
NYT: Deadly 'Misguided Assumptions' Were Built Into Boeing's 737 Max (nytimes.com) 257

The automated MCAS system in the Boeing 737 Max played a role in two fatal crashes.

But today the New York Times reports that a year before they'd finished developing the plane, Boeing "made the system more aggressive and riskier," and that "test pilots, engineers and regulators were left in the dark about a fundamental overhaul." While the original version relied on data from at least two types of sensors, the ultimate used just one, leaving the system without a critical safeguard. In both doomed flights, pilots struggled as a single damaged sensor sent the planes into irrecoverable nose-dives within minutes, killing 346 people and prompting regulators around the world to ground the Max. But many people involved in building, testing and approving the system, known as MCAS, said they hadn't fully understood the changes. Current and former employees at Boeing and the Federal Aviation Administration who spoke with The New York Times said they had assumed the system relied on more sensors and would rarely, if ever, activate. Based on those misguided assumptions, many made critical decisions, affecting design, certification and training...

The company also played down the scope of the system to regulators. Boeing never disclosed the revamp of MCAS to Federal Aviation Administration officials involved in determining pilot training needs, according to three agency officials. When Boeing asked to remove the description of the system from the pilot's manual, the F.A.A. agreed. As a result, most Max pilots did not know about the software until after the first crash, in October.... While the F.A.A. officials in charge of training didn't know about the changes, another arm of the agency involved in certification did. But it did not conduct a safety analysis on the changes. The F.A.A. had already approved the previous version of MCAS. And the agency's rules didn't require it to take a second look because the changes didn't affect how the plane operated in extreme situations...

The disasters might have been avoided, if employees and regulators had a better understanding of MCAS... Safety analysts said they would have acted differently if they had known it used just one sensor. Regulators didn't conduct a formal safety assessment of the new version of MCAS. The current and former employees, many of whom spoke on the condition of anonymity because of the continuing investigations, said that after the first crash, they were stunned to discover MCAS relied on a single sensor.

"That's nuts," said an engineer who helped design MCAS.

"I'm shocked," said a safety analyst who scrutinized it.

"To me, it seems like somebody didn't understand what they were doing," said an engineer who assessed the system's sensors.

  • single sensor well the single ceo can do some hard time.

  • Missing the point (Score:5, Informative)

    by ugen ( 93902 ) on Saturday June 01, 2019 @07:11PM (#58693070)

    It does not matter how many sensors are feeding this "system". The concept itself is faulty and deadly. Any talk of sensors is simply misdirection, probably by Boeing.

    In case anyone missed this, let me recap the entire chain of cock-ups that led to where we are now:
    1. 737MAX has larger engines (that are really not suitable for this airframe)
    2. These engines had to be moved forward of the wings and slightly up to fit.
    3. Because of their size and location, under certain angles of attack, these engines will start producing additional lift. I.e. once a plane points "up" at a certain angle, it will get pushed up even faster (potentially a positive feedback loop)
    4. In addition to actual airframe motion, due to this pitch moment, it becomes progressively easier to pull on the yoke as angle of attack increases. This means that a pilot can more easily pull the plane out of its safe envelope.
    5. One of the certification requirements is that what is described in point 4 cannot happen (i.e. the force needed to pull the yoke should not decrease with angle of attack).
    6. So, to satisfy that certification requirement (and not to actually make plane more envelope stable, btw - as you may have thought), Boeing needed a solution.
    7. Now, as this is an ancient airframe and an ancient mechanical system (with a sprinkling of FBW), Boeing could not simply "adjust the feel" of the yoke (and, likely due to cost and complexity did not want to spend an effort on at least a purpose built system).
    8. So, these "engineers" decided that the best way to adjust the minute feel of the yoke, is to control the plane's AOA using its largest flight control surface - the slowly moving elevator.
    9. They also decided, for reasons that have never been explained, to change the behavior of elevator controls. In previous 737 generations there were two switches:
        One switch to turn off automatic (autopilot, autotrim) control of elevator
        Another switch to turn off any electric trim (at which point elevator trim would have to be controlled manually by spinning a big wheel in the middle of the cockpit).
        That means a pilot can turn off the autotrim, but still use electric servomotors to control the elevator (which makes elevator control much easier, as it requires a lot of force to move at high speeds)
        737MAX, however, has only one switch. That switch turns off BOTH the autotrim and the manual electric trim. To put it simply, there are now only two options - either automatics can control the elevator, or pilot must crank a handwheel if s/he wants to control elevator trim.
    10. To add insult to injury, possibly due to changed wing configuration, at certain speeds and angles of attack, manual forces required to move a trim wheel are outside the human capability (i.e. - the wheel will simply not budge).

