back to article We don't know whether 737 Max MCAS update is coming or Boeing: Anti-stall safety fix delayed

Boeing yesterday warned it will take longer than expected to overhaul the anti-stall system in its 737 Max aircraft, the infamous safety mechanism that likely caused two deadly crashes. Both the manufacturer and America's aviation watchdog, the FAA, said the deployment of a software update for the airline jets' Maneuvering …

  1. Adrian 4

    "another big customer, Norwegian, is reportedly considering legal action against Boeing for the costs the budget airline has incurred from having its fleet grounded."

    Well, duh .. is that not expected ? Will American just take the hit of cancelling 90 flights a day for 2-3 months?

    1. J. R. Hartley

      "A warning indicator that all is not well with the sensor data was an optional extra that budget airlines tended to skip."

      So this is where we're at. The bean counters reign supreme. Well I am never ever flying again for the rest of my life. I'll take the boat from now on.

      1. Anonymous Coward
        Anonymous Coward

        You'll retire to the country and write a follow up to "Fly fishing"?

        1. Velv
          Boffin

          Already done:

          https://www.amazon.co.uk/J-R-Hartley-Casts-Again-Memories-Angling/dp/0091774373/

          You can still pick up the original too.

      2. Cuddles

        ""A warning indicator that all is not well with the sensor data was an optional extra that budget airlines tended to skip."

        So this is where we're at. The bean counters reign supreme."

        It sort of looks bad at first glance, but if you think about it it's really fair enough. Airlines should be able to assume that a plane they plan on ordering is fully functional and safe; it shouldn't have been certified to fly if that's not the case. So when they see a fairly expensive optional extra that just adds an indicator light, why would they care about it? If it had any effect on safety it wouldn't be optional.

        1. Nonymous Crowd Nerd

          It's "fair enough" from the point of view of the airlines. The logic you describe works fine for them.

          However, things look very dodgy indeed here as far as Boeing is concerned. They would appear to very been selling a safety critical indicator as though it was not, in fact, safety critical at all. This is on top of installing two physical indicators and only using one of them on any given flight and missing the entire MCAS out of the manual. It seems to me that Boeing may ultimately end up with a bill for the whole liability for the Ethiopian crash and the whole liability for the cost of the grounding of around 380 new planes and the whole liability for the delivery delays on new planes that should have be coming into service at the rate of fifty a month.

        2. lampbus

          'Airlines should be able to assume that a plane they plan on ordering is fully functional and safe;'

          Yes, but I assume that 'indicator that all is not well with the sensor data' is there to cover a faulty sensor that was functional and safe when the aircraft was certified, but that got bent or worn out in service.

      3. JimC

        > I'll take the boat from now on.

        I don't think I'd go as far as to say that marine safety was any better. CCCAS (Costa Concordia Coastline Avoidance System) has been demonstrated to have its flaws...

      4. A.P. Veening Silver badge

        Taking the boat

        Boats aren't that safe either, enough (too many) go down every year.

      5. anothercynic Silver badge

        It's a bit disingenuous to say that budget airlines 'tend to skip' optional items. If it had been clear that this is actually an important item, I would have expected someone like Boeing to say "this is important, it is a required item, not optional".

        Optional is "nice to have", not "oh, this is important!" - It's more like Boeing is happy to charge people more for things that should be there, kind of like the bad Ryanair joke of charging for the oxygen masks.

      6. Andre Carneiro

        And yet you want cheap tickets...

        Tot be fair to be bean counters, we the passengers have a lot of the responsibility for this state of affairs.

        We look at nothing but price on our tickets. We don't care about quality or safety or anything like that. We allow the likes of Ryanair to treat us like shit and we still buy their tickets because they're cheap (not me specifically, I wouldn't fly with the bastards for all the tea in China).

        We have made it ALL about cost. And now that mindset is coming to bite us in the arse.

        This was almost an inevitable next step.

        1. Stork Silver badge

          Re: And yet you want cheap tickets...

          There would be some merit in you argument if it was possible to do a meaningful comparison of e.g. safety between airlines. This is often not the case.

          - modern flying is incredibly safe. In most cases, statistical noise would overpower any real difference in risk.

          - even if you look at "deaths per million NM during the last 25 years" (or similar), you have to filter out what is the airlines' fault from other causes. My gut feeling is the 11 Sept 2001 is quite important for that statistics in the US.

          - on raw numbers, Scandinavian Airlines is way less secure than Ryanair or Easyjet, even if their last fatal accident was in 2001 and none of their fault.

    2. nematoad
      FAIL

      Yeah, yeah, yeah.

      " Safety is our first priority,"

      No, I don't think it is, going by what happened to the passengers and crew of the two aircraft.

      "...an ongoing review of the 737 MAX Flight Control System to ensure that Boeing has identified and appropriately addressed all pertinent issues,"

      A pity that this was not done before these planes started crashing. Don't you think?

      Greedy, careless, money grubbing bastards.

      1. Scroticus Canis
        Unhappy

        Re: " Safety is our first priority," - as an optional extra it would seem.

        Shows the problem was already known about if there is a warning system available.

        Anybody not dumped their Boeing shares yet?

  2. Phil O'Sophical Silver badge

    Even with an alleged fix I can't see too many people wanting to fly in one for at least a year or two, until it's proved itself again. In that case, why would any airline try to bring them back into service? To fly them empty?

    1. Anonymous Coward
      Anonymous Coward

      Right now it is the safest aircraft out there.

      ZERO chance of one crashing!!

      I went off Boeings after a pair of 777 flights in and out of Beijing, the plane was twisting so much I thought it was going to snap in two, and it basically pogo'd through the sky over Mongolia, almost like the pilot was dodging AA fire.

