Boeing’s 737 Max Debacle: The Result of a Dangerously Pro-Automation Design Philosophy?

The aftermath of two crashes of Boeing 737 Max jets shortly after takeoff has led to the global grounding of the airplane. Boeing has been forced to cut production, and even so, undelivered planes are piling up. Big buyers like Southwest and American Airlines have been forced to cancel flights during their peak time of year as a result of taking their 737s offline. American lengthened its 737 grounding to June 5 and Southwest, to August 5 [Update: American sent a notice to American AAdvantage members that the grounding would last through August 19].

Even though Boeing is scrambling to fix the software meant to counter the 737 Max’s increased propensity to stall, a result of placing larger, more fuel-efficient engines in a way that reduced the stability of the plane in flight, it’s not clear that this will be adequate in terms of flight safety or the public perception of the plane. And even though the FAA is almost certain to sign off on Boeing’s patch, foreign regulators may not be so forgiving. The divergence we’ve seen between the FAA and other national authorities is likely to intensify. Recall that China grounded the 737 Max before the FAA. In another vote of no confidence, even as Boeing was touting its changes to its now infamous MCAS software, designed to compensate for safety risks introduced by the placement of the engines on the 737 Max, the Canadian air regulator said he wanted 737 Max pilots to have flight simulator training, contrary to the manufacturer’s assertion that it isn’t necessary. Last week, the Wall Street Journal reported that American Airlines is developing 737 Max flight simulator training.

But a fundamental question remains: can improved software compensate for hardware shortcomings? Some experts harbor doubts. For instance, from the Spokane Spokesman-Review:

“One of the problems we have with the system is, why put a system like that on an airplane in the first place?” said Slack, who doesn’t represent any survivors of either the Lion Air or Ethiopian Airlines crashes. “I think what we’re going to find is that because of changes from the (Boeing 737) 800 series to the MAX series, there are dramatic changes in which they put in controls without native pitch stability. It goes to the basic DNA of the airplane. It may not be fixable.”

“It is within the realm of possibility that, if much of the basic pitch stability performance of the plane cannot be addressed by a software fix, a redesign may be required and the MAX might not ever fly,” [aviation attorney and former NASA aerospace engineer Mike] Slack said.

An even more damning take comes in How the Boeing 737 Max Disaster Looks to a Software Developer in IEEE Spectrum (hat tip Marshall Auerback). Author Greg Travis has been a software developer for 40 years and is a pilot. He does a terrific job of explaining the engineering and business considerations that drove the 737 Max design. He describes why the plane’s design is unsound, why the software patch in the form of MCAS was inadequate, and why an improved version is unlikely to be able to compensate for the plane’s deficiencies.

Even for those who have been following the 737 Max story, this article has background that is likely to be new. For instance, to a large degree, pilots do not fly commercial aircraft; they send instructions to computer systems that fly these planes. As Travis explains:

In the 737 Max, like most modern airliners and most modern cars, everything is monitored by computer, if not directly controlled by computer. In many cases, there are no actual mechanical connections (cables, push tubes, hydraulic lines) between the pilot’s controls and the things on the wings, rudder, and so forth that actually make the plane move…

But it’s also important that the pilots get physical feedback about what is going on. In the old days, when cables connected the pilot’s controls to the flying surfaces, you had to pull up, hard, if the airplane was trimmed to descend. You had to push, hard, if the airplane was trimmed to ascend. With computer oversight there is a loss of natural sense in the controls….There is only an artificial feel, a feeling that the computer wants the pilots to feel. And sometimes, it doesn’t feel so great.

Travis also explains why the 737 Max’s engine location made the plane dangerously unstable:

Pitch changes with power changes are common in aircraft. Even my little Cessna pitches up a bit when power is applied. Pilots train for this problem and are used to it. Nevertheless, there are limits to what safety regulators will allow and to what pilots will put up with.

Pitch changes with increasing angle of attack, however, are quite another thing. An airplane approaching an aerodynamic stall cannot, under any circumstances, have a tendency to go further into the stall. This is called “dynamic instability,” and the only airplanes that exhibit that characteristic—fighter jets—are also fitted with ejection seats.

Everyone in the aviation community wants an airplane that flies as simply and as naturally as possible. That means that conditions should not change markedly, there should be no significant roll, no significant pitch change, no nothing when the pilot is adding power, lowering the flaps, or extending the landing gear.

The airframe, the hardware, should get it right the first time and not need a lot of added bells and whistles to fly predictably. This has been an aviation canon from the day the Wright brothers first flew at Kitty Hawk.

Travis explains in detail why the MCAS approach to monitoring the angle of attack was greatly inferior to older methods… including having the pilots look out the window. And here’s what happens when MCAS goes wrong:

When the flight computer trims the airplane to descend, because the MCAS system thinks it’s about to stall, a set of motors and jacks push the pilot’s control columns forward. It turns out that the flight management computer can put a lot of force into that column—indeed, so much force that a human pilot can quickly become exhausted trying to pull the column back, trying to tell the computer that this really, really should not be happening.

Indeed, not letting the pilot regain control by pulling back on the column was an explicit design decision. Because if the pilots could pull up the nose when MCAS said it should go down, why have MCAS at all?

