Blame is a loaded word. Boeing assumed that pilots could be relied upon to recover from a MCAS induced runaway trim. Practice has shown that they can't. Whether Boeing or the pilots is at fault is, from a safety perspective, irrelevant. The bottom line is that an assumption was made, it was wrong, and a couple planes crashed. Using average pilots instead of highly experienced test pilots is a sensible step to prevent a repeat.
> Blame is a loaded word.
Boeing’s response to the accidents was to blame the pilots, there is precedent for this word in this situation.
> Boeing assumed that pilots could be relied upon
No, Boeing intentionally hid information from pilots. This is well known.
> Whether Boeing or the pilots is at fault is, from a safety perspective, irrelevant
No. If you want to fix the problem, you must know what the problem is. The cause may be irrelevant to the people who are dead, but it is absolutely relevant to solving the problem in the future especially from a safety perspective.
There are many, many things that went wrong:
1. The stuck AOA instrumentation on the plane.
2. MCAS not using redundant AOA information and being fooled by the stuck instrumentation.
3. Lack of clear indication of what MCAS was doing contributing to flight crew confusion.
4. Improper execution of the runaway trim procedure/checklist by flight crew.
5. Training shortcomings about MCAS in particular.
6. Operator / national regulator training shortcomings in dealing with runaway trim procedure.
If you remove any of these links in the chain, the crash is less likely to happen. Good risk management tries to improve all of them.
#5 that you mention is important. #4 / #6 are important, too -- jurisdictions that emphasized this training produced flight crews that did the right things and survived. #2 and #3 are most important, IMO, and even #1 deserves some thought (can the instrumentation be made better/more reliable?)
I say #2/#3 are most important because using training alone to fix a system that does tricky things at a difficult time is a band-aid, and is going to let some of the accident scenarios through.
Specifically it's the argument in the article that large disasters often have multiple causes. "Perrow says, Murphy's Law is wrong—what can go wrong usually goes right. But then one day a few of the bad little choices come together, and circumstances take an airplane down. Who, then, is really to blame?"
In large disasters, sometimes several not very likely simultaneous failures happen at the same time.
"The ValuJet accident is different. I would argue that it represents the third and most elusive kind of disaster, a "system accident," which may lie beyond the reach of conventional solution, and which a small group of thinkers, inspired by the Yale sociologist Charles Perrow, has been exploring elsewhere—for example, in power generation, chemical manufacturing, nuclear-weapons control, and space flight. Perrow has coined the more loaded term "normal accident" for such disasters, because he believes that they are normal for our time. His point is that these accidents are science's illegitimate children, bastards born of the confusion that lies within the complex organizations with which we manage our dangerous technologies. Perrow is not an expert on commercial flying, but his thinking applies to it nonetheless. In this case the organization includes not only ValuJet, the archetype of new-style airlines, but also the contractors that serve it and the government entities that, despite economic deregulation, are expected to oversee it."
But that's exactly what's disingenuous about the GP's claim. Many disasters do indeed involve a sequence of mistakes of different sorts but that's not really the case here. The situation with 737 max was one terribly system and the pilot's complete inability to stop this - inability that could have been anticipated and which was the product of the original bad design.
"His point is that these accidents are science's illegitimate children, bastards born of the confusion that lies within the complex organizations with which we manage our dangerous technologies."
This kind of disaster certainly can happen but the situation with the 737 Max was Boeing pushing an old design far beyond it's limits because of the threat of losing market share and regulators allowing this.
MCAS is a badly designed system, but many other stabiliser control failures could cause the aircraft to rapidly lose altitude. The solution is the same in all cases - flip the cutoff switches to disconnect automatic stab control and trim the stabiliser manually using the wheel on the center console.
The flight crews in both MCAS-related disasters showed serious failures in airmanship and a lack of understanding of the fundamentals of flight. They were taken by surprise by MCAS, but they should have been more than capable of swiftly handling that situation; their inability to do so is symptomatic of broader failings in the training and culture of pilots in many emerging markets.
ET302 tried this-- maybe slightly late, but MCAS is weird/sneaky. Still, it's hard to fault their response at this point.
They were unable to budge the trim wheel because of overspeed. They were barely climbing at Vmo. This left them in a difficult position.
Ideal response would be to reduce power (prevent overspeed), keep climbing at Vmo. During this, try to turn trim wheel. If necessary, once they had sufficient altitude, they could aerodynamically unload and trim. Instead they, for some reason, decided to turn the stabilator trim system back on (whoops 1), and then used it an insufficient amount to get trim to a reasonable place (whoops 2), and then left it on for MCAS to trigger again (whoops 3).
You accuse me of being disingenuous and immediately follow it with a false claim.
This is untrue. Stabilator trim can be turned off. Indeed, before Lion Air 610 the previous flight had experienced the problem and had dealt with it correctly.
Also, re-trimming using the trim switch disables MCAS for some number of seconds.
In the case of ET302, they turned the system off, but allowed the aircraft to overspeed and were, as a result, unable to retrim manually. Still, they had a positive rate of climb. It is only when they turned it back on in violation of training/checklist and inexplicably did not use it to retrim nose up that they were doomed.
> This kind of disaster certainly can happen but the situation with the 737 Max was Boeing pushing an old design far beyond it's limits because of the threat of losing market share and regulators allowing this.
I strongly disagree. I think it's a badly engineered system but things like this are part of the normal design refinement that happens when planes are stretched and iterated upon. The 737 has bad handling on pitch during departure; bigger, more powerful 737's have it worse, and it makes sense to fix this.
In this day and age, I'm suspicious and annoyed even small effort to improperly spread blame when that spreading serves powerful interests.
Either approach is wrong: just pointing to the pilot and saying "hah-hah error" without considering what led to the error is what aviation did for decades. "Crash less!" we said to pilots, and were surprised when things didn't improve much. But you can't ignore crew performance, either.
The crews that crashed did not do great. But if a system is regularly putting crews to the test in a way that requires high levels of personal performance to survive, that's a bigger problem.
And MCAS is more easily improved than the rest: we can more easily reduce the frequency and severity of that "testing" than we can improve all flight crews. But we shouldn't ignore the problems in crew decision-making, and the related training choices (e.g. not requiring crews to demonstrate handling of runaway trim in some jurisdictions).
Not necessarily fair since one didn't even know what they were up against, and the other was trusting a Boeing checklist that wasn't guaranteed to work, and only stood a realistic chance at working if the failure did not occur at a critical stage of the flight, where a currently undocumented maneuver could be performed. (The 'roller coaster' by which the pilot allows the plane to dive to unload the stabilizer so it can be trimmed)
>And MCAS is more easily improved than the rest: we can more easily reduce the frequency and severity of that "testing" than we can improve all flight crews. But we shouldn't ignore the problems in crew decision-making, and the related training choices (e.g. not requiring crews to demonstrate handling of runaway trim in some jurisdictions).
