1. They got it right this time
2. They didn't get it right (because it's not possible to get it right), but they are going to insist that they did because admitting that they were chasing a chimera all along would be the end of the company
The problem is that it will be very hard for anyone without very deep knowledge to determine which of these is the case. I don't see any way to tell a convincing story  about how the Max can be flown safely that does not involve re-training pilots to fly the plane "raw", i.e. where a human pilot is capable of flying the plane when the automation has failed, without any software covering up its native handling characteristics. That will require a new type certificate and re-training. That can make the plane safe to fly, but it will utterly destroy its economic model, so that is an unacceptable solution.
Boeing has already destroyed all of the credibility it once had. It insisted that the Max was safe to fly when it manifestly wasn't. They will again insist that the Max is safe to fly whether or not it actually is because their survival as a company depends on it. The problem is not that the plane may be unsafe. The problem is that, under the circumstances, there will be no way to know whether or not it is until the next one crashes.
To put it in perspective, in North America, American Airlines and United Airlines have each ordered at least 100 of the airframes. These airlines each operate several different fleet types of similar sizes that each require putting pilots through extensive training to move them back and forth. The economics of operating the MAX would be changed but I would imagine it’s still going to come out as cost effective when considering how much more efficient the aircraft is vs the older aircraft they’ll be replacing.
I certainly appreciate the skepticism of getting the product back out there without extensive training. I think even after its all said and done the pilots and pilots’ unions will heavily advocate for additional training to ensure these things are being operated safely.
A new type rating cannot use grandfather rights. There is plenty of stuff in this plane that is not permitted any more (like the door design over the wings). Those would be massive changes to the plane.
That’s just one example though and you’re likely right. The thing is though most of these systems have modern adaptations that could be applied. They just haven’t been because of the desire to keep it a 737. They’re things that can be changed/fixed whereas the aerodynamics of the design cannot be be changed easily.
Oddly enough that news bulletin says it's still a plug door which it clearly is not in the final design.
Overall the root cause I believe is generally weight of doors and evacuation time. I had a few conversations about this around the time the second accident happened and grandfather rights were brought up by people from the industry I talked to as an expensive problem for a new type rating.
"It is the only modern Boeing jet without an electronic alert system that explains what is malfunctioning and how to resolve it. Instead pilots have to check a manual."
But if Boeing can get out of this disaster with a few more AoA sensors on each airframe, some safety-critical software, some simulators, and some free training for the airlines to send their pilots to...they'd be fools not to do that. A fleet sitting on the ground for months is worth a lot more than some simulator time.
Yeah, but at this point that’s just going to mean Boeing ends up selling these things for less of a profit. There’s years of backlog of 737 MAX orders, and years of backlog of A320 Neo orders.
Airlines with orders in for dozens of MAXes in 2021 aren’t going to be able to switch those orders to Neos without incurring years and years of delays on delivery.
That means that if 737MAX requires a new type certification, then it requires in order to make business sense for airlines either (at a minimum) additional costly fragmentation of the airlines' employee pool, or more likely making plans to retire the fleet of planes that are classified under the prior "not as profitable body design" of type certification.
My source is hard to narrow down, I've been listening to the APG podcast show, where Captain Jeff (the not-as-good-looking Jeff) flies MD-80's for "Acme Airlines", I guess which is a major US legacy carrier who has been renamed to protect the innocent. It might have been something I heard here, or read online, and I am not a pilot, so willing to be called out by anyone who knows more than me, please feel free to chime right in here if you know different. I can't seem to find a source for this fact.
I think perhaps what I misunderstood might be, if there is no law or regulation that says you can't be type certified in multiple aircrafts at once, actually have to turn in your current type rating in order to get another one... (???)
... but that the practicality of maintaining multiple type ratings for a pilot makes it something basically so expensive or onerous as an Airline Transport Pilot, that it would be practically unheard of for someone to maintain two type rating certifications at once for any period of time. And it seems logical the same thus goes for airlines themselves. The Southwest brand of cheap flights was originally made possible by the fact that their entire fleet was made up of planes with just one type rating. The more type ratings that must be maintained, the less nimble and profitable the company will be.
