
Boeing 737 Max: Automated Crashes [video] - HelenePhisher
https://media.ccc.de/v/36c3-10961-boeing_737max_automated_crashes
======
SAI_Peregrinus
As I see it there are several critical flaws in the MAX.

First, the engine placement means it has a non-linear control force curve, so
it needs some system to compensate for that. Hence MCAS. This is because the
landing gear can't be lengthened without expanding the gear bays, which would
void the type certificate AFAICT.

Second, the larger size of the plane means that a single pilot cannot be
guaranteed to be able to use the manual trim wheels in all flight modes. The
force required is extreme, weaker pilots may not be capable of trimming the
aircraft. This can't be fixed without changing the trim wheel size (which
requires a new cockpit layout) and/or the horizontal stabilizer, both of which
would void the type certificate.

Third, critical flight control systems need to be triple-redundant, and there
are only two AOA sensors. Since the plane cannot be certified without MCAS
(point 1) and MCAS can command a catastrophic failure (see two craters) it
should be a triple-redundant system. A new AOA sensor would void the type
certificate.

Canada stated that they would certify the MAX without MCAS and with required
pilot training, if its performance characteristics were acceptable. Boeing has
made no attempt (AFAICT) to try this, which raises suspicion that MCAS is in
fact required for certification, which would make it a Fly-By-Wire system (and
subject to appropriate regulations, requiring hardware changes) and not just a
stability augmentation system. Essentially Canada called Boeing's bluff.

It's not the software that's the (only) issue. If it were, the plane would be
flying by now.

~~~
missosoup
> First, the engine placement means it has a non-linear control force curve,
> so it needs some system to compensate for that. Hence MCAS.

No. Boeing wanted it to share a type rating with the rest of the 737 family,
hence MCAS. This plane would be perfectly safe to fly if it had no MCAS and
required a new type rating. Consider the 767 which has a stronger pitch-up
characteristic and operates just fine. This meme has been debunked several
months ago but keeps getting repeated along with the more ignorant 'the plane
is inherently unstable'.

> The force required is extreme, weaker pilots may not be capable of trimming
> the aircraft.

This is true in all planes. In certain conditions, aerodynamic loads exceed
the pilot's or even the hydraulic system's ability to overcome. Pilots are
trained for how to recover from these conditions and regain trim authority.

> Canada stated that they would certify the MAX without MCAS and with required
> pilot training, if its performance characteristics were acceptable. Boeing
> has made no attempt (AFAICT) to try this, which raises suspicion that MCAS
> is in fact required for certification

This claim contradicts your first claim, as the authority indicates they will
accept the plane without MCAS. So clearly, MCAS is not critical to the safe
operation of the plane in the eyes of this authority.

Without MCAS the MAX loses the 737 type rating and becomes a commercial
failure. Of course Boeing isn't going to even humour that avenue of action
except as a last resort.

Please stop spreading thoroughly debunked misinformation.

~~~
FabHK
> This plane would be perfectly safe to fly if it had no MCAS and required a
> new type rating.

GP didn't claim otherwise. GP claimed:

>> [...] so it needs some system to compensate for that.

And it does need that system - whether for safety is debatable, but it needs
it for certification (not within the 737 family certification, but for
certification full stop), because the FAA requires basically a linear control
force curve.

>> weaker pilots may not be capable of trimming the aircraft.

> This is true in all planes.

Source? I'd assume, in fact, that in most planes that is not the case -
superhuman strength is not required to trim.

> This claim contradicts your first claim, as the authority indicates they
> will accept the plane without MCAS. So clearly, MCAS is not critical to safe
> the operation of the plane in the eyes of this authority.

No, it doesn't. There are three possibilities:

1. Without MCAS, the plane is safe and certifiable, but not similar enough to
be certified with the 737 family.

2. Without MCAS, the plane is reasonably safe, but not certifiable under the
specific FAA rule requiring linear control forces (though possibly under more
lenient, e.g. Canadian, rules).

