sent the planes into irrecoverable nose-dives within minutes, killing 346 people and prompting regulators around the world to ground the Max. But many people involved in building, testing and approving the system, known as MCAS, said they hadn't fully understood the changes. Current and former employees at Boeing and the Federal Aviation Administration who spoke with The New York Times said they had assumed the system relied on more sensors and would rarely, if ever, activate. Based on those misguided assumptions, many made critical decisions, affecting design, certification and training...
The company also played down the scope of the system to regulators. Boeing never disclosed the revamp of MCAS to Federal Aviation Administration officials involved in determining pilot training needs, according to three agency officials. When Boeing asked to remove the description of the system from the pilot's manual, the F.A.A. agreed. As a result, most Max pilots did not know about the software until after the first crash, in October.... While the F.A.A. officials in charge of training didn't know about the changes, another arm of the agency involved in certification did. But it did not conduct a safety analysis on the changes. The F.A.A. had already approved the previous version of MCAS. And the agency's rules didn't require it to take a second look because the changes didn't affect how the plane operated in extreme situations...
The disasters might have been avoided, if employees and regulators had a better understanding of MCAS... Safety analysts said they would have acted differently if they had known it used just one sensor. Regulators didn't conduct a formal safety assessment of the new version of MCAS. The current and former employees, many of whom spoke on the condition of anonymity because of the continuing investigations, said that after the first crash, they were stunned to discover MCAS relied on a single sensor.
"That's nuts," said an engineer who helped design MCAS.
"I'm shocked," said a safety analyst who scrutinized it.
"To me, it seems like somebody didn't understand what they were doing," said an engineer who assessed the system's sensors.
single sensor well the single ceo can do some hard (Score:2)
single sensor well the single ceo can do some hard time.
Missing the point (Score:5, Informative)
It does not matter how many sensors are feeding this "system". The concept itself is faulty and deadly. Any talk of sensors is simply misdirection, probably by Boeing.
In case anyone missed this, let me recap the entire chain of cock-ups that lead to where we are now:
1. 737MAX has larger engines (that are really not suitable for this airframe)
2. These engines had to be moved forward of the wings and slightly up to fit.
3. Because of their size and location, under certain angles of attack, these engines will start producing additional lift. I.e. once a plane points "up" at a certain angle, it will get pushed up even faster (potentially a positive feedback loop)
4. In addition to actual airframe motion, due to this pitch moment, it becomes progressively easier to pull on the yoke as angle of attack increases. This means that a pilot can more easily pull the plane out of its safe envelope.
5. One of the certification requirements is that what is described in point 4 cannot happen (i.e. the force needed to pull the yoke should not decrease with angle of attack).
6. So, to satisfy that certification requirement (and not to actually make plane more envelope stable, btw - as you may have thought), Boeing needed a solution.
7. Now, as this is an ancient airframe and an ancient mechanical system (with a sprinkling of FBW), Boeing could not simply "adjust the feel" of the yoke (and, likely due to cost and complexity did not want to spend an effort on at least a purpose built system).
8. So, these "engineers" decided that the best way to adjust the minute feel of the yoke, is to control the plane's AOA using its largest flight control surface - the slowly moving elevator.
9. They also decided, for reasons that have never been explained, to change the behavior of elevator controls. In previous 737 generations there were two switches: One switch to turn off automatic (autopilot, autotrim) control of elevator Another switch to turn off any electric trim (at which point elevator trim would have to be controlled manually by spinning a big wheel in the middle of the cockpit). That means a pilot can turn off the autotrim, but still use electric servomotors to control the elevator (which makes elevator control much easier, as it requires a lot of force to move at high speeds)
737MAX, however, has only one switch. That switch turns off BOTH the autotrim and the manual electric trim. To put it simply, there are now only two options - either automatics can control the elevator, or pilot must crank a handwheel if s/he wants to control elevator trim.
10. To add insult to injury, possibly due to changed wing configuration, at certain speeds and angles of attack, manual forces required to move a trim wheel are outside the human capability (i.e. - the wheel will simply not budge).
All of the above points cannot be fixed in software, no matter what Boeing PR will tell us. Keep this in mind.
Re:Missing the point (Score:5, Insightful)
In addition to your points: A major requirement was that the plane must be flyable by pilots already trained for regular 737's without requiring retraining. Hence the inability to make significant changes to the operation of it. Which explains some of the 'out there' design choices.
Re: (Score:3)
Re: (Score:2, Informative)
I heard Boeing were deciding between 737 MAX and a new design (inheriting 787 technology). They hadn't made any announcement either way..
Except then this press release [aa.com] came out.
Rumor is, it's this airline that didn't want to retrain and thus they forced Boeing's hand to go with the MAX rather than a new type.
(Engineers at Boeing, I suspect, would rather have simply started a 797 that was a 737 sized 787. No need for MCAS. Modern aircraft design.)
Re: (Score:2)
Great post! One detail to correct: the control surface moved by MCAS is actually the entire horizontal stabilizer, which explains why MCAS was able to completely overpower the elevator.
Re: (Score:2)
10. To add insult to injury, possibly due to changed wing configuration, at certain speeds and angles of attack, manual forces required to move a trim wheel are outside the human capability (i.e. - the wheel will simply not budge).
In Ethiopian (may be in Lion, not sure), the pilots had left the engine in take-off full throttle leading to near super sonic speed. Had they reduced thrust, the hand cracking may be well within the human muscle ability. So still there is room for "pilot error". Sure they had less altitude to play with; but if no speed, the jack-screw may not hv got stuck up tight.