This is just poppycock, if you ask me.
MCAS was a desperate attempt to satisfy a prescriptive behavior requirement (FAR 25.173, demonstration of longitudinal stability) during which the plane should not experience slackening control forces all the way to the stall in a wind up turn, which non-compliance with would disqualify the airframe from certification under the grandfathered 737 type certificate and as a Civil Transport Airplane.
There would have been no need to consider the skill of the pilots if due diligence and proper redundancy concomitant to the actual hazards of the design had been done, which weren't due to management's pressure to get this damn plane flying on time at any cost.
Well, it did get them back to positive rate climb, didn't it? :P Just, dubious subsequent actions gave that back.
> This is just poppycock, if not straight up, grade A bullshit; no personal disrespect intended to you, fine sir.
Well, it is absolutely personal disrespect, and adding qualifiers amplifies rather than undoes it. A decent person should do better.
> There would have been no need to consider the skill of the pilots if due diligence and proper redundancy concomitant to the actual hazards of the design had been done, which weren't due to management's pressure to get this damn plane flying on time at any cost.
I already said MCAS is awful, kthx? At the same time, it's exposed that many air crews in developing countries don't know how to deal with trim runaway. And trim runaway happens: switches get stuck. So the other links in the failure chain should be dealt with, so that they don't conspire to bring down aircraft under other conditions.
In the Lion Air penultimate flight, the situation was handled thanks to a third pilot in the cockpit with no other responsibilities contributing extra attention and reasoning. This is not available on every flight, and should not be considered a proof of safe operability. The mental model of a pilot unconcerned with the immediacy of flying the plane is more accommodating to unconventional occurrences due to being removed from the majority of learned perspective.
>Also, re-trimming using the trim switch disables MCAS for some number of seconds.
It also resets the activation cycle, and increments the amount by which the trim is activated. Both these details were unknown to all pilots at the time.
>In the case of ET302, they turned the system off, but allowed the aircraft to overspeed
And did nothing wrong. Given the stage of flight the problem occurred, they left the throttle in exactly the position they should have. Addis Ababa is also a "hot & high" airport, meaning the engines were already in the uppermost range of their operating envelope anyway. Furthermore, when the AoA sensor went bonkers, that leads to an airspeed unreliable checklist due to bad AoA figures throwing off the airspeed indicators which are dependent on AoA being correct for calibration. The airspeed unreliable checklist requires advancing throttles to the appropriate setting for the current stage of the flight regime, which was climb out.
>...and were, as a result, unable to retrim manually. Still, they had a positive rate of climb. It is only when they turned it back on in violation of training/checklist and inexplicably did not use it to retrim nose up that they were doomed.
They turned it back on in the hopes that the electronic trim could overpower the aerodynamic load where they could not, they did not realize that closing the circuit would give at most five seconds before MCAS dove again. Also, by this point, they were out of checklist.
It is almost as if I've heard these arguments before. (I have. We discussed it long ago when most things were conjecture.)
Sibling poster is correct. We've worked through this, and the pilots really couldn't have done any better considering the amount of information there was out at the time.
Also, later on, Boeing also notified airlines that only the MAX 10 I believe should be used in hot and high airports. The MAX 8 could take off due to Addis Ababa's extra long runway, but it just goes to ram home how uncomfortable a margin the Engineering firm was with safety margins afterwards.
It's basic airmanship to know that if you are not in climb attitude, that high power is going to overspeed in anything slick. Combine that with "overspeed" alerts and you should maybe realize it's time to pull the power back.
> They turned it back on in the hopes that the electronic trim could overpower the aerodynamic load where they could not, they did not realize that closing the circuit would give at most five seconds before MCAS dove again. Also, by this point, they were out of checklist.
They turned it back on, clicked the trim switch briefly, and then left it alone, despite knowing they were way out of trim. Can you explain why this makes sense? Why turn it on and not get back to nominal trim?
Also, they were still climbing at Vmmo (or overspeed). It would have always been an option to climb a bit...
OK, we put bigger engines on. The 737 is kinda already sporty and easy to get the nose too high on departure. Now it's a little worse with bigger engines.
This is part and parcel for what happens when you stretch planes, adapt new engines, etc; there are minor, associated design changes you need to make to improve handling, etc. Software is a reasonable way to do it.
The criticality of this was badly misunderstood and mis-characterized.
You disagree with the statement that roughly the urge to avoid recertifying pilots caused Boeing to not mention MCAS even in manuals, leading directly to these deaths? Because from my pov, Boeing introduced a new failure mode (MCAS failure leading to intermittent forcing of the nose down) without any warning to the pilots.
Now maybe the pilots' standard training should have compensated, and there are obviously maintenance or training deficiencies, but Boeing also knew good and well they were selling planes to pilots with these existing training deficiencies. And should have designed a plane to be operated by real world pilots.
Very curious for your thoughts; thank you!
I think there were failures across the board. The fundamental analysis of MCAS was flawed: it was much less reliable than was thought, and failures of it provided a much more difficult situation for pilots than anticipated.
I suspect the analysis boiled down to "MCAS provides a little defense against getting the nose excessively high on departure; it shouldn't be necessary so no big deal if it fails. And the worst failure we can think of is like stabilator trim runaway, which everyone knows how to deal with."
This was compounded by the fact that many developing countries do not require pilots to demonstrate they can deal with runaway trim as part of a checkride and recurring training.
Not disclosing information about the system made the problem even worse-- and this is harder to attribute purely to being part of bad initial analysis.
I do not understand some of the aircrew actions, even in retrospect. If I am fighting pulling the yoke back-- I am going to have my finger on the trim switch to try and get rid of those control forces, even before I am thinking about the problem. This would have inhibited MCAS and retrimmed the plane. I think that Boeing assumed that this would happen. I am lazy and would rather not have to tug the yoke so I use trim a lot. :P
Actually, I have one thing to contribute, that I often think of whenever I read about an air disaster. Experts frequently say "why didn't the operators do logical thing X?", and I think there is a practically universal answer. Whenever something unusual goes wrong, it is likely to upset your existing logical model. You know either your logic is faulty or the inputs to your model are wrong, but which is it and how?
It's easy to say "just do A, B, and C as trained", but once jolted out of your mental context, you probably can't regain it in a few seconds or minutes before crashing. The impossible task is not to know the necessary actions according to the book, but regaining the trust that they are the right ones in the face of something unexpectedly violating your assumptions.
Developing a new logical model for reality is very difficult even for highly trained people, particularly under time constraints and life-or-death pressure. Or, even the meta-problem of knowing whether it is time to develop a new model of reality.
I have already stated that MCAS was a horrible screwup and failure in analysis and regulation. Any system that routinely puts people to the test requiring high performance to avoid death is bad.
That doesn't mean one should ignore the other weaknesses. Given that both the countries with crashes didn't require pilots to demonstrate coping with stab trim runaway as part of type training... and pilot understanding of the stab trim system under stress seems lacking... maybe that should be addressed too.