      Same flight path on AirBus 330, 340 & 380 were as smooth as silk.

      1. Yet Another Anonymous coward Silver badge

        >ZERO chance of one crashing!!

        One had to do an "emergency" landing with an engine failure when being ferried back from an airport empty.

        (which is well within the expected stats given the number of planes being moved around, and isn't really an emergency)

        1. anothercynic Silver badge

          Still ZERO chance of crashing since an engine failure is not necessarily leading to a crash. Making an emergency landing tends to be the standard procedure.

      2. PeteA

        Said for a while I prefer Airbus as a passenger - though the Embraer 190's are very nice, the ride feels very 'crisp' with none of the wallowing that I associate with this size of aircraft [and the 737 in particular].

    2. Mr Benny

      tbh with short haul its not like you often get a choice or even know until you get to the gate which tired POS the airline has put on for your 2 hours of knees in your face pleasure,

    3. jake Silver badge

      I'd fly in one today.

      And yesterday. And last week. Without worrying about it.

      IF, and note the IF, it had a properly trained pilot at the controls. Sans said pilot, I wouldn't get on ANY commercial aircraft.

      1. hellwig

        Re: I'd fly in one today.

        Absolutely. I think the two pilots on the Ethiopian flight had less hours combined than a US pilot needs in order to be in command of such an aircraft. AND the fact that a Lyon-Air dead-head pilot was able to overcome the same issue only the day before the crash shows me even the affected airlines had some competent pilots, just not at the helm on those fateful days.

        I know that the FAA and EASA (U.S. and European aviation administrations) will cooperate (i.e. an FAA cert is good in Europe as well). I'm not aware of any other regions that have a competent enough administration to be considered legitimate globally.

        1. Michael B.

          Re: I'd fly in one today.

          The captain was extremely experienced and had 8000 hours, the copilot 200. This is close to what the US required until 2013 when they upped it to the current 1500

          1. jake Silver badge

            Re: I'd fly in one today.

            Experience and training aren't the same thing.

            1. Anonymous Coward
              Anonymous Coward

              Re: I'd fly in one today.

              Apart from Boeing not giving training on the system and how to override it? It is a responsibility of the manufacturer to make pilots and airlines aware of new features and to roll out training to them, especially safety critical systems.

              It is truly shocking that a system has to have an optional extra to tell you that i isn't working properly. That there is minimal to zero redundancy in a safety critical system, that airlines and pilots weren't even told about the system and that the results of a failure ar enot obvious and result in a very sudden plummet to earth. It is a real worry that the risk management in Boeing has stooped so low.

              Now if faulty sensors are common and so disabling MCAS is needed quite often the airplane then becomes less safe without it working (due to the instability of the engines).

              Ethiopian airways had a good reputation, much better than American Airlines.

        2. Citizen99

          Re: I'd fly in one today.

          A bad design should not be excused because some, not all, human pilots managed to overcome its deficiencies.

        3. MrXavia

          Re: I'd fly in one today.

          How can the pilots be blamed for a system failing that they were not told existed? Even competent people cannot predict the unknown.

          The system was clearly flawed, and at the very least, the pilots should have been informed that this system was in place, and there should have been some kind of visual feedback to indicate it had activated.

        4. anothercynic Silver badge

          Re: I'd fly in one today.

          You'll find that the Ethiopian pilots did *everything* by the book as per Boeing's instructions (in the manual), and yet still couldn't recover control of the aircraft. So, slagging off the pilots of one of the most professional airlines that Africa has ever produced does not make you look smart, quite the contrary.

      2. bombastic bob Silver badge
        Devil

        Re: I'd fly in one today.

        "a properly trained pilot at the controls"

        THIS is the problem. The MAX was sold with the promise that existing 737 simulators could be used to qualify pilots for the new airframe. Given that special training is actually NECESSARY for the MCAS feature, the correct fix will probably include fixing the simulators, too...

        Aggressive marketing campaign drives development into a direction it probably should NOT have gone. "Agile" perhaps?

      3. John Brown (no body) Silver badge

        Re: I'd fly in one today.

        "IF, and note the IF, it had a properly trained pilot at the controls."

        Please bear in mind that in a previous article here at El Reg, it was reported that the ONLY mention of MCAS in the pilots manual was an index entry expanding on the MCAS acronym. No information on what it does or any possible failure modes. There was no training on it available from Boeing. SOME pilots were aware of it and how to get around its failure mode through word of mount, not official channels.

    4. Lars Silver badge
      Coat

      "why would any airline try to bring them back into service".

      I don't think all that many customers are that interested to knowing what plane they book so of course they will fly again. This will be expensive for Boeing in many ways and for several years and some orders are apparently already cancelled. As far as I know the full report is not out yet.

      1. The Nazz

        Expensive?

        re Lars

        And so it bloody well should be expensive.

        The Yanks fined Volkswagen what, something like $50bn and all they did was fiddle the consumption tests.

        1. Anonymous Coward
          Anonymous Coward

          Re: Expensive?

          @The Nazz

          Ahh, yes, but that was a foreign company wasn't it. I'm sure Boeing are very sorry and it won't happen again so some deal will be struck.

          1. Fred Flintstone Gold badge

            Re: Expensive?

            Yes, they will probably have to hire two full floors of the Trump Hotel for the next year.

          2. A.P. Veening Silver badge

            Re: Expensive?

            Just for your information, Boeing is a foreign company in Europe and while the EU isn't exactly known for excessively large fines, given past examples of American fines to European companies, an exception can always be made. And I am pretty sure Indonesia and Ethiopia are considering that same point as it will be a very welcome addition to the national treasury.