Re: (Score:2)
You have a few mistakes there.
First, all 737 have an elevator feel unit, so they could adjust the feel of the yoke. But it is an analog computer, so they didn't bother.
Second, a 737 max still has both switches. But the MCAS can only be disabled by cutting all electrical power to the trim motor.
Re: (Score:2)
Absolutely brilliant analysis of the MCAS fiasco, better than anything I've read in the media. And as you pointed out what is posted in the media is self serving excuses by Boeing trying to defect blame elsewhere. eg. The airlines wouldn't buy an extra angle of attack sensor etc.
Re:Missing the point (Score:5, Interesting)
So we now must wait until a problem results in loss of human life before coming up with a solution? You are welcome to fly on a plane produced under that approach, but count me out, please.
Re: (Score:2)
Hmm...
Traffic fatalities, USA, 2017-2018: ~40,000.
Airplane fatalities, USA, 2017-2018: 600.
So, when do we get people really excited about making cars safer, since we have 70x as many deaths from using the things than we have from even unsafe planes like the one in TFA?
Re: (Score:2)
If the press would take just 10% of the time they're spending on covering airliner safety problems, and use it to cover other forms of transportation (like say car accidents), we'd actually save more lives. Your error isn't in your reasoning about this problem. Your error is in prioritizing this problem over other problems. That mis-prioritization is literally leading to thousands if not tens of tho
Re: (Score:3)
That mis-prioritization is literally leading to thousands if not tens of thousands of deaths as we waste time and money on fixing this high-hanging fruit, when there are lots of other low-hanging fruit which would save more lives per dollar spent fixing.
In what way is fixing bad software that only takes 3-4 weeks of programmer time to do properly not low hanging fruit? It's also an apple to oranges comparison because ground vehicle deaths are almost never due to design flaws as was clearly the case here. These sort of crashes get so much attention precisely because the problems are so fixable and not just because so many people died on the same day. The story represents a carelessness and profits first attitude that is attention-grabbing and news worthy. M
Re: (Score:3)
1. Has not resulted in any crashes.
Your point might be more clear if you included a subject. The way it's written, I'm having trouble understanding your meaning.
The simple reading is obviously false, because the plane has resulted in crashes.
Re: (Score:2)
Actually I think point 9 and 10 are partly responsible for the ET302 crash. I would bet a lot of money that if the trim wheel had spun more easily or if they had been able to turn the electric trim back on without turning on the auto trim system as well that flight would not have crashed. All you have to do is look at what they were trying to do and it's pretty obvious that either of those last two points would probably have saved them and both definitely would have.
Re: (Score:2)
I agree with you. I don't work in the airline world, but another maybe more critical world. I'm cautious about what I write here, sorry. Basically even if you definitively find a significant problem with a design that has already passed months or years of testing and govt. certification, you're not allowed to make changes without resubmitting to the approval process. Huge $ and many years until it's implemented, if at all. That's where the system is broken. Just like reporting a zero-day to MS and they
Re: (Score:2)
Cynically I think the problem is psychological / ego. The people who make up the system- lab testers, certificate signers, bureaucrats, govt. officials- everyone- don't want to admit a flaw in their system. I'm all about design review and improvement. I've never been offended by someone pointing out a flaw in any of my ideas or designs. Better to have something done right! But people who make up political structures- govt., corporate, whatever, are very egocentric. IMHO.
Part of the problem I think is generational change, with insufficient overlap between generations, so there isn't enough continuity. New guys come in and build their systems like other systems they are used to, and it fucks up.
Re: (Score:2)
I previously worked on Air Traffic Control software and saying hasn't caused a crash is never a justification for any feature of the software. Everything gets analyzed and tested offline.
Re: (Score:2)
737 max murder plane.
Re: (Score:2)
You're claiming the problem is the airframe is now unstable, but there is no evidence indicating this is a real-world problem.
Of course there is, because that is the reason for: The problem was a failure of a new anti-stall system, which was added because of that instability. Actually not added, it was planned and integrated together with new engines and the bigger airframe, it was obvious that a system like MCAS is either needed, or the pilot needs to take more control, or the the whole autopilot software
Re: (Score:2)
You are referring to this [reuters.com].
Yes Boeing will probably use that at any trials they face: that clever third pilot who managed to figure out how to get out of the situation. I haven't read that much about what he actually did though. I'd like to see him interviewed. He couldn't have known about MCAS, but there are a number of things he could have done including turning on the autopilot on the opposite side from the bad AoA vane or extending the flaps a bit or being sure to slow down as much as possible and then t
Re: (Score:3)
that clever third pilot who managed to figure out how to get out of the situation
This is used in ATC. You might have an executive controller who does tactical stuff, talking directly to pilots, and behind him a supervisor who is able to sit back and look at the bigger picture. You can see this happen in the Sully movie where the SUP is walking around doing resource management and monitoring communications.
Likewise the deadheading pilot in the jump seat was able to do some thinking while the two main pilots were overwhelmed by the stick shaker and alarms.
Re: (Score:2)
fighter jets overcome these limitations.
No they don't. Fighter jets have ejector seats so the pilots can bail out of an uncontrollable aircraft.
Re: (Score:2)
Aha, here's a source for the two identical switches: https://www.seattletimes.com/b... [seattletimes.com]
Automation always needs a way to disable it (Score:5, Insightful)
Both hardware and software systems are getting way more complex now, with tons of inputs and the potential to fail. Any system that could cause an unsafe condition needs to have a way to override it that's easy to activate and leaves things in a safe state once you do. With all the testing and certification that go into avionics it's surprising something got designed that doesn't function like that. I wonder if the engineers who design these systems have any flight experience at all, or aerospace engineering experience, or if they're just coding to a spec someone passed along third-hand to them.
