Hacker News new | past | comments | ask | show | jobs | submit login
Boeing altered key switches in 737 MAX cockpit limiting ability to shut off MCAS (seattletimes.com)
395 points by erentz 36 days ago | hide | past | web | favorite | 325 comments

What is the endgame now for 737 MAX planes? Every airline using them has had several weeks to totally reorganize to deal with these huge missing parts of their fleets.

Boeing keeps talking about fixing them and putting them back in the air, but I dunno. At this point, it should be agreed the fundamental design flaws are serious, and Boeing should have simply made a brand new plane, with much more modern controls and predictable maneuvering. Yes, pilots would have to be certified for these new plans, but that cost pails to the money lost from these grounded fleets.

I'd honestly like to see the 737 MAX taken out of service and Boeing simply ending this line. The old planes should be stripped for parts and as much recycled as possible. It's going to cost them a lot of money, and it should. Their mistakes lead to the deaths of two whole planeloads of passengers. Airbus, Bombardier and others will probably make a lot out of this disaster, and that's probably a good thing and will help competition in this small/narrow market.

> What is the endgame now for 737 MAX planes?

The bugs will be addressed and they'll still fly. Airlines have no choice, there's a limited capacity in the world for airplane construction, several thousands of orders on the books for the 737 and 320 waiting to be filled. What can an airline do? They can cut back some orders but not all orders.

> I'd honestly like to see the 737 MAX taken out of service and Boeing simply ending this line.

I have an alternate history fantasy where instead of going with the MAX and then trying to kill the C-series as they did, they instead bought into the C-series. Swapping the cockpit for a Boeing cockpit design. Built the -500 stretch of the C-series, and then used the C-series to replace the 737 line in the <165 pax market. And moved ahead on the 797/NMA for which they'd have a shorter version covering the 200-270 pax market as a pure passenger mover as it's proposed.

I'm not an engineer but what about:

A) Adding two more angle-of-attack sensors so a pilot can be reasonably sure of auto-adjust will work. Retrofitting those would be expensive, of course. B) Put the two buttons back the way they were and add a "light" indicator an angle-of-attack sensor failure. C) More pilot simulator training so pilots know what to expect in the unusual situation that the system fails.

I suspect the answer would be: "Even now we're not willing to bite the bullet and pay all the expenses we were dodging before".

Searching, it seems Southwest already did something like this (after the first crash, in fact). The problem might be that if Boeing does this on their dime then Boeing would be essentially giving every one of their "bargain" customers the features of their "luxury" customers, which I would speculate might be a vastly expensive proposition especially if it sets precedent going forward.


You need three redundant sensors for safety-critical systems, so that if one fails you know which one is failing. Airbus has three AoA sensors (and three of others as well) on their planes for this reason.

And it's worth pointing out that 737s already have two of these sensors, but don't use them both for MCAS (?!?!).

The A350 has 4 AoA sensors: I suspect it is a lesson learned from an A320 that had 2 AoA sensors froze in the same position, outvoting the only AoA sensor that was still working. In other words: failures are not always independent.

Wouldn’t they eventually all freeze at roughly the same position when the AoA doesn’t change for a while? Can’t they be heated?

They definitely are now. If you want to see what they look like, the channel AvE on YouTube tears one down (Search for BOLTR AoA) and discusses the mechanics. You can see what they suspect to be small cables for heating go up into the element.

The A350 has two types of AoA sensor - vanes and multifunction probes - which should reduce the chance of everything failing together.

They are heated now, after the Air France loss. This incident was also the reason for the MCAS system in the first hand: "Don't trust the pilot, regulate it into safety by your own".

Are you referring to AF447? According to the BEA incident report, the AF447 plane was already equipped with heating systems for the pitot probes and AoA sensors.

" Probe heating The probes that are installed on the aircraft are heated electrically to remove water by vaporisation when the aeroplane is on the ground and to protect them from icing in flight."

Reference: https://www.bea.aero/docspa/2009/f-cp090601.en/pdf/f-cp09060...

Right, I mixed that up. With AF447 the initial problem was not the AOA but the very common pitot tube icing, which renders the airspeed indicator useless, thus leading to wrong stall warnings.

Even if the pitot tube is heated (mandatory), very often airframe icing leads to a blocked static port, rendering even more indicators useless.


I still don't see how a frozen AoA sensor cannot be detected by the reduction in noise or correlation with other sensors (such as gyroscope or accelerometer).

The trick is to detect conditions like this with virtually zero false positives. Say the sensor fails one in 100,000 times and your algorithm has a 1/100 change of flagging a false positive in the case where the sensor is in fact working properly. Then the chance of a real failure successfully detected is:

    0.00001 * 0.99 = 0.0000099
The chance of a false alarm is:

    0.99999 * 0.01 ~= 0.01

    P(failure|alarm) =  P(alarm|failure)*P(failure)

                     =   0.99 * 0.00001
                        0.0000099 + 0.01

                    ~= 0.001

So alerts from your seemingly ok-ish algorithm will be false alarms 99.9% of the time!

Maybe you could have a pair of vanes. Each vane is physically limited to a portion of possible angles. Vane A would only work above say -10 degrees AOA and vane B below +10 degrees AOA. This would give you a regular test of both sensors when the AoA changes in normal flight. You have more bounding of correct values.

Majority vote is a very simple system to reason about. What you’re describing adds a whole bunch more complexity.

For the noise sensor scenario, is the sensor failing or is the ancillary (and single point of failure) noise sensor failing? What happens when you have a false positive like that and a false negative on another sensor?

For the correlation scenario, when you have two systems that disagree, how do you determine which one is failing? Are their precisions and tolerances sufficiently close that you’ll get a warning at a useful point in time?

It probably could, but you'd have to code for that, rather than expecting the majority of 3 sensors to always be right.

It is not certain that the 737 AOA ectually needs to be safety critical. You could just ignore the AOA data completely and divert. The pilot should still have sufficient instruments and training to land safely.

The problem is without MCAS and the AoA sensors that power it the 737MAX8 handles differently enough that it would be categorized as a different aircraft and require recertification of pilots. This happened because the 737 frame is relatively low to the ground and to increase fuel efficiency the only real option is a larger engine so Boeing pushed the engines up and forward. This changes the relation between the Center of Thrust and the Center of Mass on the plane causing it to have a tendency to pitch further up towards a stall when climbing so Boeing added the MCAS to make the new plane behave like the old plane by automatically performing the pitch down maneuver for the pilot.

This system is critical to the Max 8 remaining classified to 'fly the same' as the 50+ year old 737 air frame design so it's critical to pilots being certified to fly the plane at all. Ergo it is a critical system and needs more redundancy or the Max 8 needs to just have a new type certificate and pilots certified to fly it as well.

Boeing REALLY REALLY doesn't want to do this because it would require airlines to retrain their pilots to use it in their fleets making them less attractive to airlines. The whole fiasco is a confluence of 1) Cost of retraining pilots on a new air frame 2) need from airlines for a more efficient plane 3) the old 737 design not having any more room below the wing for a bigger engine (which is pretty much the main way we get more efficiency these days).

As long as safety is regarded as a luxury feature, these failures will continue to happen.

It’s very expensive, but not nearly as expensive as losing all their 737 Max orders.

The bugs will be addressed and they'll still fly. Airlines have no choice, there's a limited capacity in the world for airplane construction, several thousands of orders on the books for the 737 and 320 waiting to be filled

While true I don't think that airlines and regulators will go for it, if there's even the slightest risk of an additional accident. No matter what.

And Boeing's "communcation strategy" after the incidents doesn't really help to instill confidence in the plane.

Conversely I don’t see how they can’t be returned to the sky. Boeing has deep pockets and the US government will push behind the scenes to make sure it happens, regardless of whatever public statements they make. There is no way regulators will be able to keep this plane grounded simply on the ground of politics.

You're saying we literally can't stop our representatives/"regulators" from getting us killed anymore. Lovely.

Both accidents could have been avoided if the pilots knew about the changes in handling and in MCAS and how to handle it. So this is not the kind of flaw that would make a plane uncertifiable or unflyable. Combine that with Boeing’s strong lobbying efforts and importance to the US economy, it is a certainty the planes will fly.

The simple solution would be to just remove MCAS and take the certification as a new plane. Boeing might have to eat the retraining costs but it's got to be better than eating the cost of the planes should they be deemed unfit for purpose and Boeing sued by every airline to recoup the costs of the now useless planes.

There's also the possible hardware fix to add an additional AoA sensor and change the software to limit the total deflection allowed + add a way to disable the MCAS only while keeping the electronic trim. The plane itself isn't irredeemable by a long shot though.

> The bugs will be addressed and they'll still fly.

The engines are mounted incorrectly, so much so that Boeing believed pilots need the assistance of MCAS on take-off now.

The bug isn't with its algorithms, rather the need for MCAS to begin with. They can't "address" it. That's why I'll be very careful not to ever book a flight on a 737 Max, probably easier to simply stick to Airbus-only airlines: Jetblue, Alaska/Virgin, etc.

