Hacker News new | past | comments | ask | show | jobs | submit login
Boeing 737 Max Grounding Could Stretch into 2020 (wsj.com)
125 points by JumpCrisscross 42 days ago | hide | past | web | favorite | 135 comments

I think it's possible that the Max will never fly again. Its entire design was based on the assumption that it is possible to "undo" the effects of moving the engines with a "minor" software tweak and end up with an airframe that flies the same as a regular 737. That may not actually be possible. Boeing may have been aiming for a point in the design space that does not actually exist. But the business model for the 737 depends on its existence. So when the new software comes out, there will be two possibilities:

1. They got it right this time

2. They didn't get it right (because it's not possible to get it right), but they are going to insist that they did because admitting that they were chasing a chimera all along would be the end of the company

The problem is that it will be very hard for anyone without very deep knowledge to determine which of these is the case. I don't see any way to tell a convincing story [1] about how the Max can be flown safely that does not involve re-training pilots to fly the plane "raw", i.e. where a human pilot is capable of flying the plane when the automation has failed, without any software covering up its native handling characteristics. That will require a new type certificate and re-training. That can make the plane safe to fly, but it will utterly destroy its economic model, so that is an unacceptable solution.

Boeing has already destroyed all of the credibility it once had. It insisted that the Max was safe to fly when it manifestly wasn't. They will again insist that the Max is safe to fly whether or not it actually is because their survival as a company depends on it. The problem is not that the plane may be unsafe. The problem is that, under the circumstances, there will be no way to know whether or not it is until the next one crashes.

I’m not sure where the idea comes from that a new type certificate or even simulator training would destroy the program. If the MAX is found to be too different from the current 737 type rating and requires a trip to the sim for pilots then airlines are going to do it. Boeing will likely end up footing a good chunk of the bill but there is no way the 350+ airframes that are already built are simply going to be scrapped.

To put it in perspective, in North America, American Airlines and United Airlines have each ordered at least 100 of the airframes. These airlines each operate several different fleet types of similar sizes that each require putting pilots through extensive training to move them back and forth. The economics of operating the MAX would be changed but I would imagine it’s still going to come out as cost effective when considering how much more efficient the aircraft is vs the older aircraft they’ll be replacing.

I certainly appreciate the skepticism of getting the product back out there without extensive training. I think even after its all said and done the pilots and pilots’ unions will heavily advocate for additional training to ensure these things are being operated safely.

> I’m not sure where the idea comes from that a new type certificate or even simulator training would destroy the program.

A new type rating cannot use grandfather rights. There is plenty of stuff in this plane that is not permitted any more (like the door design over the wings). Those would be massive changes to the plane.

Source on door over wings? The brand new design A220 (Bombardier C-Series) has an over wing exit. I just couldn’t find anything in a couple of quick searches banning it.

That’s just one example though and you’re likely right. The thing is though most of these systems have modern adaptations that could be applied. They just haven’t been because of the desire to keep it a 737. They’re things that can be changed/fixed whereas the aerodynamics of the design cannot be be changed easily.

The 737 overwing exits have a non plug style door which are not permitted any more. It uses a few sensor inputs to engage a lock so you can’t open it during flight.

Do you have a source for this? From what I can find, the up-and-coming A220 has the same design[0] for the overwing exit as the 737, which was added in the 737NG redesign. Earlier 737s had plug doors: https://www.youtube.com/watch?v=2gZ22iQBlmc

0: https://rr-spotter.de/im-airbus-a220-300-von-air-baltic-nach...

Actually I misremembered. It was not the plug style that causes issues but the size of the exit. The change from the throw out door to the hinge version in the NG is apparently a change they made to satisfy JAA: https://www.flightglobal.com/news/articles/boeing-details-em...

Oddly enough that news bulletin says it's still a plug door which it clearly is not in the final design.

Overall the root cause I believe is generally weight of doors and evacuation time. I had a few conversations about this around the time the second accident happened and grandfather rights were brought up by people from the industry I talked to as an expensive problem for a new type rating.

The issue is probably the other doors. The 737 doesn't have any sort of gas assist to help in opening the main doors in an emergency.


The A220 is in service today, on Delta. I flew one this afternoon.

Today I Learned... Thanks!

The 737 Max "still" uses paper manuals for technical support and has a variety of features no longer found in modern planes.

"It is the only modern Boeing jet without an electronic alert system that explains what is malfunctioning and how to resolve it. Instead pilots have to check a manual."


This scares me far more than the MCAS issue generally to be honest. The fact that all this modern technology is being thrown out for economics and we’re basically building 50 year old planes en masse. It makes me very sad.

Oh boy... Wait till you learn about the backbone of our military air forces.

Requiring simulator training and a new type cert may have meant that the 373 Max was less financially competitive with the Airbus A320.

But if Boeing can get out of this disaster with a few more AoA sensors on each airframe, some safety-critical software, some simulators, and some free training for the airlines to send their pilots to...they'd be fools not to do that. A fleet sitting on the ground for months is worth a lot more than some simulator time.

> Requiring simulator training and a new type cert may have meant that the 373 Max was less financially competitive with the Airbus A320.

Yeah, but at this point that’s just going to mean Boeing ends up selling these things for less of a profit. There’s years of backlog of 737 MAX orders, and years of backlog of A320 Neo orders.

Airlines with orders in for dozens of MAXes in 2021 aren’t going to be able to switch those orders to Neos without incurring years and years of delays on delivery.

Not only you need to get the new certificate, you must do proficiency check every year for every type rating to keep them current, have recurrent training and check rides.

It's worse than that, as I understand it a professional airline pilot can only remain type-certified in a single type rating at one time.

That means that if 737MAX requires a new type certification, then it requires in order to make business sense for airlines either (at a minimum) additional costly fragmentation of the airlines' employee pool, or more likely making plans to retire the fleet of planes that are classified under the prior "not as profitable body design" of type certification.

My source is hard to narrow down, I've been listening to the APG podcast show, where Captain Jeff (the not-as-good-looking Jeff) flies MD-80's for "Acme Airlines", I guess which is a major US legacy carrier who has been renamed to protect the innocent. It might have been something I heard here, or read online, and I am not a pilot, so willing to be called out by anyone who knows more than me, please feel free to chime right in here if you know different. I can't seem to find a source for this fact.

