
Boeing Built Deadly Assumptions into 737 Max, Blind to a Late Design Change - razin
https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html
======
tomglynch
I posted this as a comment the other day in another Boeing and MCAS
discussion.

In my research into the topic the saddest bit of information I've seen is the
image of the black box data for the flight (the first crash):
[https://i.imgur.com/WJuhjlO.png](https://i.imgur.com/WJuhjlO.png) You can see
from the graph that in the final minutes and seconds, the pilot put insane
amounts of force on the control column (aka the yoke) to try to pull the plane
out of the dive - to save the 189 people on board. But no, MCAS was
overpowering and lacked the documentation for the pilot to try anything else.

Also interesting to see is the number of times the pilots bring the nose up,
only for MCAS to kick in and force the nose back down. 26 times.

All data from this Seattle Times article, which was written before the second
crash occurred: [1] [https://www.seattletimes.com/business/boeing-aerospace/black...](https://www.seattletimes.com/business/boeing-aerospace/black-box-data-reveals-lion-air-pilots-struggle-against-boeings-737-max-flight-control-system/)

~~~
sirsuki
If the pilots were putting that much force on the yoke it is pretty apparent
that the pilots really truly wanted the plane to do what they asked of it.

I am curious what scenarios drove the designers of the plane to assume that
the human in the seat really has no idea what they are doing. Was ignoring the
wishes of the pilot an attempt to prevent a crazed, irresponsible and
unlicensed idiot from doing something? These are trained humans; why does the
computer totally ignore their efforts?

~~~
sorisos
Perhaps a related crash [0], where the autopilot was disabled because it was
listening to user input, in this case a child.

[0]
[https://en.wikipedia.org/wiki/Aeroflot_Flight_593#Accident](https://en.wikipedia.org/wiki/Aeroflot_Flight_593#Accident)

~~~
CydeWeys
Oooof. Well the real lesson there is that unqualified people (especially
children) shouldn't be in the cockpit of an airliner at all. Autopilot can't
be made smart enough to determine if the person operating the controls
actually knows what they're doing, and thus to follow/ignore them as
appropriate.

~~~
Ntrails
I mean, pick your poison. Either the humans are more reliable or the computers
are. Either way is subject to some level of fallibility.

~~~
sean2
The wikipedia article calls out that the compounding sequence of issues
started when autopilot was silently disabled, so the human system was in
control when the pilots did not intend it to be.

I think the critical issue in both cases is that the wrong system was in
control against the pilots' wishes.

So, the pilots can pick my poison based on their training and best judgement
(and maybe not put their children in control?).

------
kejaed
I really see this as a failure of the Systems Engineering process. With so
many people unaware of the impacts of the changes, it’s up to the systems
types to have the big picture view and make sure these sorts of things are
taken into account.

Especially if as the article says a failure of the AOA sensor on the system
would be Hazardous (looks like it was Catastrophic when paired with MCAS in
retrospect), that would have made the functional Design Assurance level for
this system DAL B, which adds enough rigour not only in the software
development process but so much before you even get to that in terms of Safety
Assessments and ESPECIALLY change impact analyses when the function changes.

For sure there may have been pressure from management to keep MCAS out of the
manual, but it’s not really up to the regulatory agency to be experts on the
aircraft design; if things are being hidden by the company then I’d consider
this bordering on professional misconduct on the parts of the engineers
overseeing this work.

I say this as a Professional Engineer working as an aerospace systems
engineer.

~~~
kejaed
Thinking about this a little more, I also see a failure here in terms of
naming things, which I have noticed in my career can be scoffed at but is so
important.

As the article says, the function of MCAS changed and its operational envelope
was greatly expanded. What if, internally at least, the new system was
referred to as MCAS2?

This is somewhere that things can get political, as was exactly the case with
the Max, where they did not want anything to be considered a change to the
aircraft type, let alone knowing the MCAS system existed in two majorly
differing versions.

~~~
suzzer99
This is so true. Naming to me is one of the most important decisions. When I
see someone who frets over naming decisions for hours, or will sit down with
me and really think through what we're going to name something - I know they
get the gravity of the situation. I trust those kinds of people much more for
big picture architectural or project lead decisions.

~~~
sooheon
Do you have examples off the top of your head of really great names that have
come as a result of this process?

------
ficklepickle
This whole plane sounds like an ugly hack. They slapped very different
engines on an existing airframe. Then, when it inevitably exhibited
undesirable behaviour, they tried to paper over the cracks. Then they hid this
information from their customers, regulatory agencies and the pilots.

It makes me wonder if there are other issues with the Max that the public
doesn't know about yet.

I hope a thorough review of Boeing's internal communications is already
underway. If there is proof that these decisions were made for financial gain,
they should face criminal charges.

IMO, whether it was greed or just general incompetence, Boeing has
demonstrated that they are not responsible enough to self-certify their
aircraft.

~~~
djsumdog
The sad thing is that we'll probably see this plane fly again by the end of
the year, because the millions of dollars in retrofits will still be cheaper
than having to scrap all existing planes.

We have no idea what other potentially lethal corners have been cut. What if
they go back into service, after several months of retrofitting all of them at
Boeing maintenance hangars, and then the following year there are two more
deadly crashes from some other overlooked hack?

Really, these planes need to be scrapped. The engines, equipment, seats, etc
can all be stripped and used in other planes, but the air frames will need to
be recycled and this line of planes should end here.

Even if it doesn't (probably won't), I highly doubt we'll see another
generation of 737s. They did survive the rudder problems way back from the...
80s? or 90s? .. So their reputation might recover, but they still can't make
the types of planes airlines want and keep that name/certification.

~~~
sk5t
In what world is scrapping the airframes due to a (serious) software fault the
best and most sensible solution? Do you believe there could be undiagnosed
problems with the wings, fuselage, tail, hydraulics, electrics, fueling
system, gear, etc.?

~~~
inferiorhuman
_In what world is scrapping the airframes due to a (serious) software fault
the best and most sensible solution?_

A world in which the faulty software was required to fix faulty hardware.

~~~
na85
The hardware isn't faulty. The problem is the way Boeing tried to achieve a
zero training delta so pilots wouldn't have to get a second type rating.

~~~
nopzor
the airplane did not have stable flight characteristics because of its
physical design.

that’s a hardware problem.

MCAS only exists because of that hardware problem.

the fact that boeing also did not train or tell pilots about MCAS, in order to
make the airplane more financially appealing by retaining the 737 type rating,
is a separate (also bad) issue.

~~~
cmurf
Citation needed.

FAR 25 applies to all transport category aircraft. The section on stability
(§§ 25.171 - 25.181). In exactly what manner is the airplane not stable, with
or without MCAS?

~~~
inferiorhuman
From TFA

 _But a few weeks later, Mr. Wilson and his co-pilot began noticing that
something was off, according to a person with direct knowledge of the flights.
The Max wasn’t handling well when nearing stalls at low speeds._

~~~
cmurf
Insufficient. Stability requirements in FARs are clear, and not handling well
might mean "substantially different from prior 737s" not unstable.

------
danols
The day someone very high up the corporate ladder truly gets held responsible
for this type of greed & negligence and is put away for a long prison
sentence would be a good day for society. But I am not holding my breath...

But I hope that the CEO Dennis Muilenburg deep down understands he seriously
fuxxed up real bad and every now and then is having a hard time falling
asleep in his $10M mansion knowing that he is ultimately responsible for
hundreds of people's unnecessary deaths due to his failed values as a leader.

~~~
01100011
Your comment makes it sound like you believe there was a single person with
nefarious intentions or criminal negligence who chose to put lives at stake in
exchange for profits.

That is almost certainly not what happened. It is more likely a system of
procedures and policies which failed. The company should take the hit, but
unless an investigation reveals otherwise, I see no reason a single individual
should take the blame for all of this.

~~~
krzrak
> That is almost certainly not what happened. It is more likely a system of
> procedures and policies which failed. The company should take the hit, but
> unless an investigation reveals otherwise, I see no reason a single
> individual should take the blame for all of this.

Aren't the insane compensations of executives justified by their "great
responsibility"? So I think it makes them eventually responsible for what
their companies do.

~~~
munchbunny
I heard someone say this and I can't remember who, but it seems very
appropriate. One of the key responsibilities of the CEO (and by extension
upper management) is to acknowledge reality. When the company is given
permission to act on what it already knows, then employees have the right
incentives to do the right things and not just the things that won't get them
fired.

In that sense, it absolutely is the fault of Boeing management for not
acknowledging reality.

------
tuna-piano
How MCAS slipped through the certification process was not the main issue
(mistakes in complex products can happen). The main issue was Boeing not
caring that MCAS was dangerous even after discovering it.

After the Lion Air crash, it was very apparent to Boeing that MCAS was not
safe. This whole article focuses on how MCAS slipped through
development+certification - but really even after Boeing knew the dangers of
MCAS, the MAX still was allowed to fly.

It was hidden and dangerous. Then it was open and dangerous but was still
defended by Boeing. Damning.

~~~
dhimes
_How MCAS slipped through certification process was not the main issue_

I think it's a huge issue, but perhaps not criminal. The hiding/lying/etc is a
criminal issue in my view.

------
sho
Great article. But for me there's a huge question being left unanswered, like
the elephant in the room:

Why exactly did the engineers/test pilots feel the need to "enhance" the
original MCAS with the new, more powerful version that worked at lower speeds?
What did they know? I doubt they did it for the hell of it. And therefore,
what has changed so that that enhanced functionality is now no longer necessary,
and it's fine that MCAS is being returned to its original, more subtle
implementation?

These things just don't add up for me and Boeing's constant pronouncements
that they did nothing wrong, everything was fine, and now they're fixing it so
everything will be even more fine ring very hollow indeed. I would almost like
to see everyone involved in this subpoenaed so the public can learn the truth
of what, exactly, took place.

Until we have some answers, especially to my main one - what was so bad about
the airframe's handling that it was necessary to massively increase the power
of the MCAS system, but is now apparently not necessary anymore and it's fine
for them to nerf it - I don't think I'll be flying on a MAX.

~~~
TazeTSchnitzel
The answer to why they wanted to “enhance” MCAS is that they wanted it to be
certified as a 737 like all previous versions, which means pilots need to be
able to fly it exactly like previous 737s without additional training, and a
technical hack which “corrects” pilots' actions facilitates that.

------
aivisol
Is it only me, or does all this one-vs-two AoA sensor talk seem like some kind
of diversion from the real problem with this plane?

I mean, if one-sensor based MCAS failed twice so early in the life span of the
plane model, what is the probability that a two-sensor model will fail pretty
soon as well? The math should be simple, we have all data needed: combined
hours flown by all planes of the type and number of failures (at least two
known, which can help us to estimate an MTBF of the sensor).

~~~
mikeash
The problem isn’t failure, but detecting failure.

If the sensor had just stopped responding, there wouldn’t have been any
problem. The planes would keep flying, the sensors would get replaced, and
everyone would be fine.

What happened was that the sensor gave erroneous readings. The MCAS system
reacted to those erroneous readings and crashed the plane.

With two sensors, you can detect failure. It’s very unlikely that both would
fail simultaneously. If they did, it’s very unlikely that both would provide
the same erroneous readings.
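
The detection point made above, as an added example that is not part of the original thread or of any Boeing software: a simplified monitor in which a single-sensor design acts on whatever the active vane reports, while a cross-checked design inhibits on disagreement and acts only when both vanes agree. The thresholds and the two sensor traces are constructed for illustration, and the second trace shows the common-mode caveat (both vanes failing the same way) that agreement alone cannot catch.

```python
from typing import Dict, List, Optional, Tuple

# Hypothetical thresholds, constructed for this example; no certified values
# are on the page and none are claimed here.
AOA_DISAGREE_DEG = 5.5     # largest left/right AoA split tolerated before inhibiting
TRIM_TRIGGER_DEG = 15.0    # AoA above which the simplified trim function would act

TRIM = "TRIM_NOSE_DOWN"
INHIBIT = "INHIBIT_AOA_DISAGREE"


def single_sensor_command(aoa_active: float) -> Optional[str]:
    """Weak design described in the thread: trust the one active vane and act on it.
    A stuck-high reading is indistinguishable from a genuine high-AoA condition."""
    return TRIM if aoa_active > TRIM_TRIGGER_DEG else None


def cross_checked_command(aoa_left: float, aoa_right: float) -> Optional[str]:
    """Two-sensor design: a split beyond the threshold proves at least one vane is
    wrong. We cannot tell which, so the safe action is to do nothing and flag it.
    The function acts only when both vanes agree that AoA is high."""
    if abs(aoa_left - aoa_right) > AOA_DISAGREE_DEG:
        return INHIBIT
    if min(aoa_left, aoa_right) > TRIM_TRIGGER_DEG:
        return TRIM
    return None


def run_trace(samples: List[Tuple[float, float]]) -> Dict[str, int]:
    """Feed one (left, right) trace through both designs and count the commands.
    The left vane is treated as the active one for the single-sensor design."""
    counts = {"single_trim": 0, "dual_trim": 0, "dual_inhibit": 0}
    for left, right in samples:
        if single_sensor_command(left) == TRIM:
            counts["single_trim"] += 1
        verdict = cross_checked_command(left, right)
        if verdict == TRIM:
            counts["dual_trim"] += 1
        elif verdict == INHIBIT:
            counts["dual_inhibit"] += 1
    return counts


# Constructed trace: both vanes read about 3 deg in level flight, then the left
# (active) vane fails stuck at 22 deg while the right keeps reporting about 3 deg.
STUCK_LEFT_TRACE = [(2.8, 3.0), (3.1, 2.9), (3.0, 3.2),
                    (22.0, 3.1), (22.0, 3.0), (22.0, 2.9)]

# Constructed common-mode trace: both vanes fail the same way (the pitot-tube
# case raised further down the thread), so agreement no longer proves the
# reading is real and the cross-check passes a bad value through.
COMMON_MODE_TRACE = [(3.0, 3.1), (22.0, 21.6), (22.0, 21.8)]

if __name__ == "__main__":
    print("stuck left vane :", run_trace(STUCK_LEFT_TRACE))
    print("common-mode fail:", run_trace(COMMON_MODE_TRACE))
```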

~~~
HarryHirsch
_It’s very unlikely that both would fail simultaneously._

Birgenair 301 crashed into the Atlantic because mud dauber wasps built nests
in _both_ pitot tubes while the plane was on the ground. It happens.

~~~
mikeash
Airspeed is required for safe flight. The failure on that flight was detected
immediately, it just couldn’t be handled. AoA on a 737 MAX is not required for
safe flight and the system just needs to refrain from taking any action if it
fails.

~~~
phkahler
But MCAS was added because the plane doesn't handle well in some situations.

~~~
cameldrv
I haven't heard of it ever activating except in the incident/accident flights.
It's required for certification, but you would either have to be mishandling
the plane or get in some extreme weather for MCAS to activate.

Think about it like the Antilock brakes on your car. Suppose the wheel
position sensor fails. It's fine if the car puts up a warning light and says
that you don't have antilock brakes anymore. You can drive fine without them
until you can get them fixed with a minor safety impact. It's not fine if the
wheel position sensor fails and this causes the car to slam on the brakes
going 65mph down the highway.

~~~
CydeWeys
ABS isn't the best example because it does prevent lots of accidents in its
own right, including a >50% prevention rate of some types of accidents in
rainy, snowy, or icy weather. The overall fatal accident reduction is 15% for
cars and 27% for trucks and light trucks. Source:
[https://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/...](https://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/811182)

And, anecdotally, I've had ABS kick in in some occurrences for which I was
very thankful.

~~~
cameldrv
Having a safety system that rarely _fails to prevent_ an accident is much
different statistically than a safety system that rarely _causes_ an accident.

Suppose the crash probability on a normal flight is 1/1E7, but without MCAS
it's 100x more dangerous, or 1/1E5. Suppose MCAS failure probability is 1/1E6,
the probability of an additional crash due to the failure of MCAS is 1/1E11,
which is acceptable.

The problem is that in practice, the crash probability if MCAS fails is
empirically 2/3 instead of 1/1E5, because MCAS actually causes the crash
rather than merely failing to prevent a crash.

------
cmurf
_Boeing engineers did consider [MCAS activation due to failed sensor] in their
safety analysis of the original MCAS. They classified the event as
“hazardous,” ... could trigger erroneously less often than once in 10 million
flight hours._

The incuriosity of all parties to an event categorized as hazardous is
astonishing. Boeing says it's a system that's completely transparent to the
pilot, and therefore there is no need to describe a failure that they say
would be hazardous. What part of that passes a reasonable smell test? It's
safe unless it fails, which would be rare, but if it fails people could die?
But meh, it's rare so let's not even find out what would happen if it
happened?

Boeing must be compelled to show their work for this probability computation,
because it is clearly wrong. And both Boeing and the FAA have to answer why
there's no mandatory testing of hazardous events. At least what does a
simulator think will happen in various states of perturbed sensor data, and
how does a pilot react when not expecting such an event?

Oh, and the part about depending on a single sensor is not, per Boeing, a
single point of failure because human pilots are part of the system? That's a
gem. The pilots are the backup? This poisonous form of logic is perverse.

~~~
jaggirs
If the pilots had received training, _then_ they could be a backup. So
probably whoever did that safety analysis was assuming pilots would know how
and when to turn off the system, but the pilots in fact didn't know this
system existed at all.

~~~
bumby
Administrative mitigations like pilots are usually the least preferable ways
of mitigating hazards. Humans are often the least consistent, most fallible
part of a system. If there were engineering solutions available I would hope
Boeing would implement them.

~~~
jplayer01
There are many examples of automated systems not accounting for novel or rare
situations that the original designers didn't plan for or ignored. This is why
manual override should always be available as a last resort if possible. No
automated system we can design today is perfect. While protections and
automatic mitigation should be implemented, taking away agency from pilots or
whoever else is a recipe for disaster.

~~~
bumby
I wasn't implying that humans should be taken out of the loop. I was more
referring to the hierarchy of mitigation. Most preferable are to design the
hazard out of the system, followed by engineering controls, and lastly
procedural/administrative mitigation.

Too often systems are designed with procedural mitigation as the primary way
of controlling a hazard without realizing all the human factors that come into
play. Maybe the pilot is distracted because she just had a fight with her
spouse. Maybe her co-pilot had a bad night's sleep. Or maybe he isn't physically
capable of generating the force necessary to move the trim wheel.

I think too often designs can over-rely on administrative mitigation because
the engineering controls seem too costly or difficult to implement. In some
cases, this rationalization that a person "just" has to do XYZ activities to
control the outcome falls short because we don't acknowledge all the factors
that person is dealing with in the moment.

In this case, to someone like me without intimate knowledge of the Boeing
process, it looks like they failed at their hazard analysis. They did not
design the hazard out of the system (airframe design), the engineering
controls were inadequate (MCAS), and the administrative controls were poorly
managed (pilots did not understand the procedures for disabling MCAS or the
procedures were not capable of being executed effectively). In other words,
they did not apply appropriate hazard analysis and mitigation. Hindsight is
easy, I know, but when schedule pressure hits a lot of these processes are
rushed.

------
acje
This was premature automation caused by not fully understanding the context.
It results in less friction at the cost of enabling a black swan. Bad trade off.
The Viking Sky cruise ship was 1 minute away from releasing its damage
potential of about 1300 people. 4 engines stopped simultaneously to protect
themselves, risking the entire ship in one of Norway’s most dangerous waters
during harsh weather. There are so many similar examples. Tank turrets self
protecting and killing soldiers during peace time. An automatic gearbox on a
military vehicle self protecting against overheating although the vehicle is
under enemy fire, but the sensor can’t know that.. we need to rethink how
“security automation” should work. How do you know if an override is relevant?
How to train the operator?

~~~
acje
It’s like these examples of security automation are designed to have the exact
opposite effect as chaos engineering.

------
uptownfunk
Whatever it's worth, this whole thing has traumatized me so much it makes me
fearful of flying at all. But one thing's for sure, if I have any say, I'll
probably never fly a 737 MAX again.

I'm sure there are many people who will do the same. In fact, every flight I
do go on now, I check to make sure it is not a MAX.

I doubt there will be enough people who think this way that it would cause a
problem economically for any airlines that carry this line, and I'm sure with
time, people will forget, but I sure as hell will do my best not to.

------
throw7
"As part of the fix, Boeing has reworked MCAS to more closely resemble the
first version."

Be very wary if pilot training is not part of the "fix" to getting the Max
back up in the air. If MCAS is being "rolled back" then certain situations
such as "The Max wasn’t handling well when nearing stalls at low speeds." come
back.

~~~
oldjokes
Anything short of admitting "we fundamentally screwed up, and are rethinking
the poor decision to pair this engine with this airframe" as well as "we are
reviewing all our design processes and how the FAA oversees every step of the
process" is unacceptable. MCAS is just the horrific bloody bandage that is
peeling away, it's not actually the problem here.

This probably won't happen of course, all they seem to want to do is fix as
little as possible as quickly as possible while denying they ever knew
anything.

If I were someone powerful like a pilot union leader I would start throwing
conniption fits in public and refuse to let my people fly on Max's at all.

~~~
CamperBob2
_Anything short of admitting "we fundamentally screwed up, and are rethinking
the poor decision to pair this engine with this airframe"_

Can you cite the basis for this often-expressed sentiment? There's absolutely
no reason why a properly-designed and -vetted MCAS system wouldn't have been a
perfectly acceptable solution to any handling irregularities caused by the
engine configuration.

The idea was fine. The fault was 100% in the implementation.

And no, downvotes are not a valid citation.

~~~
tacosx
It's not impossible to make it work, and in the future I'd expect more and
more automated systems in planes for sure.

But you have to recognize the whole engine hack is just a convoluted
workaround to avoid as much pilot training as possible. The entire goal of the
project seems to be to avoid ever training pilots for as long as possible.
It's a brand new plane, the newest plane on the market, and the first thing
you need to do to take off is turn off the cabin air conditioning. Why?
Because that's what we had to do 50 years ago in the first 737.

God forbid this plane start up any way besides turning off the cabin air
conditioning. If we changed that, we'd have to... _gasp_ retrain pilots!

~~~
_ph_
The problem with training pilots for a new machine isn't the training itself
but rather, that a pilot is rated for one machine type only. If the MAX had a
different type rating, MAX pilots would no longer be rated for the non-MAX
737. There are some larger US carriers which are 737 only, partly so that all
pilots are trained for all of the machines. Having to split the fleet into two
types would have a huge impact on business. Most likely these carriers would
avoid getting any MAX as long as possible.

I don't know what is the correct answer to the problem, but clearly good
safety regulations are trapping some carriers and Boeing. Sooner or later
Boeing will have to build a true successor to the 737 (and I guess, they now
wish they had sooner)

~~~
magduf
>The problem with training pilots for a new machine isn't the training itself
but rather, that a pilot is rated for one machine type only.

Citation needed. I've never heard this before, except for some other person on
a message board, and I've been involved with aviation and known pilots with
multiple type ratings.

------
kdazzle
> It never tested a malfunctioning sensor, according to the three officials.

That one popped out to me. Man. Lots to learn.

> Boeing continued to defend MCAS and its reliance on a single sensor after
> the first crash, involving Indonesia’s Lion Air.

Also...how? So many non safety critical services use a load balancer and at
least a couple of servers because who can trust just one thing working
perfectly all the time?

~~~
m_mueller
Another one that popped out: test pilots were pushed to simulator-only by
management, with simulators apparently being incomplete with regards to MCAS
behavior. Bean counting and incompetence abound in safety critical areas of
airplane design - I will think twice before stepping in another recent model
of Boeing.

------
KaoruAoiShiho
How would you design your bureaucracy so that this kind of thing can't happen?
I see this type of failure all the time in organizations big and small.
Sometimes things are just too complex to have an auteur that can understand
the entire system and when every department strives to optimize for its
specific goal shit can really hit the fan.

~~~
keiru
Eventually, artificial intelligence.

Maybe not in the near future, but as technology progresses and every
manufacturer strives to optimize their designs with the latest features, it
will become an insurmountable task to oversee every aspect of it
(efficiently). I'm not talking about actively designing, but rather about
warning/flagging for potential error. In very complex enterprises like global
transport or building skyscrapers there is a lot to learn from experience and
little human time, but it might be very cost-effective to train all-observing
self-learning AI to look over everyone's shoulder, and warn you about using
the right type of bolts, or how the coming heavy rains in Guatemala might
affect your supply chain.

It's not that far-fetched when you realize it doesn't need to really
understand anything, just be very good at playing word association and
micromanaging.

~~~
csours
AI is only as good as its training data and goals/success conditions.

~~~
keiru
Yes, AI is designed in very particular situations to fit very specific tasks. I
never meant there to be a single mind controlling the whole world. Today you
could program an assisting AI that told you when "you missed a spot" when
painting your house. It's simply not cost effective. But eventually driving
and medical diagnosis AI, while imperfect, will have a better success rate
than humans. Do you really think that won't apply to industrial production
eventually, say in a hundred years?

------
rmtech
I've never understood why they make planes with 1-2 sensors for a crucial
reading like airspeed.

Why not have 20 airspeed sensors of 5 different types? It's an obvious failure
mode that your one sensor will fail and then the pilots and the computer will
be left in a state of dangerous uncertainty about the situation.

------
sixdimensional
I am surprised that I haven’t seen anyone make the connection to “normal
accidents” [1] yet, but feel it is quite relevant in this case.

[1]
[https://en.wikipedia.org/wiki/Normal_Accidents](https://en.wikipedia.org/wiki/Normal_Accidents)

------
basicplus2
All this talk about how MCAS was not designed properly or how it could be
prevented from failing is erroneous.

Good safe airplane design is about a neutral flying design without the need
for complex systems.

This plane is fundamentally flawed because the engines are in the wrong
position because the landing gear is too short to fit them in the correct
position.

The test pilot was clear about very poor flying characteristics at slow flying
speeds requiring MCAS to be more aggressive.

This plane should not be flying with this engine configuration as it fails the
most fundamental principle of good aeroplane design of neutral handling.

~~~
cmurf
FTA: _The Max wasn’t handling well when nearing stalls at low speeds.

In a meeting at Boeing Field in Seattle, Mr. Wilson told engineers that the
issue would need to be fixed. He and his co-pilot proposed MCAS, the person
said._

It is not clear this translates into a fundamentally flawed design. It's a
serious assertion, even though at the same time it's vague. Why did it need to
be fixed? To avoid pilot training? Or to pass a FAR 25 airworthiness
certification requirement? We can't tell from this reporting. Months after
these accidents, people are still asking this question. The difference
matters.

I'm very skeptical that software can legally be used to paper over aerodynamic
flaws, as I read FAR 25. In fact, neutral design is not adequate, it must
exhibit positive static and dynamic stability in all three axes. Fly by wire
software doesn't make a plane with negative stability behave as if it has
positive stability, the software provides various safeguards in a layered
manner.

------
laythea
Sounds to me like the main failure here is that Boeing went _too far_ with
optimising cost, in the sense that MCAS was not properly designed.

I'm certain correctly designed software can safely control critical functions,
otherwise failure in a large category of aircraft systems would result in many
more MCAS unrelated accidents.

This particular MCAS control philosophy seems to be a flawed control system.
With reference to the graph (link provided by obituary_latte):

[https://i.imgur.com/WJuhjlO_d.jpg?maxwidth=1640&shape=thumb&...](https://i.imgur.com/WJuhjlO_d.jpg?maxwidth=1640&shape=thumb&fidelity=high)

With only one sensor being "looked at" at any time, and with the system not
having the sense to know to stop commanding pitch down after 26 times with
attempted pilot overrides, it would seem almost beyond belief that any
competent team of on-the-ground engineers (as per Boeing) would not see that
the system is flawed.

Would be interesting to see if this was the case, and how the likely good
engineering decision was overridden by the commercial aspect.

With increased tech, comes increased scope for this kind of cost optimisation,
and we must be careful in many more industries. Eg Automotive self driving
cars.

------
hwestiii
This article reads to me like Boeing and the FAA have gotten their stories
straight with each other and in naming names have settled upon someone who is
no longer associated with either in an effort to take the heat off of both.

------
pseingatl
Why didn't they just bring back the already-certified 757 instead of
stretching the 737?

~~~
_ph_
The problem isn't the certification of the plane, it is the certification of
the pilot. A 757 or a true successor to the 737 would have meant that pilots
would have to be certified for the new plane - and that means they lose their
certification for the plain 737. The MAX is targeted at carriers which
already have large fleets of 737 and the idea was that the same pilot could
fly both.

------
zeristor
How confident is everyone on all the other changes to the 737?

They’ve found the MCAS issues, but with a procedure this lax I’d expect
several other issues to have gotten through.

------
Haga
Empires destroy institutions.. they hollow them out until they are barely
clothes for one figure residing within. Proving something to an institution is
hard. Proving something to one person is "easyish". The problem is not that one
plane manufacturer's internal culture allowed falling behind, but that this rot
and decay bypassed controlling institutions, because these were hollowed out
for empire reasons. You can not defeat this problem unless you solve the root
node. Which are hidden deals instead of proper procedure replacing the physics
of capitalism.

------
supergirl
how is it that boeing still has not admitted fault? i guess they bet to get
out through a loophole in the investigation result; investigation that they
are part of i assume? something like "it was 1% pilot error" is enough to make
a pr campaign from.

------
csours
I'm surprised no one has mentioned Therac 25 or Normal Accidents yet.

For reference, the Therac 25 was a computer-controlled radiation therapy
machine involved in several over-exposures due to replacement of physical
controls with computer based ones without complete understanding of the
interactions of the controls.

The Max feels very much like that. No one can really keep a whole aircraft in
their head, much less a whole aircraft development project. We use computers
for that, as well as mental heuristics. But if those computers and brains are
not fed all the proper data and connections, they will not find all the
problems.

Additionally, there seems to be a lot of the tail wagging the dog. If this
system is expected to perform according to X specifications, then by golly it
will, and we will show that it does.

[https://en.wikipedia.org/wiki/Therac-25](https://en.wikipedia.org/wiki/Therac-25)

Edit: Please don't take the above as absolution of Boeing. Someone (a lot of
someones) really should have known better.

~~~
mehrdadn
I don't see these as equivalent, at least not based on what I've learned about
the cases (feel free to correct). As I understand, Therac-25 was due to
software bug and a genuine design process inadequacy that allowed it to cause
a problem, that could happen with people acting entirely in good faith, simply
because they didn't know better. That's why they created standards to address
the design process. With 737MAX... pretty much literally everyone could tell
you the decisions were bad, and so many seem to have been made in bad faith,
specifically to e.g. avoid recertification and increase revenues in a pretty
reckless manner.

~~~
csours
It's not the equivalent, but it is the consequence of a chain of incremental
changes, each of which is not sufficient to subvert safety margins, but
together they change the paradigm.

As to bad faith, yes, I'm sure there was some of that, but generally decisions
like these don't look like bad faith to the people making them. It's easy to
get swamped by technical details.

~~~
mehrdadn
> consequence of a chain of incremental changes

> As to bad faith, yes, I'm sure there was some of that

You're downplaying this. This is not downplayable, and this is not similar to
Therac. "A consequence of incremental changes" is a rather gross way to paint
this, as if it's hard for a single guy to see how e.g. non-redundant sensors
are an extremely bad idea on their own, let alone everything else. There have
been _multiple_ huge missteps, not made by accident, each of which is
_individually_ worth a huge red flag obvious to people in different areas.
That 1 single mistake wasn't enough to bring the plane down doesn't mean the
mistakes must've been small or somehow downplayable. And no, this isn't some
kind of gray area with people getting genuinely swamped by technical details.
It's abundantly clear there's been a _ton_ of bad faith here, that there is
still _ongoing_ bad faith even after the fact, and that they're _still_
unwilling to address the problem properly.

~~~
csours
I'm sorry that it seemed like I was downplaying it.

What I was actually thinking is that this kind of thing is likely to crop up
in complex systems, and if we work on complex systems we should be wary for
it.

------
Glawen
I'm surprised no one yet on HN mentioned how Rust would have avoided the
failure :)

------
tus87
> a fundamental overhaul to an automated system that would ultimately play a
> role in two crashes

Are they STILL blaming the computer instead of the unstable air-frame after
the engines were moved?

~~~
Obi_Juan_Kenobi
The redesign did not make the aircraft unstable. I don't know how this became
such a meme, but it's trivial to see that it's not true. Commercial passenger
aircraft _must_ be aerodynamically stable by FAA regulation:
[https://www.ecfr.gov/cgi-bin/text-idx?node=14:1.0.1.3.11#se1...](https://www.ecfr.gov/cgi-bin/text-idx?node=14:1.0.1.3.11#se14.1.25_1171)

The engine change really wasn't a big deal. The net effect is "flight stick
feels lighter at high AoA with high thrust." That's it. My understanding is
that the 737-MAX flies more like a 757 in this regard. Nothing crazy, just a
difference.

Now, that's enough to require re-certification by FAA standards, because it's
enough of a difference that it _could_ cause problems of pilot error. But
going on like the aircraft wants to fall out of the sky isn't helping anyone
here.

MCAS was intended to be a small tweak that avoids the re-cert. And it would
have been fine if they had neutered the system such that it couldn't input
such extreme trim angles, or else had more reliability as needed in a system
that could have such dramatic effects when malfunctioning.

~~~
salawat
The meme comes from the fact that according to the technical definition of
aerodynamic stability, the MAX has pitch instability at high AoA.

FAA certification regulations appear to be willing to accept minor deviance in
regard to them so long as they can be convinced there are sufficient
technological controls in place to manage the instability.

This is the danger of self-certification by the way. The company signs off
that everything is fine, and the regulator is blissfully unaware they've been
rused until after people have already died.

------
runciblespoon
“After Boeing removed one of the sensors from an automated flight system on
its 737 Max, the jet’s designers and regulators still proceeded as if there
would be two.”

No, no, no. This is just more of shifting the blame from Boeing upper
management. They couldn't use two Angle of Attack (AOA) sensors as when there
was a differing reading there would be no way to know the correct reading,
which is why MCAS used a single AOA sensor on the right-hand side.

~~~
empath75
This doesn’t seem correct to me, but I can’t put my finger on why. Surely if
both agree that’s more certainty than a single sensor reading. Granted a
disagreement would be bad, but at least you would have some warning that one
of them is wrong, whereas you would have none at all if relying on a single
sensor.

~~~
kejaed
You wouldn’t be able to know which one was wrong but you’d be able to know and
annunciate an AOA MISCOMPARE (which was an option on the Max) and then disable
MCAS.

~~~
weaksauce
Which was not an option to upper management because that would cause training
for the event of disengagement and a new type rating.
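
The two design points raised in this sub-thread (kejaed: a second AoA sensor lets the system detect a miscompare, annunciate it and drop out; Obi_Juan_Kenobi: a capped trim authority limits the harm when the function does act) as an added illustrative model. This is not code from any commenter, Boeing or the article; all thresholds, units and sensor traces are constructed assumptions.

```python
"""Constructed sketch of an AoA-driven nose-down trim command with a two-vane
miscompare check. Thresholds and behaviour are assumptions, not MCAS logic."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

AOA_TRIGGER_DEG = 12.0   # assumed: AoA above which nose-down trim is commanded
MISCOMPARE_DEG = 5.5     # assumed: largest tolerated left/right vane disagreement
TRIM_STEP_UNITS = 0.6    # assumed: trim applied per activation
MAX_TRIM_UNITS = 2.5     # assumed: cap on cumulative automatic trim authority

@dataclass
class TrimState:
    cumulative_trim: float = 0.0
    activations: int = 0
    inhibited: bool = False
    annunciation: Optional[str] = None

def command_trim(aoa_left: float, aoa_right: Optional[float],
                 state: TrimState, max_trim: float) -> float:
    """Return nose-down trim units commanded this cycle; aoa_right is None for
    the single-sensor variant, which has nothing to cross-check against."""
    if state.inhibited:
        return 0.0
    if aoa_right is not None and abs(aoa_left - aoa_right) > MISCOMPARE_DEG:
        # Two sources disagree: we cannot tell which is wrong, so latch the
        # function off and annunciate rather than act on either value.
        state.inhibited = True
        state.annunciation = "AOA MISCOMPARE"
        return 0.0
    aoa = aoa_left if aoa_right is None else (aoa_left + aoa_right) / 2
    step = min(TRIM_STEP_UNITS, max_trim - state.cumulative_trim)
    if aoa < AOA_TRIGGER_DEG or step <= 1e-9:   # below trigger or authority used up
        return 0.0
    state.cumulative_trim += step
    state.activations += 1
    return step

def run(trace: List[Tuple[float, float]], single_sensor: bool,
        max_trim: float = float("inf")) -> TrimState:
    """Feed a (left, right) AoA trace through the logic and return the end state."""
    state = TrimState()
    for left, right in trace:
        command_trim(left, None if single_sensor else right, state, max_trim)
    return state

# Constructed traces (not flight data): the left vane fails high and reads a
# stuck 70 degrees while the right vane reports a normal climb; the second
# trace is a benign, agreeing pitch-up that legitimately crosses the trigger.
FAULTY_TRACE = [(70.0, 3.0 + 0.1 * i) for i in range(30)]
NORMAL_TRACE = [(4.0 + 0.4 * i, 4.2 + 0.4 * i) for i in range(30)]
```

On the faulty trace the single-sensor, uncapped variant commands trim on every cycle, the capped variant stops once its authority is spent, and the dual-sensor variant never commands at all because the first miscompare latches it off.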