It's building in a new control system and not telling the pilots about it that seems crazy to me.
Thanks so much for your thoughts!
Thank you for the discussion and questions!
I know that aerodynamic instability requiring continuous correction by fly-by-wire systems has become common on fighter jets because it's necessary to achieve some of the maneuvering characteristics necessary to make them competitive. These are, of course very different priorities from commercial passenger aircraft.
Has a jetliner been certified before the 737 MAX that is aerodynamically unstable in any of the tests that it's required to pass without control inputs made by the computer without direct input from the pilot, or in contravention of the pilot's input? I know Airbus is fond of its "do what I mean" system, but that in some circumstances, Airbus flight control systems revert to essentially emulating an analog airplane. Would their flight characteristics pass certification in that mode?
I don't know if Airbus would meet certification requirements in direct control law. I suspect not. Definitely not in mechanical control law.
Just like more conventional jetliners wouldn't meet certification guidelines without all of their control rigging, counterweights, and trim systems. It's just now tempting to make adjustments to those systems with software instead of fiddling with everything else.
Many airplanes require functional (electronic) yaw damping to be safe in various flight conditions, because of dutch roll. There are also e.g. electronic control feel systems in some aircraft that must be operational to exceed certain speeds and/or altitudes and not be excessively vulnerable to PIO, etc.
Is it harder than I'm imagining in big jets, or in specific aircraft due to peculiarities of their handling characteristics?
Aircraft with swept, low wings exhibit dutch roll worse than other types (e.g. airliners). It's also worse at high speeds and high altitudes.
Yaw dampers vary based on aircraft and flight regime to "attenuating somewhat that annoying-bouncing-back-and-forth-feeling in the back of an airliner during cruise (imagine how bad it would be without active damping!)" to "preventing an oscillation from building in 2-3 cycles to a point where it will cause structural failure".
Thanks for all your input in this discussion. I find both flight in general and the case of the 737 MAX fascinating. Previously the implementation of MCAS sounded absolutely insane to me, but I can mostly understand how they got there after reading your comments.
The people who built MCAS thought they were taming a 737 handling weakness that was worsened by the new engines. Again-- a normal kind of thing to have to work on when stretching jets.
Boeing has mostly avoided that. MCAS is kind of an unusual form of control augmentation as far as Boeing is concerned.
Automation definitely has directly killed people, though, too.
So is trimming the stabilizer.
Boeing was proven wrong by the two crashes but it's not a priori obvious that pilots wouldn't know to manually trim the stabilizer and then pull the cutout after MCAS kept kicking in.
It was climbing at Vmo; they could have pulled back the power to not let the plane overspeed, rather than exceeding Vmo.
Hopefully at Vmo they could move the trim wheel, but if not, they could wait until they had a few thousand feet more height, aerodynamically unloaded and trimmed.
> So they reenabled the electric trim, at which point MCAS jumped in again and everybody died.
They re-enabled the electric trim, and touched the electric trim switch a couple of times but left the plane far out of trim. I can't figure this out-- there's even an indicator that makes it obvious you're out of trim. Why re-enable electric trim and not really use it?
Then after a timeout after they pushed the trim switch, MCAS jumped in again and everyone died.
It's easy now to point the finger and say "Airmanship" when you know the innards of the damn thing. They had one airworthyness directive, and maybe a grand total of five paragraphs in the entire manual, plus a memory item checklist that didn't accurately reflect the detail of an MCAS failure. An MCAS failure is not continuous uncommanded trim. It's discrete pulses,
I appreciate the detail and effort, and you certainly speak as an experienced member of the industry; but pushing this off to the pilot's when there is so much that had to happen before the plane left the factory for them to be in that position is a bit much.
There is whistleblower testimony that the decision to not implement a multi-sensor MCAS was intentional to avoid the financial consequences of having to have pilots put in simulator time.
You can't sit here and say the pilots weren't good enough when the manufacturer went out of their way to make sure they could skulk a plane by regulators with the least amount of training humanly possible, safety be damned. To do so is not just mad, it's unconscionable. It's the very thing of insanity. A Catch-22 if I've ever heard one.
This is not the behavior I expect from someone whom I'll voluntarily talk to.
So again, what was improper? Especially ET302 where they absolutely did run the checklist rather immediately and by that time it was already in a mistrim situation.
A contributing factor to ET302 is that mechanical trim wheel rotation can be very difficult in some flight regimes.
A further contributing factor is ET302 left an unreasonable amount of power in and got to an overspeed situation, which makes rotating the trim wheel yet more difficult. Being trimmed a bit nose down should not kill you. It should be the kind of thing you experience in training.
> It's much more aggressive than the kind of runaway trim pilots are trained for.
Bullshit. A stuck stabilizer trim switch will run away much faster than MCAS, and this is the primary thing they're trained for. The problem with MCAS is that it's an insidious, intermittent runaway-- an unlikely failure mode for a switch.
But sure, add to my list that "the trim wheel is often very hard to rotate manually", and "the flight crew left the thrust levers nearly full-forward creating an overspeed condition".
>ET302 ultimately turned the electric trim back on which was their death knell, in violation of procedures.
No it wasn't, they'd run out of checklist, and were deep in "oh shit" territory.
>A contributing factor to ET302 is that mechanical trim wheel rotation can be very difficult in some flight regimes.
>A further contributing factor is ET302 left an unreasonable amount of power in and got to an overspeed situation, which makes rotating the trim wheel yet more difficult. Being trimmed a bit nose down should not kill you. It should be the kind of thing you experience in training.
It was absolutely not unreasonable given the environment and stage of the flight (initial climbout) and the fact that pulling power would have led to nose drop (the opposite of what the current desired tendency of the plane was). Also, the plane was suffering by definition airspeed unreliable which dictates advancing throttles to the appropriate throttle position for the desired state of flight and leaving them there.
And what training? Oh! You mean that training they should have had because MCAS was a two sensor system, and therefore required level D simulator time that never happened because the manufacturer decided to cut corners to make more sales of their "best selling plane of all time"? That training?
Or the one hour glorified PowerPoint training that never mentioned a single detail of a flight control computer algorithm, or the disabling of a trim override switch built into the yoke, or the changing of the functionality of the STAB TRIM CUTOUT switches on the console to degrade the granularity of control with regards to which systems were electrically isolated from the trim motors because a hidden AoA dependent control routine had to be allowed to run uninterrupted because to do so would jeopardize their competitive advantage/ability to generate shareholder value by disqualifying their airframe outright or severely delaying its delivery because regulators started asking really inconvenient questions? That training?
The training unacceptable because Boeing would owe USD 1,000,000 per airframe to one of their largest customers if they implemented their safety system correctly in accordance to engineering best practices? That training?
