The Case Against Boeing (newyorker.com)
107 points by axiomdata316 on Nov 16, 2019 | 158 comments



This reminds me of the debate around not-quite-self-driving cars. Saying the product is safe to use, but that the user must be ready to do X immediately, despite evidence that the users you're selling to won't be ready to do X immediately. Then when people die you get to say it was totally safe, if they'd just done what they were supposed to do.

Or we could just design products that will be safe in the real world, rather than ones that could have been safe in a utopia of perfect people.


At least most car manufacturers, apart from one (guess who that is), are honest in the marketing about what the feature is, a more advanced lane assist, and don't sell it as self-driving.


Exactly, and you have Elon Musk retweeting the guy who slept the whole ride home in his Tesla and giving him an attaboy.


Oh God, quicktime events are leaking into the real world. Press X to not die.


That comparison falls flat because planes are filled with technologies where the pilot has to be ready to do X and it works fine (see autopilot).


On planes pilots generally have time to take over if the autopilot fails. Falling from ten thousand feet takes a few minutes.

On cars, if autopilot fails, the driver might have a fraction of a second to recognize the failure, take over from the AI, and initiate corrective action. Generally, there isn't sufficient time for any of these steps, let alone the first one.


Pilots have significantly more training than drivers. Safety is drilled into them from the beginning and how to respond in emergency situations is continuously reinforced with recurrent simulator training and testing. There are also far fewer interactions between an airplane and physical elements of the world than with cars. Weather visibility is much less of a problem except on takeoff and landing. Finally, on commercial flights there are at least two pilots operating the aircraft at one time to balance the workload.


Certain items just have a danger level that requires an elevated sense of responsibility and awareness and I don't just mean firearms. Workshop tools like power saws or table saws need to be handled with respect and care and those that cannot provide it should just not use them. Those that have worked in some kinds of environments know what I mean. Some factories or manufacturing places have lots of extra safety regulations. Those that have been in the military also know of dynamic and changing circumstances of their operating environment with all the specific equipment they use.

Even on a sailboat you need to be aware of the boom.


As do cars. Which is why people need licenses to drive them. The question being asked is whether it is ethical for a company to market auto-pilot low-awareness chainsaws, designed to give the user only a half-second heads-up, and then disclaim responsibility when accidents happen.

Maybe the solution is for licensing authorities to call these auto-manual chimeras unlicenseable.


There are numerous devices for which the typical individual can function well in society without making direct use of them.

Skillsaws, 737-MAX airliners, full Linux server distros, and home fluorine refining labs among them.

Automobiles, after a century-plus of integration and mutual reinforcement of the built infrastructure and virtually all aspects of life, commerce, government, employment, recreation, education, etc., are not amongst these.

It is possible, usually within narrow environments and/or with considerable compromise, to survive without owning, using, or access to one. It is exceedingly difficult, and the net household ownership rates within the US and most other Western / Industrialised countries, reveals this.

The standards are different.

Incidentally: I agree with your premise regarding the unacceptability of manufacturers' apparent self-driving cutout behaviours. No, this is not remotely acceptable.


It's definitely possible to survive without owning a car in multiple cities in the US, such as New York City or San Francisco. Other Western cities such as Paris, London, Zurich also can support car free lifestyles.

Looking at Asia, it's definitely possible not to own a car in Japan, and the ridership numbers for the Tokyo trains show this. Even rural areas have some kind of public transportation, either through trains or local buses.


Nearly 90% of the eligible population in the US have a drivers license. That's the bottom line.

> It's definitely possible to survive without owning a car in multiple cities in the US...

That is a confirmation of the qualifier I gave: "It is possible, usually within narrow environments and/or with considerable compromise, to survive without owning, using, or access to one. It is exceedingly difficult, and the net household ownership rates within the US and most other Western / Industrialised countries, reveals this."

Note that owning a car is not the same as access to a car, and that in the context of understanding driving principles, car-share, hire, or borrowing a vehicle are included in use.

The Uber/Lyft on-demand chauffeur service or traditional taxi/limo or van/paratransit services would not require driving skills by the customer, though I strongly suspect most such customers (possibly outside Manhattan) actually do, or did, drive.

For the US, household car ownership rates range from 98% to 65%: https://www.governing.com/gov-data/car-ownership-numbers-of-...

Even creating car-free zones, streets, or blocks within US cities is problematic:

https://www.governing.com/topics/urban/gov-car-free-cities.h...

The same article correlates car ownership with wealth, or conversely, lack with poverty. Apparently, if a household can own a car, it prefers to.

Eyeballing national data, similar trends appear:

https://en.wikipedia.org/wiki/List_of_countries_by_vehicles_...

Note peak ownership rates exceed 1 per person at national scale.

The question of giving up driving is a significant one among senior care and living, with numerous articles easily found:

https://www.npr.org/sections/health-shots/2012/10/08/1623925...

https://www.seniorcaring.com/resources/talking-to-elderly-pa...

https://www.dmv.org/how-to-guides/senior-driving.php

From the NPR story:

Bunni Dybnis, a social worker at the Los Angeles-based geriatric care service LivHome, says [family intervention] is typically how older drivers decide to give up the car keys: Their child or grandchild intervenes. "I could probably say it's 99.99 percent not the older adult saying, 'I want to stop driving; help me,' " says Dybnis, because giving up driving feels like giving up one's independence.

I'd like to give the number of licensed drivers by state, as a percentage of population. That doesn't seem immediately available, though raw counts are:

https://www.fhwa.dot.gov/ohim/hs00/dl22.htm

Note that a licensed driver is one who is certified to drive, whether or not they own a car themselves or live in a household which does. And that rate tends to be high.

It also underlines my initial claim: that interacting in modern industrialised nations, and certainly the US, without any ability to directly use a car, is at best difficult and imposes numerous compromises.

OK, here's a 2017 US overview, in millions:

- Population: 325

- Licensed drivers: 225

- Registered vehicles: 272

https://www.fhwa.dot.gov/policyinformation/statistics/2017/d...

That's a 67% rate for registered drivers, for all ages. Population under age 18 is 22%, so 11% of otherwise age-qualified adults do not have a drivers license.

https://www.census.gov/quickfacts/fact/table/US/PST045218


You could even make the question more precise. If you market a product where you know it could be safe, but also know X% of the users will accidentally kill themselves (and maybe others), then for what X is it unethical? I think there are probably values on each end where it's clearly either. 100-epsilon is bad. epsilon is fine. Somewhere in between it gets fuzzy.

Another interesting question is that when accidents come up, do you get to blame those X% of users for failing, even though at the design stage you already knew and decided they would fail and be killed.

It's really more of a trolley problem, in that it's interesting to think about, but in reality there's more context and circumstances that make specific cases clearer.


This is off-topic, but WalterBright's participation here has reminded me of my own weaknesses. Everything I have read about the 737Max has put a pitchfork in my hands to go after Boeing. Walter's are the first comments I have read that make me think perhaps Boeing wasn't completely, utterly, criminally unjustified.

It is interesting that Walter has chosen to jump in like this, and to hold his position so firmly so publicly. He must realize that this action threatens to paint him very unfavorably to a lot of people. There seems to be no reason for him to speak out and take such a risk.

To do this seems to me to require either a certain level of stupidity or a certain level of conviction and courage. My impression is that Walter has considerable courage and some motivation to try to counteract public ignorance.

FWIW, Walter's courage has given at least one person pause. I'm going to put the pitchfork down for a little bit. Boeing still isn't on my good list, but now I admit that I don't know as much about this as I thought I did.


The outrage mob over this has made it difficult for the whole truth to surface. For months, many people have said exactly what Walter is saying in this thread, Walter just happens to be more eloquent and qualified than other people who have made generally the same points.

Most of these people receive insults and downvotes so they stop talking about it. This leads to the classic “spiral of outrage” and the truth becomes lost.

I’m tooting my own horn here, but I’ve said what Walter has said in previous threads, and my comments were often downvoted into invisibility and I eventually gave up trying to point out that the pilots, the airlines, and the maintenance staff of the 737-MAX deserve some portion of the blame in addition to Boeing. Planes have become so safe that some airlines skip out on pilot emergency safety training, and Airworthiness Directives were ignored by the two airlines which had a 737-MAX crash.

