Slashdot Mirror

← Back to Stories (view on slashdot.org)

Flawed Analysis, Failed Oversight: How Boeing, FAA Certified the Suspect 737 MAX Flight Control System (seattletimes.com)

Posted by msmash on from the closer-look dept.

In one of the most detailed descriptions yet of the relationship between Boeing and the Federal Aviation Administration during the 737 Max's certification process, the Seattle Times reports that the U.S. regulator delegated much of the safety assessment to Boeing and that the analysis the planemaker in turn delivered to the authorities had crucial flaws. 0x2A shares the report: Both Boeing and the FAA were informed of the specifics of this story and were asked for responses 11 days ago, before the second crash of a 737 MAX. [...] Several technical experts inside the FAA said October's Lion Air crash, where the MCAS (Maneuvering Characteristics Augmentation System) has been clearly implicated by investigators in Indonesia, is only the latest indicator that the agency's delegation of airplane certification has gone too far, and that it's inappropriate for Boeing employees to have so much authority over safety analyses of Boeing jets. "We need to make sure the FAA is much more engaged in failure assessments and the assumptions that go into them," said one FAA safety engineer. Going against a long Boeing tradition of giving the pilot complete control of the aircraft, the MAX's new MCAS automatic flight control system was designed to act in the background, without pilot input. It was needed because the MAX's much larger engines had to be placed farther forward on the wing, changing the airframe's aerodynamic lift. Designed to activate automatically only in the extreme flight situation of a high-speed stall, this extra kick downward of the nose would make the plane feel the same to a pilot as the older-model 737s.

Boeing engineers authorized to work on behalf of the FAA developed the System Safety Analysis for MCAS, a document which in turn was shared with foreign air-safety regulators in Europe, Canada and elsewhere in the world. The document, "developed to ensure the safe operation of the 737 MAX," concluded that the system complied with all applicable FAA regulations. Yet black box data retrieved after the Lion Air crash indicates that a single faulty sensor -- a vane on the outside of the fuselage that measures the plane's "angle of attack," the angle between the airflow and the wing -- triggered MCAS multiple times during the deadly flight, initiating a tug of war as the system repeatedly pushed the nose of the plane down and the pilots wrestled with the controls to pull it back up, before the final crash.

[...] On the Lion Air flight, when the MCAS pushed the jet's nose down, the captain pulled it back up, using thumb switches on the control column. Still operating under the false angle-of-attack reading, MCAS kicked in each time to swivel the horizontal tail and push the nose down again. The black box data released in the preliminary investigation report shows that after this cycle repeated 21 times, the plane's captain ceded control to the first officer. As MCAS pushed the nose down two or three times more, the first officer responded with only two short flicks of the thumb switches. At a limit of 2.5 degrees, two cycles of MCAS without correction would have been enough to reach the maximum nose-down effect. In the final seconds, the black box data shows the captain resumed control and pulled back up with high force. But it was too late. The plane dived into the sea at more than 500 miles per hour. [...] The former Boeing flight controls engineer who worked on the MAX's certification on behalf of the FAA said that whether a system on a jet can rely on one sensor input, or must have two, is driven by the failure classification in the system safety analysis. He said virtually all equipment on any commercial airplane, including the various sensors, is reliable enough to meet the "major failure" requirement, which is that the probability of a failure must be less than one in 100,000. Such systems are therefore typically allowed to rely on a single input sensor.

71 of 471 comments (clear)

  1. This is going to be one of the biggest lawsuits ev by Anonymous Coward · · Score: 4, Interesting

    This judgement is going to run into 10 digits.

  2. Questions for the system designers here by Anonymous Coward · · Score: 4, Insightful

    [quote]only two short flicks of the thumb switches[/quote]

    In the systems you design, typically how many times is the user expected to press the Stop Trying To Kill Us button before the system leaves off trying to do so?

    1. Re:Questions for the system designers here by alvinrod · · Score: 5, Funny

      Infinitely many, but then again I'm designing a robot system that's specifically designed to kill humans.

      Otherwise, I use two. I'd use one, but Amazon also has the patent for single-click Sop Trying to Kill Us buttons in addition to single-click purchasing.

    2. Re:Questions for the system designers here by Nidi62 · · Score: 4, Informative

      If they had turned off the faulty system, it would have stayed off and they would have been fine. They didn't tell the system to stop. They just counteracted its instructions.

      Especially with the Lion Air crash, it's kind of hard to turn off a faulty system when you aren't aware of it's existence. The crew on the final flight the night before got lucky: they had the same issue but went through a checklist that had the very fortunate but unintended side effect of disabling the system.

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    3. Re:Questions for the system designers here by michelcolman · · Score: 5, Informative

      They were flying by hand. The problem is that the MCAS system is designed to add extra control inputs to the pilot's inputs to make the airplane behave the same as older 737s. And at high angles of attack (or when it thinks the angle of attack is high) it pushes the nose down to prevent a deep stall which would otherwise be a serious risk on this variant of the 737 due to the placement of its engines.

      The part about single sensors being allowed if the chance of failure is less than 1 in 100000 is the biggest bullshit I've ever heard in my life as an airline pilot. If there are hundreds of parts that all have a 1 in 100000 chance of failure, that means failures will happen quite often, especially with thousands of planes flying around. And indeed failures do happen regularly, that's why airplanes normally have loads of redundancy. Airspeed, for example, is measured on most airplanes by three different pitot tubes that feed into three different air data computers that constantly compare their data. If one of them is different, it shuts down and throws a failure message.

      That's just one example of many. Airliners have two fuel pumps per tank, several isolated hydraulics systems, several electrical systems with equipment spread over many buses with fault monitoring on all of them, etcetera.

      If an engineer designs a plane so it overrides pilot inputs and pushes the nose down based on input from a single sensor, that engineer deserves to go to prison and be barred from practicing engineering for the rest of his life. In aviation, this kind of screw-up is simply unforgiveable.

      Boeing is currently testing the common sense fix which crosschecks the angle of attack with other data (airspeed, inertial reference system, attitude,...), which is what they should have done from the beginning.

      By the way, Airbus made a similar mistake not that many years ago, which was fixed with extra procedures and software updates. One would have expected Boeing to learn from Airbus' mistakes...

    4. Re:Questions for the system designers here by ceoyoyo · · Score: 2

      That's true, although the only way to turn off the system (which they didn't know existed) is to turn off the electric trim system entirely. Doing that would mean they would have to turn the trim wheels by hand. If you watch a video of it, the electrical system turns the wheels a lot, and quite fast.

      They should have turned it off, but if you have to keep trimming up and you're not sure why, you might hesitate to turn off the system that's letting you do so quickly.