    All of the above points cannot be fixed in software, no matter what Boeing PR will tell us. Keep this in mind.

    • by Brama ( 80257 ) on Saturday June 01, 2019 @09:09PM (#58693434) Homepage

      In addition to your points: A major requirement was that the plane must be flyable by pilots already trained for regular 737's without requiring retraining. Hence the inability to make significant changes to the operation of it. Which explains some of the 'out there' design choices.

      • Yes, indeed. This Medium article by Gregory Reed Travis, a pilot and software developer, I think covers the entire situation pretty well, https://medium.com/@gregoryree... [medium.com]
      • Re: (Score:2, Informative)

        by Anonymous Coward

        I heard Boeing were deciding between 737 MAX and a new design (inheriting 787 technology). They hadn't made any announcement either way..

        Except then this press release [aa.com] came out.

        Rumor is, it's this airline that didn't want to retrain and thus they forced Boeing's hand to go with the MAX rather than a new type.

        (Engineers at Boeing, I suspect, would rather have simply started a 797 that was a 737 sized 787. No need for MCAS. Modern aircraft design.)

    • Great post! One detail to correct: the control surface moved by MCAS is actually the entire horizontal stabilizer, which explains why MCAS was able to completely overpower the elevator.

    • 10. To add insult to injury, possibly due to changed wing configuration, at certain speeds and angles of attack, manual forces required to move a trim wheel are outside the human capability (i.e. - the wheel will simply not budge).

      In Ethiopian (maybe in Lion, not sure), the pilots had left the engine in take-off full throttle leading to near supersonic speed. Had they reduced thrust, the hand cranking may be well within the human muscle ability. So still there is room for "pilot error". Sure they had less altitude to play with; but if no speed, the jack-screw may not have got stuck up tight.

    • You have a few mistakes there.
      First, all 737 have an elevator feel unit, so they could adjust the feel of the yoke. But it is an analog computer, so they didn't bother.
      Second, a 737 max still has both switches. But the MCAS can only be disabled by cutting all electrical power to the trim motor.

    • ugen [slashdot.org]: “It does not matter how many sensors are feeding this "system". The concept itself is faulty and deadly. Any talk of sensors is simply misdirection, probably by Boeing.”

      Absolutely brilliant analysis of the MCAS fiasco, better than anything I've read in the media. And as you pointed out what is posted in the media is self serving excuses by Boeing trying to deflect blame elsewhere. eg. The airlines wouldn't buy an extra angle of attack sensor etc.
  • by ErichTheRed ( 39327 ) on Saturday June 01, 2019 @07:35PM (#58693146)

    Both hardware and software systems are getting way more complex now, with tons of inputs and the potential to fail. Any system that could cause an unsafe condition needs to have a way to override it that's easy to activate and leaves things in a safe state once you do. With all the testing and certification that go into avionics it's surprising something got designed that doesn't function like that. I wonder if the engineers who design these systems have any flight experience at all, or aerospace engineering experience, or if they're just coding to a spec someone passed along third-hand to them.

    I'm in IT systems engineering and the trend towards automating all the things is great but IMO we have similar issues. My brother is a software developer and he's admitted to me that he has zero clue how most of the CI/CD pipelining stuff he checks code into does what it does. It's almost as easy as writing the code, writing the right test, pushing the magic button and everything's in production...but very few people have the knowledge of how the system actually does things under the hood. As we get more and more people entering the field who don't understand how basic compute/network/storage and communication protocols work, I wonder who will know how to fix something when the automation goes haywire and stops working.

    • by bobby ( 109046 )

      I agree 100%. I'm amazed at how many people here (and other tech boards) think the opposite- that humans make the mistakes and machines are much faster and better. Maybe, but who is to decide whether there is a malfunction? If someone is willing to put big $ into multiple redundant systems and computers, like the Space Shuttle had, then okay, but when there's 1 sensor per pilot seat, I'd rather put my life in the pilot's hands. His (or her) life is also on the line- usually a good incentive to make corr

    • by az-saguaro ( 1231754 ) on Sunday June 02, 2019 @08:04AM (#58694828)

      What you say has the ring of truth. I am in neither aviation nor IT. I am in medicine where the same thing is happening. Technology should be a tool, not a toy. Instead, technology has become an indulgent plaything where we develop high tech gizmos for the sake of developing them, because we can, not because we should, very often by entrepreneurs, executives, and technologists with no knowledge of the primary subject or the professional corps they are selling to. The idea of minimizing man-in-the-loop has gone too far.

      In medicine and surgery, we see a lot of good that comes from a lot of new technology, but also certain problems for which failure rates (not getting the desired result or cure) and complication rates (having unanticipated adverse effects) are on an exponential rise. These rapid upticks in problems are confirmed in published studies, and lawyer websites are making money suing companies for bad designs, but the companies keep pumping out fallacious and faulty products while surgeons get their education more and more from the companies rather than their schools and (so called) learned societies. You can appreciate it at the moment because of the current legal activities against companies making narcotics, where the companies, in an environment of lax or corrupt oversight, can make a market out of deadly products that in prior decades were not needed for effective care, and doctors were not asking for a better mousetrap.

      Technology is fun and beguiling, but when it is an end unto itself, and the result is less skill, less education, and worse results than when knowledgeable professionals take the reins or the rudder, then technology has gone too far. As in, like, social media, instead of actually just talking to someone.

  • Two is one, one is none.

  • Could we please redo this poll [slashdot.org] just to gauge how much public confidence has either increased or decreased in the 737-MAX the last few months?

    This isn't the same as Samsung's exploding phone fuck up. The Aircraft business is all about safety and confidence.
    It'll be interesting to see just how damaging this becomes in the long term.

    It has probably never been safer to fly in a Boeing as right now only because Boeing can't afford to see another of its birds crash and burn.
    I don't think they could survive anothe

  • >A year before the plane was finished, Boeing made the system
    >more aggressive and riskier. While the original version
    >relied on data from at least two types of sensors, the
    >ultimate used just one, leaving the system without a
    >critical safeguard. In both doomed flights, pilots struggled
    >as a single damaged sensor sent the planes into
    >irrecoverable nose-dives within minutes, killing 346 people
    >and prompting regulators around the world to ground the Max.

    "the ultimate (MCAS) used just on

  • by rsilvergun ( 571051 ) on Saturday June 01, 2019 @07:49PM (#58693198)
    "Cost cutting Measures".
  • by BytePusher ( 209961 ) on Saturday June 01, 2019 @09:09PM (#58693438) Homepage
    And let management put profits before the lives of employees. Boeing spent years trying to burn their own house down, because the employees had too much power to steer the company. They used transparent threats about corporate takeover boogeymen and moved operations to states that were less union friendly for years. One thing I think we've all learned, we can trust the rich and powerful to make ethical choices about our lives! https://www.bloomberg.com/news... [bloomberg.com]
  • Boy, how Boeing has fallen. Once the proud builder of airlines, they thought that they, and a couple other builders WERE IT and they are "too big to fail" and could pretty much do anything they want. Sad as it is, I hope this kicks them in the pants, but, the suits won't be hurt, the WORKERS are the ones that will suffer!
  • Many blame self regulation, or too little, another question to ask, is does it take too long for them to develop a new airframe to accommodate the larger engines because of over regulation. I don't know, it sounds to me that a new body should not take that long as they are not really doing a ground up redesign, just reshaping the body. Maybe I am missing something here. Boeing's timelines for this seem to indicate it would take a decade to do a new body. How much of that is due to regulations and paperwork.

