I had my first flight on the Max [to] ZZZ1. We found out we were scheduled to fly the aircraft on the way to the airport in the limo. We had a little time [to] review the essentials in the car. Otherwise we would have walked onto the plane cold.My post flight evaluation is that we lacked the knowledge to operate the aircraft in all weather and aircraft states safely. The instrumentation is completely different - My scan was degraded, slow and labored having had no experience w/ the new ND (Navigation Display) and ADI (Attitude Director Indicator) presentations/format or functions (manipulation between the screens and systems pages were not provided in training materials. If they were, I had no recollection of that material).We were unable to navigate to systems pages and lacked the knowledge of what systems information was available to us in the different phases of flight. Our weather radar competency was inadequate to safely navigate significant weather on that dark and stormy night. These are just a few issues that were not addressed in our training.I recommend the following to help crews w/ their introductory flight on the Max:Email notification the day before the flight (the email should include: Links - Training Video, PSOB and QRG and all relevant updates/FAQ's)SME (Subject Matter Expert) Observer - the role of the SME is to introduce systems navigation, display management, answer general questions and provide standardized best practices to the next generation aircraft.Additionally, the SME will collect de-identified data to provide to the training department for analysis and dissemination to the line pilots regarding FAQs and know systems differences as well best practices in fly the new model aircraft.
This is why corporations cannot police themselves and it's where the FAA dropped the ball.
I don’t see why airlines should be given a pass on trusting the vendor on hundred million dollar products that both employees and customers are literally entrusting their lives with.
https://titan-server.arc.nasa.gov/ASRSPublicQueryWizard/Quer... put in ACN = 1555013.
The software relied on input from sensors at least in the Lion Air crash and the fact is the sensors failed on new aircraft.
I would trust the NTSB as much as the European counterparts. I have read some of their reports and they are very dilligent and fair.
We should avoid placing blame now on anyone whether it is Boeing, pilots, national agencies, until the full reports are available. The grounding of the aircraft was perfectly justified with the available data from a security point of view.
The air industry has been focused on avoiding a blame culture. Even I, as a passenger sometimes look for the lowest price, so the pressure for cost cutting may come from us as well.
Of course you do, and that is not your fault. This is why we have independent regulation organizations like FAA or EASA, to not have matters of security solely in the hand of the free market.
Thankfully the aviation industry nowadays out of self interest cares about safety.
That is, every one of these regulations exist because somebody died as a direct result of that regulation not existing.
1. Boeing's suggested process (including flipping the two trim switches and spinning a wheel) does not work for some reason.
2. The Ethiopian pilots did not follow this process.
I see #1 as putting a huge, huge amount of blame on Boeing and the FAA - especially given their months of "safe plane" reaction after Lion Air and their cavalier few days after Ethopian.
I see #2 as still keeping a good deal of blame on Boeing, but also adding a significant training+capability element to Ethiopian and the pilots. Since Lion Air, how much had Boeing done to specify that the 737-MAX and the 737-NG are not the same plane and require different things to be aware of? Could a 737-MAX pilot really not have run through in their head a thousand times what MCAS related issues look like and what they would do if they started having those issues?
A plausible explanation for (1) that I've seen discussed is that, after disabling the auto trim, it may be impossible to manually re-trim while the yoke's pulled back, without first relieving aerodynamic stress on the elevator -- in this case by pointing the nose even farther down temporarily, which no sane pilot is going to want to do close to the ground.
(I don't know whether it could actually happen this way.)
I don't find 1 particularly compelling, it would have been noted by now if it was impossible to trim the aircraft using the manual trim wheels. Unless this is very specific to the MAX.
That said, I think it's entirely possible there is something else wrong in the control of the MAX.
It has been noted:
737 Flight Crew Training Manual, chapter Non-Normal Operations/Flight Controls, sub heading Manual Stabilizer trim:
"Excessive air loads on the stabilizer may require effort by both pilots to correct mis-trim. In extreme cases it may be necessary to aerodynamically relieve the air loads to allow manual trimming. Accelerate or decelerate towards the in-trim speed while attempting to trim manually."
In this case the excessive air load would be caused by the yoke control pulling the elevator up while the trim controlled stabilizer is doing the opposite.
Like you say, it's hard to know whether this actually happened.