    5. Re:Questions for the system designers here by thegarbz · · Score: 4, Informative

      A system designed to overcome aerodynamic flaws of larger engines is not a major failure scenario?

      Of course it is, but what is the safe action? Return control to the pilot when the system is designed to actively kick in to prevent the pilot stalling, or to maintain control in the face of being wrong (which is what happened here).

      what pilot would trim up 21 times before disconnecting auto pilot and flying by hand while figuring out what is going on. This is showing the pilot is way to reliant on computers rather than hand flying the plane

      You made a dangerous assumption and misplaced your blame. Autopilot was not enabled here. Engaging autopilot disables MCAS and disabling autopilot enables MCAS, which comes back to the pilot training component of the Lion Air investigation. The system as designed is too complex to disable under stress.

      Who's at fault here, Boeing or the country with lax pilot regulation?

      With your second point specifically identified early in the investigation, Boeing. They are the ones who provide the pilot training materials for their planes.

    6. Re:Questions for the system designers here by Anonymous Coward · · Score: 2

      this is like you are going up a hill and cruise control decides

      Not really. What it is actually "like" is you are trying to climb in an aircraft but the "cruise control" keeps trying to fly you into the ground. So you tap "Stop Trying to Kill Us" and it does for a few seconds, only to resume trying the exact same thing again. Repeat 22 more times until either your thumb or your brain's capacity for CRM is overhwhelmed and everyone dies.

    7. Re:Questions for the system designers here by fahrbot-bot · · Score: 4, Insightful

      If an engineer designs a plane so it overrides pilot inputs and pushes the nose down based on input from a single sensor, that engineer deserves to go to prison and be barred from practicing engineering for the rest of his life.

      I'd argue that the Boeing and FAA managers that approved such a system should get locked up while the engineer should be sent back to engineering school and learn how to say "no" if asked to design such a system again.

      --
      It must have been something you assimilated. . . .
    8. Re:Questions for the system designers here by fahrbot-bot · · Score: 2, Funny

      Infinitely many, but then again I'm designing a robot system that's specifically designed to kill humans.

      But, like Octillion Killbots, Boeing 737 MAX planes have a preset kill limit. The only way to defeat them is to throw wave after wave of passengers at them ...

      --
      It must have been something you assimilated. . . .
    9. Re:Questions for the system designers here by green1 · · Score: 5, Interesting


      <quote><p>A system designed to overcome aerodynamic flaws of larger engines is not a major failure scenario?</p></quote>
      <p>Of course it is, but what is the safe action? </quote>
      The safe action is the one that nobody is talking about. The previous version of the 737 had engines so big that they had to flatten the intake on the bottom so it would fit under the wing. That should have been a clue that the existing 737 design was already at its limit. By putting even larger engines on it, they had to mess up the aerodynamic stability of the aircraft such that they had to implement this software fix just to get through the approvals. It's pretty obvious that someone should have said: "look, the 737 is great, but it's at end of life. We need to make a new aircraft design now."

      Imagine if we were still flying the DC-3 with every new technological advance since it was designed kludged on to it even though it was never designed for them? At a certain point you need to realize that your design is at the end of its life and move on.

      But that costs money, and apparently hundreds of lives.

    10. Re:Questions for the system designers here by Xylantiel · · Score: 5, Interesting

      In some sense nobody really made the decision to use this design without redundant sensors. According to the article, the system was approved with a relatively small amount of authority - it could only move the tail by 0.6 degrees. That wasn't a bad enough issue to warrant redundancy. The problem is that the authority was then increased to 2.5 degrees, more than 4 times larger, and the safety impact was simply never re-evaluated due to the rush to get it on the market. Even documents given to other country's air safety bodies still listed the 0.6 degrees. The explosive thing about this, which is why the article predates the second crash, is that this puts the whole process in doubt. How many other numbers in the documents are just fiction? How many other safety evaluation chains have not been updated due to the rush to market? Does this amount to fraudulent behavior on the part of Boeing? My expectation is that the engineer who upped the authority from 0.6 to 2.5 did so with the intent, possibly even documented, that the safety would be re-evaluated before the jet went to market.

      It's also unclear why the authority was listed as 0.6 degrees when the system could repeatedly reset itself and do it again, effectively giving it infinite authority. That is more along the lines of your question, but I think it actually wasn't clear why the ability to reset was not included in the safety analysis. This really looks a lot like an updated safety analysis was planned, postponed, and then just never done until after the Lion Air crash.

    11. Re: Questions for the system designers here by Megol · · Score: 2

      The system for disabling the system is relatively complex especially in a scenario when both pilots use all their strength to keep the plane level. Also it's my understanding that pilots weren't trained in doing this or even informed about the existence of the system, could be wrong.

    12. Re:Questions for the system designers here by Anonymous Coward · · Score: 2, Informative

      If you actually RTFA, a runaway stabiliser does not behave the same way, it doesn't operate in sort of pulses, so it was just luck the previous crew tried that procedure even though it WASN'T a runaway stabilizer, and it didn't feel like one either.

  3. Now I am even more worried... by mrlinux11 · · Score: 4, Insightful

    The statement of using only one sensor is scary especially for something that automatically adjust the flight path, but even having two is scary. With 2 sensors how does the software know which is right when they disagree ? For true fault tolerance you need a minimum of 3 sensors

    1. Re:Now I am even more worried... by Anonymous Coward · · Score: 2, Interesting

      Yeah, but that costs extra, and making it an option allows Boeing to nickel-and-dime the airlines that want to look more professional.

      And we can't have these costly things being mandatory in a free market neo-liberal economy!

    2. Re:Now I am even more worried... by maroberts · · Score: 5, Interesting

      In general if you have 2 sensors that disagree significantly, you disable all functions that rely on those sensors and issue an alarm.

      You might be able to decide which sensor is correct from data from other systems, but that is another story

      --

      Donte Alistair Anderson Roberts - hi son!
      Karma: Chameleon

    3. Re:Now I am even more worried... by mattmarlowe · · Score: 3, Interesting

      Right, automation is good but when lives are on the line....one needs to take every precaution and think about failure cases. I saw a video elsewhere that said that there was an easy way to disable the sensor, but when the pilot only has a few seconds to respond and he is busy trying to keep the plane in the air... in either case, even if we agreed that 1 sensor is enough, 1 in 100K chance doesn't sound reliable enough to me.....I'd rather see 1 in a million minimum, 1 in a billion ideally.. You might need to 5 sensors where at least 3 of them must trigger fault to get super reliability. I'm not sure how expensive or tricky placing several of these sensors is.... In any case, non of us are pilots so its all speculation here.

      Politics and economics wise, the US Air Force was reported to have recently chastened Boeing for QA issues. China and Europe, which want to dominate high tech airplanes have a vested interest in taking down Boeing. But, it sounds like Boeing did this all to themselves....perhaps cutting corners to increase time to market and production speed.

