Slashdot Mirror


Boeing To Make Key Change in 737 MAX Cockpit Software (wsj.com)

Boeing is making an extensive change to the flight-control system in the 737 MAX aircraft implicated in October's Lion Air crash in Indonesia, going beyond what many industry officials familiar with the discussions had anticipated. From a report: The change was in the works before a second plane of the same make crashed in Africa last weekend -- and comes as world-wide unease about the 737 MAX's safety grows. The change would mark a major shift from how Boeing originally designed a stall-prevention feature in the aircraft, which were first delivered to airlines in 2017. U.S. aviation regulators are expected to mandate the change by the end of April.

Boeing publicly released details about the planned 737 MAX software update late Monday [Editor's note: the link may be paywalled; alternative source]. A company spokesman confirmed the update would use multiple sensors, or data feeds, in MAX's stall-prevention system -- instead of the current reliance on a single sensor. The change was prompted by preliminary results from the Indonesian crash investigation indicating that erroneous data from a single sensor, which measures the angle of the plane's nose, caused the stall-prevention system to misfire. Then, a series of events put the aircraft into a dangerous dive.


  1. I guess the incredibly obvious question is... by ZorinLynx · · Score: 5, Interesting

    Why the hell wasn't this the case before?

    Aren't flight control systems supposed to be triple-redundant anyway? Everything I've read about them says they are; three systems and if there is incorrect data it uses the two that agree.

    1. Re:I guess the incredibly obvious question is... by lgw · · Score: 4, Interesting

      I assume they're talking about the sensor behind the pitot hole here. Making that the only sensor, and non-redundant, is particularly questionable. It's well known that pitot holes are very easily thrown off: an insect building a nest inside it (or ice forming, or etc) will throw off the sensor enough to crash a plane, if it's all you rely on.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:I guess the incredibly obvious question is... by geekmux · · Score: 5, Insightful

      I assume they're talking about the sensor behind the pitot hole here. Making that the only sensor, and non-redundant, is particularly questionable. It's well known that pitot holes are very easily thrown off: an insect building a nest inside it (or ice forming, or etc) will throw off the sensor enough to crash a plane, if it's all you rely on.

      I would assume you're correct here, but it still begs the question as to why this sensor was non-redundant, and how that SPOF design ultimately got approved.

    3. Re:I guess the incredibly obvious question is... by drinkypoo · · Score: 3, Informative

      Yes, this is absolutely bananas. Even the accelerator pedal position sensor on cars with throttle-by-wire is a pair of pots, not just one. If one sweeps smoothly and the other doesn't, the PCM throws a code and only listens to the smooth input.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:I guess the incredibly obvious question is... by Geoffrey.landis · · Score: 2

      Why the hell wasn't this the case before?

      ...

      I assume they're talking about the sensor behind the pitot hole here. Making that the only sensor, and non-redundant, is particularly questionable.

      I would assume you're correct here, but it still begs the question as to why this sensor was non-redundant, and how that SPOF design ultimately got approved.

      I am baffled as to why, if the problem had been identified, the planes weren't grounded until the software fix was implemented.

      Alternate source:
      https://www.morningstar.com/ne...

      --
      http://www.geoffreylandis.com
    5. Re:I guess the incredibly obvious question is... by mea_culpa · · Score: 1

      I was under the impression that each of the 3 redundant systems had their own set of sensors. Sounds like this particular system is not redundant and that they are now going to derive data from other sensors to compensate. I would feel a lot better if MCAS or any other system that takes control of flight also be triple redundant.

    6. Re:I guess the incredibly obvious question is... by bobbied · · Score: 5, Interesting

      Why the hell wasn't this the case before?

      Aren't flight control systems supposed to be triple-redundant anyway? Everything I've read about them says they are; three systems and if there is incorrect data it uses the two that agree.

      Well.. I believe the way the system works allows the control inputs of the pilots to overcome anything the system does. It's basically like an autopilot, where the pilot can override the system by applying pressure to the controls. This system is designed to apply backpressure as the aircraft approaches a stall, making it harder for the pilot to continue to increase the angle of attack and hopefully avoiding the stall. So you can still stall the aircraft, just pull harder and keep increasing the AOA...

      The problem though, is that pilots are conditioned to change the trim to deal with unusual pressures for the desired pitch angle. So if the system believes the sensor and it's saying "STALL" but you are actually not, the system applies pressure to lower the nose, which the pilots will be conditioned to trim out. IF the stall doesn't go away, the system keeps the pressure there and unless the pilots realize what's going on they will keep trimming nose up. Eventually, the process ends up with an aircraft that's severely out of pitch trim which will be very confusing to the pilots, with really high control pressures required to do anything to the pitch. Thus "control problems" seems to describe exactly what I imagine was going on. It was a vicious cycle that makes the aircraft really hard to control.

      So, I understand the engineering and using one AOA sensor. Kind of makes sense... Hey, the pilots can just override this anyway, we are stopping them from actually stalling the aircraft, just making it harder to do. We've done this before in fighter aircraft and other fly by wire systems w/o any problems. But I think there wasn't enough thought given to what happens when that sensor fails and if they can implement some cross checks between airspeed, rate of climb, rate of turn, they might be able to more gracefully fail the system and disable it, or at least not get into the vicious cycle that leads to a pitch trim issue.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    7. Re:I guess the incredibly obvious question is... by ceoyoyo · · Score: 1

      Technically this system is supposed to assist the pilots in avoiding or recovering from a stall, compensating for poorer aerodynamics on the MAX. It might have gotten approved without the normal redundancies because it only assists the pilot. I know a few other industries where that excuse flies....

    8. Re:I guess the incredibly obvious question is... by JeffOwl · · Score: 1

      Do we actually know for certain that this second crash has the same cause as the first? I have not seen anything official. However... they weren't grounded the first time because the first crash was the result of a hardware failure and the pilots not properly responding to the failure. So, two failures. Note that I don't say it was the fault of the pilot. The issue was the documentation and training provided by Boeing was insufficient to enable the pilots to identify and respond to the original failure in a timely way. Also, the system required the pilots to respond to a fault condition in a different way than the previous version of the aircraft and the change was not well communicated. After the first crash a bulletin was distributed to the operators of the aircraft that described how to deal with the condition, and it was apparently thought that this was enough until the software could be updated. Even with the change to use multiple sources of data so this theoretically doesn't happen again, I'm not sure it is really good enough. It sounds like the mechanism the pilots have to use to get the computer to back off is more complex than in the past.

    9. Re:I guess the incredibly obvious question is... by Shotgun · · Score: 1, Insightful

      One would have to have a truly weak mind to believe that. Primitive peoples instinctively follow might makes right. Jesus Christ advocated personal charity. Having the government do your stealing for you is not charity.

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
    10. Re:I guess the incredibly obvious question is... by Anonymous Coward · · Score: 1

      You know what they say about assuming...

      The sensor in question (in the story, not the pitot) is an angle-of-attack sensor and has only to do with the orientation of the wings to the wind flowing over them (or not, in a stall).

    11. Re:I guess the incredibly obvious question is... by HornWumpus · · Score: 1

      They changed the system acronym (much has been made of this), but the response to 'runaway trim' remained throwing the same two switches. That's been on the troubleshooting checklist of Boeing airplanes forever.

      The second crash was reportedly trailing fire before impact. Eyewitness, so take it with a huge grain of salt.

      Also the copilot is reported to have 200 hours? 200 hours total and flying a multi engine commercial jet? I think it has to be 200 hours in the type.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    12. Re:I guess the incredibly obvious question is... by Solandri · · Score: 4, Interesting

      Usually there are 3+ pitot tubes. Looks like the 737 has 5, with 3 of them dedicated to measuring airspeed. It's incredibly rare that a single fault causes a crash. Reporters just like to write up their stories that way to give their stories more impact, even if it twists the truth.

      This isn't the first time faulty airspeed readings fed to a flight computer have led to a crash. It isn't even the second time. In all previous cases, the plane was flyable. It was the confusion as the pilots tried to diagnose the problem based on the bizarre behavior of the plane and the flight control software and alarms which doomed the flights. It requires a deep and thorough understanding of when different flight protection modes in the software are triggered and kick in, to work backwards from the behavior you're seeing, to what problem(s) could be triggering those modes. If you've debugged software, you've encountered this. Unlike natural laws like physics, software can be designed arbitrarily. So your intuitive feel for how things should work becomes useless for tracking down the problem. You're totally dependent on how thoroughly you understand the software's arbitrary design.

      Bear in mind that the stall warning is pretty much a "you're gonna die if you ignore me" warning. So it takes quite a bit of convincing before pilots will decide it's the warning that's faulty, not something else that they're doing wrong. That may be the cause of the reluctance of pilots to simply shut it off and fly the plane "by the seat of their pants" based on the throttle settings, altitude, and attitude. So while theoretically the stall warning triggering incorrectly is a recoverable problem, it may take pilots a long time to diagnose and clear up the problem. Long enough for the plane to crash.

    13. Re:I guess the incredibly obvious question is... by Shotgun · · Score: 3

      The question here is why is the computer listening to a sensor instead of the pilot. A plane can be flown just fine without any instrumentation other than the front window. Why does that sensor get to override the pilot?

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
    14. Re: I guess the incredibly obvious question is... by Bryansix · · Score: 3, Informative

      There is a way to disable the systems but the procedure to do so is incredibly complicated. It's also hard to do anything when an emergency happens seconds after takeoff and the plane isn't even far off the ground yet.

    15. Re:I guess the incredibly obvious question is... by Anonymous Coward · · Score: 1

      A plane can be flown just fine without any instrumentation other than the front window.

      A pilot can fly with just a window only on clear days. When it is dark or not clear out, a pilot that isn't used to flying via instruments will enter a death spiral and crash.

    16. Re:I guess the incredibly obvious question is... by drinkypoo · · Score: 2

      The question here is why is the computer listening to a sensor instead of the pilot. A plane can be flown just fine without any instrumentation other than the front window. Why does that sensor get to override the pilot?

      A car can be driven just fine through no information but the window view and the butt dyno, but the [mandatory] ESP system will still start fucking with your brakes if the accelerometer says that you're yawing in a way that isn't called for by the steering angle sensor. The answer to the question of why is the same in both cases, assistive technologies. When everything is working correctly, the vehicle is much better than you are at figuring out what is happening. Normally, as has been pointed out several times in this discussion, multiple sensors are used to cross-check, to make sure that a single malfunctioning sensor can't make the system go bananas.

      Barring that, software monitors are used to determine whether sensor input is implausible. For example, OBD-II mandates a "comprehensive" monitor whose job is to perform such checks; it is one of the basic monitors which must be set in order to pass an emissions test. It continually looks for implausible sensor activity (like a temperature sensor which suddenly changes from cold to hot or vice versa, instead of gradually changing) as well as implausible combinations of sensor activity, like a very high coolant temperature reading combined with a very low transmission fluid temperature reading.

      In short, Boeing demonstrated gross incompetence here — but it was related to improper use of sensors, not the very idea of helping to fly the aircraft. Even auto manufacturers are more responsible.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    17. Re:I guess the incredibly obvious question is... by gweihir · · Score: 1

      Naa, that is the old thinking. The new thinking is that it must be as cheap as possible, profits must be maximized and if it goes wrong, blame the young and inexperienced engineers that did not have the guts to give management a clear "no". Also, do not tell the pilots about the crap engineering you put in there, they may refuse to fly that thing otherwise.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    18. Re:I guess the incredibly obvious question is... by Anonymous Coward · · Score: 2, Interesting

      This is what happens when you stop expecting your companies to compete on the free market and instead protect them with a combination of defacto and real terms state aid, such as trying to destroy competition such as Bombardier with illegal trade acts.

      As soon as you let your companies stop competing and instead give them a position of immunity, determine them too big to fail, and no longer deemed in need of competing on the free market, then they'll get lazy, they'll get incompetent, and shit like this will happen.

      Boeing desperately needs to face real competition, and stop being protected by a protection racket artificially created by US government protectionism, and that extends to military contracts too; it can't keep just getting given them on a plate even when it's the worst option.

      It's sad that people have to lose their lives for the growing complacency of companies like Boeing to be unveiled and tackled. Even now it's refusing to admit any real fault, claiming the aircraft is still safe when it's very clearly not.

    19. Re:I guess the incredibly obvious question is... by lgw · · Score: 1

      The sensor in question (in the story, not the pitot) is an angle-of-attack sensor and has only to do with the orientation of the wings to the wind flowing over them (or not, in a stall).

      Pitot tubes are commonly used as angle-of-attack sensors. They measure air pressure very finely, and that pressure changes with angle of attack.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    20. Re:I guess the incredibly obvious question is... by BostonPilot · · Score: 2

      I think you're mixing up fly-by-wire with the previous technology. Fly by wire is what we have: the pilot tells the computer what they want to happen (through the controls) and the computer tells the control surfaces what to do. I have to say that I don't like the idea of a FBW system without a manual reversion mode. Software is just too difficult to get right. The manufacturers are worrying about a bunch of stuff, safety is one of them, but economics is what sells airplanes so there are tradeoffs Airbus and Boeing make that you and I might not agree with.

      BTW, split flaps: https://www.law.cornell.edu/cf...

      As for training for the impossible... it comes down to pragmatism. Yes, the "impossible" can happen, but do you really want to spend time training people for the impossible? If the goal is to reduce the overall accident rate you're much better off spending additional training effort on things that are more likely to happen than the "impossible" ones like United 232... I heard a talk by Al Haynes about that accident and it was very impressive that they got the airplane (mostly) on the ground... but it probably doesn't make sense to train people for that kind of thing - better to improve the mechanical systems to make it even more impossible.

      Bell had a terrible crash in 2016 testing their FBW 525 helicopter - they lost the crew. It reinforced my fears about software flying the aircraft (and now, automobiles). It's a tricky thing to get right. Arguably Boeing and Airbus (and Embraer and Bombardier) are probably some of the top organizations in the world for writing reliable code, but obviously even they have a hard time getting it right 100% of the time...

    21. Re:I guess the incredibly obvious question is... by dunkelfalke · · Score: 2

      Only a tiny general aviation aircraft can be flown that way. And even then it can only be flown that way at low altitude and full visibility because the vestibular system doesn't work correctly during flight. An airliner must be flown using instruments.

      https://en.m.wikipedia.org/wik...

      And don't delude yourselves that you are special and would be able to feel your position correctly.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    22. Re:I guess the incredibly obvious question is... by exolon42 · · Score: 1

      No the angle of attack sensor is an actual vane that turns around based on the airflow. There are several of them but this system is only connected to one of them. All the other important systems are connected to multiple redundant sensors and inputs, so it's strange this was designed with only one - seems to go against all principles of eliminating single point of failures...

    23. Re:I guess the incredibly obvious question is... by dgatwood · · Score: 1

      Was there a parked fire truck nearby?

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    24. Re:I guess the incredibly obvious question is... by dunkelfalke · · Score: 1

      Without fly by wire this happens:
      https://en.m.wikipedia.org/wik...

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    25. Re:I guess the incredibly obvious question is... by uncqual · · Score: 5, Interesting

      My lay person's understanding...

      In order to increase fuel efficiency on the 737 MAX, the engine fan diameter was increased. These "underwing" engines would have been too close to the ground if mounted as on other 737 models. Thus, the engineers moved the engines forward and upward to achieve necessary ground clearance. This, along with some other changes, moved the force of thrust forward which made the plane more prone to lift its nose too high and stall. To guard against this, Boeing introduced the Maneuvering Characteristics Augmentation System (MCAS) which activates automatically when the autopilot is off in some conditions which include when the angle of attack (AOA) is too high. The MCAS system, when needed, attempts to prevent a stall by adjusting the horizontal stabilizer trim upward and will do this over, I believe, about 10 seconds or until the pilot overrides it or the angle of attack is within limits. If the pilot activates the trim control switch on the yoke, MCAS will be disabled -- but, five seconds after the switch is released, MCAS will reengage if the conditions call for it (esp. AOA). When MCAS is altering the trim, the manual trim controls on each side of the center "console" will be spinning away and, if a pilot looks down, they will see that motion as there is a white stripe extending outward from the center in order to make the movement obvious.

      The best speculation I've heard about the Lion Air crash was that there was a problem with one of the AOA sensors. There are two such sensors - one on each side of the 737 Max.

      As in most crashes, due to the redundancy of systems and procedures, it's rarely one thing that causes a crash but rather a cascade of events.

      There had been problems with at least one of the AOAs on previous flights but maintenance attempts appear not to have solved the problem. So, first there was a failure of maintenance, but of course AOA sensors will fail from time to time, so one can't blame the crash on that failure.

      I've not heard how MCAS handled conflicting AOA sensor readings but I suspect this is one of the big areas of change that they will push in the April "patch". But, it's likely that the failing AOA caused the MCAS to activate when it shouldn't have and push the nose down by adjusting the trim - but this actually pushed the plane's nose down too far. When the pilots tried to correct, they ended up disabling MCAS (although perhaps not explicitly aware that they were doing so) only to have it start undoing what they had accomplished five seconds after they released the trim control on the yoke - and this was a vicious loop.

      Had the pilot recognized what was happening, they simply would have run the "runaway trim" procedure (which would have disabled MCAS and some other automatic trim controls completely via a switch on the center "console") and flown the plane manually with no problems. Unfortunately, the pilots likely didn't figure out what was causing the problem and failed to execute the necessary procedure. So, that was a pilot error (and, that's probably what will be determined to be the main problem here, with contributing factors).

      There is much debate on why the Lion Air pilots may have failed to recognize what was going on. Many pilots and their union claim that they were not told about the existence of MCAS. Boeing hasn't been talking a lot, but they seem to assert that there was no need to train the pilots on MCAS beyond what the manuals/training did as it was a classic "runaway trim" scenario and the training was sufficient to cause the pilots to detect that case and initiate the proper procedure. Boeing did, however, issue documentation updates to operators worldwide soon after the Lion Air crash.

      After Boeing issued the documentation updates, every 737 MAX pilot should have been fully aware of MCAS and what to do if it was doing the wrong thing. This, coupled with the witness reports that the Ethiopian Airline 737 MAX that crashed was spewing smoke and fire from the back of the plane a

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
    26. Re: I guess the incredibly obvious question is... by DigressivePoser · · Score: 2

      While the pilot shouts "The override. Where's the override!", the co-pilot laughs at the unintentional Star Trek II reference.

    27. Re:I guess the incredibly obvious question is... by uncqual · · Score: 2

      There are two AOA sensors on the 737 MAX - one on each side. The erroneous one may give a rational, yet wrong, signal. However, I suspect that the Boeing "patch" will add cross checking and perhaps more explicit alerts to the pilots when something seems "off".

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
    28. Re:I guess the incredibly obvious question is... by DigressivePoser · · Score: 1

      Aren't flight control systems supposed to be triple-redundant anyway? Everything I've read about them says they are; three systems and if there is incorrect data it uses the two that agree.

      Was wondering this myself. I can't believe the FAA let this one slip through. There must have been some other type of fail-safe mechanism Boeing used to convince the FAA that this system was safe. I'd like to know what that mechanism was.

    29. Re:I guess the incredibly obvious question is... by 140Mandak262Jamuna · · Score: 2, Informative

      It raises the question, does not beg the question.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    30. Re:I guess the incredibly obvious question is... by dgatwood · · Score: 2

      The best speculation I've heard about the Lion Air crash was that there was a problem with one of the AOA sensors. There are two such sensors - one on each side of the 737 Max.

      One problem is that, if I understand correctly, not all of the 737 aircraft have even so much as an indicator light when the two AOA sensors disagree. At least one airliner (Southwest) insisted on an explicit AOA indicator so you can see both AOA sensors' data and see how much they disagree. But if you don't have that and don't have the indicator light, all you know is that the aircraft keeps trimming the nose down every few seconds. One might still arguably call it pilot error to not recognize the symptoms, but it starts to really blur the lines at that point.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    31. Re:I guess the incredibly obvious question is... by tinkerton · · Score: 1

      Boeing added MCAS mechanism to helpfully (Clippy) push the nose down when a sensor detected risk of stalling. The mechanism was using single sensor (per side), was not obvious to disable and kept interacting with the pilot. And marketing claimed costly retraining wasn't needed? Sounds like a major fuckup.
      This article from last year suggests the pilots were already pretty pissed off about the last incident: https://christinenegroni.com/7...

    32. Re:I guess the incredibly obvious question is... by Strider- · · Score: 2

      So, that was a pilot error (and, that's probably what will be determined to be the main problem here, with contributing factors).

      As someone who's a technical trainer (in a different transportation field, but still mission critical), this sounds to me like a design failure compounded by insufficient training, rather than pilot error. Training is incredibly important, but it also shouldn't be making up for poor design choices.

      --
      ...si hoc legere nimium eruditionis habes...
    33. Re:I guess the incredibly obvious question is... by Strider- · · Score: 1

      Well, airliners should be flown with instruments. But sometimes you can't, such as what happened with the Gimli Glider (a 767 that ran out of fuel at altitude). The only instruments they had left after the fuel ran out were the pneumatic airspeed indicators, and the barometric altimeter, both of which are purely mechanical devices. The pilot landed it safely, and the aircraft spent another 30 years in revenue service after being refueled (and minor repairs due to a collapsed nose wheel).

      --
      ...si hoc legere nimium eruditionis habes...
    34. Re:I guess the incredibly obvious question is... by drinkypoo · · Score: 1, Informative

      A car can not at this point ever be described as being able to understand whats going on. And it certainly can not exceed the ability of even the average asshole

      It's not better than a human overall at either, but it's better at detecting wheelslip and doing something about it, whether it's ABS, ESP, or EDL. Traction control is usually pretty crap, unless it's something modern like crawl control. Old ABS was also pretty crap, but still better than most drivers anyway.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    35. Re:I guess the incredibly obvious question is... by uncqual · · Score: 1

      Boeing's contention seems to be "this looked like runaway trim", detect that and follow the "runaway trim procedure". If that bears out, then I think it's primarily pilot error with, likely, significant contributing factors of design and/or training deficiencies.

      Obviously the design could have been "better" (else, why update the software - except for political reasons), but that doesn't mean it's necessarily a "failure".

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
    36. Re:I guess the incredibly obvious question is... by caseih · · Score: 3, Interesting

      The MCAS spins the same trim knobs that the pilot spins. So the pilot can trim the nose back and after MCAS spins it down. They might fight each other, but ultimately they are both adjusting (and potentially undoing) the same thing. I'm sure it's initially confusing to pilots for sure, especially because older planes would cancel the automatic trims when the stick was pulled on, but apparently this is not the case with MCAS. If it turns out the MCAS contributed to the Indonesian crash, then it was a matter of training. But Boeing screwed up the design.

    37. Re: I guess the incredibly obvious question is... by arglebargle_xiv · · Score: 1

      It's not that complicated, here's John Oliver explaining the process.

    38. Re:I guess the incredibly obvious question is... by nyet · · Score: 1

      I believe there are two, not one, that are inputs to MCAS

    39. Re:I guess the incredibly obvious question is... by sjames · · Score: 1

      Unfortunately, you need three to have real redundancy since otherwise the system can't decide which one is wrong.
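
Added example (not part of any comment in this thread, and not Boeing's or any avionics vendor's code): a sketch of the cross-checking discussed in comments 16 and 39 above, showing how one, two and three redundant channels behave when one sensor fails high, plus a rate-of-change plausibility monitor and its blind spot. The thresholds, sample readings and all names are constructed for illustration.

```python
"""Redundancy management sketch for 1, 2 and 3 sensor channels.

All limits and readings below are constructed for this example.
"""
from dataclasses import dataclass
from statistics import median
from typing import Optional, Sequence

DISAGREE_LIMIT = 5.0  # assumed: largest spread (degrees) between healthy channels
MAX_STEP = 10.0       # assumed: largest plausible change between two samples


@dataclass
class Decision:
    value: Optional[float]        # value passed downstream; None = function inhibited
    status: str                   # "ok", "isolated" or "disagree"
    faulty: Optional[int] = None  # index of the isolated channel, when identifiable


def vote(readings: Sequence[float]) -> Decision:
    """Select a value from 1, 2 or 3 redundant readings of the same quantity."""
    n = len(readings)
    if n == 1:
        # Simplex: nothing to compare against, so a wrong value is trusted.
        return Decision(readings[0], "ok")
    if n == 2:
        # Duplex: a fault is detectable, but not which channel has it,
        # so the only safe action is to inhibit the dependent function.
        a, b = readings
        if abs(a - b) > DISAGREE_LIMIT:
            return Decision(None, "disagree")
        return Decision((a + b) / 2, "ok")
    if n == 3:
        # Triplex: mid-value select. One outlier is outvoted and identified.
        mid = median(readings)
        outliers = [i for i, r in enumerate(readings)
                    if abs(r - mid) > DISAGREE_LIMIT]
        if not outliers:
            return Decision(mid, "ok")
        if len(outliers) == 1:
            return Decision(mid, "isolated", outliers[0])
        return Decision(None, "disagree")  # no two channels agree
    raise ValueError("expected 1, 2 or 3 readings")


def first_implausible(values: Sequence[float],
                      max_step: float = MAX_STEP) -> Optional[int]:
    """Rate-of-change monitor for one channel.

    Returns the index of the first sample that jumps by more than max_step,
    or None. A slow drift, or a steady but wrong value, passes this check.
    """
    for i in range(1, len(values)):
        if abs(values[i] - values[i - 1]) > max_step:
            return i
    return None


# Constructed trace: (channel 0, channel 1, channel 2), in degrees.
TRACE = [
    (2.0, 2.1, 1.9),
    (2.5, 2.4, 2.6),
    (3.0, 3.1, 2.9),
    (22.0, 3.2, 3.0),  # channel 0 fails high from here on
    (22.0, 3.0, 3.1),
]

# Constructed slow drift: every step is below MAX_STEP, so the monitor stays quiet.
DRIFT = [2.0, 6.0, 10.0, 14.0, 18.0, 22.0]


def run(trace, channels):
    """Vote on the chosen channel indices for every sample in the trace."""
    return [vote([sample[c] for c in channels]) for sample in trace]


if __name__ == "__main__":
    for label, chans in (("simplex", (0,)), ("duplex", (0, 1)),
                         ("triplex", (0, 1, 2))):
        print(label)
        for i, d in enumerate(run(TRACE, chans)):
            print(f"  t={i} value={d.value} status={d.status} faulty={d.faulty}")
    print("jump detected at sample:",
          first_implausible([s[0] for s in TRACE]))
    print("drift detected at sample:", first_implausible(DRIFT))
```

With one channel the failed reading is passed through unchanged; with two the fault is detected and the output inhibited; with three the failed channel is outvoted and named.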

    40. Re:I guess the incredibly obvious question is... by dunkelfalke · · Score: 1

      A direct mechanical linkage (mostly bowden cables) between the stick and the rudders runs over the whole length of the airplane and through several corners. It has to be maintained carefully lest it snaps. It is also not very precise and lengthens with use. This is not the only crash where a bowden cable snapped. I can recall several examples, like this one:

      https://en.m.wikipedia.org/wik...

      Decoupling the steering physically from the rudders also makes envelope protection possible.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    41. Re:I guess the incredibly obvious question is... by Hognoxious · · Score: 2

      I think that pulling the stick back disables it - but only temporarily. It waits till the pilots think the problem has gone away, then starts shoving the nose down again.

      Why anyone could think this is better is beyond me.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    42. Re:I guess the incredibly obvious question is... by Hognoxious · · Score: 1

      I am baffled as to why, if the problem had been identified, the planes weren't grounded until the software fix was implemented.

      On my keyboard, you press shift and 4 together.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    43. Re:I guess the incredibly obvious question is... by nosfucious · · Score: 1

      I'll throw in a side issue here. The changes made to the 737 were within a gnat's testicle of having to declare the 737 MAX a new model of plane. Using the old model number has helped. As such, they haven't had to do full testing to have it declared "flight ready" but rather use grandfathered flight approvals and just minor testing.

      The 737 MAX should have been a new model.

      As I said before, it would have new testing. Add to this new documentation, and new training for pilots. It simply would not have been possible to generate revenue as quickly if they had to go the full testing cycle.

      The FIRST and MAJOR failure is the failure to recognise the new requirements for testing for this model of plane. Then, the new documentation, testing and training.

      Secondary issues are then conditions "on the day" and in the cockpit.

      --
      Q:I was listening to a CD in Grip and it sounded horrible! What's up? A:Perhaps you are listening to country music
    44. Re:I guess the incredibly obvious question is... by sonamchauhan · · Score: 1

      A plane that can turn an expert pilot into an "idiot" is not one I wish to fly in.

    45. Re:I guess the incredibly obvious question is... by dunkelfalke · · Score: 1

      There had to be more backup instruments powered by the ram air turbine or the batteries than just two. At the very least a compass, an artificial horizon and a bank and turn indicator.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    46. Re:I guess the incredibly obvious question is... by sonamchauhan · · Score: 1

      Nice summary. My take: this jet is unsafe. To make a cheap new jet fly longer routes, Boeing made engineering compromises: they stuck on new engines that were too large, onto an existing design. They saved money by opting not to properly redesign the airframe. This introduced a mechanical bug. To mitigate it, they introduced a workaround in controls and software. They saved further money by not implementing and/or 'documenting' the workaround properly (skipping on sensor redundancy, indicators, training).

      Well, the workaround turned out buggy. It began fighting the pilot, trying to crash the plane. It succeeded twice. The Boeing CEO's response, in effect, 'read the manual'.

      The benefit - to Boeing: 4000+ orders for this plane.

      The cost - to us: 346 lives in 2 crashes in 5 months.

      Australia, China, Singapore have already banned this jet flying. The US has not. Boeing wants to 'improve' the jet in the cheapest way: in software. The same software that helped crash these planes. No airframe redesign. No sensor redundancy, indicators, training..

        #PassengerUnion

        #BoycottBoeingMAX

        #MadMAX

    47. Re:I guess the incredibly obvious question is... by Pikoro · · Score: 1

      There are actually 2 Angle of Attack sensors, one on the leading edge of each wing, that are averaged for a single input into the MCAS system. They now appear to be separating them into 2 inputs instead of averaging.

      Imagine, one sensor fails and is reporting an AoA of 80 degrees and the other is reporting a more normal AoA of 3 degrees. Averaged out, you're still getting WAY over the critical AoA. With 2 sensor inputs, they can then balance those against the other sensors on the aircraft to determine which sensor is faulty and stop using it as valid input.

      --
      "Freedom in the USA is not the ability to do what you want. It is the ability to stop others from doing what THEY want"
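
The trade-off argued over in comments 39 and 47 above (averaging two readings, cross-checking two, or voting among three), as an added Python example that is not part of any comment and is not Boeing's MCAS logic. The 80 and 3 degree readings come from comment 47; the critical angle, the disagreement threshold and all function names are assumptions made for illustration.

```python
"""Added illustration of sensor-redundancy strategies (hypothetical, not MCAS code)."""
from dataclasses import dataclass
from statistics import median
from typing import Optional, Sequence

# Assumed values for illustration only; not taken from any aircraft specification.
CRITICAL_AOA_DEG = 15.0   # hypothetical angle above which protection would act
MAX_DISAGREE_DEG = 5.0    # hypothetical allowed spread between healthy vanes


@dataclass
class Decision:
    aoa_deg: Optional[float]  # value handed to the control law; None = no valid data
    act: bool                 # True if automatic nose-down trim would be commanded
    fault: str                # "" when healthy, otherwise text for a crew alert


def _decide(aoa: Optional[float], fault: str = "") -> Decision:
    # With no trusted value the function fails passive: it never acts.
    return Decision(aoa, aoa is not None and aoa > CRITICAL_AOA_DEG, fault)


def averaged(readings: Sequence[float]) -> Decision:
    """Blend all vanes into one number: one bad vane drags the mean with it."""
    return _decide(sum(readings) / len(readings))


def dual_crosscheck(a: float, b: float) -> Decision:
    """Two vanes: a disagreement is detectable, but not which vane is wrong."""
    if abs(a - b) > MAX_DISAGREE_DEG:
        return _decide(None, f"AOA DISAGREE ({a:.1f} vs {b:.1f}); function inhibited")
    return _decide((a + b) / 2)


def triplex_vote(readings: Sequence[float]) -> Decision:
    """Three vanes: mid-value select outvotes one bad vane and names it."""
    if len(readings) != 3:
        raise ValueError("triplex voting needs exactly three readings")
    mid = median(readings)
    outliers = [i for i, r in enumerate(readings) if abs(r - mid) > MAX_DISAGREE_DEG]
    if len(outliers) > 1:
        return _decide(None, "no two vanes agree; function inhibited")
    fault = f"vane {outliers[0]} voted out" if outliers else ""
    return _decide(mid, fault)


def compare_strategies() -> dict:
    """Run the comment's scenario (one vane reads 80, the healthy value is near 3)."""
    return {
        "averaged": averaged([80.0, 3.0]),
        "dual_crosscheck": dual_crosscheck(80.0, 3.0),
        "triplex_vote": triplex_vote([80.0, 3.0, 3.4]),
        # Common-mode failure: two vanes wrong in the same way defeat the vote.
        "triplex_common_mode": triplex_vote([80.0, 80.0, 3.0]),
    }


if __name__ == "__main__":
    for name, decision in compare_strategies().items():
        print(f"{name:20s} {decision}")
```

The last case shows the limit of voting: two vanes that fail in the same way outvote the healthy one, which is why independence between the redundant channels matters as much as their number.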
    48. Re:I guess the incredibly obvious question is... by Shotgun · · Score: 1

      I'll just go ahead and ignore your shallow reading and gross misinterpretation of the text, except to say:
      -the people selling at the temple were perverting the teachings of the Torah. It was along the lines of what the Catholics were doing with indulgences.
      -and the part about getting into heaven was a reference to people's love of what they have interfering with what they should do.

      In no way is there any support of the government redistribution. In fact, that interferes with a person's need to overcome their selfishness. Statistics show that Democrats give less to charity than Republicans, which lines up with the idea that Democrats feel the government should take care of others.

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
    49. Re: I guess the incredibly obvious question is... by Bryansix · · Score: 1

      I guess he never heard of stamps.com

    50. Re:I guess the incredibly obvious question is... by Hognoxious · · Score: 1

      He doesn't understand what the "co" part of "copilot" means, that's for sure.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  2. editor fail by nyet · · Score: 1

    msmash: that alternative link has even less useful information than the truncated wsj article.

    1. Re:editor fail by nyet · · Score: 1, Informative

      Jesus you suck at being an editor, msmash

      https://boeing.mediaroom.com/n...

  3. Obvious by Anonymous Coward · · Score: 5, Funny

    if ( goingToCrash ) {
            dontCrash();
    }

    1. Re:Obvious by darkain · · Score: 2

      Error 404: variable "goingToCrash" not found. Application will now crash.

  4. The Tesla People by Anonymous Coward · · Score: 1

    It's funny how they point to aviation as nearly infallible when they talk about self-driving cars.

    1. Re:The Tesla People by Geoffrey.landis · · Score: 3, Insightful

      It's funny how they point to aviation as nearly infallible when they talk about self-driving cars.

      Well, it's a little less than one failure in four million flight hours, that's a pretty amazing safety record. If Tesla self-driving was one failure in four million driving hours, I'd call that very near infallible, compared to human drivers, anyway.

      But when they do fail, it's spectacular, and makes news.

      Source: http://planecrashinfo.com/caus...

      --
      http://www.geoffreylandis.com
    2. Re:The Tesla People by PvtVoid · · Score: 4, Interesting

      It's funny how they point to aviation as nearly infallible when they talk about self-driving cars.

      Self-driving cars don't have to be infallible. They just have to be safer than the average person, which is a really low bar.

    3. Re:The Tesla People by HornWumpus · · Score: 2

      Let us know when one gets there. All current claims are thoroughly debunked.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    4. Re:The Tesla People by ShanghaiBill · · Score: 1

      They just have to be safer than the average person, which is a really low bar.

      Actually, they don't even need to be average, since the worst drivers will likely be the early adopters.

    5. Re:The Tesla People by green1 · · Score: 1

      Statistically the worst drivers are young. Statistically this same group are the least likely to buy the newest tech that's only present on new, high-end, vehicles.

  5. ONE?? by Daerath · · Score: 1

    One errant sensor can bring down a plane? Yeah. That makes sense....

    1. Re:ONE?? by darkain · · Score: 1

      One bad network card took out almost all of CenturyLink nationwide, including 911 services in many states, for several days.

      So yeah, technology is fickle like that.

    2. Re:ONE?? by Bryansix · · Score: 1

      Oh, this reminds me of that one time the maintenance guy was helping an employee plug in their computer and plugged the switch into itself. Literally nothing worked until we removed the loop.

    3. Re:ONE?? by gweihir · · Score: 1

      If you ignore all principles of safety engineering, then it can. Otherwise it cannot. Seems that Boeing is doing on their planes what Intel does on its CPUs. If you optimize profits at any cost, things usually get hugely expensive at some time.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:ONE?? by gweihir · · Score: 1

      No spanning tree in that box? What cheap crap were you using?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:ONE?? by gweihir · · Score: 1

      Technology is fine. But redundancy costs money and an MBA moron telling an engineer to do it cheap or look for a new job can do untold damage.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:ONE?? by uncqual · · Score: 1

      A single engine failure can crash a twin engine plane -- if it happens at the wrong time and the pilot fails to initiate the documented corrective action. That's the case with a LOT of failures. After the Lion Air crash, every 737 MAX pilot knows how to detect and deal with that problem so there's no excuse for a repeat (if the Ethiopian Airline crash was a repeat - which I'm not confident of given the witness reports that the plane was on fire on the way down to the crash site).

      --
      Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
    7. Re:ONE?? by Obfuscant · · Score: 1

      A single engine failure can crash a twin engine plane -- if it happens at the wrong time and the pilot fails to initiate the documented corrective action.

      It would seem obvious that a twin would be safer than a single from an engine failure view.

      But that's also something that new pilots are taught: twins are less safe than singles. In a single engine aircraft where one engine dies, the pilot knows without a doubt he's got to find a safe landing place right now. In a twin, the pilot can hope his other engine will get him someplace safe, he can be distracted while trying to fix the problem with the dead engine, or he can simply goof up and shut down the working engine by mistake.

      There was an Airbus crash in England, IIRC, where the engine instruments or controls were cross wired on a two-engine airplane by mistake. One failed, and the pilot dutifully went through the emergency shutdown procedure for ... the working engine. And then there were none.

  6. Re:Redundant Systems? by Lothsahn · · Score: 2

    You think that's bad, how about the aircraft brought down by a burned out light bulb?

    https://en.wikipedia.org/wiki/...

    Flying is routine until it isn't. Planes are essentially balancing in the air. It doesn't take much to make one stop flying, and one momentary loss of attention at the wrong time or improper control input can end very badly. All of this x10 if the Pilots haven't been informed of or trained on the failure scenario they're encountering.

    --
    -=Lothsahn=-
  7. Re:Ground every last one of them by david.emery · · Score: 1

    Well, there's an obvious fix: Turn off the control system that handles the anti-stall provisions that are likely at fault. Talking to my neighbor (AA pilot who's been trained on 737 Max 8), that was his comment. "It's pretty obvious the pilots need to be trained to turn off the system when they see that behavior."

    But to an earlier comment: From the bit I know about commercial avionics safety, if there really is a single sensor that feeds into a control system, that does feel like a violation of safety design standards (for triple redundancy).

    I'm betting this is at least in part a 'supplier management' problem on the part of Boeing. That's what led to the Dreamliner battery fires. And the current CEO of Boeing was PM for the big Army FCS program (that I was part of, on the government side.) Boeing did a piss-poor job of supplier/subcontractor management there, and it seems that Dennis Muilenburg took that problem with him when he moved over to the lead for the Dreamliner.

  8. Next one will crash due to stall by jfdavis668 · · Score: 3, Interesting

    That would have been prevented by the current system.

    1. Re:Next one will crash due to stall by gweihir · · Score: 2

      Probably. The whole thing is a mess, these engines have no business being on that plane. Add an apparently completely incompetent belief that software can fix anything and you get a lot of dead people, all for profit optimization.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  9. Re:The problem is normal and alternate control law by HiThere · · Score: 1

    Unh... Dorsai reference? All my mental banks pull up for "alternate law" is the Chantry Guild. But I'd really like to understand why you think that relates.

    --

    I think we've pushed this "anyone can grow up to be president" thing too far.
  10. Arrogant engineering and being beta testers by Anonymous Coward · · Score: 1

    Given such a serious error, it feels like Boeing has taken the approach of completely overhauling the flight-control systems, rather than issuing a (relatively) quick change that'd (say) allow the pilot to switch off the system. But this 4.5 month delay has likely caused the deaths of another 157 people.

    I'm shocked that anyone at Boeing thought it'd be a good idea to only use either one sensor or the other (as opposed to a majority rule system with at least three sensors). It makes me wonder how such a critical design decision got past their (internal) peer review process. And now they will undoubtedly be rushing an "extensive change" (before another crash occurs), makes me even more wary of flying in Boeing 737 Max for at least a year or so until it has proven its reliability in the laboratory that is Mother-Nature.

    It also seems like Boeing is finally moving to a fly-by-wire system which overrides the pilot like what Airbus has had for decades. But rather than taking a safe, humble approach (such as assuming sensors will go wrong and over-packaging with redundant sensors; as well as putting fly-by-wire into a plane that would operate safely even if the fly-by-wire system is disabled), we have a plane that's apparently more prone to stalling without this immature fly-by-wire system which assumes sensor data is reliable. So we're stuck in an uncomfortable position whereby Boeing can't switch off the fly-by-wire completely (until the more extensive changes are properly tested and incrementally rolled out to airlines on an optional basis over time).

    There are undoubtedly Boeing fan-boys/girls who believe Boeing can do no wrong. Awesome, please be beta testers on my behalf.

    1. Re:Arrogant engineering and being beta testers by HornWumpus · · Score: 1

      The pilot has always been able to turn off the system. Using the same two switches that turned off the equivalent (but different) system in previous versions.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    2. Re:Arrogant engineering and being beta testers by JoeyRox · · Score: 2

      The pilot has always been able to turn off the system.

      Except up until recently 737MAX pilots didn't even know "the system" (MCAS) existed, which IMO is Boeing's biggest mistake in this matter.

    3. Re:Arrogant engineering and being beta testers by gweihir · · Score: 1

      I doubt very much that any senior, experienced engineer was in favor of this. It was very likely management that said "do it or look for a new job". Some will have looked for a new job instead, but some people cannot afford to.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Arrogant engineering and being beta testers by gweihir · · Score: 1

      Being able to turn it off and having actually been informed how to turn it off and what it does are two different things. Boeing tried to keep this system secret, probably because pilots would have refused to fly a plane that has such a critical system dependent on a single sensor.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    5. Re:Arrogant engineering and being beta testers by HornWumpus · · Score: 2

      They knew it existed but thought it had its old name. The same two switches turn both off.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    6. Re: Arrogant engineering and being beta testers by HornWumpus · · Score: 1

      What's the alternative? Any pilot with an ATP endorsement has spun a few trim wheels.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    7. Re:Arrogant engineering and being beta testers by Obfuscant · · Score: 1

      Except up until recently 737MAX pilots didn't even know "the system" (MCAS) existed,

      Every one of them knew that the electric trim system existed and how to disable it. It doesn't matter what you name it. If there are uncommanded trim changes that are creating a flight hazard, you pull the breaker(s) on the electric trim motors and then diagnose the problem while hand-flying the aircraft.

      Even private pilots learn this the first time they fly an airplane with autopilot (and thus an electric trim system). And that's why every airplane with an autopilot (which drives the electric trim) has a dozen ways of disabling the autopilot, starting with the "off" button on the autopilot itself and ending with the circuit breaker feeding power to the autopilot system.

      An ATP/commercial pilot who doesn't know how to disable electric trim isn't passing his checkrides and won't be piloting a commercial aircraft, especially when their ability to fly passengers depends on regular simulator evaluations with simulated emergencies.

  11. Re:Redundant Systems? by bobbied · · Score: 3, Informative

    million dollar aircraft brought down by a cheap sensor failure

    Well that's better than the aircraft accident I helped to investigate... The pilot died because of a power switch position he specifically set in order to turn off the system that prevented his aircraft from departing its "flying" envelope by applying back pressure to his control inputs. When he went to "break" during some ACM training looking over his shoulder at his opponent, he applied too much rudder input, the aircraft snap rolled as it stopped flying and started to tumble, his head was caught between the ejection seat and the canopy and he died of a broken neck before his aircraft hit the water.

    That guy died because he wanted the competitive edge and specifically tried to cheat by putting the aircraft in a forbidden configuration....

    I'd rather die from a sensor failure than by some stupid mistake I made to get an unfair advantage because I want to win some competition..

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  12. Re: I guess the incredibly obvious question is.. by Anonymous Coward · · Score: 2, Informative

    There is an option to disable the system. It's a new system and there was not a lot of training about it though.

  13. Re:Redundant Systems? by bobbied · · Score: 1

    Well... What really happened is they ran out of fuel and although it was noticed by some of the crew, nobody thought it was important enough to interrupt the captain in the left seat as he was trying to make sure the wheels were down. Somebody should have been assigned to call out fuel status and not shut up even if the captain was fixated on that stupid light bulb.

    It was one of the prompters for the Crew Resource Management movement, which makes subordinates more assertive while still maintaining the authority in the cockpit.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  14. Re:How about... by bobbied · · Score: 1

    They have the "bitching betty" who will say "terrain, pull up.... Terrain, Pull up.."

    But if the aircraft is fighting you on the "pull up" because the stall avoidance system is run amuck I can see how the mixed signals would be confusing.

    Also, it may not be obvious but "Lowest safe value" is constantly changing as you fly around and the way you measure altitude is subject to knowing the local barometric pressure with enough precision, data that the pilots generally provide.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  15. Additional sources by Anubis+IV · · Score: 4, Informative

    Since the alternative source link in the summary appears to link to an article about stock prices, here's some alternative alternative links that actually contain more relevant information:
    - Boeing press release
    - Gizmodo
    - Washington Post

    1. Re:Additional sources by nyet · · Score: 1

      The /. editors are trash. Betcha $100 they never fix the link in the summary. They're completely incompetent.

    2. Re:Additional sources by thegarbz · · Score: 1

      Since the alternative source link in the summary appears to link to an article about stock prices

      Could be worse. We could have an article about spaghetti.

  16. What about the yoke? by jordan314 · · Score: 1

    Are they going to enable pilots to disable the MCAS from nose diving the plane by pulling up on the yoke too?

    1. Re:What about the yoke? by Strider- · · Score: 2

      It does, but as soon as they let go, the MCAS kicks in again, because it's still active, so if the pilot doesn't catch what's going on, they wind up fighting the aircraft all the way into the ground.

      --
      ...si hoc legere nimium eruditionis habes...
  17. seems like the logic here is flawed. by goombah99 · · Score: 2

    Okay let's suppose that some or all of the stall sensors are malfunctioning. There's another sensor that the computer can look at and that's the altitude. If the ALTITUDE is rapidly falling of course the plane might think, see I was right about this stall! But there's one more thing. Namely if the pilots pulled the stick back and the altitude stops falling the plane should now have enough information to figure out that pushing the stick forward is not the right thing to do.

    So it seems like the plane should be able to figure out that its sensors can't be right even if it doesn't know what's exactly wrong.

    That is, its job is to override the pilots if it's convinced they are ignoring a serious problem or doing something to make it worse. But if they do take action and it improves the situation then the logic should be, trust the pilot. Not, continue assuming the pilot is doing the wrong thing.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:seems like the logic here is flawed. by BostonPilot · · Score: 5, Interesting

      No, you're trying to grossly oversimplify the problem, and it's causing you to say things that are silly.

      Having worked as a vendor to the avionics group at Boeing, and having had a student who wrote test code for the 777, I can tell you that the testing / verification process for their software is mind boggling. They've had decades to fine tune their processes for creating reliable computer software. Believe me, you sound idiotic second guessing them, and it doesn't sound like you're a pilot either...

      The one thing I will agree with you about is that the system should trust the crew. However, I must say that some of my airline captain buddies would strongly disagree with that. Just look at Air France Flight 447 as a perfect example of why trusting the crew can go wrong. However, I still lean towards this... if you don't trust the crew then it's like the old joke about the perfect crew:

      The ideal flight crew is a pilot and a dog.

      The pilot is there to feed the dog, and the dog is there to bite the pilot if he touches anything.

      Seriously, if the automation is so complicated and opaque that the crew can't tell what it's doing and why... that's a problem. The move towards more automation seems to be to make up for an inexperienced crew... I think more training / sim time is the right solution, not more automation. Still, both Airbus and Boeing seem to think more automation is the right way to go.

      I'll be interested to hear what they learn from the FDR...

    2. Re:seems like the logic here is flawed. by 140Mandak262Jamuna · · Score: 1

      Stall warning happens before the plane loses altitude. The idea is not to lose altitude.

      The angle of attack is NOT the orientation of the plane. It is the orientation of the plane measured relative to the air flow direction. Without knowing the airflow you can not estimate it. That is why there is a sensor outside (basically a weather vane with instrumentation to measure its orientation with respect to the plane's axis).

      Again why they rely on a single sensor, why they did not make this critical sensor redundant I don't know. There has been a case where a worker pressure washed the plane near the sensor and water got into the casing. No problem at sea level, but at altitude water froze and the sensor got stuck. So I would have assumed they would have made it redundant.

      I can think of a better system, but even if the idea is sound it would take years. Basically we can emit a very thin stream of microscopic water droplets and/or smoke from the fuselage. And have a small glass window and a camera watching the path of the droplets, and measure the flow direction. From there we can estimate the angle of attack.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    3. Re:seems like the logic here is flawed. by dgatwood · · Score: 2

      Okay let's suppose that some or all of the stall sensors are malfunctioning. There's another sensor that the computer can look at and that's the altitude. If the ALTITUDE is rapidly falling of course the plane might think, see I was right about this stall! But there's one more thing. Namely if the pilots pulled the stick back and the altitude stops falling the plane should now have enough information to figure out that pushing the stick forward is not the right thing to do.

      No, you're trying to grossly oversimplify the problem, and it's causing you to say things that are silly.

      Not sure what's silly about that. If the computer says you're beyond the maximum AOA, then pushing the nose up should always cause the aircraft to lose altitude. If a nose up action results in an altitude increase and the sensors still say that the aircraft is beyond the maximum AOA, then the sensors have to be wrong, period, unless I'm missing something about the physics.

      There is, of course, a region in which the avionics system would think you're *near* the maximum AOA and a nose-up maneuver would still increase your lift, albeit less than normal. So a nose-up maneuver causing increased altitude during a stall indication isn't *always* an indication that the data is crap, but it certainly could be, if the AOA sensor data is far enough off from reality.

      Also, I don't understand why the computers in these planes don't take advantage of all the other sensor data that is at their disposal. The 737 has both pitch/roll inclinometers, GPS, airspeed indicators, and altimeters. With that data, it should be possible to crudely estimate the AOA. The change in velocity relative to the ground is acceleration, which you subtract from the inclinometer data to get your actual angle relative to the earth. Your air speed relative to ground speed gives you some crude indication of how far off your AOA is likely to be (more wind = larger margin of error). And you can also detect an updraft or downdraft with the altimeter to further determine the amount of bias.

      If the combination of those pieces of data comes up with an AOA estimate that is radically different from the AOA sensors, then either your inclinometer is stuck, your airspeed indicator is malfunctioning, the GPS ground speed estimate is wrong, or the AOA sensors are lying. And clearly, the AOA data should take priority by default, because it is likely to be the most accurate. But if the numbers are way off for an extended period of time, or if they get farther and farther apart while the pilot is deliberately fighting against the plane's MCAS-derived trim adjustment, that's probably the point where the avionics system should throw up its hands, tell the pilot that it has no idea what is going on, and disable MCAS, or at least clearly alert the pilot that the stall indicator is unreliable and recommend that the pilot override the MCAS-derived trim.

      What am I missing?

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    4. Re:seems like the logic here is flawed. by K.+S.+Kyosuke · · Score: 3, Insightful

      I can tell you that the testing / verification process for their software is mind boggling. They've had decades to fine tune their processes for creating reliable computer software.

      Haven't we had ample evidence by now that it's all too easy to make computer software that very reliably and very accurately does exactly the wrong thing?

      --
      Ezekiel 23:20
    5. Re:seems like the logic here is flawed. by William+Baric · · Score: 1

      If the testing / verification process for their software is as mind-boggling as one student (!) told you and if, as you assume, they've had decades to fine-tune their processes for creating reliable computer software, how do you explain that Boeing had to fix their cockpit software?

    6. Re:seems like the logic here is flawed. by goombah99 · · Score: 1

      No, I'm not oversimplifying, or at least you have not shown how. If the plane is dropping the plane knows this. If every time the pilot pulls back on the stick and overrides the automatic dive the plane goes up, the plane knows that too. So the plane has the info it needs to make a better decision. Show me how I'm wrong.

      --
      Some drink at the fountain of knowledge. Others just gargle.
    7. Re:seems like the logic here is flawed. by twosat · · Score: 1

      The opposite happened on XL Airways Flight 888, an acceptance flight for an Air New Zealand Airbus A320 going back to ANZ after a lease to XL Airways Germany. The Airbus A320's computers noticed the conflicting readings from the sensors and put the pitch trim into manual mode. The pilots didn't notice the warning on a screen and were relying on the flight computers to prevent the plane from stalling. https://www.youtube.com/watch?...

    8. Re:seems like the logic here is flawed. by BostonPilot · · Score: 1

      I would say that the evidence is that software is incredibly difficult to get 100% right, so that it will do the correct thing under all circumstances. Companies like Boeing are incredibly good at the job, and yet even they get stuff wrong.

      What I'd like the average slashdot reader to understand is that it's bogus to think that there are simple answers to a lot of the issues. An incredible amount of thought goes into the process. I worked on avionics software and I can tell you that the average software engineer has no idea what goes into producing Level A safety critical software. Our parent company had a Level A autopilot, and it took an entire year to do a full release test of that software. The process was that involved.

      In the past I've been critical of Airbus and liked Boeing's philosophy better - the control yokes move, are interconnected, etc. Same thing with the auto-throttle... when the computer moves the throttle the physical handles move so the crew knows what the computer is up to. In this case, the suspect system trims the aircraft and you can see that the trim wheels are moving. Yet obviously it is confusing crews to the point that they lose control of the airplane.

      So yeah, I'll agree with you... it's incredibly easy to produce software that does the wrong thing, especially in the corner cases where the computers are getting garbage in. The NTSB database is full of the results.

    9. Re:seems like the logic here is flawed. by BostonPilot · · Score: 1

      I'm really curious to hear that myself. In the famous words of HAL 9000:

      Well, I don’t think there is any question about it. It can only be attributable to human error. This sort of thing has cropped up before, and it has always been due to human error.

      Which of course doesn't address your comment. So yeah, the fact that a design defect may have crept through the process raises lots of questions in my mind.

    10. Re:seems like the logic here is flawed. by thegarbz · · Score: 1

      However, I still lean towards this... if you don't trust the crew then it's like the old joke about the perfect crew

      That isn't a joke, it's a lesson learnt in the industry. There's a few industries which in the last 50 years have made leaps and strides in safety, airlines, cars, and the process industry are among the top three. Each of them share a common approach to the problem: The realisation that humans are fallible and there are situations where in the name of safety control should be taken away from a human and not returned.

      The problem is we're starting to exhaust low hanging fruit in terms of simplified absolute automation and the more complicated systems get the more chance those damn fallible humans screw up the system that is supposed to take away control from those other fallible humans.

    11. Re:seems like the logic here is flawed. by Hognoxious · · Score: 1

      You keep babbling on about how complex the implementation is. Nobody's disputing that.

      The point people are making is that it's a design problem. Not doing the thing wrong, but doing the wrong thing.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  18. Single sensor? by gweihir · · Score: 1

    For a system that can kill the aircraft? That sounds like criminal negligence to me. Somebody wanted to do things on the cheap obviously, ignoring all rules of the design of critical systems. In particular, you never, ever rely on a single sensor, and you make damn sure the operators (pilots) understand how things work. About 300 killed people later, Boeing seems to have remembered at least some of the basics.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  19. Solution without a problem? by Ogive17 · · Score: 1

    Admittedly I have not researched it but was stalling a big issue with these planes prior to implementing this anti-stall feature?

    Just seems like a solution in search of a problem which often does not end well.

    --
    "Action without philosophy is a lethal weapon; philosophy without action is worthless."
    1. Re:Solution without a problem? by Anonymous Coward · · Score: 1

      I'm no expert in the area, but from what I've read the replacement of the engines with more efficient ones (which are bigger and thus needed to be moved forward) made the plane more prone to stall. So they made this system to try to avoid it.

    2. Re:Solution without a problem? by Cassini2 · · Score: 1

      Stalling is a huge issue. In Air France Flight 447, pilots stalled a large Airbus, because they were used to the automated anti-stall system. With the system in place, if you pull back on the stick the plane goes up. The pitot tubes plugged briefly. The system went to a manual mode (alternate law) that the pilots were unfamiliar with. The pilots pulled up, put the plane into a stall, and crashed the plane. They did not understand why they were not gaining altitude.

      On average, it uses less fuel and is safer to fly in automatic (while the automatic systems work). As such, airlines push pilots to fly in automatic almost all the time. This results in pilots not flying in manual often enough. Automatic modes and long periods of routine flying mean that pilots lack the instincts to "take over and fly manually".

      The issue with planes flying in automatic too much creeps into the design of the planes and manual modes on those planes. As the manual modes are used 0.001% of the time, companies don't prioritize safe manual flight. For instance, the manual (alternate law) mode on the Airbus did some wonky things with the flight controls (they averaged the command inputs). This meant that the plane would only recover from a stall if both pilots simultaneously commanded a dive. Boeing tries to make things more pilot friendly, however the 737MAX plane design is such that it is difficult to fly without automatic stall warning systems.

      With
      a) stall being a major failure mode,
      b) pilots not getting enough practice at stall recovery while flying manually,
      c) aircraft operators and aircraft manufacturers not prioritizing manual flying, and
      d) the possibility of the anti-stall system failing,
      the end result is many crashes of many different planes involving stall and pilots' reactions to it.

    3. Re:Solution without a problem? by dunkelfalke · · Score: 1

      Well, while averaging the command inputs sounds ridiculous at first, there is no good solution for this.
      Dual input only made sense in classic aircraft with mechanical controls where it could happen in an emergency that one pilot alone wouldn't have enough strength to steer. In all other situations only one pilot must have control over the aircraft (except maybe when one of the pilots is suicidal). In a FBW aircraft no physical effort is involved so there is never need for dual input. For this reason any dual input is wrong and averaging it might mitigate a wrong input until the pilots resolve the control ownership. After hearing the "dual input" warning the pilot flying should have said something along the lines of "Dude, are you deaf? I said I have control, get your paws off the side stick!" and the situation would be resolved.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
  20. Re: I guess the incredibly obvious question is. by Anonymous Coward · · Score: 1

    It's not a button on the dashboard. It's a complex maneuver:

    https://www.nytimes.com/interactive/2018/11/16/world/asia/lion-air-crash-cockpit.html

  21. Re:The problem is normal and alternate control law by uncqual · · Score: 4, Informative

    A description of alternate law as it applies to aviation can be found here although this focuses on Airbus.

    --
    Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
  22. Bad management: "sensor failure", not redundant. by Futurepower(R) · · Score: 1
  23. Re:Redundant Systems? by BostonPilot · · Score: 1

    They didn't run out of gas, they disengaged altitude hold mode on the autopilot inadvertently and didn't notice the loss of altitude in time to do anything about it. Widely used to teach pilots that someone has to keep flying the airplane while the rest of the crew debugs the situation.

    Since you mention CRM you're probably thinking of a different accident, maybe Avianca Flight 52 (a Boeing 707) that was run out of gas... but that was mostly because the Captain didn't understand English and the co-pilot didn't keep the Captain informed enough about whether ATC understood their low fuel situation. (they had informed the previous controller about their fuel situation but after a frequency change the Captain was confused about whether the current controller knew about their fuel situation).

  24. Re: Back in my day,... by jrumney · · Score: 2

    Back in your day, plane crashes were a regular occurrence, even though there were far fewer aircraft flying.

  25. Re:The problem is normal and alternate control law by Dunbal · · Score: 1

    Because the transient and eternal are the same.

    --
    Seven puppies were harmed during the making of this post.
  26. The 2 crashes are even more related by hcs_$reboot · · Score: 2

    Something struck me regarding latitudes: the Air Lion crash was 6 degrees South (Djakarta), the Ethiopian crash was 9 degrees North (Addis Ababa) ; both flights were close to the Equator (symmetrically). Could have something to do with sensors reliability.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
    1. Re:The 2 crashes are even more related by Obfuscant · · Score: 1

      One crash was in the northern hemisphere, the other in the southern hemisphere. Everyone knows that Coriolis causes the AOA sensor to operate backwards in the south from the way it does in the north. I bet this was a problem with the GPS ignoring the negative sign on the latitude value. That's what it had to be.

  27. Re:Redundant Systems? by cmdahler · · Score: 1

    Well... What really happened is they ran out of fuel and although it was noticed by some of the crew, nobody thought it was important enough to interrupt the captain in the left seat as he was trying to make sure the wheels were down.

    You're thinking about United 173 that crashed outside Portland, OR. Different accident from the "lightbulb" Eastern Airlines flight.

  28. Re:Back in my day,... by uncqual · · Score: 1

    Yep -- and the fatality rate per passenger mile was much higher "back in the day".

    --
    Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
  29. Re:Ground every last one of them by uncqual · · Score: 1

    There are two AOA sensors. What the software does with their inputs is of course another matter. It seems like it would be nice to have three, but there are other things that there are only two of (like engines on most commercial airliners) and pilot input is needed to respond to a failure of one. Of course, the pilot needs to understand that there's been a failure.

    --
    Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.
  30. Re:The problem is normal and alternate control law by HiThere · · Score: 1

    Thank you. Someone please mod parent up as informative.

    --
    I think we've pushed this "anyone can grow up to be president" thing too far.
  31. Re:Ground every last one of them by david.emery · · Score: 1

    Your point about "know there's a failure" is relevant. But if the two sensors don't agree, then the '3rd factor' is the pilot. System reports "sensor failure" and the pilot turns off that anti-stall system. The rules as I understood them (I am not a safety engineer, but I've had some training in this area) are to use voting to detect the failure. For an engine, there are other ways to detect the failure than seeing if the engines are all turning at the same RPMs :-)
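
The two-versus-three sensor point raised in the comments above (two sensors can only flag a mismatch, a third lets an agreeing pair outvote the bad one), as an added example that is not part of the thread or of any aircraft's software. The tolerance, the function names and the sample readings are constructed for illustration.

```c
#include <math.h>
#include <stdbool.h>

/* Constructed tolerance for illustration; not a value from any aircraft. */
#define AOA_TOLERANCE_DEG 5.5

typedef enum { AOA_VALID, AOA_DISAGREE } aoa_status;

typedef struct {
    aoa_status status;
    double value_deg;  /* meaningful only when status == AOA_VALID */
    int suspect;       /* index of the outvoted sensor, -1 if none or unknown */
} aoa_result;

/* Two readings agree only if both are finite and within tolerance. */
static bool agree(double a, double b) {
    if (!isfinite(a) || !isfinite(b)) return false;
    double d = a - b;
    return (d < 0 ? -d : d) <= AOA_TOLERANCE_DEG;
}

static double median3(double a, double b, double c) {
    double lo = a < b ? a : b, hi = a < b ? b : a;
    return c < lo ? lo : (c > hi ? hi : c);
}

/* Two sensors: a mismatch can be detected but not attributed to either one. */
aoa_result aoa_dual(double left, double right) {
    if (agree(left, right))
        return (aoa_result){ AOA_VALID, (left + right) / 2.0, -1 };
    return (aoa_result){ AOA_DISAGREE, 0.0, -1 };
}

/* Three sensors: an agreeing pair outvotes a third that matches neither. */
aoa_result aoa_triplex(const double s[3]) {
    if (agree(s[0], s[1]) && agree(s[1], s[2]) && agree(s[0], s[2]))
        return (aoa_result){ AOA_VALID, median3(s[0], s[1], s[2]), -1 };
    for (int k = 0; k < 3; k++) {
        int i = (k + 1) % 3, j = (k + 2) % 3;
        if (agree(s[i], s[j]) && !agree(s[k], s[i]) && !agree(s[k], s[j]))
            return (aoa_result){ AOA_VALID, (s[i] + s[j]) / 2.0, k };
    }
    return (aoa_result){ AOA_DISAGREE, 0.0, -1 };  /* ambiguous: fail safe */
}

/* Automation acts only on a validated reading, never on a disputed one. */
bool stall_protection_may_act(aoa_result r, double stall_aoa_deg) {
    return r.status == AOA_VALID && r.value_deg >= stall_aoa_deg;
}
```

With readings of 4, 22 and 5 degrees the triplex voter keeps working and names sensor 1 as the suspect, while the dual monitor given 4 and 22 can only report a disagreement and hand the decision to the crew.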

  32. Re: The problem is normal and alternate control l by j33px0r · · Score: 1

    Uh...no. Have you seen the simulators? Are you aware of the cost? These are not rookie pilots but pros with typically 2 decades of experience under their belt. The simulators are essentially the real deal. This isn't Chuck Norris air combat.

  33. Remove the Big Red "Crash NOW!" button by MonsterMasher · · Score: 1

    After consideration they decided that the big red elbow-activated "Crash NOW!" button was too easily accidentally struck when pilot stretches, or scratching self.

    Re-thinking similar function button small button next to light button above each passenger seat, and in bathrooms.

    https://youtu.be/LwjP8HCpE4E.

  34. Re:So Boeing Knew The Problem... by hcs_$reboot · · Score: 1

    ... after the Lion Air crash, knew of the needed fix

    Boeing doing something while nobody is requesting a change is highly suspicious, and could be seen as an acknowledgement of responsibility.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  35. Re:So Boeing Knew The Problem... by nnull · · Score: 1

    It's especially highly suspicious when they start doing it before we even have a publicly available investigation report.

  36. Re: I guess the incredibly obvious question is.. by Hognoxious · · Score: 5, Funny

    There is an option to disable the system.

    It's a button in the aft toilet under a locked flap with "beware of the leopard" written on it.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  37. Blumenthal trashing Boeing for Airbus? by sabbede · · Score: 1

    If you've heard Sen. Blumenthal talking about how the Max 8 is "unsafe at any speed", needs to be grounded, and that Boeing and the FAA need to be raked over the coals, note that he's in the pocket of Boeing's only real competitor, Airbus.

  38. Boeing emulating Airbus... by Pyramid · · Score: 1

    This is why you NEVER override the pilot. Warn them, fight them, irritate them, but *never* override.

    --
    ~Any apparent grammatical or typographic errors are caused by defects in your display device.
  39. Boeing 737 M8 pilots complained to feds for months by schwit1 · · Score: 1

    https://www.dallasnews.com/bus...

    “The disclosures found by The News reference problems during Boeing 737 Max 8 flights with an autopilot system, and they all occurred while trying to gain altitude during takeoff — many mentioned the plane turning nose down suddenly. While records show these flights occurred during October and November, the information about which airlines the pilots were flying for is redacted from the database. Records show that a captain who flies the Max 8 complained in November that it was ‘unconscionable’ that the company and federal authorities allowed pilots to fly the planes without adequate training or fully disclosing information about how its systems were different from previous 737 models.”

  40. Re:Redundant Systems? by samwichse · · Score: 1

    My ground school instructor used that exact example and called it the "three idiot rule" that you couldn't have everybody trying to troubleshoot a problem at once.

    He likened it to 3 points of contact in free climbing. Of your four limbs, you can lift one from the surface at once.