
The Case Against Boeing - axiomdata316
https://www.newyorker.com/magazine/2019/11/18/the-case-against-boeing
======
6gvONxR4sf7o
This reminds me of the debate around not-quite-self-driving cars. Saying the
product is safe to use, but that the user must be ready to do X immediately,
despite evidence that the users you're selling to won't be ready to do X
immediately. Then when people die you get to say it was totally safe, if
they'd just done what they were supposed to do.

Or we could just design products that will be safe in the real world, rather
than ones that could have been safe in a utopia of perfect people.

~~~
kortilla
That comparison falls flat because planes are filled with technologies where
the pilot has to be ready to do X and it works fine (see autopilot).

~~~
gamblor956
On planes pilots generally have time to take over if the autopilot fails.
Falling from ten thousand feet takes a few minutes.

On cars, if autopilot fails, the driver might have a fraction of a second to
recognize the failure, take over from the AI, and initiate corrective action.
Generally, there isn't sufficient time for any of these steps, let alone the
first one.

------
supportlocal4h
This is off-topic, but WalterBright's participation here has reminded me of my
own weaknesses. Everything I have read about the 737Max has put a pitchfork in
my hands to go after Boeing. Walter's are the first comments I have read that
make me think perhaps Boeing wasn't completely, utterly, criminally
unjustified.

It is interesting that Walter has chosen to jump in like this, and to hold his
position so firmly so publicly. He must realize that this action threatens to
paint him very unfavorably to a lot of people. There seems to be no reason for
him to speak out and take such a risk.

To do this seems to me to require either a certain level of stupidity or a
certain level of conviction and courage. My impression is that Walter has
considerable courage and some motivation to try to counteract public
ignorance.

FWIW, Walter's courage has given at least one person pause. I'm going to put
the pitchfork down for a little bit. Boeing still isn't on my good list, but
now I admit that I don't know as much about this as I thought I did.

~~~
lisper
Can you be a little more specific about what WalterBright said that changed
your mind? Because the only thing I see that could possibly be considered a
mitigating factor is this:

> Both the LA and EA did make the adjustments within 10 seconds. They then did
> NOT throw the cutoff switches

(Emphasis added, because I missed this the first time I read it.)

If I squint hard enough I guess I can see a tiny hint of merit in the argument
that the fault for the two crashes lies at least in part with the pilots
because they failed to throw the cutoff switches. But that seems like a mighty
thin reed to me. Have I missed something?

~~~
throwanem
I don't think you have. Bright's arguments have focused entirely on the design
of the MCAS software, and have as far as I can tell completely ignored the
fact that that software, driven by input from a single AoA sensor, creates a
very short critical failure path which requires immediate and precise human
intervention to avert a fatal accident. That such human intervention was
imperfectly performed in two cases does not indict the humans in question, so
much as it indicts a design which errs so far on the side of unsafety that
perfection in human behavior is required to prevent it killing everyone on
board a commercial aircraft.

Any competent engineer knows that a design which requires human perfection for
safety is a design not only doomed to failure, but a failed design in itself.
At least one Boeing engineer raised this very concern during the 737 MAX
design process, only to be quashed by management. It would be invidious to
suggest that at least one ex-Boeing engineer should argue in the defense of
that design out of any motivation other than a genuine conviction of the merit
in his argument. But conviction alone doesn't suffice to render that argument
meritorious, and I'm surprised and disappointed to see anyone here or
elsewhere claim otherwise.

~~~
lisper
Thanks, but I really would like to hear what supportlocal4h has to say about
it. You're just repeating the party line. (And just for the record, I agree
with the party line. But I think it's important to listen to and understand
dissenting views.)

~~~
supportlocal4h
This is how I read it:

1. Boeing is not blameless.

2. Boeing has a point about MCAS issues manifesting exactly like another
well-known event in other models and having the exact same solution.

3. The well-known solution to the well-known event is one that pilots must
memorize because they don't have time to look it up.

4. The pilots seem to have demonstrated that they recognized the problem and,
in fact, executed the well-known solution in time. They just failed to
complete all the steps for some unknown reason.

5. Points 2-4 don't mean that Boeing is perfect. MCAS needs to be fixed. But
it isn't completely absurd to argue that MCAS really is so similar in its
misbehavior and so identical in the correct response that a reasonable person
might expect pilots to do the right thing even if they had never heard of
MCAS.

Taken together, this paints a picture to me that is different than the
completely evil, conniving picture I had. I'm not sure where to draw the line
between them, but probably not on the extreme end where I had it.

But my point is not so much about Boeing. I was observing the actions of a
person who took what I expect to be a very unpopular stand in the face of
overwhelming popular opinion. For what? Who cares if somebody else is
mischaracterized? There's nothing you can do about it except get yourself
muddy. Just let it happen and keep your head down.

I don't know why Walter is speaking up now. I'm not sure how much it changes
my opinion. But I still tip my hat to a person who will say what they think is
right even when they know they will be burned at the stake for it.

~~~
lisper
Thanks for the response. Two follow-up questions:

> MCAS issues manifesting exactly like another well-known event in other
> models and having the exact same solution

By "another well-known event" do you mean a runaway trim? Because if you do,
then you're mistaken. MCAS and runaway trim differ in significant ways. And if
you don't, what do you mean?

> I don't know why Walter is speaking up now.

Have you considered the possibility that he's a shill?

~~~
WalterBright
> Have you considered the possibility that he's a shill?

A fair question. I left Boeing's employ (as a flight controls engineer) in
1982. I am not a spokesman for Boeing, paid or otherwise. The facts I've
presented here are all public information (though routinely omitted from
sensationalist articles about it). My interpretation of those facts is mine
alone.

We'll see what the final NTSB report says. They have earned a reputation for
going wherever the facts lead them, regardless of political pressure. I
sincerely hope they continue with this tradition, as it is the only way to
make airline travel safe.

This highly political case will surely test the NTSB's commitment to
dispassionate examination of the facts. We shall see.

~~~
lisper
> I am not a spokesman for Boeing, paid or otherwise.

Isn't that exactly what an effective shill would say? It could even be true.
"Shill" and "spokesman" are not synonyms.

FWIW, I went back and re-read some of your comments in other branches of this
thread and it's really hard for me to figure out what your position actually
is. For example:

> It's true that if the MCAS software requirements weren't inadequate, the
> accidents would not have happened.

Apart from being a nearly-impossible-to-parse triple negative, it's just
absurd on its face. No _requirements_ can ever prevent an accident. I can
write down as a requirement: "MCAS software must never cause the plane to
crash." But obviously the planes did not crash because someone failed to write
down that requirement.

If you're really a flight controls engineer then you obviously meant something
else. But I have no idea what that something else could possibly be.

> But I don't see why the shortcomings in the MCAS software design
> requirements were the result of cost savings.

Again, it is hard for me to wring any plausible interpretation out of this
sentence under the assumption that you are well informed. It is well known
that the reason MCAS exists at all is because Boeing attempted to make a
radical change to an existing airframe design without getting it
re-certified, and the reason for doing that was cost savings, both for Boeing
and its customers. What other underlying reason could there possibly be for
MCAS to exist at all?

> I did not defend Boeing's MCAS design.

OK, but do you see how someone could come away with that impression?

~~~
WalterBright
> Isn't that exactly what an effective shill would say?

Of course. There's no telling how deep this conspiracy to point out publicly
available facts goes :-)

> No requirements can ever prevent an accident.

That's not what I meant by requirements. Boeing came up with a set of rules
for what the software must do in each situation. This is called the
requirements specification for the software.

Anybody who contracts with someone to write some software comes up with such a
specification.

> What other underlying reason could there possibly be for MCAS to exist at
> all?

There's nothing at all wrong with the concept of MCAS. There's a long history
of flight control augmentation in jet airliners to make them behave better. In
fact, you cannot control a jetliner at all without augmentation, it's too fast
and heavy. It's the implementation that was faulty.

The B-17 was perhaps the largest successful airplane with no augmentation, and
a strong man could barely handle it (source - my dad was a B-17 pilot).

The 757, which I worked on, has fully powered controls. The control column
just opens and closes valves. In order to prevent the pilot from inadvertently
making violent maneuvers a hydraulic "feel computer" was added to push back on
the stick to fake the behavior of a manually controlled system. The forces it
imparted had to be dialed back to accommodate the advent of female pilots,
which caused some worry that the men would overcontrol the airplane.
Fortunately, that turned out to not be a problem.

> OK, but do you see how someone could come away with that impression?

I not only never defended MCAS' design, I wrote that it was faulty several
times. You should ask the someone why they conclude the opposite.

~~~
lisper
Fair enough. Thanks for the reply.

------
salawat
>Good people in a bad system is still a bad system.

That line right there is essentially the same response I had for the
Langewiesche's piece. It is not an excuse to pawn off the accountability for a
catastrophic loss to the pilot when even the basic design is as fraught with
failures to deliver even basic sanity checks as the MCAS system was. Make no
mistake either, the issues that were found were _basic_. FMEA was not
performed once, but never updated because it wasn't legally required, nor was
a full fault-tree enumerated or kept consistent through the system's lifetime.
Either of which would have forced a consideration of what would happen in the
event of a sensor failure. Furthermore, the overall architecture of the flight
computer failed to comply with design requirements that require no single
point-of-failure which would have been revealed by doing what amounts to a
textbook case of "what is the worst conceivable bit flip that could possibly
happen right now?"

This is one of the few points I tend to respectfully differ from WalterBright
on. I don't give a damn if every pilot were a Chuck Yeager or Sully clone.
That plane was dangerous by design.

A dangerous plane flown by a Good pilot is still a dangerous plane. There is
no place in something manufactured to be deployed in a careless or cavalier
manner, and the MAX rollout checks every box for organizational negligence in
my book.

I'll let blame rest with the pilot in so much measure as it is due, but a
machine that will actively frustrate its operator, while endangering the lives
of everyone using it, is a machine whose place is in a scrapyard; not in the
sky.

~~~
WalterBright
We are in agreement that the MCAS design was dangerous. I don't think we
disagree at all on the points you mentioned.

------
EddieCPU
“Boeing decided to place the engines farther forward, just in front of the
wing. The new position, and the greater thrust of the engines, produced an
aerodynamic challenge during a maneuver called a windup turn — a steep, banked
spiral that brings a plane to the point of stall, which is required for safety
tests, though it’s rarely used in typical flying.”

This is a curiously disingenuous statement. Not only at ‘windup turn’ and not
only for “safety tests”, but most importantly when the engines were at maximum
thrust such as at take off. Causing the air-frame to experience a pronounced
nose-up attitude. The nacelles adding even more upward thrust.

‘Boeing settled on a software feature called the Maneuvering Characteristics
Augmentation System. As the nose of the jet approached a high angle,
suggesting an oncoming stall, MCAS would adjust the stabilizer on the plane’s
tail, pushing the nose down, to alleviate the slackness in the control column.
“They were trying to make it feel the same, so the pilots wouldn’t require
training,”’

No, they didn't tell the pilots as this would require retraining and this
would require re-certification.

“Boeing considered the MCAS feature to be so minor that it removed mention of
it from the 737 MAX’s pilot manual.”

Boeing lied by omission, that's why when MCAS kicked in on those two crashes
the pilots were unaware of MCAS and had no way of knowing how to recover from
an MCAS induced nose dive. It was Boeing executive decisions that killed those
people. If this had happened in the US there would have been uproar by now.

------
WalterBright
It's true that if the MCAS software requirements weren't inadequate, the
accidents would not have happened. It's also true that if the pilots had
followed the runaway trim procedure, like the first Lion Air pilots did, like
was reiterated to all MAX crews by Airworthiness Directive, the accidents
would not have happened.

But I don't see why the shortcomings in the MCAS software design requirements
were the result of cost savings.

~~~
hef19898
Maybe one general remark, from one engineer who spent half his professional
life in aerospace to another. Aerospace is, rightly so, proud of the whole
industry's relentless pursuit to eliminate errors, improve systems and learn
from accidents. Your argumentation, in the whole discussion, conveys a
different image and does no favour to the sector in general. Some people are
already afraid to fly, so the very least we all can do is to be open and
honest about errors in the system and the actions taken to prevent the same
accident from happening twice.

And generally on engineering. If a system, regardless of the application,
fails I consider it bad engineer behavior to single out the user. Systems,
especially in aerospace, include everything from design over manufacturing,
software, the parts to maintenance, logistics and ultimately training. Failure
in any single one of these means failure of the system. Which directly implies
all entities involved in development and certification. Failure in more than
one is catastrophic. Defending it is bad engineering. Just my 5 cents.

EDIT: MCAS relied on a _single_ AoA sensor. Non-redundant safety critical
systems in an aircraft? Seriously?

~~~
WalterBright
> Defending it is bad engineering.

I did not defend the MCAS software design. Not once. Quite the opposite.

> the very least we all can do is to be open and honest about errors in the
> system and the actions taken to prevent the same accident from happening
> twice.

I totally agree with that. That also means being open and honest about all
contributing factors to these crashes.

~~~
hn_throwaway_99
I've read all your responses in this thread, and to be honest, I don't really
understand what point you're trying to make. I don't really see anyone else
arguing against the fact that there are things that the 2 crews could have
done to not crash the plane, and that their actions contributed to the crash.
But is there something you disagree with in the following?

1. In a safety critical system design, any change that results in fallible
humans being more likely to crash their plane into the sea means the fault
lies with the system, not the individuals.

2. I think people are (rightfully IMO) so angry with Boeing because so many
of their actions look like they were cost-saving measures. If the system
worked exactly as it did, but Boeing had been very clear about the difference
in handling MCAS caused, which would likely have required recertification and
additional retraining of pilots, I think people would have at least been
somewhat more sympathetic. But it looks like so many of the MAX design
constraints were driven by the bean-counter directive of "don't do anything
that would require recertification", and that's why people are pissed.

~~~
WalterBright
> that their actions contributed to the crash ... the fault lies with the
> system, not the individuals

I believe these two statements are contradictory. The pilots were a
contributing factor to the crashes. This needs to be investigated to determine
why they did not respond appropriately, and corrective action taken. In
addition to Boeing correcting the MCAS system, and the maintenance issues.

All contributing factors must be accounted for.

> I think people are (rightfully IMO) so angry with Boeing because so many of
> their actions look like they were cost-saving measures.

Some of this anger seems to stem from inaccurate, incomplete, and
sensationalist reporting, such as the cost saving one. The problems with MCAS
were in the software requirements for it. Not bugs in the software, not
outsourcing the programming, not in the design of the airframe, etc. The fix
is in the software, too. Using the correct software rules in the first place
would have cost the same amount of money. Having the MCAS software compare the
two independent AOA sensor readings would not have cost more money.

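The dual-sensor cross-check described in the comment above (and the non-redundant AoA point raised earlier by hef19898), written out as an added illustration: this is not Boeing's code, the thresholds AOA_TRIGGER_DEG and AOA_DISAGREE_DEG are made up for the example, and the sensor values are constructed. It places the single-sensor decision beside a version that refuses to command trim when either vane is implausible or the two disagree.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical thresholds chosen for illustration; they are not the real MCAS
   parameters and stand in for whatever the requirements specification fixes. */
#define AOA_TRIGGER_DEG      12.0  /* AoA above which augmentation would act      */
#define AOA_DISAGREE_DEG      5.5  /* largest split tolerated between the vanes   */
#define AOA_PHYSICAL_MAX_DEG 90.0  /* a vane cannot physically report beyond this */

typedef struct {
    double angle_deg;  /* angle of attack reported by one vane */
    bool   valid;      /* health bit from the sensor's own self-test */
} AoaSample;

typedef enum {
    CMD_NO_ACTION,        /* AoA normal: leave the stabilizer alone                 */
    CMD_NOSE_DOWN,        /* augmentation active: trim nose down                    */
    CMD_INHIBIT_INVALID,  /* a vane failed self-test or is out of range: stand down */
    CMD_INHIBIT_DISAGREE  /* vanes disagree: stand down and annunciate to the crew  */
} TrimCommand;

static double abs_diff(double a, double b) { return a > b ? a - b : b - a; }

/* The range check also rejects NaN, since every comparison with NaN is false. */
static bool sample_plausible(const AoaSample *s) {
    return s->valid
        && s->angle_deg >= -AOA_PHYSICAL_MAX_DEG
        && s->angle_deg <=  AOA_PHYSICAL_MAX_DEG;
}

/* Single-sensor logic: the one vane is taken as ground truth, so a vane stuck
   high keeps this function commanding nose-down trim on a healthy aircraft. */
TrimCommand single_sensor_command(const AoaSample *only) {
    return only->angle_deg > AOA_TRIGGER_DEG ? CMD_NOSE_DOWN : CMD_NO_ACTION;
}

/* Cross-checked logic: both vanes must be plausible and must agree before
   nose-down trim may be commanded. Every doubtful case fails safe to inaction. */
TrimCommand cross_checked_command(const AoaSample *left, const AoaSample *right) {
    if (!sample_plausible(left) || !sample_plausible(right))
        return CMD_INHIBIT_INVALID;
    if (abs_diff(left->angle_deg, right->angle_deg) > AOA_DISAGREE_DEG)
        return CMD_INHIBIT_DISAGREE;
    double aoa = (left->angle_deg + right->angle_deg) / 2.0;  /* agreeing vanes: average */
    return aoa > AOA_TRIGGER_DEG ? CMD_NOSE_DOWN : CMD_NO_ACTION;
}

int main(void) {
    /* Constructed scenario: left vane stuck at 60 deg, right vane shows normal flight. */
    AoaSample left  = { 60.0, true };
    AoaSample right = {  4.0, true };
    printf("single sensor : %d (1 = nose down)\n", single_sensor_command(&left));
    printf("cross-checked : %d (3 = inhibited, vanes disagree)\n",
           cross_checked_command(&left, &right));
    return 0;
}
```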
------
throw7
When the FAA Chief of Aviation Safety says there was "nothing he could have
done", that is a sign of deep systemic problems where someone else is to blame.

------
V_Terranova_Jr
I'm an Aerospace Engineer, currently working for the U.S. Gov, but have spent
time on the Industry side. I don't have a thesis per se after reading this,
but several thoughts:

- I don't think it's unfair to vilify Boeing's accumulated divergence from
"doing the right thing". On the other hand, it's quite sad that it takes
significant events like this to force anyone to act against the long-term
pressure of corporate behavior that leads to such events.

- As per a thread I had with WalterBright,
https://news.ycombinator.com/item?id=21037522, I agree Airbus has a number of
significant flaws in their vehicle management systems for which there has been
insufficient criticism and action.

- It's not easy being on the side of the gov/regulators. There is continuous
pressure from industry, and from up the management/political chain, to be a
cooperative partner. Especially in light of how quickly industry can execute
tasks, it's very hard to say "we need to take a pause" or "we need to go back,
do some more homework, and be deliberative about this". If the gov/regulator
is excessively slow, there are concrete costs that industry incurs. These
realities, with the continued pressure, have trended in the U.S. to lead to
ultimately less effective oversight.

- The U.S. Government insufficiently values in-house technical expertise. In
the aerospace realm, NASA is the principal exception. But within the DoD and
FAA, while there is technical expertise, much heavy-duty technical lifting
is done by FFRDCs (e.g., Aerospace Corp., MITRE's CAASD, the national labs) or
UARCs (e.g., Johns Hopkins Univ's Applied Physics Lab). In my view, the DoD
and FAA should build in-house engineering capability sufficient to properly
oversee and advise major programs without having to outsource as much as they
do. You cannot do an effective job overseeing complex engineering developments
if you are insufficiently technically-competent. The DoD is starting to
realize this and places like AFRL are starting to swing back toward that
direction, but there's a very very long way to go. If you are going to
effectively push back against industry pressure, you have to be equipped to
make strong technical arguments, not just appeals to precedent or vague
statements about risk.

- If you can find people with the right mindset and competence levels, it's
better, in my view, to have ex-Industry engineers working for the government.
Those that go straight from school to government don't often have direct
experience as practitioners, and as per my previous point, that often makes
them less effective than they could be.

- "Follow the plan," from the article, sounds exactly like what I've heard
from Boeing. The article captured well the context and implications of that
kind of talk.

- "... engineers had to accept that they were no longer the center of the
universe" really resonated with my own experience at another (non-Boeing)
large American aerospace company. I was told by the man in charge of a major
subsystem discipline that "engineering is out of favor [with the company
management]". He was an engineer and on the side of engineers, he was just
telling it the way it was. I couldn't believe what I heard then, and decades
later, still can't believe it. How can engineering be "out of favor" in a
company that specifically engineers systems at the edge of what humans can
accomplish in hardware? I think you will find most large American aerospace
companies helmed by people who really see no irony in making statements like
that.

- The aerospace industry is not one I would encourage my children to work in.
I'm driven heavily by my passion for aerospace - it's an integral part of my
identity. But it's really hard in industry to find job security, avoid rampant
pigeonholing, avoid corporate mistreatment, work on multiple well-executed
flight programs in your career (the equivalent of "shipping" software), and
generally work somewhere where there is a strong corporate motivation to "do
the right thing". It's a lot harder than in software for the corporate culture
to not permeate everything around you because of how capital-intensive the
field is. Also, the U.S. Government sucks as a customer, which makes it harder
for small companies to thrive in the field. The job security issue can go away
if you work in government, but then your ability to be an implementer (why a
lot of people become engineers) also diminishes.

------
ReptileMan
>Boeing instructed pilots to deal with excessive downward pitching

That is my favorite newspeak so far.

~~~
EddieCPU
@ReptileMan >> Boeing instructed pilots to deal with excessive downward
pitching

> That is my favorite newspeak so far

Going by the faded out aspect of your post, someone here doesn't like you
quoting facts.