      As for the FAA, I never have high expectations of any government agency to look out for public safety over vested national and economics interests. Letting companies get sued into bankruptcy with the CEO's unemployable when they massively screw up is a much more compelling and reliable way to ensure corners aren't cut.

    4. Re:Now I am even more worried... by Discgolferusa · · Score: 2

      Technically at 1 failure out of 100k makes this a seven 9's system. That's on pair with medical devices and aerospace systems. That's a very stable system in general. To put that into perspective, if you were running trying to run a system with a seven 9's uptime that ran 24/7/365 you would only have outage of about 36 mins over the course of a year. These are very stable and dependable systems.

    5. Re:Now I am even more worried... by ceoyoyo · · Score: 4, Informative

      With two sensors, if they disagree, you scream and don't do anything. The human then has to decide what's going on. That scenario is fine (even desirable) for a supplemental system like the MCAS. It's very, very unlikely that both of the sensors would get stuck in the same position, although you'd want to make sure that doesn't happen if some twit leaves a protective cover on them or something.

      A really critical system, that can't be shut off, should have triple redundancy.

    6. Re:Now I am even more worried... by drinkypoo · · Score: 2

      I saw a video elsewhere that said that there was an easy way to disable the sensor, but when the pilot only has a few seconds to respond and he is busy trying to keep the plane in the air...

      ...then it's a training issue. They didn't train for that failure enough. If airlines want to fly planes with new technology, they have a responsibility to make sure that pilots are trained on it. Fighting the plane while ignoring the warning that the plane thinks something wacky is going on is pilot error, but the fault likely lies with the airlines' training requirements being designed primarily for low cost rather than for adequacy.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    7. Re:Now I am even more worried... by Anonymous Coward · · Score: 2, Informative

      Technically at 1 failure out of 100k makes this a seven 9's system. That's on pair with medical devices and aerospace systems. That's a very stable system in general.

      To put that into perspective, if you were running trying to run a system with a seven 9's uptime that ran 24/7/365 you would only have outage of about 36 mins over the course of a year. These are very stable and dependable systems.

      99.99999% ("seven nines") is only 3.16 seconds per year, not not 36 mins. That is closer to 4 nines, which might be fine for Facebook, but not the plane that I'm getting on.

    8. Re:Now I am even more worried... by Shotgun · · Score: 3, Informative

      It doesnt' have to cost extra. There are already other sensors that would give signals corresponding to an approaching stall condition that the computer could use to correlate.

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
    9. Re:Now I am even more worried... by Shotgun · · Score: 4, Informative

      You can't disable a primary flight control system suddenly. That's what the problem is here. They get data from 2 sensors to determine AOA, one gets anomalous readings but the system doesn't know that. There's no way to know with 2.

      Except, with an airplane, there is. There is GPS data. There is historical telemetry (and by historical, I mean the past ten seconds). There is engine speed data, altitude data, and airspeed data. All of this is already collected.

      If the AoA is increasing, you'd expect the altitude to start increasing, the plane to start slowing, the engine RPM to decrease due to the increase load. All of these would correlate with GPS telemetry. Having the lives of 150 people hang on the reliability of a potentiometer attached to a weather vane is incredibly stupid.

      --
      Aah, change is good. -- Rafiki
      Yeah, but it ain't easy. -- Simba
    10. Re:Now I am even more worried... by l0n3s0m3phr34k · · Score: 2

      Really, Chernobyl was a "man caused" catastrophe. From it's very, er, "unique" design; purposely "disabling of automatic shutdown mechanisms", "peculiarity of the design of the control rods", a STILL UNKNOWN employee initiating an emergency shutdown...it wasn't an accident as in "oops how did that happen" but more of a "what the fuck are you thinking?!?" and completely avoidable.

  4. Collusion between Govt and Business by Anonymous Coward · · Score: 3, Insightful

    This smells like a collusion between Boeing and the US Government (FAA) in order to rush through certification to be anti-competitive to the Airbus product that was ready for this area.

    The resulting hundreds of dead is a testament to failed oversight and cost-cutting, lack of redundancy, and what appears to be basic lying to other air regulators.

    Almost certainly this will come back to bite Boeing badly - firstly the lawsuits from the families of the dead, second with sales on what many people would consider a flying death trap of a plane design. It will take a while for this taint to be forgotten, assuming that it is fixed, redundant systems are installed on all planes, and that they pass more robust certification processes around the world.

    1. Re:Collusion between Govt and Business by bobbied · · Score: 4, Interesting

      Well, you may be right that this smells... And you may be right in your assumption that Boeing rushed through the certification process and the FAA failed in its oversight capacity and Boeing will be left liable for a pile of money... However, the implication that there was some kind of behind the scenes collusion deal between the FAA and Boeing though is a pretty heavy lift as you have crossed over from civil liability into criminal activity where the burden of proof moves from preponderance of evidence to beyond a shadow of a doubt.

      But, the Civil liability problem here will be borne by Boeing's insurance companies and punitive damages will rack up some pretty big numbers for the victims as a result which will come out of Boeing's profits after being tied up in court for about a decade on appeal.

      The end result will be that the aircraft will be rendered fit for service pretty quick and sales of the 737 MAX will resume unabated perhaps with a new name, with some PR efforts by Boeing and the airlines that fly these aircraft for a reason (they are cheaper to operate). There is nothing systemically wrong with the aircraft mechanically or aerodynamically and this flight control issue will be resolved, albeit by adding multiple sensors, cross checking of existing and redundant sensor data along with some software fixes and pilot training.

      I'm no Boeing fan boy, but let's be reasonable here. Yes, this will hurt Boeing in the short term and the awards will initially be sizeable, with the punitive part getting appealed and appealed for at least a decade before they get paid. This will largely be paid by their insurance carrier and their premiums will be assured to rise. However, these awards pale in comparison to the cost of an aircraft development program and Boeing won't struggle to pay them when they come due. The aircraft system will be reevaluated and redesigned as necessary to account for lessons learned. Any folks who should have known better in the decision tree for fielding and certifying the 737 MAX will be rooted out, processes to make sure this kind of thing doesn't slip by again will be introduced and we will return to normal.

      Where this mistake is bad, let's put it in prospective for the nations air safety. We've come a LONG way from the 60's when the accident rates where huge compared to now or even the 90's on air safety, when DC-10's where crashing right and left from Cargo doors blowing open and uncontained turbine failures. It's been a LONG time since the last major management mistake in air safety. A very long time. Humans make mistakes and flying is a risky business that quickly turns mistakes into tragedy, we won't avoid human error in the future, all we can do is try and catch it before it kills anybody.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  5. Regulatory capture at its worst by JoeyRox · · Score: 4, Informative

    Forget the revolving door between the aerospace industry and the FAA - Boeing took out the middleman by convincing the government to let it self-regulate, even on matters of extreme importance like the airworthiness certification of aircraft. It's a win-win: Boeing wins because they reduce R&D and materials costs in getting subpar designs certified that otherwise would be rejected. Politicians win because they get their healthy campaign donations. The only people who lose are the ones who screamed for their lives as their plane plummeted to the earth.

