back to article UK joins growing list of territories to ban Boeing 737 Max flights as firm says patch incoming

Britain's Civil Aviation Authority (CAA) has banned all Boeing 737 Max flights in UK airspace after a second fatal crash of the type near Addis Ababa in Ethiopia last Sunday killed all 157 people on board. Meanwhile, Boeing has promised to issue a software update for an under-fire part of the 737 Max flight control suite. …

  1. Blockchain commentard

    Wonder if Boeing is going to start doing a patch Tuesday for their kit?

    1. Steve Knox
      Happy

      We've downloaded some updates for your plane.

      Pick a time to restart your plane to finish installing these updates.

      1. big_D

        Re: We've downloaded some updates for your plane.

        Restart now.

      2. Solarflare

        Re: We've downloaded some updates for your plane.

        "These updates have been labelled as safety-critical, your plane will be automatically restarted in 10 minutes"

      3. Kez

        Re: We've downloaded some updates for your plane.

        Your plane will be automatically restarted in 30 minutes to finish installing updates. Please save your work, and pick an emergency landing spot or begin inflating life rafts.

        1. Waseem Alkurdi
          Joke

          Re: We've downloaded some updates for your plane.

          Then reboots in 10 minutes. Yes, it's running embedded Windows 10.

          (Would be ironic if it did though)

    2. Anonymous Coward
      Anonymous Coward

      "This is your Chaplin speaking"

      [Old Private Eye speech bubble on DC10's]

      1. M.V. Lipvig Silver badge

        Re: "This is your Chaplin speaking"

        Hi Charlie, how's the comedy business these days?

    3. Ian Michael Gumby
      Boffin

      @Blockchain commentard...

      While I appreciate your joke, I have to ask a serious question...

      Will some one do an audit of the individuals who worked on this kit?

      Seriously I'd love to see their backgrounds and if they are truly software engineers. (Have an engineering degree from an accredited US Engineering school. (US because BA is a US company) )

      No joke. I mean going back almost 30 years ago, I was assigned to a project to develop a specialized RTOS and an application to monitor water purification. While it was one of my favorite projects, the only reason I was selected was that I was the only Software Engineer available at the time to do the work. (Talk about luck of the draw).

      I have to wonder how much time, thought and energy went in to the design and testing of this code / sensor.

      If I were Boeing... I'd do it because its going to be the first thing the FAA and the queue of lawyers are going to want to see.

      And this is a bit scary and hits home because I'm on a jet twice a week to and from client(s).

      1. Cederic Silver badge

        Re: @Blockchain commentard...

        I think it would be unfair to blame software engineering for this one. It's a multi-disciplinary failure and you wouldn't for instance expect software engineers to have aircraft user interface design expertise.

        I'm reluctant to blame anybody for this type of thing. It's a fatal fuck up but shit happens. Lets understand, learn and work to minimise a repeat.

        Crucifying the poor cunt that implemented precisely what was asked is not going to achieve that.

        1. Ian Michael Gumby
          Boffin

          @Cederic Re: @Blockchain commentard...

          I'm not out for crucifying anyone.

          But the fact is ... lives were lost.

          Who did what and when is important.

          Who was involved in terms of aeronautical engineering and software engineering.

          The center of gravity change is significant ... what do the engineers have to say and what was documented.

          Then you have the sensors and also the software controls.

          Its not a question of blame, but to find out what went wrong and fix the process so that it doesn't happen again.

          To be clear, this audit will occur because the FAA, lawyers and the company will demand it.

  2. DCFusor

    An already safe...

    I haven't run the numbers, but given the small number of these so far, and the corresponding small number of flight hours, wouldn't the crashes so far put this among the very most dangerous commercial aircraft in the past few decades? The "optics" seem really bad here.

    1. Banksy

      Re: An already safe...

      Already safe....apart from all the dead people.

      1. Yet Another Anonymous coward Silver badge

        Re: An already safe...

        It depends.

        If each new 737 variant is a completely different new aircraft when it comes to crash statistics then the later variants have had very few accidents - the -800 a couple and the -900 none (IIRC)

        Considering the number of 737s flying and that they mostly do short commuter hops with lots of take offs and landings they are amazingly safe.

        If you include all the early models with their somewhat distressing tendancy for control surfaces to fall off then ....

    2. martinusher Silver badge

      Re: An already safe...

      That's the wonder of Modern Marketing. By referring to this plane as a "737" people just assumed it was another sort of 737 instead of an entirely new plane. Boeing just piggybacks on the reputation of the long established workhorse instead of having to build from the ground up.

      Why would I think of it as an entirely new aircraft? Its true that its roughly the size and capacity of the 737 that it replaces but its got a completely different main wing and flight control systems. The original 737 came from an era where planes were flown by people -- there were literally physical connections between the cockpit controls and the flight surfaces. These sorts of planes have to be inherently stable. The design isn't as efficient as we can make these days, though, so the temptation is to use a very high efficiency airfoil and make up the consequent loss of stability with avionics. This is a whole new game, though. (Disclaimer -- I'm not an aeronautical engineer although I do know quite a bit about sailplanes and their high efficiency airfoils; like most of us on this site I also know quite a bit about the pitfalls of software systems design, execution and testing.)

      Boeing rushed the 787 into service without fully wringing out the bugs. This resulted in a six month grounding while problem of battery fires was brought under control (fortunately that didn't result in fatalities.) They need to figure one this out, and not just a quick "Hail Mary" patch. It probably won't do much harm to the company long term.

      1. bazza Silver badge

        Re: An already safe...

        The marketing was helped by the pilot's manuals making no mention of MCAS whatsoever. You can imagine the surprise in the piloting community after its existence came to light after the Lion Air tragedy.

        This one is different to the 787 - several hundred people are tragically dead. Also worse than 787, Boeing and the FAA have lost the confidence of the rest of the world's aviation regulators. The high degree of trust that's been carefully built up over generations of engineers and regulators has been destroyed in just a few months.

        That means no return to flight in, say, the UK until both Boeing and the FAA have convinced the CAA that the problem has been fixed properly. And the same in France, Germany, etc etc.

        That's going to take a very long time to do. It's going to be very expensive. It can easily result in different designs upgrades being required in different countries, meaning there's no common design that's permitted to fly everywhere.

        It's a total f*****g disaster for Boeing's commercial prospects. It's not like Boeing are flush with cash, they've been cheerfully paying out a share-price-boosting dividend without any real evidence to suggest that their revenue can support it and cover off disasters like this, especially when their accounting practice seems to involve something termed deferred costs...

        It might be cheaper to replace the MAX with A320neos, for both Boeing and the airlines.

        1. Waseem Alkurdi

          Re: An already safe...

          replace the MAX with A320neos, for both Boeing

          Imagine General Motors (back in the 2000s and the failing ignition switches, or the '70s Ivey "your life is worth $200K" Memo) giving out Toyotas and Nissans to folk.

          Ahhhh ....

    3. John Jennings

      Re: An already safe...

      Technically, the DeHavelland Comet is more reliable at this point. 2 were lost after a year in service.

      There were plenty of those made in the end - including the Nimrod - as soon as they discovered that punch rivets were not a good idea on a pressurised hull.....

      1. Mooseman Silver badge

        Re: An already safe...

        "as soon as they discovered that punch rivets were not a good idea on a pressurised hull....."

        And square windows.

      2. anothercynic Silver badge

        Re: An already safe...

        Ouch!

        It was more the squared windows than the punch rivets... But your point is nonetheless very valid.

        1. werdsmith Silver badge

          Re: An already safe...

          The discovered the syndrome of metal fatigue in the pressurised hull and enabled the rest of the airliner industry.

      3. Stoneshop

        Re: An already safe...

        Technically, the DeHavelland Comet is more reliable at this point. 2 were lost after a year in service.

        Just looking at the number of crashed aircraft done in by a particular failure, yes (there had been two other write-offs before that, but those were respectively an actual pilot error on takeoff, and structural failure of the main wing spar in a severe thunderstorm). But crashes are usually counted against either flown distance, number of takeoffs and landings, or passenger-miles, depending on what metric you're interested in. Comet just reached 112 aircraft total with a fair number of them built after the 1954 losses; there are over 350 MAX8's in operation already (well, maybe not at this moment, IYKWIM). So the statistics are slightly different.

        The contenders for 'worst aircraft accident stats' are probably the Caproni CA60 (one built, only a single short flight, pilot unhurt, plane totalled) and the Caproni CA48 (again only one built, wing failure at 1000m altitude, 14 fatalities)

        1. CrazyOldCatMan Silver badge

          Re: An already safe...

          'worst aircraft accident stats' are probably the Caproni CA60

          Closely followed by the Lockheed F-104 Starfighter. AKA "Widowmaker".

          1. Cederic Silver badge

            Re: An already safe...

            I think the Me163 deserves a dishonourable mention here.

    4. werdsmith Silver badge

      Re: An already safe...

      I am wondering how it feels to be a SWA customer getting on board a 737-800 MAX this morning and if they are watching every change of pitch during climb out.

      1. anothercynic Silver badge

        Re: An already safe...

        @werdsmith, there is no 737-800 MAX. It's either a 737-800, or it's a 737 MAX 8. They are different models. The -800 is fine. It continues to fly. The MAX 8 is grounded.

    5. Ian Michael Gumby

      @DC Fusor Re: An already safe...

      I think the issue is that while its not a completely new aircraft, there are significant changes.

      AFAIK the airframe is basically the 737 however they have larger engines which are more fuel efficient and there's a change in the center of gravity.

      If the issue is as they suspect, the sensors are set up to keep the plane from having the nose rise to quickly and end up in a stall situation.

      The current 'fix' is to turn this off during takeoffs where you're climbing quickly.

      If the pilot doesn't, then he's going to be fighting the nose up / auto down and at low levels ... boom into ground. (At least that's what is being said on the news)

      With respect to the other crash... there was a question about a bad sensor that was replaced prior to the accident. This begs the question if that it wasn't a bad sensor but the software that controls the input in to the auto pilot that was bad.

  3. Steve Todd

    The reason that the Max series need MCAS

    Is because they've changed the position and size of the engine nacelles and pylons in order to fit larger engines. This tended to cause the aircraft to nose up in some circumstances, which could cause a stall. MCAS is there to trim nose down if it detects that, but in a fit of genius Boeing saw fit to have only two AoA sensors, not three. If one is faulty how can the software detect which one?

    1. Steve Todd

      I forgot to add

      The reason that Boeing could get away with this is, because the 737 Max series are supposedly an upgrade to an existing type, they don't have to go through the full type certification process. It's unlikely that they'd get a Max through the full process in its current form.

      1. Charlie Clark Silver badge

        Re: I forgot to add

        Yes, it will be interesting to see what happens if the software is identified as being at least partly at fault. Difficult to see that not leading to a landmark judgement about the liability of software. Of course, as long as it was just people from south east Asia, er, test driving the software, there was always the hope that no one would lawyer up. Could be different for the Ethiopian flight which, unfortunately, had UN people on board, and where the flight recorder could end up in Paris.

        Note, I am not making light of the tragedies nor even really pointing the finger at Boeing, which has still has an enviable safety record. In fact, one of the consequences of the near duopoly of Boeing-AirBus has been fantastically safe planes. But the idea of Boeing rushing to offer a software patch should have everyone worried. In fact, the FAA should seriously consider forcing a complete recertification or otherwise leave itself open to court cases for certifying the planes as safe to fly. Pretty certain some countries will require new certification in any case.

        1. Waseem Alkurdi

          Re: I forgot to add

          Difficult to see that not leading to a landmark judgement about the liability of software.

          We humans are, frankly, assholes, because we only learn when people die. Cars, aircraft, and now software. Why not get it right the first time?

          Could be different for the Ethiopian flight which, unfortunately, had UN people on board, and where the flight recorder could end up in Paris.

          Is it not unfortunate that the Ethiopians were onboard as well? I'm not following here.

          1. Charlie Clark Silver badge

            Re: I forgot to add

            Is it not unfortunate that the Ethiopians were onboard as well? I'm not following here.

            I was being slightly facetious: unfortunate in the sense that it bumped the story up in the news cycle, which invariably favours westerners.

          2. anothercynic Silver badge

            Re: I forgot to add

            @Waseem, I totally get what you're saying (being from Africa, seeing Ethiopian having this happen hurts, especially given they have a stellar reputation compared to many of their continental aviation compatriots).

            The UN is special though and having multiple employees killed in a flight (similar to MH 17), can probably invoke additional protocols beyond just a standard accident investigation (usually handled by the country of the airline, the country of the manufacturer and certification authority, and possibly nations of passengers involved in the tragedy). I would not be surprised if they involved the French authorities as well. The global media tends to also sit up when an incident involves Europeans, Americans, or Asians.

      2. Frumious Bandersnatch

        Re: I forgot to add

        It's unlikely that they'd get a Max through the full process in its current form.

        This is Aspartame!

        1. CrazyOldCatMan Silver badge

          Re: I forgot to add

          This is Aspartame!

          No - I'm aspartame!

          (Bitter, slightly unpalatable and not suitable for long-term use due to unexpected long-term issues..)

    2. John Sager

      Re: The reason that the Max series need MCAS

      And how come, based on potentially faulty AoA data, could the system wind the trim beyond the point that the pilot loses elevator control? That just seems mad. Also, if the attitude is pitch negative (i.e. going down), it still assumes it's going to stall. Some serious head-scratching needs to go on in Seattle.

      1. Eddy Ito

        Re: The reason that the Max series need MCAS

        Software taking control away from the pilot? Never I good idea in my book.

        1. Mark 85

          Re: The reason that the Max series need MCAS

          Same goes for self-driving cars, IMO.

        2. Updraft102

          Re: The reason that the Max series need MCAS

          That used to be the one thing that Boeing had over Airbus. Boeing supposedly was of the opinion that they would help the pilot, but ultimately that pilot was the absolute authority at all times. Airbus' attitude was that since pilot error is the largest contributor to air crashes, they would willingly disobey the pilot anytime the on-board computer thought it was a bad idea.

          Now we have Boeing demonstrating specifically why the attitude that their competition supposedly has regarding overriding the pilot is a bad idea.

          1. PhilipN Silver badge

            Re: The reason that the Max series need MCAS

            Some years ago a mate of mine, regular visitor to South Africa, said that after a perfect landing in a 747 in Jo'burg the second officer announced gleefully and with much respect and admiration for his boss that it was the final landing by the captain, due to retire after a long commercial flying career, and done entirely manually i.e. without the electronic whiz-bangs.

            Question from a non-pilot : Don't they train pilots to fly in an emergency without the technology these days?

            1. Anonymous Coward
              Anonymous Coward

              Re: The reason that the Max series need MCAS

              "Don't they train pilots to fly in an emergency without the technology these days?"

              Which "they" do you mean?

              Airbus are pretty much completely reliant on technology, and it is openly acknowledged in their design philosophies etc. The pilot cannot bypass the technology, that capability no longer exists, and that has to be explicitly part of the design->deployment process.

              Boeing in public have been criticising Airbus's reliance on technology, saying that the pilot should always be able to take full control if the need arises.

              Boeing HQ and the US regulators apprear to have lost the plot, at least temporarily, and some of the FAA's equivalents elsewhere (e.g. EASA) appear to have followed suit (see NYT article link below).

              Unfortunately, many people have already lost their lives as a result - whether or not the Air Ethiopia crash had te same root cause as last year's LionAir incident remains to be seen, but in the meantime, readers might find some interesting reading at

              https://en.wikipedia.org/wiki/Lion_Air_Flight_610

              Also worth a look is:

              https://www.nytimes.com/2019/02/03/world/asia/lion-air-plane-crash-pilots.html (3 February 2019)

              e.g. for sections like this:

              "the new engines for the Max were larger than those on the older version, they needed to be mounted higher and farther forward on the wings to provide adequate ground clearance.

              Early analysis revealed that the bigger engines, mounted differently than on the previous version of the 737, would have a destabilizing effect on the airplane, especially at lower speeds during high-banked, tight-turn maneuvers.

              [...]

              [EASA] was inclined to rule that M.C.A.S. needed to be included in the flight operations manual for the Max, which in turn would have required that pilots be made aware of the new system through a classroom or computer course [...] But ultimately [...] the agency did not consider the issue important enough to hold its ground, and eventually it went along with Boeing and the F.A.A.

              When Brazilian regulators published their required training for pilots, they singled out M.C.A.S. as one of the changes that needed to be flagged.

              [continues]"

              1. Mine's a Large One

                Re: The reason that the Max series need MCAS

                "The pilot cannot bypass the technology, that capability no longer exists, and that has to be explicitly part of the design"

                That's not strictly true for Airbus. Simply put, the systems operate in various "Laws" or modes whereby the systems will attempt to protect the aircraft from being flown outside its envelope. They range from Normal Law attempting to protect the aircraft in pitch, roll, speed, load factor and angle-of-attack, through Alternate Law 1 or 2, down to Direct Law which allows the pilot to completely hand-fly the aeroplane in the event of systems failures.

                1. Steve Knox
                  Joke

                  Re: The reason that the Max series need MCAS

                  Simply put, the systems operate in various "Laws" or modes whereby the systems will attempt to protect the aircraft from being flown outside its envelope.

                  The Laws of Aerobotics?

              2. Anonymous Coward
                Anonymous Coward

                Re: The reason that the Max series need MCAS

                > Which "they" do you mean?

                It differs by airline. A friend is a pilot for Air Canada and he says he always does manual take-offs and landings because he feels it is his job to fully understand the aircraft and how to handle it in all conditions. The airline support this view.

                Other airlines recommend full automation all the time. This can have problems e.g. Asiana Flight 214 which came in too low at Los Angeles and struck the perimeter wall. The investigation criticised several things including "Over-reliance on automation and lack of systems understanding by the pilots were cited as major factors contributing to the accident."

                1. AIBailey

                  Re: The reason that the Max series need MCAS

                  "Other airlines recommend full automation all the time."

                  According to a pilot, that's simply not true.

                  And if you’re wondering: a full 100 percent of takeoffs are manual. There is no such thing as an automatic takeoff anywhere in commercial aviation.

                  Ask the pilot <- Very interesting site.

                2. anothercynic Silver badge

                  Re: The reason that the Max series need MCAS

                  Other airlines recommend full automation all the time. This can have problems e.g. Asiana Flight 214 which came in too low at Los Angeles and struck the perimeter wall.

                  San Francisco. It struck a sea wall which is rather more solid than a mere perimeter wall. That was also the first fatal hull loss of... a BOEING 777. Not an Airbus. A Boeing. And it was not particularly the automation at fault (given this was a visual approach), but also Boeing's unnecessarily convoluted documentation for its flight automation system... THAT is what was criticised. It led to the lack of systems understanding by the pilots (which was a contributing factor).

                  Anyone pointing fingers at Airbus over automation and gleefully saying that Boeing doesn't have that problem should look at exactly this incident and Lion Air JT610. :-(

              3. anothercynic Silver badge

                Re: The reason that the Max series need MCAS

                Airbus are pretty much completely reliant on technology, and it is openly acknowledged in their design philosophies etc. The pilot cannot bypass the technology, that capability no longer exists, and that has to be explicitly part of the design->deployment process.

                That is categorically not true. Airbus uses standard flight law, alternate flight law and then only in extreme situations will allow the pilot to make *all* decisions.

                QF32's return to Singapore after the engine explosion was literally the latter... One thing that came out of the QF32 debriefs was that the flight computer was not helping with the number of error messages it was showing, and that was apparently changed.

                The difference between the 737 MAX certification and Airbus' approach is that Boeing convinced the FAA that the fact they needed MCAS to help deal with the change in the CoG and aircraft stability was not something pilots needed to know. Brazil disagreed and insisted that any airlines using the MAX in Brazil would have to specifically train their pilots to be aware of MCAS and how to control/disable it if it failed/misbehaved. EASA was leaning towards Brazil's view but that also changed (no doubt helped by plenty of chivvying from Boeing).

                Airbus is at least very clear about what it does, how it does it, and why it does it. Boeing changed how they did things and showed a lot of arrogance by saying "oh the pilots don't need to know and it won't make much difference in the grand scheme of things". Tell the relatives of JT610 that.

              4. john.w

                Re: The reason that the Max series need MCAS

                Interesting article in NYT and reminded me of the scene in Sully where he challenges the FAA's simulator flight as they did not take into account the pilot's thinking time.

                1. My Alter Ego

                  Re: The reason that the Max series need MCAS

                  Except that it didn't happen that way. The flight scene of the movie was incredibly accurate, but then diverted massively from reality. The NTSB acknowledged that the simulations didn't take human reactions into account, they didn't need Sully to tell them that. In fact Robert Sumwalt (the chair of the panel, and a former A320 pilot) was very complimentary about the CRM (Cockpit Resource Management) and the fact that trying to concentrate with pretty much every alarm going off in the cockpit is incredibly difficult, even in a simulator.

                  Captain Sullenberger actually asked for the real names of NTSB members to be removed from the movie.

                  The problem is that it's really difficult to make two hours of NTSB hearings into a movie that the general public want to watch. I actually watched the NTSB hearing videos (they're on YouTube) as I'm an aviation nerd, and while dry were actually pretty interesting.

                  Now when I hear people say "I didn't know that..." in relation to Sully, I reply with "and I didn't know that the Americans captured the Enigma device until I watched U-571".

            2. Eddy Ito

              Re: The reason that the Max series need MCAS

              Essentially it depends on the plane but for some, perhaps most these days, the short answer is no. Keep in mind I haven't flown for some years due to old eyes and few dollars but some planes are fly-by-wire only meaning there is no mechanical or hydraulic backup. Typically there are "sufficient" redundant computers in the event of a failure, IIRC that's 3 so in the event of one being different it essentially gets out voted and ignored and assuming that two failures on a flight should be exceedingly rare.

              1. PhilipN Silver badge

                Re: The reason that the Max series need MCAS

                Many thanks for the above AC and EI.

                So are you saying that for example with the way commercial aeronautics are going :

                Sully could not have landed on the Hudson? or

                The 747 which crashed in Japan some years ago, after the pilot had lost control of the tail, or the tail itself (I forget which), but managed to manoeuvre for some time on engine power alone (an incredible feat), that also could not happen now?

                If so - God almighty!

                1. Richard 12 Silver badge
                  Unhappy

                  Re: The reason that the Max series need MCAS

                  No, that isn't true.

                  The computers have "normal" mode for when Everything Is Fine, and "alternate" modes for when the proverbial excrement has impacted the air recirculation device.

                  In the normal modes, it does all kinds of clever stuff automatically, to the point where it can technically handle flying and landing almost entirely on its own.

                  As it loses sensors, it fails back to simpler and simpler rules, based on how much information it is sure of.

                  In the worst of the alternate modes, it simply drives the hydraulics exactly how the pilot asked, because it knows that it has no idea what's going in.

                  That's supposed to be the basic concept.

                  Boeing appear to have forgotten this.

                  1. Stoneshop

                    Re: The reason that the Max series need MCAS

                    As it loses sensors, it fails back to simpler and simpler rules, based on how much information it is sure of.

                    The moment it starts singing "Daisy Bell" ...

                2. Mine's a Large One

                  Re: The reason that the Max series need MCAS

                  Sully landed in the Hudson in an Airbus A320 complete with standard Airbus automation. If I recall, the only criticism Sully had was that they system imposed limits on his flare before touchdown (probably because the system wasn't in landing mode) meaning touchdown was harder than it could have been.

                3. anothercynic Silver badge

                  Re: The reason that the Max series need MCAS

                  @PhilipN,

                  Sully flew an Airbus (US1549). Which is, if you were to believe some in this thread, "fully automatic and the pilot can't do *anything*". The fact that Captain Sullenberger was able to put the A320 down on the Hudson well enough to not only keep the hull intact, but have everyone onboard survive the incident (albeit with injuries), should be enough proof that the whole "Airbus is crap because automation" narrative is crap.

                  Incidentally, the Atlas (Prime Air) 767 freighter that went down in Texas recently did so after turbulence and 'stick input'... it appears it pitched up (in turbulence) and the pilot then pushed the control column forward to bring the nose down. It then stayed down until it impacted. The stick shaker that *should* activate in that instance apparently didn't. So... Boeing with its "the pilot is always in control" policy clearly is not infallible either (and the 767 has a shedload less automation than the 787 or the new MAX has).

                  Go figure.

            3. Jude Bradley

              Re: The reason that the Max series need MCAS

              MCAS is an insidious design, pilots were not even told about this "addon", and it was not mentioned in the FCOM.

        3. tip pc Silver badge

          Re: The reason that the Max series need MCAS

          Traction control and ABS are 2 software systems that effectively just work and have saved many many lives by taking control away from the driver.

          New drivers now are not taught how to defeat aquaplaning or preventing wheels from locking under braking due to the reliability of those systems.

          Next time your on a plane and it’s raining on landing you’ll be happy the auto brake helps you stop safely.

          1. big_D

            Re: The reason that the Max series need MCAS

            I nearly had an accident the first time I drove an ABS equipped car.

            It was icy and the car in front lost control. I braked, it locked up, so I automatically went into cadence braking mode, which the ABS also tried to do... I just steered around the spinning car in front, but it was nerve wracking.

            I still don't fully trust ABS, it lengthens the braking distance for a good driver.

            Likewise my current car has a collission warning system with emergency braking system. It leaves things much too late IMHO, I have never tested the system, because I just don't trust it to stop in time. At the most, it looks like it would lessen the impact, as opposed to avoiding the accident altogether.

            1. Anonymous Coward
              Alien

              Re: The reason that the Max series need MCAS

              So, wait, you were close enough to the car ahead of you that you needed special braking techniques not to hit it? Hmm.

              1. big_D

                Re: The reason that the Max series need MCAS

                No, I was on an icy road, which required standard braking techniques for such conditions. Me pumping the brakes and the ABS trying to do the same thing meant the braking distance was longer than either I or the ABS alone would have managed. The problem is, you have to have trust in those systems, for someone brought up without those systems, it is a huge leap of faith to not brake "properly" and trust the car knows what it is doing.

                If I had been too close to the car ahead, I wouldn't have been able to brake and steer around it.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: The reason that the Max series need MCAS

                  If, in order not to hit the car in front of you (or have to steer round & get killed by whatever is coming the other way) you have to pump the brakes or equivalently if you have to brake hard enough to trigger the ABS so it will do that for you then you are too close.

                  1. Anonymous Coward
                    Trollface

                    Re: The reason that the Max series need MCAS

                    Heh, I like the silent downvotes!

                2. JeffyPoooh
                  Pint

                  Re: The reason that the Max series need MCAS

                  big_D "...was on an icy road..."

                  My neighbourhood includes a small hill which can be perfectly icy. My car (W211) is 4Matic and I use Nokian studded tires.

                  Sometimes the slippery ice is covered with fluffy snow, and that can result in the tires 'rafting' (or 'tobogganing') on the compressed snow, so the tire studs fail to reach the ice. Under these conditions, the ABS is the worst pssoble thing because it keeps regenerating endless new rafts of compressed snow under the tires.

                  Thankfully, the ABS on my car allow me to press the brake pedal harder and lock up the wheels. Yes, it's true.

                  I presume that this obscure ABS override feature is only available under certain conditions, such as very slow speed.

                  With the wheels locked up for a couple of seconds, the snow rafts are ground away and the studs can then bite into the ice. It's possible to creep down the hill safely.

                  This whole process of getting safely down the hill under these conditions is highly obscure. Without the ABS override it would be much worse.

                  (Going up the hill is easy as momentum is your friend.)

            2. Salestard

              Re: The reason that the Max series need MCAS

              I can happily report that the auto-braking on the 2015 Volvo S60s works excellently after I was momentarily distracted by a pedestrian whilst approaching a set of lights. Car in front stopped whilst I was still, erm, distracted, and the Swedish Logic Box neatly brought proceedings to a proverbial and literal halt before anything impact-y happened.

              At the opposite end of the scale, the forerunner to the S60 was my 2003 V70R, with an astonishing AWD-Traction-Suspension system - within reason, it was basically impossible to drive outside the thing's envelope. Idiotic cornering speeds aside, the really impressive thing with the safety suite was the adaptive brake assist.

              In essence, it learned your usual braking style, and thus recognised when you were panic braking - at which point it would give you the full benefit of AP 4 pots & 330mm discs all round, wind front suspension up, and stop you and it to the very fullest of its ability. Only triggered it twice in five years, but it was impressive just how hard it could stop, and slightly concerning that even for an experienced aggressive driver of performance cars, how far away I was from being able to consciously brake that hard.

              1. Anonymous Coward
                Anonymous Coward

                Re: The reason that the Max series need MCAS

                Salestard triggered his Brake Assist System.

                I triggered and experienced the Mercedes BAS once while driving up an highway off ramp at *** kmh. The seat belt tightened, the brake pedal was sucked below my foot (felt very weird, like a failure), my head was flung forward and down, the only thing I could see was the speedometer unwinding like the Bid Clock at the Dutch Flower Auction. Oh. My. Gawd. Internal organs actually hurt.

                When the speedometer reached 80 kmh (a perfectly reasonable cornering speed for the upcoming curve), I released the brake and everything went back to normal.

            3. commonsense

              Re: The reason that the Max series need MCAS

              Likewise my current car has a collission warning system with emergency braking system. It leaves things much too late IMHO, I have never tested the system, because I just don't trust it to stop in time. At the most, it looks like it would lessen the impact, as opposed to avoiding the accident altogether.

              The point is that you aren't expected to trust it to stop - it's there if you forget to stop for some reason.

            4. werdsmith Silver badge

              Re: The reason that the Max series need MCAS

              Likewise my current car has a collission warning system with emergency braking system. It leaves things much too late IMHO,

              It's an emergency braking system and I am happy to report that far from leaving it too late, when I found my self in an emergency the brakes were on before I could react and push the brake pedal.

            5. Zimmer
              Happy

              Re: That's the REAL function of ABS !

              ....which the ABS also tried to do... I just steered around the spinning car in front, but it was nerve wracking....

              The ABS is there to give you control of the car in these circumstances, allowing you to brake AND steer with less chance of you locking the wheels and sliding out of control... so it seems it worked very well for you...

          2. elaar

            Re: The reason that the Max series need MCAS

            "Traction control and ABS are 2 software systems that effectively just work and have saved many many lives by taking control away from the driver."

            I regard them as systems that operate to enable the driver to remain IN control. ABS brakes effectively, but allows the driver to steer (somewhat) whilst braking is being performed.

            If traction control is operating, what control has been taken away from the driver? The driver never had control of individual wheel speeds anyway.

            1. MJI Silver badge

              Re: The reason that the Max series need MCAS

              My current car has a pretty good traction control, works very well, can even tackle off road if I wanted, but last heavy snow I also engaged diff lock, it was ridiculously in control of the conditions.

          3. MJI Silver badge

            Re: The reason that the Max series need MCAS

            My last car hit a kerb at low speeds because it would not stop, foot to floor on brake, ABS pulsing and doing eff all.

            In those conditions ABS at 5mph was a total liability.

            Current car reports an ABS failure but it still works.

            Intermittant contact as one of these units with steel soldered

          4. swm

            Re: The reason that the Max series need MCAS

            I hate the ABS system. It materially lengthens stopping distance on snow and can cause accidents under slippery conditions. I haven't found a way to disable the system.

        4. JJKing
          Mushroom

          Re: The reason that the Max series need MCAS

          Perhaps you would like to tell that to Airbus. They did that same thing years ago.

          https://en.wikipedia.org/wiki/Air_France_Flight_296

          1. Mine's a Large One

            Re: The reason that the Max series need MCAS

            Was AF296 caused by Airbus? The pilots flew their aircraft on a low flypast at high-alpha (ie. nose up) with the engines at flight idle, gear/flaps down, and then selected TO/GA too late for them to spool-up to full power and start to climb away from the trees they were heading towards and therefore hit.

            1. Anonymous Coward
              Anonymous Coward

              Re: The reason that the Max series need MCAS

              > Was AF296 caused by Airbus? The pilots flew their aircraft on a low flypast at high-alpha (ie. nose up) with the engines at flight idle, gear/flaps down, and then selected TO/GA too late for them to spool-up to full power and start to climb away from the trees they were heading towards and therefore hit.

              Nearly - they weren't on flight idle but nearly full power. There wasn't enough left to 'power up' and the low altitude + approaching hill prevented the only other option - to nose down.

        5. Anonymous Coward
          Holmes

          Re: Air France 447 all over again?

          While the Air France crash was due to two pilots putting in conflicting controls, it was again impounded by the computer not communicating it's actions well (and the pilots).

          So in this case, could it be, though only pilot to computer in this case, the computer not communicating it's change in trim well? Thus pilots making adjustments/maneuvers, and "strange things" happening, as the automatic system overrides their action.

          You then get a feedback effect, either from the computer, or from the human user, each one trying to adjust the others, each ones action becoming more and more extreme, until one fails.

        6. brainyguy9999

          Re: The reason that the Max series need MCAS

          Software "takes control" away from pilots in all airliners. All fly-by-wire systems take the control out of the pilot's hands. Unless you are flying prop planes, fly-by-wire is necessary.

          I suspect most people get into their automobiles every day and don't realize they really have little control over their vehicle. The vast majority of modern autos are fly-by-wire. The accelerator and brake pedals are only connected to sensor boxes. They are no longer physically connected to carburetors and brake cables. The steering wheel is the same. In most cases, it is connected to a sensor box and the computer drives the electric motor(s) to turn the wheels. There is no longer a steering shaft that physically connects to the front wheels anymore. Pop your hood and see for yourself.

          We all happily go our merry way and don't realize that we have a lot of trust in software when we're racing down the highway.

          1. MJI Silver badge

            Re: The reason that the Max series need MCAS

            Pedals not connected

            Brakes

            Wrong, they are connected hydraulically to the pedal, yes there is a servo but it would take a leak to stop them working.

            Steering

            Wrong, power steering seems to work by a walking beam type system to operate the power bit, no power steering works.

            And there is a nice solid bar with universal joints between the steering column and the steering box

            Accelerator

            Depends, some are, some are Drive By Wire, last car was DBW and had a motor on the throttle body, previous similar one had a cable. DBW advantage was easy cruise control.

            Current is DBW by necessity as it is a unit injector Diesel.

            1. Anonymous Coward
              Anonymous Coward

              Re: The reason that the Max series need MCAS

              "Brakes [...] are connected hydraulically to the pedal, yes there is a servo but it would take a leak to stop them working."

              It would generally take *two* leaks, one on each of the two independent sets of piping and pistons etc, to disable brakes on modern cars (ie those with dual circuit brakes, which appear to have been standard fitting since late last century. Doesn't even need a computer :)

              https://www.howacarworks.com/basics/how-the-braking-system-works

              1. MJI Silver badge

                Re: The reason that the Max series need MCAS

                Seen the following

                Rear drum shattered, piston popped out, huge leak on that wheel.

                Rear circuit drained and front circuit not pressured so no front brakes.

                Hand brake on ONE wheel only.

                That was horrid and a 1970s twin brake circuit car.

          2. Stork

            Re: The reason that the Max series need MCAS

            I am quite sure you are wrong regarding cars. Both steering and brakes must and do work in case of a power failure.

            You got electric parking brakes, but the main brakes are hydraulic like the last many years.

            Likewise there is both hydraulic and electric power steering, but even with the engine off you can turn the wheels..

      2. Anonymous Coward
        Anonymous Coward

        Re: The reason that the Max series need MCAS

        A stall can happen in a dive. Interestingly, with such a circumstance expeditious reaction would likely be more urgent than otherwise. So perhaps automatic recovery based on AOA indication is especially sensible for that case.

        Detecting the failed indication via cross check of other instrumentation (sensors) is more nuanced and complex than it might appear at first glance.

        1. JeffyPoooh
          Pint

          Re: The reason that the Max series need MCAS

          AC wisely noted, "Detecting the failed indication via cross check of other instrumentation (sensors) is more nuanced and complex than it might appear at first glance."

          Yes. That.

          'Connecting the dots' to integrate Avionics can take 10 minutes. Dealing with the failure modes can require the other 99.99% of the engineering budget.

          I've seen it done very well; it took over a year.

      3. Anonymous Coward
        Anonymous Coward

        Re: The reason that the Max series need MCAS

        Stall can occur with pitch down situations.

        Limiting the trim seems like a band-aid. The addition of more AOA sensors is necessary, IMO, to provide enough redundancy for sensor failure mitigation. I also believe that the new configuration of the MAX makes it inherently unstable in certain conditions, which is unacceptable.

    3. Phil O'Sophical Silver badge

      Re: The reason that the Max series need MCAS

      If one is faulty how can the software detect which one?

      Does it have to? If it gets substantially different values from them it just has to light up a big alarm light and disable MCAS. It certainly shouldn't pick one sensor & trust it.

      1. sanmigueelbeer
        Alert

        Re: The reason that the Max series need MCAS

        If one is faulty how can the software detect which one?

        Boeing's soon-to-be-released software patch (for the MCAS) is meant to address this issue. Don't know how the system is going to "coin flip" if two AoA sensors are giving false readings. Which one to trust?

        Another thing is pilot training: FAA directive instructs operators to provide simulator time to pilots in order to get them "acquainted" to this new feature.

        Pilots must also know how to diagnose a potential MCAS issue as well as know how to manually disable MCAS.

        In Australia, there are only two known airline companies operating 737 MAX and they are SilkAIr (an SQ subsidiary) and Air Fiji (QF and VH don't have any).

        As for now, the investigation is still fresh. No one is yet certain that the cause is due to MCAS.

      2. Alister

        Re: The reason that the Max series need MCAS

        @Phil O'Sophical

        As currently configured, the MCAS doesn't compare the inputs from both Angle of Attack sensors, it only works off the one which the currently running Flight Control Computer is using.

        I would hope that part of the forthcoming update would address that and include a comparison, but it's still not ideal. In most aviation control loops, a vote of three is the minimum used to identify a faulty sensor.

      3. Anonymous Coward
        Alien

        Re: The reason that the Max series need MCAS

        That's like a worse version of what killed AF447: plane suddenly panics and drops into some manusl mode, pilots don't understand what's going on, everyone dies.

        1. Anonymous Coward
          Anonymous Coward

          Re: The reason that the Max series need MCAS

          I kinda do agree. Flight 447 is really sad. As, even an untrained, no idea person, I could still figure out "oh, nothing is wrong here, hold heading straight" etc. If 477 had followed the manual perfectly, it would have been ok. Panic set in (or just confusion) and the worse happened.

          Here, with the 737 it seems slightly different. Even following training, if no one is told the MACS exists, or if the MACS can be faulty (due to 1 or 2 CPU control, not the normal 3), then how can a pilot or crew respond correctly?

          1. Anonymous Coward
            Anonymous Coward

            Re: The reason that the Max series need MCAS

            Oh, I didn't mean the pilots should not know about MACS: what I meant was that the failure mode of 'I give up, it's your plane now' tends to result in bad things when people become very used to having the system help them. I'm not sure there's a way around that: I expect the answer is that very automated planes do have these nasty failure modes and will occasionally crash because they drop into some manual mode and the pilots fail to cope. That does not mean they're not still safer, of course.

            In the case of MACS people seem to be saying there are only two sensors so there's an obvious split-brain possibility: having three would make it a whole lot safer it seems to me.

    4. AVee
      Meh

      Re: The reason that the Max series need MCAS

      > This tended to cause the aircraft to nose up in some circumstances, which could cause a stall.

      That's the thing that gets me. There's all this talk about sensors and software, redundancy, pilot training etc. But before all of that it seems to me that the physical characteristics of this plane are significantly worse then it's predecessors (at least in some aspects). Didn't the problem really start there?

      I might be reading to much into it, but it seemed to me Boeing try to squeeze a bit to much out of the 737, which backfired pretty badly.

      1. Anonymous Coward
        Anonymous Coward

        Re: The reason that the Max series need MCAS

        " the physical characteristics of this plane are significantly worse then it's predecessors (at least in some aspects). Didn't the problem really start there?"

        Seems a fair description. In the interests of a ~10% improvement in fuel economy on the MAX series, without having 737 operators incur costs, aircrew downtime for retraining etc, the designers and regulators appear to have been a bit economical with the truth. LionAir showed this last year but didn't hit the headlines to the same extent.

        One of the things computers (as distinct from springs and wires and pulleys) can do is allow people to build systems with better efficiency but also with less margin for safety when something fails (than on their non-computerised equivalent).

        But that change in tactic has to be seen for what it is - a reduced safety margin in some circumstances, with corresponding tradeoffs.

        If people make the change on the quiet, and don't understand or don't admit the implications for whatever reason, Bad Things are likely to happen.

    5. devTrail

      Re: The reason that the Max series need MCAS

      ... but in a fit of genius Boeing saw fit to have only two AoA sensors, not three ...

      Actually judging from what I read about the Lion Air crash the situation is even worse. One single faulty sensor was enough to cause the accident. Only some comments to some articles mention two sensors and as they are they just seem unconfirmed rumours.

      1. Sweep

        Re: The reason that the Max series need MCAS

        There are two AoA sensors but only one is in use by the flight control computer at any one time...

    6. Nonymous Crowd Nerd

      Re: The reason that the Max series need MCAS

      Having only two sensors is the real problem. If there's a failure, there's no way for the software to decide which is wrong and therefore work out the real angle of attack. The real answer is to add an extra sensor, like you say - or more likely two extra sensors for symmetry.

      This is why it's a potential financial black hole for Boeing. Adding the extra sensors to existing planes, revising the software to support voting in case of a failure, and testing (properly this time) is an absolute shed-load of work. It would be realistically three months to get even the first grounded planes safely airborne.

      Any other approach, though, risks the possibility of a third accident which would put Boeing into bankruptcy.

  4. Anonymous Coward
    Anonymous Coward

    will be able to enter UK airspace and land at their destination as planned

    So fingers crossed then....

    1. Doctor Syntax Silver badge

      Re: will be able to enter UK airspace and land at their destination as planned

      Landing's OK. It's taking off again that's risky.

  5. TeeCee Gold badge
    Facepalm

    Let me fix that for them.

    ...designed to make an already safe aircraft even safer.

    Should read:

    "...designed to make a seriously fucking dangerous aircraft somewhat safer."

    Hint for Boeing: "safe aircraft" do not fly themselves into the turf.

    1. DropBear

      Re: Let me fix that for them.

      ...especially not while actively overriding the control input of their pilots.

  6. Anonymous Coward
    Anonymous Coward

    We do not currently have sufficient information

    > A CAA spokesman said: "As we do not currently have sufficient information from the flight data recorder ...

    In other words, initial analysis of the FDR hasn't revealed an obvious cause, so now they're worried.

    1. Anonymous Coward
      Anonymous Coward

      Re: We do not currently have sufficient information

      @AC, No that's incorrect, you are jumping to conclusions. The CAA have not been given any information from the FDR, as the NTSB haven't released any yet, and the CAA are not a party to the investigation.

      1. Anonymous Coward
        Anonymous Coward

        Re: We do not currently have sufficient information

        > @AC, No that's incorrect, you are jumping to conclusions. The CAA have not been given any information from the FDR, as the NTSB haven't released any yet, and the CAA are not a party to the investigation.

        That may well be true. In which case why did the CAA spokesperson use the word "sufficient" rather than "any"?

        It could just be a slip of the tongue but it doesn't help people who are trying to go by just what official sources are saying.

  7. Paul Smith

    Panic

    There have been 2 incidents. Not twenty or two hundred, but two. As somebody mentioned initial analysis of the FDR did *not* reveal anything obvious, so it is reasonable to assume that it did *not* reveal the trim against the stops or that it did *not* reveal faulty AoA sensor data, so basically, it did not reveal any connection between the two accidents. In other words, shit happened and people died, but jumping to conclusions will not stop more shit happening.

    1. Anonymous Coward
      Anonymous Coward

      Re: Panic

      Whilst jumping to conclusions may not stop shit happening, not allowing any 737 MAX flights will stop anyone dying in them until the ban is lifted (after Boeing successfully show they've addressed what they purport to be the issue).

    2. Anonymous Coward
      Anonymous Coward

      Re: Panic

      Yes, two. Two extremely fatal incidents. In just under two years of service.

      Two more than the A380; One more than Concorde; The same number of lost Falcon 9 rockets.

    3. Steve Todd

      Re: Panic

      Over 300 people dead? Two accidents over a period of a few months in a new type shortly after it was introduced? Yes it calls for suspension of flying until they can identify the cause. What world do you live in where you can say "we don't know why these aircraft crashed, lets keep risking passengers while we find out"

      1. JJKing

        Re: Panic

        Still drive your car even with the hundreds killed around the world every day?

        Visitors still go the USA even with the thousands dead from guns each year.

        Flying is still 800 times safer than being a passenger in a bus. Should we stop busses driving on the road when one crashes?

        300 deaths though tragic will not keep the MAX 10 grounded forever. The reason they crashed will be isolated and fixed and life will go on and aviation will have learnt and important safety lesson.......until the next one arises.

        1. Dave K

          Re: Panic

          There's a difference between the understood risk of doing something in everyday life, and using a mode of transport that *may* have a serious safety flaw.

          I know drivers can be killed in accidents and I continue to drive. However, if numerous cars the same model that I have started crashing in suspicious circumstances where there looks to be no driver error involved, would I want some assurances that there isn't a critical flaw with my car before I drive it again? Or would I just hop into my potential death-trap car and keep going? I'd stop (in case you're wondering) and would use a different vehicle until mine is confirmed to be safe to drive.

          Nobody is saying that the MAX will be grounded forever. However, 2 fatal flights within a few months for a brand new plane is very worrying - especially when it looks as if the flight systems may have intentionally flown the plane into the ground. That's why you ground the planes. When hundreds of lives are at stake, you err on the side of caution until you have proof that the plane is definitely safe.

          1. Paul Smith

            Re: Panic

            "However, if numerous cars the same model that I have started crashing... "

            Exactly! But two is not numerous!

            1. Anonymous Coward
              Boffin

              Re: Panic

              Two accidents is 1% of the aircraft that have been built (376). In two years of service. That is, in fact, numerous.

              1. Anonymous Coward
                Anonymous Coward

                Re: Panic

                Bah, 0.5% sorry.

                1. Francis Boyle

                  Re: Panic

                  When lives are at stake rounding up is the Right Thing.

            2. Anonymous Coward
              Anonymous Coward

              Re: Panic

              If on a new car, just a few hundreds ones on the streets, were reported two incidents where the steer suddenly activated automatically and drove the car into a wall at high speed, killing all occupants, would you feel confident driving it?

              Remember these planes fly in a strictly controlled environment where incidents caused by someone not respecting the rules are far, far rarer, and near misses quickly reported and investigated, unlike roads.

            3. Dave K

              Re: Panic

              >> Exactly! But two is not numerous!

              So, we wait then? Assume it's just bad luck and wait until we have 3, 4, 5+ crashes before taking action? Meanwhile, what happens if someone you know is on a plane that crashes, there have been similar accidents from other planes from the same model but someone felt that "there wasn't enough of a trend" to investigate? How would you feel then?

              Each plane crash has the potential to kill hundreds of people. It is essential that potentially serious issues are spotted, investigated and resolved as soon as possible.

              This isn't anything against Boeing, when the DC-10 was first introduced and ran into issues with the cargo doors failing, they investigated straight away. Then after a second crash, the DC-10 was grounded until modifications were made. They didn't wait until half a dozen planes had crashed before taking action, and if anything the DC-10 should have been grounded after the first failure (as it was, modifications were recommended but not made mandatory until 346 people were killed on Turkish Airlines flight 981).

              TLDR: You don't just shrug and ignore possible issues when hundreds of lives are at stake. You ground the plane, identify the fault and fix it before allowing flights to resume.

            4. Stoneshop

              Re: Panic

              Exactly! But two is not numerous!

              These are the two only MAX8 accidents. Not just the two that appear to be similar from a larger number of accidents, but the only two accidents so far. And they have rather striking similarities., enough so that it's quite likely attributable to a common cause.

        2. Androgynous Cupboard Silver badge

          Re: Panic

          > Visitors still go the USA even with the thousands dead from guns each year.

          Some may. I don't.

      2. Patched Out
        Facepalm

        Re: Panic

        He lives in the same world as the FAA apparently ...

    4. Charlie Clark Silver badge

      Re: Panic

      Nobody is pointing the finger but withdrawing planes is standard procedure (and really the only acceptable procedure) even when there is only a chance of them being at fault. Or would you like to be the one defending the decision if there is another incident, or should the planes should to be at least partly at fault?

      See what happened when the batteries in Boeing's 787 started to smoulder, when the engines on the A380 (which can fly pretty well with just one) had troubles. Planes are very,very safe but, unfortunately, when they do have issues, the results are most often catastrophic.

    5. Dan 55 Silver badge

      Re: Panic

      The usual measurement, fatal passenger events per million flights, is off the scale for this model.

    6. JimC

      Re: Panic

      As well as the two superficially similar incidents there was also a very similar near accident where another Lion Air crew just managed to keep the aircraft in the air. **IF** the Air Ethiopia loss does turn out to have the same root cause then that suggests that the instructions given to crews on how to deal with the situation that seems to have caused the Lion air incidents are inadequate. Grounding the aircraft until the cause is established doesn't seem over the top.

    7. Anonymous Coward
      Anonymous Coward

      Re: Panic

      @Paul Smith

      As somebody mentioned initial analysis of the FDR did *not* reveal anything obvious, so it is reasonable to assume that it did *not* reveal the trim against the stops or that it did *not* reveal faulty AoA sensor data

      This is completely erroneous information, no data about the content of the FDR has been released yet.

    8. Mike 125

      Re: Panic

      >jumping to conclusions will not stop more shit happening.

      Eh? How so?

      If there's a problem, people are safe. If there's not a problem, people are safe. Where's the additional shit, sh't head?

    9. Rasslin ' in the mud

      Re: Panic

      "There have been 2 incidents." Wrong!

      If you define an incident as MCAS running away, there have been at least three, still a very tiny number. The first one being on the Lion Air aircraft that crashed on a subsequent flight (the first accident) due to a seemingly identical failure. The first time, the flight crew pulled the circuit breaker on the MCAS and continued the flight.

      I would love to see the System Safety Hazard Analysis to learn if the potential for these failures was (allowed to be) identified during development.

      Regardless, by poo-pooing the idea that there might be a fundamental flaw in the MCAS, Boeing management has harmed the company's reputation and lost a lot of confidence from those of us that fly as passengers.

      1. Yet Another Anonymous coward Silver badge

        Re: Panic

        >Planes are very,very safe

        And one of the reasons they are very safe is that when something like this happens airlines and aviation authorities ground them until they are sure if there is a problem and what the fix is.

        They don't just turn it off and on again and see if happens again.

      2. Paul Smith

        Re: Panic

        And that is the sort of conclusion that kills people. We do not know that this was an MCAS incident, and it is both stupid and dangerous to think that was based on the current evidence because that might make you think that an MCAS patch would fix or prevent it. Nothing has been officially released but given that the FAA has access to the actual Flight Recorder and that they have issued a Continued Airworthiness Notification (PDF) to the International Community (CANIC) related to the Boeing 737-8 and Boeing 737-9 (737 MAX) fleet, it would be safe to say that the flight recorder did not show trim against the limits or faulty AoA data.

        1. rmason

          Re: Panic

          How are you not getting this?

          "They" aren't making any assumptions, they have grounded the planes while the issue is discovered.

          You keep claiming air travel is safe. It is, and things like this are *why* it is safe.

          Honestly, what single disadvantage is there to grounding the models in question?

          Name a single advantage to allowing them to continue flying while the facts are established?

          It doesn't matter, at this stage, what caused it. What matters is stopping those planes from flying in or around our nation(s) until the facts are known and whatever the issue is, is corrected.

        2. Alister

          Re: Panic

          @Paul Smith

          given that the FAA has access to the actual Flight Recorder and that they have issued a Continued Airworthiness Notification (PDF) to the International Community (CANIC) related to the Boeing 737-8 and Boeing 737-9 (737 MAX) fleet, it would be safe to say that the flight recorder did not show trim against the limits or faulty AoA data.

          You are again making assumptions that are not valid. The FAA do not have access to the Flight Data Recorder, it is currently with the NTSB, and the FAA released their CANIC before the Ethiopian FDR had even been recovered.

    10. Anonymous Coward
      Boffin

      Re: Panic

      Grounding the aircraft is not jumping to conclusions: grounding the aircraft is saying 'we don't know what, if anything, is wrong with them but guven the statistics there might be something, so let's do the safe thing and not fly them'. And this will, in fact, 'stop more shit happening'.

    11. Anonymous Coward
      Facepalm

      Re: Panic

      Paul. You don't understand statistics. Sorry.

  8. seven of five

    Already a patch available?

    The fact Boeing already know in which direction to patch is the most worrysome to me. How can they already know how to fix an issue they don´t know yet?

    Or do they know what is b0rked? - which would be even more worrying.

    1. Chris G

      Re: Already a patch available?

      If I had relatives on either of those two flights I think I might be testing that question in court.

    2. Anonymous Coward
      Anonymous Coward

      Re: Already a patch available?

      Given what's known of how the aircraft was performing prior to the crash, they know the crashes weren't the result of a stall. So between the "greater resistance of stall" and "less resistance of stall" choices it is obvious to take the latter.

      If it turns out the cause of the crashes was something else, or two unrelated causes that had really terrible coincidence/timing, there's little harm done since MCAS is basically a backup to the pilot's abilities - if they are properly trained they should not put a commercial aircraft in a situation where it may stall in the first place.

      1. Anonymous Coward
        Anonymous Coward

        Re: Already a patch available?

        Nobody doubts modern airline pilots are well trained. Review the results of the Air France 447 crash, for what well trained pilots do when confused or overloaded. A flight controller that prevents unsafe flying regime is much better than trusting your well trained pilots will always understand and do the right thing.

        1. Anonymous Coward
          Anonymous Coward

          Re: Already a patch available?

          Agreed, but if you have even the slightest suspicion that the flight controller that prevents unsafe flying might actually have a serious problem, it is better to disable or tone down its "help" in any suspect cases, and rely more heavily on the pilot, until the flight controller can be fixed or absolved.

          1. Yet Another Anonymous coward Silver badge

            Re: Already a patch available?

            Unless disabling the system makes it so sensitive to stalls that it is unsafe to fly manually in normal use - in which case the safe course is to ground the aircraft

        2. Anonymous Coward
          Anonymous Coward

          Re: Already a patch available?

          > Review the results of the Air France 447 crash, for what well trained pilots do when confused or overloaded.

          No. I cannot let you get away with this statement. AF447 showed that Air France training was utter shit.

          Rule one in an emergency incident: ONE and only one pilot attempts to fly the plane, while the other goes through the checklists to determine what is wrong and what to do about it. The pilots are trained to communicate clearly so each knows what the other is doing. NONE of this happened in the Air France case.

          So either their training was shit or they ignored it. Proper simulator evaluations will weed out pilots who ignore their training. So their training was shit.

          Personally, I can't believe that AF management managed to avoid manslaughter through negligence charges.

          Sorry for the rant - but as you can tell - it makes me angry.

          1. Anonymous Coward
            Anonymous Coward

            Re: Already a patch available?

            Apparantely, manslaughter charges were filed against Airbus and Air France, but there doesn't seem to be any reference anywhere on the internet about whatever happened to the case. This is unsettling.. why doesn't Google tell me how the case ended? It can't have just vanished into the ether without a dismissal or a conviction?

        3. JeffyPoooh
          Pint

          Re: Already a patch available?

          AC, "A flight controller that prevents unsafe flying regime is much better than trusting your well trained pilots will always understand and do the right thing."

          If a car has Automatic Braking (to apply the brakes automatically when it detects that a crash would otherwise occur), then that may be a very good thing. Nothing but good.

          But if that system started slamming the brakes on randomly, then please turn it off. Not so "nothing but good" now.

          1. Anonymous Coward
            Anonymous Coward

            Re: If a car has automated braking

            "If a car has Automatic Braking (to apply the brakes automatically when it detects that a crash would otherwise occur), then that may be a very good thing. Nothing but good.

            But if that system started slamming the brakes on randomly, then please turn it off. Not so "nothing but good" now."

            Well spotted. And here's my own experience. Make your own mind up whether it's anecdote or evidence.

            I had a car that "slammed the brakes on randomly" (or, arguably, worse)..

            It was a brand new "city car", intended mostly as an around town runabout. It had Automatic Braking including some kind of forward looking 'radar'. It also turned out to come with an interesting failure mode where under certain initially unclear circumstances the radar would apparently see things that weren't really there and the result was that the (automatic, computer controlled) gearbox went into neutral (even if you were moving at 30-40mph at the time).

            Turning the car off and on again while stationary restored normal service (for a while). Definitely 'not so good'.

            The dealers were clueless, especially as no fault codes were recorded, so it stopped being used for anything except test drives based on my low speed very low traffic 5km commute.

            Eventually I became able to provoke the failures and to recover, safely, during that route almost on demand on a specific low risk llow speed low traffic section of the route.

            After a few weeks experimenting it turned out that one way of avoiding the failures was to push the button that disabled the forward looking radar 'safety' system. Pretty much 100% repeatable. Fancy that.

            It did eventually get fixed, but it took rather longer than it should have done to work out wtf was going on.

            Still, I'm sure Boeing, CFM, FAA, etc will sort out the 737-MAX issues in due course. It'd perhaps be better if these things were sorted *before* they were certified for commercial use.

    3. Stoneshop
      Facepalm

      Re: Already a patch available?

      The fact Boeing already know in which direction to patch is the most worrysome to me. How can they already know how to fix an issue they don´t know yet?

      Boeing were already working on a fix after the Lion Air crash (and the not-crash preceding it), but those things need to go through the relevant authority (in this case the FAA) before they can be rolled out.

      Trump's Wall Tantrum (a.k.a. the recent US govt shutdown) delayed that for five weeks.

  9. macjules
    Devil

    737-800

    Is there a difference between a 737-800 and a 737-800 Max? If not then Ryanair are in for a nasty shock.

    1. gazthejourno (Written by Reg staff)

      Re: 737-800

      Yes, they are different. At the moment there are six (count 'em!) 737-8 Maxes on the UK civil register and 96 737-800s. AFAIK Ryanair hasn't yet received any of their ordered Maxes.

    2. Wellyboot Silver badge

      Re: 737-800 v Max-8

      The new engine placement is a fairly big change from a flight physics point of view, The different distances between point of thrust, direction of thrust & CoG has introduced enough of an issue that the aircraft need an automatic trimming system to deal with the problems it can cause.

      1. Anonymous Coward
        Anonymous Coward

        Re: 737-800 v Max-8

        "The different distances between point of thrust, direction of thrust & CoG has introduced enough of an issue that the aircraft need an automatic trimming system [MCAS] to deal with the problems it can cause"

        YES! (though maybe centre of lift comes into the arithmetic somewhere too, I forget).

        This is *the* crucial factor in this whole sad MCAS story. The 737 MAX wasn't going to be airworthy without overriding the 737-vanilla pilot's inputs occasionally, because the MAX's weight and geometry (and thus its flight characteristics) were noticeably different than its vanilla predecessors.

        The rest of this sad MCAS story follows from that previously-hidden change, and whether or not the MCAS is found to be involved in this latest incident, Boeing and the FAA clearly already have some important questions to answer.

        1. Richard 12 Silver badge
          Mushroom

          Re: 737-800 v Max-8

          Exactly!

          Why did the FAA refuse to ask the question "What happens if it's broken?"

          Even back then, and assuming that MCAS was perfect, if the MCAS lost all* its sensors, then the pilots need to be able to fly the aircraft without it.

          That means simulator time, not just a couple of pages or a video to show them what an MCAS failure might look like and where the switches are.

          If you can't fly the aircraft without it, then any failure of that system is a fatal crash.

          * Seems to be just one... Gods!

          1. Zolko Silver badge

            Re: 737-800 v Max-8

            "then the pilots need to be able to fly the aircraft without it."

            from what I understood, this is the whole point: Boeing's marketing was that the -Max and non-Max did fly the same way, therefore no extra pilot training was needed which was money-saving for the airlines. Therefore, the pilots were not only not trained to fly the -Max without MCAS, but didn't actually know it even existed !

            This is bordering on criminal.

          2. Anonymous Coward
            Anonymous Coward

            "Why did the FAA refuse to ask the question "What happens if it's broken?" "

            It's the new "light touch regulation" - and remember they would like to privatize part of the FAA as well.

            FAA should have told Boeing - "sorry, these changes are enough to require re-certification of the airplane, and training for pilots - regardless of what you're saying to sell it better".

            But of course now US authorities are told to be "business-friendly" because otherwise they "disrupt innovation, increase customers costs, etc. etc." - the real cost can be then measured in lives.

            And FAA as far as I know as I'm writing, is still not grounding the planes to avoid to admit it made a huge mistake.

  10. Anonymous Coward
    Anonymous Coward

    It's a good job these planes don't run windows 10.

    1. Anonymous Coward
      Anonymous Coward

      I can neither confirm nor deny that these aircraft do or do not use Windows 10 as, if they did, that information would be restricted under commercial confidentiality agreements.

      1. Anonymous Coward
        Anonymous Coward

        Please don't me it's Windows M.E.

        1. David 132 Silver badge
          Coat

          No, it’s OSX. Everyone knows that’s the operating system for Max.

      2. Caver_Dave Silver badge

        OS

        I can assure you that there is a VERY short list of Operating Systems that have been used as part of DO-178B/C DAL A certification (able to host critical sections of flight software).

  11. whoseyourdaddy

    So, the engine change was for greater fuel efficiency?

    1. Steve Todd

      and range, yes.

      1. Anonymous Coward
        Anonymous Coward

        I like your level of snarky there, well played.

  12. Nick Kew

    How to convince the US authorities ...

    Find evidence of the use of Huawei kit at Boeing. Or maybe Kaspersky software.

    Unless perhaps they can opportunistically use this to launch an attack on the next (non-US) target?

  13. Marty McFly Silver badge
    Holmes

    Avionics experts and the court of public opinion....

    I get a chuckle out of all the armchair avionics experts appearing here. Blaming MCAS is nothing but presumption. The bottom line here is *we don't know* what caused this second crash *at this time*. Is it prudent to ground the entire fleet? Seems over-reactionary at this point. The UK fleet grounding (home of Airbus) when the US fleet is flying (home of Boeing) just reeks of industry politics.

    1. Anonymous Coward
      Anonymous Coward

      Re: Avionics experts and the court of public opinion....

      Or maybe you should look at those countries (loads of them) who have no interest in either manufacturer, who are grounding the planes.

    2. xehpuk

      Re: Avionics experts and the court of public opinion....

      Very few here have said it was the MCAS this time. They say it could be, so grounding the planes is the correct action until it's proven to be something else than software issues.

    3. SkippyBing

      Re: Avionics experts and the court of public opinion....

      The grounding is because they're not sure why a second 737 Max has ploughed in in only six months, for a type that's only been in service since May 17 that's a terrible record. If you don't know why an aircraft has crashed it's often considered a good idea to stop flying them until you know why. For a similar example look at the Comet, until they know for certain why these things are crashing it's not worth the risk. Although if you think it is you can probably get a used example quite cheaply now.

    4. sanmigueelbeer

      Re: Avionics experts and the court of public opinion....

      Is it prudent to ground the entire fleet?

      I agree that the "jury is still out" and the cause of the latest accident has just started (and the press isn't helping).

      Is it prudent to ground the entire 737 MAX? Yes and no.

      No it is not because no one knows the cause of the latest accident. The trust in the aviation industry is on shaky grounds. Remember the SARS epidemic? A lot of airline executives are still haunted by it. Airline industry spend billions (combined) in PR and they don't want to waste all that money because the press & media are fanning the flames of how "unsafe" the 737 MAX is even without knowing the cause of this latest accident.

      This is not a "stunt": If individual 737 MAX operators won't ground their planes voluntarily then passengers will fly with someone who doesn't have them. Now that is a nightmare no airline executive wants.

    5. Richard 12 Silver badge

      Re: Avionics experts and the court of public opinion....

      This aircraft is new. Very new.

      This aircraft has now had two definite MCAS incidents, one of which caused a fatal crash during ascent.

      This aircraft has now had another fatal crash during ascent. That's 3 serious incidents, including two fatal crashes during ascent in only 22 months. Far more than any other passenger aircraft that I'm aware of.

      As we do not know what caused the third incident, the only prudent course of action is to ground the worldwide fleet until we do.

      However, we do know that the Ethiopian pilots knew that MCAS exists, what it can do and how to disable it. That implies this crash does not have the same event chain as the previous two!

      Something else happened - perhaps an unexpected side effect of the new procedure, perhaps something else entirely.

      We don't know, and thus the aircraft must be grounded until we do.

    6. bazza Silver badge

      Re: Avionics experts and the court of public opinion....

      The reason why we're now seeing groundings is because of how the FAA and Boeing have equivacated over the implications of the Lion Air crash, made worse by the seemingly similar circumstances of the Ethiopian crash. It seems like the FAA have maintained a line of business as usual, nothing to see yet, not even giving out guidance on how pilots should be trained to deal with MCAS, fly without MCAS, etc. It's been a guidance vacuum, other than giving out a note saying "treat it like trim runaway". As I understand it that's not great, because the symptoms aren't the same as trim runaway. The info vacuum is what's finally lead the rest of the world to ground it.

      There's anecdotal evidence to suggest that US pilots are now flying MAX on their own rules, having worked out what is necessary to deal with it. Whilst laudable, and no doubt benefitting from the experience of those with militarily test pilot histories, it does have a technical description; it's called 'Making it up for one's self". Which, strictly speaking, isn't allowed.

      One of the US airlines has taken upon itself to give its pilots a raw view of the AOA sensors' outputs so that they can form an independent opinion of the operation of MCAS. Again, that's making it up for themselves. It's unofficial, probably not Boeing sanctioned, but probably a life saver.

    7. Steve K

      Re: Avionics experts and the court of public opinion....

      Airbus HQ is in the Netherlands and their main office is in Toulouse. The UK is not the home of Airbus.....

  14. Anonymous Coward
    Anonymous Coward

    " and provides a limit to the stabilizer command in order to retain elevator authority."

    That's a worrying thing to admit. So, currently, the system can automatically trim to the point of saturation and removing elevator control from the pilots, in response to faulty sensor data?

    Seriously?

    1. SkippyBing

      Currently it has full nose down trim authority, which means you have to be pulling something like 50kg back force on the control column to keep it in level flight. I'm assuming they did this rather than limit it to avoid potential problems with the limit, after all there's no situation where it'd actually need to wind it all the way forwards right?...

      1. Anonymous Coward
        Anonymous Coward

        It's Worse Than That

        You have to add the control column torque tube linkage into the mix. This is designed so that the pilots can break it (in case one elevator jams, for example). If that happens, each pilot then has control over only 1 elevator.

        One elevator alone hasn't got the aerodynamic ability to override maximum down trim, no matter how hard you pull on it.

        As I understand it, corrections welcome, it goes something like this. With an MCAS fault this has the potential to cause loss of control. Two pilots, already highly stressed, one of them doing the flying and applying max load to their control column, are near to breaking that torque tube. I think the Lion Air BB data showed this had happened. If that happens, one elevator goes neutral, the nose lurches downwards because one elevator alone is not enough to prevent this. The other pilot has a second or two to react and grab their control column to join in before that dive probably becomes unrecoverable. The conditions in which the pilot has to make that determination are extreme; lots of negative G, stuff flying about the cockpit, ground rushing up fast...

        Meanwhile both of them are now not in a position to do anything about turning off MCAS. They both need both hands on the control columns to apply sufficient force. And the two pilots somehow have to coordinate their actions in order to fly the aircraft, whilst hauling back on their control columns for all they're worth, having never simmed for that situation in their entire lives, whilst trying to deal with an aircraft that's trying very hard to kill them.

        Great, isn't it? Not...

        The ramifications of this system being required, designed, approved, flown, and turning killer, still flown, are enormous. FAA is looking like it's toast so far as the rest of the world is concerned. This could make it very difficult to return the MAX to flight.

  15. Anonymous Coward
    Anonymous Coward

    God, the stress involved in writing this stuff...

    Who the hell is going to continue this when the current batch of devs retires; certainly not the bearded, man-bunned, stack overflow grazing ex-barista Lottie Dexter "web developers" we have now. In a decade's time - don't fly.

    1. bazza Silver badge

      Re: God, the stress involved in writing this stuff...

      That's been a problem for years now. I've seen ads years ago for Ada programmers, offering huge sums per hour. You can't do flight control software in Ruby. Python, Perl or PHP.

      There have been safety critical systems written in C; nothing wrong with that, but takes a lot of very careful review.

      1. Anonymous Coward
        Anonymous Coward

        Re: God, the stress involved in writing this stuff...

        There is more certifiable code written in C than Ada, with C++ on the way up. The challenge is in proving that the executable is correctly implementing the safety requirements, not what language is used for the source code. Software to help with the traceability of requirements to source code to executable code tends to be (there are relatively few examples) written for C first, then C++ and rarely for Ada (I'm told there is some, but I've not seen it).

        1. I ain't Spartacus Gold badge

          Re: God, the stress involved in writing this stuff...

          I'm writing the flight control software for a new large passenger jet in Javascript. Is this a problem?

          1. DropBear
            Trollface

            Re: God, the stress involved in writing this stuff...

            Not at all. It has been very thoughtfully engineered - when, not if, the worst happens there is even a handily integrated garbage collector to clean up the mess...

            1. SkippyBing

              Re: God, the stress involved in writing this stuff...

              Ironically there was a missile programme where to deal with memory over runs they just added enough RAM to last twice as long as the motor would run. This only became a problem when they upgraded the motor...

          2. PhilBuk

            Re: God, the stress involved in writing this stuff...

            No. Just make sure you use this week's framework.

            Phil.

        2. bazza Silver badge

          Re: God, the stress involved in writing this stuff...

          There is more certifiable code written in C than Ada, with C++ on the way up. The challenge is in proving that the executable is correctly implementing the safety requirements, not what language is used for the source code.

          That's where specialist tools vendors like Greenhills comes in. And their OS, INTEGRITY. And guess which airliner OEMs use these things?

          I like the feature in Ada where the valid range of values for a variable can be set. With only a little self discipline you can achieve something similar using ASN.1, but it's not built-in in C/C++/Java/C# like cardinality is in Ada.

          1. bazza Silver badge

            Re: God, the stress involved in writing this stuff...

            Er, not cardinality, but defined range values...

      2. Yet Another Anonymous coward Silver badge

        Re: God, the stress involved in writing this stuff...

        Move fast and break things ?

    2. Solarflare

      Re: God, the stress involved in writing this stuff...

      Just wait for the new age of "Flight Dev Ops - Agile development for agile aircraft". It doesn't matter if there is a bug, we'll patch it in the next cycle. Each flight can be renamed as a "sprint" and if one of those fails then we know not to use that bit in a release. Wonderful stuff.

  16. Sleep deprived
    Happy

    Please tell me Air Force One is a 737 Max 8

    Time to set an example. Fly as much as you want.

    1. Anonymous Coward
      Anonymous Coward

      Re: Please tell me Air Force One is a 737 Max 8

      No, but he asked a discount for the new 747s - there's still hopes that Boeing made the "right" savings as in the Max, although we don't know if those planes will "fly" in time....

  17. JSIM

    So, MCAS goes mad when it gets faulty data from AoA sensors, but no-one's talking about changing out all the crappy sensors, just software patches. Is that about right?

    1. Anonymous Coward
      Anonymous Coward

      Wiring

      If the MAX has the same AOA setup as it's predecessor, the NG, then it's using analogue Resolver AOA transducers. With resolver (and the closely related synchro) you can get some strange and hard to diagnose behaviour caused by wiring faults. If you have an intermittent wiring problem then you can be in deep trouble.

      If this is what's actually been happening, it's difficult to sort out during routine maintenance. You have to buzz through the cable to check for shorts, grounds, crosses, etc. and you should inspect the entire length of the cable to see if there's insulation damage, too tight a bend, anything that might cause intermittent problems.

    2. Richard 12 Silver badge

      AoA sensors are a probe or fin on the side

      Looks something like these.

      The fin type is basically a fin on a potentiometer* (like a household rotary dimmer), the probe type measures differential pressure. I understand that the 737MAX has the fin type (as do most modern aircraft)

      Any sensor could fail in flight - a plastic bag or helium balloon could wrap around it, a bird could hit it or crap on it, it could ice up or stick for other reasons, it might be fitted wrong or burn out young etc.

      So if the sensor is really important, you have at least three, of at least two different designs and placed in different locations so that it's really unlikely that two would fail on the same flight (hit by the same object, ice up together etc)

      With three sensors, you can tell which one is broken - the other two agree - and thus fly to an airport where they can fix it before you fly again.

      If two break on the same flight, it's even less likely that they'd break in the same way at the same moment, so you can tell that at least two are broken - but you don't know which to trust and should ignore them all.

      With only two sensors, if one is broken then you cannot tell which one is right, so you should ignore both if they disagree.

      With only one sensor, if it breaks you simply don't know.

      *Or other type of absolute encoder

      1. Yet Another Anonymous coward Silver badge

        Re: AoA sensors are a probe or fin on the side

        >With only two sensors, if one is broken then you cannot tell which one is right,

        This is in a way worse. It has two sensors but the suspect system only uses one, another part of the flight control system uses the other. So if one fails you flip a coin, if it comes up heads the plane stalls.

        1. Richard 12 Silver badge
          Mushroom

          Re: AoA sensors are a probe or fin on the side

          Heads you live, tails you die

      2. This post has been deleted by its author

  18. Bitbeisser
    Mushroom

    If it's a Boeing, I ain't going...

    1. This post has been deleted by its author

  19. Anonymous Coward
    Anonymous Coward

    Automatic trim adjustment does not push down the nose aggressively

    Given a plain canvas at Boeing and the desire to extend the life of the 737 what they have actually done is upgrossed the capacity and length of the airframe and added additional power for the 737 MAX. Since Boeing was using the basic design of the 737 they probably performed the modifications using a series of supplemental type certificates (STDs). This reduces the time and cost for the development of the new 737s.

    Fundamentally they increased the capacity of the aircraft to carry weight, fly safely at speed, and be controllable across all flight surfaces and axes.

    In changing the length of the aircraft AND increasing the wing size AND AND...changing the engine type, critically the center of gravity was moved (I am guessing) aft. While load and balance can control nose up (passengers and luggage-freight) making it safe to fly, the pitch axis (a sudden pitch downward in climb out is what happened in both crashes) seems to be what the software system was designed to compensate for in the MAX versions of the 737.

    The reason the plane can exist in its upgrossed size however is the LEAP engine, for both commercial and aeronautical reasons. There must be something bad inherent in the design of this upgrossed version of the aircraft which the software control is meant to mitigate.

    The LEAP engine is being operated commercially at less than maximum output in order to allow for a longer engine life, and the turbofan has some considerable novelty built into it which increases the thrust to weight ratio. Since there are conditions when thrust decouples from airspeed, for example clear air turbulence, updrafts-downdrafts, and since the engine seems to rely upon available air (quantity-density) for full blade inflation (operating at its rated capacities) and predictable thrust, maybe the software was developed to compensate for blade deflation (and the resultant reduced airflow across the wings caused by reduced thrust plus the blade re-inflation latency). If the air supply faltered in climb out, and the blades deflated, you would want the nose to drop quickly to reduce the angle of attack to prevent a stall of what are probably super critical wings, close to the ground. No recovery from that.

    I wouldn't be surprised if the weather was really hot upon departure for those (now) two downed aircraft...the air is much less dense and stable and therefore more difficult for the engines to 'bite'.

    The fact that the software interfaced with a single sensor in the two downed aircraft demonstrates a breakdown in communications between software engineers and the aeronautic wonks. Properly developed software, given the critical nature of its purpose, should have been relying upon multiple points for data for it to fly safely if the design flaws above exist as stated.

    I think the point of failure was in the design of the aircraft-engine pairing given the 737 MAX is just an upgraded version of an existing aircraft, and that it operates at the edge of the performance envelope in its upgrossed design. The software was meant to make the design workable.

    Properly operating software will make the plane safe to fly in automatic mode, however the plane is still flyable by a pilot (I am relying on Richard S. Bach and his Jonathan Livingston Seagull to explain what pilots can do to manipulate safe flight that machines (aircraft) can't do alone) manually.

    Finally, and commercially speaking, the 737 series is a very practical solution for a range of flight requirements. Because of the similarity in flight characteristics between the different models and configurations, a pilot checked on type of one model can pick up and check out quickly on the other models as well. This is a big selling feature of the 737. It may be that the MAX series requires special training and increased awareness of the people that schedule and fly them.

    Calling the nose down feature of the software control system a 'trim adjustment' is meant to minimize the importance of the role Boeing plays in these two crashes, I think. The software is designed for disaster prevention, but poorly.

    1. Alister

      Re: Automatic trim adjustment does not push down the nose aggressively

      the pitch axis (a sudden pitch downward in climb out is what happened in both crashes) seems to be what the software system was designed to compensate for in the MAX versions of the 737.

      The MCAS is designed to induce a pitch down to counteract the fact that the engine nacelles are lower, longer, and further forward on the 737 MAX and therefore can cause a pitch up in certain conditions.

      The MCAS rotates the whole stabiliser to achieve this, and can therefore induce sufficient downward moment that the elevators cannot compensate for it even with full upward deflection.

      1. This post has been deleted by its author

    2. This post has been deleted by its author

  20. Anonymous Coward
    Anonymous Coward

    10 * 10 * 10 * 10 * 10 * 10 * 10

    Are these people still using imperial units of measurement?

  21. Anonymous Coward
    Anonymous Coward

    DO-178

    "New software should be released any year now. Once we get these 57 documents and 27 meetings finished. Until then, you can just wait. We do this to assure safety."

    Hey, how's that 'assured safety' working out for you?

    Now they'll be tempted to go back and make the process even worse in *all* respects.

    The standards people shouldn't be allowed to create standards. They're doing it wrong, due to a host of false assumptions.

  22. Conundrum1885

    Re. Screamliner

    Re. standards. Therac-25 comes to mind. Also LHC, Tchernobyl and Columbia.

    Sure it complied when it was originally constructed but that ****** was a disaster waiting to happen.

    RIP all those who have died due to a most likely entirely preventable software issue.

    Boeing should do the honourable thing and publish the firmware to trusted third parties so they can

    go through it in *LINE BY LINE* analysis and find out exactly why it went so terribly wrong.

    Then the report should be referred to in court when the managers are held responsible as they

    quite rightly should be for corporate manslaughter.

    I feel bad about this but its best to get it out in the open.

    Also it looks like quite a few issues have been caused by stall prevention systems over the years,

    perhaps the right thing to do is ground *all* the 737-MAX planes and those using related software

    until it can be permanently resolved and the required backup systems added.

    If needs be throw unlimited resources at it and take folks off less urgent projects no matter what the cost.

    Consider scrapping the aircraft class if it can't be fixed without a complete redesign.

  23. jigr1969

    Boeing has a history

    I'm sure all of you on here remember the RAF Chinook crash into the Mull of Kintyre back in 1984, which was covered in great length on the computer weekly website. It turned out that the FADEC system was relying on two speed sensors in order to keep the two engines running in sync. If erroneous data was received, it could cause a single engine to overrun, which in turn would cause the helicopter to flip.

    Looks like Boeing has forgotten previous mistakes.

    https://www5.in.tum.de/~huckle/chinook_software.pdf

  24. naive

    I don't want Albert Einstein to be my pilot

    "Split second decisions are needed, and the complexity creates danger. All of this for great cost yet very little gain. I don't know about you, but I don't want Albert Einstein to be my pilot. I want great flying professionals that are allowed to easily and quickly take control of a plane!"

    Donald J. Trump, president of the USA, March 13, 2019

    No more explanations needed, just fire all this cheap .NET programming H1B visa labor, and start building planes again.

    Or ask your grandpa, how they built the excellent 707's.

    1. werdsmith Silver badge

      Re: I don't want Albert Einstein to be my pilot

      Or ask your grandpa, how they built the excellent 707's.

      ----

      I would ask him but he lost his hearing because of those excellent 707 turbo jets being louder than thunder.

    2. This post has been deleted by its author

  25. Milton

    Absence of evidence is not evidence of absence

    I understand that Boeing and the FAA, eyeing the potential economic and reputational fallout from a grounding, are staking a position on the lack of immediate evidence that Ethiopian 302 went down for the same reason as Lion 610, and further that the loss of Lion 610 might well have been avoided if the pilots had turned off the anti-stall setting that may, given bad data by a defective AoA sensor, have been at the root of the problem.

    A Boeing executive might well honestly say:

    "A. Lion 610 wouldn't have crashed if the pilots had been more aware of how to correct the situation (which they should have been, from reports of prior incidents, for that very aircraft, which were sucessfully resolved); B. we simply don't know yet what caused Ethiopian 302 to crash; and C. even if it was the same scenario, we must again point out that pilots had no excuse not to know how to rectify the problem."

    I think you really cannot blame an executive for that line of reasoning.

    But.

    But, a Boeing engineer might have some rather different thoughts, like:

    "Yeah, both sets of pilots should have known what to do in the case of the anti-stall system being erroneously activated. Both sets of pilots already had a body of prior events and reports to work from. Lion 610's pilots should have known about what had already occurred on previous flights with their very own airframe. Ethiopian 302's pilots cannot conceivably have been unaware of Lion 610. So what if there is more to this than we're assuming? What if, while we're obsessing about bad AoA data setting off our (nice, shiny, new) anti-stall software, there is another, much more subtle, much less easily fixed problem which occurs very infrequently, perhaps with almost random intermittency? Doesn't this, in fact, stink like a catch of week-old haddock left in the noonday sun?"

    My guess is that executives will make the basically bad decision to keep the plane flying, not out of greed or even stupidity, but because they follow their own logic. Which, to a non-engineer brain, makes sense.

    Whereas engineer brains are preprogrammed with laws like Murphy's, and that one about Unintended Consequences, and in particular the one that correlates systems complexity with not only increased numbers of points of failure, but to the ever-increasing difficulty of finding, replicating, diagnosing and fixing the rare and subtle ones. (Look how long it took to finally figure out the phenomenally rare combination of factors involved the B737 rudder hardover failures that brought down UA 585, USAir 427, and nearly killed Eastwind 517. This was an entirely mechanical problem in a single power control unit, occasioned when a specific sequence of flight events brought very hot hydraulic fluid into a very cold servo system. Nowhere near as complex as a million lines of code, but from the first deadly accident to a final finding by NTSB was eight years. (The fact that this too was B737 is purely coincidental.))

    It's difficult enough to prove that 1,000 lines of code are error-free, let alone the millions that can make up aircraft OS and flight systems programs. (And let's not overlook the fact that this airframe has some significant changes from the NG series that preceded it. The positioning of the engines—further forward and higher, to accommodate larger fan diameters—has made big differences to CG and trim; the winglets are new; and even changing the nose gear system alters an aircraft's inflight CG and trim needs. Fuel figures suggest the 737MAX flies beautifully trimmed ... but all these things are changes which do affect the way software performs and makes decisions.)

    On balance, I suspect experienced engineers would be a leetle bit more inclined to ground the 737MAX fleet, right now, than their bosses in the e-suite.

  26. Wobbly World

    Eyewitness...

    Eyewitness, Turn Buzuna, a 26-year-old housewife and farmer report that the the Boeing 737 MAX 8 was shuddering making, “A loud rattling sound, like straining and shaking metal, it tried to climb but it failed with the nose pointed down and the tail raised up. It went straight to the ground with its nose, it then exploded.”

    Another witness, Tamirat Abera, 25, was walking past the field at the time reported that, “Before it crashed there was fire in the tail that was trailing white smoke, that turned black, items like clothes and papers were coming from the tail. Then when the plane was very close to the ground, the plane turned sharply, before hitting earth, crashing about 300 meters away.”

    Questions:

    Were the pilots trying to correct a fatal dive caused by failure of the MCAS, that was repeatedly force the airliner's nose down??

    Did the pilots lose elevator control on one wing or did one engine fail or was it pilot input that caused the final sharp turn before hitting the ground??

    Did faulty AoA data and the MCAS wind the trim system to its max and did that cause aerodynamic loads on the tail section in the dive that caused it to break up in flight??

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like