> The engines are mounted incorrectly, so much so that Boeing believed pilots need the assistance of MCAS on take-off now.

This overstates the issue. The engine mounting changes the flight characteristics enough that the MAX 8 needs to be flown differently in certain corners of the flight envelope. The MCAS was added to avoid having to re-train pilots or trigger a new type certification.

The engine mounting certainly does not make the plane unsafe.

> The engine mounting certainly does not make the plane unsafe.

I don't think this is a very...'precise' statement. what is "safe" in the context of aviation? If you had no MCAS, then this plane has a very bad propensity to stall. I hope we can both agree that's an unsafe airplane. You can't just say "don't do that [pull up too much] and then you're fine". The aircraft "wants" to pitch up too high and stall, which predicated the MCAS system itself. So to me, yeah the engine mounting (in and of itself) makes this plane quite unsafe.

Now, with a properly functioning MCAS it may be "safe", but when the MCAS is itself another point of failure, my opinion is that the aircraft is only safe on paper, while in practice it's just got too many hacks and kludges for it to be practically safe for the millions of safe flight hours that these things are expect to deliver.

No, it did not “have a bad propensity to stall”. That’s a very imprecise statement in the first place but if you take it to mean, it would try to stall during normal flight conditions, it’s definitely false.

Airbus aircraft are “safe” despite the fact that dual conflicting pilot input is averaged without stick feedback (see the Airfrance flight from Brazil). If electronics being used to fly the aircraft upsets you, you’re going to be in for a real shocker on any airbus.

So much ignorance and misinformation about this issue even on HN.

The parent comment and entire thread is 100% correct. There is nothing inherently unstable or unsafe about the MAX 8. It has a pitch-up characteristic that's mild compared to some other commercial jets like the 757.

The only reason MCAS was put on that plane was to allow the MAX 8 to share a type rating with the rest of the 737 family, to make it so that it handles like any other 737 despite the pitch-up characteristic.

Go ask any commercial pilot, go watch any of the commercial pilots on youtube who have commented on this, go look on stackexchange. The notion that the MAX 8 is inherently unstable, or unsound, or dangerous, is a laughable myth to anyone in the industry. I get that the news cycle is financially rewarded for fearmongering, but I really expected people who frequent HN to know better and do some cursory research into the topic rather than posting comments that perpetuate bullshit.

There are several major issues with what boeing has done, such as the alleged failure to reclassify MCAS as a critical system after flight testing. But instead of discussing these legitimate issues, public debate seems to have been directed towards a bullshit myth about the airframe being inherently unstable. This has been eye-opening and dispelled my notion that HN had above-average quality of discussion on technical topics.

That's not quite correct. When the aerodynamics of a plane was not designed to push forward the mounting of the engines, you have more reinforcement. That alone causes an uneven distribution for lift not accounted in the design itself. THIS is what causes the plane to nose up. But that doesn't mean stress is not put on the frame itself and mechanical parts that will be, on a daily basis, "abused" to the point of metal fatigue. You see, when it comes to aerodynamics, it's easy to test it on a simulator. And it seems boeing's 737 max passed with flying colors. Then, it had to fly. That's the moment when test pilots came to a conclusion that the design will not work. Boeing's solution was a software "fix" and it needed to relay on 1 sensor to pass certification.

So, what do you have? NO TRAINING on this airplane, a bugged software system, poor aerodynamics, poor design choice, stress on elevator, etc. The ethiopian airlines plane had such force that pilots were not able to manually turn the trim control wheel. Do you know how much force that plane had to have that the jack screw couldn't be operated manually? THAT is a severe design flaw. THAT is what is being investigated. Who is investigating Boeing? Boeing is investigating Boeing. Boeing on 5/7/19 admits it knew they had a severe problem but it can still be fixed. Who certified the fix? Boeing. But now the FAA is investigating that fix which was promised by April. Again, this is a severe design flaw with still many unknowns yet to be found.

you're concerned about "comments that perpetuate bullshit". To me, the real bullshit is that a computer drove 2 aircraft into the earth. If we're so mistaken about what happened here, maybe the boeing engineers are similarly mistaken about how flight control systems work. I think they're the ones who have "ignorance and misinformation", like how many AoA sensors are required. Or whether a vigorous elevator UP position from the stick should be ignored and in fact counteracted by an opposite stabilizer position. Tell me what perpetuates the arrogance in the software departments at boeing that the computer knows better than the human. Unlike the pilots, the computer has nothing to lose. Yet the computer won the final decision. But calling this out is just the "news cycle financially rewarding" ... something ?

It has a pitch-up characteristic that's mild compared to some other commercial jets like the 757.

Do you have any personal experience with or references for this claim?

Nobody who isn't an engineer wants is terribly interested in the argument that a model of plane that has killed 2 planes full of people recently is in anyone's opinion safe.

Personally I won't fly on one in my lifetime.

I'll leave the analysis of why to others to figure out why I fly on other airplanes.

Incidentally I have seen pilots argue that the max is inherently unsafe on this forum which is probably why people are reiterating it.

What is your area of expertise and what is your opinion?

You're missing the point of the post you're responding to. The poster is saying that the 737 MAX isn't inherently unsafe due to its aerodynamic configuration. The safety issue arose from the bungled MCAS system. This could be fixed without changing the airframe.

Actual engineers do care about the "why" since that's what matters. Otherwise don't bother flying on any aircraft since all models have crashed at some point.

Your second sentence is too glib. By just about any statistic you want to look at, the MAX-8 has an abysmal safety record. Probably worse than any other aircraft in revenue flight.

It's perfectly rational to look at the results, regardless of "why", and decide that the risk is just too great.

The 737-MAX with the larger engines turned the statically stable airframe into one that must use computers (eg MCAS) to make it dynamically stable which is a technique used on modern fighter jets but to my knowledge has never been applied to a passenger aircraft.

In this plane which is not "fly-by-wire" the pilots are part of the safety loop and are given a certain short amount of time to respond to an emergency.

Troubling to me is the footnote in the manual which there are times where the manual wheels for the trim require 80 lbs or 100 lbs or more of force. This amount of force would potentially preclude female pilots on these planes to handle these sorts of emergencies.

>The 737-MAX with the larger engines turned the statically stable airframe into one that must use computers (eg MCAS) to make it dynamically stable which is a technique used on modern fighter jets but to my knowledge has never been applied to a passenger aircraft.

This is completely false. The 737 MAX does not have relaxed static stability in the manner of a fighter jet. It just has different handling characteristics than earlier 737s at high angles of attack -- a region of the flight envelope that the pilot should never take the plane into in the first place.

Fighter jets of the kind you're referring to require continuous and precise adjustments of the flight control surfaces merely to avoid departing from controlled flight. This is absolutely not the case for the 737 MAX.

No, it did not “have a bad propensity to stall”.

Okay, how's: you can use thrust to pitch up a 737 beyond the authority of the elevator.

Airbus aircraft are “safe” despite the fact that dual conflicting pilot input is averaged without stick feedback (see the Airfrance flight from Brazil).

There is an aural warning (DUAL INPUT) on Airbuses with conflicting input.

> That’s a very imprecise statement in the first place but if you take it to mean, it would try to stall during normal flight conditions, it’s definitely false.

The precise wording would be that it is dynamically unstable, and the ball is with Boeing now to prove it's not the case. Also after all we discovered on the last weeks, Boeing better make a good case, or they won't convince anyone.

The US aviation industry is about to change. I don't know into what, but it's not in a stable situation.

The aircraft flies fine. MCAS is a stability control system that applies in certain cases (full power, high angle of attack) where the nose pitches up. It may lead to a stall but that's not what it's correcting for and it doesn't just happen during level flight. If the MCAS system was disabled then pilots handle it manually. Trim is not an exotic concept and just takes training and understanding of the operating characteristics.

Airliners are very safe. They're not in dynamic stability like jet fighters and don't need active measures at all times to stay airborne. Having sensors and systems that coordinate to keep the aircraft flying optimally to remove pilot load and increase safety margins is a good thing and has been in use for decades.

The problem here was a badly implemented system without redundancies and without enough training so that pilots were actually aware of the flight profile and MCAS. Also aircraft do not have millions of flight hours, they wouldn't reach a million even if they flew 24 hours a day for 100 years.

To me MCAS looks like an ugly software hack implemented to save money on redesigning a plane and re-training pilots. It brings several problems:

- it is difficult for pilots to understand how MCAS works, and how to diagnose failures. They are not programmers or engineers. And MCAS doesn't provide any debugging information about its work anyway. And pilots don't have time to analyze it.

- it adds new points of failure

- sometimes there are situations when automatic systems shut down and pilots have to control everything manually. With MCAS, they would have more things to look after. Pilots who got used to flying with autopilot are usually not comfortable with manual flight, and systems like MCAS only make things more complicated for them. An example is a recent crash of SSJ100 in Moscow where experienced pilots failed to land a plane manually after autopilot has turned off.

So I think that plane designers should be very careful with adding more automatic controls. Especially if their purpose is only to save money at cost of making place less safer.