    1. Re:Regulatory capture at its worst by fermion · · Score: 2
      Another data point. The pentagon is being run by a Boeing yes man who recently put in a billion dollar order for 1972 jet fighters.

      This is what happens when oversight is thrown away and the lobbyist run the government.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
  6. wrestling with automatic systems by roc97007 · · Score: 2

    > Yet black box data retrieved after the Lion Air crash indicates that a single faulty sensor -- a vane on the outside of the fuselage that measures the plane's "angle of attack," the angle between the airflow and the wing -- triggered MCAS multiple times during the deadly flight, initiating a tug of war as the system repeatedly pushed the nose of the plane down and the pilots wrestled with the controls to pull it back up, before the final crash.

    Jesus, what a nightmare. And, I'm sure, no way of turning off the MCAS even though it was clearly malfunctioning. That has to be the worst last moments for a pilot, ever.

    I read in a different article that the reason for the airframe design has its roots in the way airports were designed decades ago. Before they had those mobile tunnels that connected between the terminal and the plane, passengers had to walk out to the plane and ascend on a portable stairway. To make boarding easier, the original 737 was designed to be lower to the ground, so there wouldn't be as many steps to board. That part of the 737 design was never changed, and it made the airframe changes for the Max very awkward to implement. Hence the necessity for something like the MCAS, and hence the current mess.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:wrestling with automatic systems by darkmeridian · · Score: 4, Informative

      There's an auto-trim cut-out switch that shuts off MCAS. The pilots on the Lion Air flight kept on manually adjusting the trim (correctly diagnosing the problem as an auto-trim issue) but didn't cut off the auto-trim system. The penultimate flight crew on the same Lion Air jet also experienced the same problem, but disabled auto-trim and landed.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
    2. Re:wrestling with automatic systems by ceoyoyo · · Score: 2

      I don't think the reason for the 737's ground clearance is really passenger boarding (although that might have been nice). A major feature of the 737 is that it's low to the ground so you can more easily load and unload cargo, including baggage. Passengers hike up stairs no problem... their bags and other cargo doesn't.

      Boeing has done a lot to keep that feature into the present day, including special engines with the bottom of the fairing flattened on the upgraded classic and NG 737s.

    3. Re:wrestling with automatic systems by nitehawk214 · · Score: 2

      The 737 predates modern turbofan engines. The old turbojets were narrower and longer, which fit under the 737's wings.

      https://airwaysmag.com/wp-cont...

      https://www.preferente.com/wp-...

      They don't even look like the same aircraft, which is how Boeing can slip continuous changes to the 737 line in.

      --
      I'm a good cook. I'm a fantastic eater. - Steven Brust
    4. Re:wrestling with automatic systems by turbidostato · · Score: 4, Insightful

      "but I think knowing the root of the design decisions points up another failing -- the company's tendency (or perhaps industry's tendency) to reuse old airframes for new designs."

      Only this has nothing to do with current situation. Of course incremental development is inherently cheaper and safer and of course too, when time comes a new development is due, which Boing perfectly knows.

      This was just because of time and time only: they wanted to fight in the current wave of companies' renovation against Airbus, which, because of timing too, was on the market with a more modern system (it will probably be the other way around in, say, five years): they couldn't reach the market on time with a new airframe but they could do if they just scratched a bit more from the bottom of the old barrel.

      They tried, and it's just OK for them to do so.

      But then, all checks and balances were outplaced: instead of letting FAA do their job, more and more parts where self-assessed by Boing itself (what could possible go wrong? duh!): "Good" for Boing, which could reach their goal date, and "good" for the overwhelmed FAA which was strongly pressured to do more with less.

      As basically with any other accident, a lot of circumstances need to get aligned for the fatality but then, corporate greed and corporate greed alone put those planes much more near the tragedy line than they should.

      * An old airframe design already squeezed.
      * Pressure for passing approval at speed.
      * Pressure for more and more processes to be pushed to Boing's side so they can reach their dates
      * Business interest to offer the new MAX to be just like the old NG so there would be no re-training for pilots (not only cheaper, but also sooner and, you know, time is money)
      * Moving posts for the approval process (0.6 to 2.5 degrees)

      * ...and to top it all, the quite minor mistake among all this rush and changes, of forgetting that the final MCAS implementation would end up having full authority instead of just either 0.6 or even 2.5 degrees which in "standard" circumstances wouldn't fly past the first or maybe second reviewer.

      So you ended up with a system categorized as non-critical (which it wast, by first draft), with (indirectly) full authority, and that was not even mentioned at least in the first batch of training manuals (because we made the new MAX to feel-fly exactly like the older NG for your convenience).

      A magnificent example of the effects of modern capitalism in action.

    5. Re:wrestling with automatic systems by Pyramid · · Score: 2

      In the United States, a runaway trim problem would have immediately grounded the aircraft. The 2nd (doomed) crew would have never taken off in that aircraft.

      Either the last crew failed to log it correctly or that country's failure laws are absolutely insane.

      --
      ~Any apparent grammatical or typographic errors are caused by defects in your display device.
  7. You what? by mrbester · · Score: 4, Interesting

    > "Going against a long Boeing tradition of giving the pilot complete control of the aircraft, the MAX's new MCAS automatic flight control system was designed to act in the background, without pilot input"

    Or notify them either, it seems. Or be disabled when it erroneously kicks in over 20 times causing unexpected dives. Fuck everything about this system. Even if they fix it I'm not flying on any aircraft that has this.

    > "this extra kick downward of the nose would make the plane feel the same to a pilot as the older-model 737s"

    And that's also ridiculous. Because of the change in the engine configuration it is an aircraft that handles differently. "Compensating" so the pilot doesn't know the difference causes confusion, something you don't need when in charge of a passenger jet. Do they make 747s feel like you're flying a TriStar? Of course not.

    --
    "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    1. Re:You what? by turbidostato · · Score: 2

      "And that's also ridiculous."

      No, it isn't.

      "Because of the change in the engine configuration it is an aircraft that handles differently."

      No, it doesn't. That's exactly the point of MCAS.

      ""Compensating" so the pilot doesn't know the difference causes confusion"

      No, it doesn't. The pilots were not confused about the flight envelope of their planes in the slightest.

      "Do they make 747s feel like you're flying a TriStar?"