The training that would have to happen anyway after their hacked together design had already killed 400 people, increasing scrutiny, causing them to finally do analysis they should have done in the first place, but didn't, because they were too busy trying to financially engineer the company after absorbing the management that drove McDonnell Douglas into the ground?
I get it. You sound like a knowledgeable dude, but you also sound like someone who has absolutely not sat front and center, day in, and day out, as companies try to go through the wildest mental gymnastics to avoid being held responsible for complying with regulations that have a damn good reason for being there.
You know what? Those pilots might have made mistakes. But the entire job of an Engineering firm is to ensure that the opportunity for those mistakes to occur are as rare and infrequent as practicable, with a dash of practicality thrown in; at least enough to keep the bean counters and management from sweating bullets. That means clearly communicating details of safety critical systems, being willing to admit a system is safety critical, and putting your bloody books behind in priority to getting the job done right as much as is reasonably necessary.
I'm a hobbyist. I do Quality Assurance as my day job. I could see plain as day the issues and risks they would be taking. I sat down and calculated the bloody forces that would have to be applied to the screw jack to actuate against the airstream at those velocities, and the torque numbers I got without even factoring in the extra pressure from the elevators was well into the output range of an automotive engine. I could also tell, just from the press releases over the development years the type of culture they had slipped into. That complacency by management kills, and did kill people.
Those pilots were the very last thing between those people and that crater, and did everything to the letter to the moment they had to improvise, and even then, they went into it insufficiently informed on the particulars of their aircraft.
I've bounced the details of this entire event passed maintenance people, passed crash investigators, passed anyone who'll care to listen. Boeing did things that are pretty much universally amongst them considered "things no one in their right mind should do."
If you want to buy in to "oh, they just sucked as pilots", fine. I'll give you Lion Air, but Ethiopian Airlines has a stellar safety record, and can fly in American airspace. So they obviously can't be that bad.
Oh, almost forgot!
>Bullshit. A stuck stabilizer trim switch will run away much faster than MCAS, and this is the primary thing they're trained for. The problem with MCAS is that it's an insidious, intermittent runaway-- an unlikely failure mode for a switch.
I call Bullshit right back, sir, seeing as, just as you mentioned, MCAS manifests differently from the classical stab trim runaway. Something which could be cause for pause for someone expecting a continuous runaway.
Just because they weren't you now does not mean primary fault can or should be attributed to them.
They walked onto that plane, cocksure, and as full of enthusiasm as you would have on any day. Up until the point Boeing's reckless design decisions came to light, no one had a clue just how different the MAX was from the 737's every airline pilot is familiar with.
You want to trade places with them? Ask God. He may oblige. Then mayhaps 150 or so may still be alive. That doesn't change the fact Boeing created an unsafe plane, hid the fact/didn't analyze hard enough to determine that fact at the pressuring of management, and to add insult to injury, tried to firmly pin the blame on the pilots, your comrades. It isn't even the first time they've done it if you recall the nastiness of the rudder reversals in the 90's, and some of their difficulties getting the 727 certified in Europe back in the 60's.
I'm frankly shocked you're so willing to jump to Boeing's defense in light of the mountain of evidence that has hitherto come to light, considering it's you they want to pin the blame on to avoid taking responsibility for what they decided to do.
Good day, sir. I only hope people take the time to do their own research.
After you've spouted invective and abuse at me? I see you've edited it out since.
> > ET302 ultimately turned the electric trim back on which was their death knell, in violation of procedures.
> No it wasn't
Wrong. Boeing OMB, dated November 6, 2018:
"In the event an uncommanded nose down stabilizer trim is experienced... do the Runway Stabilizer NNC ensuring that the STAB TRIM CUTOUT switches are set to CUTOUT and stay in the CUTOUT position for the remainder of the flight."
Followed by an airworthiness directive requiring the immediate revision of flight manuals and familiarity of pilots with this OMB.
ET302 was 10 March 2019.
It goes on to state that you should neutralize trim forces before going to STAB TRIM CUTOUT.
"Electric stabilizer trim can be used to neutralize control column pitch forces before moving the STAB TRIM CUTOUT switches to CUTOUT."
I told you before that MCAS was faulty. It's the most important link in the failure chain, but it sure is unwise to advocate ignoring the rest of the links.
As I said to you elsewhere: "The crews that crashed did not do great. But if a system is regularly putting crews to the test in a way that requires high levels of personal performance to survive, that's a bigger problem." This summarizes my thoughts on this topic. MCAS should get fixed; Boeing should be found liable for the accidents; Pilots should be better informed about the systems on their aircraft... AND we've proven that pilots that don't get recurrent training and evaluation on stab trim issues do badly with them.
> I sat down and calculated the bloody forces that would have to be applied to the screw jack to actuate against the airstream at those velocities, and the torque numbers I got without even factoring in the extra pressure from the elevators was well into the output range of an automotive engine.
OK, and humans can exert torques on trim wheels with a handle "well into the output range" of an automotive engine, too, so you've established nothing.
You've still declined to answer my simple question in the other posts, too-- which I suspect is because you don't have an answer.
Your cite says Boeing said:
>The actions of the pilots played a role in the chain of events that caused the crashes
Which isn't blaming them and is factually correct in both crashes. The Lion Air pilots didn't disable electric trim and the Ethiopian air ones turned it back on. Those actions played a role in the crashes. Whether that makes the pilots responsible and at fault for the crash is a separate question.
>If you want to fix the problem, you must know what the problem is.
And, again, the problem (among other problems) was that the designer of the aircraft made assumptions about pilots that were incorrect.
Planes are going to get dumber, but there will be a lot more connected planes for remote troubleshooting/control
Literally no one disputes the importance of experience. But you keep throwing it out as relevant to LNI610 and ET302 without any explanation or causal connection. In the case of Colgan Air 3407, the two pilots had 5500+ hours of experience between them, each well over the current ATP experience of 1500 hours total time requirement, and yet the captain inexplicably, likely due to startle factor, pulled back on the yoke contrary to his training, and made the stall worse and the airplane unrecoverable. Who cares if 5000+ hour pilots know to drop flaps in an emergency if they get startled in a stall and make the stall worse by pulling back on the yoke!
Sustainable for what exactly? Being good enough to handle complex emergency procedures?
There will always be a more experience subset of pilots plus new ones coming in. They have the benefit of having two pilots (sometimes more) so they can even off the average experience in the cockpit.
Although newbie co-pilots have contributed to crashes in the past as well.
At the end of the day, this is the foundation of the problem.
I think MCAS represents a change for Boeing where it will start doing things without asking.
When an airliner goes down, the airline, the pilots union and the airline manufacturer all point fingers.
That is what happens. When Boeing says we should use "average pilots" there is subtly in the statement that assigns blame.
Boeing should have said, "we should use pilots who are trained through normal training procedures, rather than over trained test pilots."
That statement would not have assigned blame and OP is probably correct that the statement choice was intentionally designed to shift blame back to the pilots.