      2. jonathan keith

        "I don't think all that many customers are that interested to knowing what plane they book"

        They are now.

        1. John Brown (no body) Silver badge

          Unlikely. After all, TalkTalk made the national news headlines for huge data breaches, yet people still stay with them and sig up with them. People have very short/selective memories in general.

  3. devTrail

    Question for the experts

    In an older article in the comments I remember I saw a link to a forum for pilots. If someone has an account on that site can they forward a question?

    If I understood correctly the problem is that when the engine accelerates during take off it blows a strong airflow under the wing causing a sudden increase in the lift.

    Another detail is that witnesses in both accidents reported a screaming noise and this could be interpreted as if the pilots were pushing the engines at maximum power.

    Putting the two thins together I was wondering whether the system actually takes into account both the AoA and the engines acceleration. Is it possible that, among the other things that Boeing forgot to tell to the pilots, the excessive acceleration made things worse?

    1. camber

      Re: Question for the experts

      As a participant on those forums (PPRune): the MCAS system is not to do with engine thrust. Although engines under the wing (when increasing thrust) tend to pitch the nose up, the MAX is probably no worse than the previous 737 NG model in this respect. Also the MCAS system is not an antistall system as described in the article, it is supposed to improve handling at high wing angles of attack near the stall. This is because the engine nacelles are large and forward of the wing, which reduces stability.The plane without MCAS gets easier to pull up near the stall, so the description is mostly but not totally wrong. MCAS doesn't take thrust into account.

      1. Anonymous Coward
        Anonymous Coward

        "he MAX is probably no worse than the previous 737 NG model in this respect"

        Actually, it is and that's why they added the MCAS system to "protect" pilots from unexpected attitudes.

        The larger engines moved forward changed how forces are applied to the airframe, and the MAX can keep increasing AOA without any increased stick input - a pilot has to *decrease* stick to keep AOA in some situations. This can obviously lead to unwanted AOA (especially without any AOA indicator) which in turn can lead to a bad stall - as the plane could be too low and too "nose up" to recover in time (i.e. take off/ascent)

        MCAS was designed to counter this effect and make the MAX "identical" to the NG to pilot, applying some "nose down" itself.

        1. camber

          Re: "he MAX is probably no worse than the previous 737 NG model in this respect"

          The MAX is probably no worse than the NG in thrust-pitch coupling, as it's engines produce similar thrust levels roughly the same vertical distance below the wing as the NG. You are describing the aerodynamic effects of the bigger engines, which is definitely worse on the MAX. However, you are describing a pitch unstable or divergent aircraft at high AoA, as common with most current technical discussions. If true it's terrible and the MAX should not have been certified at all no matter good MCAS is...under certification rules the aircraft must still be able to be safely flown and landed without augmentation. It's more likely (but not known) that the MAX is less stable (not unstable) at high AoA, so it gets easier to pull through at high AoA but won't pitch up by itself at constant yoke input. In some ways this makes the bad implementation of MCAS worse, as it presents a lethal risk to solve a less critical deficiency.

    2. Anonymous Coward
      Anonymous Coward

      @devTrail - Re: Question for the experts

      I'm not an expert but the system didn't take into account anything other than what the programmer wanted.

      As for Boeing not telling the pilots about the system, that's puzzling. Oh, and it is wrong too. This is not the first time an automated system plays tricks behind the pilots.

    3. Bubba Von Braun

      Re: Question for the experts

      The engines on the 737 MAX series were moved slightly forward and up to maintain the necessary ground clearance. (ever wondered why the engines have flatted bottoms on the nacelle)

      The issue as you point out is the increase in air flowing below the wing especially in take-off/climb can cause a pitch-up moment leading to a stall.

      MCAS was developed to counter this issue, however if the reports are correct and there is only one AOA sensor feeding the MCAS system, then its design is fatally flawed. There are two AOA sensors on the 737 MAX and integrating them should resolve any AOA sensor failure. Why they didnt probably cost/schedule pressures.

      Also seems Boing's design philosophy has been to let pilot inputs over-rule the flight computer. Seems that has changed with MCAS or its truly a bug in resetting the override count. Whats worse is that this wasn't called out.

      BvB

      1. Mage Silver badge
        Alert

        Re: Question for the experts

        There needs to be three sensors, because if there are two, which do you believe?

        1. Alvar
          Stop

          Re: Question for the experts

          Neither.

          Give the pilots the AoA disagree warning and let them do their job.

          Assuming of course that the system actually looks at both AoA sensors (it doesn't as designed) and that the airline has added in the optional AoA disagree warning (it would seem that most haven't).

          What the system should do -->

          1. Mage Silver badge
            Alert

            Re: Neither.

            That would be acceptable if the system was simply indicative, giving an audible warning etc. It's not acceptable for a system that automatically takes control.

            1. Anonymous Coward
              Anonymous Coward

              Re: Neither.

              Even with multiple sensor you can have totally unreliable data, and the auto system must give up and tell pilot they have to fly the plane.

              If it keeps on taking control while fed unreliable data it really doesn't matter how many sensor there are.

              Higher redundancy just ensures it takes more than one simple failure before the automatic system must be disabled.

          2. CrazyOldCatMan Silver badge

            Re: Question for the experts

            Give the pilots the AoA disagree warning and let them do their job.

            Which means pilot retraining since the handling characteristics without MCAS are significantly different. And one of the (alleged) benefits of the Max was that it flew just like the previous generation of 737s - except it doesn't without MCAS..

