
Boeing Withheld Information on 737 Model, According to Safety Experts and Others - SREinSF
https://www.wsj.com/articles/boeing-withheld-information-on-737-model-according-to-safety-experts-and-others-1542082575
======
z92
Before this incidence, at least 3 to 4 accidents occurred where the pilot was
in fault. Like : They were pulling the sticks too high. The autopilot was
screaming "Stall" "Stall". But the pilots were too busy or incompetent to
notice. And ultimately crashed the plane.

I remember here in HN, there were cries why auto pilot didn't take over at
that time and save lives. "Pilots should never be allowed to stall the plane."

Well, Boeing's new software did exactly that. Correct the situation when the
pilot wasn't. And that crashed the plane.

Interesting indeed. Lesson: There's a lot to look beyond before taking a
decision, even when the obvious decision is just in front of everyone.

~~~
daveoflynn
That analogy doesn’t hold up. All Airbus and most Boeing aircraft have systems
to push the nose down in event of a stall.

The problem here is: in the transition from the -NG to the -MAX, Boeing added
this protection _and didn’t tell anyone_.

Imagine someone added Adaptive Cruise Control to your existing car without
telling you - the first time the car braked on its own, you’d freak out. The
car is suddenly behaving in a way it should be able to.

If you know the system exists, you can recognise what’s happening and deal
with it. If you don’t know it exists, the behaviour is going to be absolutely
baffling, and no in-flight diagnostic procedure has a step for “did the
manufacturer add an important safety device and not tell me?”

~~~
ateng
Something similar happened in the past: Scandinavian Air 751 (MD-81 with twin
engine aft-mounted) had both engine surged due to ice ingestion shortly after
takeoff. Pilots were not aware of auto throttle control, which revert pilots’
action of reducing throttle (to fix the engine surging). Both engines
ultimately failed and aircraft crash landed. Luckily all survived.

[https://en.m.wikipedia.org/wiki/Scandinavian_Airlines_Flight...](https://en.m.wikipedia.org/wiki/Scandinavian_Airlines_Flight_751)

~~~
brainpool
Well, the throttle control was one issue, but it is far from certain that it
would have saved the engines. The main issue was still the ice that went in to
the engines to begin with. The full report is available here:

[https://www.havkom.se/assets/reports/English/C1993_57e_Gottr...](https://www.havkom.se/assets/reports/English/C1993_57e_Gottrora.pdf)

~~~
ateng
I agree. Improper de-icing + aft-mounted engine is the main cause of this
disaster (although ice on wing itself is already a problem as it reduces lift
and could cause stalls). My (rather subtle) point is that Boeing can’t really
go “oh this has never happened before”.

In fact, as a general rule of thumb, I believe any safety feature that would
automatically change the state of the aircraft should be well educated to the
pilots.

------
iliketosleep
This is part of an unsettling trend where companies prefer to keep users in
the dark about the underlying tech of their products. For normal consumer
tech, I can kind of understand, but what astonishes me is that this mindset
has extended to aircraft, where the "users" are pilots of commercial aircraft!

The article's quote from a high-ranking boeing official sums it up: _the
company had decided against disclosing more details to cockpit crews due to
concerns about inundating average pilots with too much information—and
significantly more technical data—than they needed or could digest._

~~~
black-tea
That is worrying. Part of the reason the roads are so dangerous relative to
the skies and railways is that the people operating those cars are not
professional drivers but merely normal people who are barely trained. Has it
got to the point where pilots of commercial aircraft are just normal people
who can't handle actually knowing how a plane works?

~~~
iliketosleep
No. Just compare the difficulty of getting a regular driver's license to that
of a license to fly commercial airliners. It's safe to say that _almost_ every
pilot can control a plane without incident when sensors / automated systems
fail, so long as they are given full manual control. Automation overriding
pilot inputs during sensor failure is a recipe for disaster.

~~~
jakobegger
> Automation overriding pilot inputs during sensor failure is a recipe for
> disaster.

In 2009 an Airbus A330-200 crashed into the Atlantic ocean killing more than
200 people because a confused pilot kept pulling the plane up, despite loud
stall warnings from automatic safety systems [1]. In the discussions of that
event, one commenter asked, "Why did [the plane] not override the pilots'
inputs and force a pitch-down?" [2]

Designing safety critical systems is difficult. If the automated system fails,
the pilot needs to be able to take over manual control. But at the same time,
if the pilot does something stupid, the automatic system should prevent that.

I'm not sure how to square that.

[1]: [https://www.telegraph.co.uk/technology/9231855/Air-France-
Fl...](https://www.telegraph.co.uk/technology/9231855/Air-France-
Flight-447-Damn-it-were-going-to-crash.html)

[2]:
[https://news.ycombinator.com/item?id=8452080](https://news.ycombinator.com/item?id=8452080)