I'm in IT systems engineering and the trend towards automating all the things is great but IMO we have similar issues. My brother is a software developer and he's admitted to me that he has zero clue how most of the CI/CD pipelining stuff he checks code into does what it does. It's almost as easy as writing the code, writing the right test, pushing the magic button and everything's in production...but very few people have the knowledge of how the system actually does things under the hood. As we get more and more people entering the field who don't understand how basic compute/network/storage and communication protocols work, I wonder who will know how to fix something when the automation goes haywire and stops working.
Re: (Score:3)
I agree 100%. I'm amazed at how many people here (and other tech boards) think the opposite- that humans make the mistakes and machines are much faster and better. Maybe, but who is to decide whether there is a malfunction? If someone is willing to put big $ into multiple redundant systems and computers, like the Space Shuttle had, then okay, but when there's 1 sensor per pilot seat, I'd rather put my life in the pilot's hands. His (or her) life is also on the line- usually a good incentive to make corr
Re:Automation always needs a way to disable it (Score:5, Insightful)
What you say has the ring of truth. I am in neither aviation or IT. I am in medicine where the same thing is happening. Technology should be a tool, not a toy. Instead, technology has become an indulgent plaything where we develop high tech gizmos for the sake of developing them, because we can, not because we should, very often by entrepreneurs, executives, and technologists with no knowledge of the primary subject or the professional corps they are selling to. The idea of minimizing man-in-the-loop has gone too far.
In medicine and surgery, we we see a lot of good that comes from a lot of new technology, but also certain problems for which failure rates (not getting the desired result or cure) and complication rates (having unanticipated adverse effects) are on an exponential rise. These rapid upticks in problems are confirmed in published studies, and lawyer websites are making money suing companies for bad designs, but the companies keep pumping out fallacious and faulty products while surgeons get their education more and more from the companies rather than their schools and (so called) learned societies. You can appreciate it at the moment because of the current legal activities against companies making narcotics, where the companies, in an environment of lax or corrupt oversight, can make a market out of deadly products that in prior decades were not needed for effective care, and doctors were not asking for a better mousetrap.
Technology is fun and beguiling, but when it is an end unto itself, and the result is less skill, less education, and worse results than when knowledgeable professionals take the reins or the rudder, then technology has gone to far. As in, like, social media, instead of actually just talking to someone.
Redundancy (Score:2)
Two is one, one is none.
Slashdot Poll Update (Score:2)
Could we please redo this poll [slashdot.org] just to gauge how much public confidence has either increased or decreased in the 737-MAX the last few months?
This isn't the same as Samsung's exploding phone fuck up. The Aircraft business is all about safety and confidence.
It'll be interesting to see just how damaging this becomes in the long term.
It has probably never been safer to fly in a Boeing as right now only because Boeing can't afford to see another of its birds crash and burn.
I don't think they could survive anothe
Single Point of Failure == Bad Engineering (Score:2)
>A year before the plane was finished, Boeing made the system
>more aggressive and riskier. While the original version
>relied on data from at least two types of sensors, the
>ultimate used just one, leaving the system without a
>critical safeguard. In both doomed flights, pilots struggled
>as a single damaged sensor sent the planes into
>irrecoverable nose-dives within minutes, killing 346 people
>and prompting regulators around the world to ground the Max.
"the ultimate (MCAS) used just on
That's a funny way to spell (Score:3)
This is what happens when you bust unions (Score:4, Interesting)
Boeing (Score:2)
Boeing to blame, dont blame pilots (Score:2)
Many blame self regulation, or too little, another question to ask, is does it take too long for them to develop a new airframe to accomodate the larger engines because of over regulation. I don't know, it sounds to me that a new body should not take that long as they are not really doing a ground up redesign, just reshaping the body. Maybe I am missing something here. Boeings timelines for this seem to indicate it would take a decade to do a new body.How much of that is due to regulations and paperwork.
So
Complexity (Score:2)
While there appear to be specific and serious mistakes that Boeing made here, I think the root cause is a general lack of understanding of how to certify complex systems. When controls become this complex, there is no practical way to test all of the possible failure modes. This is obvious but non-lethal in the constantly uncovered bugs in consumer electronics. Its not clear that an expensive but low volume system like an aircraft autopilot can actually have more testing time than a low cost, but high v
Re: (Score:2)
The root cause is the flying museum piece of an airframe, everything else is just a contributing factor. Well, and there is another cause deeper than that, where corporate greed resulted in a unsafe airframe.
homicidal regulatory capture (Score:5, Insightful)
First, a caveat: I have worked in avionics and even indirectly with Boeing, a company I even like and [mostly] have admired.
My eyes on some of this stuff, however, were opened years ago while working for a smaller firm on some avionics. The FAA was all over the project, reviewing every assumption and every line of code and all tests, etc. Nothing that appears to have happened with the 737Max and MCAS would ever have withstood even the first meeting with the FAA people. While dealing with all this stuff, I had the occasion to discuss it with a Boeing guy I knew and had worked with and I learned that the FAA allowed Boeing to have their own internal guys get trained and certified by the FAA and then those guys could do the reviews and sign-offs. In other words, Boeing was effectively self-certifying. I believe the same things was happening at all the biggest aerospace firms.