      Was the intention when designing a TriStar that it should behave like a 747? Of course not.

      You, of course, understand that these accidents have absolutely nothing to do with pilots being confused on how the flight envelope of these planes look like but because they were not trained on a specific failing scenario that kept moving the plane's control surfaces against the pilot's will, right?

  8. Part of the problem ... by Anonymous Coward · · Score: 2, Insightful

    Going against a long Boeing tradition of giving the pilot complete control of the aircraft, the MAX's new MCAS automatic flight control system was designed to act in the background, without pilot input.

    Part of the problem is Boeing didn't want pilots to have to retrain and certify under a different type of aircraft.

    So they've jiggled things around to make it look like it's just like any other 737, but it now has different flight characteristics.

    So now Boeing has created a situation where they wanted this to appear seamless to the pilots, but that it apparently doesn't work and is anything but seamless to the pilots. They took something which wasn't fly by wire, and made it fly by wire.

    What we're seeing now is a case where the FAA let Boeing decide there was no material difference for pilots, when there actually was ... in which case their attempt to not have to force pilots to re-certify in type has now potentially led to two crashes.

    When the pilot is saying up, and the system is saying down ... bad things happen.

    And clearly, despite Boeing saying it would fly exactly the same, it doesn't.

  9. VERY defective safety analysis! by Futurepower(R) · · Score: 5, Informative

    The safety analysis:

    "1) Understated the power of the new flight control system, which was designed to swivel the horizontal tail to push the nose of the plane down to avert a stall. When the planes later entered service, MCAS was capable of moving the tail more than four times farther than was stated in the initial safety analysis document."

    "2) Failed to account for how the system could reset itself each time a pilot responded, thereby missing the potential impact of the system repeatedly pushing the airplane's nose downward."

    "3) ...

    I think this is the most important story on Slashdot in a long time.

    The article linked by Slashdot is the best, deepest story in a long time: Flawed analysis, failed oversight: How Boeing, FAA certified the suspect 737 MAX flight control system.

    1. Re:VERY defective safety analysis! by thegarbz · · Score: 3, Interesting

      What we see here is reflected somewhat in most major incident investigations through industry involving instrumented systems, the reliability of the equipment is not in question. Throughout the process industry some 80% of safety system failures were systematic. Poor design, poor maintenance, poor interaction, incorrect operation, etc. One in 100000 units failing is not what ultimately caused these planes to crash, it was a bunch of engineers who didn't think about how the system works in operation.

  10. Did the FDA take over the FAA? by cj9er · · Score: 2

    Just like how the FDA relies on the drug companies to run all the tests, submit supporting docs, etc.

    1. Re:Did the FDA take over the FAA? by ceoyoyo · · Score: 2

      That's not *quite* true. The actual human testing is usually planned by independent academics, performed by independent groups (often a whole bunch of hospitals around the world) and often coordinated by an independent contract research organization. The analysis of that data may be done by the company, or might be done by another independent company. Either way, there's a good paper trail, and a whole bunch of people involved who are not paid by the company.

      It's done that way because abuses have happened in the past, of course.

  11. Stick pusher... by b0s0z0ku · · Score: 3, Insightful

    Why not just use a stick pusher, like any other non-FBW aircraft with stall issues? Design it so it can be overridden with appropriate back force on the control wheels. Using trim for this is stupid, since with full down trim, you might not have enough elevator authority to recover quickly from a dive (i.e. even if the system is turned off, trim may have to be cranked back manually before the plane can recover).

    This looks like criminal stupidity on the part of Boeing engineers.

  12. Auto pilot was off. by Anonymous Coward · · Score: 2

    Dude, auto pilot was off. All auto systems that were in the manual were off.

    1. Re: Auto pilot was off. by bobbied · · Score: 5, Informative

      Auto pilot has nothing to do with this.

      Except in the 737 MAX it kind of does. The mode of the adjustments used by the autopilot and the stall avoidance system is by adjusting the aircraft trim by turning the rear horizontal stabilizer trim jack screw. Also, I'm told that the same sensors used by the autopilot, or at least some of them, are used by the stall avoidance system.

      However, turning off the autopilot doesn't disengage the stall avoidance system. It keeps doing it's thing regardless.

      The problem here is that the aircraft is pretty much flyable even with the system malfunctioning, IF you understand what's happening and how to counter it. IF you don't understand what's happening though, the aircraft becomes unstable and your natural tendency is likely to do the wrong thing.

      There are a number of non-intuitive things about flying that pilots must be trained to do. Stall/spin recovery is one of these things. When the nose of the aircraft fall though the horizon when you are tying to pull it up, the tendency is to pull harder, but when you are stalled, the right thing to do is push the nose down, stay coordinated and add power if you can. If you go with your natural tendency, and keep pulling, you are going to spin it eventually, which is MUCH worse. So, pilots practice this... A LOT... Fly into a stall, or nearly a stall, recognize how the aircraft feels as the AOA approaches the limit and then when it actually stalls, immediately do the right recovery... How do I know? It was one part of my check ride that I nearly failed when I went for my license. The Examiner said I spun on departure stalls (i.e. didn't stay in coordinated flight on stall so it broke one side first) but let me pass when he tried it twice and spun himself because the C150 was so badly rigged. Made me do 5 hours of departure stall and spin recovery training as a condition of granting my license.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re: Auto pilot was off. by Pinky's+Brain · · Score: 5, Interesting

      The pilots thought it was relevant, they thought that without auto-pilot on there were no automatic systems overriding their controls.

      Should they have treated it like any other trim failure, sure. Does the system betraying expectations increase the chance of cognitive dissonance and them failing to do so, of course.

  13. What about the ASI? by NewtonsLaw · · Score: 3, Interesting

    Attitude is only one element of the aircraft's operation -- what about airspeed?

    Surely if there was a large disparity between the aircraft's airspeed and its attitude (ie: it is accelerating beyond 500mph while the attitude sensor says it's in a steep climb) then the safety system ought to have recognized that there was a fault condition and triggered an alarm which would allow pilots to disable it with the simple flick of a switch.

    Sadly, it seems that this system was never designed to be disabled -- because it was part of the FBW system used to modify the apparent flight characteristics of the new Max8 model so that it would fly like an earlier 737. This was done (so I understand) solely to make the plane more attractive to airlines that didn't want the extra expense of having to get their pilots "rated" for a new aircraft type.

    When it comes to the mighty dollar versus safety -- you *know* which one wins :-(

    Meanwhile, some people are still saying "it's only a matter of time before a drone brings down an airliner". I wish they'd shut up and focus on the *real* risks that are *actually* claiming hundreds of lives in the aviation industry.

  14. Re:Disabling the system is okay. I designed one by Anonymous Coward · · Score: 4, Insightful

    > This system is designed to detect when the pilot has seriously screwed up, pointing the nose way too high.