It seems likely we're going to see more airlines going under as this story unfolds, either that or some kind of major bailouts. I don't even know if they make any insurance that covers this scope and scale of business catastrophe.
The 737 MAX fleets will be big enough to justify the cost of maintaining a group of pilots that fly the MAX and a group that flies the 737NG. Just as they do now with multiple fleet types. If airlines were trying to just mix 30-40 of these in with the 737NG fleet the economics would break but when you’re talking a fleet of 100+ it starts working out. Of course it will end up making the economics worse than originally planned for but at this point what can you do? The A320NEO order book is filled for years so if you’re an airline CEO you’re stuck with the MAX.
As far as the airlines go none of them seem to be suffering significant financial damage yet. The pace of orders meant they were only going to have about 30-40 of these things by years end so they’re coping. It remains to be seen how it will affect them long term. DAL seems to have struck gold with the whole ordeal. As the only major US airline without the MAX they’ve increased capacity 2-3% more than planned and their recent Q2 shows it’s working out great.
I did not know this! Thanks for the added insight.
That's not my understanding: I think you can simultaneously be certified for multiple planes, however companies will only make you fly for one at a time, currently. My guess is that if the Max needs a new certification, it will create a whole new model given it is still really close to the NG (and basic 737, if they still fly), so it might be more convenient than risky (and costly) to allow pilots to be certified and fly on both, if really needed. Maybe this will not even be needed, because tons of companies use multiple types of aircraft already.
Call me cynical, but I believe this is not possible. It may be upgraded, rebranded, recertified, and they may retrain everyone who may come anywhere near its cockpit, but they can't just drop the plane for three reasons:
1. They already sold too many. Those customers will want a refund, and will have a major loss of faith into Boeing. Unless there is a replacement plane to give but ...
2. They don't have any replacement. They don't have anything to put in that slot. And it's already a plane they had to rush because a) it's the main seller, and b) the competition (A320 Neo) is a very good plane in that slot.
3. Like said above, it's the major seller. It has how many thousands of orders and how many years of wait to get your planes already ? And nobody cancelled to move to airbus because they're just as backlogged. So neither Boeing, nor the airlines, nor the US government want it / can afford for it to disappear, they want it fixed, anyway possible.
Don't get me wrong, I believe in a perfect world it should be grouded forever and be remembered as a huge warning lesson, but this will never happen.
The real question is, why aren't Airbus and Boeing massively increasing their production capacity for those lines ? Feels like they've been been backlogged since forever, and it's only getting worse. I get that you can't create a new set of factory and their trained workers overnight, but we're talking decade here.
Ultimately we may be moving toward a taxpayer bailout of Boeing. Instead of doing that why not take that money any fund grants to help rediversify the market?
I don't see how you could have a competitive market like cars when the safety standards are an order of magnitude higher than driving and yet probably an order of magnitude smaller in size.
It's also worth considering that car crashes are disproportionately caused by drunk and teenage drivers. If you are between 25 and 70, drive in the daytime and don't drink yourself you can beat the safety record of airlines! There's no need to argue for laxer airworthiness standards using bad statistics.
Cars can travel extremely short ranges and extremely long ranges which skews their "journey" statistics as most people use them for short trips. Planes are only efficient at long ranges so "journey" statistics look bad but if everyone were to drive everywhere instead of fly, human fatalities would definitely go up.
You can slice the numbers in many ways, but in truth you can only substitute similar distances between modes of transit. Aka you can’t substitute a 1km car trip for a 10,000 km aircraft trip. Making deaths per passenger distance the only meaningful metric.
I can't see how you came to this conclusion, I'd expect walking to be the safest by far on this per-journey accounting.
Cars are the deadliest thing we have in modern society.