This is tied to regulatory capture, where early entrants to a market get in before the government regulates it, then they encourage government to hyper-regulate (which suppresses any new competitors from even entering the market) and even help the government write the regulations, and as early-in-the-market experts they are not regulated as harshly as any newer entrants.
The big boys of the industry were presumed qualified and experienced, both because they'd been doing it for decades, and because they' even helped the government figure out how to do it. With Boeing as the sole airliner builder in the US, it's vital to government that their stuff is approved. The same thing is probably true in Europe over Airbus - and of course because the US and the Europeans are critical NATO allies and big trading partners, it's vital to the US to accept the European Airbus stuff, and for them to accept the Boeing stuff. Maybe this incident will finally change that and regulators on both sides of the pond will return to scrutinizing airline builders at least as much as the makers of small planes and smaller vendors of aircraft parts.
Ronald Reagan once famously said that freedom is always a single generation from being lost - the idea being that each generation needs to learn about it and value it enough to properly defend it. There is a corallary which applies here: The people at Boeng today are not the people who designed and built the DC-3, the 707, the 727, the 747, etc, just as the Boeing space division people who brag about their history in spaceflight are in fact not the people who built Apollo or the Shuttles. The current Boeing teams are a newer younger generation and they need every bit as much regulatory oversight as any mom-and-pop shop making parts for home built planes, or anybody at SpaceX trying to orbit a human for the first time (in fact there's probably more actual experience with space capsules at SpaceX these days, where numerous cargo Dragons have flown to and from and been docked at the ISS, than at Boeing) - they are not the genetic inheritors of the experience of the old Boeing people any more than the kids of today have genetically inherited a commitment to freedom and liberty (evidenced by the millenials who want speech they disagree with banned).
Comment removed (Score:3)
Re:OK, enough! (Score:5, Insightful)
I think I'll take the NYT's word, and the word of their listed sources, over that of a guy on Slashdot with zero sources who's never flown a jet aircraft. Call me crazy.
Re:OK, enough! (Score:5, Insightful)
Please stop the BS. The crashes did not happen in a situation where the pilots had enough time to find out what was wrong. You statistical argument is flawed. If this had "happened many times", this would be known by now. Instead, there is no evidence to that effect.
Re: (Score:2)
Please stop the BS. The crashes did not happen in a situation where the pilots had enough time to find out what was wrong.
Actually they did. But what the GP doesn't realise is the pilots did *exactly* what he said was the answer. Unfortunately 4 seconds later the entire system started to trim down again, rinse repeat until the plane is on the ground (with a bit of excessive force).
See the OP is speaking out of pure ignorance and I think we've covered many a time here before that disabling auto-trim does nothing to disable MCAS.
Re: (Score:2)
And that just means they had not enough time. They could do the quick fix, but they did not have enough time to understand why the problem happened again and again and again. Sure, if Boeing had not been criminally negligent and had actually told the pilots that this could happen, or even only what the new system did, the pilots would likely have had enough time to fix the overall problem. But as it was the pilots were faced with a complex system that insisted on malfunctioning and no idea what was going on
Re: OK, enough! (Score:5, Informative)
The Captain in the second crash had over 10000 hours...
Re: (Score:2)
Re:OK, enough! (Score:5, Insightful)
But it magically happened to inexperienced flight crews on airlines with poor safety records.
Boeing knowing sold the plane to airlines that had inexperienced crews, and told those airlines that additional training was not necessary. Avoiding the cost of additional training and certification was the primary purpose of MCAS.
Sure it was the airplane and not the pilots. Uh huh.
It was a combination of poor design and poorly trained pilots. Boeing is responsible for the poor design. They get much of the blame for the poorly trained pilots as well.
Re:OK, enough! (Score:4, Informative)
Did you miss the part that Ethiopian bought a 737 Max simulator that for some bizarre reason, doesn't simulate MCAS? Seems like they tried pretty hard to get their pilots checked out on the new plane but in the end, Boeing's screw up(s) prevented that.
1. MCAS suffered from mission creep (ever heard of that concept before?).
2. Multiple engineering and supervisory sections at Boeing and the FAA missed that.
3. MCAS is now more powerful than before and successful operation hinges on a single, error prone sensor.
4. Even the manufacturer of the simulator (Thomsen) who, after all, has to work very closely with Boeing, didn't get enough information to simulate the plane correctly.
Shit happened.
Re: (Score:2)
You are either so stupid it is staggering, or you are a paid shill with no honor. As you post AC, I believe it likely is the second.
Re: (Score:2)
Re: (Score:2, Interesting)
But, the airplanes crashed because the crew reacting improperly and/or couldn't fly with a relatively simple trim failure.
And that, is exactly what manufacturers want. To make a system so complex the only way to fly it is with their software. They aren't interested in training pilots, they want monkies who spend time in simulators. It also helps to push veteran pilots into retirement / out of the air because they lack the ability to fly those planes.
It's a fact of life that your reaction times go down as you get older. It gets worse if also have to deal with understanding the systems themselves and happens in other profess
pilots should fly, not debug software systems and (Score:2)
Granted, hardware failed, but why have persons with hands, feet and butts in the cockpit if they cannot immediately reassert manual control and trim the plane independently heads-up without having to consult manuals heads-down as they plunge below existing terrain levels?
Re: (Score:2)
Granted, hardware failed, but why have persons with hands, feet and butts in the cockpit if they cannot immediately reassert manual control and trim the plane independently heads-up without having to consult manuals heads-down as they plunge below existing terrain levels?
Absolutely, this ^^^ I could not agree more. As much as technology can help, and even save lives, if it goes wrong, I want a human to be able to override it.