This doesn’t mean that Boeing has no culpability, but it does mean that Boeing is not the sole party at fault. For everyone saying “Boeing cut costs and cost lives”, this is equally true for the airlines which skimped on pilot training and skimped on maintenance. The 737-MAX crashes were the result of a series of bad decisions and mistakes, not merely the result of bad MCAS system design.

Note: my late father worked at Boeing for 25 years so I have some personal reasons for wanting to defend Boeing. My mother’s widow pension is also dependent on Boeing stock not cratering into the ground.


I may be bigoted, but I expect very little from certain countries, but quite a lot from Boeing.


>The paradox is that the failures of the 737 Max were really the product of an incredible success: a decades-long transformation of the whole business of flying, in which airplanes became so automated and accidents so rare that a cheap air-travel boom was able to take root around the world. Along the way, though, this system never managed to fully account for the unexpected: for the moment when technology fails and humans — a growing population of more than 300,000 airline pilots of variable and largely unpredictable skills — are required to intervene. In the drama of the 737 Max, it was the decisions made by four of those pilots, more than the failure of a single obscure component, that led to 346 deaths and the worldwide grounding of the entire fleet.

https://www.nytimes.com/2019/09/18/magazine/boeing-737-max-c...

In a way, these accidents were inevitable. When safety is so assured, some airlines will begin to take a casual approach to training their pilots. Post-accident, this leads to Boeing/Airbus making their planes even more immune to poor airmanship, and the virtuous cycle continues until another accident inevitably happens, and Boeing/Airbus get fingered instead of the airline (because we want to blame the agents we think we can change, rather than the agents we cannot change).


Can you be a little more specific about what WalterBright said that changed your mind? Because the only thing I see that could possibly be considered a mitigating factor is this:

> Both the LA and EA did make the adjustments within 10 seconds. They then did NOT throw the cutoff switches

(Emphasis added, because I missed this the first time I read it.)

If I squint hard enough I guess I can see a tiny hint of merit in the argument that the fault for the two crashes lies at least in part with the pilots because they failed to throw the cutoff switches. But that seems like a mighty thin reed to me. Have I missed something?


I don't think you have. Bright's arguments have focused entirely on the design of the MCAS software, and have as far as I can tell completely ignored the fact that that software, driven by input from a single AoA sensor, creates a very short critical failure path which requires immediate and precise human intervention to avert a fatal accident. That such human intervention was imperfectly performed in two cases does not indict the humans in question, so much as it indicts a design which errs so far on the side of unsafety that perfection in human behavior is required to prevent it killing everyone on board a commercial aircraft.

Any competent engineer knows that a design which requires human perfection for safety is a design not only doomed to failure, but a failed design in itself. At least one Boeing engineer raised this very concern during the 737 MAX design process, only to be quashed by management. It would be invidious to suggest that at least one ex-Boeing engineer should argue in the defense of that design out of any motivation other than a genuine conviction of the merit in his argument. But conviction alone doesn't suffice to render that argument meritorious, and I'm surprised and disappointed to see anyone here or elsewhere claim otherwise.


I did not defend Boeing's MCAS design.


Thanks, but I really would like to hear what supportlocal4h has to say about it. You're just repeating the party line. (And just for the record, I agree with the party line. But I think it's important to listen to and understand dissenting views.)


This is how I read it:

1. Boeing is not blameless.

2. Boeing has a point about MCAS issues manifesting exactly like another well-known event in other models and having the exact same solution.

3. The well-known solution to the well-known event is one that pilots must memorize because they don't have time to look it up.

4. The pilots seem to have demonstrated that they recognized the problem and, in fact, executed the well-known solution in time. They just failed to complete all the steps for some unknown reason.

5. Points 2-4 don't mean that Boeing is perfect. MCAS needs to be fixed. But it isn't completely absurd to argue that MCAS really is so similar in its misbehavior and so identical in the correct response that a reasonable person might expect pilots to do the right thing even if they had never heard of MCAS.

Taken together, this paints a picture to me that is different than the completely evil, conniving picture I had. I'm not sure where to draw the line between them, but probably not on the extreme end where I had it.

But my point is not so much about Boeing. I was observing the actions of a person who took what I expect to be a very unpopular stand in the face of overwhelming popular opinion. For what? Who cares if somebody else is mischaracterized? There's nothing you can do about it except get yourself muddy. Just let it happen and keep your head down.

I don't know why Walter is speaking up now. I'm not sure how much it changes my opinion. But I still tip my hat to a person who will say what they think is right even when they know they will be burned at the stake for it.


> Boeing has a point about MCAS issues manifesting exactly like another well-known event in other models and having the exact same solution.

No, they don't, because (a) the MCAS issue does not manifest exactly the same as another well-known event (runaway trim), and (b) the solution to the MCAS issue is not the same as the solution to runaway trim.

Re (a), normal runaway trim on a 737 manifests as a continuous automatic adjustment of trim. The trim starts moving and doesn't stop until the pilot disables the automatic trim system entirely.

The MCAS issue, however, manifests as an intermittent automatic adjustment of trim, at times that seem completely random to the pilot. It is not at all the same as normal runaway trim.

Re (b), the procedure for normal runaway trim on previous 737s is to shut off the automatic trim system. You can then use the manual electric trim system to put the trim back where it belongs. The critical fact here is that shutting off the automatic trim system does not shut off the manual electric trim system.

But on the 737 MAX, shutting off the automatic trim system, which is what you need to do to disable MCAS, also shuts off the manual electric trim system. So now the only way to get the trim back where it is supposed to be is to use the mechanical trim wheel; and MCAS has enough control authority to put the trim in a place where it is impossible for the pilot to exert enough mechanical force on the trim wheel to move the trim back to where it belongs. So the normal runaway trim response procedure does not work for an MCAS failure.

There is a way to recover from an MCAS failure, which is to wait until you are in between intermittent MCAS adjustments of the trim, use the manual electric trim system to put the trim where it is supposed to be, and then shut off the automatic trim system (which, as noted, also disables the manual electric trim system in the 737 MAX). Then you have MCAS disabled and you have the trim in a place where you can use the mechanical trim wheel if needed. But that procedure is not the standard procedure that 737 pilots are trained to do.


Thanks for the response. Two follow-up questions:

> MCAS issues manifesting exactly like another well-known event in other models and having the exact same solution

By "another well-known event" do you mean a runaway trim? Because if you do, then you're mistaken. MCAS and runaway trim differ in significant ways. And if you don't, what do you mean?

> I don't know why Walter is speaking up now.

Have you considered the possibility that he's a shill?


> Have you considered the possibility that he's a shill?

A fair question. I left Boeing's employ (as a flight controls engineer) in 1982. I am not a spokesman for Boeing, paid or otherwise. The facts I've presented here are all public information (though routinely omitted from sensationalist articles about it). My interpretation of those facts is mine alone.

We'll see what the final NTSB report says. They have earned a reputation for going wherever the facts lead them, regardless of political pressure. I sincerely hope they continue with this tradition, as it is the only way to make airline travel safe.

This highly political case will surely test the NTSB's commitment to dispassionate examination of the facts. We shall see.


> I am not a spokesman for Boeing, paid or otherwise.

Isn't that exactly what an effective shill would say? It could even be true. "Shill" and "spokesman" are not synonyms.

FWIW, I went back and re-read some of your comments in other branches of this thread and it's really hard for me to figure out what your position actually is. For example:

> It's true that if the MCAS software requirements weren't inadequate, the accidents would not have happened.

Apart from being a nearly-impossible-to-parse triple negative, it's just absurd on its face. No requirements can ever prevent an accident. I can write down as a requirement: "MCAS software must never cause the plane to crash." But obviously the planes did not crash because someone failed to write down that requirement.

If you're really a flight controls engineer then you obviously meant something else. But I have no idea what that something else could possibly be.

> But I don't see why the shortcomings in the MCAS software design requirements were the result of cost savings.

Again, it is hard for me to wring any plausible interpretation out of this sentence under the assumption that you are well informed. It is well known that the reason MCAS exists at all is because Boeing attempted to make a radical change to an existing airframe design without getting it re-certified, and the reason for doing that was cost savings, both for Boeing and its customers. What other underlying reason could there possibly be for MCAS to exist at all?