Because it's expensive, and times where their market isn't going so well will be coming, and the company that hasn't spent billions on production capacity it can't utilize is better off. More production capacity doesn't even mean they sell that many more planes overall.
You must have missed this news:
Both receive absolutely massive subsidies from their respective governments, to allow them to price-cut the competition. The governments are not willing to increase those, hence limiting the amount of under-market-value products they can deliver to their customers.
"EU rapped by WTO for $10bn a year Airbus subsidies
FBW on the A320 has many benefits such as better passenger comfort because it can use the control surfaces to take the edge off turbulence. You can get away with smaller control surfaces which then lowers weight, improves range, etc.
Airbus went through a lot of work to validate the safety of the FBW/Flight Envelope Protection -- if sensors fail, it goes into one of several degraded modes. Pilots are trained to recognize these modes and fly them.
Boeing has applied this technology to their large jets, but it's just sad that the most common Boeing jet by far, the 737, is a technological backwater. Boeing is talking about making a "New Midsize Aircraft" which has a questionable market, but so far as I can tell, their business plan is to be building a starship for NASA in 2070 but still be selling 737s.
Especially AF296 killed 3 people when they try to demonstrate the anti-stall capacity of the FBW during an airshow. Airbus modified the way the fbw control reclamation worked after this. After the Rio-Paris accident (forgot the flight name, it was AF too), they changed the way the degradation worked wehn sensor fails (i think now 3 different mode exists, and information is more visible).
Those incident killed people, and there is a chance that the first one was actually caused only by the manufacturer (the second one was 99% the pilot though, the remaining 1% was: better information, better sims and better gradation so that even new, tired pilot can't make this kind of mistake).
FBW adds cyber-related failure modes, but it is hard if not impossible to make the traditional hydraulics, strings, springs and pully-based systems resilient against failures since the number of things you have to duplicate explodes exponentially.
One big difference is that the pilot and co-pilot's yokes on a Boeing plane are mechanically connected to each other so they share the feelings. Airbus uses "sidestick" controllers which aren't quite as nice but are perfectly adequate.
Boeing, however, uses FBW only on their large aircraft, but not on the 737, which is their most flown aircraft. All Airbus planes are FBW, because their competitor to the 737, the A320 is FBW.
AOA sensors should be helpers, should notify or alert, but never make decisions.
Only if you ignore moments. 
The government hires an independent contractor organization (I guess The Aerospace Corporation and NASA people and former-FAA people from the time the FAA had technical people, etc.) to do a blue ribbon commission style full analysis of the plane, at a huge cost in time and budget, and publishes the whole thing, scathing as it is to Boeing. Some people might get fired, in both Boeing and the FAA, but that doesn't matter.
The independent contractor organization gets carte blanche to declare any issues as "preventing certification", and to suggest any fixes, and oversee Boeing implement the fixes and the tests (what the FAA should have done). When they sign off that the plane is safe, the FAA signs off (as a formality, because we don't trust the FAA) and airlines based in the US start using the plane where jurisdiction allows (maybe only in US, maybe in friendly countries). After a while of no crashes, other jurisdictions will allow it and other airlines will buy/unground it.
Boeing pays the government for the work of the independent contractor organization, in equity I guess. The government holds the stock until the stock price rises after the fixed plane succeeds in the market, and then sells.
Note I know nothing about anything, so the above is fan fiction.
Great idea, but I think Feynman died awhile back.
They need to put pilots through simulator training of both kinds of MCAS failure: (1) MCAS goes nuts and needs to be turned off, and (2) MCAS is not there to save you when you need it.
So long as Boeing refuses to capitulate, the grounding is going to go on, and the longer the grounding goes on, the more problems are going to be discovered, the more orders get canceled, etc.
Of course it is. All jet airliners already have active augmentation to make them fly as if they do not have stability problems that can lead to crashes.
All aircraft experience Dutch roll. It's an inevitability.