This is a corporation putting a product on the market with a critical safety system that lacked redundancy and poor training given to pilots. Yes, there is blame to be placed here. Individuals who worked on the system aren’t the issue here, a greedy corporation is and I feel no sympathy for the company itself.
> when 400 people die for a company to save money
Let me take a step back and ask: Why?
Is it because we're vindictive, and demand blood? Or is it because this actually does something to help keep people from dying in the future?
If the latter is more important than the former -- which I hope is the case -- how can we trust that we're pursuing a course that improves the future of society while also using rhetoric to the effect of "when 400 people die for a company to save money"?
Consider, for instance: Part of reason for the company "saving money" is that it results in lower costs for planes, and ultimately lower airfare for customers who pay airlines' capital expenses, potentially resulting in fewer miles driven and fewer accident. Is reducing this statistical danger more or less than the danger of the planes? Quite possibly, it's not -- but using this rhetoric certainly won't help us find out.
More broadly the "omg greed" narrative, which -- to me, at least -- just doesn't make too much sense. If the corner-cutting that led to 737 Max problems is to be understood as a "greed" move, it's a pretty incompetent one, because Boeing is almost certainly out billions over the mess. People who seek to maximize profits for their own self-interest also seek to mitigate risk, for the same reason. I would suggest that a "hubris" narrative, or something similar, is probably more appropriate here.
If this is so, the remedies are entirely different, and the assertion that we MUST jail people, because it fits our "greed" narrative and whatever cognitive bias we drag into the picture, ensures that we will not remedy the problem effectively. This means people may die.
You don't send people to jail because of "greed", broadly speaking you might divide it into two categories: A) this specific person is a threat to society; B) this person did something morally unconscionable, irresponsible, negligent etc. The reasoning for following through with B is not merely vindictive, it's societal value is in sending a message that this behaviour is not OK! that is a preventative measure - "you must be morally responsible".
This is entirely applicable to this scenario: greed is NOT the problem, trying to make cheaper planes is NOT the problem, trying to beat the competition is NOT the problem - The problem is attaining those goals by gambling with peoples lives by cutting corners that significantly compromise safety, that is gross negligence.
... So yes! send the people responsible to jail, please show the next in line that this behaviour is not tolerated.
Incompetence and greed aren’t mutually exclusive.
If you take the word of all of the good engineers who were pushed out or quit in frustration over the financialization of the company after the McDonnall Douglas merger, then “omg greed” really does explain everything.
Note that this could have been (and was) predicted by anyone with half a brain:
“On some level, though, he saw it all coming; he even demonstrated how the costs of a grounded plane would dwarf the short-term savings achieved from the latest outsourcing binge in one of his reports that no one read back in 2002.*“
They lost big thus time, but they were winning big, with more orders than they could make.
When Boeing mgt declared that they 'no longer needed [to spend money on] senior engineers because these are mature products', and successfully pushed for the same type rating for a plane with deadly different handling characteristics (to save money on pilot training), both were explicit greed moves.
And yes, irresponsible managers who ignored the reality of physics and put their profits over the safety of passengers should go to jail for their criminally bad decisions.
From a practical perspective, however, Boeing making universal assumptions about pilot capabilities in life-or-death situations, utilizing new equipment that they were not trained on, is anything but irrelevant.
They needed to classify it as a ordinary trim problem because otherwise they would have needed to have testing for it, which would have meant acknowledging MCAS existed.
The evidence that it wasn’t just a normal trim issue is the second crash, which occurred when pilots already knew about the design fault. When it turned out that it wasn’t physically possible for a pilot to take the corrective actions.
Boeing is still trying to blame the pilots for their own decision to fraudulently sell an unsafe aircraft.
Your attempts to whitewash Boeing's negligence seems rather dishonest.
It boggles me how people can't put themselves in the place of someone in the latter situation. Like, even if you haven't crashed a plane, haven't you experienced something similar on a small scale? Haven't you observed other people with such problems?
It wouldn't have made a difference without the training for this specific MCAS issue. Highly experienced test pilots would have been equally unable to recover had they been flying the planes that crashed.
Normal runaway trim is easily handled, but the MCAS-induced runaway trip had the cockpit lighting up with all sorts of errors and warning lights and beeps. The only way to deal with this is to pick up checklists and start going through them... which you simply couldn't do because there was no time.
So using pilots selected at random from various airlines is a great idea and should be implemented, but it would not have prevented this situation. Only training might have.
The incidents of MCAS errors with US pilots who reported it to the FAA did result in recovery. But later cases did result in tragic accidents.
But when you make that statement, I don't think you're really imagining what it would be like to be on a plane like that. The above infographic shows what it is like. The plane was operating in an erratic manner.
I don't design planes, but does Boeing at least have a system that detects whether or not pilots are resisting against the controls?
This was specifically removed from the MAX to accommodate MCAS.
Or a good way to kill average pilots.
How about using highly skilled pilots, but failing a plane when anything unusual happens?
It's quite literally the most relevant talking point in this entire conversation.
In any system failure there is a chain of events that leads up to the ultimate failure, concentrating solely on Boeing's mistakes in these crashes overlooks all the other points at which they could have been averted:
1. In the Lion Air crash, there were some significant maintenance issues that lead up to the replacement for a failing AoA sensor with a used part older than the aircraft failing as well.
2. There were some significant failings in Crew Resource Management in the accident flights.
3. There appear to be issues in the pilots abilities to deal with unexpected situations. This is why simulator training exists, so that pilots can encounter unexpected issues and deal with them correctly.
4. The failure that lead to MCAS being activated also caused a whole ton of warnings to be activated, which may have been a situation Boeing was not expecting, and therefore did not put into the minimum baseline training they create.
5. The flight computer system and MCAS was implemented problematically, relying on one input because the expected control authority was very low, and then when that was not changed the system was not re-architected.
6. Boeing's designs reflect a US-centric expectation of pilots. In the US we expect pilots flying airliners to have spent at least 1500 hours flying before they can even sit in the co-pilot seat. In other parts of the world I have heard numbers as low as 240 hours, so pilot testing will need to reflect this going forward.
So we are expected to believe that Boeing never connected the dots between:
1. We design planes for US pilots
2. We sell planes abroad
3. Incidents abroad can ground an entire aircraft series
This makes them seem more incompetent, not less. It's not like they have no say in what's considered standardized training for the series.
From my understanding of the issue, Boeing just needs to stop the cost saving measures that led to needing software to stabilize an otherwise unstable plane.
The choice to make is how difficult you will allow features to be, and how many difficult features you will add.
The answer has to be at least moderately high to get the plane off the ground. If it's too high then you have a bunch of deaths.
It's okay to say Boeing went too far on the scale, but to say they never should have been on the scale is misguided. Intelligence of the operator has to cover for certain aspects of the design.