> I did not defend Boeing's MCAS design.

OK, but do you see how someone could come away with that impression?


> Isn't that exactly what an effective shill would say?

Of course. There's no telling how deep this conspiracy to point out publicly available facts goes :-)

> No requirements can ever prevent an accident.

That's not what I meant by requirements. Boeing came up with a set of rules for what the software must do in each situation. This is called the requirements specification for the software.

Anybody who contracts with someone to write some software comes up with such a specification.

> What other underlying reason could there possibly be for MCAS to exist at all?

There's nothing at all wrong with the concept of MCAS. There's a long history of flight control augmentation in jet airliners to make them behave better. In fact, you cannot control a jetliner at all without augmentation, it's too fast and heavy. It's the implementation that was faulty.

The B-17 was perhaps the largest successful airplane with no augmentation, and a strong man could barely handle it (source - my dad was a B-17 pilot).

The 757, which I worked on, has fully powered controls. The control column just opens and closes valves. In order to prevent the pilot from inadvertently making violent maneuvers a hydraulic "feel computer" was added to push back on the stick to fake the behavior of a manually controlled system. The forces it imparted had to be dialed back to accommodate the advent of female pilots, which caused some worry that the men would overcontrol the airplane. Fortunately, that turned out to not be a problem.

> OK, but do you see how someone could come away with that impression?

I not only never defended MCAS' design, I wrote that it was faulty several times. You should ask the someone why they conclude the opposite.


Fair enough. Thanks for the reply.


It sounds so crude... I prefer “biased”. It’s our Walt...


Everybody is at fault. Pilots for not flipping the switch. Foreign aviation regulations for not requiring more knowledge (hours) in the cockpit. Airlines for not buying safety equipment. Boeing for not making safety equipment standard and then playing the cover-up/shift-blame game.

You all can debate who is responsible for what %, but I’m not a judge nor a jury so I won’t speculate. But facts is facts, and everyone in the chain above deserves blame


> have as far as I can tell completely ignored the fact that that software, driven by input from a single AoA sensor, creates a very short critical failure path which requires immediate and precise human intervention to avert a fatal accident.

Not too precise. Lowering flaps or not raising them in the first place solves it since flaps disengage MCAS. And on the Lion Air flight, the AOA sensor was already squawked prior to the flight but the incompetent Lion Air maintenance process ignored it despite that sensor being on the MEL for that airplane. Lion Air allowed a legally un-airworthy aircraft to depart. Boeing owns some of the blame, but the pilot-factories of third world airlines deserve a lot of the blame as well. In Lion Air’s case, their maintenance failures deserve 100% of the blame because they allowed a plane to take off with a system required for airworthiness to not be fixed.

If a plane requires a widget to be legally airworthy and maintenance and the pilot in command knowingly allowed the plane in the air without that functioning widget, anything that happens as a result afterwards is the fault of the maintenance and pilot in command. That the widget was required; that’s on Boeing. That the widget failed, that’s also on Boeing; that the plane was allowed to fly by that airline — that’s on the airline.


> Lowering flaps or not raising them in the first place solves it since flaps disengage MCAS.

But the pilots weren't told that and didn't know it. Nobody was trained or informed that "lower flaps" was a proper response to "trim system malfunction", and I don't see why it would be an obvious thing to come up with on your own.

> they allowed a plane to take off with a system required for airworthiness to not be fixed

Did Lion Air know the AoA sensor was required for airworthiness? Nobody outside Boeing knew MCAS existed at the time.


Except, as dlgeek already answered to WalterBright: the EA crew followed the procedure and used the cutoff switches


They did use the cutoff switches with the nose down too far. The correct procedure (as stated in the Airworthiness Directive distributed to all MAX crews) is to use the column trim switches to restore normal trim, then use the cutoff switches.

They had already used the column trim switches twice to restore normal trim.

https://theaircurrent.com/wp-content/uploads/2018/11/B737-MA...


...but then turned them back on afterwards because they weren’t sure if that was the correct action. MCAS reenabled until aerodynamic failure caused the crash (wind speed prevented elevator from rising).

Ultimately, more knowledge in the cockpit would have helped, see previous LA flight where pilot with training knew the correct action to take.


> Walter's are the first comments I have read that make me think perhaps Boeing wasn't completely, utterly, criminally unjustified.

They shouldn't make you think that; the fact that, considered in the abstract, there were actions the pilots could have taken that would have avoided the fatal crashes does not change the fact that Boeing designed a system where the failure of a single sensor could cause a fatal accident. There can be responsibility in both places.


>Good people in a bad system is still a bad system.

That line right there is essentially the same response I had for the Langewiesche's piece. It is not an excuse to pawn off the accountability for a catastrophic loss to the pilot when even the basic design is as fraught with failures to deliver even basic sanity checks as the MCAS system was. Make no mistake either, the issues that were found were basic. FMEA was not performed once, but never updated because it wasn't legally required, nor was a full fault-tree enumerated or kept consistent through the system's lifetime. Either of which would have forced a consideration of what would happen in the event of a sensor failure. Furthermore, the overall architecture of the flight computer failed to comply with design requirements that require no single point-of-failure which would have been revealed by doing what amounts to a textbook case of "what is the worst conceivable bit flip that could possibly happen right now?"

This is one of the few points I tend to respectfully differ from WalterBright on. I don't give a damn if every pilot were a Chuck Yeager or Sully clone. That plane was dangerous by design.

A dangerous plane flown by a Good pilot is still a dangerous plane. There is no place in something manufactured to be deployed in a careless or cavalier manner, and the MAX rollout checks every box for organizational negligence in my book.

I'll let blame rest with the pilot in so much measure as it is due, but a machine that will actively frustrate its operator, while endangering the lives of everyone using it is a machine whose place is in a scrapyard; not in the sky.


We are in agreement that the MCAS design was dangerous. I don't think we disagree at all on the points you mentioned.


“Boeing decided to place the engines farther forward, just in front of the wing. The new position, and the greater thrust of the engines, produced an aerodynamic challenge during a maneuver called a windup turn — a steep, banked spiral that brings a plane to the point of stall, which is required for safety tests, though it’s rarely used in typical flying.”

This is a curiously disingenuous statement. Not only at ‘windup turn’ and not only for “safety tests”, but most importantly when the engines were at maximum thrust such as at take off. Causing the air-frame to experience a pronounced nose-up attitude. The nacelles adding even more upward thrust.

‘Boeing settled on a software feature called the Maneuvering Characteristics Augmentation System. As the nose of the jet approached a high angle, suggesting an oncoming stall, MCAS would adjust the stabilizer on the plane’s tail, pushing the nose down, to alleviate the slackness in the control column. “They were trying to make it feel the same, so the pilots wouldn’t require training,”’

No, they didn't tell the pilots as this would require retraining and this would require re-certification.

“Boeing considered the MCAS feature to be so minor that it removed mention of it from the 737 MAX’s pilot manual.”

Boeing lied by omission, that's why when MCAS kicked in on those two crashes the pilots were unaware of MCAS and had no way of knowing how to recover from an MCAS-induced nose dive. It was Boeing executive decisions that killed those people. If this had happened in the US there would have been uproar by now.


It's true that if the MCAS software requirements weren't inadequate, the accidents would not have happened. It's also true that if the pilots had followed the runaway trim procedure, like the first Lion Air pilots did, like was reiterated to all MAX crews by Airworthiness Directive, the accidents would not have happened.

But I don't see why the shortcomings in the MCAS software design requirements were the result of cost savings.


Maybe one general remark, from one engineer who spent half his professional life in aerospace to another. Aerospace is, rightly so, proud of the whole industry's relentless pursuit to eliminate errors, improve systems and learn from accidents. Your argumentation, in the whole discussion, conveys a different image and does no favour to the sector in general. Some people are already afraid to fly, so the very least we all can do is to be open and honest about errors in the system and the actions taken to prevent the same accident from happening twice.

And generally on engineering. If a system, regardless of the application, fails I consider it bad engineer behavior to single out the user. Systems, especially in aerospace, include everything from design over manufacturing, software, the parts to maintenance, logistics and ultimately training. Failure in any single one of these means failure of the system. Which directly implies all entities involved in development and certification. Failure in more than one is catastrophic. Defending it is bad engineering. Just my 5 cents.