        2. This post has been deleted by its author

        3. nautica Silver badge
          Boffin

          Re: Question for the experts

          When I worked in the aerospace industry it was an absolute imperative that, for a "fail-safe" or "fail-softly" system--which Boeing obviously does not consider this to be--three sensors are needed so that a "vote" can be taken. Of course, this was before the days of the mental set of the sh*theads who think that software can solve everything--and this ABSOLUTELY INCLUDES engineering managers--became "the way" of engineering design.

          Face it: now, designing things with hardware is soooo "old school", so "not trendy", so...safe.

          "Never ask a man with two watches for the correct time."

          "‬When someone builds a bridge,‭ ‬he uses engineers who have been certified as knowing what they are doing.‭ ‬Yet when someone builds you a software program,‭ ‬he has no similar certification,‭ ‬even though your safety may be just as dependent upon that software working as it is upon the bridge supporting your weight.‭"‬...

          "‬There are no standards for computer programmers and no group to certify them.‭"‬--David L.‭ ‬Parnas

      2. steelpillow Silver badge
        Boffin

        Re: Question for the experts

        The cause of the pitch instability which MCAS is designed to address is said to be extra lift created by the bigger and more forward-placed engine cowlings. Presumably this is created by the cowlings themselves. Perhaps counter-intuitively, more air rushing under the wing would not increase pressure and hence lift but, through the Bernoulli effect, actually reduce it. Thus, the new engines may to some extent be shifting net lift forward rather than / as well as simply adding to it. But as far as MCAS is concerned, the exact physical cause is irrelevant, it only has to deal with the effect.

        I have also read that the MCAS software does already take readings from both AOA sensors, however NOT AT THE SAME TIME! For each successive decision cycle it alternates between sensors, reading only one at a time. It does not compare them to check they read the same. Thus, both need to be working. This is mental. It occurs to me that if just one sensor is faulty them MCAS will only activate half as often as in a real high-AOA situation. I do hope that the accident investigators are intelligent enough to realise this and will sync the flight recordings to the software cycle to determine whether that was happening.

        And especially now that we know sensors can fail, a third should be fitted and the usual algorithm implemented that if one disagrees then it is overridden and must be fixed before the plane can make another flight.

        Finally, let us hope that Boeing has utterly destroyed its street cred with the FAA as well as with the rest of us and will have to jump through massive hoops for a generation before anything new it comes up with is allowed anywhere hear a passenger again.

        1. Schultz
          Boffin

          readings from both AOA sensors, however NOT AT THE SAME TIME!

          From a layman's point of view it seems nonsensical that the computer system would not compare sensor readings. Also installing an extra LED warning light to warn about sensors seems nonsensical if you already have an integrated computer system and central cockpit screen - just display a warning message on the screen!

          But Boeing tried to keep the system close enough to that of the older 737s to avoid pilot re-training -- apparently to the point that the electronic screen would only show 'analog' dial-type readings. Adding extra information would require pilot-retraining because they'd have to learn how to react to that extra information. The system reading only a single attitude sensor at a time may have been a consequence of these efforts to reproduce the older model user interface.

          Airbus went through a extensive and time-consuming process to figure out computer-controlled flight when they transitioned to 'fly by wire'. It sounds like Boeing now started a similar transition out of necessity with their 737s. But they did it under the radar of the FAA, EASA, etc., so I'd predict a lengthy re-certification process.

      3. Boufin

        Re: Question for the experts

        Re: The engines on the 737 MAX series were moved slightly forward and up to maintain the necessary ground clearance. (ever wondered why the engines have flatted bottoms on the nacelle)

        Why did Boing persist with developing and stretching the low-slung 737? The longer and then more modern 757 had much better ground clearance. The competing A320 also has better clearance, with no need for squashed nacelles or engines mounted fore and up. This to me seems the be the central problem here.

        1. Anonymous Coward
          Anonymous Coward

          "Why did Boing persist with developing and stretching the low-slung 737?"

          Because they thought it was cheaper and doesn't require a full and long re-certification. Now they may have become aware it wasn't true.

    4. S4qFBxkFFg

      Re: Question for the experts

      In addition to the other comments - if I remember correctly, MCAS was not primarily a safety system - its purpose is to make the aircraft's handling characteristics similar enough to previous 737 aircraft that it would not require to be certified as a new type (which is expensive).

      The impression I got, was that if it was a new aircraft type, the handling characteristics would be dealt with in the training for that specific type; MCAS would not necessarily have been required because the pilots would be expected to know the particular behaviour of the aircraft, and how to deal with it - including in stalls.

      (Not an expert, the largest thing I've ever flown was small enough that I could physically drag it around.)

      edit: looks like it (or some other method) would have been required due to the runaway pitch up

      1. steelpillow Silver badge
        Boffin

        Re: Question for the experts

        Yes S4qFBxkFFg you are right about the handling issue. But then, unexpected handling is a safety issue, so really MCAS is both: handling, therefore also safety.

        Further to my above comment, I hope also that the FAA will revoke the "same as before" certification and deem the MAX a new type requiring a lot more pilot training after all. If they do that then the simplest and most reliable bugfix to MCAS would be to uninstall it.

    5. martinusher Silver badge

      Re: Question for the experts

      I won't claim to be an expert but I have a little experience with sailplane design. Its very rare that just one component causes a crash, usually its a series of failures and shortcomings that are obvious in retrospect but weren't anticipated by the designers. One thing that concerns me about the MAX is that the combination of full down trim and full up elevator would lead to a stabilizer that has the potential to stall (its not just the main wing that can stall -- the stabilizer is also a wing and if that stalls it can make the plane uncontrollable). This is the kind of situation that would never happen in real life -- a pilot is unlikely to wind the trim one way while giving opposite command to the elevator -- but a piece of software isn't that smart, it only sees the big picture if it was designed to do that. So its easy to envisage a situation where the pilots got too much power (for some reason), the plane pitched up, the MCAS tried to compensate with the pilots fighting to keep control of the plane. This may explain why nobody's buying the quick software fix; the accident investigators need to look at the entire picture in order to figure out exactly what happened before the sequence of events can be unwound to find remedies that are true fixes. A patch to the MCAS software might be part of the solution but its unlikely to be the entire solution.