4. Which is not at all what happens with runaway trim. Also runaway trim that pilots are trained on is a consistent and relatively slow trim. The MCAS upset form is intermittant, and can be but isn't always, aggressive and comes with a ton of other data in the form of various instrumentation disagree warnings and possibly stick shaker going off which NEVER happens in a runaway trim situation.
6. Boeing's design and US-centric expectation of pilots didn't prevent US Air 427 from crashing. Literally everyone in the world expects pilots won't pull back on the yoke at stall. Yet these U.S. pilots did that. Colgan Air 3407, same thing, captain pulled back on the yoke during a stall making the stall worse, recovery impossible. Both accidents, each pilot had more than 1500 hours experience.
In US Air 427, the pilots aren't centrally blamed because the failure mode was a) caused by an airplane defect, a servo failure, b) the airplane's subsequent behavior was so abrupt and aggressive that the startle factor was pretty much not that surprising.
So why is it that the standard should be different for ET302 in particular? But also LNI043 and LNI610? Why would the blame not centrally be on Boeing even if the pilots made some mistakes, just like U.S. pilots have also made some mistakes yet weren't blamed as the proximate cause? And what mistakes did ET302 pilots make other than trusting electric trim being reenabled wouldn't immediately try to murder them?
Like I told you before: overspeeding the plane, preventing them from restoring the trim condition with the trim wheel.
I get that if you're not climbing as much as you'd like, it's tempting to have a ton of power in. But the maximum airspeed of the plane is chosen because there are undesirable handling characteristics -- like not being able to manually retrim, or even worse things like aileron reversal-- above it. At some point you need to pull back power.
If you're out of trim because of electric trim misbehaving, turning electric trim back on may not be the smartest thing, too.
And then I can't even understand what happens next: if you touch the trim switch, MCAS can't do stuff for awhile. If they're going to re-enable electric trim, why didn't they then fully fix trim with the trim switch? How is MCAS able to actuate and worsen the existing out of trim condition?
20+ degree down angle inside of three seconds. The negative G sent them to the roof. I'm a certified fight instructor, and I've never experienced negative G.
MCAS killed them.
No, but overspeed does.
> A power reduction for transport category airplanes always causes a nose drop a requirement of certification
Please cite. If you point to 25.173/25.175, note that it refers to trim speeds and return to trim speed, not power. The plane was climbing before crossing Vmo / power could be reduced to maintain Vmo and the current climb rate.
> I'm a certified fight instructor, and I've never experienced negative G.
What? You've earned a spin endorsement, then. You've experienced the little negative G (in most planes) as you tip and enter the incipient spin. It's fun. The first time I did it I said "oh shit" and let go of the yoke to grab my seat. :P Also kinda alarms me that if you're an instructor you've never pushed a little negative.
The reason that '427 pilots aren't blamed is that it's unclear that with perfect inputs that the plane was recoverable. We also excuse them a bit because the situation became unrecoverable in a matter of seconds since it manifested, instead of a longer time with the MCAS upsets.
This is wrong, it is unethical to approach engineering a system like this. In investigating these crashes, all the failures that lead up to the accident must be identified, all of the possible solutions must be explored. Sometimes its an easy fix, sometimes like United 173 we have to change the whole culture inside the cockpit to fix the problem (Cockpit Resource Management). Sometimes the solution wont show up until years later, so accidents from decades prior are used to formulate solutions to problems that had not been solvable until the right technology, either hard mechanical technology like hydraulic fuses, or physiological technology like CRM, comes along.
I feel like this attitude that there's only one thing to fix every time something goes wrong is why we see colossal fuckups in the software and infosec industries and I think that needs to change. System failures require systematic solutions, not just some quick fix or patch.
I like your approach: Pilot's failures caused the crash, and Boeing made an honest mistake. And you seem to think it would have been fine flying in the US. You do realise plane crashes and industrial accidents do happen in the US?
A safe system assumes they are operated by humans who are not infallible, and should not go up in flames from minor issues. Otherwise we must conclude Chernobyl reactor was a perfectly fine design.
Are we trying to solve engineering problems by getting emotional about them or something?
Your position seems to be that it was a combination of innocent engineering mistakes and substandard behavior by the pilots.
> The flight computer system and MCAS was implemented problematically, relying on one input because the expected control authority was very low, and then when that was not changed the system was not re-architected.
Do you have a personal stake in Boeing or something? Because you appear very biased indeed. There were several ethical breaches that resulted in these tragic catastrophes.
We can try to blame Boeing for the lack of this training, but Boeing cant force airlines to do anything but the type specific training. They cant force airlines to do recurring training, they in-fact rely on the regulators to setup structures to make sure this all happens.
I don't have a personal stake in Boeing, I have a personal stake in not dying because someone decided breaking one link in the failure chain was adequate.
* These would be the cases where the pilot crashes the plane on purpose, for which some airlines have dealt with systematically and with associated training on prevention.
My point is, there are a lot of technical and ethical oversights you are glossing over. There is a reason why all the 737 Max are grounded and have been grounded for months. These crashes weren't simply due to lack of pilot training. There were multiple ethical and technical oversights and negligence by Boeing that resulted in these tragedies.
Part of the debate is that Boeing told the FAA and everybody else that 'no special training' for the Max series was needed; just watch a couple-hour video or somesuch.
Options are not all tied to fees, the process of ordering an airplane is quite complicated because of the immense amount of customization each airline does before they even pay for the aircraft. Its unclear how much this option cost, if it cost anything.
The reason why AoA indication is an option is that it requires more advanced training for the pilots, some airlines provide this training and some do not. The airlines are the ultimate decider on how much training pilots will get, Boeing and the FAA can only set minimums.
How so? The assertion that average pilots must be use implies that average pilots were not being used and that because of this the testing is flawed.
I think the point is that an average pilot would have failed tests and exposed a flaw in their training but because they used above average pilots any flaws in their systems were mitigated or avoided by the pilots.
I think we'd all agree that if a pilot landed a fully functional plane, that they were certified to fly, without first deploying the landing gear then we'd question that pilot's abilities. The rationale for testing using average pilots is along the same lines. An average pilot can reasonably be expected to have a certain level of knowledge and ability, therefore all testing should be to expose the gaps between what they know and what's needed to pilot a new aircraft. Using a more experienced pilot closes or narrows those gaps.
This isn't true. If you follow the runaway trim procedure, you recover. Pilots in the US are required to demonstrate the runaway trim procedure as part of a type rating checkride.
Aggravating factors are, IMO:
1) Even well-trained aircrews getting a runaway trim condition on takeoff are not guaranteed to show the same performance as on their checkride day.
2) Not all jurisdictions require this demonstration.
3) The MCAS could fail in a way that could be surprising and not seem exactly like normal runaway trim (intermittency).
4) This test of "can you handle runaway trim?" was much more frequent than the normal causes of a stuck switch or actuator.
I think #3-4 is the big issue. While better trained crews could address the others, MCAS has the ability to fail in a way that it only does stuff when the crew isn't looking. There's nothing that can address this but system redundancy.