What would it have to say? It says you might have to do X before Y, where Y is a thing that you need to do quickly while at low altitude to avoid dying and X is a thing that gives you even less time to do it in and makes the problem worse.
From your senario when the trim moves nose down. You apply nose up on the elevator which makes the trailing edge of the elevator go up which applies a downwards force on the trailing edge of the stabilizer. In order to move the trim back towards neural you need to lift the trailing edge against this force.
If the trim is extreme you may have to relax back pressure to reduce that force.
By in trim speed they mean the speed at which the aircraft would naturally settle at given the current trim setting.
Perhaps the phrase "aerodynamically relieve the air loads" means to minimize the aerodynamic force generated by the stabilizer? The stabilizer of a conventional airplane will invariably generate a downwards force when the aircraft is in pitch equilibrium at high speed, but it may be upwards at low speed, even with the C of G within limits. In such cases, the speed at which it has no load will be an intermediate one, and therefore could be either above or below the speed to which the airplane is currently (mis-)trimmed.
The quoted passage says it is referring to correcting what it calls a mis-trim, so if your interpretation is correct, then where it says "in-trim speed", it actually means "the speed to which the airplane is mis-trimmed", while the general usage of the term "in trim" means trimmed to fly at the intended speed, and I would take the phrase "in-trim speed" to refer to that speed - the speed that the pilots intend to fly at, or, in other words, the speed that this out-of-trim airplane would tend to fly at when put back in trim.
Furthermore, if things are as you describe, then the rule could have been more simply and clearly phrased as "reduce your pressure on the control yoke". Maybe your interpretation is correct, but if so, it seems to me to be an unnecessarily confusing way to describe it.
In general pitch trim runaway incidents are easiest to control at low speeds. It gives you more aircraft configuration options available to try and reduces the aero loads general.
But perhaps they were just not ruling out either.
Frustrating to have a question that could be answered quickly by a 737 pilot! (Whether the trim wheel becomes much harder to turn after you set STAB TRIM CUTOUT to cutout, mistrim down, and pull up.)
I've never suggested having a trim runaway close to the ground is trivial. It's certainly going to result in brown trousers when it happens, but it should be within the abilities of a well trained crew to handle.
Following the outcry over Lion air I just don't believe a pilot on type wouldn't have known the procedures for getting the aircraft to a safe altitude and disabling the stab trim.
As a pilot your hands are on the controls. You notice pretty instantly that your having to pull the nose up. You instinctively reach for the trim control on the yoke. This disables the MCAS system for 5 seconds. You get the pitch forces under control. A few seconds later MCAS decides you've still got the nose too high because of a faulty sensor and tries to trim it back down once more.
How many times before you remember that fatal bug from that crash a few months ago. Maybe twice? Three times tops.
I am not saying this is likely to be what happened! But given that Boeing didn't even mention any of this in the manual before Lion Air, it seems plausible that they either didn't test it carefully, or tested it at high altitude and imagined that it would never happen at low altitude?
The bit about the 'effort by both pilots' raises the issue of the 200-hour first officer.
From another perspective, having one new sensor fail would seem to suggest that one should increase the prior probability for failure.
> 1. Boeing's suggested process
so I just happened to see the dramatization of this crash yesterday, and here boeing suggestion for a thrust reversal engaging in flight was likewise simple: cut throttle and fuel to engines. that was based under specific assumption of limited testing, while in the crash the pilot had 6 seconds between the engagement and total irrecoverable loss of control.
assuming that just because there's a process the plane is safe is somewhat disingenuous, as it is placing the blame as an 'either/or' preposition. it might be that training is insufficient, but pilots don't control the training material. and following a checklist is somewhat hard if the plane constantly pulls down.
This happens in a critical time of flight, when pilots are busy with other tasks and are at a low altitude (less time to fix any problems).
So no, Boeing's process is not a good solution.
If you are referring to the documented procedure for recovering from a trim runaway, then all 737s would be dangerous, as this is the same procedure for trim runaway recovery as it is for the prior versions, and regardless of whether it is caused by an MCAS fault or for any other reason. The pilot is not expected to determine whether it is an MCAS fault before acting, because the recovery from runaway trim is the same, regardless of cause.
I'm not sure where they got that from, but why would it be okay if the US pilots got training immediately, while others had to wait?
And ET pilots felt they had received adequate advice and information from Boeing.