~~~
StreamBright
I disagree. Flying a plane is pretty much a simple state machine with very
well defined states. We have hundred thousands of flight hours available and
we can also build a very realistic simulator which is used extensively to
train pilots. It is should not be a challenging task to build a reliable auto-
pilot and in fact we have already one that covers most of the aspects of
flying. On the top of this, most of the flight related incidents are human
errors.

~~~
Scramblejams
You have been misled concerning the accuracy of simulators. "All models are
wrong, some are useful" is a helpful quote to remember here. Certified sims
are typically very accurate when it comes to avionics and systems. They are
often much less representative where vehicle dynamics are concerned.

Even the most heavily analyzed aircraft can produce surprises once they
actually take to the air. Look up "Super Hornet uncommanded wing drop". Or
look at dynamic scaling tests
([https://www.nasa.gov/pdf/483000main_ModelingFlight.pdf](https://www.nasa.gov/pdf/483000main_ModelingFlight.pdf))
which uncovered two spin modes in the F-15 that were previously entirely
uncharacterized. (Not sure if the linked doc covers that instance specifically
-- I learned this from speaking with the study PI. And no, most aircraft
programs don't get to do dynamic scaling tests.)

All this is to say that a variety of potential non-linear behavior is lurking
inside any given airframe, and all the wind tunnels and CFD in the world will
merely allow you to model most of the useful operating conditions, but
certainly not all of them.

Simulators, just like autopilots, are useful for finite input ranges. If you
leave those input ranges, your simulator will precisely and repeatably model a
fantasy, and your autopilot will disconnect.

Source: Short career as an aerospace engineer.

~~~
StreamBright
And how do you train pilots for these unexpected non-linear events? What stops
you to train auto-pilot the same way?

~~~
Scramblejams
The point of my post was to say that these unexpected events will not come up
in your simulated environment, so you simply will not have the data needed to
train the autopilot.

The human, by and large, figures it out. We generally accept that risk. But
how will the autopilot react to the unexpected event for which you haven't
trained it? Who knows?

------
danso
> _Boeing is working on a software fix, according to industry and government
> officials, that would likely mitigate risks. On Saturday, the company went
> further than before in spelling out dangers pilots can face if they
> misinterpret or respond too slowly to counter automated commands._

So the issue seems to be that Boeing didn’t even tell pilots and airlines that
the auto-stall-prevention system has been added to new variants. So I wonder
if this software mitigation is something as simple as a warning screen or
dialog box. If they’re writing software, at this point, to fix/patch how the
system actually functions, that seems to imply they released a flawed
system/heuristic, if such a patchBle flaw was found out so soon after the Lion
Air crash.

~~~
mjevans
It probably worked just fine in perfect maintenance / test conditions, but
degrades badly (very badly) when poor users, poor maintenance, and flying well
past 'sane' response to errant sensors happens; as in this case.

Testing new variations of software for a product that works when used as
designed/tested already may have been (I'll speculate probably was, and at a
low back-burner update priority baked in to some other larger change) in
progress; but that's still re-testing and validating a complex system that
must fulfill the other test cases (probably with real flight time and
conditions).

Particularly when a well trained operator (pilot) is supposed to be able to
safely work around the existing defect, and seems to have done so in prior
flights of that plain as well.

~~~
kevin_thibedeau
Brand new planes shouldn't have these sort of issues.

------
beefield
Did I understand correctly that basically air speed sensor was faulty and
because of that the autopilot decided that we need more speed to avoid stall
and put the nose down all the way to the ground/sea?

~~~
Someone
The essential bit is that the autopilot made that decision even if it was
switched ‘off’, and Boeing never told anybody the autopilot couldn’t really be
switched off.

It seems they added a second autopilot that prevents pilots from doing truly
stupid things without telling anybody. Problem? Failure modes of that
autopilot can easily be lethal.

I think they may have been right in saying pilots don’t need additional
training for this new feature. If the plane flew itself into the ground, and
there’s nothing the pilots could have done to prevent that, they don’t need
additional training.