Yes, that's what I said. The artificial behavior would be fine if the pilots actually knew it was artificial and how it was being done. That lack of understanding and training is the critical error, made worse by a poorly designed system that failed too easily.

> The artificial behavior would be fine if the pilots actually knew it was artificial and how it was being done.

If I remember correctly, the behavior you promote as "fine" is forbidden by the regulators, and not accidentally.

If it’s prohibited then how was it certified?

> If it’s prohibited then how was it certified?

Without the active MCAS the plane would have not been certified because the behavior of controls is then not inside of the prescribed limits.

I was talking about the the artificial behavior, so if it was certified then it was deemed allowable to have a stability control system maintain the necessary behavior.

If the plane must have natural behavior, then MCAS would not allow it to be certified because it's artificial control.

Then I misunderstood your point, sorry.

The aircraft flies fine in most flight profiles, yes.

At high angle of attack, the MAX-8 is more unstable than pilots were trained to expect. And the MCAS has done an absolutely miserable job of fixing this. Worst case scenario bad: it caused the loss of two airplanes that, if the MCAS had never been added to the MAX-8, would have reached their destinations just fine.

Until the it flies predictably in every flight profile (including high AOA), it's demonstrably wrong to say "the aircraft flies fine." Maybe it will eventually "fly fine" but Boeing's got quite a bit of work to do first.

Alternatively just train the pilots on the behavior in the domain where MCAS would activate. MCAS main purpose is to lower the training requirements.

Not quite if I am to believe other HN comments. The thing MCAS compensates for is that, in certain cases, as you pitch up more, the pressure on the stick decreases. This feels to pilots like leveling out, which is dangerous. MCAS was designed to counter this.

The specific design of MCAS and not adding any new procedures, was to lower the training requirements. Specifically, anyone certified on the old 737 was still certified on the max.

If they had improved the interface of MCAS and changed the procedure for runaway trim, it would have required more training. However, without MCAS or another remedy for the 'decreasing stick pressure at increasing pitch' problem, the plane would not have been allowed to fly at all.

To clarify, since this seems to be a slight misreading of one of my comments.

The original one is https://news.ycombinator.com/item?id=19568158

and was written at night, so there's some loopy phrasing in there I never corrected. Let me unpack some of it to fit the context here.

The pressure applied on the stick itself does not change. Rather, the function of how much deflection you get out of the plane per unit force applied to the stick changes.

Design regulations state an airframe for which this curve at any point goes negative cannot be certified as a civil transport airplane.

That means, there should be no point in the flight envelope where the sensitivity of the controls drastically changes. It should be a predictable increase in force required to get more deflection, all the way to stall.

With the MAX without MCAS, this rule is broken at high AoA when the engine nacelles start making lift.

MCAS is meant to compensate for this necessary breakage by inducing some mistrim.

The effect of mistrim in that case is to cause the controls to require more force to induce those last few degrees of deflection, using the AoA sensor as the primary indicator as to whether the system should activate, in order to bring the curve into compliance.

The problem, as hinted by the response to my post in that thread, is that an honest to god stick-pusher would be more akin to the system you'd want for that. Adding the AoA sensor as a single point of failure is insane, due to the consequences should that sensor start spewing garbage data in normal flight.

Most of those are realizations I came to after stumbling across a Royal Aeronautics Society interview of D.P. Davies, a British test pilot for the ARB, the aircraft certification authority for the U.K., which I believe I linked in the comment.

At the time I wrote it I was in the midst of a deep dive into the more arcane aspects of control systems. I have some literature tucked away somewhere that I was referencing, bit I'd need to dig rather deep in my browsing history to recover all the context.

An interesting historical note: MCAS is similar to a system McDonnell Douglas implemented in MD-11's (LSAS, Longitudinal Stability Augmentation System) for the same reasons as Boeing eventually implemented MCAS: to be able to claim that the new aircraft flew just like the old MD-10.

Makes one wonder if someone brushed the dust off something that really shouldn't have been emulated again after the merger.

> This feels to pilots like leveling out, which is dangerous. MCAS was designed to counter this.

Pilots are trained extensively not to trust what motion feels like, and to use the horizon and instruments. An adjustment in stick pressure is not a notable new threat, they just need to be trained for the plane's behavior.

> An adjustment in stick pressure is not a notable new threat, they just need to be trained for the plane's behavior.

It seems that what you claim is "not a new threat" is actually forbidden by the regulations, because it was recognized to be a threat.

That’s the whole point: the MCAS was supposed to be cheaper/easier for the airlines than new training.

You wouldn’t be retrained to ignore cues from your senses and trust your instruments. That training happens when you’re young and getting your IFR ticket.

I'm just pointing out that "they just need to be trained for the plane's behavior" isn't on the table for the MAX-8. The contracts said it would have the same type rating, and therefore the MCAS, for better or for worse.

I'm not quite sure how that is related to beginner flight lessons. (?)

There are already lot of things that pilots have to keep in mind and look after. Learning how MCAS changes the behaviour of the plane makes everything more complicated.

> Also aircraft do not have millions of flight hours, they wouldn't reach a million even if they flew 24 hours a day for 100 years.

Most commercial planrs fly 3000 hours a year. There are about 400 787-Max planes built - that's a million flight hours per year already (if they weren't grounded...)

The engine mounting certainly does not make the plane unsafe.

The engine position exacerbates a problem already plaguing the 737 since the Classic. I think you're understating the problem quite a bit here.

> The engine mounting certainly does not make the plane unsafe.

Unless there is something about the magnitude of MCAS necessity that Boeing did not tell us yet.

Boeing's original stance of "stupid pilots should have followed runaway trim procedures" does not seem very consistent with actively removing a two-stage disable feature that already existed (and which, in hindsight, might have saved those lives). How desperate exactly were they to never ever let the pilots catch a glimpse off the real flight characteristics?

Why is this commenter grey in my thread? They are absolutely correct, and anyone who disagrees really needs to say why.

Alaska is Boeing, Virgin is Airbus, Alaska/Virgin is primarily Boeing...

And Bombardier and Embraer.

MCAS isn't even active during take-off: as long as the flaps are extended, it does not activate.

Did they change to require MCAS on take-off? Last I heard, MCAS was disabled at an altitude before 400 feet

Alaska was, before they bought Virgin, famously a Boeing-only airline! (And a 737-only airline at that!)

Yet Horizon Air currently operates two types of aircraft, the Bombardier Dash 8 Q400 turboprop and the Embraer 175 regional jet. They’re a 100% subsidiary of Alaska Air Group and Alaska Air puts its code on them.

I was gonna say... How could a Seattle-based airline be all Airbus?

> Airlines have no choice

Anecdotal: I know of at least one family that booked a trip on a non-Boeing airline, at additional cost, to avoid risking being on a Max.

Imagine that after the Max is back in service, that there is a serious incident in the first few months - it doesn't have to be fatal, just a close call of some kind - how many more customers will avoid the Max at all costs?

Count one more please. Searched for flight, saw Boing 737, no thank you! Paid premium for Airbus. That’s for three passengers.

You know the 737 and the 737 MAX are two completely different planes right?

I'm not going to fly on any 737, just in case the MAX bit gets truncated. Everyone I've talked to has expressed the same fear. I don't care if it's irrational or not - it's my life, and I'm not risking it on one of these stupid, cost-cutting planes.

Boeing 737-MAX is longer than previous iterations of 737.

And that means...?

You cannot confuse them because of the sheer size and shape difference.

The physical characteristics are not presented to you when booking your flight.

By the time you've arrived at the airport and see the MAX at your gate, it's too late and you've already paid your fare.

You can DDG specifications of your plane by model number and nay, they have to be unique per revision.

I'm choosing

1. to make certain I don't board one of these machines by mistake. I will not risk my life over this egregious comedy.

2. to vote with my dollars and punish Boeing and businesses that do business with Boeing, especially if they refuse to remove these planes from their fleet.

What Boeing committed here is leagues beyond the recent emissions scandals. It's criminal and the perpetrators should be afraid of the coming justice. This should honestly be as close to a company-ending event as one could imagine. We shouldn't treat this lightly, slap on the wrist, business as usual. This must never happen again.

Yes I do. But as the comment above says, I am not risking it, even though it is borderline irrational.

How do you know the plane model before you board? It's not shown when buying the ticket, it's not written on the ticket either.

You can avoid airlines that have the 737 MAX in their fleet (domestically, the biggest are United, Southwest and American). Whenever I fly I fly Delta, and I’ll never fly on a MAX because Delta doesn’t have any.

Some airlines do! Qatar and Emirates, I think.

but they rotate them quite a lot, don’t they?

i booked a boeing 787 dreamliner but ended up in a crummy 777 from a decade ago.

Delta showed me when buying online. Let me select seats too.

You can find that at https://flightaware.com just from the flight number...

It should be there among the flight itinerary data, often hidden behind an accordion or tooltip.

> Airlines have no choice, there's a limited capacity in the world for airplane construction, several thousands of orders on the books for the 737 and 320 waiting to be filled. What can an airline do? They can cut back some orders but not all orders.