3. Without MCAS, the plane is not safe and not certifiable.

I think 2 is the case. 1 has been debunked, and you argue that 3 is false,
too.

~~~
LandR
>> Source? I'd assume, in fact, that in most planes that is not the case -
superhuman strength is not required to trim.

[https://youtu.be/aoNOVlxJmow](https://youtu.be/aoNOVlxJmow)

Showing the strength required to trim a 737 in certain circumstances.

------
EddieCPU
"Underestimating the dangers of designing a protection system"

[https://www.youtube.com/watch?v=PlaMQBEg-9M](https://www.youtube.com/watch?v=PlaMQBEg-9M)

“In the course of the investigation, a new type of flight assistance system
known as the Maneuvering Characteristics Augmentation System (MCAS) came to
light. It was intended to bring the flight characteristics of the latest (and
fourth) generation of Boeing's best-selling 737 airliner, the "MAX", in line
with certification criteria. The issue that the system was designed to address
was relatively mild. A little software routine was added to an existing
computer to add nose-down trim in situations of higher angles of attack, to
counteract the nose-up aerodynamic moment of the new, much larger, and
forward-mounted engine nacelles.”

“Apparently the risk assessment for this system was not commensurate with its
possible effects on aircraft behaviour and subsequently a very odd (to a
safety engineer's eyes) system design was chosen, using a single non-redundant
sensor input to initiate movement of the horizontal stabiliser, the largest
and most powerful flight control surface. At extreme deflections, the effects
of this flight control surface cannot be overcome by the primary flight
controls (elevators) or the manual actuation of the trim system. In
consequence, the aircraft enters an accelerated nose-down dive, which further
increases the control forces required to overcome its effects.”

------
mechhacker
Right around 37:30 it shows how difficult it is to use the manual trim wheel
to affect the plane's attitude.

One pilot has to move all focus to it, without touching the other controls.

It is still baffling to me how everything, from one sensor to a control system
that can overwhelm the pilots with stick forces with no sanity checks in
software, got through Boeing and then the FAA.

~~~
cjbprime
> One pilot has to move all focus to it, without touching the other controls.

And even that may not be enough.

It's quite plausibly physically impossible if the pilot happens to be less
strong than this one, or if the aircraft's situation is worse than this
simulator's.

In particular, the Ethiopian flight was in extreme overspeed (if I recall,
past the max safe structural speed for the plane!), which increases all of
these forces. I'm not sure whether that was being modeled by the simulator, or
if the simulation's model of trim wheel force is a correct one.

There's certainly no guarantee that a pilot can produce the force required to
relieve aerodynamic load on the stabilizer here. It's a purely mechanical
system.

~~~
inferiorhuman
_In particular, the Ethiopian flight was in extreme overspeed (if I recall,
past the max safe structural speed for the plane!)_

While the Ethiopian crew did have the overspeed warning going off, it was well
below the "do not exceed" and "max dive" speeds.

_I'm not sure whether that was being modeled by the simulator, or if the
simulation's model of trim wheel force is a correct one._

It wasn't. Boeing's already admitted that their simulators don't correctly
emulate the forces on the trim wheel.

~~~
salawat
The borked AoA vane also meant the computer was not calculating airspeed
correctly. They were in an Airspeed Unreliable situation, which warrants being
generous with power based on the stage of flight.

Climb-out from Addis Ababa (a hot and high airport) means you've got precious
little excess in terms of sacrificial power to begin with. The MAX 8 could
only take-off at all due to an unusually long runway as I recall.

------
lovehashbrowns
The video was taking ages to load for me, but I believe this is the same video
from the same source:
[https://youtu.be/PlaMQBEg-9M](https://youtu.be/PlaMQBEg-9M)

------
fhub
In the Q&A, there were two questions about topics that the speaker wasn't
really aware of.

1. A purchase option for an instrument/indicator that shows discrepancies
between Angle of Attack sensors on each wing.

2. In the KC-46A Pegasus it seems the pilots are able to override the MCAS
system by simply pulling on the controls.

For me, #2 would have been an interesting discussion as perhaps Boeing chose
not to re-use this system because it might delay certification. Imagine being
the person who (may) have made the call to create worse software than
something that existed to sneak past compliance.

~~~
gsnedders
Note that for the 767-2C/KC-46 it's very likely the case that the 767-2C
wouldn't share a common type-rating with the rest of the 767 family (as this
wasn't a requirement for the KC-46 contract!), and for the 737 MAX a lot of
design decisions were driven by the desire for the 737 MAX to have a common
type rating with earlier 737 models.

From the 767-2C type certificate:

> The Boeing 767-2C has not been evaluated by the Flight Standards Board. No
> pilot type rating or training, checking and currency requirement
> determinations have been made.

Note the only 767-2Cs built were to certify the type, no airline has ordered
the freighter aircraft.

------
HelenePhisher
Youtube link:
[https://www.youtube.com/watch?v=PlaMQBEg-9M](https://www.youtube.com/watch?v=PlaMQBEg-9M)

------
logjammin
"Apparently the only design of the MCAS system the FAA saw was limited to a
0.6 degree deflection [of the stabilizer] at high speeds and only single
deflection only. _And that was changed_ and ... it is still unclear how that
could happen ... it was changed to multiple activations, even at high speed,
and each activation could move the stabilizer as much as 2.5 degrees, and
there was no limit to how often it could activate." (~28min; emphasis added)

For me, in a crisis with a lot of burning questions, one I haven't seen raised
much is: _who_ changed the MCAS behavior after the FAA "saw" the first
version? _Someone_ decided this should happen, and _someone_ implemented it
(perhaps the same person). Forget the C-suite for a moment; someone in middle
management made this call. Shouldn't they answer for it?

~~~
HeyLaughingBoy
No, "they" shouldn't.

When stuff like this happens, it's a _process_ issue, not an issue with a
particular engineer. It's human nature to try to assign blame to people and
that's why it's so important to avoid that. Whatever process created the
flawed product is where the blame lies.

Somewhere in the group that produced MCAS, there's a process to permit changes
to be submitted, reviewed, accepted or rejected, implemented and tested along
with the documentation produced at each stage.

Maybe that process is broken, maybe it isn't. From the outside we can't tell.
However, as responsible professional software developers what we should do is
understand that these are _system problems_ and not just look around for
someone to pin the blame on.

~~~
mikehollinger
Yeah, my first reaction after watching the video (it was a good video to watch
over a morning coffee!) was that the author used passive voice several times
without making it clear _who_ took a particular action ("It was decided" and
other phrases like that). You make a good point that no one person might've
made the call, however someone _must_ be accountable for it even if no single
party is responsible (a single person at some level, possibly the CEO,
probably below that level). That's what I'm personally curious to know.

------
floki999
This is a great presentation, goes into a lot of details. Thanks for sharing.

------
nojvek
Site videos aren't loading. Seems like HN hug of death.

~~~
thamer
CCC has a CDN, documented here:
[https://media.ccc.de/about.html](https://media.ccc.de/about.html)

To get a list of mirrors for a file, copy the URL of the file you want to
download, and append ?mirrorlist to get a list of mirrors.

For example, here's the list of mirrors for the video in 1080p MP4 format:
[https://cdn.media.ccc.de/congress/2019/h264-hd/36c3-10961-en...](https://cdn.media.ccc.de/congress/2019/h264-hd/36c3-10961-eng-deu-fra-Boeing_737MAX_Automated_Crashes_hd.mp4?mirrorlist)

I had the same issue with another link posted today where the video wasn't
loading at first. I downloaded it from a mirror using wget at over 200 Mb/s.

------
trymas
Unrelated to the content of the video - is it possible to remove French voice-
over?

EDIT: I guess the only option is to download the video file and switch the
audio language, as the browser's player cannot do this.

EDIT2: from the HTML, there are multiple sources; English is the first one,
though the player starts automatically from the second source. Link to the
English video:
[https://koeln.ftp.media.ccc.de//congress/2019/h264-hd/36c3-1...](https://koeln.ftp.media.ccc.de//congress/2019/h264-hd/36c3-10961-eng-Boeing_737MAX_Automated_Crashes.mp4)

EDIT3: after a couple of reloads and waiting a couple dozen seconds, the native
HTML video player switched to some custom CCC player with a settings option
available. It probably needed some time before the JS fully loaded and did its
job. Apparently /u/lovehashbrowns had loading issues, so this sounds related.
Maybe CCC is getting a hug of death from HN, Reddit or whatever.

~~~
jmkni
I was able to change language by clicking on the gear icon in the web player
(bottom right).

~~~
trymas
For whatever reason the latest Chrome and FF on MacOS do not have any
settings/gear icon ¯\\_(ツ)_/¯ .

~~~
HelenePhisher
Strange, Chrome on MacOS shows it here. Ugly workaround: you could download
the video and select the appropriate audio track in your video player.

------
ryanmarsh
Does anyone else feel like we're going to be having a nearly identical
conversation about a car some day? Some mixture of design changes, sensors,
and software (driven by business) that leads to avoidable deaths?

Warrant against hyperbole: I'm not against the idea of self driving cars. In
fact I have a Tesla and use auto steer daily.

~~~
aeternum
I'd argue this already happens with vehicles and many other products. Many
safety features themselves can lead to avoidable deaths in certain scenarios.
From something as simple as the seatbelt to something as complex as
auto-braking and collision avoidance. I.e. a seatbelt can cause a death by
inhibiting egress. Fancy collision avoidance may prevent you from getting off a
train track if there is a car or gate in front of you.

Car manufacturers already have to make calls not only about whether these
features are worth it for the greater good, but also whether or not it will
make the car too expensive.