Chances are they didn’t tell buyers of the plane because, for years, they have
marketed their planes as “if the software fails, pilots can take control,
unlike in Airbus planes” (counter-acting Airbus’ message that their planes
were more modern)

~~~
VBprogrammer
I can't read the article due to the pay wall but if what you said is accurate
then I don't believe it's an accurate reflection of the real complexity of a
modern airliner.

See
[http://www.b737.org.uk/flightcontrols.htm](http://www.b737.org.uk/flightcontrols.htm)

The pitch trim can be controlled by a number of different systems for
different reasons, see the section on mach trim for an interesting one. I
would be shocked if the inputs here weren't disabled by switching thd stab
trim - autopilot switch to the off position.

I've mentioned in previous comments, this sounds like a trim runaway incident.
The mechanism may be new but the underlying fault and the symptoms would have
been the same.

~~~
FabHK
Yes, and in particular it seems likely that the pilots could have stopped the
automatic down trim by either invoking two trim cutout switches, and/or
manually holding/turning back the trim wheel. But it appears they a) had many
other things to deal with, and b) did not expect this particular failure mode,
so did not recognise it. Terrible.

------
binarnosp
The book "Aviation Psychology: Practice and Research" by Klaus-Martin Goeters
explains exactly this kind of situation, when the flight control system and
the pilot are not in sync and don't know each other intentions.

------
neonate
[http://archive.is/NIF8y](http://archive.is/NIF8y)

------
rajacombinator
If true, situations like this clearly should result in substantial jail time
for various Boeing execs involved. But it won’t, so no one will care.

------
catchmeifyoucan
I fly out of Renton, where these aircraft are made, and the lot is
overflowing. The faulty software could only be an indicator of the quality
going into the newer aircraft to roll out fast enough to please the
stakeholders. I hope that is not the case. It's not ok that Boeing didn't
disclose the feature, but it's even more concerning that it wasn't captured
during testing as a potential flaw.

[https://www.seattletimes.com/business/boeing-
aerospace/737-p...](https://www.seattletimes.com/business/boeing-
aerospace/737-problems-have-grown-in-renton-despite-boeings-reassurances/)

~~~
cylinder
I remember seeing a documentary about some Boeing employees who were
whistleblowing about safety issues with the upcoming 737MAX. I can't find it
now. Any connection?

I don't see how Boeing will remain immune to the race to the bottom culture
plaguing American business.

~~~
Reason077
You may be thinking of “The Boeing 787: Broken Dreams - Al Jazeera
Investigates”.

------
circlingthesun
Nice headline to see as I'm about to board a 737 :\

~~~
SmellyGeekBoy
Did you drive to the airport? Without even giving it a second thought?

Don't sweat it.

~~~
FabHK
Actually, it's not that easy. Airplanes are safer per mile.

Per trip, it looks different (for two reasons: a) planes are faster than cars,
b) plane trips are generally longer than car trips).

You're probably around 10x more likely to die on your next plane trip than on
your next car trip, from what I can tell.

~~~
nkurz
For those questioning these numbers, 10x might be a little high, but I think
it's at least in the right direction. Consider how many car trips the average
person takes per year, versus the number of times they travel by plane. Travel
by commercial airline is 100's of times safer per mile than travel by private
vehicle, but the average plane trip is well over 100 times the distance of the
average car trip.

Here are Wikipedia's numbers for a 1990-2000 in the UK (because that's what
they happen to have easily available):

    
    
      Deaths per Billion  
          Journeys Hours Kilometers
      Car:    40    130    3.10
      Air:   117     30     .05
    

[https://en.wikipedia.org/wiki/Aviation_safety#Transport_comp...](https://en.wikipedia.org/wiki/Aviation_safety#Transport_comparisons)

So for an average journey by each a couple decades ago, this says that
travelling (a long journey) by plane is about 3x the risk of death as
travelling (a short journey) by car. Does anyone have more recent numbers for
the world as a whole?

~~~
FabHK
Come to think of it, I probably misspoke, because I was looking at fatalities
per vehicle journey instead of per passenger journey (and a plane carries more
pax than a car).

Best as I can estimate now, the risk of dying on your next (scheduled air
carrier, part 121) plane journey is maybe a third as on your next car journey
(in the US, thanks to the amazing safety record there).

The aviation industry likes to quote fatalities per passenger mile, which is
very favourable to air travel, and of course also relevant if you decide which
mode of transport to take for a given journey from A to B.

However, if we want to look at how twitchy you feel for taking a typical car
journey vs a typical plane journey, we need to look at fatalities per
passenger journey, and they bring the numbers closer together by a factor of
around 100.

Numbers for general aviation are much worse: you're about 200 times as likely
to die on the next GA trip than car trip.