Control stick force inversion on approach to stall is absolutely not an inevitable consequence of large aircraft design. Yaw dampers are specifically required as a labor saving device on civil transport aircraft with swept wings; but all pilot's are aware of Dutch Roll.
None were made aware of the failing behavior that MCAS corrects.
It's still a stability issue that has led to fatal crashes because some pilots were unable to correct for dutch roll. Successfully countering dutch roll is an ongoing process, and a pilot may know all about it in his head and still be unable to correctly counter it with properly coordinated stick & rudder movements.
Dutch roll is no joke and the yaw damper is required and is critical equipment.
On the other hand, dealing with runaway MCAS is literally just turning a switch off on the console.
No one was told about MCAS or the force inversions it was meant to correct ahead of time, or shared enough technical detail to ensure pilots know what to be prepared for. Major difference there.
>On the other hand, dealing with runaway MCAS is literally just turning a switch off on the console.
Which instantly decertifies your aircraft to be carrying passengers.
Look, I get it. That's paperwork talk! The thing still flies!
But we have to hold ourselves accountable to the silly whims of paperwork talk, lest we fall victim to Normalization of Deviance, who is a cold-hearted, stone-faced bitch.
Knowing about it doesn't help. They crash anyway. That's why there's a yaw damper as required equipment.
> No one was told about MCAS
That's true, but they were told about the stab trim cutoff switches to halt runaway trim, and the MCAS failure exhibits itself as runaway trim. The flight before the Lion Air crash had an MCAS failure, too, and the pilots simply switched off the stab trim and they landed safely. They did't know about MCAS, either.
> Which instantly decertifies your aircraft to be carrying passengers.
That isn't how certification works.
Boeing has certainly made many mistakes with the MCAS system, but the problem was controllable by pilots who remembered what the cutoff switches were for. This was proven in the first MCAS failure incident I mentioned.
They don't do it not knowing about and having experienced Dutch Roll, however, with a check pilot. We train for the unexpected, use technology as best we can to mitigate, and just have to have faith that after a certain point we've told the pilot everything they need to know, and leave them to do their thing. Regardless of whether Dutch roll has killed someone or not they knew about Dutch roll going into it. They knew yaw dampers were a thing. They knew how and when yaw dampers were active and why. Not so with MCAS.
>The flight before the Lion Air crash had an MCAS failure, too, and the pilots simply switched off the stab trim and they landed safely. They did't know about MCAS, either.
Walter, c'mon man. We've been through this before.
The penultimate Lion Air flight had 3 pilots, one with the luxury of paying attention to anything the other two actually flying the plane weren't; None of them knew what was going on, and to be frank, Getting it right for the wrong reasons just sets the stage for more disaster later. You can also look at the documentation regarding stabilizer runaway, and it is specifically described as a continuous uncommanded trim actuation.
MCAS isn't continuous, it's discrete. On for 10 seconds, off for five. While the procedures may be the same, an unprimed pilot being caught unawares by an aircraft feature completely foreign to them, and unelucidated in the documentation is liable to lose precious time if the failure happens at an inopportune time of the flight.
Also, throw in the failure of autopilot to stay engaged, and inability to lock the computer out without losing the trim switches, it's a losing proposition all around.
>That isn't how certification works.
I'll butt heads with you there. A type certification certifies a particular configuration of hardware and software to be flown in certain airspace for a particular purpose. While operational leniency is to be expected so a failure of a component not on the Minimum Required Equipment checklist doesn't ground planes at every little problem, I patently reject the proposition that having a type certificate granted, then experiencing a configuration change during normal operation that compromises the ability for the airframe to meet the prescribed criteria for being certified as airworthy does not discertify that particular instance of the alleged type from immediate airworthyness.
It is the configuration that is certified. Anything that meets that configuration within reason may be used for the certified purpose. Departure from said configuration warrants immediate remediation as quickly and safely possible. Generally that judgement call is by custom left to the pilots as to whether to continue or reroute for repairs.