In a world that had actually severe consequences for corporate negligence, regulators would force Boeing to let airlines cancel/change all orders, and compensate them for the 737 Max models they already shipped to them, as they cannot be flown safely. Boeing's behavior does not indicate that they are interested in properly fixing this problem as opposed to getting it certified via corporatism / the FAA allowing them to perform a big part of their own checks.

They won't fly if customers won't fly on them. The first part of the rehab will be renaming and rebranding the product to reduce customer stigma.

> Airlines have no choice, there's a limited capacity in the world for airplane construction,

No choice? It's a choice between risking passengers' lives and money. Be real about what the choice is.

If we're being real about the choice, then you also have to include the reality that many airlines would go under if they suddenly had to retire their MAX 8 fleet and weren't immediately able to replace them with other aircraft. A great many more people would have their lives severely impacted by the closure of a major airline than by a plane crash.

I think the 737 MAX should be properly re-certified as a new airplane once the "fixes" are implemented. The whole idea that you can significantly alter an existing airplane by mounting larger engines more forward, add new automatic systems, and still pretend that it's the same airplane, is flawed.

Could not agree more. This is the real “fix” once the plane is rendered safe ... if the regulators or Boeing can ever be trusted about thus airframe again.

The 737 MAX cannot be certified as a new plane so that is not an option.

Why not?

Because it has grandfathered rules that new planes don’t have it depends on. For instance no new plane design us allowed to have 737 style emergency exits.

Oh, that's bad. In that case, I expect we will see it forced through the regulatory pipeline, because Boeing is "too big to fail". This is not good, neither for us passengers nor for aviation safety in general.

Just add more doors.

There's no fundamental design flaw, the aircraft is sound. The problem came from using software systems to artificially make the plane behave like older designs to avoid entirely new training and certifications.

Even that would've been acceptable and similar systems are already in use in other planes but it was the inadequate info, redundancy, warnings and controls to disable the system that created the problem.

It's easily fixable but still a tragedy of greed and oversight that led to the situation in the first place.

> There's no fundamental design flaw, the aircraft is sound.

From what I have read, the new aircraft design had a habit of raising it's nose when engine power was applied, which put the plane into a situation where it might stall.

The MCAS was added to automatically detect this behaviour and stop the nose lifting.

So basically, without the MCAS, under certain scenarios the plane had a tendency to want to stall.

That does suggest the aerodynamic design of the plane is less than ideal and this could even be considered a design fault.

Lots of airplanes do weird undesirable things at certain points in the flight envelope. Airplane design is all about tradeoffs. There is nothing fundamentally wrong with the aerodynamic design of the Max.

There are serious flaws with a safety system (MCAS) which was added to prevent the need for more training and a new type rating for pilots who are already rated to fly the 737. This needs to be fixed.

All planes with under mounted engines pitch up under power. Some more than others. The MAX just happens to do it more than a traditional 737.

I don't think the problem is pitching behaviour.

The problem is the fact the MCAS is required to fix the pitching problem.

Boeing tried to fix the design issue with a workaround solution only to then find they had created another, even bigger problem.

>There's no fundamental design flaw, the aircraft is sound.

You can claim this because now all the FAA approvals for this planes, all tests need to be redone by somebody that we can trust. Sure they but larger engines, did they improved the supports, the bolts ,FAA "checked" this updates but can you trust them? the idea that MCAS is the only subsystem that must be fixed and checked is flawed, everything needs to be tested.

The fault here is complex and involves the architecture of the system, the sensors, and how the behavior mimicked the older designed which reduced the training required which meant pilots were not as aware of both the changed flight characteristics and the MCAS itself.

Sure the FAA definitely needs to be questioned as to how they let this through without enough redundancy and pilot awareness but the engines are not the problem and certainly not the supports and bolts. Those are things that are well-tested before it even gets to the FAA and having extreme paranoia about the industry doesn't help.

Why should I trust you or FAA that the engine, the engine mounts and all the new updates related to this larger engines were tested when we know from previous articles that hings were rushed and stuff like the fire suppression system was not OK and the engineer was changed because was objecting.

I imagine that putting a larger engine is not as easy, isn't a larger engine heavier? the forces larger? Don't you need to test the engine supports, the wings, all the related mechanical support structure.

Your theory that only MCAS is an issue is already false since it was found that without autopilot 2 humans don't have the physical force to control the plane , so probably a new requirement in the FAA should be added that with autopilot off 1 single pilot should be able to control the plane. You may say this is related to MCAS but6 it is obvious that this item was not in any checklist for things to test so even with a working MCAS but other emergency where autopilot would be turned off you would get in the same situation.

Part of the problem is that Boeing changed the trim increment AFTER the FAA certification without FAA knowledge. I'm surprised a configuration change like that was allowed and wonder what level they were analyzed by safety engineers.

So there's not just the design workaround but there seems to also be process gaps that contributed to the situation.

MCAS has absolutely nothing to do with maintaining commonality. An aircraft with decreasing stick force on approach to stall in its normal mode of operation would've never been certificated.

As I understand it, previous 737s did maintain stick force on approach to stall. The MAX, due to different engines, has decreasing stick forces when the lightly loaded, and/or with an aft center of gravity.

My simple solution? Disable MCAS, keep the stick trim switches as on previous 737s, and require MAXs to only fly with a forward CG. 2000 kg of forward ballast might work. Even better, reduce aft weight by increasing economy seat pitch (20 rows rather than 30 or so), thereby reducing aft CG :-)

Wouldn't both of those solutions undermine the advantage of the airframe, which is the fuel cost savings of the larger engines?

That said, I think seating pitch and spacing is definitely a conversation that needs to be had. I'm an average-sized guy, and I have a hard time with today's airline seats. I would hate to see what it's like for someone taller. There definitely needs to be more stringent regulation of airline seating to mitigate ever-vanishing personal space.

I don't follow. Flight stability systems are not new, even Airbus has them and even had similar issues before with their planes.

There's a difference between software stability controls and specifically emulating behavior.

I don't know which one you imagine MCAS to be but see [1]; specifically:

   MCAS is a longitudinal stability enhancement. It is not for stall prevention (although indirectly it helps) or to make the MAX handle like the NG (although it does); it was introduced to counteract the non-linear lift generated by the LEAP-1B engine nacelles at high AoA and give a steady increase in stick force as the stall is approached as required by regulation. ... This new location [of the engines] and larger size of nacelle cause the vortex flow off the nacelle body to produce lift at high AoA. As the nacelle is ahead of the [centre of gravity], this lift causes a slight pitch-up effect (ie a reducing stick force) which could lead the pilot to inadvertently pull the yoke further aft than intended bringing the aircraft closer towards the stall. This abnormal nose-up pitching is not allowable under 14CFR §25.203(a) "Stall characteristics". Several aerodynamic solutions were introduced such as revising the leading edge stall strip and modifying the leading edge vortilons but they were insufficient to pass regulation. MCAS was therefore introduced to give an automatic nose down stabilizer input during elevated AoA when flaps are up.
> Airbus

Airbuses operate in C* law (they are not positively stable) [2] and the stick is just that, a spring-loaded.... stick; it meets regulations by default.

[1] http://www.b737.org.uk/mcas.htm

[2] https://www.skybrary.aero/index.php/Fly-By-Wire

I think we're talking past each other. MCAS is stability control which a lot of planes have and is allowable to pass certifications.

However MCAS also makes the MAX behave like the older design which specifically led to the gap in training and controls over the system. If they just had stability control but without the emulation of behavior then there would be new training and certification, which is something they wanted to avoid but would've prevented these accidents.

There is no other modern airliner with a software bodge for static stability. No, Airbuses are not comparable (Airbus FBW control laws are _not_ for stability control) and they are (to the best of my knowledge) positively stable throughout the flight envelope in direct law.

Emulation is incidental. Redesigning the 737 with FBW is not something that Boeing would've considered, even for a moment.

It was certified though so it seems we agree that the stability control system was not robust enough and the training for it was not sufficient enough?

Is the cause for that just oversight then? And further exacerbated by similar behavior leading to even less training requirements?

it's not an anti stall system it's to satisfy an aerodynamic requirement that the force needed to force the nose up increase progressively with angle of attack.

At least that was my understanding.

I don't think there is anything fundamentally wrong with that. But when you have active systems for that rather than passive ones you're in a different design domain. Boeing was trying to pretend they weren't.

This is pretty far from my area of expertise but I if it was behaving as the older designs did then why did it crash?

As far as I can tell there are definitely some flaws, which seemed to have crept in as a result of the attempt to make them behave like older designs, but it seems optimistic to assume you can simply remove the flaws by sacrificing on that point.

It crashed because the system that was making it behave that way failed. The MCAS did not get correct data, did not react well, was not easily deduced to be the problem, and was not easily disabled.

Training and technical improvements can resolve these problems and it's ready to fly. If that's still deemed too risky then Boeing can remove the behavior modifications with training and certification as a completely new design. It was this cost that they were trying to avoid through emulation but clearly not done in a safe enough manner.