> I'm not sure where they got that from, but why would it be okay if the US pilots got training immediately, while others had to wait?
Something like https://www.forbes.com/sites/tedreed/2019/03/13/who-says-the...
How that statement meshes with
"Pilots repeatedly voiced safety concerns about the Boeing 737 Max 8 to federal authorities, with one captain calling the flight manual “inadequate and almost criminally insufficient”
"U.S. regulators are mandating that Boeing upgrade the plane’s software by April"
Back in 2016 it seems that the pilots union felt the MAX was a different plane:
Bhavye Suneja, the pilot - Suneja had logged more than 6,000 flight hours, according to Lion Air.
His co-pilot, whose name was Harvino - Harvino had logged more than 5,000 flight hours, according to Lion Air, which named him alongside Suneja.
And yet at least one previous Lion Air crew had a run-in with MCAS and survived.
Saying that some crews in some circumstances coped with the problem therefore all crews in all circumstances should be able to is disingenuous
Up until five or so years ago the FAA only mandated 250 hours of flight time to obtain an airline transport pilot license. Has American aviation gotten that much safer since then?
Option 3 happening at 40,000 feet has a very much better chance of a positive outcome than at 4,000 feet
Agreed. When users of my software fail to use the software properly some large part of the blame is still on me.
They should have reacted faster after the latest crash, but fortunately this delay has had no consequences.
One would hope that the question of MCAS not being triply redundant will be reassessed, but the argument that it could do no more harm than a fault in the existing trim mechanism is not an unreasonable one, again if considered without hindsight.
As a passenger I expect pilots to fully know the plane they are flying and to previously have flown this exact type and model of aircraft in training sessions without any passengers whatsoever. 737 MAXs seem to have significant differences compared to other 737 models and airlines appear criminally negligent in the use of these aircraft.
I used to be a mere bus driver as a college job and I _had_ to train on all models before transporting any sort of organism with a central nervous system.
But apparently, flying hundreds of people at hundreds of mph at several thousand feet above the ground doesn't require this sort of familiarity with the machine. Having flown other 737s and skimming a manual 20mins before departure was often deemed sufficient, resulting in flabbergasted and overwhelmed pilots.
Boeing, FAA, airlines... whoever is ultimately blamed in all of this, the crash has revealed some scary stories in regards to aviation - all for the sake of cutting costs because people demand to fly across continents for $100.
But the idea that they can learn the differences from the manual in a short car ride is ridiculous in the extreme.
As a daily driver of your own car, if you do own one, then it might be apparent how different they can be. I constantly switch between automatic Mercedes and BMWs.
Both have a near identical handle on the right side of the steering wheel. One turns on wipers (BMW), the other one shifts gears... (Benz). Imagine that on a plane with worse consequences than accidentally shifting into neutral when it rains.
They definitely did not do the proper training that was merited here, but the proper training is not and never was flying a large jetliner empty.
One would expect that X hours in a simulator help you adapt to a new aircraft type.
I didn't intend to demand economically stupid things like flying an large aircraft empty for training, just wanted to express that as a passenger I want my pilot to know their way around the machine that keeps me 10km above ground at 600km/h.
Just to clarify: you can udpate a simulator and recertifie it. e.g. in regard to the motion or visual systems etc etc. But to transform a simulator into another aircraft would be beyond economically sane.
According to Boeing, the FAA, the EASA, and various other regulators around the world, the 737 MAX is not significantly different to earlier 737s.
Nobody does that in a "live aircraft", that's what simulators are for (and the whole flight training curriculum, from the first lesson to being able to fly a commercial jet).
Then we read that the MAX was the "best selling model." It seems, based on the false advertising, that included not acknowledging the differences. Even the "less serious" ones:
"I had my first flight on the Max [to] ZZZ1. We found out we were scheduled to fly the aircraft on the way to the airport in the limo. We had a little time [to] review the essentials in the car. Otherwise we would have walked onto the plane cold. My post flight evaluation is that we lacked the knowledge to operate the aircraft in all weather and aircraft states safely.
The instrumentation is completely different - My scan was degraded, slow and labored having had no experience w/ the new ND (Navigation Display) and ADI (Attitude Director Indicator) presentations/format or functions (manipulation between the screens and systems pages were not provided in training materials. If they were, I had no recollection of that material)."
It just looks like they didn't even get proper simulator training in too many cases.