If you lose a system required to use the plane for it's intended purpose in flight, then you should damn well be prepared to put that plane on the ground to get it fixed. Period. This type of thing isn't a game, and the more the industry treats it like one, the less inclined people will be to trust and utilize it.
Obviously it's not as the pilots in the first incident turned off the stab trim and landed without further incident or difficulty, despite being totally unaware of MCAS.
10 seconds of the stab trim moving is a long time, and it's hair-splitting to say that isn't a runaway when it is uncommanded and moving things in an obviously dangerous direction. Short circuits can also cause runaway trim, and are often intermittent.
They do not have to know what is going on to conclude it's runaway trim and shut it off. The pilots are supposed to be trained for runaway stab trim. It's the WHOLE POINT of having the cutoff switches within easy reach on the console.
Just like if the engine is on fire, the pilot does not need to know why the engine is on fire, he just has to know how to operate the engine fire extinguishers.
Furthermore, the MCAS system was known after the first crash. Boeing issued an airworthiness directive about it, with instructions to use the cutoff switches.
So what is the reason the Ethiopian pilots were not aware of the MCAS system (it was all over the news, and Boeing had issued an airworthiness directive on it which is supposed to be sent to the pilots)? I don't know. I've never heard an explanation for it.
Nobody is claiming it's a game. Nobody is claiming Boeing doesn't need to fix the MCAS system. Pilot training is clearly inadequate if two sets of pilots did not use the cutoff switches. Something is wrong with the airworthiness directive system if they did not reach the pilots.
But at the end of the day, the FAA will let it fly again because it not flying might break Boeing's back and Boeing is essential as a defense company.
At worse, they'll have to have a separate type-rating and require pilots to go through further training to fly it.
The whole idea behind the plane was to skip full training and be qualified with a short hour long tablet training session.
That cost saving measure has now passed, so rather than scrapping the Max all together, pilots will just need the further training.
I maintain that it will fly again, there will be a third high fatality crash related to MCAS, and then it will never fly as a passenger plane again. The existing planes will be repurposed as cargo planes. You heard it here first.
And a massive federal bailout of Boeing because it is critical to national security is well beyond inevitable at this point.
The plane has become too large to rely on muscles and mechanical linkages to move a primary control surface.
Once the pilots understand that runaway stab trim can be immediately halted by throwing the stab trim cutoff switches on the console, which is what the pilots did in the first instance of an MCAS failure and landed safely, the airplane can be safely flown.
The have a clear incentive to force Boeing to make it far far safer than any other craft in the sky, and if Boeing complains, nobody will believe them.
What worries me is the series of newspaper articles about a corrupted safety culture at Boeing, e.g. about the Dreamliner and how QC were finding forgotten parts and wrenches in the airframe. Commercial pressures are always at odds with safety, but I had the impression that aircraft manufacturers had this under control.
And the scary part is if this could happen in the US, other manufacturers aren't necessarily better, but they haven't fucked up so badly as Boeing (yet?). It's shaken my faith in faith in the idea of air safety engineering, which was always seen as shining example of safety engineering - it might be that the systems have become too complex to be managed safely.
I won't fly on it myself.
All this hand wringing about costs and stock performance and grounded planes seems like chasing the wrong goal to me.
It would be great if we could apply this same logic to longer term issues that also threaten our safety, such as climate change.
I wonder how much of those "savings" has already been eaten, and at what date they are surpassed.
Isn't it just called "type certification"? Why create a new term for it?
Airbus's 737 MAX competitor, the A320 neo/ceo, is based on the A320 series first introduced in 1986, with about 8,900 aircraft built.
Looking at development cost for these aircraft over the years (and considering failures including Boeing and Concorde SST) is instructive, all prices ~2001-2019 dollars (or other currency), launch date in parenthesis:
367-80: $149 (1954)
707: ? (1958)
737: ? (1968)
747: $7.2 billion (1968)
Boeing 2707 SST: ? (cancelled 1971)
Concorde: £7.67 (1976)
A340: $3.5 billion (1986)
A340neo: >$1.3 billion (2012)
787 Dreamliner: $32 billion (2007)
A380: €25 billion (2003)
737 MAX: $3 billion (2014)
That means delayed wage increases for pilots as an additional consequence for this debacle.
And there's still no suggestion in followups to this issue, including in this article, that the MAX will get different type certification that requires a separate type rating for pilots. It's restricted to software fixes/changes, and possibly a physical processor replacement.
Do we have any clues to the magnitude of this compensation? How long can it continue and Boeing stay solvent?
Semi-related, they also found the 737MAX cockpit voice recorder from the downed Lion Air plane. My guess is that this will turn into an indictment of the new anti-stall software. You couldn’t pay me any amount of money to board a 737MAX-8 until that system is improved.
Prior troubled models are reflown or rebranded and flown - of course after addressing the critical flaw.
The 737 Max’s flaw is that it doesn't really fly well and needs software to regulate it, and a human to override the software, which is just odd.
But the company’s complacency, self regulatory status, lack of empathy - probably because saying sorry has legal consequences for them, or they’re leadership really are sociopaths, or both - is what damns this line for good.
Will consumers really be so gullible this time or have more pressing needs for the cheaper flight that they ignore the model being flown?
I’m really curious
It's not really odd though.
One of the first A320 crashes (https://en.wikipedia.org/wiki/Air_France_Flight_296) was also influenced by computer doing opposite of what the pilot tried to achieve (pilot flying at extremely low altitude into the trees tried to pull up to avoid the trees, but computer was set up to ignore that and instead lower the nose first to gain speed, before pulling up, to avoid a stall).
The plane would have probably crashed even if the computer did what pilot commanded, but hey, my point is that computers override pilots these days, and it's not odd. It's probably for the good, overall.
> it doesn't really fly well
Actually, no. It's flaw is that it doesn't fly like previous 737's, and they need to make it do that.
The MCAS exists to prevent stick forces from inverting as the nose pitches up towards the stall angle. If the stick forces invert, it becomes easier to continue into a stall angle than to move away from it. Commercial airframes are required to never exhibit this characteristic as a condition of certification.
MCAS was Boeing’s idea of a solution to this; command the stabilizers down to provide counter force against the stick, making it harder for the pilot to pull into the stall than pull away from it at every point.
Even if previous 737s had never existed and the 737MAX as it exists today were for some reason an all new design, it would need the MCAS counter-force to get certified as air worthy no matter how much new training pilots got. It (claims to) solve a fundamental airworthiness requirement; it is not just there to “fly like previous 737s”.
The behaviour of the airframe is simply not considered commercially airworthy without it.
IMO, removing G-force sensor from the system should be looked into. I just can’t see any sane engineer agrees to do so. They used it to make sure system only engages on high G but will limited authority, now the system needs to engage with low G, but higher authority - they should’ve introduce another signal (air speed?), not remove one.
It is either incompetence or greed.
1. They did safety analysis based on the original design: what needs to happen for MCAS to misfire (both the g-sensor and the AoA need to be incorrect) and what happens if it does (it runs once, to maximum authority of 0.6 degrees). They concluded from this that the issue was “major failure” rather than “hazardous” or “catastrophic”, and that the design met the reqs for “major” (2 sensors involved here, and major only requires 1).
2. Much later, with the analysis already rubber stamped by the FAA, they discover the low speed issue with stick forces and decide they can modify MCAS to resolve this as well, by radically increasing its authority over the stabilizers (more deflection needed to generate the same force at lower speeds) and removing the gsensor (which wouldn’t trip at low speeds). (This also seems to be where they introduced running it in a loop? Although some things we’ve seen out of Boeing seem to indicate that they might have not understood at any point that this was the way the system was written, or at least anyone involved in any analysis never knew to consider that)
3. Again later, someone concludes that the changes meet their initial analysis classification requirements, because they’ve already done a safety analysis and concluded “major”, which allows for 1 sensor with no redundancy, which they continue to have.
Nobody seems to have noticed that they’ve now fallen into a circular reasoning loop — the system must be safe to “major” level because we previously decided the system was safe to “major” level. They look at whether or not the changes still meet the requirements for “major” failure, but neglect to re-open the analysis and decide whether “major” is still the correct classification of failure in the first place.
Probably this means 1, 2, and 3 were being done by multiple groups of people with poor visibility and communication between them. Someone was asked to check whether the new setup met the requirements for the failure analysis the FAA had approved, but there was nobody looking at the bigger picture question of whether the validity of that analysis still applied.
This is a standard pattern on most modern aircraft. Control is abstracted away by some computers, however—and as you said—the pilot can override the computers to more directly interact with the aircraft’s flight controls. Not an odd principle at all.
One way to do it is indirect linkage to control surfaces, and using the computer to generate the appropriate signaling to actuate the control surfaces in a more or less direct mapping of pilot intent to control surface output. Depending on design philosophy, more in depth envelope protection may be implemented, (see Airbus) but there's no given that says Fly-By-Wire must be able to countermand and pilot commands.
The other way Fly-by-Wire is used (and to me personally is an anti-pattern) is as a pilot/plane babysitter like MCAS. The plane should be free of bad aerodynamic behaviors so that even with total electrical system casualty, a passive glide and controlled landing is possible. Once MCAS is taken out of the picture, the MAX doesn't have that. It does not meat the full set of airworthyness regulations for Civil Transport Aircraft as laid out in FAR 25.173.
I understand some in the industry may scoff at having to comply with the directive as written, but it's now been clearly demonstrated what happens when you don't.
If it were envelope protection. It would serve the purpose of preventing you from getting into an untenable situation, regardless of your control inputs. MCAS doesn't. You can go all the way to stall with it, and it just keeps cranking down the trim to keep the control stick force curve from inverting.
It creates the piloting experience (look and feel) of 737 piloting, but introduces new and lethal failure States due to the lack of error checking, and graceful degradation of functionality.
There's other issues, but that's what sticks out to me.
To be clear, my categories of the different applications of FBW are built by the distinction between what it is trying to do. Take the F-16, or F-117 as an example of Fly-By-Wire making an unstable aircraft controllable versus Airbus control law system, which basically takes a stable airframe, and exposes a common user interface so similar control schemes can be used for physically different airframes.
The first variety has no place in Civil Transport. The second absolutely does.
Indeed at the sizes of aircraft we’re taking about the pilot is just not going to be strong enough without hydraulic or electric assistance.
It's kind of hard to do that with a computer if you've lost your electrics. Therefore either the system needs to be bulletproof, or you should have designed out the need for the crutch in the first place. Not gone and made a Frankenstein's monster of a plane.
Those wheels are already notorious for the punishment they can subject an errant kneecap to.
EDIT: Source: https://aviation.stackexchange.com/questions/61011/how-many-...
The triple redundancy only comes into play with systems with a severity of failure rated as catastrophic.
The MCAS system as originally designed was rated as merely hazardous. Which doesn't require redundancy. The decision to feed off of only one vane was intentional to avoid having to have pilots undergo level D simulator training as part of their type certification. Multi-sensor systems generally require Level D training.
See the 737 MAX Expose by 60 minutes, where the whistleblower testimony is first presented.
Somewhere inside Boeing there are decision-makers that lack ethics (or even long-term financial thinking). They need to be fired.
There's a Bloomberg article I've been trying to track down from back in the 2000's where a Boeing exec is quoted as saying that Boeing is going to undergo a financial transformation, part of which involved decreased "over thinking the box" and stripping all that wasteful effort (what engineers call the hard parts) from the process in order to bring Boeing into the mainstream as an optimized shareholder value generating machine.
This happened apparently shortly after the McDonnell Douglas merger as I understand it.
Specifically, because airlines wanted to save money on pilot training.
The more complex you make the plumbing, as it were, the easier it is to clog it all up.
Plus, there have been instances where a majority Ocala sensors have frozen in the same position, and outvoted the last remaining functional one. At the end of the day, software can only be considered an automation aid.
The human pilot must be able to make a reasonably safe go of flying the plane alone. Even Airbus planes have this quality in direct law. They are still stable, there are just fewer safeguards to keep you from doing something daft.
And even with airbus' approach, there's a case to be made that overreliance on the computer to safely operate the plane degrades basic piloting skills through atrophy or complacency.
Roughly speaking, stick force is the amount of force the pilot has to to apply to the stick to achieve a given movement of the control surfaces.
As the airplane gets closer to a stall, you want to make it harder for the pilot to pull it fully into the stall, by increasing the required stick force.
If the stick force decreased as the airplane approached a stall, then the pilot would have to actively push the stick back into more stable flight.
Autopilot? Not necessary, pilots can fly themselves. Still, it is added for convenience (and its consequences, less mental burden, more mental capacity to do other stuff).
What hasn't been mentioned: the fact that MCAS repeatedly engages, over many minutes, whilst both pilots were repeatedly fighting the system, and the elevation-over-ground track was highly anomalous.
A major problem with automated systems is that few of them have any awareness that they are ever doing the wrong thing, operationg far outside the bounds of their own design, and will, in this case, fly a plane into the ground. If multiple pilot actions and flight track indicate disagreement, automation should probably disengage.
There are other problems with pilots, of course. AF447 was a failure of pilots, but one exacerbated by automated and fly-by-wire controls not revealing conflicting inputs by Bonin and Dubois. Germanwings 9525, and by appearances MA370 are among cases where a single pilot acting alone sabotaged or crashed a commercial passenger flight. See: https://www.huffpost.com/entry/pilots-crashing-on-purpose_n_... and https://en.wikipedia.org/wiki/Suicide_by_pilot
But outside notable hijacking incidents of 18 years ago, concerted efforts by multiple pilots are unheard of.
There are two AoA on the 737 Max, MCAS only used a single one (but switched every time you started the aircraft). Reporting in Seattle Times suggests that it was originally designed to use one AoA combined with a G-Sensor. The two in combination would trigger MCAS to make a small adjustment.
The problem is that the aircraft's actual design was failing to be "common type" compatible (i.e. no re-training). So they kept on expanding MCAS's usage to compensate. For low speed the G-Sensor didn't work, so was removed, and flight authority was increased.
More from the article:
> This original version of MCAS, according to two people familiar with the details, was activated only if two distinct sensors indicated such an extreme maneuver: a high angle of attack and a high G-force. [...] About a third of the way through flight testing in 2016, as first reported by The Seattle Times in March, Boeing made substantial changes to MCAS.
> The flight-test pilots had found another problem: The same lack of smooth stick forces was also occurring in certain low-speed flight conditions. To cover that issue too, engineers decided to expand the scope and power of MCAS.
> Because at low speed a control surface must be deflected more to have the same effect, engineers increased the power of the system at low speed from 0.6 degrees of stabilizer nose-down deflection to 2.5 degrees each time it was activated.
> On the stabilizer, maximum nose down is about 4.7 degrees away from level flight. So with the new increased authority to move the stabilizer, just a couple of iterations of the system could push it to that maximum.
> Because there are no excessive G-forces at low speed, the engineers removed the G-force factor as a trigger. But that meant MCAS was now activated by a single angle-of-attack sensor.
> One of the people familiar with MCAS’s evolution said the system designers didn’t see any need to add an additional sensor or redundancy because the hazard assessment had determined that an MCAS failure in normal flight would only qualify in the “major” category for which the single sensor is the norm.
“Boeing Co’s 737 MAX planes are unlikely to be ready to carry passengers again until 2020 because of the time it will take to fix flight-control software and”
Will this include giving back control of the stabilizer trim to the pilot.