In the Ethiopian crash the crew followed the runaway trim check list but didn't recover. The issue seems have been that the aircraft was going to fast so they couldn't turn the manual trim adjuster. But that isn't mentioned on the runaway checklist (http://www.b737.org.uk/runawaystab.htm)
OK a different crew might have figured that and slowed down but not crashing should not be that tricky really.
Then they did A) re-enabled electric trim (and MCAS) B) while still low, C) touched the trim button for a second, and didn't adjust anywhere close to proper trim, and D) left electric trim/MCAS on.
Not to mention, from your source, the FCTM says:
> Excessive airloads on the stabilizer may require effort by both pilots to correct the mis-trim. In extreme cases it may be necessary to aerodynamically relieve the airloads to allow manual trimming. Accelerate or decelerate towards the in-trim speed while attempting to trim manually.
Whilst I tend to agree, this does seem a bit of a blame-shift/deflection, it does raise the area of pilot plane certification. Maybe, that is the area that needs to be addressed so pilots are more knowledgeable about the plane they are flying at a level beyond what is allowed now.
However this plays out, I'd say those who certify planes for use by pilots also need to do so on the basis of the "average" pilot and perhaps need to raise their standards more than pilots do.
I would of assumed that had plane had difficulty - that they had a hotline to somebody who was very knowledgeable beyond forcing pilots in a panic situation to RTFM. Which is kinda what the situation is now.
I don't think this is a fair characterization.
The runaway trim condition is not arcane knowledge. It's a standard part of pilot training and easily something the vast majority of pilots are well prepared to handle.
The issue with MCAS was that, while it was ultimately a runaway trim issue, it didn't look like it from the pilot's seat. The MCAS trim inputs were intermittent and came with no indication that the MCAS system was providing them. You also had throttle inputs and a whole slew of cabin warnings. The fact that the AoA disagree indicator was not standard shows just how little consideration was made to communicate to pilots.
Even with improved pilot training, I think a major crash was inevitable due to the nature of how the malfunction presents itself. More training doesn't make up for the obscure operation of MCAS or the fact that this failure occurs with very little time to react.
I'm in strong agreement that blaming the pilots is unconscionable. The pilots' action disabling the trim with the cutout switch, and then re-enabling it in a desperate bid to regain control of a badly-out-of-trim and overspeed aircraft speaks volumes. They were quickly put into a nearly-impossible situation and behaved reasonably, if ultimately incorrectly.
And that's basically the early Boeing rhetoric, and also from others like Langewiesche, talking about airmanship, the notion that some certified pilots really actually are incompetent they just so happen to be foreign pilots, etc. To whatever degree the average pilot is not getting the proper training, it's a call that the entire industry has an obligation to bring up the average pilot to the actual real world expected minimum level of competency, and stop this b.s. blaming of pilots as if there are different kinds of competencies for the same level of certification.
I further note, upon MCAS existence becoming public, U.S. based pilots got rather distinctly pissed off about being kept in the dark. That is not a reaction consistent with, yeah it'll be just like runaway trim, we can handle that, no big deal.
The boeing model, apart from MCAS, has traditionally been "the pilot decides"
Would this shift towards the airbus model (the plane decides)?
https://www.thestar.com/news/insight/2016/01/16/when-us-air-... (HN discussion: https://news.ycombinator.com/item?id=11230287)
https://www.theatlantic.com/business/archive/2016/02/the-inv... (HN discussion: https://news.ycombinator.com/item?id=11155889)
Also, the outcome of the flaw of averages was to make various parts of the plane adjustable. In the case of an air emergency, your response time is not adjustable, you either solve it or you die. The NTSB’s suggestion is to understand how normal people react to ensure both ergonomics and training are adequate.
In any case, recommending that testing be done with people less knowledgeable than the experts, who don’t instantly know the right answers, can likely only result in better outcomes, not worse.
- Either it’s Boeing’s fault for improper UX,
- Either it’s Boeing’s fault for pilot certifications not being stringent enough.
In either case, the aircraft manufacturer must improve. I think of it as an “integration test”, “let’s see how the pilot+plane integrate together”.
Not necessarily Boeing, btw. It could be Airbus. It could even be a move from the US regulator which advantages Boeing compared to Airbus depending on whether Airbus planes were tested with skilled pilots.
Somewhere, a skilled test pilot got those numbers in a pristine plane.
But mere humans in a real-world plane will typically not obtain them.
So I presume that you've witnessed any design or engineering firm that was able to deal with every 'idiot' within their problem domain?
I think OPs interpretation of the saying is more correct. The saying is bringing up the impossibility of designing something for everyone , not the deflecting of labor in some snarky way.
And I think it says something useful about the impossibility of the task. The domains we work in are all about the expected inputs and expected outputs, and it takes a special kind of imagination to come up with parameters outside of those.
Some of that trend miiight be correlation and not causation.
I don't think there is actual data on skill variance among professional airline pilots so I rather they just force testing on groups which are statistically more significant to get into crashes.
The point of the test flight is to push the plane as far as it will go. Practically all drivers, regardless of skill level, will lose control if you have them hydroplane a car. Race drivers will not. With a couple advanced driving classes suddenly most people will be able to handle a slide much better. There's a gap in experience, not talent. There is no such gap between any two normal drivers.
It's more akin to the reasonable person test in law. Meaning, a reasonably well trained pilot that is not considered significantly more expert than those around him or her.
Suppose you make a proposition to a person and they reject it based on some fallacious argument. You, an intellectual, kindly point out the fallacy in their objection. A reasonable person is one who takes this in and reconsiders your proposition. An unreasonable person is someone who doubles down and either offers different but equally fallacious arguments (if they just hate your proposition and are looking for an excuse to reject it, but wish to conceal that) or refuses to acknowledge their original fallacy (due to embarrassment, stupidity, or perversity).
"Hey, we need someone of your skill level to come in and fly some test planes"
The Max needs to ensure that 80% ("average" is too low a standard) of tested pilots recover the plane.
The other 20% take remedial classes.
The main problems from my limited understanding were: pilots didn't know the subsystem existed; they didn't know it had activated; they didn't know what it was doing; they didn't know how to turn it off.
Additional instrumentation could have addressed all these issues but would have been more expensive than what they actually did.
I'm into synthesizers, which run the gamut from bleep-bloop toys to movie-soundtrack in a box.
Mostly, synths are marketed like 'Not only can the Omnicron Neutron Wrangler produce any sound imaginable, it can produce more of them more loudly than the competition and audiences will surely be impressed by your mastery of its mind-bogglingly vast control surface.'
But the synths which end up being well-loved classics are not the ones with the biggest range or the most controls, they're ones with a decent range which is designed and calibrated well enough that it's hard to get a bad sound out of it - meaning they don't have too many abrupt phase transitions or nonlinear feedback loops that could cause you to suddenly lose control and turn an interesting complex tone into noisy garbage.