    Not even close! The plane NATURALLY wants to stand on it's tail at high power output. That's what moving the engines CAUSED. To compound the matter, the engine nacelle shape itself at certain AoA adds to the lift which can exacerbate the problem till it's no longer recoverable. Put your RC plane near vertical and watch what happens... (Well, RC planes generally have massive imbalance of thrust to weight ratio unlike real planes so doubtful you can actually demonstrate the problem)

  15. I don't know if I'd call it self regulation by rsilvergun · · Score: 4, Insightful

    "regulation" implies a neutral third party. The Credit Card Industry has PCI. Video Games have ESRB. Movies the MPA. None of those things are as immediately lethal as a busted airplane though.

    But I wouldn't call it "regulatory capture" either, since Boeing were left to their own devices. They didn't have anything to capture.

    No, what we have here is plain, good 'ole deregulation. These days regulation > deregulation is automatic in most people's minds. Between this, Flint Mi, and the 2008 crash I hope folks are starting to change their minds in that regard.

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
    1. Re:I don't know if I'd call it self regulation by Solandri · · Score: 2, Insightful

      That's a rather convenient argument. When regulation succeeds, you laud it. When regulation fails, you blame it on deregulation. Therefore regulation can never fail and is thus always good. Brilliant. Successful regulation requires proper implementation of regulations. Failure to implement those regulations properly is a regulatory failure, not a failure due to deregulation.

      It should be noted that lots of other regulationors offload the work (and thus the cost) of implementing those regulations onto the companies being regulated. The EPA doesn't test the mileage of every car model that's made to come up with the official EPA mileage ratings. The leave it up to the car companies to do that themselves. The EPA only double-checks the mileage of a few random car model to keep the car companies honest. You may recall the scandal a few years back when Kia and Hyundai were caught cheating on these MPG ratings.

      Likewise, Americans calculate their own tax returns. The IRS only does some basic cross-checking of your return (the W-2 from your employer), and does a few random in-depth audits to keep people honest. By your reasoning car fuel mileage and tax returns are deregulated, and thus the EPA mileage ratings and IRS tax returns are useless?

      In cases like this where implementation of the regulation is mostly left up to the entity being regulated, it's done as a cost-saving measure. You accept that occasionally someone will cheat while self-regulating, because over time the cost of that occasional cheating is less than the cost of regulating with an iron fist and having regulators duplicate all the testing/calculating work that the company/individual did to comply with the regulation. If you insist that regulation be so ironclad that there is zero incidence of cheating, the cost of implementing the regulation balloons far in excess of the gain from eliminating occasional cheating. That is, the marginal decrease in cheating for each additional dollar spent enforcing regulation becomes smaller as the incident rate of cheating approaches 0%. So the most cost-effective regulatory point is not at zero cheating.

      So while it's regrettable that lives were lost due to this cheating incident, overall, airliner travel remains the safest mode of transportation by far. So I'd say the FAA's approach of judiciously allowing self-regulation has on the balance been successful. Understand that if you opt for more stringent FAA regulation, that higher cost will show up both as higher taxes (to fund the FAA) and higher airfares (manufacturers, airlines, and airports having to do more work to comply with the more stringent enforcement). Sometimes this is worth it, sometimes it is not. In the case of air travel, IMHO the money would be much better spent on improving regulation of the most dangerous form of transportation - passenger cars and motorcycles.

    2. Re:I don't know if I'd call it self regulation by Pyramid · · Score: 2

      If you think for a second that PCI is a neutral party, you're out of your mind.

      --
      ~Any apparent grammatical or typographic errors are caused by defects in your display device.
  16. Re:They have been working for a while you know by thegarbz · · Score: 3, Insightful

    This issue seems like something the pilots can work around if they know what is going on, which the U.S. pilots seem to.

    Based on:

    That's a lot of flights they have done with the plane, so it's not like the plane is inherently unsafe

    You can't draw that conclusion from the data they presented you. This isn't like a plane that is hard to fly. What we are talking about here is pilots responding to a very specific instrumentation problem. The only relevant statistic for how well U.S. pilots can cope with this is how many times Southwest Cargo pilots have suddenly had MCAS fail on them and try to trim down the nose, and how many times in the face of this problem they successfully disabled the system and landed safely. The total number of hours in the air is entirely meaningless to what your pilots know or are capable of.

    so it's not like the plane is inherently unsafe

    Indeed the plane is not inherently unsafe, however it presents an incredible risk to crew and cargo when a very specific instrumented failure occurs.

  17. Re:How can the Trumpists blame Obama for this? by jbengt · · Score: 4, Interesting

    So I checked the schedule for the certification of the 737 MAX and confirmed that it happened in 2017, but early enough to blame on REAL president Obama.

    You could blame it on the Obama administration or the Trump administration, but it goes back a long time.

    The Federal Aviation Act of 1958 was the original statute allowing FAA to delegate activities, as the agency thinks necessary, to approved private people employed by aircraft manufacturers. Although paid by the manufacturers, these designees act as surrogates for FAA in examining aircraft designs, production quality, and airworthiness. The FAA is responsible for overseeing the designees' work and determining whether the designs meet FAA requirements for safety.

  18. Re:Maybe I'm jumping to the wrong conclusion by thegarbz · · Score: 4, Interesting

    Often old and simpler is far better....

    Right until you look at outcomes. You're speaking emotionally from a recent tragic incident. You're not speaking based on data. The airline (along with others such as the process and automotive) industries have had a long downward trend of safety incidents. One of the primary drivers of that has been taking control away from people. As a Boeing noses down to prevent a stall, a car somewhere in the world saves a drive thanks to forward crash avoidance. An operator who mistakenly lowers the level from a high pressure separator is greeted by flashing alarms on his screen and a valve slamming shut in the field to prevent an explosion.

    Humans make mistakes, giving them full control is not the answer. It's always worth remembering why this system was built, and how in the past pilots have through their own failure demolished plenty of planes due to putting the aircraft into a stall.

    Sidenote: The thing that is really missing here which goes against industry trends is a lack of inherently safer design. A more stable plane is preferable to a plane that is only stable when a certain control system is active.

  19. Dept of Transport - OIG Report by ytene · · Score: 5, Informative

    On June 29th, 2011, the Department of Transport's Office of Inspector General issued a detailed (23 page) audit report that examined the Federal Aviation Authority's approach to Risk Management.

    You can read the report directly here.

    This report, published in June 2011, documents in stark detail that the approach taken by the FAA - to significantly scale back oversight of aircraft manufacturers - represented significant risk, even if that activity were performed adequately.

    In more detail, the report explains how the FAA took the decision to delegate responsibility for the hiring of individuals to serve as "FAA engineers" - essentially the supposedly independent inspectors who are intended to be able to objectively assess the effectiveness of the design and modification procedures conducted by the company that hired them.

    If that wasn't bad enough, the report goes on to say that once the FAA had conducted initial inspections [the document quotes a 2 year time window of monitoring] it then stepped back from even an oversight role. In other words, there was no way that the FAA could have had any confidence that the modifications introduced with the 737 MAX aircraft were actually functional as claimed.

    If you read around this news story in search of more details, you might find a couple of other relevant pieces of information. Staggering pieces of information...

    One is that Boeing's design/development process broke down, so that when the "final" aircraft was reviewed / safety inspected by their in-house "FAA engineer", all the presented paperwork showed that the force imparted on the contol column by MCAS was set at relatively low, original design levels. In truth the design had changed, to the extent that one of the pilots in Lion Air flight incident had been attempting to fight the controls with over 100lbs of force - and had failed to overcome the aircraft's systems.

    Another is that the sensor input to the MCAS system that turned out to be closely related to the problem may have been basing decisions on a single, faulty attitude sensor.

    Whatever the causes of the two recent failures in terms of the operational characteristics of the two aircraft involved, I think the 2011 Inspector General's report clearly shows that both of these events were clearly avoidable and could have been prevented had the FAA leadership performed their duties responsibly.

    1. Re:Dept of Transport - OIG Report by ytene · · Score: 2

      Friend of mine is a commercial pilot. When he still had spare time, he also used to own and fly an ultralight - I couldn't tell you the make, but it was a pretty good little 3-axis machine with robust performance and thoughtful design. He also had to go through routine inspections... and on one occasion this review happened to coincide with another pilot, at the same airfield, who was having an original (as opposed to replica) WW1- or WW2-era biplane check out.

      The inspector made a visit to look at these and other aircraft in one go.

      At one point one of the owners asked the inspector if they flew themselves (they did) and whether they had a preference as to which of the two aircraft they would like to fly. A preference was expressed for the biplane, augmented [and forgive me, this is anecdotal from ~20 years ago] by the observation that it was a "proper" aircraft, "properly" built.

      My friend, a little indignant at the imagined slight, offered a counter argument, pointing out that his ultralight was formed from 6061, employed state-of-the-art, UV-resistant fabric, while the original had wooden spars, sketchy steel for bolts and wing cloth treated with (many) coats of butyrate dope (which, for non-aviators, is some seriously flammable stuff). The inspector just shrugged, as if to say that they would disregard the maybe 50 or more years of advances in materials science and computer-aided design because my friend's ultra-light "wasn't a real aircraft".

      And yes, he had to pay for the privilege of this imagined slight, too.

  20. Re:Maybe I'm jumping to the wrong conclusion by dunkelfalke · · Score: 3, Interesting

    You are. This crash merely shows yet again that a badly trained pilot - and many of them are - will crash the aircraft as soon as something unexpected happens. The cycle repeated for 21 bloody times yet the pilot kept fighting the aircraft instead of executing the correct procedure for a runaway stabiliser (essentily flicking two switches and manually cranking the stabiliser in the correct position).

    Bad pilots are a fact of life, hence the only way to protect passengers from pilots is more automation, not less.

    --
    "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
  21. Re:Bobbiedickless you know nothing. by bobbied · · Score: 2

    Yea, just so you know.. My father was an avionics and radio mechanic for a major US airline for 38 years, including a decade stent keeping flight simulators running at their pilot training center (to which I got to regularly go and "fly" the big sims), so I grew up around airplanes all my life. I also worked as an avionics engineer on a Navy fighter aircraft and I've done some private flying on my own. I'm not a expert on Boeing's avionics or modern flight control systems, but I do have a few clues about how they work.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  22. Re:Volkswagen AG by bobbied · · Score: 2

    Everything will be in the paper trail. That, and dead bodies, is a conviction.

    If not in the USA, then in any other country willing to prosecute on behalf of their dead citizen.

    Sure, but if said person is not IN said country and extradition treaties are not in existence, what does it matter? Not a whole lot.

    I can go to Sealand and get a judgment, but who's going to enforce it? Who's going to honor the judgment in the USA? It's not like you can contact the local Sherriff and get him to enforce a judgment from outside the country.

    Also, don't forget there is a vast difference between civil judgments (i.e. money awards) and criminal charges.

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
  23. Test Engineers -- throw off your chains ! by Btrot69 · · Score: 2

    I love software testing, but I quit and moved on cause the field just doesn't get the respect/resources is needs.
    Developers and managers are always trying to "reign in" the testing staff and make them stick to a stupid script --
    written by the same developers that made the mistakes in the first place.

    My most important bug discoveries were almost always the result of informal testing, or thinking about the test script
    and "trying something" that wasn't on the script. Overnight "random monkey testing" with the automated test harness was
    very effective at finding real world problems -- but invariably got a rebuke from some manager, "Why were you doing that?"

    This sounds a lot like that, but with the added bureaucracy of Aerospace+gov't.
    The development process then adapts to minimize bureaucracy, instead of maximizing safety.

    So as I see it, one of two things happened:

        1. There was a test engineer somewhere who thought about these failure modes before the first crash. He was ignored and didn't have the power to escalate the issue.

        2. The tests were stupid and were run by stupid people.

    There were enough red flags -- I think it was #1.

    Test Engineers -- throw off your chains !
    The safety of the world depends on you.

  24. Re:This is going to be one of the biggest lawsuits by Anonymous Coward · · Score: 2, Interesting

    There's a good chance the aftermath of this is going to bankrupt Boeing.

    The evidence for gross engineering negligence is piling up, and they are not going to live through the results.

  25. I used to do certification - backwards by FeelGood314 · · Score: 2

    And my ex-wife likely was responsible for the OS that the plane was using. Certification is backwards. The company making the OS or plane or drug should not be paying for the certification. The buyers of the product need to group together to do it. When I did security certification at IBM no one ever failed. Our customer was the maker of the product so we couldn't fail them. We almost never asked the customer to make changes (and when we did we never verified that they did make the changes), all the certification process was about getting the paper work correct. For the OS certification it might actually be worse. The certifiers probably aren't very good programmers. Their tests are running automated code checkers and running a subset of the tests the OS maker made. One really bad mistake my ex's team made was misunderstanding a processor errata spec on cache misses. A non-trivial percentage of the worlds aircraft were nearly grounded because of that*. My ex's team had misread the errata and the certification house had relied on her teams interpretation of the errata (or more likely had no clue what it meant).

    Critical systems don't allow free() so all non-stack memory will be in static locations. Someone was able to write a program to analyse the executable images to determine if this particular cache miss would ever happen. Turned out that no production systems were affected. The scary part though is change the length of a single text string could trigger this problem.

  26. Re:This is going to be one of the biggest lawsuits by Humbubba · · Score: 5, Insightful
    The underlying problem is the FAA has a revolving door to the Aviation Industry where people, regulation and oversight passes through unobstructed by responsibility or moral conscience.

    On a side note, this story from the Seattle Times shows how important investigative reporting is to society. If the government ever gets serious about regulating private enterprise again, it will be due to stories like this, and the resulting public outrage. We are yet again in their debt.

  27. MCAS could cause to-the-stops nose-down trim. by presidenteloco · · Score: 4, Interesting

    "One current FAA safety engineer said that every time the pilots on the Lion Air flight reset the (trim) switches on their control columns to pull the nose back up, MCAS would (reset its 0 degree reference and) have kicked in again and “allowed new increments of 2.5 degrees.”

    &ldquo;So once they pushed a couple of times, they were at full stop,&rdquo; meaning at the full extent of the tail swivel, he said.

    So in summary a system FAA-certified on the basis of being able to adjust nose-down trim by 0.6 degrees could actually, (after a few cycles of the pilot correcting it a little bit with trim up), command full nose-down trim, about 5 or 6 degrees tailplane tilt.

    All of this relying on input from a single angle-of-attack sensor. Get this, the plane has two such sensors, one on each side, but the MCAS only uses input from one of them!!! ! !! ! ! ! ! What the hell? If you use two of them, then your software can check if they diverge, and disable systems relying on the input, and warn the pilots. That is some criminally bad development cost saving judgement there.

    --

    Where are we going and why are we in a handbasket?
  28. Re:This is going to be one of the biggest lawsuits by cayenne8 · · Score: 3, Insightful

    The underlying problem is the FAA has a revolving door to the Aviation Industry where people, regulation and oversight passes through unobstructed by responsibility or moral conscience.

    It isn't just the FAA, this is a problem with many if not MOST of the Federal Regulatory agencies....

    Look at the FDA rosters, and you can easily see why we won't ever get sensible food regulations/recommendations the would actually help address obesity, etc....in the US.

    --
    Light travels faster than sound. This is why some people appear bright until you hear them speak.........
  29. boing is at fault by aepervius · · Score: 2

    Boeing offered options to provide detailed insight to these sensors that the customer opt'd out of. Who's at fault here?

    Boing is at fault. They should have made it mandatory and presented it as a major system which could lead to major lethal problem in case of misunderstanding or failure or mishandling. Instead they made it an option, a "don't worry not too important" case. They are the one knowing the consequence, so they are the ones which should have insisted. But by the sound of it, it was passed off as a minor problem or no accent was really put on it.

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
  30. "one in 100,000" WHAT! by brausch · · Score: 2

    One in 100,000 what? Seconds, minutes, hours, lifetimes?

    It is stupid to make something that can kill people rely on a single input sensor. I programmed experimental tests in nuclear reactors and we always had multiple inputs (thermocouples, flow sensors, etc.) and had sanity checks on the values to identify failed equipment.

    Seems like Boeing's software could have taken more things into consideration than just the angle of attack? What about speed, altitude, rate of climb/descent, etc.

    --
    "Almost every wise saying has an opposite one, no less wise, to balance it." - George Santayana
  31. Re:This is going to be one of the biggest lawsuits by Tough+Love · · Score: 4, Insightful

    Boeing did all these dodgy hardware and software hacks just to avoid the time and cost of certifying a new type. This was a panicked rush to market, to compete with Airbus 320neo. Which isn't crippled by stubby landing gear like the 737, so its engines can placed in an inherently aerodynamically stable position.

    Because it wasn't a new type, FAA did not require that pilots be certified. And furthermore Boeing buried the details of how to fully return the plane to manual control, because that would conflict with the story they told the FAA about unchanged flight characteristics. Unfortunately for all involved, Max 8 really did have a new flight characteristic: falling out of the sky under computer control.

    So yes, Boeing is going to pay out the biggest settlement in aviation history. There is just no way to escape culpability. And we have a huge indictment of Trumpist deregulation too: industry didn't win by weakening FAA oversight, rather it lost big league.

    --
    When all you have is a hammer, every problem starts to look like a thumb.
  32. Re:Or 7 Times Redundancy by ceoyoyo · · Score: 4, Interesting

    I'm not a big fan of MBAs, but this was a pretty long and complicated chain of errors. From what I gather: Boeing wanted to keep the 737's low ground clearance but needed to put bigger engines on to match the efficiency of the new A320s, which meant changing the aerodynamics. Boeing also wanted pilots to be able to do a simple difference training course, rather than have to recertify on a new aircraft, so they invented MCAS. The engineers must have figured that it was a supplemental system, and easy to turn off if it malfunctioned, so they chose to make it kick in aggressively rather than conservatively (either sensor says go, rather than both sensors say go). They also made it harder to turn off than the old system, probably by accident. Then Boeing decided not to mention the new system to pilots in that difference course, to avoid confusing them.

    Lots of errors to go around. Some are definitely cost saving, but some are probably a result of not enough whole-system oversight. The decision to go based on one sensor is a bit mystifying. There are already two AoA sensors on the aircraft, and lots of other ways of cross checking them. In fact, Boeing is releasing a software update to add all that cross checking in, so it's not even a hardware limitation.

    The 737 MAX isn't actually aerodynamically unstable in normal flight. Any airliner, including all the 737s, with the standard under-the-wing engines will have off-axis thrust that will add a bit of pitch up. The aircraft is designed to compensate for that in normal flight, but in a stall if the pilot gooses the engine it can make it impossible to recover. 737 pilots (including the older model) are trained NOT to increase throttle in a stall because of it. The MAX handles differently in that situation, so they added MCAS so the pilots wouldn't have to be trained in a new stall recovery procedure.

  33. Re:This is going to be one of the biggest lawsuits by Beeftopia · · Score: 5, Informative

    The term is "regulatory capture", and it's been blamed for the Deepwater Horizon incident, and Wall Street's shenanigans.

    From that second link, "the process by which regulatory agencies eventually come to be dominated by the very industries they were charged with regulating. Regulatory capture happens when a regulatory agency, formed to act in the public's interest, eventually acts in ways that benefit the industry it is supposed to be regulating, rather than the public."

  34. Re:Maybe I'm jumping to the wrong conclusion by Tough+Love · · Score: 2

    This crash merely shows yet again that a badly trained pilot - and many of them are - will crash the aircraft as soon as something unexpected happens.

    Your post merely shows that you are an idiot. The pilots were properly trained, however the MCAS and means of disabling it are undocumented, and Boeing claimed that pilots did not need to be retrained for this version of the 737.

    --
    When all you have is a hammer, every problem starts to look like a thumb.