Sardonically I'll say they want humans in the cockpit for blame purposes. I wish that wasn't true, but IIRC it was the first thing Boeing said.
Re: (Score:2)
Best is a trained human.
Re: (Score:2)
why have persons with hands, feet and butts in the cockpit if they cannot immediately reassert manual control?
Because Boeing told them that training for that wasn't necessary.
Re:pilots should fly, not debug software systems a (Score:5, Insightful)
Well...only one piece of hardware failed and that failed AoA vane should not have crashed the plane. The only reason it did is because of the MCAS software. So I would classify it as far more of a software problem. Without MCAS the AoA failure would just have disabled the auto pilot. Despite the low altitude it is possible the pilots could have saved themselves in the few minutes they had by being highly intelligent and quick thinking and very very good at their jobs, but they are humans. Not robots. A lot of people would panic and have trouble thinking 100% clearly when the airplane you have flown for many years suddenly starts to have a mind of its own and point toward the ground at a low altitude. They were probably freaking out and it wasn't exactly the same as 'runaway trim' in the sense that it wasn't just a continuous out of control turning of the trim wheel. It was intermittent. So it would have been confusing especially for the Lion Air pilots when Boeing was still keeping MCAS a closely guarded secret.
I don't think it was that they had no idea how to fly the plane manually and needed to consult manuals for that. If that were the case I could see your point. They were consulting manuals to try to figure out what the hell was going on. Why was the plane aiming toward the ground all of a sudden in little bursts? I think they must have done that only because it was such a weird and rare problem. And anyway the ET302 pilots mostly did the right thing by disabling the auto trim and trying to turn the trim wheels, but were going too fast and the wheels wouldn't turn. Why they didn't slow down or rollercoast is a mystery, but maybe they just weren't smart enough and also the rollercoasting procedure has not been documented since the 737-200 back in the early 80s. That is a long long time ago. Why Boeing removed the procedure from their training manuals is as much of a mystery as why they used a single sensor for a system that could crash the plane if one went bad.
Re:pilots should fly, not debug software systems a (Score:5, Interesting)
I think there is still more dirt to come out. In the Lion Air accident, the AoA sensor had been replaced after the previous (nearly disastrous) flight, and the new one still failed. Seems like a mighty big coincidence, that two AoA sensors in a row would be defective. Someone is not telling the whole truth.
Re: (Score:3)
They replaced the AoA sensor vane, not the sensor electronics.
Re: (Score:2)
I am not reassured.
Re: (Score:2)
I'm not trying to reassure you. I'm simply stating that the failure was likely in the sensor electronics, not the vane. So replacing the vane probably didn't fix the issue at all. They probably assumed it was a faulty vane because physical damage to the vane causing bad readings is more common than failures of the sensor electronics. I don't know how hard it is/isn't to test these things on the ground.
Re: (Score:3)
This is a good point and I would like to hear more about this. I just happen to live in a country right next to Indonesia and the culture and the people are not so different and well the people here tend to be bumblers. They have a lot of trouble getting things right especially with tricky or detail oriented work. So I could for instance quite easily imagine them replacing the wrong sensor. Maybe they replaced the good one instead of the bad one.
Really just the fact that the plane nearly crashed the day bef
Re:OK, enough! (Score:5, Interesting)
As 737MAX (unlike previous generations of 737) no longer has an electric trim separate from an automatic electric trim (the latter including MCAS), and manual elevator trim is difficult or impossible at higher angles of attack and speeds, these pilots were physically unable to restore their plane's trim manually. So, they tried to resort to switching back the only switch Boeing left them - which restored their ability to manually use electric trim and move an elevator, but also turned the MCAS back on. As MCAS is faster and has higher control authority than a human, it quickly overpowered them. However, were they not to do this, they did not have been able to manually trim back in time. It's a lose-lose situation. Boeing executives should stand trial for this (but probably won't)
Re: (Score:3)
They just needed to reach out the window and reorient the AoA sensor wing- automatic trim would have taken over.
(that was sarcasm- sorry if anyone didn't get it or is offended)
Seriously- if aerodynamic forces can become so great that humans can't control the controls, IN AN EMERGENCY, why don't the pilots have power assist? Don't turn off the trim motor- just disconnect the controls and give me a simple rocker or toggle lever.
Re:OK, enough! (Score:5, Informative)
IN AN EMERGENCY, why don't the pilots have power assist?
A very good question, especially given that the previous 737-NGs could enable trim power assist without turning auto trim on.
Boeing purposefully changed the switch operation [seattletimes.com] so that it was impossible to enable trim power assist without MCAS also being enabled...
Re: (Score:3, Interesting)
So the problem is in fact correctable by cutting power and trim
Re: (Score:2)
It seems that if the plane is severely out of trim, there are huge forces acting on the stabilizer and the manual trim wheel is impossible to turn. There is a maneuver to mitigate that (pulling the nose up, then letting go to briefly reduce the loads) but it is really inadvisable to do close to ground.
Re:OK, enough! (Score:4, Insightful)
As OP said, the elevator trim can be adjusted by turning the trim wheel by hand. The current thinking is that the crew cut power to the electric trim, and tried to spin the trim wheels by hand.
On ET302 they absolutely flicked the stab trim switches, but then they coudn't turn the wheel. [youtube.com] Not sure about Lion Air though. The problem with that is that if you are going fast the wheel is too hard to turn. The force required to turn the wheel grows stronger in a nonlinear way as air speed increases. You have to also slow down or let go of the yoke and let the plane dive while you spin the wheel.