There are just many more cars around than planes. Also, note that 2% of all
B737, 4% of all B747, and 5% of all A300 ever built have been hull losses
(including non-fatal incidents). But yeah, aviation has gotten amazingly safe
in the last decades.

Would be interesting to look at corresponding numbers for Europe or the world.

See the Uber Elevate report, page 17, for some numbers.

[https://www.uber.com/elevate.pdf](https://www.uber.com/elevate.pdf)

------
smackay
Pilots are expensive to train, expensive to maintain in terms of salary and
cost a lot afterwards with regards to pensions. I am sure airlines are doing
everything they can to reduce these costs and as a result competence is
suffering. It used to be the case that air force pilots retired to become
commercial pilots. Now commercial pilots are trained straight out of high
school. (I'm not sure this is entirely true but bear with me as it supports
the point I want to make).

Airlines are the final customers of Boeing, Airbus, etc. I am sure they want
as much automation on a plane as is possible to reduce the training
requirements and so decrease the cost of having pilots on the balance sheet.

The problem I think is that the abstraction that is the modern flight deck is
not quite up to the job of dealing with poorly trained pilots or pilots with
little experience of unusual situations. That gap was nicely addressed by
having military trained people in the cockpits where unusual situations are
somewhat more "routine".

So what we are seeing is the mismatch of cost-constrained customers and the
failings of technology in a situation where failures are less forgiving. It's
the same story with automation that is being played out everywhere. The only
difference, if you exclude x-ray machines, is that the impact is higher.

~~~
Cthulhu_
> and cost a lot afterwards with regards to pensions

I'm going to jump on this in particular; please don't go full late stage
capitalism and make people feel guilty for a retirement plan they've invested
part of their lifetime salaries into.

~~~
smackay
You misunderstand. I am not making a value judgement on the cost of pilots. I
absolutely want somebody who is highly trained flying the plane. However
whenever strikes hit airlines it's because of poorly paid flight crews so
clearly the airlines are wringing costs out of their operations and safety is
being compromised as a result - from scanning the comments here that point is
not being made. Instead Boeing are being blamed for not delivering systems can
can deal with incompetent pilots. Nobody is stopping to think why the problem
is occurring in the first place.

~~~
macintux
> Instead Boeing are being blamed for not delivering systems can can deal with
> incompetent pilots.

That's not the impression I'm taking out of this discussion. It sounds like
they're being blamed for not giving competent pilots the information they need
to fly safely.

------
dcow
So what happens? Is the model grounded until people are trained to fly it or
until the new “feature” is disabled?

~~~
mrpippy
The feature is part of the airplane’s certification (probably added to make
the handling characteristics more similar to previous 737 generations), it
won’t be disabled. An FAA AD might be coming to fully document it in the FCOM,
and pilots/operators will raise hell that it wasn’t documented already.

~~~
ovi256
They can't possibly keep flying this model that is crashed by a single sensor
(angle-of-attack sensor) failure ? Can they ?

~~~
markdown
They've barely begun the investigation. It'll be a long time before we know
why and how this crash happened.

------
JustSomeNobody
So, would this be negligent homicide?

------
Someone1234
I'm going to get a little meta here.

After the crash, reading the online comments about it (and the things said
about Lion Air and the pilots) was pretty interesting given how things have
turned out. It is also interesting how much play the initial discussion
received relative to the follow up stories about the safety bulletin and now
criticism from within the industry.

And when we finally do get an article on the safety issue, the top comment is
focused on the pilot's supposed issues instead:

[https://news.ycombinator.com/item?id=18409041](https://news.ycombinator.com/item?id=18409041)

Or trying to continue to blame Lion Air:

[https://news.ycombinator.com/item?id=18408540](https://news.ycombinator.com/item?id=18408540)

I guess what I am saying is; there seems to be a deep unwillingness to
criticize Boeing. This isn't recent or specific to this accident, Boeing is a
very challenging topic to discuss without people getting tribal. Why is that?

~~~
A2017U1
I know little about aviation nor this incident, but the pilot never once
radioed panpan let alone mayday despite having the time to do so.

This is very unusual.

For anyone interested the best sources of knowledgeable commentary is ppprune
and avherald. Every other site is armchair speculation.

~~~
cjbprime
It's a little unusual, but not extremely. There's both the instruction to
"aviate, navigate, communicate" \-- in that order -- and the fact that when
you are "task-saturated" you often straight up _fail to hear people talking to
you_.