      This highlights the difference between 'apps' development and real time systems development. If this Tuesday's patch doesn't work then the worst that can happen is you've got a bunch of annoyed customers. In a real time systems world if your software doesn't work you're quite likely to end up with a bunch of dead customers. There is no such thing as "Rapid Application Development" in safety critical systems.

  4. Anonymous Coward
    Anonymous Coward

    I just can’t believe a safety feature can be optional, makes you wonder what else they cut back on.

    1. Yet Another Anonymous coward Silver badge

      Lots of safety features are optional.

      Did you order the auto-braking radar for your car? Lane departure warning?

      What about fitting self-sealing fuel tanks, bullet-proof windows (if you live in S London), 5 point harness, rally seats, roll cage, fire extinguishers?

      Would you get on a train without these safety features?

      1. Martin Gregorie

        Lots of safety features are optional.

        The ones you're talking about are all optional, since people can and do drive cars without them: they are not necessary for controlling the car.

        However, the MCAS failure light, along with specific training on how to disable a failed/misbehaving MCAS is decidedly non-optional because it tells the pilots something they absolutely need to know on order to fly the aircraft successfully.

        You want proof of that? Just recall that two airliners have now crashed because (a) the pilots had no indication that MCAS had failed due to lack of a failure indicator, (b) did not know MCAS was installed or why and (c) had not been trained to detect MCAS faults or to turn it off.

        NOTE: that in all stable, licensed aircraft, if you pull the stick back the nose will initially rise and then stabilise at the new, pilot-commanded angle of attack and a slower airspeed. If the stick is pulled back still further the process will repeat until eventually the aircraft stalls, at which point the pilot is rudely awakened because either the stall warning horn sounds just before the stall occurs or (in a glider or other plane without a stall warning horn), the aircraft stalls and the nose drops sharply as a consequence of the stall.

        However, as a B737MAX without a working MCAS will start to pitch up at an increasing rate as it approaches the stall and will do this without pilot input, this is an unstable behavior and is never acceptable in a licensed aircraft: those that do it will not be licensed. The MCAS was installed to prevent this behavior, but unfortunately its failure modes were not subject to sufficient testing: obviously so, or the two planes would not have crashed.

        1. Anonymous Coward
          Anonymous Coward

          The ones you're talking about are all optional, since people can and do drive cars without them: they are not necessary for controlling the car.

          Well, there's the problem. Boeing and the FAA thought pilots could pilot planes without AOA indicators or AOA disagree alerts. They have been optional on the 737 line for decades and the planes flew very well.

          Actually, there's no guarantee that even with those displays available the Lion Air pilots would have done any better. "Our sensors are bollixed" is something they understood already. What they didn't understand is that the stabilizer was, and would continue to, persistently, insistently, and intermittently keep trimming nose down. Or perhaps the captain did, but failed to share that with his first officer.

          If your car keeps jerking the wheels the left, do you really need a "steering failure" light on the dash to figure out the problem?

          As for the AOA indicator, you'd be surprised at how many commercial pilots will tell you they're unnecessary.

          All that said, the AOA disagree alert (it's not an "MCAS failure light", by the way) should have been there. Selling it as a chargeable extra is not forgivable. Whether it would have helped in these specific cases is a little beside the point.

          1. eldakka

            Well, there's the problem. Boeing and the FAA thought pilots could pilot planes without AOA indicators or AoA disagree alerts. They have been optional on the 737 line for decades and the planes flew very well.

            But prior to the 737 MAX AoA sensor data was not a control input. It was an information input to the pilots and warning systems. No control system acted on input received from the AoA sensors. If installed AoA sensors malfunctioned, the worst the plane's systems would do is start throwing alerts to the pilots or, if they had the optional AoA indicators, show weird numbers on those indicators.

            With the 737 MAX, AoA sensors are not optional, they are critical flight control input. That is, control systems now directly act on data received from the AoA sensors, unlike with the previous 737 versions, and MCAS adjusts the TRIM automatically and directly from AoA sensor input. Therefore having the "AoA disagreement light" remain an optional feature, even though AoA data is now critical flight-input and automatic control adjustment data, is negligent at best.

            The core of the problem is that Boeing intentionally downplayed, if not hid, MCAS and how it worked and how to respond to it, intentionally failed to require pilots to train on this system, to protect sales.

            1. Anonymous Coward
              Anonymous Coward

              I agree with you in principle. It's just worth remembering that the warning wouldn't have necessarily saved either of the flights in the topic. It's the knowledge of trim behaviour that was the key.

          2. CrazyOldCatMan Silver badge

            Selling it as a chargeable extra is not forgivable

            Especially in the context of the cost of the whole aircraft - $80k in a multi-million dollar aircraft? Really?

            Are Boeing *that* desperate to scape every cent from the sales that they make an essential pilot-information system optional?

            Ironic that, if they were, then they have just caused the market for 737 Max 8 aircraft dive into the ground. And I hope it leads to some of their execs getting to learn what life is like without a regular pay cheque.

        2. Anonymous Coward
          Anonymous Coward

          The problem light is extra. If I had one now, it would emit a bright blinking red light,

      2. Tom Chiverton 1

        No.