> State Reference : US
> B737 MAX First Officer reported feeling unprepared for first flight in the MAX, citing inadequate training.
From another comment below (a simulator industry insider):
> However, since the 737ng and 737 MAX are common type (meaning that in the eyes of the authorities, if you're licensed for one, you're licensed for both) customers aren't REQUIRED to get a 737 MAX sim granted that they already have a 737ng sim.
This is where the FAA could have intervened. Pilots consider them different enough to warrant training so it should have been clear for the FAA too. But they accept this compromise to allow companies to cut costs.
And the scary thing is that a new pilot will also get to train on an old NG sim before flying a (different) MAX plane. Unlike experience pilots, a new one would have little flying experience to fall back on and the FAA allows them to fly a plane after being trained on what might as well be a sim for a different plane.
Never going to happen. Modern aircraft are far too complex for anyone to have this sort of complete knowledge, let alone be able to use it properly in a crisis. This one reason, of many, that pilots work from checklists created by the manufacturer.
1) Software issues (e.g. MCAS), hardware issues (e.g. AoA sensors) -> Boeing responsible
2) Little to no training for 737 MAX, shuffling of known UI and UX of other 737 models -> airlines and Boeing responsible
3) Certifications for 737 MAX granted despite lack of sufficient training in addition to repeated warnings by pilots (your link!) -> Boeing and FAA responsible
> You have no idea what you’re talking about.
Plus you never blamed pilots themselves anyway. You said Boeing/FAA/Airlines which seems quite correct.
I'd just ignore that post.
Your reply was unnecessarily hostile and your downvotes are well-deserved.
Is there another way to view the text?
Using cloudflares DNS 22.214.171.124. Seems that does not work since a while.
A lot of blame to and from who is responsible for the problem, still no solution apparently.
The .is domain has been occasionally problematic.
What they could do is allow everyone in, but reveal each paragraph progressively by viewing ads right there between the paragraphs. Or feeding the meter coins.
Time delayed progressively revealed articles. Pay the fee to unlock all paragraphs.
Or they need granular payment, yes I would pay 1 cent for the next 10 paragraphs. But I don't want to create an account with the publisher to do that. Kind of how I don't sign up to the parking block company to buy a spot for 5 hours in their car park.
Yes it can sting when one's comment is downvoted, but the guidelines ask all of us not to react in the usual tedious and sarcastic ways. A better approach is to take a moment to reflect on what in your comment might have attracted downvotes; if you notice anything to improve in the future, note it; and if you don't, just move on.
You've unfortunately broken them again just now. It's explicitly against the guidelines to insinuate that people you disagree with are astroturfers. Would you mind re-reading https://news.ycombinator.com/newsguidelines.html and following them carefully when posting here? We don't need you to change your views, just express them within the limits specified. We have those limits because we're trying to preserve the commons for everyone.
I don’t care about downvotes, if I did I wouldn’t post my actual opinions here, I just found it silly that people were trying to bury a comment that wasn’t the standard doom and gloom and ignorance I see around the crash.
Interestingly as soon as I edited my post the downvotes stopped and I started getting upvotes so some people found the edit interesting. :thinking emoji:
If you care to hear from someone who has been part of this community since early days, too many people are able to vote on comments. They don’t lurk, they are attracted here from a controversial link and stick around, reflexively treating upvotes/downvotes as a disagree/agree button instead of interesting/not-interesting like it used to be. Maybe the eternal September has finally arrived for good, or perhaps I’ve drifted from the core values of your typical HNer while this site stayed the same or drifted in a different direction. Only you would have the traffic and usage stats to know. I’m curious what percent of active HNers have an account created within a standard deviation of mine.
-posted from my phone so forgive typos
If their maintenance crew and pilots were solely to blame, I would expect to see a good deal more Ethiopian planes crashing.
Of course, it could be (and maybe even is likely) that a properly trained maintenance crew won't let the AoA sensor fly in a bad state. And of course it could be (and maybe even is likely) that a properly trained pilot will be able to correct the issue in flight.
But that doesn't pass the blame. The truth is that Ethiopian pilots and maintenance crews seem totally capable of keeping the rest of their planes in the air. Why has Boeing made a plane that is so much harder for them to fly safely? Is there any argument that the MAX is easier or safer to maintain/fly than the other planes Ethiopian flies?
They had one last week.
Southwest, by comparison, has been flying since 1967. They operate over 700 aircraft, all of them 737s including the new MAX variant. They've never had a serious crash and in their history have had 3 deaths as a result of accidents or incidents.
It was the largest amounted the FAA ever fined an airline.
2. The sentiment that some pilots can figure it out and others can't so we need better screening/training to deal with faulty equipment is wrong-headed. Pilots shouldn't have to waste any of their attention during flight dealing with engineering failures. Furthermore they should be informed of any changes that are made to their equipment, which it seems Boeing didn't do when they updated the pitch override software.
The wild speculation presumably includes British and Australian authorities — who have exemplary safety records, are nobody’s fools, and are very definitely run by very very senior and experienced people — banning the planes.
ASRS reports describing similar incidents and complaints about insufficient training and incomplete manuals. It looks like Boeing was able to get 737-Max pass as 737-NG variant without good differences training and better manuals.
It seriously is a standard heads-up to alert you to any potential issues that might occur with the aircraft. Inoperative systems, etc.
Even in general aviation, if you look at the logbook and see this is the first time this aircraft has flown since an engine teardown, you want to be aware of that in the light of monitoring your engine's readouts. If you suddenly see that the oil pressure is dropping or something, that's something you would immediately want to take seriously. Recent maintenance can be the difference between "I'll have the mechanic look at that when I get back" and immediately taking corrective action.
There was a plane (Cessna iirc) nearby me that went down from a similar issue. When you change the oil there is a drain tube and some leftover oil tends to drip out all over the cowling. The mechanic apparently got in the habit of rolling up some paper towel and shoving it in the drain tube to absorb the drips. Well, this time he forgot to close the drain cock. It held enough pressure to take off apparently, then blew out in-flight and the engine seized. You gotta watch for that stuff, first person to fly an aircraft after a maintenance issue needs to be aware of it.
(immediately taking corrective action is safer but planes are complex and if you immediately turned around the first time an engine ran a little hot you'd never get anywhere. They have redundant systems for a reason, and if anything commercial airliners are even more redundant and even more willing to fly with inoperative non-essential equipment, because there's so much money on the line. Commercial airliners fly with equipment that's broken literally all the time, there is very probably broken equipment on any given flight you take... more like probably several pieces broken.)
Not to say that the pilots here didn't do everything right... we don't know yet either way. Boeing certainly has some 'splaining to do regardless, there are design flaws here that apparently have caused this problem to occur quite frequently. Just because you hope the pilots would have caught it doesn't mean you want to tempt fate repeatedly.
You're absolutely right. Unfortunately the crew read the logbook and saw an STS (speed trim system) issue written up. When flight 610's crew looked at the logbook, nobody outside the Brazilian authorities knew what MCAS was or to expect anything like it.
STS trims the stabilizer under different conditions than MCAS and typically trims in a counter-intuitive manner, conditioning pilots to non-intuitive trim adjustments in normal flight. STS can be turned off for the duration by applying pressure in the opposite direction on the yoke, MCAS cannot.
With that in mind, yeah, the crew on flight 610 had a malfunction at the front of their minds. Just not the kind that was going to transpire.
We probably don't assume that was malicious. But we might assume deflecting away from that as an issue to be malicious.
Similar for the fact that the system wasn't well described in the manual.
It appears that the AOA disagree alert exists on the plane but is an optional paid feature (!).
As a student pilot you're taught about unsafe low airspeeds instead, even though AoA can technically cause a wing to stall at any airspeed, and even though that memorized stall airspeed ($V_s1$) actually varies with factors like plane weight.
AoA is not considered fundamental in commercial aviation, but is considered fundamental in military aviation.
Of course, if your commercial aircraft has a tendency towards stall, that changes the calculus on how important AoA is..
ISTR that after a carrier catapult takeoff, Naval aviators have 10 seconds for AoA to get into the "green zone." Otherwise it's an automatic eject. Forgot where I read that and if it's only for specific aircraft types, though.
A control loop cannot do that, it is a stupid fact processor that we prefer to do one simple thing reliably than to venture off on inscrutably deep reasoning adventures. A general flight AI would be an entirely different beast than the arsenal of pilot assistance systems currently employed. And just two sensors, simply disengaging the control loop when they disagree, seem insufficient to me when we deemed the control loop necessary in the first place. And this is the easily overlooked bit here: disengaging the MCAS isn't the final step, then you still need to fly the plane that it's manufacturer did not trust pilots to safely operate unassisted by MCAS.
(a general flight AI able to do the sensor trust inference could be an interesting game of adversarial programming though: plug it into a flight simulator, then try to down it with the smallest set of simulated malfunctions and weather)
> It appears that the AOA disagree alert exists on the plane but is an optional paid feature (!).
Oh, that is just crazy. And considering that a bad safe record is just as damaging for Boeing as for the airline, it doesn't seem particularly clever to leave that choice to the customers. Do you have an easily digestible source for that?
Boeing standardised at two, even on the 787. And one of those is located where it is vulnerable to damage from a jetbridge.
Investigators including Boeing are going to have to determine whether or not this crew is properly trained and of course, Boeing is going to have to focus on whether or not they have a software or technical issue.
Crashes are always the nexus of a chain of unfortunately and unlucky events. I have no reason to suspect this crash is any different. The only thing I'm confident of is that no matter what the problem is, Boeing will make changes and pilots will receive additional training, and perhaps be required to do simulator time.
Once the 737-MAX is ungrounded I will have no qualms getting inside of one.
Yeah, but it doesn't take Nostradamus to make that prediction. If Boeing doesn't fix their issues, they won't sell planes.
So, say we blame the pilot for incorrectly deactivating the faulted system within a time-frame that allows for recovery; which I think is a silly thing to do : at what level of added complexity and extended abnormal checklists do we transfer the blame from the pilot being unable to follow a checklist thoroughly and quickly enough, to the airframe manufacturer for producing a product with so many potential failure vectors that were added primarily as a cost-savings or for-profit desire?
The 737 MAX is unstable inherently for the sake of mileage, to reduce the overall cost per ticket, and increase corporate profit. I understand the importance of cost/benefit analysis, but at what point are corporations liable for teetering towards the profit side at the sake of safety?
This is blatantly false. The MCAS system isn't running a PID control loop or anything like that. It's applying stupidly simple logic to its inputs and giving equally simple outputs.
At worst you could claim the aircraft is less stable than the original 737. But more specifically I'd say the 737 Max exhibits undesirable control behaviours at the approach to the stall. The MCAS system was required to make this behaviour certifiable.
But the new Boeing 737 Max planes exactly at that dangerous moment behave differently to the pilot's input than what the pilot was trained for, because these new planes have different geometry. They are new, but being sold as the "same old." Selling point: "no pilot's retraining needed."
Boeing of course knew that planes behave differently, but actively tried to hide that, as much as not even reporting and documenting to the pilots that there's a new device built-in ("MCAS") to "move the controls itself" differently than what the pilot would do based on this training.
Now, if the MCAS misbehaves, the pilot is supposed to recognize that the "moved controls" are undesired, manage to turn the MCAS off fast enough (even using a circuit breaker! according to the Boeing's explanation after the first crash), and then again rescue the plane which behaves differently than the plane for which he's trained to have built-in reflexes!"
The pilots are supposed to be trained in the simulators to be prepared for the behavior in extreme situations, not to have a new plane that behaves by-design exactly not as they are trained.
The way they were trained, when some undesired movement occur, their reflex reaction corrects the problem. Not so in this case. Their trained reflexes didn't help. Instead, the faulty MCAS continues. That's why even the circuit breaker step is mentioned. But even after turning the MCAS off, the plane still behaves differently because it is actually of different geometry.
All that can happen at the moment the plane is not high enough to be safe to do enough maneuvering instead of hitting the ground.
EDIT: responding to the answer under this post:
> you seem to be assigning a lot of weight to a very minor system
"I" seem? At this very moment there is a world-wide belief that what you name "very minor" issues lead to death of 350 people in only 5 months time-span, to the point of grounding all the MAX planes.
Also relevant: https://news.ycombinator.com/item?id=19398267
The 737 MAX is actually proof that even in the modern day, a basic grasp of philosophical principles is relevant.
Namely, being able to identify when a redesign of a plane becomes substantially different enough to no longer be the plane it was based on anymore.
The MAX blew past that line as soon as the system layout changed such that the pilot's mental models were no longer capable of accurately predicting the behavior of the plane.
It's a minor system. There is no firm evidence yet that it was responsible for this crash other than some ADS-B data which only really shows that the aircraft was having control difficulties.
Pilots are trained not to get near the stall. Unless something has gone seriously wrong an Airliner will never go near that region of flight in normal service. Most airliners have stall behaviour which is likely to enter a spin or otherwise difficult to recover from, that is why most are fitted with stick pushers which prevent a stall ever occurring.
There are lots of other systems which can control trim on an airliner (the Mach trim system, the auto autopilot etc). Each of these have failure modes that can lead to a runaway trim situation.
The MCAS system is trivial. It may have a flaw which led to both of these accidents but it isn't the world is falling and Boeing tried to patch it with different software.
 They are flying airliners for a living, not small planes.
The AoA sensor, previously largely irrelevant in civilian aviation as posted by an earlier poster, became a deadly concern seeing as a malfunctionimg sensor pumping inaccurate data to a downstream control unit with seemingly no way to validate or reject incoming bad data would respond just as happily to a reading 20 degrees off of where it should be. That this happened in a manner completely foreign to someone thoroughly experienced with a 737 just exacerbates the risk. Especially when said response is no longer overriden in the traditional response in old airframes. This is a usability regression, and should have been explicitly documented.
You seem very convinced that MCAS is some trivial system when it is very clear physically and legally speaking that that +/- 2.5 degree stabilizer movement at the right time is what the air-worthiness certification is dependent on.
>on re-cert as 737, and failure to train
Just because the damn thing flies doesn't mean basic automation system architecture, design, and ethical principles stop applying. You do not make a decision for an operator/user and not communicate the importance to them ahead of time. Doing so fundamentally changes the nature of the device.
To put it another way:
>"If you change the working parts, you make a different machine."-The Protomen, Father of Death
Or if you prefer someone a bit more established here's Edward W. Demmings view on it:
>"Every system is perfectly designed to get the results it gets."
From which comes the corollary:
>"Given two systems, if one produces results irreproducible in the other, then the systems are not the same."
>On Software that has the potential to kill people
Has no one learned from the lessons of THERAC-25? How many more need to die before "hide interlocks in software and skimp on training" stops claiming lives?
I fight the attitude that leads to these types of poorly thought through decisions every day in far less life threatening systems. Seeing it happen in such a high stakes industry just makes it all the more painful to have to endure.
>on appeals to occupation/authority
You don't need a pilot's license to connect the dots. You just need time, the right skill set and exposure to engineering in multiple contexts, and enough exposure to human social dynamics to realize that the MCAS augmentation is exactly the type of innocuous looking change to have slipped through the cracks. When you're in the trenches developing highly complex systems, you are in a highly faith based environment in the sense that while you are working from empirical measurements and simulations you have to have faith that all the relevant questions have been asked and answered. Engineers frequently discount the impetus of Sales/Business pressure, then turn around and don't question the deadlines those commitments made elsewhere, and accept the consequences thereof (I.e. questions not asked/answered due to time constraints).
As I said before. I'm waiting for more data. Even if MCAS isn't involved, the above mentioned issues are gross failures of system implementation that need to be remedied or otherwise addressed.
I'm not arguing it's one and done, but even if it turns out leprechauns swarmed the plane en masse disassembling it in flight, enough information has come to light that anyone can see there has been some serious ball dropping going down; ball dropping so serious that uninitiated customers are speaking out in discomfort instead of simply "leaving it to the eggheads".
I am very vocal on issues like this. I have been told I have a knack for the highly technical subjects, the inquisitivenes to run down things I don't know, and a bullish propensity to follow the facts wherever they lead. I see it as my responsibility to ask and find answers to the questions others don't even know how to ask, and to present them as best I can so that others may understand and come to their own judgements. Hell, I even learn something every now and again.
If that is your definition of non-triviality then the ash tray in the toilet is also a non-trivial system since the certification is dependent upon it being there.
MCAS is only there to compensate for one part of the flight envelope where normal operations shouldn't be taking place.
Point being, without that system the aircraft would still fly. In fact Lion air wouldn't have happened without it.
Of course there could be a fault (beyond the nonsense of it not being triple redundant). Or it could be something unrelated to MCAS which is my own pet theory (partly based on the reports of pitch excursions with the autopilot engaged where MCAS is irrelevant).
A series of reasons
Actually, no, it's not funny.