If you believed your airplane was at imminent risk of a stall, it would be
deeply negligent to spend mental cycles talking to ATC instead of fixing it.
ATC exists to sequence traffic; they can't fly your plane for you.

~~~
A2017U1
The pilot negotiated turning around and returning to the airport with ATC,
which takes more effort than a distress call.

The previous flight which suffered the same problems called in a PanPan before
resolving the faulty sensor issue.

Reports are also saying that this fault was noted on the last 4 flights.

------
neya
Alternative story link: [https://www.marketwatch.com/story/boeing-withheld-
crucial-sa...](https://www.marketwatch.com/story/boeing-withheld-crucial-
safety-information-on-new-737-models-experts-say-2018-11-12)

~~~
inamberclad
> The automated stall-prevention system on Boeing 737 MAX 8 and MAX 9 models
> ... can push it down unexpectedly and so strongly that flight crews can’t
> pull it back up.

I'm surprised that Boeing designed a system that could override the strength
of the pilot. I don't know how strong the normal autopilot controls are on a
B-737-800 but on lighter aircraft it's a normal part of the preflight to make
sure that you can overpower the autopilot with muscle if it fails.

~~~
cmurf
These are all fly by wire airplanes, muscle has exactly zero to do with simply
ignoring the input. You have to know what system is confused, and possibly
why, in order to know what component or system needs to be reset or disabled.

And these are the kinds of scenarios that continue to make me think autonomous
cars in a hybrid environment (i.e. with human drivers) is just absurd. Flying
planes is a standardized environment, and we can't even automate it end to end
with available technology in idealized conditions, let alone in emergencies.
And car driving is way more complicated (and I say that as a pilot).

Having one inch precision for every bit of concrete, light bulb, paint on
every airport in the world, is less data than what you'd see in one town, let
alone a city, let alone all of them. The infrastructure standardization within
a city is poor let alone across the country, and it evolves daily perhaps even
by the hour.

~~~
cjbprime
This doesn't sound right. Boeing planes are much less fly-by-wire than Airbus,
and this is especially true for the older models such as the 757 in this
crash.

~~~
sitharus
This crash involves a 737 MAX - a very modern fully fly-by-wire aeroplane. I
think the 777 was the last Boeing jet with mechanical backup flight controls.

The difference you're probably thinking of is the Boeing philosophy of
ultimate pilot control vs the Airbus one of software restrictions. A pilot can
fly a Boeing aircraft outside of its designed envelope, but an Airbus will
restrict the inputs.

~~~
inferiorhuman
> This doesn't sound right. Boeing planes are much less fly-by-wire than
> Airbus, and this is especially true for the older models such as the 757 in
> this crash.

The plane that crashed was not a 757 it was a 737 MAX.

> This crash involves a 737 MAX - a very modern fully fly-by-wire aeroplane.

The 737 MAX is NOT a fully FBW airplane. The MAX does have a FBW spoiler which
the previous 737s (Jurassic, Classic, NG) lack.

> The difference you're probably thinking of is the Boeing philosophy of
> ultimate pilot control vs the Airbus one of software restrictions. A pilot
> can fly a Boeing aircraft outside of its designed envelope, but an Airbus
> will restrict the inputs.

That's not entirely true, all 737s will put additional pressure on the yoke
when a stall is detected. You can fly a 737 into a stall, but with quite a bit
of effort. Similarly you can fly a modern Airbus into a stall provided you're
in one of the degraded "laws". Air France pilots did just that with an A330.

Where the MAX differs from other 737s is that when a stall is detected it will
trim the stabilizer -- even worse when the computer predicts a stall the 737
may end up trimming the stabilizer to the point that you cannot overcome it
with the elevator.

On a 737 the elevators respond quickly while the trim adjustments are much,
much slower. If you're 5,000 ft in the air and Boeing decides to trim the
stabilizer full down you may already crash by the time you can re-trim the
plane and regain control. Previous 737s did NOT do this. I believe that LOT
specifically emphasizes this in their MAX training, unsure if Lion Air
did/does.

~~~
FabHK
inferiorhuman appears to know what he is talking about; you can safely ignore
the comments preceding his (except the useful alternative link).

------
CathyWest
I would have thought Scandinavian Airlines Flight 751 would be well known
enough to make manufacturers think twice about sneaking in features and not
telling pilots about them and CAAs about certifying them.

------
gesman
.... "According to Safety Experts and Others"

Very convincing. If "others" say so - it must be true.

~~~
mil4n
Did you read the article?

~~~
wereHamster
I couldn't. Because paywall.

~~~
CathyWest
[http://archive.is/NIF8y](http://archive.is/NIF8y)