The engines we placed in a far from ideal position because of low ground clearance making the plane not fly close to neutral that is a fundamental design flaw

Normal flight is flight is fine. The issue with the new engines was that the nacelles generated lift in specific scenarios at high-angle-of-attack which changed the pitch.

This doesn't mean the aircraft is fundamentally unsound, it's just a flying characteristic and can be managed just fine if the pilots knew about it and what the MCAS system was doing to counter it.

A aeroplane that NEEDS an added control system just to make it APPEAR to fly neutral is a design flaw.

Again it's only in specific scenarios, not level flight. And if control systems are not allowable then how was it certified at all?

Citation needed

Now imagine if Boeing had created a brand new design instead of the 737 MAX and it had some mysterious fatal flaw as well? Second System Syndrome is something every engineer should understand. There's just no good reason to suspect a brand new design would've been bug free or easier to debug than the 737 MAX.

The 787s or A320neos could start dropping out of the sky at any minute. Maybe their carbon fiber panels start disintegrating midair after some number of pressurization cycles. The 787s almost did drop out of the sky due to battery problems. Because of the complexity involved, the only hard proof of an aircraft's safety is many years of successful flying.

Other planes have had fatal flaws that took a lot more work to discover. The silver lining of the 737 MAX's MCAS problem seems to be that it is at least quite straightforward to fix, as far as aircraft bugs go.

IMHO Boeing should payout millions for each death they caused, fix the mistakes that caused them, reorient their culture towards safety first, and return the 737 MAX to service. If they work very hard and learn from this mistake there's no reason to think they can't regain the public's trust within a few years.

> There's just no good reason to suspect a brand new design would've been bug free or easier to debug than the 737 MAX.

A brand new design actually supporting the engines used would not have aerodynamic issues that place the airframe outside the limits set forth by regulations.

I think the point if the OP isn't that a new design would have the same flaw, but rather that it would possibly introduce many other flaws. I think the analogy to a full software rewrite vs fixing a bug in a battle tested software is relevant.

The larger point is that the 737 is a highly antiquated design by this point. The cockpit has screens that emulate old analog displays to maintain common type rating, even though much better ways of displaying that data now exist. The plane's controls are highly manual, which are a negative now that fly-by-wire and autopilots are mature and very good. Hell, the entire plane sits so low to the ground because it was designed to support a non-jetway use case (which is now non-existent), and as a result 737s are more susceptible to foreign object damage from debris sucked up off the runway.

The 737 is riddled through with legacy design features and needs to be put to pasture once and for all. And designing a replacement wouldn't be from scratch; there are plenty of other modern airliners to base a new one off of.

>so low to the ground because it was designed to support a non-jetway use case (which is now non-existent)

Complete bullshit. I’ve boarded/deplaned without a jetway in Beijing, SLC, JAC, and AMS in the last couple of years alone.

I meant to say "no ground support whatsoever". I've deplaned 737s and 320s on the tarmac recently too (at big airports), and they used mobile stairs. It's the stairs integrated into the aircraft itself that the 737 was designed around, and that's what's antiquated. Hell, just flying the stairs around with you is very fuel inefficient.

I think it's a little bit of everything (stairs, tech, loading/unloading) but the main reason prrrobably was being able to throw bags into the cargo hold without the need for GSE - the airstair could've easily been made taller.

It's not a "non-jetway" case, it's a non jetway and no airport stairs case and/or manual loading of cargo

An embedded staircase is an option on the 737

What regulations are you referring to?

Yes, it's true that it would be have been free from this specific MCAS issue. But what other issues would a new design have had? It's impossible to know.

It's also true that if Boeing had done a better job of implementing the MCAS design it would have been viewed as a triumph of software solving hardware problems.

Air France 447 crashed in large part because the pilot flying was incapable of handling the aircraft at cruise speeds without software assisting him. He thought the plane would stop him from doing something stupid but it didn't because the software failed in a somewhat similar way to the MCAS failures (sensor failure).

Airbus hasn't done anything to make their planes easier to fly at cruises speeds without software because software assisting pilots with complex flight characteristics is a fundamentally sound idea. The important thing is that the software actually works. Clearly the first version MCAS did not work reliably but there is no reason to believe that it couldn't work reliably.

Airbus uses software to enhance safety. MCAS is trying to fix a very specific and a potentially dangerous issue while keeping it from the pilots. So, I'm not sure if there's a good analogy there.

In both cases the software was designed to prevent the pilot from stalling the aircraft i.e. to enhance safety.

And yet hundreds of people died in Air France 447 because the pilot stalled the aircraft when sensor failure disabled the Airbus software without the pilot realizing it.

In the case of MCAS, people died because the Boeing software didn't disable itself due to sensor failure.

Definitely not the same issue but both examples of software-sensor-related fatal crashes.

Also note, Airbus has had issues where pilots are so used to the machine not letting them do something stupid, that direct law has caught them by surprise.

Automation creates complacency, which can be lethal when things go wrong.

They should also announce a new aircraft design, a full replacement that is from blank canvas. There might not be that many sales in the sector if the humans are going to take climate change seriously but we all know that isn't going to happen and that Boeing need a fresh design.

The fresh design could tackle problems such as noise in a new way in order to get new customers.

Well, for one thing, a new design would have to be recertified.

These planes cost at least $100 million each. They will fix them and get them flying again.

Yeah, but who is going to want to fly in one again? Even working in aviation in the past and knowing that they've probably nailed the issue, I'd still be less than keen.

Have you ever flown in a 737? I'll bet you have. Are you aware that at one point in the deployment of the 737 they had a "runaway rudder" issue [1] that caused two crashes and one near crash, and hundreds died from it? The 737 has flow millions upon millions of flights, safely, since then.

The problem will be addressed, and life will continue. It is tragic, and there will be major repercussions within the manufacturer and regulator but the design will be fine.

[1] https://en.wikipedia.org/wiki/Boeing_737_rudder_issues

Most people don’t even think about the plane they’re flying in. It will not be that big of an issue to continue using them unless some group actively tries to warn passengers about flying in those specific planes.

It seems like this is becoming a concern now - per: https://www.cnbc.com/2019/05/07/barclays-downgrades-boeing-s...

The primary reason for the downgrade being:

Barclays’ survey of airline passengers says many people will avoid the 737 Max “for an extended period” once the aircraft is flying again.

Here’s my thought experiment on that: if I booked a flight to my vacation destination and, at the last moment, I discovered that I’d be flying in a 737 MAX, would I cancel my trip or pay a considerable amount of moment to get all our tickets changed?

I very likely would not. Would you? Would others?

It’s one thing to answer a question of a pollster, it’s another to take concrete action.

For a year after it is reinstated, my answer will be "yes, I'm changing my flight". Doubly so if my wife and child are on the plane.

Why? Because I'd be so unbelievably pissed at myself if the plane nosed itself into the ground, at least for the time it took to impact.

I also vote with my money.

Simple answer? I won't be flying airlines that use the 737 Max. Stick to the NG or pick up some 320's. Between work and personal travel for our family, that's over $50k of gross revenue per year (we both travel a lot for work). Maybe nobody else cares? I'm betting there are more people like me and my wife.

As others have stated, I will not be booking a ticket on a 737 max, period.

Granted I might not be a typical discount shopper, I pick flights based on comfort, not price and have checked the aircraft/airframe I will be in for years.

However, I have a tough time seeing anyone I know taking a risk with flying the 737 max for a 10% discount in fares.

Typically, fuel costs to the airline can be estimated at 10-20% of the ticket price on domestic flights (5 gallons per seat per hour). 737 Max is advertised as providing up to 20% in fuel cost saving, which would bring the cost to 4 gallons per seat per hour. Which should not affect a ticket price by more than $4-6 per hour of flight.

Are you suggesting that people aware of the issue will be wiling to risk their lives for a chance to save $8-20 to their destination?

And to add to that very few 737 Max are in service right now, only 300 or so of 5000 orders have been fulfilled. These supposed savings are not yet factored into the price of most tickets, they are future reductions at best. And likely these will not even be reductions, just a way for carriers to earn more per seat.

You are not guaranteed to fly on the model of airplane stated when you buy the ticket. This guarantee would be highly impractical because the airline would only have a limited ability to supply a replacement plane when the scheduled one is unavailable. So if push comes to shove, airlines will stop telling you what model of airplane they plan to use at all.

And we – those of us concerned and those who like voting with our feet – will stop using airlines with 737 max aircrafts in their fleet.

Considering how many airlines have max in their fleet it's not a viable tactic

You typically can see the type of plane on travel sites. If this wasn't the case I would buy from one that did.

In the case that I for some reason couldnt determine it ahead of time I would complain emphatically enough.

there's a lot of services to look up what aircraft is typically flying the route for the airline you're buying tickets for. Or even simpler route: look up the fleet page before booking.

Yeah, they say that, but when they get their non-refundable ticket and see it is in an 737 MAX. How many do you think will sue their airline claiming a refund?

The airframe is listed at purchase. I won't be suing. I just won't be buying.

Wherein an extended period of time is effectively forever.

Many people just sort tickets by cheapest and choose that as their flight.

Boeing could simply rebrand the plane. Take ‘MAX’ out of the name, call it a 737-8. I think most people have absolutely no idea what model of plane they’re flying on anyway.

That is a despicable, and dishonest thing to do, and there are people who are more than happy to act as repeaters to make sure people know Boeing's NewPlane (TM) is just a rebrand of the MAX, with a healthy dose of "this is how stupid Boeing thought you were."

Such a move would be ill-advised.

Minor quibble - but no airline actually pays that much. A rough rule of thumb is around 50% of "list" price. In the real world, they're around USD$50-60m each.

Your point still stands, of course.

Any other answer here is insane. They’re too expensive to write off.

This would be nice, but both airlines and Boeing are too big to fail so it won’t happen.

Airlines need their airplanes, and if boeing would recompense them for the lost planes they’d be instantly out of business.

Conversely, the carriers cannot just write off a significant part of their fleet and buy new ones, which wouldn’t show up for years anyway.

> Boeing keeps talking about fixing them and putting them back in the air, but I dunno.

More than that - they're continuing to manufacture them. There's quite a few of them stacked up at KPAE, just sitting there waiting for their software updates, all painted in customer livery. (They're not even manufactured at PAE; they're ferried there for storage.)

> but that cost pails to the money lost from these grounded fleets

They did not think - it'd ever happen. The shortcuts were taken for bringing 737 max quick to market.

Might be usable as freighters like the DC-10s?

Airbus, Bombardier and others will probably make a lot out of this disaster

I don't think so. Traditionally manufacturers and airlines never argue about a security incident of the competition. I only know of one issue were this unwritten rule was not respected.[1]

[1] https://en.wikipedia.org/wiki/Trump_Shuttle

It's rather weird to ask a huge number of mostly-good airplanes to be thrown away for PR reasons, rather than fixing them.

(Not to mention that these planes have never crashed in most countries, even with an admittedly serious bug.)

>(Not to mention that these planes have never crashed in most countries, even with an admittedly serious bug.)

In... Most countries? That's such a weird standard to hold an aircraft to. Even very serious aircraft issues before typically only resulted in crashes in a handful of countries!

Did I read that wrong or do you want 100+ of the 200ish countries in the world to have experienced a 737 MAX crash before scrapping the MAX?

Just putting the safety record into context.

Actually, I think if the planes can be fixed (and I'd be shocked if they couldn't), the two crashes before the fix will no longer be relevant for assessing safety.

You're putting the safety record into chauvinist context, to be exact. An AoA failure is sufficiently rare for it to have only occured in a couple of occasions in - shockingly - only a couple of countries.

Okay, I probably should have calculated the number of successful flights to avoid this. But, nowhere did I say any country is better than any other. That's your inference.

I can help with that -- the MAX is suffering hull losses per flight completed at a rate about 100x that of comparable planes like the A320. Totally off the charts.

It’s such a weird statistic to use though. One crash takes a really long time to recover from in that score. So even if the 737 Max was magically fixed tomorrow, the score wouldn’t change.

> One crash takes a really long time to recover from in that score.

As it should be. That's how important safety is. Boeing brought this on themselves by letting a second airplane crash before responding properly.

It's not remotely a strange choice when it represents the current most reasonable prediction of risk.

If it were fixed tomorrow at that point we could discuss how it effects risk in the future.

Hundreds of people died. It should leave a long-term impact on Boeing's safety record. It should take them a long time to recover and regain trust.

What was your original motivation to bring up the country aspect?

This isn't a valid way to put it into context. It doesn't matter which countries the planes crashed in; the causes were the same and lives lost are lives lost. And air travel is so globalized these days that one crash anywhere can kill citizens of dozens of countries.

Yes, it doesn't matter which two countries it was, but it's fine to point out that many airlines in many countries didn't see these problems. The planes flew in many places every day with no trouble.

You are calling me out over nothing. This is uncharitable, to say the least. Why make trouble?

There were "only" two instances (which killed >300 people) before the plane was yanked from the air entirely. That means that, roughly speaking, it was only going to happen in two countries at all, or one really unlucky country. So there's no use in pointing out that it didn't happen in many more countries, because that would have required dozens more accidents with tens of thousands of deaths, which was simply never in the cards because the planes would've been yanked long before then. So there's no use in pointing out that it didn't happen in many countries, because that never would've happened.

You're explaining my own reasoning and then telling me how I'm wrong.

Talking about countries is just another way of saying that the plane was flying in many places all over the world and the risk of accident, despite these horrible accidents, was never very high. As you say, would never happen.

The risk of accident was very high relative to other airliners, by more than an entire order of magnitude. I'm still not sure what point you're trying to make here.

it’s not just pr reasons. they tried to hot patch this airplane design with software, and now they are hot patching that fix. it seems it is a fundamentally flawed design that they tried to hide and get away with rather than doing the right thing. i know i don’t want to fly on a 737 max ever, and this whole ordeal with boeing and the faa has made me less confident in the airline industry as a whole.

your parenthetical still shows some finger pointing towards “poor” countries’ pilots and ignores the number of crashes and reports for as young as this plane is and the numbers in use.

The fix taking a while to get right is not evidence for "fundamentally flawed".

You have a strange idea about how to assess risk. It's like faults are somehow contagious.

> It’s like faults are somehow contagious.

They are. If 737 MAX was rushed to market and this is the first issue we become aware of, how many more are hidden?

If Boeing makes a habit of rushing planes to market without certification, how many more ticking time-bombs are flying around?

The notion that you can fix an aerodynamic stability problem in software by making a software program mimic the flight characteristics of an older plane is fundamentally flawed. And the notion that we can just patch the system later if it turns out you did it wrong is dangerous. You're betting with human lives that this time you've got it right.

Why is it fundamentally flawed?

There’s no question that Boeing’s implementation had major issues, but there is IMO a higher burden of argument(?) to declare that a fundamental inevitability.

This could simply be a case of Boeing incompetent/reckless/...

Pilots are highly trained. They go through many hours of simulated flights. After an incident like this, any pilots still flying a MAX will be drilled on this specific failure. If you start to see pilots refuse to fly it, that’s when you should worry.

Aviation adapts to problems and it always has. Southwest installed additional gear on their planes to help prevent this when the first plane crashed. It’s not far fetched that companies in countries with lesser regulations might skip out on training or plane enhancements that would lessen the chances of this problem.

> After an incident like this ...

Clearly, that didn't happen, or a second MAX wouldn't have crashed under very similar circumstances.

> Southwest installed additional gear on their planes to help prevent this when the first plane crashed.

Southwest ordered the MAX with an AoA indicator; it wasn't retrofitted.

> ... to help prevent this ...

It's questionable whether the AoA indicator would've made a difference. However, an AoA disagree alert that is standard in the previous 737 gen was "accidentally" made part of the AoA indicator extra feature set on the MAX, and the AoA disagree just _might_ have made a difference. [1]

> It’s not far fetched that companies in countries with lesser regulations might skip out on training or plane enhancements that would lessen the chances of this problem.

An AoA indicator is not mandatory anywhere in the world.

[1] https://www.aviationtoday.com/2019/05/06/boeing-angle-of-att...

I doubt that. Pilots get used to flying on an autopilot and often make mistakes when they have to control everything manually. Recent example is a crash of SSJ100 in Moscow where the pilots failed to land the plane manually when the computer turned off.

If you make controls more complicated, pilots will make more mistakes in critical situation.

>It's rather weird to ask a huge number of mostly-good airplanes to be thrown away for PR reasons

Welcome to the internet where other people's money doesn't matter.

I don’t know about you, but in my real-life other people’s money doesn’t matter either.

I don’t see another way Boeing can begin to regain public trust.

A brand new design would probably introduce more serious flaws than an interation of a mature design, so I am not sure it would be safer.

In term of public perception, it is a PR disaster but not unprecedented. The DC-10 went through a similar rocky start where passengers just wouldn't want to board it. But after the flaws were fixed it turned out to be quite reliable.

> A brand new design would probably introduce more serious flaws than an interation of a mature design

As evidenced by the ever-crashing 787s and A350s.

The 787 was rushed through as well with the same modern Boeing safety culture and we were merely lucky that none of the flaws discovered in the 787 were bad enough to cause fatal accidents before they were rectified. Read up on its battery issues if you want an idea of what could have gone wrong.

I rather had the exploding engines of the A380 in mind, the flaming batteries of the B787, but we can also talk earlier B737 (rudder, rivets on early models), DC-10 (cargo door), C-5 (door lock), A340 (freezing pitot tubes) etc.

The 737 rudder hardover wasn't discovered until the mid-to-late 90s, a long, loooong time after the 737 entered into service. That does not quite speak to the benefit of a mature product (how mature is 'mature'?). Case in point: the 737 trim wheel and pitch trim assembly. The deficiencies of their design were put on full display in 2018, because of MCAS. Why do you think it is that (other) modern airliners do not have a stabilizer runaway non-normal checklist? There's a whole host of issues that are inherent to the 737 precisely because of how... mature it is. I think there's probably a crossover point, when a design ceases to be mature and becomes obsolete.

(Engines on newer models can be - and usually are - iterations of older designs. The A380's RR engines are built on the same platform as the Tristar's, introduced in 1972!)

It has been fascinating to watch layer after layer peel back around all of this.

Bad design decisions forced from chasing the bottom dollar, optional, critical safety features with the warning indicator and now these switches.

> Boeing declined to detail the specific functionality of the two switches

That's also interesting- I assume they are in CYA mode and wouldn't discuss anything that could be sensitive to the current investigations in any point. I wonder how hard the Seattle Times had to work to get manuals for the MAX.

I hope the loss of life is vindicated in the end.

I hope there are lessons learned from this but I fear our culture of quarterly profits and lack of real punishment for companies and their directors will result in nothing drastic happening.

One of the lessons learned is that the FAA is no longer a credible institution.

Gotta love deregulation. How many institutions are left? Any? CFPB, EPA, HUD, Interior are all run by people that don’t believe in their missions. It’s all about undermining from inside. Who protects the public when private rights of collective action are forbidden by arbitration agreements and the government has been captured by private interests?

The Nuclear Regulatory Commission is doing just fine in their function.

True, but I also doubt we'll see new nuclear facilities in the US any time soon.

Some of these applications have been withdrawn, but there are in fact some in flight.


> In flight

Hopefully, their planes don't need MCAS ;)

I don't know - a lot of those nuclear plant applications seem to stall ;)

[Citation needed]

EPA has been a joke for at least two, I want to say three, administrations now. Now they're just a joke that doesn't impede business quite so much.

Explain. What about it has made it a joke?

Its head, Andrew Wheeler, is a former coal lawyer. That tells you all you need to know.

Bit separately, I know people in DC who work in this field and they say the same thing.

> Gotta love deregulation.

I dunno, I see it as the opposite: regulation (apparently) made it impossible to just train pilots on this one new feature, instead requiring a full recertification of both the airframe and the pilots, which is incredibly expensive and unnecessary relative to what was actually required to save lives.

So one way of looking at is is: regulation caused perverse incentives that ultimately got people killed.

That’s such a roundabout way of thinking that I’m not sure whether you believe it yourself.

You’re basically saying that because shitty people don’t want to follow safety regulations we shouldn’t have them.

You should always consider incentives when thinking about regulations. Especially roundabout, second and third order consequences. Those are the ones that get you.

Having safety in mind doesn't make something unambiguously good, fit for purpose, or free of net-negative consequences. The specific content of rule determines that.

A different way to look at this is: does this particular perverse incentive justify reduced regulation so that it can’t happen anymore.

Even if your assessment is valid, you’d likely be throwing away the baby with the bath water if you’d cut regulation to avoid it.

I would think it would justify additional regulations to allow for something like "upgrades" to existing certifications instead of the binary (full recertification|pretend plane is identical) standard we appear to have today that resulted in the 737 Max tragedy.

Is that less regulation? More regulation? I don't know, and I doubt it matters if it's "less" or "more" since the goal is fewer dead people, not passing an ideological Turing test.

> Is that less regulation? More regulation?

You are suggesting stronger regulation of some aircraft ('upgrades', as you rightly say), without weakening regulation for any other aircraft. So it's certainly 'more regulation'.

> I doubt it matters if it's "less" or "more" since the goal is fewer dead people, not passing an ideological Turing test.

It's a political question, so there's at least some question of ideology. Full-bore libertarians would doubtless find some way to oppose your suggestion.

You said regulation caused perverse incentives that ultimately got people killed. It would be more fair to say that a loophole in the regulations, caused the perverse incentive.

Gotta love deregulation.

Remind me, when's the last time we had a major fatality incident in the US domestic passenger airline business?

And how does that compare with the prevailing state of affairs before "deregulation?"

Difficulty: answer with numbers, please, rather than insults, downvotes, or political attacks.

Colgan Air 2407 was in 2009. Comair 5191 was 2006. Both, like most airplane crashes, were substantially pilot error. (Both of these were primarily pilot error.)

Weather forecasting has gotten much better in the years since deregulation. We’ve also been operating a mostly-jet fleet, which has larger inherent performance margins than the turboprops (and, worse, pistons) before them. And we have decades of experience about how pilots kill airplanes to inform operations and regulations.

It’s not clear that airfare deregulation either hurt nor helped airline safety in the US. US-flag air carrier ops are extraordinarily safe and I believe the FAA makes a positive contribution to that outcome.

> Remind me, when's the last time we had a major fatality incident in the US domestic passenger airline business?

Doesn't really matter much. Incidents in aviation that can happen on continent X could usually have happened on any continent.

A good counterexample: in the Lion Air case, at least one planeload of passengers came within a hair's-breadth of disaster prior to the fatal crash. The pilots figured out what to do in time, in part because a third pilot was available to RTFM while the other two flew the airplane. However, that crew not only didn't take any action to remove the aircraft from service, they apparently didn't even bother to leave a Post-It note on the dashboard.

The regulations we have in place here in the US -- to say nothing of our airlines' own policies -- would have kept that aircraft grounded until the problem was diagnosed and addressed.

He didn't RTFM actually. They performed Crew Resource Management, and he was able to focus his attention on controls the other two pilots didn't have time to manage. Hence noticing the trim wheels running amok.

Good point, I was just echoing some of the earliest news accounts there. Those stories came out before it became apparent that the flight manuals didn't actually have much useful information on the subject.

Agreed. Hopefully there is a big shake up and lots of people are sent home without pay. Nothing else could salvage it.

Boeing declined to detail the specific functionality of the two switches

It seems like that's really the crux of the problem. They made changes that they didn't feel it was necessary to tell their customers about. Just another step along the "I know you bought this product from us, but it's still our product at the end of the day" timeline that we're stuck on.

Further, I'll bet that it transpires that no one entity inside Boeing is really to blame for this mess. The engineers in charge of the AOA indicator subsystem didn't know that someone else in the company was going to drive a safety-critical component from it. And that engineering group may not have realized that the AOA data they were getting came from only one of the two sensors. My guess is that Boeing not only hid this information from their customers, they hid it from themselves.

The problem will have to be addressed at the top, but I don't agree with those who say that blaming, firing, or jailing the CEO is going to be helpful. The culture that allowed this to happen will have grown organically over time.

When a culture becomes this defective, the top people need to end their careers in disgrace. This provides the necessary context, clearance and incentives for others to pick up the pieces and make substantial reforms.

Actually what it provides is the necessary context for fear-based decisionmaking, misallocation of resources, metastatic bureaucracy, R&D stagnation, and ultimately departure of talent.

There is a reason why the aviation industry focuses on fixing the problem rather than the blame. A witch hunt makes everybody feel better in the short term but provides no guarantee of actual forward progress.

The problem here is corporate greed and willfully blind governance. It’s not a technical issue.

I think their safety system analysis made the connection MCAS is potentially hazardous as previously reported by the Seattle Times

So a lot is known at this point:

1. The A320neo caught Boeing completely off-guard;

2. The threat of the likes of American Airlines (already a mixed Airbus/Boeing customer and the largest airline in the world) placing a large A320neo order for regional aircraft operations scared the bejesus out of Boeing management;

3. For airlines like Southwest that are pure 737, the prospect of adding a plane that didn't share a common type rating with their existing fleet would complicate their lives and make them vulnerable to a sales pitch from Airbus; and

4. The development cycle for a completely new body was too long for many customers as it would arrive several years after the A320neo.

I don't think any of this is in dispute so the constraints for Boeing were to design a more fuel-efficient plane that shared a common type rating with the 737. To get there:

- They added newer, more fuel efficient engines. These changed the flight characteristics so they had to be moved;

- These engines moving made the plane more vulnerable to a stall situation. To counter this, they added MCAS, which would point the nose down when the AoA sensor told it the nose was too high;

- Standard configuration had 2 AoA sensors but MCAS only ever read from one;

- There was a safer configuration as an optional extra purchase;

- Telling airlines and pilots about this and providing overrides risked the common type rating.

I don't believe any of this is in dispute. It is widely believed, but not yet proven, that the primary cause of both fatal crashes was a runaway MCAS that drove the planes into the ground. It's also believed that with proper training a pilot may have been able to counter this (as happened the day before the Lion Air crash with a pilot in the jump seat).

Now what I find interesting is the response people have to all this. Some claim this is a fundamental design flaw that puts a shadow over the plane. Others believe it will be corrected and everything will be fine.

I'm firmly in the first camp: the plane CLEARLY flies differently to a 737. An automatic system, with no triple redundancy, was required to correct the flight characteristics of the plane.

I'm no expert but it seems to me the plane is fundamentally flawed at this point.

    >  the plane CLEARLY flies differently to a 737[...]
There's no such thing as "a 737". A 737-600 is 31 meters long[1], and a 737-900ER is 42 meters. Both share the same type rating with the MAX[2], and have the same 36 meter wingspan.

That's going from a length:span ratio of 0.86:1 to 1.17:1, you think those sort of airframe changes don't make for a plane that flies differently?

Maybe the whole notion of a "common type rating" is foolish, and pilots should need to re-train from scratch for the smallest of changes. Change the paint job? New type!

There's a lot of "the engines moved!" discussion around the 737 MAX which seems to be ignorant of decades of significant airframe changes not impacting type, to little apparent ill effect until now.

1. https://en.wikipedia.org/wiki/Boeing_737_Next_Generation#Spe...

2. https://en.wikipedia.org/wiki/Boeing_737_MAX#Specifications

I think it's all about how far off the mean you are.

Consider cars: You can get most full-size sedans with either four or six cyliner engines, manual or automatic transmission, and regular or sporty suspensions. That's potentially eight different sets of handling characteristics. But they're all going to be in a fairly narrow cluster of "this still drives pretty much like a Camry." When you decide "instead of the six-cyliner engine, let's drop in a 700 horsepower turbocharged V8", it's no longer anywhere near that cluster.

The question is whether a Camry with that V8 engine is as different from the less powerful of a Camry variant as it is from a Ford F-150. That's what the type rating is about.

The 737-100 had 62 kN of thrust, the 737 600-900 up to 120 kN[1], that whole line (and beyond) shares the same type rating.

1. https://en.wikipedia.org/wiki/Boeing_737#Specifications

> These engines moving made the plane more vulnerable to a stall situation.

I don't think this is correct. A lot is being made about the engine move with regard to aerodynamic behavior, but it doesn't seem at all outside of the bounds of what is considered standard. Pilots report that a similar 'light stick feel' at high AoA is already present in aircraft like the 757.

It's not that the aerodynamic change was worse or better, it's simply that it was a change at all. MCAS was there to satisfy the type rating. MCAS is not anti-stall.

The crucial mistake appears to be the extreme failure mode of the system; it is permitted to input high stabilizer trim angles without limit. Without any kind of restriction, the failure goes from annoying (pull up on flight stick + fiddle with stab control until you solve it) to the deadly crashes we've seen where pilots are in extremely tricky situations.

The fix could be as simple as making MCAS cutout in the case of an AoA disagree (no real hardware changes here) as well as limiting the input of extreme trim angles.

> It's not that the aerodynamic change was worse or better, it's simply that it was a change at all.

It seems you are correct [1]:

> MCAS is a longitudinal stability enhancement. It is not for stall prevention (although indirectly it helps) or to make the MAX handle like the NG (although it does); it was introduced to counteract the non-linear lift generated by the LEAP-1B engine nacelles at high AoA and give a steady increase in stick force as the stall is approached as required by regulation.

[1] http://www.b737.org.uk/mcas.htm

> MCAS was there to satisfy the type rating. MCAS is not anti-stall.

MCAS's only observable intervention is to push the nose down to prevent stall, which means it is by definition anti-stall.

Boeing says MCAS is an acronym for "Maneuvering Characteristics Augmentation System", but a better name for MCAS is "Machine Controlled Anti Stall".


While the effect of pushing the nose down is an all-too observable effect, that its purpose is stall prevention is not directly observable.

According to this article[1], the intended purpose was to restore the back-force needed to put the airplane in a stall, as the effect of the new engines was to make the control feel lighter at high AofA. The article also discusses the certification requirements with regard to acceptable handling characteristics.

FWIW, Boeing CEO Dennis Muilenburg is quoted in [2] as saying that "When you take a look at the original design of the MCAS system. I think in some cases, in the media, it has been reported or described as an anti-stall system, which it is not. It's a system that's designed to provide handling qualities for the pilot that meet pilot preferences.

"We want the airplane to behave in the air similar to the previous generation of 737s. That's the preferred pilot feel for the airplane, and MCAS is designed to provide those kinds of handling qualities at a high angle of attack."

Of course, the elephant in the room not being mentioned here is whether Boeing's primary motive for replicating the handling characteristics of earlier versions of 737s was an overriding concern with avoiding pilot training.

[1] https://leehamnews.com/2019/02/15/bjorns-corner-pitch-stabil...

[2] https://www.businessinsider.com/boeings-ceo-on-why-737-max-p...

One of the requirements for an airplane to receive a certification is that the pilot needs to put more and more pressure on the stick to achieve higher and higher angle of attack. If at some point the airplane starts to pitch to higher AoA without extra pressure from the pilot, that's a big no. Reason: otherwise it would be all too easy to inadvertently enter a stall condition.

Boeing 737 MAX without MCAS violates that requirement (caused by the lift generated by large engine nacelles in front of the wings). MCAS is indeed designed to restore that required back-force. Back-force that is required to prevent stalls.

I suppose one could debate whether the stall prevention effect of MCAS is direct or indirect. But I don't think it's debatable that it is designed to comply with a certification requirement that's intended to help prevent stalls.

You have a point, though, from what I have read, I do not think the airplane would become unstable prior to the stall, merely less statically stable than its predecessors.

Boeing may be denying that MCAS has a stall prevention purpose only because to say so might put it in the critical systems category, requiring additional training. If so, this would apply as much to the fix as it does to the original version. To acknowledge that it has a stall prevention function might require an additional AofA sensor as well as additional training.

The MCAS may not have been designed as an anti-stall system, but that doesn't necessarily mean it functioned according to design. The possibility for multiple activations integrates the control response, converting feedforward control into a closed loop (it will continue to act on the trim until the AoA decreases). Somewhere a decision has been made about a control system without requisite knowledge or understanding of the consequences, and this made it through design validation, testing and certification. That is highly disturbing, as there is no certainty that MCAS is stable in any circumstances where the pilot is making manual trim adjustment.

> It's not that the aerodynamic change was worse or better...

Having the control get 'lighter' (more sensitive to increased back-force) as one approaches the stall is definitely an undesirable characteristic, as it increases the risk of a distracted pilot stalling. While a change in the opposite direction might have been problematic (insofar as additional training is a problem), the way it actually goes is more likely to prompt the FAA to require something be done about it.

> There was a safer configuration as an optional extra purchase;

Forgive me if I'm missing something but these extra options are AoA cockpit indication and AoA discrepancy alert when two sensors disagree.

They don't alter software, MCAS would continue relying on just one sensor regardless of this indication. It's just an extra bit of information for pilot's decision making.

Sounds to me like another hack over the hack hardly adding much extra safety.

How hard would it be to add two more sensors to every plane? I'd imagine insanely expensive but this is clearly the ideal solution in addition to whatever patches they can do via software and existing hardware/controls in the whole plane.

These planes cost nearly $100M each; how can adding another AoA sensor the size of your hand be that much in the grand scheme of things? https://i.kinja-img.com/gawker-media/image/upload/t_original...

Note that the 737 already has two such sensors, but only consults one at a time for MCAS, so there'd be a software change required in addition to adding a new sensor.

I'd just imagine coordinating with every airport and airport mechanic team to go through this process, have some integration work with the MCAS which has to be done very carefully and thoroughly. Everything is more expensive when you have a super high level of risk management and are working with large bureaucratic organizations like airlines and the FAA.

But yes it's certainly not impossible sounding. It's like a minor recall where the planes get fixed on site.

Hundreds of people are already dead because of this. It's the very minimum they can do to prevent more deaths. Whatever the cost is of adding another sensor will be less than the cost of another crash.

Surely they can predict the expected/likely value of an AoA sensor with all of the other telemetry available to an aircraft computer. Surely in combination with software fixes to ensure that both sensors are factored in, they could augment with that computed value to pick a sensor in the case of disagree.

If the needed telemetry is already exposed to MCAS, it could all be fixed in software.

MCAS will fly the aircraft into the ground, and has already killed >300 people. These sensors are safety-critical and should not be cheaped out on. A software-only fix is not good enough when the standard in the industry is to have triply redundant systems for safety-critical systems. This is one of those things we learned at the cost of a lot of blood.

This doesn't solve the problem completely. What if two of the sensors fault the same way? What if the computer turns off, will the pilot be able to do what MCAS does, manually?

Maybe it would be better just to use old time-tested design instead of saving small money at the cost of safety.

One thing that appears concerning in the series of articles being written about the 737 Max incidents is that they suggest a culture at Boeing of speed/cost over safety.

Now we can assume that the Max won't re-enter service until this issue is completely solved (I'm sure regulators will be extra-scrupulous here and customers will want cast iron re-assurance).

However, is anyone going over all the other safety decisions and changes made to other Boeing models over the period of the Max development?

It seems unlikely that this was an isolated incident of rushing things for commercial benefit...

I'm actually wondering if the 737 MAX will make it back into service. Every single one of these planes will need to be flow back to one of their maintenance centers (like the one south of Seattle) and undergo retrofits.

Hopefully it will result in Bowing being required to make this a new plane and a lot of pilot re-certification. If it does return to the market, I wonder if they'll be forced to rebrand it. It's obviously not a 737.

Bugs tend to appear in Poisson law of probability: 2 big bugs immediately, 2 others a few weeks later, but that means there are hundreds of them to discover over a period of 5 years (until the D-check).

So, in all probability, we don’t even know the list of fatal flaws even yet!

It's a 737 with lower engines.

The flaw is using software to fix a hardware issue.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact