
U.S. FAA proposes requiring key Boeing 737 MAX design changes - rbanffy
https://www.reuters.com/article/us-boeing-737max-idUSKCN24Z2HK
======
Nacdor
Given the option, would anyone choose to book a trip on one of these new
Boeing aircraft rather than anything else? I know I wouldn't, my family
wouldn't, and none of the friends or co-workers I've discussed this with
would.

Something tells me airlines are going to be making it even more difficult to
determine which aircraft you'll be flying on when you book a ticket. As far as
I know they're not required to tell you, nor are they required to use the
aircraft listed at the time of booking (they can swap it at the last minute if
they want).

~~~
shajznnckfke
Even though this model has big design flaws and a relatively bad safety
record, the absolute level of risk is still pretty low. I knowingly expose
myself to larger risks in my day-to-day life. So I won’t lose any sleep over
booking a flight on this type of plane.

~~~
dimitrios1
This is not a good argument.

You can control this level of risk. Taking on any unnecessary risk when you
don't have to is not a wise choice.

~~~
TylerE
How are you getting to the airport? However the method, it's far more likely
to injure you than flying on a 737 MAX.

~~~
shock
> However the method, it's far more likely to injure you than flying on a 737
> MAX.

That depends. If you take a bus to go to the airport and it takes you an hour
to get there, then your flight also lasts an hour (for simplicity's sake), you
are almost 3 times more likely (on average) to die during the flight than you
are during the bus ride [0]. In terms of number of journeys by plane and bus,
for the same number of journeys you are 27 times more likely to die in a plane
accident.

People repeat the "plane is the safest way to travel" mantra, but it's only
true in terms of nr. of km traveled.

[0] -
[https://en.wikipedia.org/wiki/Aviation_safety](https://en.wikipedia.org/wiki/Aviation_safety)

~~~
curryst
Measuring the risk of travel in terms of hours seems largely pointless, unless
I'm missing something. It equates an hour bus ride with an hour plane ride,
which are not interchangeable, so it makes sense that the associated risks are
also not interchangeable.

You could account for the additional time it takes to go on a bus to adjust
for the longer duration of risk, but at that point it seems like you're just
approximating for risk per km.

~~~
caconym_
I think it makes a lot more sense to look at risk per time, because it's
basically the same thing as risk per trip, and that's what I really care
about.

If you tell me I can fly to Mars in a few days on a brachistochrone torchship
and it's safer per mile than any other mode of transport, you may be right,
and a few days cooped up in a cramped cabin might be a small price to pay for
such an exotic vacation destination, but that risk calculus is really very
misleading. The distance involved is so vast that per mile it could be an
absurdly low figure by any terrestrial standard while still carrying an
absurdly high (by the same standards) risk of death during the trip.

In other words, if the odds are e.g. 1 in 10 that the trip will kill me, I
don't give a shit how low the risk per mile is.

~~~
apendleton
This seems like a mode of comparison that's disconnected from actual utility.
The distance comparison lets me consider a scenario like "I live in
Washington, DC. I want to go to New York. I can choose to either get there by
plane or car, and I want to know which is safer." This seems like a real,
sensible thing to contemplate.

The time comparison is "I live in Washington, DC and want to go... to wherever
it is that happens to be an hour away from me by whatever mode of transport I
happen to be using (so, either New York or someplace outside of Baltimore) and
I want to know which is safer"... but I can't for the life of me fathom why
the second is a tradeoff anyone would actually be forced to consider. People
generally travel with the objective of getting from some specific place to
some other specific place.

~~~
ponker
This assumes that people decide the destination before deciding the mode of
transport. In my experience this isn't true, specifically with the 737 MAX. I
had a 4-night trip booked with my family to Seattle from San Francisco on a
737 MAX and cancelled it when all that shit went down. Rather than driving
that weekend to Seattle we drove to Yosemite because I wasn't going to drive
12 hours to Seattle. In terms of total travel time (time to drive to airport,
check in, and fly) the travel time was about the same to Yosemite as to
Seattle but the mileage was obviously much less.

------
mathogre
That's bullshit. The MAX aircraft are not the same as the earlier 737 line.
These should be completely certified as new aircraft, and my guess is they
would fail real certification. The required "design changes" are nothing. Not
only would I not want to fly on one of the MAX aircraft, I wouldn't want to
live underneath a procedure - departure, airway, approach - used by a MAX.

Go for it. Let them fly. 'Boeing has built so many, we can't let them fail!'
Uh huh. Political Sunk Cost.

~~~
ryndbfsrw
Add to this the meta-problem this creates. Right now, there's trust in the
industry to not cut corners which is one of the reasons so many choose to fly.
If that trust erodes (even slightly) it is difficult to gauge what the impact
would be. I remember an AA exec saying they make their profit on the last 4/5
people per flight. Combo of thin margins, high gearing and the industry is
exposed to even small shocks in demand.

------
kevin_thibedeau
They need to implement triple redundant AOA indicators. It's obscene that
these failure modes are even possible much less approved. Knowing there is a
disagreement just lets you know you are close to being fucked.

~~~
imglorp
Triple is not needed, just double with a redundant "disagree" alarm.

Once the pilot knows there's one bad AOA, they can lock out the bad one as an
input to the autopilot/MCAS, or hand fly without automation. Of course this is
all a bunch of new software and training though.

~~~
Someone1234
> they can lock out the bad one as an input to the MCAS

The 737 MAX didn't support that as delivered.

Even with the warning (which some US airlines paid for), you couldn't "lock
out the bad one" even assuming you knew which one that was (you don't). All
_you_ could do is disable the electronic horizontal stabilizer completely, so
that MCAS couldn't command it into a dangerous and unrecoverable state.

MCAS has been fixed, in the sense that it won't command continuously bad trim
inputs until the aircraft is unrecoverable when bad AOA data is provided, but
ultimately the aircraft either needs to be designed around trustworthy AOA
data (i.e. triple) or untrustworthy (i.e. double, even with the warning).
Half measures are exactly how we got to this point, with two crashes.

Both answers are actually acceptable. A lot of completely safe aircraft have
untrustworthy AOA inputs, the key there though is that automated systems are
designed around that assumption. MCAS had too much flight authority to be
linked to untrustworthy inputs.

~~~
LoSboccacc
> Half measures are exactly how we got to this point

also they increased the maximum stabilizer angles MCAS could command, the
review/certification was done with a 0.6 cap (effective but not overwhelming)
and on production it was increased to a whopping 2.5 degrees.

it was also meant to be using vertical acceleration to understand whether the
plane was actually stalling, but that trigger was removed

it was also supposed to operate slowly enough to let people catch up with its
operation and be able to disconnect it in case of a runaway trim, but the
increased angle required to move the stabilizer faster

I don't know the exact English term for this kind of iterative failure of
people communicating changes to each other assuming they are both fixing a
problem, instead making it worse, but it's not just like they were doing half
measures, they were each tuning their systems in silos, without considering
cross system functionality from each system behavioral changes

~~~
salawat
Impedance mismatch I believe they call that in the Electrical Engineering
world. If you don't match up your output characteristics to the specified
input characteristics of the next circuit element, you're hosed.

------
cockpitherald
This proposed AD would require installing new flight control computer (FCC)
software, revising the existing Airplane Flight Manual (AFM) to incorporate
new and revised flight crew procedures, installing new MAX display system
(MDS) software, changing the horizontal stabilizer trim wire routing
installations, completing an angle of attack sensor system test, and
performing an operational readiness flight.

[https://kokpitherald.com/faa-releases-737-max-review-propose...](https://kokpitherald.com/faa-releases-737-max-review-proposes-key-design-changes/)

~~~
stx
Why not include a secondary angle of attack sensor? From what I hear some
military aircraft have 4 of them in case of failure. I do understand that the
bigger issue was not just that the angle of attack sensor failed but that the
crew was not informed of how to handle the failure.

~~~
stefan_
They have two AOA sensors. In a particular stroke of genius, the MCAS system
would select one randomly at boot and use it exclusively (so you have twice
the failure rate of a single sensor and no benefits from an extra one).

And the AOA disagree system the FAA "proposes" installing? That was already an
optional extra.

~~~
refurb
Maybe I need to brush up on my probabilities, but why would you have twice the
failure rate?

If each sensor failed 5% of the time and the sensor was chosen at random,
wouldn’t the failure rate be the same?

~~~
mantap
Imagine flipping a coin. Your chance of tails is 50%. What is your chance of a
tails if you flip two coins? It's now 75% clearly (TT, HT, TH but not HH).

Now imagine it's not a coin but a normal distribution. If you sample from it
twice then take the minimum of your samples, the chance that the minimum is
below the mean is 75%. Just the same as with the coin but in another context.

Obviously the time-before-failure is not normally distributed, nor are the
sensors completely independent random variables. But the chance of failure of
_the system_ will be higher than one sensor, not double exactly but higher.

~~~
refurb
_What is your chance of a tails if you flip two coins?_

Thanks for explaining, but my understanding is the computer only looks at one
sensor at a time, it doesn't look at both.

------
Animats
That's a fairly mild fix. The FAA could have required that the MCAS system
meet the requirements for a full authority fly-by-wire system.

Boeing built an unstable airplane, then tried to fix it with a tweak to a
non-redundant auto-trim system. If this was a full fly by wire plane, like the 777
and later, or the Airbus 320 and later, there would be much more sensor and
compute redundancy. Plus the fly by wire system has more awareness of the
overall flight situation.

------
Freaken
Noob question here: Since, if I get this correctly, all these changes will
require new pilot training, why is the MCAS still needed?

My understanding was that this system was installed in order for the new plane
to behave exactly like the old one therefore not requiring costly additional
pilot training.

~~~
linuxftw
> why is the MCAS still needed?

Because Boeing and the FAA are talking out of both sides of their mouth. The
planes aren't safe to fly without MCAS, MCAS is unreliable, so the solution is
to disable MCAS whenever the plane determines it's best, even if it's going to
be highly detrimental to safely operating. We still don't have ANY data on
flying the planes safely without MCAS. We only have data on planes where MCAS
fails, and those planes crashed.

~~~
bkor
MCAS is only supposed to activate in extreme circumstances. The planes are
perfectly safe to fly and capable of flying without MCAS working.

I think you need to read up on MCAS a bit more.

~~~
salawat
No, they really don't. The prescriptive testing requirements are both clear,
and written in blood. If you can't handle those extremes in the prescribed
manner, you don't carry the flying public.

The regulation is clear cut, and unambiguous in that regard. Furthermore, the
crashes that occurred happened because a system that is only supposed to kick
in at the extremes did so in non-extreme situations repeatedly due to GIGO
(Garbage In, Garbage Out), and to disastrous effect.

I welcome you to look at the FDR telemetry curves for the two flights. The AoA
measurement for one of them was 70-80 degrees if I recall, the other was 20ish
degrees offset from where it should have been.

------
zaroth
[https://www.faa.gov/news/media/attachments/19_035n-R3-8-3-20...](https://www.faa.gov/news/media/attachments/19_035n-R3-8-3-20.pdf)

> "To address the unsafe condition, the FAA proposes to require four design
> changes: (1) installing updated flight control software (with new control
> laws) for the FCC operational program software (OPS), (2) installing updated
> MDS display processing computer (DPC) software to generate an AOA disagree
> alert, (3) revising certain AFM flightcrew operating procedures, and (4)
> changing the routing of horizontal stabilizer trim wires."

> "The first design change is intended to prevent erroneous MCAS activation.
> The second design change alerts the pilots that the airplane’s two AOA
> sensors are disagreeing by a certain amount indicating a potential AOA
> sensor failure. The third design change is intended to ensure that the
> flightcrew has the means to recognize and respond to erroneous stabilizer
> movement and the effects of a potential AOA sensor failure. The fourth
> design change is intended to restore compliance with the FAA’s latest wire
> separation safety standards."

Notably the FAA does not require a 3rd AoA sensor, but simply for software to
monitor both sensors, compare the values, and if they disagree beyond a given
threshold, to light an "AoA Disagree" lamp and disable MCAS for the remainder
of the flight.

MCAS will also only be allowed to activate one time per "High AoA" event. The
AoA sensors must return to a normal range before MCAS is allowed to activate
again.

Finally, they must limit the maximum MCAS command authority within a set range
so that manual control can always maintain altitude, whereas previously MCAS
would command horizontal stabilizer adjustments without any regard to the
current position.

It seems that in an AOA DISAGREE situation, the flight is still permitted to
take off.

In my non-expert summary, they seem to be doing the absolute minimum amount of
work possible to "address" the problem, and dodge completely the fundamental
contradiction of why one would implement an unreliable-by-design MCAS system,
hobble the control authority of that system, and further, permit flight when
that system is known to be disabled.

In light of these admissions, I cannot comprehend why the MCAS system exists
at all, and how the added complexity (variance in airframe operation) is worth
any possible benefit.

In Elon-speak, the best part is no part. The best system is no system. So if
you admit you can fly without it, why leave something in which is
unpredictable, unreliable, and already proven to be deadly?

EDIT: The total cost of compliance for applying these changes to 73 existing
airframes is estimated to be ~$1 million, 70% of which is the wiring harness
change. <s>The software change itself seems to amount to about 20 lines of
code, so let's call it $20 million.</s> Sorry, this seems like an absolute
joke, and right now I'm pretty angry that this is what they came up with after
"60,000 hours of review".

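The cross-check, single-activation and authority-cap rules summarized in the comment above can be sketched as a small state machine, run next to the single-sensor behaviour other commenters in the thread describe. This is an added example, not part of the original post and not Boeing or FAA code; every threshold, name and sensor trace in it is a constructed assumption.

```python
from dataclasses import dataclass

# Every numeric limit here is a constructed placeholder; the thread and the
# quoted FAA text give no values for them.
DISAGREE_THRESHOLD_DEG = 5.0    # assumed limit for the AOA DISAGREE alert
HIGH_AOA_DEG = 12.0             # assumed start of a "high AoA" event
NORMAL_AOA_DEG = 8.0            # assumed "back in normal range" level
TRIM_PER_ACTIVATION_DEG = 1.5   # assumed nose-down trim per activation
MAX_TOTAL_TRIM_DEG = 2.0        # assumed cap on cumulative authority


def single_sensor_trim(samples):
    """Simplified model of the pre-fix behaviour described in the thread:
    one sensor is trusted, and trim is commanded again on every sample
    that still reads high. Returns total nose-down trim in degrees."""
    total = 0.0
    for aoa_left, _aoa_right in samples:
        if aoa_left >= HIGH_AOA_DEG:
            total += TRIM_PER_ACTIVATION_DEG
    return total


@dataclass
class Output:
    trim_cmd_deg: float     # nose-down trim commanded for this sample
    aoa_disagree: bool      # state of the AOA DISAGREE alert
    mcas_available: bool    # False once inhibited for the flight


class CrossCheckedMcas:
    """The three rules from the comment: compare both sensors and latch
    off on disagreement, fire once per high-AoA event, cap authority."""

    def __init__(self):
        self.inhibited = False      # latched for the remainder of the flight
        self.armed = True           # may fire on the next high-AoA event
        self.total_trim_deg = 0.0

    def step(self, aoa_left, aoa_right):
        if abs(aoa_left - aoa_right) > DISAGREE_THRESHOLD_DEG:
            self.inhibited = True
        if self.inhibited:
            return Output(0.0, True, False)
        # Assumption: an event starts only when both sensors read high.
        if self.armed and min(aoa_left, aoa_right) >= HIGH_AOA_DEG:
            self.armed = False
            cmd = min(TRIM_PER_ACTIVATION_DEG,
                      MAX_TOTAL_TRIM_DEG - self.total_trim_deg)
            self.total_trim_deg += cmd
            return Output(cmd, False, True)
        # Re-arm only after both sensors are back in the normal range.
        if not self.armed and max(aoa_left, aoa_right) <= NORMAL_AOA_DEG:
            self.armed = True
        return Output(0.0, False, True)


def run(samples):
    """Feed a trace of (left, right) AoA samples through a fresh monitor."""
    mcas = CrossCheckedMcas()
    return [mcas.step(left, right) for left, right in samples]


# Constructed traces of (left, right) AoA in degrees, one tuple per sample.
FAULTY_LEFT = [(4.0, 4.0), (74.5, 4.2), (74.5, 4.5), (74.5, 5.0), (5.0, 5.0)]
GENUINE_HIGH = [(5.0, 5.2), (13.0, 12.6), (14.0, 13.5),
                (7.0, 7.1), (13.0, 12.8), (13.2, 13.0)]

if __name__ == "__main__":
    print("single sensor, faulty left:", single_sensor_trim(FAULTY_LEFT))
    for out in run(FAULTY_LEFT):
        print(out)
    print("cross-checked, genuine high AoA:",
          [o.trim_cmd_deg for o in run(GENUINE_HIGH)])
```

On the faulty trace the single-sensor model keeps adding trim while the cross-checked one commands none and stays inhibited even after the sensors agree again, which is the "disabled for the remainder of the flight" trade-off the replies below argue about.
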
~~~
henryfjordan
> disable MCAS for the remainder of the flight.

My understanding is that the MCAS or something equivalent is necessary on the
737 MAX because the engines sit lower than they really should and the forward
propulsion creates torque that raises the nose of the plane. Something needs
to counteract that force.

If the MCAS is disabled, is the pilot able to trim the airplane manually
similar to how MCAS works? Or will they have to just kinda hold the nose down
with the main steering controls?

~~~
karmelapple
This might be oversimplification, but I'll venture it and hope someone
corrects me if I'm wrong:

If MCAS is disabled, then the airplane will fly very differently from the 737s
that everyone with an existing 737 flight rating is used to.

So the plane can fly, but it'll feel different.

And that sure does seem like a problem to get back safely to the ground.

~~~
tzs
MCAS only kicks in at high angle of attack with the flaps up. I believe that
most flights never come near having it activate.

If it disables due to faulty sensors and the pilots are told it is disabled,
most flights won't have to do anything different at that point. The plane will
handle just like it normally does.

If there are flights that are supposed to have maneuvers that would trigger
MCAS, pilots are going to need to be trained to avoid those maneuvers when
MCAS is disabled.

~~~
tgsovlerkhgsel
But if a MCAS failure and an unexpected unusual attitude does line up, there
will be another crater.

~~~
linuxftw
This seems to be the part that everyone's missing. "Oh, this rarely happens"
is ambiguous, we don't have any data on how often MCAS operated correctly
during flights.

Also, in events that 'rarely happen' one of which is approaching a stall
(according to the FAA's report), is it safe to disable the system in the
actual scenario when encountered? It doesn't seem so. I can't see how both
"Need this system for extremely rare scenario" and "Disabling this system
because scenario is extremely rare is okay" can both be true.

~~~
tgsovlerkhgsel
> I can't see how both "Need this system for extremely rare scenario" and
> "Disabling this system because scenario is extremely rare is okay" can both
> be true.

The benevolent interpretation is:

a) the plane being in a situation where the system is required is rare, but
frequent enough that the risk wouldn't be acceptable without MCAS.

b) MCAS breaking is rare, but frequent enough that we can't allow it to fly
the plane into the ground when it does (as has been demonstrated).

c) Both things happening at the same time is so exceedingly rare that a crater
is an acceptable outcome, just like we accept that all engines simultaneously
failing at the same time during take-off will likely result in a crash.

(compare:
[https://commons.wikimedia.org/wiki/File:FAA_8040.4B_Risk_mat...](https://commons.wikimedia.org/wiki/File:FAA_8040.4B_Risk_matrix.svg))

That said, I hope EASA takes a very close look instead of blindly trusting the
FAA again...

~~~
linuxftw
These are fair points, but the FAA report used the wording "extremely rare"
(or similar) instead of a concrete quantity, and I find that extremely
reprehensible. As we all know, "extremely rare" needs to be quantified. There
are 44k flights in the US alone every day (pre COVID).

> MCAS breaking is rare

This is the part I'm not particularly inclined to agree with. The scenario is
no longer breaking, it's breaking OR disabling. There are a host of new
conditions that will result in MCAS being disabled according to the report.
Some of these conditions disable MCAS for the remainder of the flight, and the
way that I read the scenarios, it's certainly possible for these conditions to
stack together.

Reading the report gives the impression that the FAA is completely
incompetent. They didn't specify any rate of failure or disabling of MCAS, and
the 'failure scenarios' that are proposed to be carried out in the near future
are lacking in exposing these disabled scenarios.

Also, the FAA stated in the report that the plane handles similar to the 737
NG when STS is disabled; however, the MCAS automation disables MCAS and STS.
There is no information about the rate at which STS has been disabled in
flights in NGs, and no comparison on how disabling STS during the 'near stall'
portion of a 'rare event' behaves in those planes.

They wrote this long-winded document that's almost entirely devoid of
meaningful factual detail. It reads like a Boeing PR piece if I've ever seen
one.

------
jmann99999
Given the upcoming Microsoft Flight Simulator 2020 release, I wish it could
provide us non-commercial flyers with a simulation of the flight controls
under the specific events that cause failure in the Max 737.

I realize the subject isn't something a corporation would touch or code for,
nor do they have a 737 in the lineup for 2020, but it would provide me with
better understanding of the problem.

~~~
xvf22
Given that the 737 isn't fly by wire the forces needed to operate the controls
are something critical that a home sim isn't going to be able to model.

~~~
morganw
Watch how much effort it takes to adjust trim with the motors disabled
[https://youtu.be/xixM_cwSLcQ?t=1106](https://youtu.be/xixM_cwSLcQ?t=1106)

It's good that MCAS will now disable itself without having to disable the trim
motors completely. I wish they'd just taken the hit on a new type rating and
given up on MCAS completely after the failures. Perhaps new 737 pilots could
get training on NG and MAX at the same time?

One thing I'm not seeing much discussion of today (though it was addressed in
previous posts about the MAX) is the development process issues that led to
the problems in the first place. Some blame it on
post-McDonnell-Douglas-merger penny-pinching, non-engineer-indulging managers. Whatever it was, the
investigation should have resulted in not just plane modifications, but
company ones.

~~~
ummonk
The type rating is not the reason for MCAS. MCAS is there to make the aircraft
satisfy certain stability requirements mandated for all planes by the FAA to
prevent an inadvertent stall.

So even with a new type rating, MCAS would still be needed unless the airframe
were massively redesigned.

------
cm2187
Boeing and the FAA. Feels like an old couple that has to live under the same
roof, so it is broken dishes and shouting all day long.

~~~
jonathanliu
FAA was the battered spouse until Boeing had those two very public crashes.
Thanks regulatory capture.

~~~
yborg
In a way, it's fortunate that the two MAX crashes happened overseas. If they
had happened in the US, Boeing could have used its regulatory leverage to
cover up the problem for a few more crashes.

~~~
jonathanliu
Hmm I wonder how true that is (I have no personal experience/knowledge). I
feel like two large crashes would get a very hard look by the NTSB.

------
onde2rock
Hum, it doesn't seem like a lot.

Maybe I'm missing something, but looks like a software update to make MCAS more
robust. And if it bugs, raise an alarm and flight-crew operating procedures
should be (?) to deactivate MCAS and fly without?

Could pilots actually fly the plane without MCAS? It must feel like an
entirely different aircraft.

~~~
rootusrootus
> It must feel like an entirely different aircraft

No, if MCAS is disabled then the vast majority of the time it will fly just
like normal. MCAS is only there to adjust flying characteristics when the wing
is at a high angle of attack.

~~~
linuxftw
> only there to adjust flying characteristics when the wing is at a high angle
> of attack.

No, that's a Boeing talking point. It's there to prevent the aircraft from
stalling, not to 'adjust flying characteristics.' The nose pitches up during
high thrust, MCAS kicks in to counter what the pilot is doing (stick and
thrust) so the plane doesn't stall.

~~~
rootusrootus
All planes with low mounted engines (read: most current jet airliners) pitch
up with increased thrust. It's not controversial, and pilots deal with it
routinely. MCAS does not activate under normal flight conditions.

~~~
linuxftw
> MCAS does not activate under normal flight conditions.

This is entirely the problem. If MCAS operates, you're already doing something
wrong. It was required in the first place because the likelihood of pilots
doing something wrong is high. Now, instead of MCAS backing up the pilot's bad
decision making, it might cut out at a critical moment.

We already know that Boeing revised (increased) the authority of MCAS without
notifying the FAA because testing found the MCAS to be inadequate initially.

You can't simultaneously need MCAS and be okay with it being disabled
intermittently. Those two things are directly at odds.

------
thanatos519
What really needs design changes? Boeing's organization! This is going to keep
happening until it is restructured to take safety seriously again.

------
inamberclad
Their requirement is to make the AoA disagree light standard? Wow that's next
to nothing.

For those that don't remember, the AoA disagree light is an optional,
costs-extra safety feature on this model.

How about we add a big fat MCAS disengage button to the yoke instead, and make
it separate from the trim cutout switch?

~~~
tgsovlerkhgsel
Or repurpose the _existing_ second trim cutout switch... (AFAIK there are two,
that used to serve different purposes, and are now both left in to keep the
same type rating).

~~~
toast0
Yes! If this was available, at least the second crash seemed likely
preventable given the timeline of events. I didn't read the timeline for the
first one.

~~~
salawat
Relevant article:

[https://www.seattletimes.com/business/boeing-aerospace/boein...](https://www.seattletimes.com/business/boeing-aerospace/boeing-altered-key-switches-in-737-max-cockpit-limiting-ability-to-shut-off-mcas/)

That would allow a pilot to put the plane in a configuration for which it is
not certified to transport passengers, however, and the triggering thereof
should always be deemed an emergency if we're going to take our regulations
with any level of seriousness.

~~~
toast0
That article has opposing viewpoints on if it would be a good idea.

But, imagine if the switches were as before --- the left turns off automation
control of electric trim, and the right turns off all electric trim. In that
case Boeing's notice for what to do in case of MCAS failure would be turn off
the left switch and then they'd have advice about how immediate the need to
land is. As opposed to their notice which was insufficient for Ethiopia Air
pilots because they weren't able to trim the stabilizer manually and tried
reenabling electric trim and MCAS continued to be broken.

Hopefully the MCAS changes described will be sufficient to prevent it from
causing more crashes, and Boeing has republished a procedure to gain manual
control by easing off the yoke temporarily, but it still seems to me that
providing electric trim without automation input, as was available before (but
never suggested to be used) would provide an additional tool for pilots in
exceptional circumstances.

------
heyflyguy
I thought for sure an SFAR would be the result, but they should count
themselves lucky as hell that it was only an AD.

I'm not usually in the group hating on big corporations but in this case it
may be simply because Boeing is a behemoth.

------
josemanuel
I wonder what EASA will do..

~~~
jacquesm
Run their own evaluation and make their own set of recommendations. With some
luck they will not be incompatible with each other.

~~~
sgc
My guess is their evaluation is somewhat in parallel and at least some
communication existed before this proposal was made. Thus I expect their
requirements to be largely compatible with this proposal.

------
bedhead
Can we just scrap this thing and move on already? Isn’t all of this
back-and-forth alone evidence that this thing shouldn’t be flying?? It’s over, Boeing,
you lose.

~~~
valuearb
Because it’s far cheaper to make them safe than to trash them. The problem
isn’t the basic airplane, it’s the short shrift Boeing gave the safety
systems.

~~~
dmead
that is not the commonly held interpretation of this my dude.