EDIT: MCAS relied on a single AoA sensor. Non-redundant safety critical systems in an aircraft? Seriously?


> Defending it is bad engineering.

I did not defend the MCAS software design. Not once. Quite the opposite.

> the very least we all can do is to be open and honest about errors in the system and the actions taken to prevent the same accident from happening twice.

I totally agree with that. That also means being open and honest about all contributing factors to these crashes.


I've read all your responses in this thread, and to be honest, I don't really understand what point you're trying to make. I don't really see anyone else arguing against the fact that there are things that the 2 crews could have done to not crash the plane, and that their actions contributed to the crash. But is there something you disagree with in the following?

1. In a safety critical system design, any change that results in fallible humans being more likely to crash their plane into the sea means the fault lies with the system, not the individuals.

2. I think people are (rightfully IMO) so angry with Boeing because so many of their actions look like they were cost-saving measures. If the system worked exactly as it did, but Boeing had been very clear about the difference in handling MCAS caused, which would likely have required recertification and additional retraining of pilots, I think people would have at least been somewhat more sympathetic. But it looks like so many of the MAX design constraints were driven by the bean-counter directive of "don't do anything that would require recertification", and that's why people are pissed.


> that their actions contributed to the crash ... the fault lies with the system, not the individuals

I believe these two statements are contradictory. The pilots were a contributing factor to the crashes. This needs to be investigated to determine why they did not respond appropriately, and corrective action taken. In addition to Boeing correcting the MCAS system, and the maintenance issues.

All contributing factors must be accounted for.

> I think people are (rightfully IMO) so angry with Boeing because so many of their actions look like they were cost-saving measures.

Some of this anger seems to stem from inaccurate, incomplete, and sensationalist reporting, such as the cost saving one. The problems with MCAS were in the software requirements for it. Not bugs in the software, not outsourcing the programming, not in the design of the airframe, etc. The fix is in the software, too. Using the correct software rules in the first place would have cost the same amount of money. Having the MCAS software compare the two independent AOA sensor readings would not have cost more money.


MCAS isn’t a safety critical system. If it was turning it off wouldn’t really be an option.


It is in so far as the 737 MAX had an inherent stability issue due to the mounting position of the larger engines. And every system that can directly affect the control of the aircraft is by definition safety critical. Otherwise the majority of aircraft systems wouldn't be, as all modern passenger aircraft can glide without engines pretty well. Following your logic, engines wouldn't be safety critical either.


> It is in so far as the 737 MAX had an inherent stability issue due to the mounting position of the larger engines.

I haven't heard it characterized as an instability by any reputable source. Just that the behavior in certain unusual circumstances did not match the earlier 737 behavior.


The aircraft did not have stability issues. The purpose of MCAS was about providing the right resistance profile to the controls. The aircraft was still stable from an aeronautical perspective.


Your arguments are simply baffling due to a very simple reason: two planes crashed! Even if everything you say is true and the pilots were at "fault", it means that Boeing is designing planes where some significant percentage of pilots flying today will crash it. Do you want to fly on that plane?

This is basic Human Factors 101. Designing something where some percentage (even a small percentage, and especially when tragic consequences are involved) of properly trained people will be confused by the design means the design is at fault, not the people.


And equally importantly, other planes don't crash nearly as much. Boeing managed to make a new plane that's much more deadly than existing planes on the market. It doesn't even matter so much why it's more deadly, just that it is. Placing blame on pilots misses the point, when those same pilots would not have crashed in those same conditions in a different plane.


Well it can matter if it turns out the issue wasn’t engineering so much as clearly communicating that it’s a different aircraft so the pilots can be trained correctly.


It's still unacceptably dangerous even if this difference is communicated. To be safe, at a very minimum you would need triply redundant AoA sensors, an MCAS engaged notification, and an MCAS cutoff switch.


There is an MCAS cutoff switch and the side effects of MCAS runaway are visible on the trim wheel. This was a non-issue for the pilots that were correctly trained.


The whole point was to reuse the 737 typing. Boeing messed up. (Other parties messed up too, but Boeing started this.)


Didn’t we manage a few years ago to go an entire calendar year with no commercial airline fatalities?


> It's also true that if the pilots had followed the runaway trim procedure

The aircraft did not act how the manuals define runaway trim condition. MCAS was intermittent, runaway trim is constant. Checklist: https://i.imgur.com/K7El4K4.jpg

Nevertheless, the preliminary report says that crew identified the issue and followed the runaway trim procedure, but it still left them struggling to maintain control. Report: https://flightsafety.org/wp-content/uploads/2019/04/Prelimin...


> The aircraft did not act how the manuals define runaway trim condition.

I'm curious. How do the manuals define runaway trim?

I'll tell you what actual flight controls engineers consider is runaway trim who actually worked on the 757 system - the trim running when it is not supposed to. All imagined faults that could result in trim running when it wasn't supposed to were accounted for and blocked. But STILL the backstop is the trim cutoff switches, which were deliberately and prominently put on the console within easy reach just in case.

All three crews knew it was the trim repeatedly running because they successfully countered it with the electric trim switches.

All 737s bracket the center console with a pair of large wheels with a white stripe on it that are directly connected to the stabilizer jackscrew and spin when the trim is running, making a loud clacking sound. This is deliberate to make it clear to pilots when the trim is running.

The trim running can also be stopped by simply grasping that wheel hard.


737 quick reference handbook: "Runaway stabilizer. Condition: uncommanded stabilizer trim movement occurs continuously." Source: https://i.imgur.com/K7El4K4.jpg

It advises turning off the autopilot after first uncommanded movement and pulling the yoke firmly (triggers trim hold), and hitting trim cutoff switches after the second. That's what they did, but by then MCAS had moved the stabilizer so much that they were struggling to maintain control. Aerodynamic forces from their speed rendered manual trim ineffective. Checklist offered nothing beyond this point.

When they restored electric trim three minutes later in an attempt to trim the nose up, everything was normal for 30 seconds, but then MCAS kicked in for the third time and put the aircraft into a 40-degree nosedive.

All they needed was a bit of electric trim.

It's possible they confused 737MAX with older 737NGs, considering the virtually non-existent retraining. Older ones have two cutoff switches, one for pilot-controlled electric trim and the other for automated systems. MAX retains two switches for commonality, but they have the same function: both turn off all power to stabilizer trim, it's impossible to isolate automated systems without losing all electric assist.


> "Runaway stabilizer. Condition: uncommanded stabilizer trim movement occurs continuously."

Thank you for the reference.

Having it repeatedly come on and run is runaway trim. Trying to interpret the meaning of "continuous" makes for great courtroom drama, but is unhelpful when you're faced with a crisis. Besides, if the runaway trim was caused by an intermittent electrical short, would you dismiss that as well, too? Or would you turn the sucker off and save your life and let the mechanics sort it out on the ground?

> it's impossible to isolate automated systems without losing all electric assist.

The column electric trim switches override all other trim inputs. That's why the procedure is as follows:

Boeing Emergency Airworthiness Directive

"Initially, higher control forces may be needed to overcome any stabilizer nose down trim already applied. Electric stabilizer trim can be used to neutralize control column pitch forces before moving the STAB TRIM CUTOUT switches to CUTOUT. Manual stabilizer trim can be used before and after the STAB TRIM CUTOUT switches are moved to CUTOUT."

https://theaircurrent.com/wp-content/uploads/2018/11/B737-MA...


> Having it repeatedly come on and run is runaway trim

And they recognized it as such and completed the runaway trim checklist, but they couldn't use manual trim (as advised) to recover from the situation, because aerodynamic forces acting on the stabilizer overpowered them.

Two Swedish pilots demonstrated this scenario in a 737NG simulator: https://youtu.be/aoNOVlxJmow?t=606 Ethiopian pilots were in an even more stressful situation, because they also had a broken AOA sensor with unreliable airspeed indication, active left stick shaker, occasional terrain proximity warnings and overspeed clicker.