The well-loved classics you describe sound more like making a plane that's aerodynamically hard to lose control of... which is kind of a holy grail, but the MCAS design came after all of that was fixed by earlier design decisions.
Changing MCAS another dozen times and updating the manuals does nothing to prevent this from happening in new future system design.
If you can make a plane that saves an airline $1MM/year/copy but costs them $4MM extra and $500K/yr in training costs, you won’t sell as many as if it costs them $3MM extra and requires no retraining (or even $5MM/$0). Sometimes that difference is enough to make the project not viable economically.
Certification is incredibly expensive. The airplane I fly the most was built in 1997 on a type certificate (the basis of certification) originally approved in 1958. That’s incredibly common.
Passengers complain about terrible seats, terrible service, jam packed flights and then search for tickets on price as the overwhelming factor. It’s little surprise that airlines are competing mostly on price.
I’m not sure what you’re suggesting here as the solution to make it [pilot re-training?] “not a major economic driver”. It could be “reduce training costs for everyone” or “increase training costs for everyone” or something else.
Eg. A newly certified plane type can be produced for 15 years before requiring recertification to new standards.
In effect, this forces Boeing to come up with new designs, since the chances of old designs meeting new standards are low. It'll give them a big incentive to find ways to get the cost of certifications down.
Up to them if they choose to evolve the plane with the standards, or do a ground-up redesign every 15 years.
That is exactly what went wrong in the 737 MAX process -- the goal was achived by using political pressure to weaken the oversight.
With proper oversight, type-certificate extension is a sound process. Without it, no form of certification is effective.
It would certainly increase costs in the industry and might introduce discontinuities in the pilot supply, particularly during irregular ops (weather delays causing crew timeouts causing crew substitutions) when pilots of 2015-era narrowbody jet #7 can't fly the 2014-era narrowbody jet #7 because the type rating is different or we have to stuff into their brains the qualifications for both the pre- and post- and have them alternate recurrent training between the two types, which brings its own safety concerns as compared to sending the crew to only one type of recurrent every required period.
Alternatively, we might address that by giving a common type rating to the aircraft (such as with the 757 and 767, which share a common type rating [the pilot qualification basis] today despite being built on different type certificates [the aircraft certification basis]), which would allow for common recurrent training with just differences training across models/series.
The pre-MAX 737s tend to be remarkably safe because the inherent mechanical issues have been detected and fixed over billions of flight hours.
All that unlocked safety value didn't count for much.
To me, the thrust of the article is on making sure human factors are incorporated into flight certification process. As they highlight, although uncommanded MCAS input was part of the certification tests, it was only marked as a 'major' risk rather than more severe classifiers. This wasn't because of any phenomenal test pilots, but just because the FAA (rather than Boeing) guidelines behind the certification assume immediate assessment and diagnosis of the issue.
The report goes into a lot of depth about other human factors, for example, how transport-category planes should have straightforward highlighting of the primary issue since often the primary cause bubbles through various interconnected systems, and the main pilot response tends to be to identify the root cause under stress and then having to fix it.
To the extent I could re-summarize the report, I'd say "Plane Certification Processes Must Consider Real-World Scenarios And Factor Human Response to In-Flight Failures in Plane Design"
By that logic, aircraft certification should be based on the minimum qualifying pilot.
Turns out, when he's placed in a life-or-death situation, he finds some focus and skill, and is no longer the minimum man. So they have some ways to counter that tendency....
What's the average? 3.125
What's the median? 2
Life expectancy for example is calculated via median. Median income is generally used over average etc.
But in all seriousness, in no way shape or form should the testing be informed by the skill assessment of the test operator.
The analysis should be looking at the tasks that had to be performed during the test, whether they were properly identified by easily selected checklists, and quantitative measurements of the complexity and physical difficulty of the tasks.
If it comes anywhere close to a question of the skill or strength of the specific test-taker then something has gone terribly horribly wrong.
In old school UI testing you would do GOMS analysis which allowed calculating the difficulty of specific tasks based on the actual manipulations required to perform them. The skill of the particular operator is not generally a factor in these types of analysis.
The subtitle of TFA states;
> Safety board says FAA should embrace data-driven approach to assumptions about pilot responses
This is a much more reasonable statement. For instance, the maximum physical force required to perform the task must be an industry standard that pilots are all certified to be able to perform.
In this 1 in a million situation, 90% of tested pilots managed to follow the procedures to recover. Therefore the chance of a fatal crash is 1 in 10 million.
Let the manufacturer decide if they want to make the situation rarer or the training better to reduce the overall crash risk.
And in recent years the FAA hasn't required these tests as frequently. Why? Because even with all the preparation that goes into it, the mad-rush to the exits in a staged emergency, tends to be quite dangerous for the participants.
Eg. being told, "next we are testing what happens when MACS fails", whereas in a real life situation the pilot has to diagnose what has happened, recall the correct remedial action, then act on it.
Also were this test pilots had accessed to extra diagnose data where regular pilots were not provided even with a sensor disagree message
And then they do barrel rolls during the first public flight of your 707.
But now that we've got such accurate virtual cockpits, we don't have to worry about killing pilots as much.
In fact, this is a similar technique some actors use to make sure they know their lines cold -- no matter how well they can recite them with full concentration, can they still recite them while playing an intense video game? Because things will be so different on stage/set, it will be equivalently distracting.
I'm sure the intentions are good but shouldn't the goal here be to use the least qualified, but still qualified pilots for testing? After all if the average pilots are passing the test but the least qualified, but still qualified pilots do not then it is a matter of time before the next crash. Boeing sells their planes all over the globe and I suspect that the average and the mean could be quite a ways apart and that the least good but still qualified pilot still sits comfortably below either.
The current advanced qualification program in use at the airlines kinda is set up to test operational policies. All pilots of a fleet (essentially a random sample of abilities) go into the sim once a year and perform a check on what’s considered a ‘normal’ flight in the sim where anomalies are presented without being pre-briefed and the crew must over come them just as if they were out flying the line. The data is aggregated and problematic trends are identified and corrected.
Translate the same to new aircraft certification. Get the airplane basically ready and train some pilots in the sim. Just regular line pilots who will be flying the aircraft for their airline. Then spend an appropriate amount of time giving them realistic scenarios (without pre-briefing the anomalies) that test the boundaries of the aircraft performance and see how the human/machine interaction occurs and if there are problems that need to be addressed. In the case of the MAX, MCAS was a new system so scenarios to test pilot interaction with it would’ve been a requirement and I’m sure these issues could’ve been identified.
This already happens to some degree when airlines take delivery of a new aircraft. They make proving runs to hammer out any small bugs and get good real world data on fuel usage, performance, etc. My proposal is simply to expand the scope of proving runs in the sim with a good dose of abnormal operations using normal every day line pilots.
Which means that more than half would be below average!