The clever third pilot in the Lion Air flight was probably just smarter and better at troubleshooting and may have also gotten lucky. I am not sure it is clear exactly what actions he took. Do you have a link for that? It was a different flight and maybe he was traveling slow enough to just flick the stab trim switches and turn the trim wheel or maybe he knew about rollercoastering to release pressure on the manual trim wheels.
Maybe Boeing should have 10 pilots on the plane so that there is always a good enough and smart enough pilot available for when the plane feels it is time to crash. Or Airlines could just buy Airbus planes. Or Boeing could just write better control software. If the feeling is that only US pilots are smart enough and good enough to fly a 737 Max without crashing it then I guess foreign airlines should stick with Airbus just in case not every pilot is a genius. Airbus could now adopt a motto like Airbus: planes so good that your pilots don't have to be.
Re: (Score:2)
Nobody should need luck to stay alive on an airliner.
Re:OK, enough! (Score:5, Interesting)
The manual trim works if you aren't going far beyond the Vne of the aircraft. In the Ethiopia airlines case at the end of the flight the IAS of the AC was 458-500 kts. The pilots never changed from takeoff power (94% N1, more or less balls to the wall as the MAX has a massive surfeit of thrust).
Also note that the MCAS does not operate with the flaps deployed. While MCAS is inferior in terms of implementation (single sensor input an willingness to push the AC further outside of its documented flight envelope which means its not taking in data available to the AC, eg, altitude, the various airspeeds, GPS, GPWS) it can be shut off with the flick of a switch. Its more or less there to keep high pitch angles suppressed after the flaps are pulled up.
While I am not defending Boeing in this case (I was ANTI-MAX before Lion air and wanted a clean sheet for both mid market and small jet market) the manual trim system will work if the plane isn't going 100-150 kts past Vne - forces that the control surfaces experience will become exponential - this is why AC manufacturers have a Vne and barber poles. I'm sure the stick shaker was causing panic (even with 8000+ hours the captain might have never experienced one) and simply looking at the barber poles would give a hint on the overspeed situation.
The MAX should not exist and the MCAS system is flawed - but the system does not work if the flaps are deployed. Which means that when MCAS starts acting up the trim cutout switches and hand flying the aircraft in the flight envelope is a perfectly valid option.
Aviate, navigate, communicate. I think that in this situation communication (between PIC/FO) could have been an issue.
Boeing has a "simulated" low tech AC (which if I got my way would have been clean-sheeted like a modernized A320) which relied on software in the latest rendition to keep up the facade. But neither of the aircraft (Lion, Ethiopia) was doomed to being a total loss. The horrible training of the crew for the new AC type plays a major role - the type-certification for the 737-200 is valid on a MAX8/MAX9/MAX10, but the training would be drastically different. The fact the training is tied to the type-certification is sad. The 737MAX simulators are STILL as of May 2019 not truly complete for simulating Lion or Ethiopia conditions.
Boeing screwed up. (#1 not making a clean sheet small jet, #2, not implementing MCAS sanely), Training could have bridged the gap but this was forgone for expediency. Pilots were not trained in the differences in the various types within a single type-certified AC. I do think if pilots in general were more accustomed to having to hand fly aircraft this rubbish MCAS system would not have been as lethal as implemented.
If the MAX ends up banned I would not be sad - I'm not happy that a type-certification has been recycled since the 1960s. However this is a much larger discussion and not necessarily saying what the MAX and MCAS is is unworkable - if the AC had been clean sheeted this type of garbage wouldnt be necessary. We have AC manfacturers buying Bombardier and Embraer to avoid type-certifications - its better to no innovate and buy other designs than to just re-design the AC! And this is in the day of CAD and much better simulations! How is it "too expensive" now to clean sheet when the simulation tools are a million times better than slide rule created AC like the 747 and the SR-71 were designed? Crazy.
Re: (Score:3)
I guess you missed a few memos. Like the one that on the 787max, under some conditions a human isn't strong enough to adjust the trim manually unless you dive to relieve aerodynamic force (note, going into a dive at 4000 feet when the plane is already trying to dive might be a bad idea).
Re:OK, enough! (Score:5, Interesting)
There's a wheel you turn, it has two little handles that flip out to manually turn it. one pilot flies the airplane while the other cranks the handle to trim the airplane.
I am getting sick of repeating this, but that doesn't work at high speeds. Or at least that is what Boeing claims. Boeing says you need to roller coast to get the wheel to spin freely, but I guess you know better than Boeing does. You can blame the pilots for not responding perfectly just like you can blame the driver of a car if Tesla Autopilot grabs the wheel and slams a car into a bridge support at 80mph or jams down the accelerator or turns off the breaks.
But there are ways to recover you say. So what? If the car's computer disables the brake pedal for instance you can let up on the gas pedal and hope for a hill before you hit a turn that is too tight for the speed or an intersection you cannot stop for or maybe you can exit the highway at just the right spot where the grass and terrain are not too rough or too smooth to slow the vehicle down sooner. If someone manages to save themself then great. You are off the hook. But what if they don't manage to save themselves? What if they are not smart enough or good enough? They deserve to die? The passengers deserve to die too? And the vehicle manufacture is totally off the hook?
Negligence is still negligence even if a dead victim might have saved himself by being smarter or quicker or by knowing some secret method. What happened was not runaway trim. It was MCAS. Which was an unknown system at the time of the Indonesian crash. Real runaway trim would probably present differently and anyway the rollercoasting procedure is no longer in the manual. That alone makes Boeing liable even if there were no other problems.
In ET302 the pilots only turned the electric trim back on because they could not turn the wheel. Yes they wasted time wrestling with the MCAS first and at that time they should maybe have known about MCAS, but I am not sure how much data Boeing released after the first crash. I think they were still trying to underplay it and blame stupid foreigners and even if they did release adequate information after the first crash maybe they did not release it in Bahasa Indonesia so that the pilots could understand it fully.
The first officer had a lot more than 60 hours and the pilot had thousands of hours of flight time. He was highly experienced. When a perfectly good aircraft aims itself toward the ground and the pilots are not good enough to stop it I don't blame the pilots. I blame the fucking plane for trying to be an air to ground missile, and I blame the morons who designed the thing so badly and yes they are fucking morons. A child could design a better system than the initial MCAS. That more than anything makes me question the safety of Boeing's newer planes. If that's how they think, if that's how careless they are, how can they design and build safe aircraft? Without a complete overhaul of management I don't see how anyone could trust Boeing to put safety first.
Re: (Score:2, Informative)
As a matter of fact, I spent the entire weekend with experienced 737 captains from major airlines, and engineers in the controls design group. All the controls people agreed it was designed incorrectly, and all the pilots have had other (nonMCAS-related) trim failures, all knew exactly what was going to happen when it did.
You do not turn a system that was running away on you 30 seconds ago *back on*. *That's why they got going too fast to crank the handle*, the solution is to *pull bac
Re: (Score:3)
Without a complete overhaul of management I don't see how anyone could trust Boeing to put safety first.
I won't get into the technical merits of the question here, as I am unqualified. However, the failure of management at Boeing is painfully clear to anyone who has been following the aftermath of these two crashes. They are in a very serious situation, and seem to me to be failing at managing the crisis, rectifying the problem (still grounded!) and, most importantly, restoring trust. I don't get the impression at all that they are transparent and interested in making sure they find any failures in their de
Re: (Score:2)
1. On the max you can't just use manual electric trim. Its automatic trim or manual using the trim wheels
2. On the max the trim wheels are too small to move the stabilizer in some parts of the flight envelope
Manual trim doesn't work.
Re: (Score:2)
Are you a troll or you just a dunce? As has been widely reported, with the electric trim off and well above takeoff speed, human fingers cannot move the trim wheel.
Re: (Score:2)
There is a perfectly workable recovery method that has been used for decades for runaway trim failures - turn off the trim system
You'd think with a story that had been covered and analysed so often on this very site that someone with a relatively low UI would understand why this doesn't work even without actually researching the topic.
If you'd have posted nothing at all we'd all be thinking more highly of you, but sadly you have just demonstrated not ignorance, but rather the result of a malevolent campaign to keep yourself stupid. Well congratulations, your campaign succeeded.
Re: Southwest (Score:4, Insightful)
The copilot had 200hrs (yes, incredible) but the pilot had thousands similar to western countries.
It's possible the 1 critical sensor on the plane is more prone to failure in certain settings less found in the US.
Looks like Boeing will have to pay a lot. Perhaps Trump is gonna have to ban other airplane manufacturers from the US in order to save it.
Re: (Score:2)
Perhaps Trump is gonna have to ban other airplane manufacturers from the US in order to save it.
Why do you think Trump is tariffing the EU? See if you can find an EU tariff story that doesn't also mention Airbus.
Re: (Score:2)
For a start, the Southwest planes include the sensor disagreement warning. But it's possible that they just never encountered the conditions that activated the MCAS. Although damage to the AoA sensor is quite common, maybe Southwest planes have never received damage to the one critical AoA sensor that activates MCAS. Whatever the case it is clear that pilots who fly the 737 Max from many airlines including ones in the United States, did not know about the MCAS system as it was not even in the manual! Th
Re: (Score:2)
For a start, the Southwest planes include the sensor disagreement warning. But it's possible that they just never encountered the conditions that activated the MCAS. Although damage to the AoA sensor is quite common, maybe Southwest planes have never received damage to the one critical AoA sensor that activates MCAS. Whatever the case it is clear that pilots who fly the 737 Max from many airlines including ones in the United States, did not know about the MCAS system as it was not even in the manual! There are a lot of American pilots who are deeply concerned about this, angry even. It might just be dumb luck that we didn't have a crash in North America.
Problem number one is designing a plane that needed MCAS.
Oopsies make that, modifying a good plane to cheap out that ended up needing MCAS.
It does seem a little odd that the pilots wouldn't notice the raising of the engines bringing the intake shroud into the lift of the wings at high AOA. Other changes might not be so obvious.
One does not simply mess with things like that without changing the flight characteristics of a plane. It did, and MCAS was the intended solution. Here we are.
Re: (Score:2)
Fuck off, Boeing troll.
Re:Southwest (Score:5, Insightful)
Most of Southwest Airlines Boing 737 are older 737-700 and 737-800, which use a different trimming system with two sensors.
Re: (Score:2)
Why is it that Southwest flew the same plane for so many hours, without any incident?
That would be for a different reason that the other planes smacked the ground... did I answer your blatantly-disingenuous and retardely-phrased question with proper semantic relevance??
Re: (Score:2, Insightful)
How in the fuck was it "mass murder"? It was a mistake, actually a series of mistakes, that ended in crashes. Had any of the individual mistakes not happened, the crash wouldn't have happened.
It's tragic and unfortunate, but imbeciles getting themselves worked into a foaming-at-the-mouth hissy fit about it will solve exactly nothing.
Re: (Score:2)
Call it "criminally negligent homicide" on a mass-scale if you want. It most decidedly was that.
Classical, well-known and well-established principles of reliable and safe general engineering and of reliable software engineering for safety-critical systems were grossly and willfully ignored in a system that obviously can kill a lot of people if it malfunctions.
Re: (Score:2)
Makes a lot of sense to me. Actual engineers do usually understand safety and risk management because it is a large part of engineering education. In particular, real engineers understand that when you mess with the system you have to re-verify all assumptions.
I firmly believe that if you make technological decisions you are not qualified to make and end up killing a lot of people, you, your boss and the one that set this policy (generally the CEO) belong into prison for a life-sentence.
Re: Southwest (Score:2)
Sorry, but that's the role of the product team. If I'm developing software to spec, and that spec is designed to kill people (say I'm working on a military drone), then that liability is on the product team for designing and developing a drone, not on the coders who did their job well by meeting spec.
Re: Southwest (Score:2)
its pretty easy when you consider the long history of American Corporations putting profit before people.
and all you have to do to get people to ignore it.
Is tell them the worlds most dangerous airframe.
Is actually the safest.
Re: Southwest (Score:2)
Re: (Score:3)
Last I heard, the manual procedure for runaway trim doesn't work because the smaller trim wheel can't move the horizontal stabilizer.
Re:Chinese propaganda and mediocre pilots (Score:5, Insightful)
How is your Boeing stock? Not as bad as you thought? Anyone who blames the pilots for these accidents completely is quite obviously insincere. Yes probably much better and vastly more intelligent pilots could have saved those flights, although it would still have been an entirely unnecessary close call with death for hundreds of innocent people, but it would be better to have planes that don't require genius level pilots not to crash and explode into tiny little pieces whenever a sensor fails. This can be easily accomplished by not putting retards in charge of your flight control software and make no mistake retards did design MCAS whether it was the management or the software engineers who are at fault here. Almost certainly management, but no way are they going to not scapegoat someone else for their own bad decisions that made Boeing planes all crashy deathy. Put another way, by using smart people to design the flight control software you don't need even smarter people to keep the planes from crashing on purpose. With good enough software even a well trained monkey could fly the plane at least well enough not to kill everyone.
Re: (Score:2)
How is your Boeing stock?
21% down from before the crash, but no worries, Orangeman's EU tariffs are helping keep Boeing afloat.
Re: (Score:2)
Oh man...I would love to see that. Do you think you could track down a link or title and post it here on the next Boeing story?
In theory though all they had to do to disable MCAS was extend the flaps a little or engage autopilot on the other side. The Lion Air pilots didn't know about MCAS, but the ET302 pilots may have. I am not so sure about slowing down or rollercoaster maneuvers at those altitudes though. I would love to see that simulated though. I'd like to suggest that to that Mentour Pilot youtube g
It's the whole process (Score:2)
Boeing have abandoned any forms of quality assurance. This can only come from the top. We're talking board level, and it goes right back to late 1990s.
Re: (Score:2)
Boeing have abandoned any forms of quality assurance. This can only come from the top. We're talking board level, and it goes right back to late 1990s.
They have stockholders- they can't be bothered with fixing profit-eating flaws!
I've seen companies go out of business (and left them) because of shortsightedness. At one company, to the general manager I suggested a really good long-term fix for a major production problem and his response was: "gotta eat" (meaning, we don't care about tomorrow- we need $ today.)
Re: (Score:2)
Re: Money quote (Score:2)
Re: (Score:2)
Watch this video [youtube.com]. It was really more about badly designed software than anything else. The larger and higher mounted engines are not really a big deal and neither would MCAS have been if the software had been designed properly. I am not a very experienced programmer myself but there is no way I would have designed control software for a life or death system without sanity checks or sensor data redundancy. Nor would I have allowed it to exert so much control that it could actually crash the plane. It was bas
Re: (Score:2)
Reading how MCAS works, it looks like an student designed it.
while (inAir) {
if (AoA > threshold) {
trim(down,5)
}
sleep(10)
}
"Oh the airplane has two AoA sensors? I have no idea why, I only need one. Oh, just switch between them for each flight, that should distribute the wear evenly."
Re: (Score:2)
I am not a very experienced programmer myself but there is no way I would have designed control software for a life or death system without sanity checks or sensor data redundancy.
Yes, but if you would have been "involved" you only would have written a very small part of that software (even under the consideration that it is most likely "just a few lines of code"). In other words: you as "programmer" have no real influence on the whole system.
Nor would I have allowed it to exert so much control that it cou
Re: (Score:2)
Yes, but if you would have been "involved" you only would have written a very small part of that software (even under the consideration that it is most likely "just a few lines of code"). In other words: you as "programmer" have no real influence on the whole system.
Probably true but we don't yet know those sorts of details. For all we know they outsourced the programmers from India or something. I just meant that if I did have full authority to write the control software myself I would have done sanity checks and used the data from all sensors available instead of just one. Basically I would have written the software pretty much like it is now with the update. I just don't understand why it was not done that way originally. I hope such details will come out during the
Re: (Score:2)
Although we don't really know for sure yet, from what I read I don't think the Lion Air pilots even managed to get that far in their troubleshooting before missiling into the sea. They were probably panicked and not thinking clearly and they had very little time due to their low altitude of only 3000 - 5000 feet. Being that low and having the plane mysteriously nosing down suicidally could make almost anyone panic. You'd have to be cool-headed and calm and yet fast-thinking and a good high intelligence trou