I think perhaps what I misunderstood might be, if there is no law or regulation that says you can't be type certified in multiple aircrafts at once, actually have to turn in your current type rating in order to get another one... (???)

... but that the practicality of maintaining multiple type ratings for a pilot makes it something basically so expensive or onerous as an Airline Transport Pilot, that it would be practically unheard of for someone to maintain two type rating certifications at once for any period of time. And it seems logical the same thus goes for airlines themselves. The Southwest brand of cheap flights was originally made possible by the fact that their entire fleet was made up of planes with just one type rating. The more type ratings that must be maintained, the less nimble and profitable the company will be.

It seems likely we're going to see more airlines going under as this story unfolds, either that or some kind of major bailouts. I don't even know if they make any insurance that covers this scope and scale of business catastrophe.

All of these things you point out about type ratings and maintaining currency etc etc miss the point.

The 737 MAX fleets will be big enough to justify the cost of maintaining a group of pilots that fly the MAX and a group that flies the 737NG. Just as they do now with multiple fleet types. If airlines were trying to just mix 30-40 of these in with the 737NG fleet the economics would break but when you’re talking a fleet of 100+ it starts working out. Of course it will end up making the economics worse than originally planned for but at this point what can you do? The A320NEO order book is filled for years so if you’re an airline CEO you’re stuck with the MAX.

As far as the airlines go none of them seem to be suffering significant financial damage yet. The pace of orders meant they were only going to have about 30-40 of these things by years end so they’re coping. It remains to be seen how it will affect them long term. DAL seems to have struck gold with the whole ordeal. As the only major US airline without the MAX they’ve increased capacity 2-3% more than planned and their recent Q2 shows it’s working out great.

> The A320NEO order book is filled for years so if you’re an airline CEO you’re stuck with the MAX.

I did not know this! Thanks for the added insight.

> It's worse than that, as I understand it a professional airline pilot can only remain type-certified in a single type rating at one time.

That's not my understanding: I think you can simultaneously be certified for multiple planes, however companies will only make you fly for one at a time, currently. My guess is that if the Max needs a new certification, it will create a whole new model given it is still really close to the NG (and basic 737, if they still fly), so it might be more convenient than risky (and costly) to allow pilots to be certified and fly on both, if really needed. Maybe this will not even be needed, because tons of companies use multiple types of aircraft already.

You can have as many type ratings as will fit on your certificate. Company policies limit pilots to one or two types at a time, depending on the company.

If it gets to this point, what is the probability that Airlines relax this policy?

> I think it's possible that the Max will never fly again.

Call me cynical, but I believe this is not possible. It may be upgraded, rebranded, recertified, and they may retrain everyone who may come anywhere near its cockpit, but they can't just drop the plane for three reasons:

1. They already sold too many. Those customers will want a refund, and will have a major loss of faith into Boeing. Unless there is a replacement plane to give but ...

2. They don't have any replacement. They don't have anything to put in that slot. And it's already a plane they had to rush because a) it's the main seller, and b) the competition (A320 Neo) is a very good plane in that slot.

3. Like said above, it's the major seller. It has how many thousands of orders and how many years of wait to get your planes already ? And nobody cancelled to move to airbus because they're just as backlogged. So neither Boeing, nor the airlines, nor the US government want it / can afford for it to disappear, they want it fixed, anyway possible.

Don't get me wrong, I believe in a perfect world it should be grouded forever and be remembered as a huge warning lesson, but this will never happen.

The real question is, why aren't Airbus and Boeing massively increasing their production capacity for those lines ? Feels like they've been been backlogged since forever, and it's only getting worse. I get that you can't create a new set of factory and their trained workers overnight, but we're talking decade here.

Alot of these problems seem to ultimately trace back to overconsolidation of these manufacturers. The possibility that passengers will be subjected to unsafe aircraft because Boeing is too big to fail is unacceptable. If they are unable to move fast enough to cope with the changing market, pethaps they should be split up.

Ultimately we may be moving toward a taxpayer bailout of Boeing. Instead of doing that why not take that money any fund grants to help rediversify the market?

They are only "too big to fail" because the safety standards for airline travel are so high especially considering their market size. Compare it to driving: the global airline market in 2019 is expected to be 856 billion USD [0] while the US new car sale market alone was 956 billion USD in 2019 [1] which does not include other markets, the energy to power cars, nor the labor costs for driving so the car industry is way bigger. This table [2] says airlines are 62 times safer per km traveled.

I don't see how you could have a competitive market like cars when the safety standards are an order of magnitude higher than driving and yet probably an order of magnitude smaller in size.

[0]: https://www.statista.com/statistics/278372/revenue-of-commer...

[1]: https://www.ibisworld.com/industry-trends/market-research-re...

[2]: https://en.wikipedia.org/wiki/Aviation_safety#Transport_comp...

Deaths per kilometer is not a good metric when comparing safety between methods of transportation. You'd rather look at deaths per journey, and suddenly car travel looks very safe.

It's also worth considering that car crashes are disproportionately caused by drunk and teenage drivers. If you are between 25 and 70, drive in the daytime and don't drink yourself you can beat the safety record of airlines! There's no need to argue for laxer airworthiness standards using bad statistics.

> Deaths per kilometer is not a good metric when comparing safety between methods of transportation. You'd rather look at deaths per journey, and suddenly car travel looks very safe.

Cars can travel extremely short ranges and extremely long ranges which skews their "journey" statistics as most people use them for short trips. Planes are only efficient at long ranges so "journey" statistics look bad but if everyone were to drive everywhere instead of fly, human fatalities would definitely go up.

Deaths per journey is absolutely dominated (edit: aka very low) by walking which is also completely uninteresting.

You can slice the numbers in many ways, but in truth you can only substitute similar distances between modes of transit. Aka you can’t substitute a 1km car trip for a 10,000 km aircraft trip. Making deaths per passenger distance the only meaningful metric.

> Deaths per journey is absolutely dominated by walking

I can't see how you came to this conclusion, I'd expect walking to be the safest by far on this per-journey accounting.