No procedures or training existed for the situation they were in. Pilots of early 737s were taught the so-called rollercoaster maneuver to temporarily relieve the load to allow manual trimming, but that was scrapped decades ago.


Manual in this case is the manual controls for the electric trim system, as opposed to automatic trim like the speed trim system.


Video demo of where the checklist left them after completion: https://youtu.be/aoNOVlxJmow?t=606 (preceded by explanation)


This is pure Boeing apologism. Why was it even necessary to follow the "runaway trim procedure" in the first minutes of a flight, in a brand new plane? Yes, it's possible expert pilots could have gotten out of the jam - as they did in the first Lion Air incident. But Boeing's shoddy workmanship, and the FAA's total lack of oversight, created the jam in the first place.

Boeing's victim-blaming can be understood, if not excused, from a liability perspective. It baffles me why anyone would take on that point of view otherwise.


Exactly. The suggestion that it is acceptable that a well engineered system would require heroic intervention within 4-10 seconds as the plane rapidly points nose down is baffling.


You said it better than I could.


They had a lot more than 4-10 seconds. The second LA crew corrected the trim 25 times over several minutes. The EA crew corrected it twice.

The runaway trim procedure is also a "memory" procedure, meaning the pilots have it memorized in order to save time.


Listen to you. Yes the second LA crew managed to counteract the malfunctioning system 25 times before they finally succumbed.

What's your argument? "Real pilots need to work against the aircraft's malfunctioning systems 26 times" ? Oh these poorly trained Lion Air idiots, only prepared to counteract the badly programmed airframe 25 times


They incorrectly counteracted the malfunctioning system 25 times. If they had followed the correct procedure for handling runaway stab trim, they would have only needed to respond once. It's a three-step procedure that takes just a few seconds - press the override button on the yoke, turn off the master switches for the stab trim automation, set the stab trim manually.

The Lion Air flight crew caused that crash because they lacked fundamental piloting skills. Like many low-cost carriers in middle-income countries, Lion Air have systematic problems with poor pilot training and supervision. The poor design of the MCAS system contributed to the crash, but any number of other system failures could have caused a similar accident if handled equally poorly.

https://www.nytimes.com/2019/09/18/magazine/boeing-737-max-c...


I'm not excusing Lion Air. I actually live in the region and everyone knows about their problems; I and many others refuse to fly with them. But that doesn't let Boeing off the hook at all. And I note you didn't mention Ethiopian air, who have a far better reputation.

I think a lot of us here are software developers. As such, we all know that if a user does the wrong thing once, that's their problem. If they do the wrong thing 25 times in a row - that's our problem. I don't care how good the pilots are, or what country they're from. If a software system silently activates, with no immediately obvious way to turn it off, and ends up killing hundreds of people - I blame the developer. Fail-deadly systems have no place in commercial aviation.

I don't want Boeing to go bankrupt, but I want them to hurt very badly from this. $25B of stock buybacks but they cut corners on this jet, to the cost of ~300 lives. This needs to cut right to their core and I'd be happy to see the entire C-suite and board fired.


> What's your argument?

I was replying to the argument that they had only 4-10 seconds. They had much more than that.


Which still was not enough, as the crash showed. The simple fact that neither the FAA nor EASA have yet cleared the 737 MAX for flight is a pretty good indicator that it was, indeed, the plane's fault. I think the "human error" argument phase should be over by now.


In the article they clearly state that adjustments need to be made within 10 seconds. Boeing suggests not doing this would be “catastrophic.”


Both the LA and EA did make the adjustments within 10 seconds. They then did not throw the cutoff switches.


I, for one, would jump at the chance on flying on commercial planes so problematic a reaction by the pilot of less than 10 seconds causes the whole passenger list's death.

Hey walterbright, who do you work for?



Considering that he claims to have worked for Boeing, this has made me... really concerned.


As far as I know, there's never been an incident with the 757 stab trim. I'm delighted when I find out my flight is on a 757.

By the way, my opinions on this issue are my own. I don't speak for anyone else.


The 757 rightfully has a reputation as a high-performing, well-engineered plane, that pilots love to fly.

The 737 MAX rightfully has a reputation as a death trap too unsafe to remain in the skies.

I'm not sure how the one is relevant to the other.


When Walter worked for Boeing he worked on the 757 trim system, which has never had a problem yet, therefore Gigablah can probably relax about the fact that Walter worked for Boeing.


Let’s assume “several” minutes is 4 minutes. 240 seconds.

Correcting 25 times in that window is <10s on average.


>> They had a lot more than 4-10 seconds. The second LA crew corrected the trim 25 times over several minutes.

That doesn't sound like anything was corrected to me. It just kept pushing down, over and over.


They used the column trim switches to override the trim and restored the trim setting to normal, per procedure. The next part of the procedure is to throw the cutoff switches, which they did not do.


I'm sure you studied a lot of accident reports and analyses.

I'm sure you know the human factor plays a role in tons of cases.

What I don't quite understand is where you want to go from what you repeat again and again, pointing at supposed faults of the pilots, and then when more directly asked on the line if you are trying to diminish Boeing's responsibility, you conveniently answer along the lines of "of course not, I did not say there were no engineering problems".

So yeah, maybe pilots did not do a critical step in a critical phase of the plane doing utterly stupid things trying to kill everybody, because of various economic factors that have been debated to hell.

So... what?

You know Air France is a reputable company. You know that the pilots of AF 447 did some really weird things in the cockpit. That does not make the pitot tubes used at the time less defective. And MAX trim (and the whole story around it) is way worse than that. I mean come on, were you not once subject to a high stress situation that made you fuck up one thing? And even if you were, can't you also understand some people react differently and the human factor must be taken into account?


If they do this 25 times, and still end up crashing is it possible that perhaps the procedure is a touch too complicated for a life and death situation?


How hard it is to turn off a switch right there on the center console so it is easily accessible?

(It's not like the pilot has to turn around and search for it.)


This incident happened 2 times within a few months. If you would just use logic, you can deduce that something is wrong: is it more probable that these 2 pilots forgot how to handle a standard procedure, or that things are more complex than you are trying to imply? This could have been avoided if the pilots were informed about the new system and the warning lights would have been made default, but doing this would have cost Boeing a lot of money.


Hey Walter,

I've been reading these comment threads with increasing amazement. I understand where you're coming from but if you really want to make the case that this system is faulty and that the pilots did something wrong at the same time you're doing a poor job of it by not taking into account the human angle: (1) there's 600 people dead; (2) HN'ers likely fly a lot and have little to no control over the systems on the planes that they fly with, but know all - or think they know all - about bad software and systems design; (3) The planes are still grounded pending investigation and fixes. Taking all those together I think you should take a dose of your own medication and not take such a strong position given that the facts aren't in yet.

Best case you manage to convince one or two people that there is more than one factor at play here, worst case people will associate you with Boeing in a way that helps neither. Finally, it is none of my business but ex-employees often hold stock in their former employer, if it should ever come out that you hold Boeing stock that would be held against you, so I really hope that is not the case.


Clearly it was hard enough that they forgot, repeatedly.


> Why was it even necessary to follow the "runaway trim procedure" in the first minutes of a flight,

Because the stabilizer trim was running away.

Emergencies can happen in any stage of the flight, and the flight crews are supposed to follow their training.

For example, sometimes an engine catches fire. This is never supposed to happen. But the pilots are trained to deal with it. Probably 90% of pilot training is learning to deal with problems that shouldn't happen.


As an example American nuclear control room crews are given 20 hours of simulator training with an exam every six weeks. Fail and they are taken off shift for extra training and given another exam. How often are airline pilots given emergency procedure simulator training?


At United Airlines, every six months.


> the flight crews are supposed to follow their training

They did follow their training. Unfortunately they had been trained to fly something that was actually a completely different plane.


> They did follow their training.

Nope.


The MCAS had too much authority, and Boeing gave it extra functionality that it was not initially designed for; these are facts that were revealed so far. I am not sure if you are trying to shift the blame to the pilots or only argue that they could have saved the plane despite Boeing's fault.

All the facts revealed so far from the investigation show that the plane was rushed and things that could have improved safety like training and warning lights were omitted because of money.


They did. Just that the training manuals were inadequate. Part of Boeing trying to grandfather the MAX as a normal 737. Issuing comprehensive training plans would have gone against that claim. So they didn't. And pilots flew a plane they had every reason to believe would behave like any other 737 out there. But which didn't.


Walter is right here. This procedure is the same (and not just for the 737 airframe family). Even though the cutout switches changed function (and this is the main area I actually fault Boeing on), if the flights had executed the cutout properly after the needed adjustments, they could have stabilized.

Source: my former business ran heavy check maintenance software for most of the world's largest airlines.


Does it really help if the procedure is the same but the critical element, the cut-off switch, changed function? I'd say no; in that case the procedure had changed. If it would have just been some kind of human error, like Air France 447, it wouldn't have grounded the whole fleet for the time being.


It didn't change in a way that would have not stabilized the plane.

What it did do is remove granularity (again, not sure why, as the 737NG setup is perfectly fine) in the options available to the pilot. Regardless, the SOP on using the cutout switches did not change.


The thing that you are missing is that they said it flew EXACTLY like all other 737s. The same thousands of 737s that have been flown around the world for years. The fact that you are saying they didn't follow the "proper runaway trim procedures" doesn't hold water. Not following the trim procedures caused ZERO crashes in the last (what?) million 737 flights!!! Whether that was the proper procedure is completely irrelevant. The pilots were given 30 minutes on an iPad and sent on their way being told they needed to do nothing different. Two crashes in (what?) a few hundred flights is the result of pure greed. Lots of people should be in jail.


The procedure for dealing with MCAS runaway trim failure is the same as dealing with runaway trim for previous 737 models.


The Lion Air maintenance department should be in jail then. They let a plane in the air when they knew they had a bad AOA sensor. That sensor is required by the Type Certificate and they allowed the plane to fly knowing it was faulty.


Yes. Them too.


This claim is being disputed by Chesley Sullenberger who is undoubtedly a great pilot and who has actually witnessed the MCAS behaviour in a simulator: http://www.sullysullenberger.com/my-letter-to-the-editor-of-...


"These emergencies did not present as a classic runaway stabilizer problem"

Since the LA and EA crews both successfully countered the runaway trim with the electric trim switches, this statement by Captain Sullenberger is inadequate. Furthermore, I have no idea what "classic runaway stabilizer" is. When the trim starts erroneously pointing the airplane down, it's runaway trim. There is no other kind.

BTW, I worked for three years on the 757 stabilizer trim system. I know what runaway trim is.


I think your definition of 'success' is flat out wrong.

Where are those pilots now?


They did it over two dozen times on one of the flights. It's a tragedy they did not hit the cutout but that's SOP and went by the wayside.


> When the trim starts erroneously pointing the airplane down, it's runaway trim.

No, "runaway trim" as it was defined for every 737 variant prior to the MAX was more specific than that: it meant the trim system would continuously adjust the trim in an erroneous direction. The continuously is key.

In the 737 MAX during erroneous MCAS operation, the trim is not adjusted continuously: it is adjusted intermittently. An adjustment of a given fixed increment is made; then nothing happens. Then, a short time later, another adjustment of a given fixed increment is made; then nothing happens. Then...

This presentation is not at all the same as normal runaway trim that 737 pilots are trained to deal with. So what is inadequate is not Capt. Sullenberger's statement, but yours.


> The continuously is key.

It continuously activated and ran forcing the nose down. Your pedantry is suitable for courtroom drama, but is inappropriate when you're in command of an airplane. In fact, I suspect a judge would ridicule such an argument. I was involved in a court case once where the opposition based their case on navigating around the overly literal definitions of words. The judge ruled against them on every point. They appealed, and it went before a 3 judge panel, that unanimously ruled against them on every point.

Do you seriously believe a pilot, faced with trim that kept turning on trying to dive the airplane, would not think "I need to shut off the stabilizer trim. Oh wait, I'll leave it on because it's intermittent!" ?

There's a reason airplanes have not dispensed with pilots and gone fully automated.


> It continuously activated and ran forcing the nose down.

Normal runaway trim does, yes. MCAS failure does not, and did not in the incidents. MCAS only intermittently adjusted the trim. (Yes, the computer was continuously running the MCAS algorithm, but that's not visible to the pilot, and if you're going to hang your hat on that definition of "continuously" you are the one being pedantic, not me.)

> Do you seriously believe a pilot, faced with trim that kept turning on trying to dive the airplane, would not think "I need to shut off the stabilizer trim. Oh wait, I'll leave it on because it's intermittent!" ?

First, I have not said the pilots could not have done anything to prevent the crashes. Of course they could. But the thing they could have done was not "the runaway trim procedure".

Second, the pilots were being bombarded with multiple warnings and conflicting information. Sure, it's easy to sit in your armchair and say they should have figured out that shutting off the stabilizer trim was the right thing to do (and even then they would have had to first figure out that they needed to use the manual electric trim to put the trim where it was supposed to be, since shutting off the automatic stabilizer trim would also shut off the manual electric trim). But pilots are not omniscient and they're not magicians. There are limits to what humans can figure out under the conditions those pilots were subjected to.

> There's a reason airplanes have not dispensed with pilots and gone fully automated.

And there's a reason that pilots are supposed to have full information about any system in the plane that they might be expected to have to override. Pilots weren't even told about the existence of MCAS until after the Lion Air crash; and even then they weren't told exactly what it did or how it worked or how an issue could arise or how the system could put the plane into an unrecoverable state.

There's also a reason that the plane is not supposed to subvert the pilots' attempts to control it when it starts doing wrong things.


Whether the runaway trim procedure would be sufficient is disputed.

For example https://www.reuters.com/article/us-ethiopia-airplane-regulat...


"In the deadly Lion Air crash in October, the pilots lost control after initially countering the Maneuvering Characteristics Augmentation System (MCAS)"

They successfully countered it 25 times before the crash, meaning they had 25 opportunities to remember to use the cutoff switches.

"Boeing advised the airline about it after the crash."

An Airworthiness Directive was issued to all MAX flight crews after the Lion Air crash specifically laying out the procedure of countering with the trim switches and then throwing the cutoff switches.


I'm not an expert here at all but

> An Airworthiness Directive was issued [...] and then throwing the cutoff switches

So the response was "there's a known-lethal fault in our product X, when it happens, do Y"

but not

"there's a known-lethal fault in our product X, withdraw X from use immediately"

Edit: given C programmers have many, many opportunities to learn "not to do that" in an unsafe language, instead you wrote D. That's silly, why not continue to tell C programmers "don't do <dangerous thing>"? I mean, you could have completely saved yourself years of your time writing a new language which makes it hard to do <dangerous thing>, right? Just telling them not to make mistakes is better, right?


Oh, I quite agree that Boeing screwed up the MCAS software design and needs to fix it. My experience with designing safe systems at Boeing has led to a lot of design decisions in D. I often look at lists of common bugs in programs to see if I can find a way to design such bugs out of the programming language.

I also regularly tell people that if you don't have a plan for when your software fails, you're going to be sorry. In this case, the plan is for the pilots to follow the runaway trim procedure.

As for software people, do you have a backup plan for when the software goes berserk? No? Well, someday it will go berserk and delete all your files. Have a backup plan. Suing the software maker won't get your files back.

About 90% of pilot training is dealing with emergencies that are never supposed to happen. One of them is runaway trim. Nobody has a plan to dispense with pilots and rely totally on automation.


Walter, what puzzles me with your line of argumentation is the single minded focus on the pilots' behavior and ignoring everything else including the fact that we know training manuals were inadequate and MCAS proved to not be airworthy. As the still missing FAA and EASA certification shows. Including one near crash during simulator flights, conducted with an updated MCAS, hyper-trained crew that knew more or less what would happen in a protected environment.


The manual thing is such a canard.

The directive issued is literally just reminding pilots of a procedure they should already know - reset the trim to stabilize the plane and throw the cutout switch. The issue with MCAS changing how the plane performed was remediated by skills pilots should have irrespective of feature descriptions in a manual.


You do know that training manuals are covered by certification procedures, right? It's not a canard, it's a fact.


Yes. That's orthogonal to whether or not the manual deficiency should have stopped pilots from following the checklist they should have down to rote memory.

(Hint: it shouldn't.)


