Slashdot Mirror


Pilot Who Hitched a Ride Saved Lion Air 737 Day Before Deadly Crash (bloomberg.com)

As the Lion Air crew fought to control their diving Boeing 737 Max 8, they got help from an unexpected source: an off-duty pilot who happened to be riding in the cockpit. Bloomberg reports: That extra pilot, who was seated in the cockpit jumpseat, correctly diagnosed the problem and told the crew how to disable a malfunctioning flight-control system and save the plane, according to two people familiar with Indonesia's investigation. The next day, under command of a different crew facing what investigators said was an identical malfunction, the jetliner crashed into the Java Sea killing all 189 aboard.

The previously undisclosed detail on the earlier Lion Air flight represents a new clue in the mystery of how some 737 Max pilots faced with the malfunction have been able to avert disaster while the others lost control of their planes and crashed. The presence of a third pilot in the cockpit wasn't contained in Indonesia's National Transportation Safety Committee's Nov. 28 report on the crash and hasn't previously been reported. The so-called dead-head pilot on the earlier flight from Bali to Jakarta told the crew to cut power to the motor driving the nose down, according to the people familiar, part of a checklist that all pilots are required to memorize.
Further reading: Flawed Analysis, Failed Oversight: How Boeing, FAA Certified the Suspect 737 MAX Flight Control System.

10 of 353 comments

  1. So, pilot error? by OffTheLip · · Score: 5, Interesting

    Is this a 737 Max 8 problem or a training problem?

    1. Re: So, pilot error? by 0100010001010011 · · Score: 3, Interesting

      Boeing intentionally [re]worded parts of how the system behaves so that the "FAA" (themselves) wouldn't have to recertify.

      Aerospace has a huge recycling problem where once something is certified they'll just reuse it as "COTS" (commercial off the shelf) so that they don't have to recert.

      It also leads to incredibly stupid decisions that are more political than engineering.

      I just ditched a gig at a Tier1 vendor because they picked a Coldfire (68k) processor because it was "in production". They had no dev boards. They can't find dev boards. But the whole project was stuck with the decision because of politics that happened far away from where I was.

    2. Re:So, pilot error? by Anonymous Coward · · Score: 2, Interesting

      I agree that more information about this new system should have been included in training. I disagree that a properly trained pilot would have any issues with responding to this MCAS trim issue without that information. There seem to be enough occurrences of the problem being effectively handled by other pilots to demonstrate that. It should have been immediately recognized as a trim problem and the proper response taken. The response for trim problems is the same for this MCAS problem. Pilots are required in training to respond to runaway trim by memory, without resorting to a checklist. The training for runaway trim is already in place, this is a variation on that, it should have been recognized by any properly trained pilot. It would be interesting to know more details about the training the accident pilots had. Runaway trim should be in the syllabus and failure to properly respond should be a fail item.

    3. Re: So, pilot error? by bondsbw · · Score: 4, Interesting

      I don't believe it and I don't really want it to happen. Killing the company would be like saying NASA should have been killed after Challenger.

      A better response to both, which keeps us flying and fixes future fuckups, is to hold the people who authorized bypassing such reasonable procedures criminally liable.

      --
      All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.

    4. Re:So, pilot error? by geoskd · · Score: 3, Interesting

      Um.. Not really.. Boeing is guilty of being a bit short sighted about the failure modes of the MCAS and not effectively communicating critical information to anybody, the pilots, their trainers, and likely the certification inspectors.

      Boeing is absolutely guilty for using a single point of failure.

      The number one rule for safety critical systems is: Never, ever, EVER have a single point of failure in a safety critical system. That is why commercial planes have THREE hydraulic systems, two people in the cockpit, at least two engines, multiple fuel tanks and fuel pumps, etc. Anything that can affect the control surfaces or engines on an aircraft in motion is, by any reasonable definition, Safety Critical. The engineer who designed this thing, the manager who approved it, and the FAA regulator who signed off on it should all be put in prison for criminally negligent homicide.