Re reading I see it’s ambiguous. I meant denominated in a positive light.

Ok, but then you ignore serious injury caused by cars, which is around 20x more often than deaths. And something you don't really get with airlines.

Cars are the deadliest thing we have in modern society.

> The real question is, why aren't Airbus and Boeing massively increasing their production capacity for those lines?

Because it's expensive, and times where their market isn't going so well will be coming, and the company that hasn't spent billions on production capacity it can't utilize is better off. More production capacity doesn't even mean they sell that many more planes overall.

And nobody cancelled to move to airbus because they're just as backlogged.

You must have missed this news: https://www.nbcnews.com/business/business-news/saudi-airline...

Oh they can make it so they can sell the existing ones, the big question is if they'll be certified as a 737 or something else.

> The real question is, why aren't Airbus and Boeing massively increasing their production capacity for those lines?

Both receive absolutely massive subsidies from their respective governments, to allow them to price-cut the competition. The governments are not willing to increase those, hence limiting the amount of under-market-value products they can deliver to their customers.

Do you realize that Airbus is not bound to a single government? There is France, Germany, Britain, Spain...

Ha, I thought the funding would be less obvious than in the US. Amateurs, everywhere! :)

Forces are forces and any upwards force from the engines can be counteracted by the control surfaces as long as they have enough authority. Boeing's entire problem is trying to do all this with only two flimsy sensors, and compounded by them inexplicably ignoring one of the sensors. The original design was stupid as hell but there's nothing wrong with the general idea of what they are trying to achieve as long as it is implemented competently.

The A320 has "flight envelope protection" which does something much like MCAS except it is much more comprehensive because it is integrated with the fly-by-wire system and can use all control surfaces.

FBW on the A320 has many benefits such as better passenger comfort because it can use the control surfaces to take the edge off turbulence. You can get away with smaller control surfaces which then lowers weight, improves range, etc.

Airbus went through a lot of work to validate the safety of the FBW/Flight Envelope Protection -- if sensors fail, it goes into one of several degraded modes. Pilots are trained to recognize these modes and fly them.

Boeing has applied this technology to their large jets, but it's just sad that the most common Boeing jet by far, the 737, is a technological backwater. Boeing is talking about making a "New Midsize Aircraft" which has a questionable market, but so far as I can tell, their business plan is to be building a starship for NASA in 2070 but still be selling 737s.

Is it fair to say Airbus is better at FBW because they have more experience with it?

And they have an history with FBW-caused accidents.

Especially AF296 killed 3 people when they try to demonstrate the anti-stall capacity of the FBW during an airshow. Airbus modified the way the fbw control reclamation worked after this. After the Rio-Paris accident (forgot the flight name, it was AF too), they changed the way the degradation worked wehn sensor fails (i think now 3 different mode exists, and information is more visible).

Those incident killed people, and there is a chance that the first one was actually caused only by the manufacturer (the second one was 99% the pilot though, the remaining 1% was: better information, better sims and better gradation so that even new, tired pilot can't make this kind of mistake).

There have been plenty of accidents involving the failure of old analog control systems too.

FBW adds cyber-related failure modes, but it is hard if not impossible to make the traditional hydraulics, strings, springs and pully-based systems resilient against failures since the number of things you have to duplicate explodes exponentially.

That AF 296 was caused by FBW is more of a conspiracy theory than anything else. Even if it were true that the pilots applied TOGA power a few seconds before the investigation concluded they did, they were still flying way too low with engines at idle. Poor planning, pilot error.

Boeing's FBW is about as good as Airbus's FBW.

One big difference is that the pilot and co-pilot's yokes on a Boeing plane are mechanically connected to each other so they share the feelings. Airbus uses "sidestick" controllers which aren't quite as nice but are perfectly adequate.

Boeing, however, uses FBW only on their large aircraft, but not on the 737, which is their most flown aircraft. All Airbus planes are FBW, because their competitor to the 737, the A320 is FBW.

GA pilot here; I have no experience flying anything as large as a 737, but the relevant part is ... I fly manual controls (stick and rudder) with electric trimmers. Forces are forces, the trimmers should help you keep the controls at a force level that the regular pilot can still move it in normal flight. A fly by wire is the best solution for large planes with big forces on the control surfaces, but that means a re-certification program that Boeing tried to avoid. The wheel in the cockpit that pilots manually turn, no longer belongs there. It is like power steering on a large truck: you need it and it should be there.

AOA sensors should be helpers, should notify or alert, but never make decisions.

> Forces are forces and any upwards force from the engines can be counteracted by the control surfaces

Only if you ignore moments. [0]

[0] https://en.wikipedia.org/wiki/Bending_moment

The US government can save it, if it's possible to save it.

The government hires an independent contractor organization (I guess The Aerospace Corporation and NASA people and former-FAA people from the time the FAA had technical people, etc.) to do a blue ribbon commission style full analysis of the plane, at a huge cost in time and budget, and publishes the whole thing, scathing as it is to Boeing. Some people might get fired, in both Boeing and the FAA, but that doesn't matter.

The independent contractor organization gets carte blanche to declare any issues as "preventing certification", and to suggest any fixes, and oversee Boeing implement the fixes and the tests (what the FAA should have done). When they sign off that the plane is safe, the FAA signs off (as a formality, because we don't trust the FAA) and airlines based in the US start using the plane where jurisdiction allows (maybe only in US, maybe in friendly countries). After a while of no crashes, other jurisdictions will allow it and other airlines will buy/unground it.

Boeing pays the government for the work of the independent contractor organization, in equity I guess. The government holds the stock until the stock price rises after the fixed plane succeeds in the market, and then sells.

Note I know nothing about anything, so the above is fan fiction.

> The government hires an independent contractor organization (I guess The Aerospace Corporation and NASA people and former-FAA people from the time the FAA had technical people, etc.) to do a blue ribbon commission style full analysis of the plane,

Great idea, but I think Feynman died awhile back.

I think they can save it, but they are not going to be able to keep the common type rating with the old 737 and Boeing should quit trying to do so.

They need to put pilots through simulator training of both kinds of MCAS failure: (1) MCAS goes nuts and needs to be turned off, and (2) MCAS is not there to save you when you need it.

So long as Boeing refuses to capitulate, the grounding is going to go on, and the longer the grounding goes on, the more problems are going to be discovered, the more orders get canceled, etc.

It's not that simple. The 737max is the way it is because a ton of stuff is not certifiable today anymore but is grandfathered in since the 60s.

> because it's not possible to get it right

Of course it is. All jet airliners already have active augmentation to make them fly as if they do not have stability problems that can lead to crashes.


Dutch roll isn't a stability problem in the same way the problem that MCAS corrects for is a problem.

All aircraft experience Dutch roll. It's an inevitability.

Control stick force inversion on approach to stall is absolutely not an inevitable consequence of large aircraft design. Yaw dampers are specifically required as a labor saving device on civil transport aircraft with swept wings; but all pilot's are aware of Dutch Roll.

None were made aware of the failing behavior that MCAS corrects.

> Dutch roll isn't a stability problem in the same way the problem that MCAS corrects for is a problem.

It's still a stability issue that has led to fatal crashes because some pilots were unable to correct for dutch roll. Successfully countering dutch roll is an ongoing process, and a pilot may know all about it in his head and still be unable to correctly counter it with properly coordinated stick & rudder movements.

Dutch roll is no joke and the yaw damper is required and is critical equipment.

On the other hand, dealing with runaway MCAS is literally just turning a switch off on the console.

Again, every pilot knows about Dutch Roll; it may have caused problems before, but everyone knows about it, and as far as I'm aware, no one ever hid it's existence from pilot's for the sake of certification and sales.

No one was told about MCAS or the force inversions it was meant to correct ahead of time, or shared enough technical detail to ensure pilots know what to be prepared for. Major difference there.

>On the other hand, dealing with runaway MCAS is literally just turning a switch off on the console.

Which instantly decertifies your aircraft to be carrying passengers.

Look, I get it. That's paperwork talk! The thing still flies!

But we have to hold ourselves accountable to the silly whims of paperwork talk, lest we fall victim to Normalization of Deviance, who is a cold-hearted, stone-faced bitch.

> Again, every pilot knows about Dutch Roll;

Knowing about it doesn't help. They crash anyway. That's why there's a yaw damper as required equipment.

> No one was told about MCAS

That's true, but they were told about the stab trim cutoff switches to halt runaway trim, and the MCAS failure exhibits itself as runaway trim. The flight before the Lion Air crash had an MCAS failure, too, and the pilots simply switched off the stab trim and they landed safely. They did't know about MCAS, either.

> Which instantly decertifies your aircraft to be carrying passengers.

That isn't how certification works.

Boeing has certainly made many mistakes with the MCAS system, but the problem was controllable by pilots who remembered what the cutoff switches were for. This was proven in the first MCAS failure incident I mentioned.

>Knowing about it doesn't help. They crash anyway. That's why there's a yaw damper as required equipment.

They don't do it not knowing about and having experienced Dutch Roll, however, with a check pilot. We train for the unexpected, use technology as best we can to mitigate, and just have to have faith that after a certain point we've told the pilot everything they need to know, and leave them to do their thing. Regardless of whether Dutch roll has killed someone or not they knew about Dutch roll going into it. They knew yaw dampers were a thing. They knew how and when yaw dampers were active and why. Not so with MCAS.

>The flight before the Lion Air crash had an MCAS failure, too, and the pilots simply switched off the stab trim and they landed safely. They did't know about MCAS, either.

Walter, c'mon man. We've been through this before.

The penultimate Lion Air flight had 3 pilots, one with the luxury of paying attention to anything the other two actually flying the plane weren't; None of them knew what was going on, and to be frank, Getting it right for the wrong reasons just sets the stage for more disaster later. You can also look at the documentation regarding stabilizer runaway, and it is specifically described as a continuous uncommanded trim actuation.

MCAS isn't continuous, it's discrete. On for 10 seconds, off for five. While the procedures may be the same, an unprimed pilot being caught unawares by an aircraft feature completely foreign to them, and unelucidated in the documentation is liable to lose precious time if the failure happens at an inopportune time of the flight.

Also, throw in the failure of autopilot to stay engaged, and inability to lock the computer out without losing the trim switches, it's a losing proposition all around.

>That isn't how certification works.

I'll butt heads with you there. A type certification certifies a particular configuration of hardware and software to be flown in certain airspace for a particular purpose. While operational leniency is to be expected so a failure of a component not on the Minimum Required Equipment checklist doesn't ground planes at every little problem, I patently reject the proposition that having a type certificate granted, then experiencing a configuration change during normal operation that compromises the ability for the airframe to meet the prescribed criteria for being certified as airworthy does not discertify that particular instance of the alleged type from immediate airworthyness.

It is the configuration that is certified. Anything that meets that configuration within reason may be used for the certified purpose. Departure from said configuration warrants immediate remediation as quickly and safely possible. Generally that judgement call is by custom left to the pilots as to whether to continue or reroute for repairs.

If you lose a system required to use the plane for it's intended purpose in flight, then you should damn well be prepared to put that plane on the ground to get it fixed. Period. This type of thing isn't a game, and the more the industry treats it like one, the less inclined people will be to trust and utilize it.

> it's a losing proposition all around.

Obviously it's not as the pilots in the first incident turned off the stab trim and landed without further incident or difficulty, despite being totally unaware of MCAS.

10 seconds of the stab trim moving is a long time, and it's hair-splitting to say that isn't a runaway when it is uncommanded and moving things in an obviously dangerous direction. Short circuits can also cause runaway trim, and are often intermittent.

They do not have to know what is going on to conclude it's runaway trim and shut it off. The pilots are supposed to be trained for runaway stab trim. It's the WHOLE POINT of having the cutoff switches within easy reach on the console.

Just like if the engine is on fire, the pilot does not need to know why the engine is on fire, he just has to know how to operate the engine fire extinguishers.

Furthermore, the MCAS system was known after the first crash. Boeing issued an airworthiness directive about it, with instructions to use the cutoff switches.

So what is the reason the Ethiopian pilots were not aware of the MCAS system (it was all over the news, and Boeing had issued an airworthiness directive on it which is supposed to be sent to the pilots)? I don't know. I've never heard an explanation for it.

Nobody is claiming it's a game. Nobody is claiming Boeing doesn't need to fix the MCAS system. Pilot training is clearly inadequate if two sets of pilots did not use the cutoff switches. Something is wrong with the airworthiness directive system if they did not reach the pilots.

If the 737 were properly certified (without all it's grandfathered stuff from the 60s which wouldn't be certifiable today anymore) then I'd agree - the max would never fly again.

But at the end of the day, the FAA will let it fly again because it not flying might break Boeing's back and Boeing is essential as a defense company.

1) I mostly agree with your analysis 2) I don't think that admitting they were "chasing a chimera" would mean the end of the company, but... 3) I do think it would be the end of the current management's tenure, and that functionally means they will behave as if it would be the end of the company

I don't think it'll never fly again.

At worse, they'll have to have a separate type-rating and require pilots to go through further training to fly it.

The whole idea behind the plane was to skip full training and be qualified with a short hour long tablet training session.

That cost saving measure has now passed, so rather than scrapping the Max all together, pilots will just need the further training.

Boeing are already getting ready to rebrand it the 737-8200, so no, it'll fly again, there's too much money at stake.

> I think it's possible that the Max will never fly again.

I maintain that it will fly again, there will be a third high fatality crash related to MCAS, and then it will never fly as a passenger plane again. The existing planes will be repurposed as cargo planes. You heard it here first.

And a massive federal bailout of Boeing because it is critical to national security is well beyond inevitable at this point.

Would any of you refuse to fly in a 737 max once it returns? I think I’d have a hard time getting on one, rational or not. I’d probably want to wait a year or more to see how things go and then maybe I’d feel ok. This had made me nervous flying the Dreamliner as well. Hard to get over these fears.

Absolutely. After the first crash I made sure none of my future flights were on one, and all of the articles that continue to come out about the 737 MAX seem to indicate that Boeing is a cost-cutting safety-skirting company that can’t be trusted to not kill people. I’d gladly pay an extra $50 to not be a guinea pig for their fixes.

What would you do if your plane was swapped out? It's fairly common if one is late or maintenance issues, etc.

I'd prefer not to, since correcting runaway horizontal stabilizer trim requires pilots to manually turn control wheels that many pilots lack the arm and upper body strength to turn.

The plane has become too large to rely on muscles and mechanical linkages to move a primary control surface.

I won't get into one until I'm satisfied that there's both a technical fix AND pilot retraining. I currently don't expect both to ever happen.

I'll fly on them anytime.

Once the pilots understand that runaway stab trim can be immediately halted by throwing the stab trim cutoff switches on the console, which is what the pilots did in the first instance of an MCAS failure and landed safely, the airplane can be safely flown.

Current 737MAX, 1 AOA sensor. As long as the pilot has been through the simulator with a run-away MCAS.

I'm good if he remembers "stab trim runaway - throw the stab trim cutoff switch". Because that's all that's needed. That's what the pilots did the first time it happened with Lion Air, and they landed without further difficulty. (The LA crash was the second time it happened.)

I intend to avoid them until they get extensive testing and re-certification by an independent agency (e.g. not the FAA). I do not trust either Boeing or the FAA to do the right thing, the economic incentives are too high.

Fortunately Boeing is not going to allow FAA to unground it until EASA approves it too. Can you imagine if it were still banned from European skies but flying in the US? That would kill it for good.

Could there be a political element here? The more changes EASA wants in the name of safety, and the more delays they add, the more airbus profits.

The have a clear incentive to force Boeing to make it far far safer than any other craft in the sky, and if Boeing complains, nobody will believe them.

I expect that the MCAS will eventually be fixed.

What worries me is the series of newspaper articles about a corrupted safety culture at Boeing, e.g. about the Dreamliner and how QC were finding forgotten parts and wrenches in the airframe. Commercial pressures are always at odds with safety, but I had the impression that aircraft manufacturers had this under control.

And the scary part is if this could happen in the US, other manufacturers aren't necessarily better, but they haven't fucked up so badly as Boeing (yet?). It's shaken my faith in faith in the idea of air safety engineering, which was always seen as shining example of safety engineering - it might be that the systems have become too complex to be managed safely.

> Would any of you refuse to fly in a 737 max once it returns?

I won't fly on it myself.

I’d hope so given the clusterfuck of problems with these machines.

Right? The concern shouldn't be the timeline. I don't care about how long it takes, I care about how safe it is.

All this hand wringing about costs and stock performance and grounded planes seems like chasing the wrong goal to me.

> All this hand wringing about costs and stock performance and grounded planes seems like chasing the wrong goal to me.

It would be great if we could apply this same logic to longer term issues that also threaten our safety, such as climate change.

This all came out of Boeing wanting to maintain "type identity" (my own term) of the Max with previous 737s, to reduce Boeing's certification cost and schedule, and airlines' retraining costs and schedules.

I wonder how much of those "savings" has already been eaten, and at what date they are surpassed.

> "type identity" (my own term)

Isn't it just called "type certification"? Why create a new term for it?

Because I don't know the actual term, and I wanted to convey the thought and move on.

"common type" is what people usually use.

An aspect of this story I've not seen addressed (and if it has, please point me to references): commercial large-aircraft aviation has achieved an impressive safety record through a process of continued incremental safeety refinements, but in doing so it seems to have created several notable path-dependencies both locking in old designs and strongly resisting new ones, particularly in larger aircraft. The Airbus A380 and Boeing 787 Dreamliner are notable exceptions, and each has proved problematic -- the A380 being discontinued in 2021 (238 presently built), and cost overruns, delays, andconcerns with both aircraft. The 737 series has seen over 10,000 aircraft built since 1968 (compare against 1,551 for the 747, introduced the same year). Boeing's jet airframes fundamentally trace back to designs from the early 1950s (367-80), and its first cemmercial passenger jet, the 707, was only retired this year, having seen first service in 1958.

Airbus's 737 MAX competitor, the A320 neo/ceo, is based on the A320 series first introduced in 1986, with about 8,900 aircraft built.

Looking at development cost for these aircraft over the years (and considering failures including Boeing and Concorde SST) is instructive, all prices ~2001-2019 dollars (or other currency), launch date in parenthesis:

    367-80: $149 (1954)
    707: ? (1958)
    737: ? (1968)
    747:  $7.2 billion (1968)
    Boeing 2707 SST: ? (cancelled 1971)
    Concorde: £7.67 (1976)
    A340: $3.5 billion (1986)
    A340neo: >$1.3 billion (2012)
    787 Dreamliner: $32 billion (2007)
    A380: €25 billion (2003)
    737 MAX: $3 billion (2014)
The possible exceptions are smaller aircraft development scaling up 9Embrar and Bombardier, notably), and possible entry by Chinese manufacturers (COMAC), each of which skewers the path-dependency risk from different angles

Clarifying; R&D budgets were million for the 367-80 and billion for Concorde.

I don't really care if it's flying in 2020. I'm not getting on one, and won't be flying any airline where there's a possibility of me ending up on one.

FTA: pushing back training for some current Southwest co-pilots on track to upgrade to captain

That means delayed wage increases for pilots as an additional consequence for this debacle.

And there's still no suggestion in followups to this issue, including in this article, that the MAX will get different type certification that requires a separate type rating for pilots. It's restricted to software fixes/changes, and possibly a physical processor replacement.

And they wanted to keep this plane in the air and the CEO was making calls assuring high level people of its safety instead of immediately recalling it and starting an independent investigation. With this many problems, it's frightening that they wanted to continue risking the lives of the crew and passengers.

Presumably Boeing will be compensating all airlines for the loss of use of these planes.

Do we have any clues to the magnitude of this compensation? How long can it continue and Boeing stay solvent?

My comments back in January (before the 2nd crash): https://twitter.com/davidu/status/1085881783319699458

""" Semi-related, they also found the 737MAX cockpit voice recorder from the downed Lion Air plane. My guess is that this will turn into an indictment of the new anti-stall software. You couldn’t pay me any amount of money to board a 737MAX-8 until that system is improved. """

I think whats different about the 737 Max versus other past troubled models of planes is the lack of empathy.

Prior troubled models are reflown or rebranded and flown - of course after addressing the critical flaw.

The 737 Max’s flaw is that it doesn't really fly well and needs software to regulate it, and a human to override the software, which is just odd.

But the company’s complacency, self regulatory status, lack of empathy - probably because saying sorry has legal consequences for them, or they’re leadership really are sociopaths, or both - is what damns this line for good.

Will consumers really be so gullible this time or have more pressing needs for the cheaper flight that they ignore the model being flown?

I’m really curious

> The 737 Max’s flaw is that it doesn't really fly well and needs software to regulate it, and a human to override the software, which is just odd.

It's not really odd though.

One of the first A320 crashes (https://en.wikipedia.org/wiki/Air_France_Flight_296) was also influenced by computer doing opposite of what the pilot tried to achieve (pilot flying at extremely low altitude into the trees tried to pull up to avoid the trees, but computer was set up to ignore that and instead lower the nose first to gain speed, before pulling up, to avoid a stall).

The plane would have probably crashed even if the computer did what pilot commanded, but hey, my point is that computers override pilots these days, and it's not odd. It's probably for the good, overall.

> The 737 Max’s flaw is that

> it doesn't really fly well

Actually, no. It's flaw is that it doesn't fly like previous 737's, and they need to make it do that.

Actually, if you’re going to correct someone with “Actually,”, you should understand the issue.

The MCAS exists to prevent stick forces from inverting as the nose pitches up towards the stall angle. If the stick forces invert, it becomes easier to continue into a stall angle than to move away from it. Commercial airframes are required to never exhibit this characteristic as a condition of certification.

MCAS was Boeing’s idea of a solution to this; command the stabilizers down to provide counter force against the stick, making it harder for the pilot to pull into the stall than pull away from it at every point.

Even if previous 737s had never existed and the 737MAX as it exists today were for some reason an all new design, it would need the MCAS counter-force to get certified as air worthy no matter how much new training pilots got. It (claims to) solve a fundamental airworthiness requirement; it is not just there to “fly like previous 737s”.

The behaviour of the airframe is simply not considered commercially airworthy without it.

That is my understanding as well. Not sure why a lot of folks are sticking to pilot certification idea.

IMO, removing G-force sensor from the system should be looked into. I just can’t see any sane engineer agrees to do so. They used it to make sure system only engages on high G but will limited authority, now the system needs to engage with low G, but higher authority - they should’ve introduce another signal (air speed?), not remove one.

It is either incompetence or greed.

It reads like broader organizational incompetence to me. From what I’ve seen:

1. They did safety analysis based on the original design: what needs to happen for MCAS to misfire (both the g-sensor and the AoA need to be incorrect) and what happens if it does (it runs once, to maximum authority of 0.6 degrees). They concluded from this that the issue was “major failure” rather than “hazardous” or “catastrophic”, and that the design met the reqs for “major” (2 sensors involved here, and major only requires 1).

2. Much later, with the analysis already rubber stamped by the FAA, they discover the low speed issue with stick forces and decide they can modify MCAS to resolve this as well, by radically increasing its authority over the stabilizers (more deflection needed to generate the same force at lower speeds) and removing the gsensor (which wouldn’t trip at low speeds). (This also seems to be where they introduced running it in a loop? Although some things we’ve seen out of Boeing seem to indicate that they might have not understood at any point that this was the way the system was written, or at least anyone involved in any analysis never knew to consider that)

3. Again later, someone concludes that the changes meet their initial analysis classification requirements, because they’ve already done a safety analysis and concluded “major”, which allows for 1 sensor with no redundancy, which they continue to have.

Nobody seems to have noticed that they’ve now fallen into a circular reasoning loop — the system must be safe to “major” level because we previously decided the system was safe to “major” level. They look at whether or not the changes still meet the requirements for “major” failure, but neglect to re-open the analysis and decide whether “major” is still the correct classification of failure in the first place.

Probably this means 1, 2, and 3 were being done by multiple groups of people with poor visibility and communication between them. Someone was asked to check whether the new setup met the requirements for the failure analysis the FAA had approved, but there was nobody looking at the bigger picture question of whether the validity of that analysis still applied.

>needs software to regulate it it

This is a standard pattern on most modern aircraft. Control is abstracted away by some computers, however—and as you said—the pilot can override the computers to more directly interact with the aircraft’s flight controls. Not an odd principle at all.

There's a difference there though. That's Fly-By-Wire in two different contexts.

One way to do it is indirect linkage to control surfaces, and using the computer to generate the appropriate signaling to actuate the control surfaces in a more or less direct mapping of pilot intent to control surface output. Depending on design philosophy, more in depth envelope protection may be implemented, (see Airbus) but there's no given that says Fly-By-Wire must be able to countermand and pilot commands.

The other way Fly-by-Wire is used (and to me personally is an anti-pattern) is as a pilot/plane babysitter like MCAS. The plane should be free of bad aerodynamic behaviors so that even with total electrical system casualty, a passive glide and controlled landing is possible. Once MCAS is taken out of the picture, the MAX doesn't have that. It does not meat the full set of airworthyness regulations for Civil Transport Aircraft as laid out in FAR 25.173.

I understand some in the industry may scoff at having to comply with the directive as written, but it's now been clearly demonstrated what happens when you don't.

IMO MCAS (the version properly respecified and reimplemented, of course) really fits in the "envelop protection" category (even if slightly pre-emptive), why do you classify it otherwise?

I don't qualify it as envelope protection, because it doesn't actually prevent you from doing something daft. This is a characteristic that seems to be common in every system I've heard of described as an envelope protection system. Though in a sense one could consider it one I suppose in the absence of a malfunctioning AoA sensor.

If it were envelope protection. It would serve the purpose of preventing you from getting into an untenable situation, regardless of your control inputs. MCAS doesn't. You can go all the way to stall with it, and it just keeps cranking down the trim to keep the control stick force curve from inverting.

It creates the piloting experience (look and feel) of 737 piloting, but introduces new and lethal failure States due to the lack of error checking, and graceful degradation of functionality.

There's other issues, but that's what sticks out to me.

To be clear, my categories of the different applications of FBW are built by the distinction between what it is trying to do. Take the F-16, or F-117 as an example of Fly-By-Wire making an unstable aircraft controllable versus Airbus control law system, which basically takes a stable airframe, and exposes a common user interface so similar control schemes can be used for physically different airframes.

The first variety has no place in Civil Transport. The second absolutely does.

FAR 25.173 says nothing about electrical failure.

Indeed at the sizes of aircraft we’re taking about the pilot is just not going to be strong enough without hydraulic or electric assistance.

The regulation doesn't, no, the technical details of MCAS as a piece of software necessary to maintain airworthyness however, demand the flight control computer be able at all times to work as designed to maintain the regulated condition of airworthyness. Namely, no control stick force inversions on approach to stall.

It's kind of hard to do that with a computer if you've lost your electrics. Therefore either the system needs to be bulletproof, or you should have designed out the need for the crutch in the first place. Not gone and made a Frankenstein's monster of a plane.

leaving out the discussion of how much force is required and how strong a pilot is, the hand crank for the stab trim has mechanical leverage. the pilot turns a crank that is geared to move a cable. the amount of leverage is determined by mechanical design. it could be geared to move a stabilizer on a plane N times as large...more turns though.

It still runs into problems where in general, the electronic manipulation is what pilots muscle memory develops around, and the more mechanical advantage is utilized, the faster the wheel turns in the cockpit during normal operation.

Those wheels are already notorious for the punishment they can subject an errant kneecap to.

Even if this debacle drives Boeing out of business, all of the expertise, factories, tooling, and designs still exist. Is there a realistic path forward that has Boeing ceasing operations, but transferring the assets to a new company with new management that can at least manufacture and support the airframes that don’t have massive problems?

Doesn't matter. I'm not going to fly with any 737.

A question I've been meaning to ask. I've always heard flight critical systems have to be at least doubly or triply redundant. Why was there only 1 pitot tube? It's clearly flight critical.

There are actually 5 pitot tubes on the Boeing 737[1]. There was only one Angle of Attack sensor. I don't know why for sure, but armchair speculation is that it was considered non-critical before the introduction of MCAS and nobody re-evaluated after.

1: https://aviation.stackexchange.com/questions/50797/why-does-...

There were actually two AoA sensors (on either side of the aircraft) each connected to different sides of the panel. The issue was/is what to do when they disagree (with respect to MCAS).

EDIT: Source: https://aviation.stackexchange.com/questions/61011/how-many-...

The MCAS subsystem in the active Flight Control Computer was only taking input from the AoA vane on that FCC's side of the plane, and not cross-checking with the other instrument.

The triple redundancy only comes into play with systems with a severity of failure rated as catastrophic.

The MCAS system as originally designed was rated as merely hazardous. Which doesn't require redundancy. The decision to feed off of only one vane was intentional to avoid having to have pilots undergo level D simulator training as part of their type certification. Multi-sensor systems generally require Level D training.

See the 737 MAX Expose by 60 minutes, where the whistleblower testimony is first presented.

Wow, so they could've easily made it safer with the hardware they already had onboard, but chose not to because money?

Somewhere inside Boeing there are decision-makers that lack ethics (or even long-term financial thinking). They need to be fired.

Yep. If I had to start looking, I'd start looking here:


There's a Bloomberg article I've been trying to track down from back in the 2000's where a Boeing exec is quoted as saying that Boeing is going to undergo a financial transformation, part of which involved decreased "over thinking the box" and stripping all that wasteful effort (what engineers call the hard parts) from the process in order to bring Boeing into the mainstream as an optimized shareholder value generating machine.

This happened apparently shortly after the McDonnell Douglas merger as I understand it.

Unless they were just acting completely reckless, which is hard to believe considering their previous safety record and the downside of failure, it's probably more complex than that.

My understanding (form my own reading, and a few other comments on this post), is that they needed to maintain the existing 737 type rating, so that pilots would not need to be retrained (this I knew), but also apparently changing the type would mean they wouldn’t be allowed to grandfather in some old, no longer permitted, design elements. This latter bit is new to me and I haven’t seen it mentioned elsewhere so maybe take with a big bowl of salt :)


Specifically, because airlines wanted to save money on pilot training.

Rather because Boeing wanted to remain "competitive" against Airbus' superior alternative by selling something that didn't exist, namely the factually different plane which would be certified as "the same".


Could they have had multiple sensors, but then fed them through software that determined which one(s) to tell the pilot about, without requiring the additional training? Like perhaps if they had 2 AoA’s on each side, and the software would take a reading that was agreed upon by 3 of the 4 sensors, and would alert the pilots to a failure of the system if 2 agreed and 2 disagreed.

The problem there is you don't train for when everything works. You train for when things don't work.

The more complex you make the plumbing, as it were, the easier it is to clog it all up.

Plus, there have been instances where a majority Ocala sensors have frozen in the same position, and outvoted the last remaining functional one. At the end of the day, software can only be considered an automation aid.

The human pilot must be able to make a reasonably safe go of flying the plane alone. Even Airbus planes have this quality in direct law. They are still stable, there are just fewer safeguards to keep you from doing something daft.

And even with airbus' approach, there's a case to be made that overreliance on the computer to safely operate the plane degrades basic piloting skills through atrophy or complacency.

My next question would be are they adding a third? Everything I hear sounds like a software update rather than the more expensive hardware changes.

There is no need to add a third. The software update make MCAS to use both existing angle of attack sensors, and if they disagree MCAS will be disabled and a warning indication will be shown.

Then you risk a stall. If MCAS is non-essential why not remove it completely? And if it's essential, then you need >2 sensors to ensure it can operate all the time.

MCAS is not essential. It exist to make the airplane behave like the older B737.

This just isn't true. MCAS was added because it is a safety requirement that stick forces strictly increase. You don't want the thing to start stalling itself.

I think you mean decrease — pulling back should become less effective as you enter a stall.

Stick force doesn't refer to how effective any stick movement is.

Roughly speaking, stick force is the amount of force the pilot has to to apply to the stick to achieve a given movement of the control surfaces.

As the airplane gets closer to a stall, you want to make it harder for the pilot to pull it fully into the stall, by increasing the required stick force.

If the stick force decreased as the airplane approached a stall, then the pilot would have to actively push the stick back into more stable flight.

Not everything that is non-critical should be removed.

Autopilot? Not necessary, pilots can fly themselves. Still, it is added for convenience (and its consequences, less mental burden, more mental capacity to do other stuff).

As many people have noted: AoA sensors, not pitot tubes.

What hasn't been mentioned: the fact that MCAS repeatedly engages, over many minutes, whilst both pilots were repeatedly fighting the system, and the elevation-over-ground track was highly anomalous.

A major problem with automated systems is that few of them have any awareness that they are ever doing the wrong thing, operationg far outside the bounds of their own design, and will, in this case, fly a plane into the ground. If multiple pilot actions and flight track indicate disagreement, automation should probably disengage.

There are other problems with pilots, of course. AF447 was a failure of pilots, but one exacerbated by automated and fly-by-wire controls not revealing conflicting inputs by Bonin and Dubois. Germanwings 9525, and by appearances MA370 are among cases where a single pilot acting alone sabotaged or crashed a commercial passenger flight. See: https://www.huffpost.com/entry/pilots-crashing-on-purpose_n_... and https://en.wikipedia.org/wiki/Suicide_by_pilot

But outside notable hijacking incidents of 18 years ago, concerted efforts by multiple pilots are unheard of.

MCAS uses AoA (angle of attack) not Pitot Tube.

There are two AoA on the 737 Max, MCAS only used a single one (but switched every time you started the aircraft). Reporting in Seattle Times suggests that it was originally designed to use one AoA combined with a G-Sensor[0]. The two in combination would trigger MCAS to make a small adjustment.

The problem is that the aircraft's actual design was failing to be "common type" compatible (i.e. no re-training). So they kept on expanding MCAS's usage to compensate. For low speed the G-Sensor didn't work, so was removed, and flight authority was increased.

More from the article:

> This original version of MCAS, according to two people familiar with the details, was activated only if two distinct sensors indicated such an extreme maneuver: a high angle of attack and a high G-force. [...] About a third of the way through flight testing in 2016, as first reported by The Seattle Times in March, Boeing made substantial changes to MCAS.

> The flight-test pilots had found another problem: The same lack of smooth stick forces was also occurring in certain low-speed flight conditions. To cover that issue too, engineers decided to expand the scope and power of MCAS.

> Because at low speed a control surface must be deflected more to have the same effect, engineers increased the power of the system at low speed from 0.6 degrees of stabilizer nose-down deflection to 2.5 degrees each time it was activated.

> On the stabilizer, maximum nose down is about 4.7 degrees away from level flight. So with the new increased authority to move the stabilizer, just a couple of iterations of the system could push it to that maximum.

> Because there are no excessive G-forces at low speed, the engineers removed the G-force factor as a trigger. But that meant MCAS was now activated by a single angle-of-attack sensor.

> One of the people familiar with MCAS’s evolution said the system designers didn’t see any need to add an additional sensor or redundancy because the hazard assessment had determined that an MCAS failure in normal flight would only qualify in the “major” category for which the single sensor is the norm.

[0] https://www.seattletimes.com/seattle-news/times-watchdog/the...

There are two AoA sensors but only one used for MCas because someone pushed the idea that by using 2 it would require extra training so let's go for the least redundant solution

Obviously redundancy is better. But some allowance can be made for pilot skill to work around a problem. For example, a loss of airspeed at cruise should not cause a disaster. The pilot can select a know good thrust/pitch setting and use other data (such as engine performance). There will always be this kind of failure that needs a workaround rather than complete redundancy. The risk is possibly in how pilots interpret and respond to that information.

There’s five sets of pitot tubes on the 737...

Aftbt corrected me above. There was only one angle of attack indicator specifically.

There were two, but IIRC only one was ever used at a time.

IAG must be very proud of their order by now...

How to put a positive spin on the 737 MAX disaster. The reason it 'll take to 2020, if ever is no-one would want to ride in one.

“Boeing Co’s 737 MAX planes are unlikely to be ready to carry passengers again until 2020 because of the time it will take to fix flight-control software and”

Will this include giving back control of the stabilizer trim to the pilot.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact