"US, Canada finally ground 737 Max jets..."
* Canada, US finally ground 737 Max jets...
TIFIFY.
Canada and America have now banned Boeing 737 Max aircraft from flying anywhere over the Great White North and the Land of the Free™, pending the implementation of new safety measures and training programs. This comes after several nations, from the UK to Japan, grounded the passenger jets after two Boeing 737 Max 8s crashed …
Depends on a lot of factors as Boeing and Airbus do have some joint projects and there's lobbyists, etc. who come out of the woodwork. More worrying is will Boeing now push out a patch that works or just different bugs? The only sure way to tell is require the Boeing board to fly on the plane.
I think they were waiting for some hard evidence. Once it arrived, *grounded*. No crashes occurred in the USA, and so the decision was "not wrong".
A grounding of all planes of that model would disrupt airline schedules, and so I think they wanted to avoid that happening. Now that there's evidence to ground them, safety first.
I read the linked article about what the system does, and there seem to be too many "it takes over" scenarios associated with it, almost like brakes in your car that apply themselves in situations where it would be smarter to accelerate or steer around something.
In the case of a stall detect in which the instrumentation had iced up (let's say), it could drive a plane into the ground, if I interpret things correctly.
Pilots are probably used to using the 'on the yoke' trim adjustment, but apparently if you flip to 'manual trim control', you have to spin a handwheel instead, NOT something a pilot would normally want to do. And going to 'manual trim' apparently disables the system, but it seems kind of *obscure* to me that THIS is the only way to shut it off.
I think an alarm should sound, warning the pilot, before this automated system kicks in. Something like "stall alert" followed by a well documented 'correction' operation that's also announced, and a BIG FAT KILL SWITCH to take it off line in case it was caused by instrument error.
Anyway, FAA will now investigate no doubt and come up with something. Boeing will have to re-certify, I bet.
My understanding was that manual trim would only disable this system for a couple of minutes. Then you'd be back to fighting it. A nice big loop of fight, disable, fly, fight, disable, fly. You'd better hope it doesn't trim down when you're trying to make your emergency landing.
Your stall alert makes sense 90% of the time, but in a real emergency there are too many alarms going off already. Adding information announcements on the end distracts the pilots away from dealing with the other factors going on, and delays the other alarms from sounding. Better to have the pilots aware that this thing can go wrong in training.
Even better to have it run on more than one sensor at a time. If it really is one AOA sensor to each flight-control computer, that's just disgraceful.
"Even better to have it run on more than one sensor at a time. If it really is one AOA sensor to each flight-control computer, that's just disgraceful."
There is indeed only one sensor to each FC computer. And it isn't disgraceful, it is cheaper. And remember, the sole purpose of any CEO of any American company is to "Enhance Shareholder Returns" (at any cost).
"A grounding of all planes of that model would disrupt airline schedules, and so I think they wanted to avoid that happening. Now that there's evidence to ground them, safety first."
From what I've been reading over the last few days, there has been evidence aplenty, particularly for South West Airlines pilots that MCAS is a pig and Boeing have been working on a patch for some while because they already know there are issues with MCAS. You don't spend time and effort fixing something if it's not broke. And if it's not broke, you leave the patches or fixes aimed at improvements for the next release cycle.
As this is basically a new aircraft with new systems, does it not seem odd that Boeing are creating a patch that stops the MCAS from going to full negative or positive trim unless that situation has been reported to them as a problem?
"From what I've been reading over the last few days, there has been evidence aplenty, particularly for South West Airlines pilots that MCAS is a pig and Boeing have been working on a patch for some while because they already know there are issues with MCAS."
Yes, apparently pilots have reported quite a few issues with MCAS.
You would think, that in light of that, perhaps better documentation/warnings should have been distributed by Boeing/FAA to be absolutely crystal clear to any operators of the aircraft what those issues are and how to address them. Especially since failure to do so is likely to result in rapid disassembly of the aircraft.
"Now that there's evidence to ground them, safety first."
2 identical planes crashing in identical ways within a couple of months of each other is surely enough evidence to have grounded them immediately.
"A grounding of all planes of that model would disrupt airline schedules, and so I think they wanted to avoid that happening."
Yeah, let's not mind the possibility of a plane crash as long as we don't disrupt airline schedules. Way to order your priorities!
"Boeing will have to re-certify, I bet."
I wouldn't bet on that. It's ASTONISHING what a call to your golfing partner "Mr. President" and some well placed $$$$ in the right pockets can do to turn night into day and a complete broom and reinstall into a minor update.
@Mark 85 - "The only sure way to tell is require the Boeing board to fly on the plane."
Amendment to flight safety regulations for all commercial flights: Two first-class seats must be reserved and occupied by a Board Member of the aircraft manufacturer, and a Board Member of the airline.
The Romans actually had a law like that for architects of bridges, aqueducts, etc.
When the bridge or whatever went into service, the architects were required to stand underneath it. I do not know how long they had to stay there, though.
Even the Code of Hammurabi (3,800 years ago) required that, if a house should collapse killing the occupants, the architect was to be put to death.
We could learn quite a lot about responsibility from "primitive" cultures.
"...will Boeing now push out a patch that works or just different bugs?"
I wonder who is writing the software for this aircraft system.
Microsoft?
Seriously, should this problem have not been found before these crashes? And what does that say about the testing process?
Could it be a case of "Get it out the door, marketing is making a fuss."?
"I wonder who is writing the software for this aircraft system."
Software people. They tend to rely on the hardware world being perfect, because the hardware people tend to spend a lot of time and effort masking the imperfections of the hardware world. See ECC and RAID for everyday examples. If they've been told that "this input is correct", they'll trust that the hardware group have dealt with inconsistencies outside their box.
"Seriously, should this problem have not been found before these crashes?"
Well, it's easy to rack up a hundred hours on a new model. Or two hundred. But a lot of these fringe problems occur so rarely, or after so many flight hours, that they'll only crop up in the wild after the testing is complete.
"And what does that say about the testing process?"
It is, by necessity, limited. What it says about the project overview, though, is that somebody slipped up with insufficient inputs to the flight computer, insufficient alerts for the pilots, or both. That or somebody was utterly negligent.
Most people can't (or won't) think in terms of "how can this fail". They don't want it to, so they don't think about it. The people who design these systems tend to be in the group who say "but what if" until everyone else gets bored and goes home. Somewhere, somebody didn't say "but what if" on this. Or (more likely in my opinion) they were overruled by somebody higher up who needed to ship and isn't of the paranoid mindset to consider just how badly things might go.
In other words:
Could it be a case of "Get it out the door, marketing is making a fuss."? - could be.
Standard software testing procedure (at least when I was in college) was to feed out of bounds data into a program and examine the results. We were also expected to consider how such data might arise in real world usage and code suitable error handling procedures. It's pretty damned clear that the systems in question were never properly subjected to GIGO testing.
No mission critical system should ever be released for production without it first being subjected to comprehensive tests intended to break it.
As a mechanical aerospace engineer, I know that if I design something and it fails and causes a crash and people die - I go to prison. This makes me a) very careful, and b) VERY much willing to make sure my ass is covered. If I'm overruled by a manager, I make sure to get it in writing. It's also why, everything I design gets checked by stress engineers, all drawings are checked by another design engineer, plus manufacturing get involved, etc. There are a lot of checks and balances to make sure that mechanical failures do not bring down an aircraft. Basically, because none of us want to go to prison or have that guilt on our conscience.
I have to admit, I've yet to meet a software engineer, in any industry, who has that mentality. So I'm afraid to say, I would not be surprised if the software didn't have a multiple eyes, multiple discipline check of the code.
It does raise an interesting point though, I mean on a mechanical part design, my name is on the part drawing. The checker's name is on the drawing, stress have their own record of files, and manufacturing do as well. Everyone involved in that part is recorded, and so when it fails we get a boot up the ass. How do you record all of that on software? Unless it's a very simple program, you're unlikely to have just a single software engineer working on it for the lifetime of the project. How do you show who put the dodgy line of code in, and when? Why did they do it? Was it checked? How do you PROVE the code was checked? Considering that we will in the foreseeable future have automated cars, controlled by software, how do we maintain that level of record keeping that allows people to be held responsible or proven not responsible for the failures that may lead to deaths? Solve that tracking problem and you'll likely earn a few million down the line.
"Everyone involved in that part is recorded, and so when it fails we get a boot up the ass. How do you record all of that on software? Unless it's a very simple program, you're unlikely to have just a single software engineer working on it for the lifetime of the project. How do you show who put the dodgy line of code in, and when? Why did they do it? Was it checked? How do you PROVE the code was checked?"
Version control will show exactly who changed what when. It won't show if it was checked but it'll show who's responsible for checking changes in.
Any good version control system can tell that - although it could be tampered with, unless some extra precautions are taken. Good requirement management systems are usually built on version control systems, or the like.
Peer review, tests, etc. could be performed as design reviews - someone has to sign it was done, and risk the consequences.
Evidently, if everything just becomes box ticking, the risk increases exponentially.
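One form the "extra precautions" mentioned in the comments above can take, as an added example that is not part of the thread: a hash-chained change ledger in which both the author and the reviewer sign each entry, so a rewritten record or a missing independent check shows up on verification. The names, keys and ledger format are constructed, and HMAC with a per-person secret stands in for real per-person signatures.

```python
import copy
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed demo keys, one per engineer. HMAC with a per-person secret stands
# in for a real asymmetric signature (an assumption made to stay stdlib-only).
KEYS: Dict[str, bytes] = {
    "alice": b"demo-key-alice",
    "bob": b"demo-key-bob",
    "carol": b"demo-key-carol",
}
GENESIS = "0" * 64
BODY_FIELDS = ("prev", "author", "reviewer", "reason", "diff_sha256")


def _entry_id(entry: dict) -> str:
    """Hash of the fields that describe the change, including the previous id."""
    body = {k: entry[k] for k in BODY_FIELDS}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def _sign(person: str, entry_id: str) -> str:
    return hmac.new(KEYS[person], entry_id.encode(), hashlib.sha256).hexdigest()


def append_change(ledger: List[dict], author: str, reviewer: str,
                  diff_text: str, reason: str) -> dict:
    """Record who changed what, why, and who checked it, chained to history."""
    entry = {
        "prev": ledger[-1]["id"] if ledger else GENESIS,
        "author": author,
        "reviewer": reviewer,
        "reason": reason,
        "diff_sha256": hashlib.sha256(diff_text.encode()).hexdigest(),
    }
    entry["id"] = _entry_id(entry)
    entry["author_sig"] = _sign(author, entry["id"])
    entry["reviewer_sig"] = _sign(reviewer, entry["id"])
    ledger.append(entry)
    return entry


def verify(ledger: List[dict]) -> List[str]:
    """Return a list of problems; an empty list means the record is intact."""
    problems = []
    prev = GENESIS
    for n, e in enumerate(ledger):
        if e["prev"] != prev:
            problems.append(f"entry {n}: chain broken")
        if _entry_id(e) != e["id"]:
            problems.append(f"entry {n}: content altered")
        if e["author"] == e["reviewer"]:
            problems.append(f"entry {n}: self-review")
        for role in ("author", "reviewer"):
            person = e[role]
            ok = person in KEYS and hmac.compare_digest(
                _sign(person, e["id"]), e[f"{role}_sig"])
            if not ok:
                problems.append(f"entry {n}: {role} signature invalid")
        prev = e["id"]
    return problems


def rewrite_history(ledger: List[dict], index: int, new_reason: str) -> List[dict]:
    """Simulate someone with write access to the store, but no signing keys,
    editing an old entry and recomputing its id to make it look consistent."""
    forged = copy.deepcopy(ledger)
    forged[index]["reason"] = new_reason
    forged[index]["id"] = _entry_id(forged[index])
    return forged


def sample_ledger() -> List[dict]:
    """Two constructed changes, each checked by a different person."""
    ledger: List[dict] = []
    append_change(ledger, "alice", "bob", "- limit = 10\n+ limit = 25\n",
                  "raise limit per change request")
    append_change(ledger, "bob", "carol", "+ check_inputs()\n",
                  "add input cross-check")
    return ledger


if __name__ == "__main__":
    good = sample_ledger()
    print("intact:", verify(good))
    print("rewritten:", verify(rewrite_history(good, 0, "typo fix")))
```

This proves that a named reviewer signed off on a specific diff; it cannot show how carefully they looked, which is the box-ticking risk raised above.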
As I understand it, it's not a bug, it's the whole way the thing is implemented.
They bodged the engines in at an angle, for ground clearance, and that has ruined the plane's inherent stability so they are trying to correct a serious fundamental hardware fault with software.
Avionics software has to meet very strong requirements (DO-178 for real software and DO-254 for "firmware" code like FPGA), with separate development and verification teams, tracing all requirements, software AND test software (including all scripts and tools), and lots of documents registering who did what. Quite like the mechanical parts, then.
Now there are several levels of certification (DAL), including the lowest level where (almost) nothing is certified.
And on top of that, you're just certifying that you designed / coded what was requested, not that what was requested made any sense. So you clearly can certify that 2+2 makes 5, you "only" have to write it in such a way that all teams from specs, coding, verification and the like will not realize that it doesn't actually make sense.
For example like certifying that releasing the brakes of the plane if their pedal is pressed "too strongly" should make a perfectly complete and usable ABS system, saving the tires from blowing because of getting stuck (an interesting goal). But without ever asking any system anywhere to start braking again later...
"They are more concerned with their share prices than two planes worth of people."
And yet..."Safety is a core value at Boeing...There is no greater priority for our company", yet the software fix was delayed due to the government shutdown. Does anyone know why Boeing was in such dire need of FAA help that they couldn't carry on developing their own fix for their own software on their own without government help?
JBnb asked, "...why Boeing was in such dire need of FAA help...?"
Presumably they're developing the software patch IAW DO178, to some moderately high Design Assurance Level. So there's a lengthy process, with dozens and dozens of documents, and with independent review and sign-off at various stages. So, if that's the sort of process they're following, then it takes months.
Given the circumstances, there will be intense pressure to complete the process even faster, and at the same time even slower and more carefully, than last time. It'll be insane.
Nobody is allowed to point out that the whole Design Assurance process didn't actually seem to help the first time through, based on the evidence before us. So I won't mention it here... ...Oops.
I also won't mention how the whole aircraft safety process shouldn't have allowed a 2nd incident of the same type. There's an exposé topic, just sitting there.
Bucket of stink.
I am strongly reminded of something I read just recently.
"Evidently, a crucial case is omitted, which is far more depraved than massacring civilians intentionally. Namely, knowing that you are massacring them but not doing so intentionally because you don't regard them as worthy of concern. That is, you don't even care enough about them to intend to kill them. Thus when I walk down the street, if I stop to think about it I know I'll probably kill lots of ants, but I don't intend to kill them, because in my mind they do not even rise to the level where it matters. There are many such examples. To take one of the very minor ones, when Clinton bombed the al-Shifa pharmaceutical facility in Sudan, he and the other perpetrators surely knew that the bombing would kill civilians (tens of thousands, apparently). But Clinton and associates did not intend to kill them, because by the standards of Western liberal humanitarian racism, they are no more significant than ants. Same in the case of tens of millions of others".
[For fanatical Democrats who may object, substitute "Bush 1", "Bush 2" or "Trump" for "Clinton" and substitute some appropriate atrocity of theirs].
- Noam Chomsky, 'Samantha Power, Bush & Terrorism,' 31 July 2007 https://zcomm.org/zblogs/samantha-power-bush-and-terrorism-by-noam-chomsky/
My (dated) knowledge of AOA sensors is that they're more-or-less windvanes on their sides, so the air passes over them and pulls them straight back. If they're at an angle then the aircraft is not travelling directly forwards through the air, but is tail-sitting. Or nose-sitting, but between gravity and engines that won't last long before it's straight again.
So you have a mechanical component that rotates, and a sensor to detect the rotation. I expect they'll use Hall sensors so there's no contact and no bits to get mucky *inside*, but if the rotating component freezes, or gets caked in grease or muck so it can't move, it'll read wrongly.
If it seizes during landing (or on rotation at take-off), it'll be raised, and will register a high AOA. Nose-down to correct...?
If you had two operating at once, you could at least tell that you were getting inconsistent readings. If you had three, you'd have a pretty good guess which sensor to disregard.
[Actually it swaps between the captain's and the first officer's Angle of Attack sensor each flight.]
The FAA somehow certified a whole series of aircraft (B737MAX-8, -9, -7 & -10) with a new system ("MCAS") critical to flight safety which relies entirely on one out of two available sensors.
There is no averaging, no voting, not even a 'disagree' indicator.
The pilots' flight manuals originally omitted any mention of the MCAS, so if it misbehaved, the pilots would have no idea WTF was happening because they did not know MCAS existed.
Oh, and just to add insult to injury, having the AoA displayed on the pilots' screen was an 'extra cost option', so unless their airline had gone to that expense, there was no way for the pilots to know that their AoA devices were in violent disagreement.
In my view the FAA acted completely negligently in certifying the B737MAX aircraft system (including the manuals). It seems likely that they relied on representations from Boeing that negligently (or even willfully) misrepresented the risks inherent in the MCAS design and implementation.
Since there were US citizens killed in the Ethiopian crash, if that is shown to also be MCAS-induced, I would expect both Boeing and the FAA to be hit with ginormous lawsuits in US courts.
Then there will be the teeny weeny detail of fixing and re-certifying "anti-death-crash software patches", manual updates and probably hardware changes - maybe including a third AoA transducer and voting / averaging / alerting software.
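The one-, two- and three-sensor cases raised in the comments above, sketched as an added example that is not part of the thread and is not any manufacturer's logic. The 5-degree disagreement limit, the valid range, the function names and the readings used with it are assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from enum import Enum
from statistics import fmean, median_low
from typing import Optional, Sequence, Tuple

# Assumed values for illustration only; not taken from any aircraft.
DISAGREE_LIMIT_DEG = 5.0         # how far a reading may sit from the centre
VALID_RANGE_DEG = (-30.0, 40.0)  # readings outside this count as sensor faults


class Status(Enum):
    OK = "ok"                # every supplied sensor is usable and they agree
    DEGRADED = "degraded"    # a bad sensor was rejected; the rest still agree
    DISAGREE = "disagree"    # conflict with no majority: alert, do not act
    UNCHECKED = "unchecked"  # one usable sensor only: nothing to compare with
    NO_DATA = "no_data"      # no usable reading at all


@dataclass(frozen=True)
class Vote:
    status: Status
    value: Optional[float]     # None means "do not act on this automatically"
    excluded: Tuple[int, ...]  # indexes of the readings that were rejected


def _usable(reading: Optional[float]) -> bool:
    """Range and sanity check applied before any comparison."""
    if reading is None or math.isnan(reading):
        return False
    return VALID_RANGE_DEG[0] <= reading <= VALID_RANGE_DEG[1]


def vote(readings: Sequence[Optional[float]]) -> Vote:
    """Combine redundant angle-of-attack readings (degrees) into one value."""
    good = {i: r for i, r in enumerate(readings) if _usable(r)}
    rejected = [i for i in range(len(readings)) if i not in good]

    if not good:
        return Vote(Status.NO_DATA, None, tuple(rejected))
    if len(good) == 1:
        # Single-sensor case: a stuck vane that reads a plausible angle
        # passes straight through, and the caller is told it was unchecked.
        return Vote(Status.UNCHECKED, next(iter(good.values())), tuple(rejected))

    # median_low always returns one of the actual readings, so with two
    # sensors this reduces to "do the pair agree within the limit?".
    centre = median_low(good.values())
    agreeing = {i: r for i, r in good.items()
                if abs(r - centre) <= DISAGREE_LIMIT_DEG}

    if len(agreeing) * 2 <= len(good):
        # No strict majority: with two sensors we know something is wrong
        # but not which one, so the only safe output is an alert.
        return Vote(Status.DISAGREE, None, tuple(rejected))

    outliers = [i for i in good if i not in agreeing]
    excluded = tuple(sorted(rejected + outliers))
    status = Status.DEGRADED if excluded else Status.OK
    return Vote(status, fmean(agreeing.values()), excluded)


if __name__ == "__main__":
    # Constructed readings: index 2 plays the part of a seized vane.
    for case in ([21.0], [2.0, 21.0], [2.0, 2.5, 21.0], [None, 2.0, 3.0]):
        print(case, "->", vote(case))
```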
"In my view the FAA acted completely negligently in certifying the B737MAX aircraft system (including the manuals)."
That's the problem. My understanding (could be wrong, anyone?) is that the FAA did not certify the 737 MAX. As far as representations from Boeing to the FAA are concerned, the 737 MAX is merely an improved 737, therefore should be considered a 737, and thus use the existing 737 certification. The FAA (and other countries' equivalents also, though they may have been trusting the FAA's opinion and just blindly accepted it) accepted this. So from a flying certification perspective, the 737 MAX is a 737, and did not receive a separate certification.
This is actually one of the biggest topics for disagreement between the Americans and the European regulators. It's called Grandfathering. The Americans love it, the Europeans do their best to block it.
Basically, it means that for a small change you don't need to recertify the full aircraft. Because recertification is VERY expensive. But then the question becomes what's a small change? And how many small changes before it constitutes a new aircraft and needs to be recertified?
As a thought experiment at uni, we were able, under the American rules, with many little steps, to bring a wood and cloth plane from the first world war up to a fully metal enclosed passenger aircraft (think early 50's level) on a single type certificate.
OK in reality, you wouldn't get that far (as someone would eventually show a modicum of sense), but it gives you an idea of the problems with Grandfathering.
Now I don't know enough about the changes between the 737 and the 737 MAX, but maybe it should have been recertified. At the very least, there should have been a much higher level of scrutiny placed on the implementation of this AoA feature. I have absolutely never heard of any system like that which does not use multiple sensors (min 3) and a voting system. To allow a single sensor to control something like this with a foreseeable risk of crashing the aircraft is, well, frankly criminal.
(from a 15 year veteran of the Aerospace industry)
Well said and very clearly put. Have one of these on me!
IMHO there should be mandatory re-certification if the centre of gravity and or mass of the aircraft changes due to new engines and/or engine mounting pylons. The whole flying model will change quite dramatically when this happens.
Airbus saw this when they stretched the A320 into the A321. The A321 seems to fly much more like a lead balloon especially when compared to the A318. Same basic aircraft but...
{I also spent many years working in the Aviation Industry}
As I understand it, the fundamental change was more fuel efficient engines. However these if placed in the logical place would have scraped along the tarmac.
So they were moved forward and cranked up a bit.
Changing the CG and the on thrust/off thrust trim by such an extent they put some software in to correct for it.
So downtrim when the throttles are opened, giving a massive nose down if the throttles are chopped. Before the trim returns to 'glide'
This was bunged in the anti stall software I think.
The engines are not "cranked up," at least the angle relative to the fuselage is about the same. The nose gear was lengthened to produce more clearance so the angle to the pavement changed, but that difference makes no difference to flying characteristics.
The main change is the projected area at high angles of attack is larger and farther forward so the pitch moment is a bit softer than previous planes at those high angles of attack. The software was to linearize the feel of the yoke so the plane handled the same. There's no thrust component to MCAS because the thrust has a constant pitch moment contribution regardless of pitch. It isn't anti-stall, it's just so that simulators didn't need to be reprogrammed for the high angle case and the pilots didn't need to be recertified on high angle cases.
According to the New York Times, since 2005 FAA no longer relies on independent experts for airplane certification, but lets companies designate their own employees for such tasks.
I think this is also an answer to Schneier when he proposed IT companies should hire people to advocate for citizens' privacy and security. Most people do only the interests of those who pay them.
I really hope that if it is demonstrated that Boeing and FAA took "shortcuts" to allow the Max to fly and be sold as an identical 737 replacement, the fines will be adequate to the death toll - and not only of US citizens.
"I think this is also an answer to Schneier when he proposed IT companies should hire people to advocate for citizens' privacy and security. Most people do only the interests of those who pay them".
While I have great respect for Mr Schneier and the other experts in his field, I think he greatly underestimated the difficulty of this problem.
Money is like concentrated sulphuric acid. Let enough of it out into the world and it's damned hard to limit the damage.
We now have a dominant culture (coming from the USA) in which money is not only the greatest, but almost the only value. Think about it. Aren't the rich, on the whole, those who are admired and set up as role models? Almost regardless of how they got their money?
Now try to think of a system in which honest people regulate the great majority of the corrupt (where "corrupt" means "will do almost anything for money"). Not easy, is it?
"I really hope that if it is demonstrated that Boeing and FAA took "shortcuts" to allow the Max to fly and be sold as an identical 737 replacement, the fines will be adequate to the death toll - and not only of US citizens."
Boeing will get sued. The FAA won't even though Boeing followed the FAA rules that industry lobbies for. If you need an example that everyone here can relate to, look at the FCC.
MCAS is not a magic device, it operates by using the stabilizer trim system. There is training in place for handling unexpected stabilizer trim changes. https://www.youtube.com/watch?v=3pPRuFHR1co&t=155s That sound of a twig dragging on a pot lid is from the stabilizer trim system with a fault condition. It is clearly audible over the accurately simulated sound level in the cockpit. Doesn't matter what the fault condition that starts it, the required response is the same, turn the motors off. As mentioned in the comments the only thing the instructor missed is that there are flip-out handles on the trim wheels to make cranking the wheels go faster.
This style of response upsets me.
Basically what you are saying is that, in the event of this system failing and trying to nose-dive the aircraft into the ground and kill everyone on board, if nothing else is going on and the cockpit is quiet, there is a procedure to handle the situation.
Now assume you are climbing towards mountains, and your airspeed indicators are bollocksed. You think you are going too fast, so you withdraw the flaps. Your angle of attack rapidly increases, then the stick-shaker activates, there are voices shouting "DON'T SINK! DON'T SINK!", "TERRAIN! TERRAIN! TERRAIN!", "STALL! STALL! STALL!" or similar. The noise of the stall warning horn is blaring out, the yoke is shaking aggressively. Meanwhile the nose of the plane keeps being forced down. Your airspeed is increasing, but you don't know how fast you're going. You disable auto-trim, and there's a temporary lapse where you get the nose back up, but all the stall warnings continue, so your reflex is not to pull up hard. The nose drops again. You are pulling back on the stick with around 50kg of force, which should also disable all auto-trim and autopilot (as it did on previous 737s) but by that point you are only 1000ft above ground level, your instruments are still reading nonsense, you have no fucking clue why the plane is nosediving and you can't pull the stick back any harder. There is a quiet clickity click noise from the trim wheel, which you already disabled but for some god-forsaken reason it's going again. You're in a nose-dive, 40 degrees down, 500ft above the rapidly approaching mountains.
That all happens in about 2 minutes, in the case of Ethiopia.
Yes, it might be possible to (temporarily) disable the system. No doubt an exceptional crew might handle the situation better. But you know what? Blaming the pilots here is not how you prevent this shitstorm happening again.
It's possible that what Boeing describes as the "unique aircraft handling characteristics" are sufficiently extreme that handing "out control to the pilots" is not really an option. After fighting with the software to keep the nose up, if the pilot suddenly gets back control, their natural response would be to climb as fast as possible which would almost immediately set off the stall condition that seems like it's more or less inherent to the design. So the plane might then crash anyway.
No, unless you are at an unsafe altitude, below the charted MSA.
Pilots should be trained when they regain control, to put the plane level, at a safe altitude/speed, and possibly on a safe route - assess what went wrong, plan what to do next, and inform traffic control - which will help to clear the path from other airplanes whenever needed. For example, if you plan to return to the departing airport, it's usually useless to gain altitude, unless you have another good reason to do so.
Of course pilots can make mistakes, panic, and follow the "natural" response instead of what training should have taught them. Still, it's possible that the different handling characteristics of the Max for which pilots weren't required to train for, may deceive pilots trying to recover the plane even after the MCAS has been turned off, even if they don't try "to climb as fast as possible".
It looks as though penny pinching may be to blame on the part of Boeing. While minor upgrades to a model may be okay with only the issue of a bulletin, changing the engine type and altering the aerodynamics and flight characteristics should always require new type approval and relevant training. Also in this case it seems as though instrument redundancy has also been left out to save money. Boeing should be held to account along with whoever allowed them to get away with taking shortcuts, whether it is the FAA or pressure from the administration.
Unfortunately, what was said about General Motors back in the 1950s could now be said about Boeing.
"What is good for Boeing is good for America".
I think you will find that most members of Congress think so. (And certainly not because of any funding they may have received from Boeing and its partners).
I'm sure that in the early 00s, El Reg ran a series of stories about a press flight of the 777 that lost altitude due to the two fly by wire systems disagreeing with each other. Something about them both being developed by the same team, rather than two separate units. Anybody remember this?
No, I've not heard that before. But I'm certainly not an authority on it!
However, one thing that came out of the BA38 777 miraculous crash landing at Heathrow was that the triple redundant software for part of the fuel system had been developed by just one company, to save a lot of money. They set up 3 teams, kept them separate. At the time it was irregular, but signed off as OK by the FAA and EASA.
However because this was the CAA's AAIB investigating the BA38 crash, they had the power to condemn it if they were dissatisfied and cause a global grounding. I think it was touch and go at one point in the investigation - the crash was due to a fuel issue after all - but eventually it was determined to be due to ice formation in an oil / fuel heat exchanger. This was readily resolved and the 777 carries on with its reliable career with that software intact.
An event such as you've recalled illustrates very well the value of having on-the-ball pilots in a cockpit.
"This was readily resolved and the 777 carries on with its reliable career with that software intact."
And don't forget the fleet-wide grounding of the 787 when ANA discovered the batteries were overheating.
If the cause of the latest crash is the MCAS, I hope FAA will implement a re-certification of the 737 MAX family.
(I must humbly admit: Donald Trump is one "funny" (for lack of a better word) character, however, there is still hope for him.)
"the triple redundant software for part of the fuel system had been developed by just one company, to save a lot of money. "
Citation required - not for the "to save money" bit, for the "triple redundant software" bit.
"eventually it was determined to be due to ice formation in an oil / fuel heat exchanger."
That one is widely documented. Citations readily available, e.g. via
https://en.wikipedia.org/wiki/British_Airways_Flight_38
The captain in this case made the ballsy decision to reduce the flap by one notch just as they approached the runway. In the few seconds he had available, he realised that they were going to hit the masts at the airport threshold. By reducing flap he reduced drag just enough to extend the glide and miss the masts. Gutsy call on final approach with limited engine power if the aircraft was anywhere near stall speed. He had no time to discuss this with anyone else in the crew, he just made the call himself. It was correct.
His call made the difference between a hull loss that everyone walked away from and a catastrophic accident.
"An event such as you've recalled illustrates very well the value of having on-the-ball pilots in a cockpit."
Pilots need to be well trained and have flight experience thus most airlines require a senior pilot on each flight. There's an old saying that goes: "The first person at the crash site is always the pilot." I think some pilots have forgotten about this after some news stories about being drunk, drugged, etc. In this case, it's probably more like experience. Even a senior pilot would not have much flight time in these planes.
This decision is entirely normal. One crash is a subject of commiseration, two of the same kind with the same airframe and on new planes and it is time to realize that something is likely very wrong.
I'm not pouring fire and brimstone on Boeing though, they have one of the most complicated jobs on the planet. I'm sure they'll find out what is wrong, if only because now that the planes are grounded, the pressure on them is skyrocketing.
So yeah, they'll solve the problem. They have to.
It is a complicated job, but at some levels it's not.
For example, it ought to be quite easy to recognise the dangers in stretching out a 60 year old design this far, indeed introducing some aerodynamic instability to be competitive. That ought to have raised alarm bells all the way up and down through Boeing, but didn't.
They really might not survive this. If MCAS is permanently condemned no matter what fixes are proposed, that's probably the end of 737MAX. Aerodynamic fixes would be very difficult, and would require a full recertification (something they've avoided for 50 years). And that'd be the end of Boeing's single aisle cash cow. They might be forced to exit the single aisle business because they've not got a replacement design on the books. If they can't make good money from 777x and 787 (the latter is working well now but who knows if it will ever pay itself back). And this is before they get sued, fined, pay out compensation to the grounded airlines, etc.
For example, it ought to be quite easy to recognise the dangers in stretching out a 60 year old design this far,
I'd assumed in aeronautics 60 years old meant well understood. The basic plan flies, they aren't just going to roll over.
Sure, but it doesn't mean a design could become outdated anyway. The 737 design has the wing/ground clearance issue, which wasn't envisioned when jet engines had far smaller diameters.
Changing it is not simple, because moving it will require re-designing the wing box, which is one of the most critical structural designs in a plane, aerodynamics will change, probably impacting the wing and tail surfaces position and design, actuators will need to change as well, etc etc.
Then parts and assembly lines need to be updated (and workers as well) - plus the certification.
It's a lot of money - exactly the reason why Boeing attempted a shortcut, to increase profits.
Well, Boeing persuaded the FAA that because it was a derivative, it was ok to be certificated as such, never mind the fact the wing is new, the engines are new, the CoG is different and now requires software to maintain the AoA. But hey... it's all *fiiiiiiiiiine*.
Some routinely executed flight manoeuvres and stuff that were routine on 737s prior to MAX become unacceptably risky without computer assistance/override on the MAX family. Up to you to decide whether that equates to "too difficult to fly manually".
Further reading via:
https://theaircurrent.com/aviation-safety/what-is-the-boeing-737-max-maneuvering-characteristics-augmentation-system-mcas-jt610/ (article published November 2018, after LionAir but well before Ethiopia).
Is this to say that the 737 max is too difficult to fly manually?
With the proper training, not at all.
However, that's the point, if the aircraft required its own training régime - even if it's just a few hours 'conversion' training - then that would mean it wasn't the same aircraft and would have had to receive its own certification, rather than just using the existing 737 certification.
New certification means a more costly aircraft, as getting it certified costs money. In addition to the increased purchase cost due to having to get the aircraft certified, there'd be an even bigger training cost to the airlines. A big airline like SWA that has ordered 280 of these would have to train a thousand pilots, and that costs more money. Therefore initial operating costs would be higher, and they couldn't just assign any existing 737 pilot to it randomly, they could only assign the ones who had undertaken the training, therefore less flexibility for the airlines (until they'd completed their replacement programs eliminating all non MAX 737s) which means more cost.
Therefore Boeing introduced systems to the aircraft to (try to) make it fly to the pilots like a bog-standard 737, therefore no certification expenses therefore no training expenses. As much of this correction seems to be dependent on software 'hiding' the actual changes in how the aircraft flies, this means Boeing introduced more software complexity - read more bugs and more points of failure - to the aircraft to accomplish this. And this additional complexity means that the control systems are now more dependent on aircraft sensors (AoA in the MCAS case), which doesn't seem to have been taken into account in the sensor package of the aircraft. What was prior to the MAX a useful information system, AoA, that just provided information to the pilots (and could issue automatic alarms/warnings - "beep, beep, pull up, beep, beep, pull up..."), is now a critical control system. This increase in importance of the system doesn't seem to have been reflected in the AoA sensor package, in that there are only 2 AoA sensors (that don't even have their own instrument readout in the cockpit unless the airline pays extra for that feature), not a properly redundant 3-sensor voting system.
PM offered "One crash is a subject of commiseration, two... ...time to realize that something is likely very wrong."
Serious question: Why did it need two?
The whole point of Air Accident Investigation is to prevent accidents from reoccurring.
So: Why two?
This question needs to be included in the scope of the inquiry.
They have not yet completed the investigation into the Lion air crash so have not yet issued any recommendations.
As I understand the crash investigation process, investigators are obliged to produce an interim report 12 months after starting the investigation. They will then produce a final report when they are ready.
If there is something glaringly obvious produced before either of these reports, they may publish an alert bulletin before this.
AC noted, "...not yet completed the investigation into the Lion air crash....12 months..."
It's a very common failure to design processes that accomplish their goals, but require a duration that happens to be unacceptable.
It's as if far too many people have never considered the Axis of Time.
I'm employed by an aerospace company where the process to release any document seems to require about a month. So every trivial little project takes years, exceeding the annual budgeting cycle; thus wrapping the whole thing around its own axle.
'Axis of Time' folks. 'Axis of Time.'
If the process people could hoist aboard this concept, humanity would benefit immensely.
Strangely, engineers designing factories that punch out products live and breathe timing. Precisely like administrative staff don't.
No aircraft will be perfect, but this seems to be a fairly unique situation where the aircraft software caused the crash because of a faulty sensor, rather than pilot error due to faulty sensors. And this is awful design, 2 sensors, only one used for input, that is just asking for failure...
Airbus doesn't necessarily mean safer, correct. Airbus didn't make the mistake of using just *two* sensors for critical control systems. They *did* however make the mistake of not using heated sensors (which was rectified post-AF447 when it became clear that that was one contributing factor).
In my limited flying experience, Airbus are much nicer to be a passenger in, so far I've never encountered the evil 2-5-2 configuration on an Airbus (any airline that ever uses a 2-5-2 should be avoided like the plague, being stuck in the middle seat of that is hell above earth!)
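The redundancy point raised in the comments above (two AoA sensors with only one used as input, against a three-sensor voting arrangement), sketched as an added example that is not part of any comment and is not Boeing's or Airbus's logic. The function names, the 5-degree disagreement limit and the sample readings are assumptions made for illustration:

```c
#include <stdbool.h>
#include <stdio.h>

/* Assumed limit, for illustration only: readings further apart than
   this many degrees are treated as disagreeing. */
#define DISAGREE_DEG 5.0

typedef struct {
    double value; /* angle of attack handed to the automation */
    bool valid;   /* false: automation must not act on value */
} aoa_result;

static double absdiff(double x, double y) { return x > y ? x - y : y - x; }

/* One sensor as input: a stuck or damaged vane is believed as-is. */
aoa_result select_single(double a) {
    aoa_result r = { a, true };
    return r;
}

/* Two sensors compared: the fault is detected, but nothing says which
   sensor is wrong, so the only safe outcome is "invalid" (disengage). */
aoa_result select_dual(double a, double b) {
    aoa_result r;
    r.valid = absdiff(a, b) <= DISAGREE_DEG;
    r.value = r.valid ? (a + b) / 2.0 : 0.0;
    return r;
}

static double median3(double a, double b, double c) {
    double t;
    if (a > b) { t = a; a = b; b = t; }
    if (b > c) { t = b; b = c; c = t; }
    if (a > b) { t = a; a = b; b = t; }
    return b;
}

/* Three sensors, mid-value select: one faulty reading is outvoted and
   the automation keeps a usable value. Masks a single fault only; if
   no second sensor sits near the median the result is invalid. */
aoa_result select_triple(double a, double b, double c) {
    aoa_result r;
    double m = median3(a, b, c);
    int agree = (absdiff(a, m) <= DISAGREE_DEG)
              + (absdiff(b, m) <= DISAGREE_DEG)
              + (absdiff(c, m) <= DISAGREE_DEG);
    r.value = m;
    r.valid = agree >= 2;
    return r;
}

int main(void) {
    /* Constructed readings: true AoA about 4-5 deg, one vane stuck at 74.5. */
    aoa_result s = select_single(74.5);
    aoa_result d = select_dual(4.0, 74.5);
    aoa_result t = select_triple(4.0, 74.5, 5.0);
    printf("single: %.1f valid=%d\n", s.value, s.valid);
    printf("dual:   %.1f valid=%d\n", d.value, d.valid);
    printf("triple: %.1f valid=%d\n", t.value, t.valid);
    return 0;
}
```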
Two actual crashes (with hundreds of deaths) PLUS a steady stream of reports and complaints from pilots.
Which, if the crashes hadn't happened, would probably be filed and gathering dust. "Damn pilots, always complaining, never satisfied".
There's a whole lot more of this waiting to happen in the automotive world too. Crude accident avoidance systems are being given hardware control over braking and steering when they're unfit for anything but a warning. I have first-hand experience with VW's "Front Assist" randomly applying maximum braking in heavy traffic.
"There’s a single button to disable most of these driver aids. All drivers should know where they are".
And why would a driver disable the sophisticated, foolproof software that a clever car manufacturer's experts have spent years perfecting? So that he can rely on his own fallible human judgment - and take the rap for anything, no matter how minor, that goes wrong?
What's (obviously) needed is a sophisticated, foolproof software system to tell the driver when to turn off the sophisticated, foolproof software.
Won't most traction control systems still take action even when "disabled"? Many times it means pulling the fuse to truly disable it, and then the car might go into limp mode because it detects the pulled fuse as a fault in the TC module.
I'd imagine the same will happen with self driving technologies. Sure there might be a button the "operator" can press which makes a suggestion to the software that it might be acting naughty, but that just temporarily places it in a less aggressive mode. Completely disabling it through any other means will be seen as a fault and cause the vehicle to go into limp mode or outright stop working.
Welcome to the brave new world. Get ready to start walking more.
Red Ted: "In the automotive world the deaths happen in ones and twos, in aviation when something goes wrong [a plane-full may die]"
True of course, but aren't overall numbers higher for roads? And there have been high profile safety issues in the past, perhaps causing some deaths and many "lucky escapes", so similar issues seem likely to be picked up.
eldakka: "Not to mention that if you feel something is wrong with your car, bus, truck, you can just pull over to the side of the road and stop."
Again true, but in general, drivers are far less trained to deal with such situations; for some problems, probably less likely to realise until it's too late, and in some others, less able to react correctly to avert disaster.
Even something as innocuous as cruise control may malfunction and cause problems. Previously had this happen to me whilst driving and suddenly the car decided to accelerate all on its own - not a hard acceleration as would happen if the pedal was stuck down - but a gentle increase such as when the cruise control is trying to maintain speed. I was able to drop the car into neutral (manual gear box) and pull onto the hard shoulder whilst the engine slowly increased revs until it hit the rev limiter.
Once at a safe and full stop I turned off the engine. Subsequent service found nothing wrong with the car.......
But in the car you can override them usually, I know I do when my Adaptive Cruise Control keeps following a lorry that turns off the motorway I am on, that is why I keep my foot resting near the pedals when I'm driving!
But also, braking fast in a car should never cause a crash, the only time it would is if idiots are driving too close to you to stop in time.
The universe has a commanding lead of idiots.
This is not so complicated, but everyone hopes it is because it helps for a better story and to have someone to blame. Well, someone who is alive.
LionAir, known for keeping 2 sets of maintenance books and cutting corners to keep turning airplanes has a crash due to a bad sensor and a system reacting to that. 3 other pilots on 3 other flights on the same plane turned off the autopilot, flew the plane fine and reported it to maintenance. Maintenance did... something presumably....
4th pilot repeatedly struggles with the same problem for over 15 minutes by trying to muscle it right until it gets to a critical situation and the plane pancakes.
Etihad puts a pilot with only 200 hours experience with this type of plane (US minimum is 1500 hrs) plane seems to pancake in the same way.
Conclusion: All the 400 planes that have been flying for more than 2 years, were Type Certified by the FAA and any changes to the OS are required to be approved by the FAA must be all about to crash out of the SKY!!!!! NO ONE CAN SAFELY CONTROL THEM!!!!
Or... these are two horrible incidents that illustrate a greater need for regulation on airlines and training on pilots......
But then why would everyone ground them????
Well: Australia and Singapore have the greatest abundance of these being flown by Airlines they don't trust, China probably sees this as a great way to get leverage on the FAA, UK and EU might have some desire to take a pound of flesh for Airbus, Canada might want a pound for Bombardier, and Trump is an idiot who does not encourage faith in the US by any of these countries. But this is just a theory...
What have Etihad got to do with this? It was an Ethiopian airlines aircraft.
Of the two airlines that fly the Max into Oz, one is Silk Air, a subsidiary of Singapore Airlines. Hardly an airline not to trust. They routinely come in any list of the top 5 best and safest airlines in the world along with Qantas and the gulf airlines.
This rant is impressive.
It is filled with inaccurate data ("struggles with the same problem for over 15 minutes"), use of all caps, 4 consecutive exclamation marks, 4 consecutive question marks. Also conspiracy theories, accusations of vested interests behind third parties' actions, even manages to bring Donald Trump into it.
I'll give it 4 thumbs up.
Eyewitness, Turn Buzuna, a 26-year-old housewife and farmer reports that the Boeing 737 MAX 8 was shuddering making, “A loud rattling sound, like straining and shaking metal, it tried to climb but it failed with the nose pointed down and the tail raised up. It went straight to the ground with its nose, it then exploded.”
Another witness, Tamirat Abera, 25, was walking past the field at the time reported that, “Before it crashed there was fire in the tail that was trailing white smoke, that turned black, items like clothes and papers were coming from the tail. Then when the plane was very close to the ground, the plane turned sharply, before hitting the earth, crashing about 300 meters away.”
Questions:
Were the pilots trying to correct a fatal dive caused by failure of the MCAS, that was repeatedly forcing the airliner's nose down??
Did the pilots lose elevator control on one wing or did one engine fail or was it pilot input that caused the final sharp turn before hitting the ground??
Did faulty AoA data and the MCAS wind the trim system to its max and did that cause aerodynamic loads on the tail section in the dive that caused it to break up in flight??
Witnesses about an air crash should be taken with a pinch of salt - and anyway witnesses on the ground can usually just see the latest moments of a crash.
For example, an engine may fail and get fire *after* the loss of control because the air flow inside it is no longer within the acceptable parameters. When an airplane exceeds the maximum speed, it can start to sustain structural failures.
So, listen to them, they may still have valuable info, but look for real evidence.
An example of this was TWA 800, a 747 that broke apart over New York. The central fuel tank exploded and the cockpit section was detached. Due to this sudden loss of weight at the front, the aircraft pitched upwards and briefly climbed with flames coming out of the front of the aircraft.
Many witnesses saw this and reported seeing a missile, leading to numerous conspiracy theories that it was shot down.
I remember a crash of a helicopter several decades ago (it was from the squadron I was in). Most of the ground based witnesses said the thing was flying and the rotors were turning but one witness took a picture as the chopper was maneuvering all over the sky. The picture showed the chopper upside down and the tail rotor and main rotor not moving. The pic was picked up by the press and in their eyes, case closed. Fast film and camera speed it turned out as the evidence was a hydraulic failure of the flight control system. So eyewitnesses and even camera coverage are taken with a grain of salt.
I'm not sure this is about Boeing wanting to save the money on getting the plane recertified as a new type. I mean everyone wants to save money but...
I think the real reason is to get sales to customers with existing 737 fleets. A 90 minute iPad based training course means no expensive pilot retraining is required. If that airline bought Airbus instead, it would be lots of expensive re-training - but then so would a new type not called the 737.
I was watching a pilot on YouTube yesterday. He had the vertical speed data which showed that both planes were going up and down like a yo-yo as the pilots fought the software. It was not helped by Addis Ababa airport being at 6000 ft., maybe the software thought that they were 7000ft above sea level and that there was plenty of height to play with.
See here at 5:34
https://www.youtube.com/watch?v=XKmS866ZTaQ
"Pilots repeatedly voiced safety concerns about the Boeing 737 Max 8 to federal authorities, with one captain calling the flight manual inadequate and almost criminally insufficient,"
Don't you know that's what you get with Agile(tm) development: "working* software over documentation"
* it mostly works
Fail Fast Fail Quick. Oops, not making this any better, am I....
Ok, this is serious - apart from the route the Black (aka Orange) boxes took from Ethiopia. Ethiopia didn't want to send the Black Boxes of the doomed Boeing MAX flight to the US. Why? Because of the time-zone difference. Really, Why? Because Boeings are made in the US. So Ethiopia asked Germany if they could download the data. "Sorry, we don't have the software to enable us to do that". UK? Sorry, we're not very United at the moment (I lied about that one). Final destination? (sorry, that was a really bad pun). France. Home of Airbus. And so Boeing are really - and I mean really - looking forward to working with the French on this one. Fight!!!!!!