This yet again pushes the issue onto just the pilots. Anything but the planemaker. I agree with the GP, there's far too much apologism for Boeing here.


I'm not an apologist for Boeing and that's a mischaracterization of what I'm saying (and I'd argue Walter as well.)

Especially as my field of commercial aerospace was vendor agnostic.


Because the training deviates enough from old 737 that you couldn’t grandfather the new into the same rating? Am I missing something obvious here?


Pilots are already supposed to be trained in runaway trim procedure. That's a reasonable evaluation to make, and the FAA agreed with it.

One of the crews followed it, the other two didn't. Crews aren't always trained properly, that isn't on Boeing.

Note that each of the three crews used the column trim switches to restore normal trim, why two did not think to then use the cutoff switches is something for the NTSB to determine.

If you watch "Air Disasters" on the Smithsonian Channel, many many crashes have an inadequate pilot training component, and/or pilots who did not do what they were trained to do.


That's not true. The EA crew DID follow the procedure and DID use the cutout switches. See the report: https://flightsafety.org/wp-content/uploads/2019/04/Prelimin...

Timeline: "At 05:40:35, the First-Officer called out “stab trim cut-out” two times. Captain agreed and First-Officer confirmed stab trim cut-out."

Initial Findings: "The crew performed runaway stabilizer checklist and put the stab trim cutout switch to cutout position and confirmed that the manual trim operation was not working."

What happened was by the time they did, they were trimmed nose down really far and it took all their effort on the controls to keep the nose up. The aerodynamic forces prevented them from being able to manually trim. They eventually turned the trim back on because they had to use the electric manual control to try to get the nose up because it was physically impossible for them to do so manually. They adjusted the trim in the ANU direction electrically, but then "an AND automatic trim command occurred and the stabilizer moved in the AND direction from 2.3 to 1.0 unit in approximately 5 seconds" which caused them to lose control completely.


To the best of my understanding, this is an accurate summation of events.

With the MAX it isn't possible to have electric trim without MCAS, so if MCAS is malfunctioning pilots have to trim manually. The problem with the EA flight is that it occurred shortly after takeoff, so they lacked altitude (unlike the LA flight). A complicating factor was that they were flying east out of Addis Ababa (i.e. uphill).

(from wikipedia): Two minutes into the flight, the plane's MCAS system activated, pitching the plane into a dive toward the ground. The pilots struggled to control it and managed to prevent the nose from diving further, but the plane continued to lose altitude. The MCAS then activated again, dropping the nose even further down. The pilots then flipped a pair of switches to disable the electrical trim tab system, which also disabled the MCAS software. However, in shutting off the electrical trim system, they also shut off their ability to trim the stabilizer into a neutral position with the electrical switch located on their yokes. The only other possible way to move the stabilizer would be by cranking the wheel by hand, but because the stabilizer was located opposite to the elevator, strong aerodynamic forces were pushing on it. As the pilots had inadvertently left the engines on full takeoff power, which caused the plane to accelerate at high speed, there was further pressure on the stabilizer. The pilots' attempts to manually crank the stabilizer back into position failed. Three minutes into the flight, with the aircraft continuing to lose altitude and accelerating beyond its safety limits, the captain instructed the first officer to request permission from air traffic control to return to the airport. Permission was granted, and the air traffic controllers diverted other approaching flights. Following instructions from air traffic control, they turned the aircraft to the east, and it rolled to the right. The right wing came to point down as the turn steepened. At 8:43, having struggled to keep the plane's nose from diving further by manually pulling the yoke, the captain asked the first officer to help him, and turned the electrical trim tab system back on in the hope that it would allow him to put the stabilizer back into neutral trim. However, in turning the trim system back on, he also reactivated the MCAS system, which pushed the nose further down. 
The captain and first officer attempted to raise the nose by manually pulling their yokes, but the aircraft continued to plunge toward the ground.[8][9]


The electric trim column thumb switches override the MCAS. Turning the cutoff switches back on, activating the thumb switches to bring it to normal trim, then turning the cutoff switches back off would have recovered it.


Read the Airworthiness Directive sent to all MAX crews after the first crash:

https://theaircurrent.com/wp-content/uploads/2018/11/B737-MA...

which deals specifically with that:

"Initially, higher control forces may be needed to overcome any stabilizer nose down trim already applied. Electric stabilizer trim can be used to neutralize control column pitch forces before moving the STAB TRIM CUTOUT switches to CUTOUT. Manual stabilizer trim can be used before and after the STAB TRIM CUTOUT switches are moved to CUTOUT."


Funny, that reads to me “you are screwed. Manually jackscrewed”


In Indonesia this was not even in the manual, and the pilots were never even told MCAS existed.

That’s beside the point. In the story they discuss how airplanes are not intended to require this level of superhuman ability to stay airborne.

You are avoiding that this was a combination of an engineering flaw (reading from a single AOA sensor guiding MCAS, when in reality it should have been redundant) and a regulatory flaw (the role of MCAS was increased despite it being initially regulated as a much milder intervention).


> In Indonesia this was not even in the manual, and the pilots were never even told MCAS existed.

It wasn't necessary to know MCAS existed - the procedure for runaway trim is in the manual and is the correct response to MCAS failure as MCAS failure exhibits itself as runaway trim.

> superhuman ability to stay airborne.

Turning off the stab trim with the cutoff switches is part of the memory procedure to deal with runaway trim, and no superhuman abilities are required. Just remembering to do it.

> You are avoiding

Not at all. I just take issue with the claim that pilots had no role in the accidents, and take issue with the bad design of the MCAS software being a cost saving measure.

Note that the fix is redesigning the MCAS software.


Did you read in the article where Captain Sullenberger said he couldn’t do it in time in a simulator, even expecting it? Have you seen the YouTube videos? It’s a disaster.


> Did you read in the article where Captain Sullenberger said he couldn’t do it in time in a simulator

I did read the article, and that isn't what he said. Furthermore, Captain Sullenberger is an Airbus pilot and hasn't flown 737s in a long time and is not rated on the 737NG.

I don't know what runaway trim procedures are on Airbus airplanes.


[flagged]


It is also possible he is being a guy who knows exactly what he is talking about and has the qualifications and experience to back it up.

If an aircraft starts pitching down, and it wasn't commanded by the pilot, and resetting the trim (temporarily) fixes the problem, the issue is almost certainly with the trim. If it is MCAS and a malfunctioning sensor or a failing motor that occasionally kicks on and drives the trim to its limits, the pilot response should be the same. This is what I hear Walter saying, and it makes sense. MCAS just makes it more probable to manifest.


The thing is the checklist says in a runaway stabilizer scenario, it will trim continuously, but MCAS does not apply trim continuously. Therefore it does not exhibit itself as a "normal" trim runaway. Checklist: https://i.imgur.com/K7El4K4.jpg

Hence, they might not have thought it was a trim runaway.


Not every emergency manifests as a textbook case. It isn't too farfetched to imagine an intermittent short running the trim motor on an intermittent basis rather than continuously. I'd still shut off the trim motor as a possible remedy, but I'm not an airliner pilot, just a guy who flies for $100 hamburgers.


I'd really like to see the NTSB report on this when it is released. I've read some of them, they're far more detailed and contain a lot of pertinent facts that were omitted from the usual clickbait sensationalist journalism.


If you did, I certainly don't see it in your arguments.


I think you should read his comment again, and evaluate tenses.


Not being rated on the 737NG is significant if someone were to claim to be an expert in that same airplane.


"It wasn't necessary to know MCAS existed...". If I ever read something as dangerous as that I don't know when. First, MCAS had only one sensor input foregoing redundancy. Second, everything I know about airworthiness, which is by no means complete, says otherwise.


Sorry, but this is a naive understanding of aviation safety. Have a look at "the Swiss cheese model" as a starting point to gain insight.

Of course many accidents have a "pilot error" component, the central issue is what made the pilots do the wrong thing. This needs to be analyzed on a systemic level, i.e. was the training good enough, did the pilots receive adequate information, did the aircraft system provide the pilots understandable feedback, etc.

For the pilots to do the right thing, they first need to identify the problem. That can be very difficult when a lot of visual and auditory alarms -- sometimes contradicting each other -- go off at the same time. The aircraft manufacturer has to account for the human factors.

