I remember here on HN, there were cries about why the autopilot didn't take over at that time and save lives. "Pilots should never be allowed to stall the plane."
Well, Boeing's new software did exactly that: corrected the situation when the pilot wasn't. And that crashed the plane.
Interesting indeed. Lesson: There's a lot to look beyond before taking a decision, even when the obvious decision is just in front of everyone.
The problem here is: in the transition from the -NG to the -MAX, Boeing added this protection and didn’t tell anyone.
Imagine someone added Adaptive Cruise Control to your existing car without telling you - the first time the car braked on its own, you'd freak out. The car is suddenly behaving in a way it shouldn't be able to.
If you know the system exists, you can recognise what’s happening and deal with it. If you don’t know it exists, the behaviour is going to be absolutely baffling, and no in-flight diagnostic procedure has a step for “did the manufacturer add an important safety device and not tell me?”
In fact, as a general rule of thumb, I believe pilots should be well educated about any safety feature that would automatically change the state of the aircraft.
Totally out of my depth here, but how is it possible that they "didn't tell anyone" about a feature so crucial? How could pilots not know how the plane's computer will behave in such a fundamental, non-edge-case scenario?
The FAA signed off. I guess the lawyers will argue if it was legal or not.
Here's some other examples of what happens when the stabilizer is trimmed without the pilot knowing. Sadly Capt. VanderBurgh died a couple years ago. Had he not it would have been fascinating to see his take on the Lion Air wreck.
And here's a quick overview of how the stabilizer functions in a 737:
Do the stabilizer trim tabs really have more authority than the elevator? That seems odd.
Do you really understand how your trim works? Many do not, and why it matters. Alex Fisher - GAPAN
It's quite an interesting one if you are into that kind of thing.
I couldn't even hazard a guess. Boeing told the Brazilian authorities about it. See the table on Page 18 under MCAS.
For comparison here's the FAA equivalent:
Note that MCAS is distinctly absent from the difference tables (also) on page 18.
The FAA signed off on the NG to MAX training as "B" level differences. This means no sim time necessary (although apparently American Airlines doesn't have a MAX sim in the first place). The Brazilians were made aware of MCAS and thought that also qualified as a "B" level difference. The question then is: did the FAA think MCAS constituted a C or D level difference?
1: See the table on page 14 for a list of the FAA definition of different categories of differences
I recently got a hell of a shock in my father's BMW: I was driving with cruise control engaged, depressed the clutch, and when I released it, found the car re-accelerating to match its previous speed. Every other car I've driven has disengaged cruise when the clutch is engaged, so this took me quite by surprise and could have put me in danger.
What gave me a scare was lowering the cruise speed on the steering wheel by clicking the button a few times, which in fact caused the car to actively brake quite hard instead of naturally lowering its speed.
EDIT Now that I think about it, my BMW does not disengage the cruise when you shift up and ... I'm not sure if it does when you shift down.
My BMWs (E46, E39) all have two clutch switch outputs: one for the starter and one for cruise control.
If the clutch switch was inoperative and the cruise control was engaged, the cruise would not know the engine is disengaged from the transmission and would rev the engine up to redline.
I guess a good thing to note about this is that aviation is so close to optimum safety level that it's hard to find unambiguous ("pareto") improvements; you can just find a different tradeoff. The gradient is pretty close to zero.
What if a malicious pilot had been part of the threat model? instead of terrorist-proof cockpit doors, attacker-proof cockpit doors: split the cockpit in half (strong plexiglass), each has their own combination code for their own door. As soon as one pilot starts disobeying ATC, they can choose which pilot gets control of the airplane...
True, the pilots can no longer circle j* during their boring flights...
To the extent the ideas from the peanut gallery are terrible, it is because intellectual property does not allow the peanut gallery to inspect the full airplane designs, schematics etc... I feel confident the community at large (or the relatives and acquaintances of the deceased and their lawyers and or engineers they appoint) could provide better criticisms. But if my aunt had balls she would have been my uncle: intellectual property kills. What is the statistical value of a human life? What is the statistical value of intellectual property?
>No one can foresee all possible threats, or reliably predict which ones will come to pass.
I think that is an open question. But let's pretend you are right for the sake of argument. Improvement does not necessitate foreseeing all problems, excluding failure modes as they are discovered is still improvement, even if they aren't absolute panaceas.
>It's not possible to split cockpits down the middle because some critical controls such as circuit breakers exist only on one side or the other, but are reachable by both pilots. Adding duplicate circuit breakers on both sides isn't practical for space reasons, and would introduce additional failure points.
Space reasons? I'm sure the passengers appreciated their extra millimeter of legroom while crashing into the alps... why not each their own breaker and the circuit only breaks when their breakers agree on breaking? i.e. logical AND. Yes any additional complexity would make the problem space more complex, and should be dealt with using formal verification etc...
>And allowing ATC to block out a pilot from flight controls would itself be a failure point. What if ATC is compromised?
Obviously, the plane only listens to ATC pilot selection when one pilot disagrees (visualize a big red disagree button if you will). As long as none of the pilots has the disagree button engaged the plane ignores ATC. ATC can not initiate selection of pilot. Yes, there are situations that still admit malicious pilots like: collusion between 2 pilots, collusion between a pilot and an ATC controller. Use things like sortition, and reward ratting out proposals of collusion...
1. Prevent any passenger on the flight from crashing the plane
2. Prevent anyone from crashing the plane into a location of their choice
Locking cockpit doors prevent the first one. Locking cockpit doors plus 2-in-cockpit rules (as mandated by the FAA, and not implemented by GermanWings) do a good job of preventing the second.
yeah, in the Airbus A300 just kick the rudders a few times fully left to right (see American Airlines Flight 587) 
> 2-in-cockpit rules (as mandated by the FAA, and not implemented by GermanWings)
Just to clarify, GermanWings was not under FAA jurisdiction, so the 2-in-cockpit rule did not apply.
Also, EASA implemented the 2-in-cockpit rule in 2015 after the GermanWings accident, but withdrew it in 2016 and replaced it with a more flexible rule after consultation with stakeholders, as "the rule to have 2 persons in the cockpit at all times introduces additional safety and security risks."
As I said somewhere above, there's rarely scope for a pareto improvement in aviation.
Kicking the rudder fully left to right a few times would most likely put any modern airliner outside of its structural limits (and would probably injure lots of passengers even if it didn't). I believe the A300 had very sensitive rudder controls, which made it possible to create extreme loads on the rudder via a sequence of relatively small back-and-forth movements.
The English language is a bit poor on existential and universal quantifiers, which renders the above sentence a bit ambiguous: it could be interpreted as 1) "For every flight and prevention method there will always exist some opportunities for a pilot to crash the plane" (with which I tend to agree) or 2) "For every flight and prevention method, the pilot will at all times be able to crash the plane" (with which I don't agree)
>(How do you prevent an intentional cartwheel on takeoff or landing? There are regions of the flight envelope where 2-3 seconds of pessimal input are unrecoverable. ATC override won't help you there)
I tend to agree.
>So given that, we aren't trying to prevent the pilot/copilot from intentionally crashing the plane
This doesn't follow. We can still limit the attack scenarios to say situations like landing and taking off. It doesn't need to be binary, a reduction in threats is still desirable. For example if Lubitz had been even more antisocial in his destruction by suicide, he could easily have crashed the plane into the surface storage for nuclear waste next to a nuclear power plant. The reactor itself does not house that much nuclear material, while the typical surface storage next to it tends to contain a lot of nuclear waste. He might still kill the passengers on landing and take off, but as crude as it sounds, it's still better than losing the very same passengers and having a nuclear contamination on our hands!
The 2-in-cockpit rule sounds rather weak in my opinion, as it becomes a matter of who is stronger or who strikes first, the element of surprise etc...
From a systems engineering standpoint, everything you have described would add complexity and would likely be a net negative for safety.
I believe FAA of US specifically alerted German government's air travel agency (?) about the need to have another crew member (like flight attendant) to be in the cockpit if one of the two had to leave cockpit to use restroom etc, exactly to avoid this kind of scenario.
But the Germany govt agency apparently thought it was unlikely to happen and ignored the recommendation.
I could be wrong, but pretty sure about reading that bit while reading about the incident...
Article suggests that the pilot didn't know about the new system nor how to disable it. In case of a faulty sensor (Boeing can't be stupid enough not to have a quorum of sensors, can it?) the crew should be able to disable a possibly deadly autopilot.
1. YES - for automation
2. YES - for sensible and safe handling of sensor failure
3. YES - for allowing humans to override the autopilot
If instruments cannot measure key environmental indicators such as velocity, temperature etc - no amount of automation will save the plane.
Instrument meteorological conditions (IMC) / Instrument Flight Rating (IFR) flights are when the plane is flying through darkness, or through conditions that do not allow for a judgement of the visual elements and therefore pilots can easily make incorrect judgement calls on the position of the plane, leading to a crash.
The pitot tube is a primitive piece of equipment to measure wind velocity and can easily be jammed by ice, insects etc. I think it was the Pitot tube malfunction in this plane that caused the incident.
I believe the issue is that this hidden system (MCAS) relies on AoA data which can, per the above, not be validated by the pilots or the computers. Thus the fear is that the plane will go full nose down for no obvious reason. Granted the emergency AD indicates some secondary indicators that your AoA vanes have gone wonky.
Per the AA email:
> The MCAS function becomes active when the airplane Angle of Attack exceeds a threshold based on airspeed and altitude. Stabilizer incremental commands are limited to 2.5 degrees and are provided at a rate of 0.27 degrees per second. The magnitude of the stabilizer input is lower at high Mach number and greater at low Mach numbers. The function is reset once angle of attack falls below the Angle of Attack threshold or if manual stabilizer commands are provided by the flight crew. If the original elevated AOA condition persists, the MCAS function commands another incremental stabilizer nose down command according to current aircraft Mach number at actuation.
IOW hey the plane might try to kill you and while you're busy trying not to die at 5,000 ft please disable the electronic aids and grab the trim wheels by hand. Noting, of course, that it takes the computer ~30 seconds to move the stabilizer from one end of its travel to the other. It'll take a person longer if you're cranking it by hand. This is, of course, all after the pilots have realized what the problem actually is. All of this at five thousand feet where you might not have 30 seconds to respond. I'd suggest that if this scenario is at all close to what transpired those pilots didn't have a chance.
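The bulletin text quoted above reads like a small state machine: activate when AoA is above a threshold, trim nose-down at 0.27 deg/s for at most 2.5 deg, reset when the crew trims manually or AoA drops back, and command again if AoA is still high. The following is an added example written for this page (not Boeing's software, and not the poster's) that simulates exactly that against a constructed stuck-high AoA signal and a simple crew model. Only the 0.27 deg/s rate and the 2.5 deg increment come from the quoted text; the AoA threshold value, the 5 s pause after a manual trim input, the crew's reaction threshold, the manual trim rate and the 0.1 s time step are assumptions. It shows why a correction that only partly undoes the last increment leaves the stabilizer walking nose-down, and what removing electric trim authority (the cutout) does to that walk.

```python
"""Simulation of the MCAS behaviour quoted from the AA bulletin.  Added
example, not Boeing's software.  Nose-down stabilizer motion is positive."""

RATE_DEG_S = 0.27          # stabilizer rate stated in the bulletin
MAX_INCREMENT_DEG = 2.5    # limit per activation stated in the bulletin
DT = 0.1                   # simulation step in seconds (assumption)


def ticks(seconds):
    """Integer tick count, so timers never depend on float comparisons."""
    return int(round(seconds / DT))


class Mcas:
    def __init__(self, threshold_deg=10.0, hold_s=5.0):
        self.threshold = threshold_deg    # AoA threshold: assumed value
        self.hold_ticks = ticks(hold_s)   # pause after manual trim: assumed
        self.increment = 0.0              # degrees commanded in this activation
        self.quiet_until = 0              # tick before which MCAS stays inhibited
        self.commands = 0                 # activations, whether or not the motor moved

    def step(self, k, aoa_deg, manual_trim):
        """Return the nose-down motion commanded during tick k."""
        if manual_trim:                   # crew trim input resets the function
            self.increment = 0.0
            self.quiet_until = k + self.hold_ticks + 1
            return 0.0
        if aoa_deg <= self.threshold:     # AoA back below threshold resets it too
            self.increment = 0.0
            return 0.0
        if k < self.quiet_until or self.increment >= MAX_INCREMENT_DEG:
            return 0.0
        if self.increment == 0.0:         # start of a fresh increment
            self.commands += 1
        move = min(RATE_DEG_S * DT, MAX_INCREMENT_DEG - self.increment)
        self.increment += move
        return move


def simulate(stuck_aoa_deg=20.0, duration_s=60.0, react_deg=1.0, blip_s=2.0,
             manual_rate_deg_s=0.27, cutout_at_s=None):
    """Crew model (assumption): once `react_deg` of uncommanded nose-down trim
    has accumulated since their last input, the crew holds nose-up electric
    trim for `blip_s` seconds.  `cutout_at_s` models the stab trim cutout
    switches: after that time no electric trim, MCAS or crew, moves anything."""
    mcas = Mcas()
    stab = 0.0                 # stabilizer position relative to start, degrees
    since_input = 0.0          # nose-down motion since the crew last trimmed
    trimming_until = 0
    cutout_tick = None if cutout_at_s is None else ticks(cutout_at_s)
    trace = []
    for k in range(ticks(duration_s)):
        electric = cutout_tick is None or k < cutout_tick
        manual = electric and k < trimming_until
        if electric and not manual and since_input >= react_deg:
            trimming_until = k + ticks(blip_s)
            manual = True
            since_input = 0.0
        if manual:
            stab -= manual_rate_deg_s * DT
        move = mcas.step(k, stuck_aoa_deg, manual)
        if electric:               # with the cutout, commands go nowhere
            stab += move
            since_input += move
        who = "crew" if manual else ("mcas" if move else "-")
        trace.append((round(k * DT, 1), round(stab, 3), who))
    return {"final_stab_deg": stab, "commands": mcas.commands, "trace": trace}


if __name__ == "__main__":
    for name, r in (("no cutout", simulate()),
                    ("cutout at 10 s", simulate(cutout_at_s=10.0))):
        print(f"{name}: {r['commands']} MCAS commands, "
              f"stabilizer {r['final_stab_deg']:+.2f} deg nose-down")
```

With the assumed numbers each cycle is 3.8 s of MCAS, 2 s of crew trim and a 5 s pause, and every cycle nets about half a degree nose-down: after 60 s the stabilizer is roughly 2.9 deg further nose-down despite six corrections. With the cutout thrown at 10 s it stays where the crew left it, which is the point of the "disable the electronic aids" step.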
Just to clarify, with two AoA sensors, you can know that there is a problem (if they disagree), but you don't know which one is erroneous.
What I find surprising about this crash is that even if there's an indication of unreliable readings, the automation proceeds to actively do stuff - I thought Boeing philosophy was to hand everything to the pilots in such a case.
> I'd suggest that if this scenario is at all close to what transpired those pilots didn't have a chance.
Yeah, absolutely devastating. In the time they had, how were they supposed to diagnose that error condition (automatic down trim), given that a) it sneakily recurs every now and then, and b) it was not prepared/trained for?
The AoA disagree alert is an optional feature on the 737. My understanding is that the AoA display is optional as well but does not break down the info per vane. I don't know if the gauge and alert are bundled together or available separately. So maybe you can know, maybe not.
If you watch a cockpit video of an airliner taking off you will usually hear the co-pilot announce "80 knots" and the pilot reply "cross-checked". What they are doing is checking that their air-sensor data agrees (within a reasonable margin) for the most critical information at that stage of flight (since takeoff speed is very important with the modern wing shape on an airliner).
Similarly they have A and B autopilot systems which are driven independently by two AHRS units (except in special cases like during auto-land where both systems are operational).
Which is all to say that I think they likely have two separate AoA sensors. Although, perhaps being an optional element, the failure of one doesn't automatically trigger an AHRS disagree message.
Correct, the 737 NG has two separate alpha vanes and I believe the MAX does as well. However the "alpha vanes disagree" alert is a paid option per the emergency AD. Likewise the AoA indicator is a paid option. There is redundancy, but the plane may be configured such that the pilot cannot determine if there is a failure.
Failure of one or both alpha vanes on an NG isn't a good thing, but failure of an alpha vane on a MAX could cause MCAS to essentially try to kill you and without that AoA disagree alert you may not know why because you've never been informed about this system, and at low altitude you likely wouldn't have time to figure out what's going on.
Edit: if that all sounds fucking insane, it is. That's why American and Southwest pilot unions are livid.
In the 737 Max this probably got exacerbated to the point that it was possible to fly the plane into a stall by sharply increasing power in a high AoA situation (typically in a go-around). This was probably different enough to the 737NG that they felt it necessary to add the MCAS system to prevent having to do, what they considered, excessive differences training in that phase of flight.
> A former Boeing executive, speaking on condition of anonymity because discussion of accident investigations is supposed to be closely held, said that Boeing engineers didn’t introduce the change to the flight-control system arbitrarily.
> He said it was done primarily because the much bigger engines on the MAX changed the aerodynamics of the jet and shifted the conditions under which a stall could happen. That required further stall protection be implemented to certify the jet as safe.
Wow, the information in that Seattle Times article is really damning! Differences training from the 737 NG to the MAX consisted of a one hour iPad session (plus crosswind training because the permissible roll is reduced due to vertical wing tips). Livid indeed.
The series of events that caused the accident are a long story, but power was knocked out to the pilot's controls (where the one stick shaker was installed), but not the copilot's controls (which didn't have a stick shaker due to the selected options). TBH, it's doubtful that the pilots could have recovered in that specific situation, but the chances of success dropped to basically zero when they didn't have a device capable of communicating what was happening to them in time.
Of course, this is obviously different than having no warning system for the type of failure whatsoever (as appears to be the case on the MAX), but it was still a little surprising for me.
>Instrument meteorological conditions (IMC) / Instrument Flight Rating (IFR) flights are when the plane is flying through darkness
In the US flight in darkness is not flight in IMC. Neither does darkness impose instrument flight rules. Recall that IMC is governed by ceiling, proximity to visible moisture, and visibility: fail one of those criteria and you're in IMC, governed by IFR.
A pilot lacking an instrument rating may fly in pitch black, no moon, (high) overcast over an ocean and still be VFR compliant. Whether it's wise or not is a different issue...
But, that's theoretical. I'm hearing pilots get massively underpaid for the responsibility they have, unless they gain an x amount of flight hours and years of experience so they can do big intercontinental flights (= more flight hours, = more income). It's up to the industry to fix this problem, also to fix their own shortage of pilots. Pay pilots a decent wage when they're starting out on their career. Give them the opportunities to gain the flight hours.
IMHO the long term solution to improving safety is to make the pilots increasingly redundant. With the current generation of technology this is not yet feasible since they are depending on a wide range of technologies dating back decades. Also a lot of the planes flying are decades old designs. This makes them hard to automate and human-computer interaction has not evolved to the point where a computer can take over these tasks and deal with all the critical human interactions that are involved with operating a plane. In principle the problem is solvable, however. It's mostly just a matter of enough sensors and computation redundancy and improving communication technology to get humans out of the loop.
Mostly pilots these days take executive decisions that boil down to religiously following checklists for basically every scenario imaginable and programming the auto pilot to act accordingly. The auto pilot is activated right after take off and typically disabled on final moments before touch down; or in some cases after landing. Or as in this case, in an emergency.
That's not to marginalize their role. Flying an airliner is a two man operation and they tend to be extremely busy dealing with flying complex procedures, routing around weather, ad hoc cues from controllers, cross checking each other, etc. Most of that stuff requires pilots to have good situational awareness. Most of that awareness is created through reading their instruments, communicating on their radio, and looking outside (when weather permits).
All of that could be automated but it would require a complete rethink of how this business works. For example modern planes are basically equipped with multiple redundant computers and fly by wire control (i.e. a computer controls everything). Yet, critical information is passed to these computers via a non digital communications channel involving people trying to exchange crucial bits of information over a badly congested, low quality radio channel with limited range. This is a ridiculously convoluted, error prone, and hopelessly inefficient way of communicating. The only reason it exists is because agreeing and standardizing on something sensible is going to take decades and has taken decades already.
Most of the chatter on the radio is people cross verifying completely routine information. Worse, people on both sides tend to be very overloaded with information and yet lack the mechanisms to share information other than verbally. Controllers can be juggling communication with dozens of planes and pilots are bogged down in a barrage of instructions, complex procedures, and checklists. A lot of the training focuses on teaching both to stay on top of this (this is very hard). A lot of accidents result from their failure to do so. Emergencies are stressful and stress makes all this even harder.
So, a completely computer based system would do away with most of that to reduce task overload for pilots and controllers and ultimately reduce both of them to the role of remote managers that intervene by exception and very rarely. Ultimately such a system would run itself. Military drones are slightly ahead of the curve here.
This is really arguable.
People always go on about how voice radio communication on a shared channel is from the Stone Age, but what’s better, and why, and can you prove it?
I feel like people drastically underestimate the degree to which the current radio system succeeds in providing situational awareness. We are wired to process and respond to input from human voices extremely quickly and intuitively with lots of nuance, and our visual and tactile systems are pretty well saturated with information while flying.
What’s your superior suggestion? Saying “computers” or “automation” is going to have to address the fact that those things have some issues as well.
Much of the pilot training for an instrument rating is about staying on top of the radios, dealing with the enormous task load, and planning ahead as to what is going to be required next. As soon as you lose the plot there, you are in trouble: you lose situational awareness, controllers get pissed, things get very stressful, mistakes get made, etc. Many private pilots chicken out from ever getting their instrument rating since it is so enormously challenging and intimidating and since maintaining it is such a big commitment as well.
Most of this is for the perfectly valid reason that this extremely limited and unreliable medium of shouting out letters as words over congested and distorted radio channels is literally the only way to communicate with controllers.
The fix is obvious: send messages over authenticated digital channels with some integrity/sanity checks using some well defined protocol. Start requiring this for all commercial aviation and ban planes from critical air space that are not able to communicate that way. Important messages should require acknowledgement from pilots. There should be zero doubt for pilots about the current status of controller provided altimeter settings, weather report, most recent instructions, etc. Likewise controllers should be able to pick up planes the second their radios and transponders are turned on. This should not be optional. There should be no need for transponder codes. There should be zero doubt about which plane is where for the controller, the entire history of that plane, its current journey, its pilot, all previous communications, etc. None of that should need to be communicated or verified by voice, ever.
Voice channels should be reserved for emergencies. Controllers should be able to talk to any plane without delay. These channels should have stuff like caller id and other fancy stuff any decent mobile phone has been capable of for decades. There should be no need to ever yell out call signs and hope that the other side got it jotted down correctly. Etc.
This is not particularly hard to design technically and hasn't been for a long time. Sure you'd want a sane design and lots of built in checks and balances and back up systems, etc.
But agreeing that it needs to be designed, and then agreeing on a particular design is what the problem is here. If you doubt there is a problem, consider that essentially every major plane crash gets blamed on "pilot error" and translate that as "they accidentally crashed the plane because they got confused about what to do under the enormous task-load". When shit goes wrong, having a lot of confusion about who said what, who did what, what was the pilot, plane doing, etc. seems standard. There's no need for that, at all. E.g. Most of the stuff on a black box should be stored remotely long before the plane hits the ground.
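The proposal above (authenticated messages, integrity checks, mandatory acknowledgement) is concrete enough to sketch. What follows is an added toy example, written for this page and not describing any real aviation datalink, of the minimum such a channel needs: every frame carries a canonical body and an HMAC-SHA256 tag, a per-sender sequence number rejects replays and stale frames, and an instruction stays outstanding on the controller's side until an acknowledgement arrives that both authenticates and echoes the instruction text, the digital equivalent of a readback. The station names, the call sign, the instruction texts and the single pre-shared key per station pair are constructed for the demo; key distribution is out of scope.

```python
import hashlib
import hmac
import json


class Station:
    """One end of the link: a controller position or an aircraft.
    A pre-shared key per controller/aircraft pair is assumed for the example;
    key distribution and rotation are out of scope."""

    def __init__(self, name, key):
        self.name = name
        self.key = key
        self.next_seq = 1
        self.last_seen = {}   # peer name -> highest sequence number accepted from it
        self.pending = {}     # (peer, seq) -> instruction text awaiting readback
        self.log = []         # every accepted message, in arrival order

    def sign(self, msg):
        """Canonical JSON body followed by an HMAC-SHA256 tag."""
        body = json.dumps(msg, sort_keys=True).encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return body + b"|" + tag.encode()

    def _next(self):
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        return seq

    def instruct(self, to, text):
        """Controller side: issue an instruction that must be read back."""
        seq = self._next()
        self.pending[(to, seq)] = text
        return self.sign({"from": self.name, "to": to, "seq": seq,
                          "kind": "INSTRUCTION", "text": text})

    def receive(self, frame):
        """Verify a frame.  Returns the acknowledgement frame to send back for
        an instruction, None for an accepted ack.  Raises ValueError on any
        frame that must not be acted on."""
        body, sep, tag = frame.rpartition(b"|")
        if not sep:
            raise ValueError("malformed frame")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            raise ValueError("integrity check failed")
        msg = json.loads(body)
        if msg["to"] != self.name:
            raise ValueError("addressed to another station")
        if msg["seq"] <= self.last_seen.get(msg["from"], 0):
            raise ValueError("stale or replayed sequence number")
        self.last_seen[msg["from"]] = msg["seq"]
        self.log.append(msg)
        if msg["kind"] == "ACK":
            key = (msg["from"], msg["ref"])
            if self.pending.get(key) != msg["text"]:
                raise ValueError("readback does not match instruction")
            del self.pending[key]
            return None
        # Instruction: build the readback.  It references the instruction's
        # sequence number and echoes its text, so a garbled readback is caught.
        return self.sign({"from": self.name, "to": msg["from"], "seq": self._next(),
                          "kind": "ACK", "ref": msg["seq"], "text": msg["text"]})

    def outstanding(self):
        return dict(self.pending)


def rejection(station, frame):
    """Feed a frame and report why it was rejected (None if accepted)."""
    try:
        station.receive(frame)
        return None
    except ValueError as err:
        return str(err)


def demo():
    key = b"constructed demo key"      # assumption: one key per station pair
    atc = Station("ATC", key)
    acft = Station("N12345", key)      # constructed call sign
    out = {}
    frame = atc.instruct("N12345", "DESCEND FL250")
    ack = acft.receive(frame)
    out["pending_before_ack"] = len(atc.outstanding())
    atc.receive(ack)
    out["pending_after_ack"] = len(atc.outstanding())
    out["replay"] = rejection(acft, frame)
    out["tamper"] = rejection(acft, frame.replace(b"FL250", b"FL150"))
    # A correctly authenticated ack whose text differs from the instruction
    # (a wrong readback) is rejected and the instruction stays outstanding.
    atc.instruct("N12345", "CLIMB FL310")
    bad_ack = acft.sign({"from": "N12345", "to": "ATC", "seq": acft.next_seq,
                         "kind": "ACK", "ref": 2, "text": "CLIMB FL130"})
    out["wrong_readback"] = rejection(atc, bad_ack)
    out["pending_after_bad_readback"] = len(atc.outstanding())
    return out
```

Running `demo()` walks through the four cases: a clean instruction and readback clears the controller's outstanding list, a replayed frame and a tampered frame are both refused before anything is acted on, and an authentic ack that reads back the wrong level leaves the instruction outstanding so the controller knows to re-issue it.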
There’s no question that staying on top of a complex flight has a heavy mental load. But I’m not convinced radio is the problem.
The information has to be conveyed somehow. Having humans at every step is a clear sanity check.
Either you cut humans out of the job of decision making and have computers make decisions, which introduces all sorts of new issues, or you have to give humans information and context.
And as long as humans are in charge, humans talking to other humans is underrated as a means of getting a lot of information across quickly and effectively.
Basically, aviation has a long history of increasing safety by taking tedious complicated tasks away from humans (e.g. dedicated navigators, radio operators, and engineers used to be a thing). This is just the next obvious thing to tackle.
I'd also argue pilot stress and task load is the biggest killer in the aviation industry and the single biggest root cause of every crash ever.
Also, I'd argue this is an extra tool. Of course talking to controllers and other pilots in the area should always be an option. Especially, at uncontrolled fields. Wouldn't it be nice if you can skip the formalities of telling over and over again who you are, where you are, etc. because the other side already knows this?
From an instrument proficiency point of view, I'm much more worried about efficiently understanding the information on the approach plate, maintaining situational awareness with respect to the approach path, adhering to minimums, and so on. Missed something that a controller said? "Say again." There's a reason it's aviate, navigate, and communicate--in that order.
You bring up a fine point: aviate, navigate, and communicate - in that order. Very sensible when everything is manual and you are task saturated to drop tasks in that priority; which is what this is about. If you automate communication and remove most of the task load related to that and navigation, it frees you up to let the auto pilot do the aviation bit.
1 - http://fortune.com/2014/03/03/why-airlines-are-running-out-o...
2 - https://daytonabeach.erau.edu/admissions/estimated-costs/
I think this is outdated from the post-2008 crisis time, when airlines cut back on flights. Currently there is a massive shortage of pilots, some make 150k ~ 300k in the Middle East or China.
I was going to quote parts of it, but it's all quite insightful that, making 150k-300k is not quite how it goes. Take a read.
The article's quote from a high-ranking boeing official sums it up: the company had decided against disclosing more details to cockpit crews due to concerns about inundating average pilots with too much information—and significantly more technical data—than they needed or could digest.
This might have contributed to their reluctance to talk about adding flight envelope protection features and hiding that even when pilots are "manually" flying, the flight control computers can kick in.
Seems like a reminder that "reality must take precedence over public relations".
RE that Boeing quote, I'd really love to know on what research on human mental capacity they based this decision. This is not a snark, I understand that a lot of decisions that go into airplanes are based on solid reasons. This particular one doesn't seem to be, though I'd love to know if I'm wrong about this.
In 2009 an Airbus A330-200 crashed into the Atlantic ocean killing more than 200 people because a confused pilot kept pulling the plane up, despite loud stall warnings from automatic safety systems. In the discussions of that event, one commenter asked, "Why did [the plane] not override the pilots' inputs and force a pitch-down?"
Designing safety critical systems is difficult. If the automated system fails, the pilot needs to be able to take over manual control. But at the same time, if the pilot does something stupid, the automatic system should prevent that.
I'm not sure how to square that.
The lack of stall warning meant two different things: "not stalling", and "stalling so extremely it can't be sure, so don't report it"; as you say. I wondered if there should be a different sounding alarm for "can't determine". Or, the pitch of stall alarm could rise, such that pilots could tell "which side of the stall" the plane is on, so that entering stall from one side would side start with a very high pitch or very low pitch. (I'd guess there's a better way..)
So, in this case, it's subtly more tragic than you describe, because the pilot did correct the AoA, and nose down, but when he did that, the stall warning resumed (albeit from the extreme other "side" of the interval), confusing him: no alarm, alarm resumes, so he thought he "re-stalled" it and pulled up again. This kept him mentally "stuck" in the extreme stall. They needed to "pass right through" the stall warning window, and come out the other side. They had sufficient altitude for this to succeed.
Since you already have allegedly redundant pilots and alarm systems and hopefully sensors, the remaining part is figuring out which failure detector has ultimately failed to work and why.
Also if redundant pilots are failing, it's a systematic failure in training, fatal to airlines and whoever designs training simulators.
The most potentially fatal to Boeing scenario is a systematic failure or negligence in terms of redundancy. Hampering pilot training is bad enough.
Another potential failure point is a software issue which means negligence in safety critical software engineering.
Even the most heavily analyzed aircraft can produce surprises once they actually take to the air. Look up "Super Hornet uncommanded wing drop". Or look at dynamic scaling tests (https://www.nasa.gov/pdf/483000main_ModelingFlight.pdf) which uncovered two spin modes in the F-15 that were previously entirely uncharacterized. (Not sure if the linked doc covers that instance specifically -- I learned this from speaking with the study PI. And no, most aircraft programs don't get to do dynamic scaling tests.)
All this is to say that a variety of potential non-linear behavior is lurking inside any given airframe, and all the wind tunnels and CFD in the world will merely allow you to model most of the useful operating conditions, but certainly not all of them.
Simulators, just like autopilots, are useful for finite input ranges. If you leave those input ranges, your simulator will precisely and repeatably model a fantasy, and your autopilot will disconnect.
Source: Short career as an aerospace engineer.
The human, by and large, figures it out. We generally accept that risk. But how will the autopilot react to the unexpected event for which you haven't trained it? Who knows?
1. Why did they not inform operators about changed system behavior?
2. Why wasn't the system capable of detecting sensor failure and/or act accordingly? In the automation industry one goes to great length to be able to tell good sensors apart from bad ones. Why was that not the case here? If it is not possible to tell bad sensors from good ones, why wasn't there (sufficient) redundancy (=multiple sensors) which at least deactivate the system on conflicting input?
There are two AoA sensors. However, good question - why aren't there 3 (so you can have majority quorum in case of one failure), and why wasn't automation disabled once a discrepancy between the 2 existing ones was detected?
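The redundancy question above (two sensors can detect a disagreement but cannot say which one is wrong; three can out-vote a single failure) is easy to make concrete. The following is an added example, not from the thread and not Boeing's logic: a hypothetical voter over angle-of-attack readings. With two sensors the only safe answer to a disagreement is to inhibit the automation; with three, a single outlier is identified and the automation keeps working. The tolerance, the stall threshold, and the sample readings are all constructed for the illustration.

```python
"""Sensor-redundancy voting (illustrative; not any real flight-control logic)."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class VoteResult:
    value: Optional[float]   # agreed reading, or None when automation must be inhibited
    inhibit: bool            # True: do not let the automation act on this data
    outlier: Optional[int]   # index of the sensor judged faulty, if one was identified
    reason: str


def vote_dual(a: float, b: float, tolerance: float) -> VoteResult:
    """Two sensors: a disagreement is detectable, but neither reading can be
    trusted over the other, so the fail-safe response is to inhibit."""
    if abs(a - b) <= tolerance:
        return VoteResult((a + b) / 2.0, False, None, "sensors agree")
    return VoteResult(None, True, None, f"sensors disagree by {abs(a - b):.1f} deg")


def vote_triple(readings: Sequence[float], tolerance: float) -> VoteResult:
    """Three sensors: majority vote. If two agree within tolerance, use their
    mean and flag the third as the outlier; if no two agree, inhibit."""
    if len(readings) != 3:
        raise ValueError("vote_triple expects exactly three readings")
    order = sorted(range(3), key=lambda i: readings[i])   # sensor indices by value
    lo, mid, hi = (readings[i] for i in order)
    lo_ok = (mid - lo) <= tolerance
    hi_ok = (hi - mid) <= tolerance
    if lo_ok and hi_ok:
        return VoteResult(mid, False, None, "all three agree")
    if lo_ok:   # the highest reading is the odd one out
        return VoteResult((lo + mid) / 2.0, False, order[2], f"sensor {order[2]} is an outlier")
    if hi_ok:   # the lowest reading is the odd one out
        return VoteResult((mid + hi) / 2.0, False, order[0], f"sensor {order[0]} is an outlier")
    return VoteResult(None, True, None, "no two sensors agree")


def stall_protection_command(vote: VoteResult, stall_threshold_deg: float) -> str:
    """Hypothetical consumer of the vote: only act on data the voter trusts.
    Returns 'INHIBITED', 'NOSE_DOWN' or 'NONE'."""
    if vote.inhibit or vote.value is None:
        return "INHIBITED"
    return "NOSE_DOWN" if vote.value > stall_threshold_deg else "NONE"


if __name__ == "__main__":
    # Constructed readings: one sensor reporting an implausibly high angle of attack.
    tol, threshold = 1.0, 15.0
    two = vote_dual(2.0, 22.0, tol)
    print("dual:  ", two.reason, "->", stall_protection_command(two, threshold))
    three = vote_triple([2.0, 22.0, 2.4], tol)
    print("triple:", three.reason, "->", stall_protection_command(three, threshold))
```

With two sensors the bad reading leads to `INHIBITED`, not `NOSE_DOWN`; with three the bad sensor is out-voted and the command is `NONE`. The design point is that the consumer never sees a reading the voter did not vouch for.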
Did it disable the ABS? No. Instead, it continued to rely on the faulty sensor information, activating ABS under moderate deceleration on dry pavement, greatly reducing the available braking force and creating a severe danger.
I think there may be a bias among people designing safety equipment to always try to provide the intended safety benefit, even when part of the system isn't working. The problem is it's easy to lose sight of how the safety feature fits into the overall picture. A pilot can almost always safely fly a plane that doesn't use automation to recover from a stall, but not necessarily one that uses the trim to point the nose at the ground in spite of control inputs to the contrary.
This 'roads are so dangerous' is part of the self driving crowd scaremongering program. That 'humans can't be trusted' but their tech can obviously.
But when looking at the global picture and the sheer number of cars in all sorts of traffic conditions on roads everyday without incident this narrative falls apart.
We need far more facts, data and critically 'contextualization' than sweeping disingenuous statements by parts of the tech community motivated by self interest and greed.
I think for a variety of reasons you cannot equate Boeing with, dunno, tech startups and IoT makers. The history, culture, and regulatory environment in commercial aviation is very different from "normal consumer tech". (In other words, even if there were a superficial similarity here, it would not constitute part of or evidence for some sort of overarching trend affecting both normal consumer tech and commercial aviation.)
So the issue seems to be that Boeing didn’t even tell pilots and airlines that the auto-stall-prevention system has been added to new variants. So I wonder if this software mitigation is something as simple as a warning screen or dialog box. If they’re writing software, at this point, to fix/patch how the system actually functions, that seems to imply they released a flawed system/heuristic, if such a patchable flaw was found out so soon after the Lion Air crash.
Testing new variations of software for a product that works when used as designed/tested already may have been (I'll speculate probably was, and at a low back-burner update priority baked in to some other larger change) in progress; but that's still re-testing and validating a complex system that must fulfill the other test cases (probably with real flight time and conditions).
Particularly when a well trained operator (pilot) is supposed to be able to safely work around the existing defect, and seems to have done so in prior flights of that plane as well.
It seems they added a second autopilot that prevents pilots from doing truly stupid things without telling anybody. Problem? Failure modes of that autopilot can easily be lethal.
I think they may have been right in saying pilots don’t need additional training for this new feature. If the plane flew itself into the ground, and there’s nothing the pilots could have done to prevent that, they don’t need additional training.
Chances are they didn’t tell buyers of the plane because, for years, they have marketed their planes as “if the software fails, pilots can take control, unlike in Airbus planes” (counter-acting Airbus’ message that their planes were more modern)
So no: in Airbus planes the pilots can and do absolutely control everything. If needed the pilot can always go into Direct Law. When sensors fail (like the pitot tubes in AF447) Airbus planes step down to Alternate Law. “If the software fails, pilots can take control, unlike in Airbus planes” has never been true.
There is however a difference in that Boeing pilots are supposed to always have the last word without needing to deactivate protections or anything. The plane would for instance apply physical resistance on the yoke to alert the pilot that something is wrong, but pulling/pushing hard enough is enough to override the protection. Well, that was my understanding until this accident (investigation pending, of course).
The pitch trim can be controlled by a number of different systems for different reasons, see the section on mach trim for an interesting one. I would be shocked if the inputs here weren't disabled by switching the stab trim - autopilot switch to the off position.
I've mentioned in previous comments, this sounds like a trim runaway incident. The mechanism may be new but the underlying fault and the symptoms would have been the same.
> Runaway Stabilizer
> Disengage autopilot and control airplane pitch attitude with control column and main electric trim as required. If relaxing the column causes the trim to move, set stabilizer trim switches to CUTOUT. If runaway continues, hold the stabilizer trim wheel against rotation and trim the airplane manually.
When autopilot is off, you'll still have stall/overspeed protection that will pitch down/up in the corresponding condition. This protection can also be disabled by switching off some flight computer control. This is the case for both Airbus and Boeing, and the specific controls required depend on the particular plane model.
The issue at hand is ensuring that training for these situations and knowledge of the flight control computers is adequate.
I don't see how Boeing will remain immune to the race to the bottom culture plaguing American business.
Don't sweat it.
Per trip, it looks different (for two reasons: a) planes are faster than cars, b) plane trips are generally longer than car trips).
You're probably around 10x more likely to die on your next plane trip than on your next car trip, from what I can tell.
Here are Wikipedia's numbers for 1990-2000 in the UK (because that's what they happen to have easily available):
Deaths per billion:
      Journeys  Hours  Kilometers
Car:  40        130    3.10
Air:  117       30     0.05
So for an average journey by each a couple decades ago, this says that travelling (a long journey) by plane is about 3x the risk of death as travelling (a short journey) by car. Does anyone have more recent numbers for the world as a whole?
Best as I can estimate now, the risk of dying on your next (scheduled air carrier, part 121) plane journey is maybe a third of that on your next car journey (in the US, thanks to the amazing safety record there).
The aviation industry likes to quote fatalities per passenger mile, which is very favourable to air travel, and of course also relevant if you decide which mode of transport to take for a given journey from A to B.
However, if we want to look at how twitchy you feel for taking a typical car journey vs a typical plane journey, we need to look at fatalities per passenger journey, and they bring the numbers closer together by a factor of around 100.
Numbers for general aviation are much worse: you're about 200 times as likely to die on the next GA trip than car trip.
There are just many more cars around than planes. Also, note that 2% of all B737, 4% of all B747, and 5% of all A300 ever built have been hull losses (including non-fatal incidents). But yeah, aviation has gotten amazingly safe in the last decades.
Would be interesting to look at corresponding numbers for Europe or the world.
See the Uber Elevate report, page 17, for some numbers.
Besides this is based on old data and as others have pointed out flying has become even safer in the last years.
 - https://en.wikipedia.org/wiki/Aviation_safety#Transport_comp...
Modern cars have also become much safer. Which has become safer faster, and thus in which way has the ratio changed? (Real question, I don't know the answer but would be interested in the updated numbers)
With both flying and driving you can take steps to get better than average odds.
With flying, you can pick airlines that have a better safety record. You can schedule your trips to avoid flying in bad weather. Flying nonstop, or minimizing layovers if you cannot get nonstop, should help, too.
With driving, you can pick a car that has good crash protection. You can keep your car well maintained. You can travel at times when accident rates are lower. You can pick routes with low accident rates. You can drive like you are a 35+ year old female. You can drive at a time when you are sober, not on drugs, well rested, and healthy.
There's so much variation on the driving side, I doubt it is possible to actually figure out the risk if someone takes most or all of those steps.
Airlines are the final customers of Boeing, Airbus, etc. I am sure they want as much automation on a plane as is possible to reduce the training requirements and so decrease the cost of having pilots on the balance sheet.
The problem I think is that the abstraction that is the modern flight deck is not quite up to the job of dealing with poorly trained pilots or pilots with little experience of unusual situations. That gap was nicely addressed by having military trained people in the cockpits where unusual situations are somewhat more "routine".
So what we are seeing is the mismatch of cost-constrained customers and the failings of technology in a situation where failures are less forgiving. It's the same story with automation that is being played out everywhere. The only difference, if you exclude x-ray machines, is that the impact is higher.
I'm going to jump on this in particular; please don't go full late stage capitalism and make people feel guilty for a retirement plan they've invested part of their lifetime salaries into.
That's not the impression I'm taking out of this discussion. It sounds like they're being blamed for not giving competent pilots the information they need to fly safely.
After the crash, reading the online comments about it (and the things said about Lion Air and the pilots) was pretty interesting given how things have turned out. It is also interesting how much play the initial discussion received relative to the follow up stories about the safety bulletin and now criticism from within the industry.
And when we finally do get an article on the safety issue, the top comment is focused on the pilot's supposed issues instead:
Or trying to continue to blame Lion Air:
I guess what I am saying is; there seems to be a deep unwillingness to criticize Boeing. This isn't recent or specific to this accident, Boeing is a very challenging topic to discuss without people getting tribal. Why is that?
Boeing is a large employer in the United States, people will get defensive when it threatens their livelihood. That said, as evidenced by the internal AA email Boeing fucked up. Rational or not I'm not planning on setting foot on a MAX anytime soon (and was fully prepared to get a refund if Southwest were to sub a MAX on my last flight).
But... you've also got the Indonesian aviation industry to contend with. Indonesian air travel is notoriously unsafe and in fact all Indonesian airlines were banned from EU airspace for a while. Lion Air, as well, stands out as being less safe than the Indonesian average.
Here's an example:
Watch the second landing. I'm not a pilot but I'm pretty sure that the pilot not flying is NOT supposed to adjust the control surfaces in an unannounced manner. Likewise I'm pretty sure you're supposed to arm the speed brakes BEFORE you touch down. Shit like that is why people pile onto Lion Air (and Indonesian airlines).
They fixed the previous issue. Why is flying a fixed aircraft after following Boeing's own procedures to fix it an "egregious decision?"
The New York Times accused Lion Air of falsifying maintenance records.
> Pilots and former safety regulators said that Lion Air flight and maintenance crews regularly filled out two log books, one real and one fake, to hide malfeasance.
On the other hand, Lion Air does have a bad reputation even in Indonesia, and I suspect not without reason. So some speculation in that regard was to be expected. What's a shame is that some commentators pinned it on Lion Air without waiting for the full picture to emerge, and it seems Boeing screwed up, here.
But I don't think Boeing specifically is sacrosanct here; the discussion would have been much the same if it had been an Airbus.
FWIW, I've suggested to my Indonesian friend (who's just been to the funeral of one of the victims) to avoid both Lion Air and Boeing 737-8, -9 MAX for now.
This is very unusual.
For anyone interested, the best sources of knowledgeable commentary are PPRuNe and AVHerald. Every other site is armchair speculation.
If you believed your airplane was at imminent risk of a stall, it would be deeply negligent to spend mental cycles talking to ATC instead of fixing it. ATC exists to sequence traffic; they can't fly your plane for you.
The previous flight which suffered the same problems called in a PanPan before resolving the faulty sensor issue.
Reports are also saying that this fault was noted on the last 4 flights.
Probably because he was too busy trying to keep the plane flying. Also, apparently Boeing hadn't notified the airlines and their pilots about this most recent "feature" that could see the airplane "pushing it down unexpectedly and so strongly that flight crews can’t pull it back up", which certainly must have added to the pilots' confusion in this case.
> That warning came as a surprise to many pilots who fly the latest models for U.S carriers. Safety experts involved in and tracking the investigation said that at U.S. carriers, neither airline managers nor pilots had been told such a system had been added to the latest 737 variant—and therefore aviators typically weren’t prepared to cope with the possible risks.
If you can't Aviate you don't do the other 2
As with any story, don't slavishly follow one source. In fact with aircraft accidents my general advice is to ignore all 'coverage' for a year.
As with any story, don't slavishly follow one source.
Accident after accident.
That is not to excuse anything Boeing has done, but it's easy to see why most had that reaction.
This happens every single day on thousands of aircraft worldwide. Problems show up, the engineers fix them, and the aircraft are returned to service.
I'm not sure what you're suggesting should happen... if you want Boeing to sign-off every pitot-tube cleaning or AoA sensor replacement, most planes would be grounded waiting for Boeing to show up.
I'm surprised that Boeing designed a system that could override the strength of the pilot. I don't know how strong the normal autopilot controls are on a B-737-800 but on lighter aircraft it's a normal part of the preflight to make sure that you can overpower the autopilot with muscle if it fails.
And these are the kinds of scenarios that continue to make me think autonomous cars in a hybrid environment (i.e. with human drivers) is just absurd. Flying planes is a standardized environment, and we can't even automate it end to end with available technology in idealized conditions, let alone in emergencies. And car driving is way more complicated (and I say that as a pilot).
Having one inch precision for every bit of concrete, light bulb, paint on every airport in the world, is less data than what you'd see in one town, let alone a city, let alone all of them. The infrastructure standardization within a city is poor let alone across the country, and it evolves daily perhaps even by the hour.
Well, it's not that we can't, it's that we haven't yet. Both Boeing and Airbus have treaded lightly into this territory. Hard to blame them, since most polling indicates an overwhelming majority of the public wouldn't get on an unmanned airplane.
Furthermore, there's a few misconceptions here. Weather at 30,000 feet is nothing like weather on the surface of the earth. That said, the tech is pretty close to a reality, but when you have to drag the public along it slows the process down.
The difference you're probably thinking of is the Boeing philosophy of ultimate pilot control vs the Airbus one of software restrictions. A pilot can fly a Boeing aircraft outside of its designed envelope, but an Airbus will restrict the inputs.
The plane that crashed was not a 757 it was a 737 MAX.
> This crash involves a 737 MAX - a very modern fully fly-by-wire aeroplane.
The 737 MAX is NOT a fully FBW airplane. The MAX does have a FBW spoiler which the previous 737s (Jurassic, Classic, NG) lack.
> The difference you're probably thinking of is the Boeing philosophy of ultimate pilot control vs the Airbus one of software restrictions. A pilot can fly a Boeing aircraft outside of its designed envelope, but an Airbus will restrict the inputs.
That's not entirely true, all 737s will put additional pressure on the yoke when a stall is detected. You can fly a 737 into a stall, but with quite a bit of effort. Similarly you can fly a modern Airbus into a stall provided you're in one of the degraded "laws". Air France pilots did just that with an A330.
Where the MAX differs from other 737s is that when a stall is detected it will trim the stabilizer -- even worse when the computer predicts a stall the 737 may end up trimming the stabilizer to the point that you cannot overcome it with the elevator.
On a 737 the elevators respond quickly while the trim adjustments are much, much slower. If you're 5,000 ft in the air and Boeing decides to trim the stabilizer full down you may already crash by the time you can re-trim the plane and regain control. Previous 737s did NOT do this. I believe that LOT specifically emphasizes this in their MAX training, unsure if Lion Air did/does.
> “We’re pissed that Boeing didn’t tell the companies and the pilots didn’t get notice obviously, as well,” said Capt. Jon Weaks, president of Southwest Airlines Co.’s pilot union. “But what we need now is...to make sure there is nothing else Boeing has not told the companies or the pilots.”
Very convincing. If "others" say so - it must be true.