      Even our system of oversight is supposed to have redundancy built in, so when the FAA starts abdicating its oversight responsibilities, disaster is one step closer. Anyone who thinks that regulation is bad needs only look to this accident to see what inadequate regulation does.

      --
      I wish I had a good sig, but all the good ones are copyrighted

    5. Re:So, pilot error? by sjames · · Score: 4, Interesting

      It really is both. Initially, Boeing did not document the existence of MCAS. Some pilots may have stumbled over its existence and applied a checklist for similar failures in documented systems.

      Later, Boeing was required to document the existence of MCAS and state clearly that the runaway trim checklist should be followed when it malfunctions. Apparently not all pilots got that memo (so also a training problem).

    6. Re: So, pilot error? by c6gunner · · Score: 3, Interesting

      No, Boeing was trying to avoid the training necessitated by the aircraft having new handling characteristics as compared to the previous model. The MCAS itself required zero training.

      The "training" to go from a previous 737 to the 737 MAX consists of a 1 hour video and some short reading. They could have added a section to it which said "yeah, btw, we put this new box in, if your trim starts acting up just follow your standard runaway-trim checklist", and that would have been it. Not exactly a big hit to the budget there. Leaving it out was just dumb, not greedy.

  2. Re:Collection of errors by 0100010001010011 · · Score: 4, Interesting

    The smoking gun for this incident isn't going to be what the final report says. It'll be on some notes by some engineer when this project started saying everything above. There isn't a way that this project made it this far without some intelligent engineers speaking up and getting overruled by management.

    I lasted exactly 45 days in Aerospace and it was terrifying, they picked a "COTS" architecture that hasn't been "COTS" since the Macintosh moved away from 68k. I was told to 'deal with it'. Other people quipped that "this wasn't the worst design decision he's seen". The schedule was everything because customers had already bought what we were working on.

    But everything HAD to move forward according to THIS timeline because someone already bought it. In those 45 days I had to work on trial versions of everything, they couldn't figure out how to get us licensed in to their network. Everyone else on the project had always been in aerospace, so this was 'par for the course'. I came from automotive where we actually did put safety first (at least where I worked).

    I want to see the MIL/SIL/HIL reports. This should have been caught in the plant model long before it came to market. There should be a high-fidelity model that shows this exact scenario and how it plays out. It was buried for some reason or another. If there isn't then they didn't test as comprehensively as they should have (because of rushing to market).

    There are a lot of people that have been coming to similar conclusions about the MAX8. It's an 'unstable pendulum' that they thought they could just 'fix it in software'. Good hardware design is crucial to a good controllable system.

    Someone spoke up, either they have an e-mail in a safe (like Audi's Dieselgate) or they're no longer with Boeing (or one of their subcontractors like GE, or GE's subcontractors) because they did speak up and were told they were 'toxic to the project'.

    This is the boring un-sexy parts of engineering. But 'Failure Mode and Effects Analysis (FMEA)s' are important. We literally sit down and go "What happens if this fails" and then write out a full plan in software. Plus a full test plan.

    dSpace makes aerospace hardware-in-the-loop (HIL) test benches. They make them for automotive and off highway too. We literally 'drive' around a vehicle for thousands of hours for software releases.

    I don't have a doubt this was caught by someone somewhere. Management got involved and now this is going to be another Challenger O-Ring example for freshmen engineers.

    Is ignoring a plugged sensor a bad idea? Absolutely. Should the failure mode be plowing into the ground at full tilt after fighting the pilots? No.

  3. Responsibility????? by sgt_doom · · Score: 4, Interesting

    Although I haven't been in the aviation arena for some years, I recall that this should have been disseminated in a NOTAMN (notice to airmen) --- why didn't that aircrew spread that correction to others within the airport and airlines????? If they did not, it displays a massive show of irresponsibility on their part!

  4. What about a runaway throttle? by Anonymous Coward · · Score: 2, Interesting

    Toyota had a runaway throttle caused by recursive software. People died as a result.

    Toyota's response - replace the floormats!

    Someone should have gone to prison over this.