Boeing failed miserably in this regard: 1) MCAS didn't work as intended, 2) they deliberately left out essential info about the system from flight manuals. In addition the FAA failed in their oversight of Boeing.

The deaths are on them, not the pilots.


> Sorry, but this is a naive understanding of aviation safety.

Very few aviation crashes are the result of a single failure. Usually, they are a combination of failures, all of which were required to produce the crash.

These crashes are no different:

1. the design shortcomings of MCAS

2. the refurbished AOA sensor on the LA airplane was not calibrated properly

3. LA put the plane back in service despite the failed AOA sensor

4. The crew of the LA flight were not informed of the failed AOA sensor

5. The flight crews did not follow the memory runaway trim procedure

All of these had to happen. A typical NTSB crash report dispassionately identifies all the contributing factors to an accident and issues corrective action recommendations for each of them.


I was curious about point 3; was Lion Air responsible for detecting the failed AOA sensor or someone else?

I can't exactly say but a quick read comes up with some relevant points:

"According to the reports presented to the Indonesian parliament, a Florida-based aerospace company performed the repair of the faulty AOA sensor."

https://airlinerwatch.com/broken-aoa-sensor-in-lion-air-737-... [from april 2019]

So possibly it's not LA's fault, however

"On Nov. 5, CNN published an update on the crash investigation from Capt. Nurcahyo Utomo of Indonesia's National Transportation Safety Committee (KNKT) noting that the FDR review also concluded that the aircraft's airspeed indicator had been malfunctioning on four consecutive flights prior to the crash. Utomo also indicated the pilots should have recognized the malfunction when it occurred on flight JT610."

https://www.aviationtoday.com/2018/11/07/faa-issues-boeing-7... [from nov 2018]


There's no excuse for LA putting the airplane back in service after the first crew had to cut off the stab trim, or even bothering to inform the next crew of the issue.


That was my point (edit: and Nurcahyo Utomo's point). I was backing you up on this.


I know, I was just concurring. Thanks for lending a hand here :-)


@WalterBright: “These crashes are no different” ..

“1. the design shortcomings of MCAS”

“5. The flight crews did not follow the memory runaway trim procedure”

How would the pilots have switched off MCAS if they didn't know it was there?


They throw the switch that turns off automatic trim. That the automatic trim system is going nuts due to some new system (MCAS) they don't know about as opposed to it going nuts for one of the reasons it might do so on earlier planes doesn't matter.


Sully Sullenberger's opinion is that the MCAS failure is not a "normal" trim runaway failure:

> These emergencies did not present as a classic runaway stabilizer problem, but initially as ambiguous unreliable airspeed and altitude situations, masking MCAS.

http://www.sullysullenberger.com/my-letter-to-the-editor-of-...

He bases that opinion on having flown the scenario in a professional full motion simulator (explained in the rest of his letter).

What's your response to that?


I replied to this in another message here.


Sully isn’t type rated in the airplane in question. An Airbus that he normally flies is much different than a 737NG.


> One of the crews followed it, the other two didn't. Crews aren't always trained properly, that isn't on Boeing.

Note that the penultimate flight of Lion Air had an extra airman deadheading in the cockpit. That is a CRM luxury most normal crews would not have.


Also, the stab trim runaway procedure is a "memory" item, meaning the pilots are supposed to memorize it rather than digging out a checklist and referring to it.

Since each crew did restore normal trim more than once, they did have more time than just seconds.


Cost savings came from not retraining pilots and not requiring airports to be redesigned, and so on.

Boeing needed to use a larger engine for the new plane because larger, hotter engines burn less fuel. When the engine is made larger the wings and fuselage have to be raised to accommodate the larger engine, which means jet bridges at airports have to be modified to accommodate the new plane. Boeing wanted to avoid this, so they designed the airframe such that the overall geometry of the plane is still compatible with existing infrastructure at airports, but this meant that the airframe was unstable---it has a tendency to tilt up when accelerating. Boeing compensated for this hardware flaw with a software fix.

The two serious mistakes Boeing made are (1) designing a multilayer system where bottom layers rely on upper layers for safe operation (i.e., airframe relies on software for stability) and (2) lack of redundant sensors.


The upward tilt behaviour is not a flaw, as much as it is a quirk. Had they kept it unmitigated, they would have had to retrain pilots before they could fly the plane. (Their software fix was also a cost saving measure, and it didn't work.)


When the FAA Chief of Aviation Safety says there was "nothing he could have done", that is sign of deep systemic problems where someone else is to blame.


I'm an Aerospace Engineer, currently working for the U.S. Gov, but have spent time on the Industry side. I don't have a thesis per se after reading this, but several thoughts:

- I don't think it's unfair to vilify Boeing's accumulated divergence from "doing the right thing". On the other hand, it's quite sad that it takes significant events like this to force anyone to act against the long-term pressure of corporate behavior that leads to such events.

- As per a thread I had with WalterBright, https://news.ycombinator.com/item?id=21037522 , I agree Airbus has a number of significant flaws in their vehicle management systems for which there has been insufficient criticism and action.

- It's not easy being on the side of the gov/regulators. There is continuous pressure from industry, and from up the management/political chain, to be a cooperative partner. Especially in light of how quickly industry can execute tasks, it's very hard to say "we need to take a pause" or "we need to go back, do some more homework, and be deliberative about this". If the gov/regulator is excessively slow, there are concrete costs that industry incurs. These realities, with the continued pressure, have trended in the U.S. to lead to ultimately less effective oversight.

- The U.S. Government insufficiently values in-house technical expertise. In the aerospace realm, NASA is the principal exception. But within the DoD and FAA, while there is technical expertise, much heavy-duty technical lifting is done by FFRDCs (e.g., Aerospace Corp., MITRE's CAASD, the national labs) or UARCs (e.g., Johns Hopkins Univ's Applied Physics Lab). In my view, the DoD and FAA should build in-house engineering capability sufficient to properly oversee and advise major programs without having to outsource as much as they do. You cannot do an effective job overseeing complex engineering developments if you are insufficiently technically-competent. The DoD is starting to realize this and places like AFRL are starting to swing back toward that direction, but there's a very very long way to go. If you are going to effectively push back against industry pressure, you have to be equipped to make strong technical arguments, not just appeals to precedent or vague statements about risk.

- If you can find people with the right mindset and competence levels, it's better, in my view, to have ex-Industry engineers working for the government. Those that go straight from school to government don't often have direct experience as practitioners, and as per my previous point, that often makes them less effective than they could be.

- "Follow the plan," from the article, sounds exactly like what I've heard from Boeing. The article captured well the context and implications of that kind of talk.

- "... engineers had to accept that they were no longer the center of the universe" really resonated with my own experience at another (non-Boeing) large American aerospace company. I was told by the man in charge of a major subsystem discipline that "engineering is out of favor [with the company management]". He was an engineer and on the side of engineers, he was just telling it the way it was. I couldn't believe what I heard then, and decades later, still can't believe it. How can engineering be "out of favor" in a company that specifically engineers systems at the edge of what humans can accomplish in hardware? I think you will find most large American aerospace companies helmed by people who really see no irony in making statements like that.

- The aerospace industry is not one I would encourage my children to work in. I'm driven heavily by my passion for aerospace - it's an integral part of my identity. But it's really hard in industry to find job security, avoid rampant pigeonholing, avoid corporate mistreatment, work on multiple well-executed flight programs in your career (the equivalent of "shipping" software), and generally work somewhere where there is a strong corporate motivation to "do the right thing". It's a lot harder than in software for the corporate culture to not permeate everything around you because of how capital-intensive the field is. Also, the U.S. Government sucks as a customer, which makes it harder for small companies to thrive in the field. The job security issue can go away if you work in government, but then your ability to be an implementer (why a lot of people become engineers) also diminishes.


[flagged]


We've banned this account for breaking the site guidelines.

If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future.


> Boeing instructed pilots to deal with excessive downward pitching

That is my favorite newspeak so far.


@ReptileMan >> Boeing instructed pilots to deal with excessive downward pitching

> That is my favorite newspeak so far

Going by the faded out aspect of your post, someone here doesn't like you quoting facts.