    So

  • While there appear to be specific and serious mistakes that Boeing made here, I think the root cause is a general lack of understanding of how to certify complex systems. When controls become this complex, there is no practical way to test all of the possible failure modes. This is obvious but non-lethal in the constantly uncovered bugs in consumer electronics. It's not clear that an expensive but low volume system like an aircraft autopilot can actually have more testing time than a low cost, but high v

    • The root cause is the flying museum piece of an airframe, everything else is just a contributing factor. Well, and there is another cause deeper than that, where corporate greed resulted in an unsafe airframe.

  • by Anonymous Coward on Sunday June 02, 2019 @02:44AM (#58694168)

    First, a caveat: I have worked in avionics and even indirectly with Boeing, a company I even like and [mostly] have admired.

    My eyes on some of this stuff, however, were opened years ago while working for a smaller firm on some avionics. The FAA was all over the project, reviewing every assumption and every line of code and all tests, etc. Nothing that appears to have happened with the 737Max and MCAS would ever have withstood even the first meeting with the FAA people. While dealing with all this stuff, I had the occasion to discuss it with a Boeing guy I knew and had worked with and I learned that the FAA allowed Boeing to have their own internal guys get trained and certified by the FAA and then those guys could do the reviews and sign-offs. In other words, Boeing was effectively self-certifying. I believe the same thing was happening at all the biggest aerospace firms.

    This is tied to regulatory capture, where early entrants to a market get in before the government regulates it, then they encourage government to hyper-regulate (which suppresses any new competitors from even entering the market) and even help the government write the regulations, and as early-in-the-market experts they are not regulated as harshly as any newer entrants.

    The big boys of the industry were presumed qualified and experienced, both because they'd been doing it for decades, and because they'd even helped the government figure out how to do it. With Boeing as the sole airliner builder in the US, it's vital to government that their stuff is approved. The same thing is probably true in Europe over Airbus - and of course because the US and the Europeans are critical NATO allies and big trading partners, it's vital to the US to accept the European Airbus stuff, and for them to accept the Boeing stuff. Maybe this incident will finally change that and regulators on both sides of the pond will return to scrutinizing airline builders at least as much as the makers of small planes and smaller vendors of aircraft parts.

    Ronald Reagan once famously said that freedom is always a single generation from being lost - the idea being that each generation needs to learn about it and value it enough to properly defend it. There is a corollary which applies here: The people at Boeing today are not the people who designed and built the DC-3, the 707, the 727, the 747, etc, just as the Boeing space division people who brag about their history in spaceflight are in fact not the people who built Apollo or the Shuttles. The current Boeing teams are a newer younger generation and they need every bit as much regulatory oversight as any mom-and-pop shop making parts for home built planes, or anybody at SpaceX trying to orbit a human for the first time (in fact there's probably more actual experience with space capsules at SpaceX these days, where numerous cargo Dragons have flown to and from and been docked at the ISS, than at Boeing) - they are not the genetic inheritors of the experience of the old Boeing people any more than the kids of today have genetically inherited a commitment to freedom and liberty (evidenced by the millennials who want speech they disagree with banned).

  • by account_deleted ( 4530225 ) on Sunday June 02, 2019 @06:57AM (#58694682)
    Comment removed based on user account deletion
