The Why of the 737 Max
By now everyone has heard about the Boeing 737-800 MAX. Two of them crashed in a short time frame, and it is believed that a new automatic flight trim system is to blame. I’m not going to rehash everything floating about the news, since the Seattle Times actually does a decent enough job of it. In short, this is on both Boeing and the FAA, and both should get taken out to the woodshed over it, both criminally and civilly¹.
Now, first order of business: the why of all this. The 737 is a fun little airliner with a rich history. One bit about that history is that the 737-100 (the OG 737) was fitted with low-bypass turbofans. Low-bypass engines have a rather small maximum diameter, which allowed the 737 to have a very low ground clearance and short landing gear. When Boeing hung the larger, more modern high-bypass turbofans under the wings (the CFM-56), no one wanted to lengthen the landing gear or change the wing very much, since that would necessitate a whole lot more redesign than the (already considerable) work a new engine entails. Instead, trade-offs happened, and the nacelle was pushed forward of the wing and up, and the bottom of the nacelle was flattened, giving the engines the look of a chipmunk with stuffed cheeks². And still, the nacelle was a mere 18″ off the ground, and the landing gear have 12″ of vertical travel. Factor in wing flex during touchdown, and if you aren’t careful, you’ll strike your engines on the deck and put your aircraft in the hangar for maintenance.
Regardless, that design has worked for a very long time. Now, back when I was in Propulsion Aerodynamics, we were working on the re-engine of the 737, and the newer engines are of an even larger diameter, and thus to avoid significant changes to the landing gear and wing, the nacelle was hung even further forward of the wing so it could be lifted even higher up off the deck. Problem was, as it got higher and further forward, the exhaust plume started impacting the wing aerodynamics in bad ways³. To relieve that, the thrust of the engine was angled down ever so slightly. Now, it’s important to remember that aircraft have three centers: a Center of Pressure, which is the point through which Lift and Drag act; an Aerodynamic Center, which can be thought of as the center of pitch; and a Neutral Point, which is where you want your center of gravity to be so the aircraft is stable. Moving the engine forward and up, and angling the thrust down, changes the relationship between the Aerodynamic Center and the Neutral Point and makes the aircraft want to pitch up more than normal.
The MCAS system was designed to automatically counter that tendency by using the horizontal stabilizer more than normal for that aircraft. See the Seattle Times link for more details about MCAS. So far, none of this is bad; it’s just engineering trade-offs. The bad comes later.
Again, I won’t go over things that the article above discusses adequately, but I will make a few points I think it misses.
Regarding Boeing acting as its own regulator: This is something that has been going on for a while. Engineers and technicians at Boeing receive specialized training from the FAA so they can act as FAA Reps. The deal, as it was explained to me, was that in exchange for Boeing having the FAA reps in house, Boeing was not allowed to try and pressure those reps to let things slide, as the reps are legally responsible should they fail to do their duty⁴, and they can call their FAA contacts should they feel Boeing was getting pushy. And Boeing engineers are unionized. Keep those last bits in mind.
So, the FAA handing off duties to Boeing is not as nefarious as some make it out to be, at least not on its face. Doesn’t mean it can’t fail. As the 737-800 MAX was getting certified, Boeing’s chief rival, Airbus, was pushing its 737 competitor, the A320Neo, out the door as well. So there was a race to beat Airbus out the door and secure those contracts from airlines hungry for more efficient aircraft. From what I’ve read, part of the problem here is that the FAA management drank the Boeing management Kool-Aid and decided Boeing really did need to beat Airbus. This puts the Boeing FAA reps in a bind, because not only are they getting pressure from Boeing to push the timetable, they are also getting pressure from the FAA, who is supposed to be their 800 lbs gorilla to keep Boeing off their back.
Regarding the FAA, I have no idea what they were thinking. I suppose if I mentioned that the 737-800 MAX first flight was 01/29/16, and the first delivery was 05/22/17, one could compare those dates with other events occurring in the executive branch and draw some conclusions…
Regarding Boeing, I have a pretty good idea. IMHO, Boeing has serious management problems. First off, there is a culture of near-worship of executives and senior management. Lots of massaging of bad news and ass-kissing and the like. I mean, it’s bad. Along with that there is a lot of ‘managing up’ going on, where senior managers and executives spend more time focusing on the politics of their positions, and how good they look to the people above them and how those people view them, rather than focusing on what the people below them are doing, or saying. I’ve heard of multiple incidents where mid-level leadership was pushing the 1st and 2nd line managers to get things done faster, and those managers and their senior employees had to push back with the safety of the aircraft (i.e. if you make us do this faster, we won’t have time to check our work, and you put the safety of the aircraft at risk). Tack onto that the mantra of shareholder value over customer value.⁵
Anyway, both organizations have to own this.
By the way, the bit about the FAA Union being critical of Boeing having FAA duties, I’d take that with a grain of salt. It’s a smaller Union wanting to boost its membership by essentially poaching people from the larger Boeing Union (SPEEA).
Now, onto my final point, the pilots. This is not victim blaming, per se, since I know those pilots did everything they knew how to keep those planes flying. The key here is “everything they knew how”. This is the issue; pilots are in demand across the world. It takes a lot of time and money to train a pilot, even if you get someone like a former military pilot, who already has the basics down. That is time and money the airlines don’t want to spend, and not a ton of people want to invest in⁶ since the working hours of a commercial pilot can be hard on families⁷. Places like the US and Europe can afford to shell out the time and money to competently train pilots. Not everyone can, but everyone the world over expects airplanes to fly them about. This means that less affluent countries are in a bind. They need pilots, but they can’t attract them from places like the US, Japan, and Europe, so they have to train them locally, and too often, they teach their pilots to fly the computer rather than how to fly the plane.
I mean, a modern airliner can almost fly itself. The pilot really just needs to taxi it out to the runway and wait for permission from the tower. The plane can, for all intents and purposes, take off on its own, climb to altitude, cruise to its destination by waypoint, and if conditions are good, land itself, whereupon the pilot taxis to the gate. Of course, all of that assumes good conditions. No bad weather, no unexpected air or ground traffic, no avians in the inlets, no faulty sensors to confuse the automatic systems, that kind of stuff.
So pilots get trained to basically let the plane fly itself, and not enough attention is paid to what to do when the plane can’t fly itself. Now, lots of American pilots have encountered a dodgy MCAS, and they just shut the system off and logged the anomaly. I even saw a report that the Lion Air plane that crashed, on a recent previous flight, had problems with the MCAS, and the pilots were at a loss. Luckily for them, a more experienced pilot was on board as a deadhead and told them how to turn the MCAS off. So the issue was known, and how to correct it was known, but it wasn’t known to everyone, and if you are largely trained to let the plane fly itself, then not knowing is a problem.
And it’s not like modern countries don’t suffer the same issue to some extent.
Ergo, at the end of this tragic chain is the fact that accurate documentation matters, adequate training matters, and no one can take short cuts to training pilots. And autopilots, while incredibly impressive, are not actually intelligent. They are only as good as their inputs and software allow. Only the pilots are intelligent, provided they are given the correct training and information.
[1] I’m not entirely confident any individuals will see the wrong end of an indictment, nor will the FAA actually get in trouble, but monies will be paid, and it’s going to hurt.
[2] The cheeks are actually stuffed with the engine auxiliary equipment: fuel pumps, oil pumps, generators, etc.
[3] Remember, the air over the wing is supposed to move faster than the air under it.
[4] AFAIK, they are still Boeing employees, and thus don’t enjoy the immunity government employees might.
[5] E.g. the fact that Boeing did not include a warning light (that the critical sensors were not in agreement) as a standard option in the cockpit; it was an add-on the airlines had to opt-in and pay for. I mean, WTF?!
[6] Figure the cost to become a commercial airline pilot is easily in the ballpark of $100K.
[7] My cousin flies for Southwest, his schedule is nuts, and he has 3 kids.
Photo by Gordon Werner
The design engineers knew what this would do to static and dynamic stability. I hope the smart ones said no and walked away or left the company. The church of need is going to need better engineers.
Moving the engine and adjusting the trim doesn’t impact stability in some manner that would indicate engineering malpractice. The horizontal tail exists specifically to stabilize the pitching moment of the aircraft and it is perfectly acceptable to trim the tail a bit more if the pitching moment changes.
Now if the moment changed and they trimmed the tail to the stops rather than resize the tail, THAT would be engineering malpractice.
No, the failure was all in the MCAS.
I don’t understand why you mentioned the tendency of the aircraft to pitch up more than normal. That indicates something is going on with stability being different than what it was before.
“I don’t understand why you mentioned the tendency of the aircraft to pitch up more than normal.”
I think he should have written “previously” rather than “normal”. “Normal”, in this case, means “normal for the earlier versions of the 737”.
Yes, this. Thank you, DD.
You need to read the Seattle Times article, but the short of it is that the increased pitching moment was never the problem. The problem was that Boeing did not want to have to sell a plane with a new Type Certificate that would require new training protocols and simulator software. They wanted to be able to market to airlines that the MAX would fly like the previous generations of 737s, and they could start flying it immediately after delivery.
MCAS was how they planned to do that.
I should have been more clear above also, I wasn’t saying it was unstable, just what you were describing made it sound LESS stable.
There should have been two expectations:
a.) This thing flies stable and like an airplane with the computer off.
b.) This thing flies stable and like an airplane with the computer on.
It appears the problem was in b.
Maybe the other question is whether the pilots were within the operating envelope.
Actually, a & b are true. Airplane trim exists for a reason, so the pilots can adjust the stability in flight, should fuel, passenger, or cargo mass not be distributed evenly.
None of this is about the stability of the aircraft, and all about avoiding having to get a new Type Certificate. A new certificate requires that pilots go through training and get checked out and certified to fly the plane. The process isn’t difficult, especially for such a similar aircraft, but it’s still time and money the airlines would have to spend that they would not have to spend on the A320Neo (which has a longer landing gear and can easily hang a new, larger engine).
Something is off somewhere. From the articles it sounds like the MCAS was pushing the nose down (repeatedly?) when the pilots weren’t expecting it to engage? and they didn’t know how to deal with it when it did engage.
I don’t know how you can have a.) and b.) resolved and still have a related crash.
The MCAS was indeed pushing the nose down repeatedly, and it shouldn’t have been.
The pilots should have known that this was indicating a problem, and known the procedure for dealing with the problem; they didn’t because of insufficient training.
The “MCAS obviated the need for type certification” thing means that, as far as anyone knew, the 737MAX and the earlier 737 worked exactly the same and nobody *needed* new training. If the 737MAX had been considered a new type then anyone who wanted to fly one would have had to take a whole new training course (which would have told them all about the MCAS.)
I mean, if you want to say “the computer broke”, you’re right, but that in itself wouldn’t have made the airplanes crash. Failing to recognize that the computer was broken was what made the airplanes crash, and Boeing’s manuals didn’t tell anyone that the computer might break in that particular way.
@ Joe Sal – I think part of the issue is that the MCAS wasn’t intuitive to disengage, nor was its alarm something the pilots were familiar with. Reporting on the Lion Air crash seemed to indicate (at least based on outside radar tracking) that the pilots were fighting the aircraft as it went down. Based on that same reporting if the pilots couldn’t disengage the MCAS it was fighting their attempts to correct via the stick etc, which is what I am told any pilot is going to go to if the plane pitches down. All because the sensor feeding the MCAS was faulty (which is where the first lawsuits are likely to land).
@joesal
Let’s say you’re a pilot. You know how to fly the older 737s. If you got into the MAX with the MCAS turned off and took off, you’d notice the nose wanted to pitch up more than expected given your experience with the 737. You would then reach over to the pitch trim controls, and add some HStab to bring the nose back down. Then you’d keep your eye on the pitch indicator to make sure she stayed level.
For an experienced pilot, easy-peasy lemon squeezy.
However, the fact that the MAX wants to nose up means it needs a new Type Cert, and all that entails.
So Boeing put in the MCAS system to automatically trim the pitch without pilot input, so the plane would fly like the older 737s, thus avoiding the new Type Cert.
Again, all is good, UNLESS…
The MCAS system is designed to only pay attention to sensor 0, and to basically ignore sensor 1 unless sensor 0 is in a recognized error state. If sensor 0 is not in a recognized error state but is nonetheless giving crap data, MCAS is going to automatically trim the aircraft wrong, which the pilot will notice and try to correct.
And this is where things go pear shaped, because the pilots knew to reset the system, but not to turn it off, and the reset function was crap (it reset the system, but didn’t zero out the trim, so the trim kept stacking).
ETA: Trim controls are different from stick controls. Think macro versus micro movements. The stick moves the airplane in a manner the pilot directs. Trim controls eliminate movements the pilot doesn’t want to happen.
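The sensor-selection rule and the stacking trim described in the comment above, as a toy model next to a cross-checked alternative. This is an added example, not code from the post or from Boeing; every name, threshold and reading in it is constructed for illustration.

```python
from dataclasses import dataclass

# All constants are constructed for this toy model.
AOA_THRESHOLD_DEG = 12.0   # angle of attack above which the controller trims nose-down
TRIM_STEP = 2.5            # nose-down trim units added per activation
DISAGREE_LIMIT_DEG = 5.5   # largest tolerated difference between the two sensors


@dataclass
class Reading:
    value: float       # reported angle of attack, degrees
    fault_flag: bool   # True only when the sensor reports a *recognized* error


def single_source(s0: Reading, s1: Reading):
    """Rule from the comment: trust sensor 0 unless it flags a recognized error."""
    return s1.value if s0.fault_flag else s0.value


def cross_checked(s0: Reading, s1: Reading):
    """Alternative: return None (do not act) on any flag or on disagreement."""
    if s0.fault_flag or s1.fault_flag:
        return None
    if abs(s0.value - s1.value) > DISAGREE_LIMIT_DEG:
        return None
    return (s0.value + s1.value) / 2


def run(select, readings, reset_steps, zero_on_reset):
    """Feed (sensor0, sensor1) pairs to the controller.

    The controller fires once, then waits until a crew reset re-arms it.
    Returns (accumulated nose-down trim, inhibited flag).
    """
    trim, armed, inhibited = 0.0, True, False
    for step, (s0, s1) in enumerate(readings):
        if step in reset_steps:
            armed = True
            if zero_on_reset:
                trim = 0.0           # reset also removes the trim already applied
        if inhibited or not armed:
            continue
        aoa = select(s0, s1)
        if aoa is None:
            inhibited = True         # latch off and leave trimming to the crew
            continue
        if aoa > AOA_THRESHOLD_DEG:
            trim += TRIM_STEP
            armed = False
    return trim, inhibited


# Constructed input: sensor 0 is stuck high but raises no fault flag,
# sensor 1 reads a normal value. The crew resets at steps 2 and 4.
STUCK_HIGH = [(Reading(22.0, False), Reading(4.0, False))] * 6
# Same readings, but sensor 0 does report a recognized error.
FLAGGED = [(Reading(22.0, True), Reading(4.0, False))] * 6
RESETS = {2, 4}

if __name__ == "__main__":
    print("single source, reset keeps trim :", run(single_source, STUCK_HIGH, RESETS, False))
    print("single source, reset zeroes trim:", run(single_source, STUCK_HIGH, RESETS, True))
    print("cross-checked                   :", run(cross_checked, STUCK_HIGH, RESETS, False))
    print("single source, fault flagged    :", run(single_source, FLAGGED, RESETS, False))
```

The single-source rule only protects against failures the sensor itself announces; a plausible-looking bad value passes straight through, and each reset that leaves the trim in place adds another step.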
Man that’s a kettle of fish:
“we got the engines to fit but it pitches up the nose more than previously”
“what do we do now?”
“The MCAS system is designed to only pay attention to sensor 0, and to basically ignore sensor 1 unless sensor 0 is in a recognized error state. ”
Further complicated by the fact that Sensor 1 is part of an option package that Boeing charges extra for and it isn’t installed on the baseline model…
(yes, really, an automatic system with full control authority depended on a non-redundant sensor!)
@densityduck
This is how I know the fault of this lies with the Boeing leadership, because there is no way an engineering team would allow an automatic control system to rely on a single sensor. Someone had to over-ride that objection, and the FAA had to be complicit in that decision.
An AOA sensor isn’t a critical flight instrument, at least it didn’t use to be. Small aircraft don’t even have them, and Boeing probably first added one to run the stall warnings and stick shaker.
It’s an “informational” instrument, and only if a customer pays extra to have an AoA indicator in the cockpit.
So historically I think it would have been in a very different regulatory and development regime from things like an altimeter or airspeed indicator in terms of accuracy, redundancy, and reliability.
They shouldn’t have been allowed to use it for critical flight controls without revisiting a whole lot of issues to make it as reliable as everything else.
Of course they knew it, and they knew that the software would fix it, and they knew that properly-trained pilots could recognize and deal with failures of equipment, and this did in fact happen in every case but these last two.
Like, if you want to get mad at someone, get mad at the assholes in Boeing’s manual-writing department who decided that they didn’t need to put in anything about the MCAS because “too much information would just confuse people”.
Engineering tradeoffs exist, and you depend on them, which you may have noticed the last time you saw that your car is not actually a tank.
“your car is not actually a tank”
Well….the tradeoff was light armor for the big gun, so it’s all good. 😉
Thanks for this. I had heard the Daily podcast from the New York Times about how the larger engines had to be pushed forward and how that was also a problem. If I’m not mistaken, when the 737 came out in the late 60s, it was supposed to be a short-haul plane. But today, you can fly a 737 from say San Francisco to Hawaii. It’s becoming more of a mid-range plane. Should Boeing consider building “clean sheet” plane instead of using a frame that’s 50 years old?
Depends on your end game if you are Boeing. A clean sheet plane will be expensive to build, years to test and then get orders for. Airbus’ recent success notwithstanding I think Boeing is gonna keep to planes it can sell, which means it will avoid clean sheets unless it has enough cushion to absorb the cost. I also think the flying public will eventually forget the 737 MAX debacle in a few years, lowering Boeing’s incentives dramatically.
“Should Boeing consider building “clean sheet” plane instead of using a frame that’s 50 years old?”
To be honest, the 737MAX pretty much *is* a clean-sheet plane, compared to the originals. Boeing has spent quite a lot of money convincing people that they’re the same.
Which is what the MCAS is all about, really; it’s a design feature that makes the 737MAX fly the same as one from the 1960s so that Boeing can say it doesn’t need recertification. (Which, again, is not a *bad* thing, so long as pilots are told that the feature might break and how to recognize when this happens and what to do about it…none of which seems to have happened.)
Correction: It flies the same as the 737 Next Gen, from the 80’s, not the 60’s.
The thing to keep in mind is the 737 is Boeing’s bread and butter. That plane keeps the company afloat (with the 777 the next most profitable, IIRC). Boeing is still hurting from the 787 issues (which is a whole different discussion, and a lot more technical in nature, but also the result of Boeing management having their heads firmly placed up some other executive’s ass), so it wasn’t looking to clean slate a replacement, it just wanted to make her more efficient.
Should the 787 start being profitable, maybe that will change. But I wouldn’t give up breathing or sex waiting for that to happen.
And it’s interesting that the 787 had issues with its lithium-ion batteries catching on fire, and it turned out that the FAA had farmed out the analysis of the qualification testing to Boeing, and Boeing didn’t do a good job of that analysis.
(Boeing was already doing the testing, and this is pretty standard, but the FAA also let Boeing write up the analysis of the test results and just signed off on that report, which is not standard.)
My understanding was that Boeing had looked at the battery manufacturer’s testing and decided it was sufficient. And from what I heard at the time, it sounded like it was. They did serious destructive testing on the batteries and they wouldn’t catch fire.
Too bad the manufacturer had QC issues…
The 737 has grown to fill the same performance niche as the original 707, in seats and range.
The LEAP 1 engines on the Airbus Neo are also almost dragging the ground, and were also moved forward, so it may suffer some of the same aerodynamic consequences. If it does, they probably did a better job of integrating the handling change into their flight control laws, as opposed to slapping a band-aid on it.
If Boeing wanted to commit to going full 707, I’d recommend they replace the LEAP 1B engine with a pair of podded Rolls Royce Pearl 15’s, a brand new engine that Bombardier is using on their new Global 5500 and Global 6500 business jets. The Pearl 15 has half the fan area and a little more than half the thrust of the LEAP 1B, but pairing them in a pod is workable, and RR is heavily pitching podded engines in the same series for a B-52 engine replacement.
The fan area would then be the same as the LEAP, but the height would be the same as the original JT8D’s on the 737-100 and 200, so the engine pod could slide back under the wing. ETOPS would go away because the plane would have four engines, and it would just be the new 707. The cost would probably be unaffected because the Pearl is half the cost of a LEAP.
The downside is a lower bypass ratio and slightly lower specific fuel consumption, but that could eventually be fixed by having RR come up with some duct work to run both fans off of one core, making the world’s first single-core dual fan turbine.
Yeah, that’s gonna be a new Type Cert…
And twice as many engine controls to deal with.
So, Boeing’s future as a going concern might come down to whether or not the following is a true statement: Boeing knowingly delivered aircraft that included software, said software with one or more known failure modes that made the plane unstable. Right?
Once upon a time I ended up as the designated person to attend a meeting that was about three levels above my pay grade. They kicked me out when my mouth got away from me and I blurted, “If we wrote the real-time software with the same ethical standards you use to make the business decisions, we’d all be in jail.”
Part of the problem, and I shit you not*, is that Boeing refuses to accept that it is a software company. It continues to insist that it is an Aerospace Systems Integration Company.
The irony is, all the technical knowledge is at the lower levels. You could replace the bulk of the senior management and probably all the executives and the company would barely slow down.
*I have friends who write software for the company, and that is what they tell me the attitude of their senior management is.
ETA: Boeing is too big to fail. No way the US government lets the airliner market go to Airbus or China.
There’s a lot of that going around.
The IEEE ran an interesting piece some years back. GM needed a new hybrid transmission. When it was done, the final allocation of engineering time and money was two-thirds for the software for the embedded processor, one-third for the mechanical parts.
The F-35 fiasco where the Marines were ready to take delivery of planes even though the pilots wouldn’t be able to fire the gun for at least two years wasn’t a hardware problem. The gun was there, the trigger was there, but the software that would take notice that the pilot had pulled the trigger and fire the gun on her behalf was behind and that particular feature wouldn’t be included for two years. (Lockheed and the Pentagon rearranged the schedule and put firing the gun into an earlier release. No word on what other feature(s) were delayed to accommodate that.)
My state’s ability to implement changes in any of its public assistance programs is now limited by the time/budget to get the necessary modifications made to the software that handles things. The state doesn’t write the actual software, but is entirely dependent on that software to function. OTOH, it’s still cheaper and faster (and makes far fewer errors) than having many thousands more employees do the job manually and keep their training up to date.
My neighbor across the street recently bought a new car. The most expensive individual option, at $1400, was the software mod that got an extra 20 hp out of the engine with some loss of mileage but without violating the emissions standards.
And of course, since these companies, who continue to develop more and more software for their products, refuse to acknowledge that they now have major software divisions, they tend to not allocate sufficient resources to software development, nor enforce any kind of standard for that software (and just trust to the dev team to do so).
And honestly, our regulating agencies haven’t truly caught up to this reality either.
Part of the reason we haven’t is IT expertise is something we generally have to contract for, and in a Help Desk way. If we need coding experience for a project for a government system even that is contracted (often to someone else). Even our data centers and archiving functions are run by contract staff, since, ya know, government can contract stuff like that because it’s not inherently governmental.
This is the kind of thing that freaks me out about modern aviation. I am by nature a very nervous flyer. One of the things that has helped me get around my fear is learning more about the engineering of flying. What that doesn’t address is the combination of software issue and person inadequately trained to deal with said software issue.
IIRC Tammie Shults credited her post military commercial training for successful handling of the flight 1380 situation.
I fly a fair bit for work; along the way I read Cockpit Confidential and the section that was most interesting, reassuring and slightly terrifying was the section on MCAS and how Pilots relate to it… from the point of view of a pilot. On the one hand, wonder of wonders, the plane flies itself… on the other, increasingly a pilot’s first reaction (nowadays) is to focus on the automation system rather than grab control of the aircraft. Told from the point of view of a pilot, it seemed a little disconcerting.
In a lot of ways, this echoes incidents like the Uber car that killed the jaywalker in Mesa, AZ.
I’m a big proponent of automation in vehicle operation. Self driving cars and trucks, self flying planes, etc. They are all a great way to counter human foibles with regard to vehicle control (exhaustion, ego, hubris, etc.), but none of these systems are quite there yet, they all have glaring limitations, and operators still need to, at the very least, know how to safely bring the vehicle to a stop.
And yeah, once the computer has control, when things go wonky, poor training tries to troubleshoot the computer, proper training cuts the computer out of the control loop.
Yeah, that was his primary point… pilots were too reliant on the automation to the point where their flying skills were no longer matched to the aircraft, especially in moments of crisis. Which in his telling meant that 99.99% of the time this was more than adequate… but it wasn’t 6-nines adequate. From his perspective it was a combination of awesome MCAS less training than would be optimal, but mostly the internalization that MCAS was the first and primary pilot (counterintuitively for a Pilot).
It’s actually an interesting parallel, because in the Uber incident they’d disengaged the automatic system…but didn’t tell the driver. As opposed to this issue, where the system was engaged but they didn’t tell the pilots…
One thing to keep in mind is that modern aircraft are rather difficult to bring down. For probably the past 50 years, excepting cases where the pilot (or other) willfully crashed the plane, every crash involved a failure cascade. Multiple things had to go wrong in sequence in order to bring the plane down and cause a loss of life. The critical systems on a plane have backups for the backups.
In this case, the failure began at Boeing, who failed to document things properly, resulting in (probably) incorrect software design requirements and inadequate pilot training (and a few other things I can think of, but those are the big ones). The FAA failed to catch Boeing’s mistake, or failed to insist Boeing correct the mistakes it caught, either way, the FAA failed to do their job. And finally, the two unfortunate airlines failed to properly familiarize all their pilots with the aircraft and train them to properly respond to that anomalous condition.
So, long failure cascade. And as aircraft become more complex and automated, the potential for this kind of information failure will need to get more attention.
Tangential point to some pilots being trained to actively let the plane fly itself: I foresee a similar problem with mostly-self-driving cars. When the computer curls up in a ball and needs a human driver, it will be one with little experience driving called upon to deal with a particularly difficult situation. Good times ahead. Unless you buy the “drive by call center” model, which seems to me overly optimistic in oh, so many ways.
That won’t really matter because even an experienced driver needs quite a lot of time to get their heads back into the control loop, and on the highway that time isn’t available. Resorting to manual control was the initial thought for the cars a few years ago, but they quickly discovered that the person in the driver’s seat goes into full passenger mode. They need five or ten seconds to re-orient before they’re useful.
Depends on the failure mode. Ground vehicles have the option of “come to a complete stop ASAP and wait for human intervention”.
Planes, not so much.
The notion that the driver will instantly take control in a developing emergency always was obvious bullshit.
What I have in mind is where the computer quits due to some difficult environmental condition such as weather or some particularly crappy layout in a city built for horses and buggies: conditions human drivers can handle, but only if they have mad skillz–which have totally atrophied because the computer does 99.9% of the driving.
That would work far better, and is similar to lane-control and other functions that fill the role of the early auto-pilots in aircraft.
It still leaves a gap where the computer or the driver doesn’t realize the need to change modes in time to prevent a situation from developing, but erring on the conservative side might be adequate, such as not self-driving if the weather forecast includes the possibility of hazardous icing.
My issue with self-driving cars is that in taking the driver out of the loop, the only deep pocket left in the loop is the car company. The American light plane industry got sued almost into non-existence even when pilots were the entire control loop. I think cars have done far better in the courtroom because all the jurists drive cars. But that may make things even worse for a self-driving accident because all the jurists might think “A human driver like me would NEVER have made that mistake.”
That problem must have existed before we had cars, but who would sue a horse breeder?
it always amazes me that people think “come to a complete stop as immediately as is practical” will not be the legally-mandated response of auto-drive vehicles to ambiguous situations
Another thing to consider is whether or not the Type Certification requirements need revisiting. All of this was to avoid getting a new Type Cert. Was the change in pitch characteristic truly worth a new Type Cert? I’m not entirely certain it is. Change the landing gear or the wing, sure. But making a change that can be easily trimmed out…?
From what I’ve read, the requirement for MCAS didn’t come out of engineering, it came out of flight test, and that the full-down authority given to MCAS was only required in a very small corner of the flight envelope that the aircraft would probably never encounter.
It could be the case that the managers in charge of flight test were just establishing their institutional authority to dictate new requirements, or it could be that they were rightly very conscientious about safety and weren’t going to let engineering try to slip one past them. In any event, either engineering was overly optimistic or flight test was overly pessimistic.
Either way, the requirement came after the MAX was flying, which means it was very late in the certification process, and that might explain why it seems more like a band-aid.
I was in a long discussion about the MAX in a blog post at Transterrestrial Musings, which is run by an aerospace engineer who writes for a bunch of different outlets. The discussion covered a lot of different issues.
The requirement may not have come out of engineering, but engineering had to design and sign off on an automatic control system that was only using one sensor, and engineering would not have done that unless they had assurances that the system was a corner of the envelope kind of system.
Now if that kind of information was never properly conveyed to the software developers…
Or if it were agreed-upon that A) the MCAS was for flight characteristics only and wasn’t a safety feature and B) in the event of alpha-sensor failure or MCAS overcorrection, the system could be disabled without making the aircraft uncontrollable, and C) the symptoms of MCAS malfunction and the proper procedure to respond were clearly made known to pilots of the 737MAX.
Part “C” didn’t happen, apparently.
The NYT is reporting that simulator recreations of the MCAS failure gave pilots 40 seconds to figure things out and respond.
That’s a lot of time, if you know what to do.
It’s not a lot of time if you are wondering WTF is going on and have no idea how to make it stop.
Principle of Least Astonishment
More bad news for Boeing. A Southwest 737 Max being flown to storage just declared an emergency and landed at Orlando International. story.
The pilots reported an engine problem.
Curious if the author’s pilot cousin agrees with the “modern airplane can almost fly itself” assertion now that there are such sophisticated autopilots. I’ve followed another blogging pilot for years and years and he always screams about what a silly trope this is.
And I was an engineer for Boeing.
But note my list of exceptions to a plane flying itself.
A modern jetliner can, in good conditions, execute key portions of the mission profile on its own. Those portions vary from model to model, but are usually the three primary portions; namely climb, cruise, and descent. Some planes can also assist a great deal during take-off and landing, almost to the point that it seems the plane could do such things on its own.
But I wouldn’t bet my life on that. Neither do most pilots.
Autopilots are nice, but they are not a substitute for a properly trained pilot.
Haven’t there been demonstrations of the software flying the plane from the point where it was on the runway for takeoff, across the country, and then until it was down and ready to leave the runway after landing? Or am I misremembering?
A previous neighbor in the house behind ours ran the United flight simulator in Denver. After the Sioux City thing, where the plane lost all the hydraulics and the crew was left flying with the throttles and still almost landed the sucker, they added that scenario to the simulator. He said that the longest anyone kept the simulated plane in the air was five minutes, compared to the almost 45 minutes the crew accomplished in real life. I wonder how well contemporary software would do?
There have, but I don’t recall the conditions of the simulations.
I wonder what those who say that the concept of the free market, because it allows competition to push firms to deliver better and more efficient products and services rather than rest on their established market successes, must govern all of our economic policies, would say about the effect of introducing a new competitive impulse into the pre-A320neo equilibrium.
The effect of introduction has a great deal to do with the history of the government’s regulation in both training and proofing of the design up to the current iterations.
People can mention free markets, but it doesn’t mean anything if it is not a free market.
The design paths in a free market typically show the innovations occurring earlier and the integration of the innovations on a more incremental basis. (even if there is a big design leap, there is a pressure to make the leap perform as well or better than the previous) The fact that there wasn’t an intermediate sized engine and an evolving wing design to integrate the innovation may be indicators that the process is rather rigid.
Also there needs to be something mentioned here about the government picking winners and losers up to the point the production sources are few, maybe even singular (at a nation state level) at this point.
(I was hoping someone else would have chimed in on this already.)