        But what I do have is my car's auto-brake (and emergency brake assist). And there's a whole confusion of sensors in the bumper and grill area to support it. And the failure mode is "all my fault" (it'll only brake, or brake assist, if I'm stupid enough to hit something and it knows it) as opposed to *maybe* getting rear ended instead of hitting something. Might hit something anyway...

        Cars are not planes, in other words.

    2. Marty McFly Silver badge
      Go

      Watch this video...

      From Mentour Pilot (a 737 captain) on YouTube. It explains the misconception about the 'safety feature' being 'optional'.

      https://www.youtube.com/watch?v=CD0JabYjF3A

      This question is answered at 1 min 30 seconds if you want to skip ahead. A technical answer, which is well suited for us geeky types that read The Reg.

      1. jake Silver badge

        Re: Watch this video...

        Yeahbut, Marty ... it's no fun listening to the reasonable voice of an experienced commercial pilot when ThePress is fanning the flames of popular opinion and promoting doom & gloom and conspiracy theories, now is it?

        1. Anonymous Coward
          Anonymous Coward

          @jake - Re: Watch this video...

          there's no question he is an experienced pilot. The question is would he have done better in the cockpit in that deadly situation without any knowledge of the system ?

          1. jake Silver badge

            Re: @jake - Watch this video...

            Would not have happened. His airline made sure he had that knowledge. Which is kind of the point. We should be grounding the airlines, not the airliners.

            1. Anonymous Coward
              Anonymous Coward

              Re: @jake - Watch this video...

              The airlines can only make sure that pilots have the knowledge if the manufacturer passes on that knowledge. Did Boeing pass the knowledge on to some customers and not others, more likely a faulty sensor situation hasn't occurred with most airlines yet.

              If you listen to that Youtube clip to the end of the question he actually seems to sensitively say that Boeing messed up. He is just talking about the AOA display which isn't usually used by civilian pilots. However the AOA display was primarily useful as a ground check to ensure the sensors were reading correct. He also stated that the disagree sensor may be more useful as it would show that there is a problem with one of the two sensors. However he then said they will likely not be needed with the *new* software as that will *start* to check itself whether the sensors agree or not.

              So he does not at any stage say that the current base level delivery of an aircraft was safe and redundant. He is saying that the AOA display is not necessary if the system was made to check for disagreements or errors in the first place.

              1. jake Silver badge

                Re: @jake - Watch this video...

                All I can tell you is that of the dozen or so commercial pilots I personally know (flying for a handful of airlines), all tell me that not only were they aware of the so-called problem before the first crash, they all also knew how to mitigate the situation if it ever happened to them. Their airlines made sure of it.

                Every single one of them think that grounding all of the aircraft is over reaction by ignorant management-types (including politicians) looking to cull favor with TheGreatUnwashed, who were whipped into a frenzy over fear of the unknown by ThePress. Even here on ElReg. Look back through the comments here, how many of them calling for Boeing's head on a platter start with the infamous line "I'm no expert, but ..."?

                1. Anonymous Coward
                  Anonymous Coward

                  Re: @jake - Watch this video...

                  "All I can tell you is that of the dozen or so commercial pilots I personally know (flying for a handful of airlines), all tell me that..."

                  Extraordinary - you know and have spoken to a dozen commercial pilots who all fly the 787 Max?

                  Sounds like the 'old' Jake has resurfaced again...

                  P.S. Seems strange that no-one other than your 'friends' seems to dispute the basic facts about the training of the MCAS before the Lion air incident. Also it seems strange that initial reports seem to suggest that the Ethiopian Airlines pilots were carrying out the correct procedure to bypass the MCAS but it kept re-engaging.

    3. Mark 85

      Therein is a question that needs to be asked. Seatbelts in cars were "options" that you paid for but had no choice to take them. Seems like someone in sales had their head up a certain orifice to sell that way. Let's be real, an $80,0000 safety option is peanuts considering the cost of the aircraft and maintaining/flying it. And there are reputational costs... like if it's "unsafe" in the flying public's eyes, no one would want to fly on it.

      1. nematoad

        "...like if it's "unsafe" in the flying public's eyes, no one would want to fly on it."

        I have a confession to make. I have severe acrophobia and going on holiday is a real struggle if I am flying.

        I used to be concerned at the interior state of the aircraft I flew in. Mostly TUI. The worn state of the fixtures and fitting made me realise that some of these aircraft had been well used over a long period of time and that worried me, unreasonably I am sure, but good old acrophobia is not susceptible to reason.

        Now, however, if I were to board a Boeing 737 and it was all brand spanking new that would set off the alarm bells. How do I know if what I'm going to be flying in is a 737 Max? You see as airline passengers we have no choice in what type of aircraft we fly in so Mark85 is dead right if the flying public has no confidence that the aircraft they will using is "safe" or not is going to be a big problem for those airlines who use this type of plane. Hard luck on them and I have some sympathy for their situation. As for Boeing, no absolutely not. They will get what they so richly deserve, or so it should be hoped.

        1. A.P. Veening Silver badge

          as airline passengers we have no choice in what type of aircraft we fly in

          As airline passenger you still have the choice not to fly with an airline using types you consider unsafe. And for me that category includes all airliners with less than four engines.

          ETOPS: Engines Turn Or Passengers Swim

        2. British Flyer

          To MAX or not?

          You are lucky as they are grounded.

          TUI , Norwegian and Ryanair (none so far) are the main UK operators.

          Pick Easyjet and you will be on an Airbus...peace of mind.

      2. CrazyOldCatMan Silver badge

        Seatbelts in cars were "options" that you paid for but had no choice to take them

        Not in this country[1] - once seatbelts became mandatory[2], there was no additional option cost to the customer for them. Of course, the cost will be built into the base cost of the vehicle but that's another thing.

        [1] The UK - seat belt anchorage points were mandatory in 1965 and front seat belts themselves were mandatory in 1972 (although mandatory use didn't happen until 1983. Rear seat belts had to be fitted from 1986 and mandatory to use from 1991. However, the olny time I recall ever not using a seat-belt in the front of the car was the early 1970s - my parents refused to let us be in the car (certainly in the front seat when rear belts were not fitted) unless we wore a seat belt.

        [2] My wifes' Morris Minor, being made in 1966, would have had the old-style fixed seat belts and was later retro-fitted with proper inertia-reel seat belts. But, if a car didn't have them fitted when new, you are not required to fit them later - much like indicators.

        1. Mark 85

          I'm in the US on this. They play the "base price" but you'll never find one that's "base" at a dealer.

  5. JaitcH
    Thumb Down

    Avoid the MAX AND THE 737NG

    Serious concerns have been raised about the airworthiness of the BOEING 737NG fuselarge (not the engines).

    Turns out a subcontractor hand-made parts that were supposed to be CNC manufactured. When mated with other subcontractor assemblies much use of the 'Detroit Screwdriver' aka 'Birmingham Screwdriver' (hammer) had to be made, some of which were patched with filler, smoothed and they sprayed with green paint.

    The affected bodies are supposed to survive 7-8 years of take-off and landing cycles.

    Even the US Air Force is complaining about Boeing!

    Compare this against the WWII Dakota 3 - some of which are still flying today!

    1. S4qFBxkFFg

      Re: Avoid the MAX AND THE 737NG

      "Compare this against the WWII Dakota 3 - some of which are still flying today!"

      TOL cycles are less relevant with unpressurised aircraft.

    2. MrXavia
      WTF?

      Re: Avoid the MAX AND THE 737NG

      do you have a source for this?

  6. sanmigueelbeer

    U.S. lawsuit filed against Boeing over Ethiopian Airlines crash

    And don't forget that Ethiopian Airlines crash victim has filed a lawsuit against Boeing.

    U.S. lawsuit filed against Boeing over Ethiopian Airlines crash

  7. Timbo

    Safe to say now is a better time to fly...

    esp as all the 737 MAX are grounded. !!

    I can't see Boeing having a good legal defence against families of those who died as well as airlines with grounded planes - they all will need compensation for their losses.

    One assumes that the software writers (if 3rd party) and the sensor manufacturers will also have to shoulder their share of the blame.

    1. Tom Chiverton 1

      Re: Safe to say now is a better time to fly...

      Depends. Might be cheaper to pay them off out of court and avoid the trial....

    2. Anonymous Coward
      Anonymous Coward

      Re: Safe to say now is a better time to fly...

      I would be surprised if blame is made of the sensor manufacturer unless it specifically didn't do something it said it would or had manufacturing faults. It is up to the airline to choose suitable components for it's aircraft, test them and fit them sensibly and redundantly.

      If the sensor is damaged by an external influence then that is unlikely to be the fault of the sensor manufacturer.

  8. Tom 38
    Facepalm

    Upon receipt, the FAA will subject Boeing’s completed submission to a rigorous safety review.

    Shame they didn't do that the first time around, instead of letting Boeing self-certify that it was OK.

    1. JassMan

      Downvote?

      I don't know who downvoted Tom38 but I suggest you read several articles in the vein of Engadget article before voting.

      It seems Boeing have been self certifying subsystems since 1956.

      1. Anonymous Coward
        Anonymous Coward

        @JassMan - Re: Downvote?

        And what do they do to avoid complacency ?

    2. pavel.petrman

      Re "letting Boeing self-certify"

      Self certification is not a problem in itself and most certainly not a root cause in this tragic case.

      Self certification takes place all around us, most often in very complex areas (my first real job was in self certification of safety examination programmes in nuclear power plants). It can be very broadly compared to accounting and tax declaration paperwork: rules and guidelines are set by authorities (including requirement of, say, external audit), you do the heavy lifting and submit the result back to your respective authority for review. In place of certification are usually strong incentives to do your self certification right. My gut feeling is that in the field of nuclear power generation the failures of self certification which could be ascribed to failing of the incentives were similar in rate to failures of the certification authorities where self certification was not permitted or desired. I imagine the situation may be similar in the airliner business.

      It is important to remember that certification in highly sensitive areas (security wise, like airliner building or nuclear power generation) can be either done directly by authorities (who tend to be badly equipped both in personnel and in budget as they run off taxpayer money which over time finds more and more of "better use" elsewhere) or by third parties (where again the situation can be broadly compared to tax & accounting and the landscape of formerly big eight, now big four accounting companies whose history in cases like Enron failure passes as a good illustration). Neither looks like a much better alternative to self certification.

      1. Potemkine! Silver badge

        Re: Re "letting Boeing self-certify"

        Self certification is a heresy. One cannot be at the same time the defendant, the judge and the jury if the certification should have any value. Lack of independent certification in nuclear industry may well explain Three Miles Island incident.

  9. sbt

    "Safety is our first priority"

    No, it isn't.

    And I can think of at least 346 people who would agree with me.

    1. seven of five
      Devil

      Re: "Safety is our first priority"

      Not "people", just foreigners. Big difference.

    2. Gonzo_the_Geek

      Re: "Safety is our first priority"

      I don't disagree with the sentiment, but the bigger problem is that they can't agree with you anymore...

  10. James Anderson

    Which version of the 737 went through full testing etc.

    Does anyone know which version of the 737 actually went through the full testing and approval process?

    I suspect this was so long ago that the MAX series has not a single component in common with the aircraft that was originally certified.

    Sticking an old name on a new plane seems to be enough to get FAA approval. Heads should roll.

    1. A.P. Veening Silver badge

      Re: Which version of the 737 went through full testing etc.

      It is even a bit worse than you think. The original 737 pre-dates the full testing and approval process. When the full testing and approval process got started, the 737 got grandfathered in as a time and practice proven design. That is another one of the reasons the Boeing bean counters tried to avoid the full testing and approval process, it might even show up the original 737 as non-conforming after more than 50 years.

  11. eldakka
    Coat

    We don't know whether 737 Max MCAS update is coming or Boeing: Anti-stall safety fix delayed

    You could say that the anti-stall fix has stalled?

  12. Anonymous Coward
    Anonymous Coward

    Unbelievable that Boeing would initially design the MCAS system to use just one AOA sensor, that in itself is criminally negligent. Issues with malfunctioning AOA sensors and interactions with software were well known to be capable of bringing a plane down long before the 737MAX was on the drawing board so they can't say it was unforeseeable:

    https://en.wikipedia.org/wiki/XL_Airways_Germany_Flight_888T

  13. Electronics'R'Us
    Alert

    It is not all Boeing software

    For those unfamiliar with commercial aircraft avionics, here is how it works.

    Boeing has a new* aircraft and it has been decided it needs electronic flight control system hardware and software so they issue a RFP (request for proposal) pack.

    Various vendors of this type of avionics bid for the job**

    Boeing awards the lowest bidder the job***

    The vendor is supplied with control laws that are to be implemented (amongst a great deal of other information such as communication interfaces and protocols). This is where the first push back should have occurred. There should be no way any flight controls vendor would look at the single sensor for a system that can vary the control surfaces and not say 'Are you nuts?' I hope the vendor has something in writing from Boeing on this subject or they may well get dragged into the inevitable sueballs. A safety analysis is supposed to be done that would have thrown up a common mode failure big red flag; that is the next issue that should have been dealt with.

    The vendor implements the control laws which are rigorously tested****

    The kit, after a lot of integration rig testing is installed in an aircraft and eventually flown by a test pilot who is supposed to test the entire flight envelope. There are usually numerous test flights where sensors are supposed to be deliberately disabled or errors injected.

    The system then moves to platform certification.

    A lot of things apparently went wrong in this process that really should not have occurred, so whatever else comes out of this a major process fix will be in order.

    *Boeing claimed this was not a new aircraft, but simply a derivative. Adding an extra AoA sensor would not let them claim this. Based on the aerodynamics of the aircraft, it is a far cry from the original 737 apparently but no-one challenged Boeing effectively on this, or so it would seem.

    **In commercial avionics, the development cost of the kit has to be amortised across sales; there is usually no NRE payment (although there are some cost sharing arrangements for technology insertions and upgrades under some circumstances). For this reason, there has to be an expectation of several thousand sets of kit for a vendor to bid a reasonable price. As soon as a piece of kit is level A (safety critical, failure can cause death) there is at least 5000 hours of paperwork involved. It is not much less for level B (which is what Boeing classified the system as which may be the get out of jail card for the vendor).

    ***Generally, although vendor reputation is supposed to be a key part of the decision

    ****Usually on an integration rig at the aircraft manufacturer after being tested at the vendor to show the control laws are met. There are strict standards for software and firmware (DO-178B/C and DO-254) that are supposed to be met.

  14. PeterM42
    FAIL

    Clearly....

    The 737 as a basic design has been MAXed out.

    Time for something completely new.

    1. JimC

      Re: Clearly....

      Ah well, there you have put your finger on the problem. There wasn't time to design something new and stop Airbus pinching all the sales.

  15. Mystic Megabyte
    FAIL

    To any airline companies reading this forum

    If you have *any* of these planes I won't be flying with you in the next few years. Boeing have created a total bodge job of an aeroplane, the sooner they are scrapped the better.

  16. British Flyer

    737 Max Killer?

    I have flown on Boeing planes for decades and never worried about safety. I think the 737 MAX is a game changer and for that reason i will never fly on one software fix or not.

    The 737 is a 1960s design which has been updated numerous times and there becomes a time when you cannot do it anymore. Is the 737 MAX at that stage or even slightly above it?

    I worked for British Midland when a 737 400 crashed. It was a new design and the crew became over wealmed in an emergency and shut the wrong engine down.

    As planes grow more complex the issue of crew overload becomes more of a threat in an emergency. Add to this airlines who use inexperienced First Officers to.save money. The stage is set for disaster.

    A way to mitigate this is by training, especially in the simulator. PROBLEM : the 737 MAX only needs a couple of hours on an ipad, saves loads of $$$$$. Cost lives?

    Boeing should be forced to include significant groundschool and simulator time in training and pick up the bill. There should also be a minimum number of hours to be a First Officer without a supervisor in the jump seat.

  17. Potemkine! Silver badge

    So sad FAA became careful after two fatal crashes. FAA's collusion with Boeing led to hundreds of casualties.

  18. This post has been deleted by its author

  19. Anonymous Coward
    Anonymous Coward

    Software Development and Testing

    Someone should ask Boeing whether the software was developed using "agile" or "scrum".

    *

    If yes, then Boeing should be asked about how the MCAS "user story" (or "use case") was integrated into the rest of the software environment on the MAX. If the process simply tested the CHANGES (i.e. only the new MCAS software on its own), then a part of the problem is the whole software development and testing process.

    *

    ....and of course Boeing would self-certify the process!!

  20. doug_bostrom

    So much easier and cheaper than doing it correctly the first time.

  21. YetAnotherJoeBlow

    Insurance

    I'll bet by the time this is over, Lloyds of London will be calling some numbers...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like