MCAS is implemented in the flight management computer, even at times when the autopilot is turned off, when the pilots think they are flying the plane. In a fight between the flight management computer and human pilots over who is in charge, the computer will bite humans until they give up and (literally) die…

Like someone with narcissistic personality disorder, MCAS gaslights the pilots. And it turns out badly for everyone. “Raise the nose, HAL.” “I’m sorry, Dave, I’m afraid I can’t do that.”

Travis also describes the bad business incentives that led Boeing to conceptualize and present the 737 Max as just a tweak of an existing design, as opposed to being so aerodynamically different as to be a new plane… and require time-consuming and costly recertification. To succeed in that obfuscation, Boeing had to underplay the existence and role of the MCAS system:

The necessity to insist that the 737 Max was no different in flying characteristics, no different in systems, from any other 737 was the key to the 737 Max’s fleet fungibility. That’s probably also the reason why the documentation about the MCAS system was kept on the down-low.

Put in a change with too much visibility, particularly a change to the aircraft’s operating handbook or to pilot training, and someone—probably a pilot—would have piped up and said, “Hey. This doesn’t look like a 737 anymore.”

To drive the point home, Travis contrasts the documentation related to MCAS with documentation Cessna provided with an upgrade to its digital autopilot, particularly warnings. The difference is dramatic and it shouldn’t be. He concludes:

In my Cessna, humans still win a battle of the wills every time. That used to be a design philosophy of every Boeing aircraft, as well, and one they used against their archrival Airbus, which had a different philosophy. But it seems that with the 737 Max, Boeing has changed philosophies about human/machine interaction as quietly as they’ve changed their aircraft operating manuals.

Travis also explains why the FAA allows for what amounts to self-certification. This practice didn’t result from the usual deregulation pressures, but from the FAA being unable to keep technical experts from being bid away by private sector players. Moreover, the industry has such a strong safety culture (airplanes falling out of the sky are bad for business) that the accommodation didn’t seem risky. But it is now:

So Boeing produced a dynamically unstable airframe, the 737 Max. That is big strike No. 1. Boeing then tried to mask the 737’s dynamic instability with a software system. Big strike No. 2. Finally, the software relied on systems known for their propensity to fail (angle-of-attack indicators) and did not appear to include even rudimentary provisions to cross-check the outputs of the angle-of-attack sensor against other sensors, or even the other angle-of-attack sensor. Big strike No. 3.

None of the above should have passed muster. None of the above should have passed the “OK” pencil of the most junior engineering staff, much less a DER [FAA Designated Engineering Representative].

That’s not a big strike. That’s a political, social, economic, and technical sin….

The 737 Max saga teaches us not only about the limits of technology and the risks of complexity, it teaches us about our real priorities. Today, safety doesn’t come first—money comes first, and safety’s only utility in that regard is in helping to keep the money coming. The problem is getting worse because our devices are increasingly dominated by something that’s all too easy to manipulate: software…

I believe the relative ease—not to mention the lack of tangible cost—of software updates has created a cultural laziness within the software engineering community. Moreover, because more and more of the hardware that we create is monitored and controlled by software, that cultural laziness is now creeping into hardware engineering—like building airliners. Less thought is now given to getting a design correct and simple up front because it’s so easy to fix what you didn’t get right later….

It is likely that MCAS, originally added in the spirit of increasing safety, has now killed more people than it could have ever saved. It doesn’t need to be “fixed” with more complexity, more software. It needs to be removed altogether.

There’s a lot more in this meaty piece. Be sure to read it in full.

And if crapification by software has undermined the once-vaunted airline safety culture, why should we hold out hope for any better with self-driving cars?


136 comments

  1. Fazal Majid

    Automation is not the issue. Boeing cutting corners and putting only one or two angle of attack sensors is. Just like a man with two clocks can’t tell the time, if one of the sensors malfunctions, the computer has no way of knowing which one is wrong. That’s why Airbus puts three sensors in its aircraft, and why Boeing’s Dreamliner has three computers with CPUs from three different manufacturers to get the necessary triple redundancy.

    Thus this is really about Boeing’s shocking negligence in putting profits above safety, and the FAA’s total capture to the point Boeing employees did most of the certification work. I would add the corrosion of Boeing’s ethical standards was completely predictable once it acquired McDonnell-Douglas and became a major defense contractor.

    1. Yves Smith Post author

      I beg to differ since it looks like you didn’t read the article in full, as I strongly recommended.

      The article has a section on the cost of fixing hardware problems versus software problems. Hardware problems are enormously costly to fix.

      The plane has a hardware problem resulting from Boeing not being willing to risk having to recertify a fuel efficient 737. So rather than making the plane higher off the ground (new landing gear, which other articles indicate was a non-starter since it would lead to enough other changes so as to necessitate recertification), Boeing is trying to fix a hardware problem with software. That has two knock-on problems: it’s not clear this will ever be adequate (not just Travis’ opinion) and second, it’s risky given the software industry’s propensity to ship and patch later. Boeing created an additional problem, as Travis stresses, by greatly underplaying the existence of MCAS (it was mentioned after page 700 in the documentation!) and maintaining the fiction that pilots didn’t need simulator training, which some regulators expect will be the case even after the patch.

      You also miss the point the article makes: the author argues (unlike in banking), the FAA coming to rely on the airlines for certification wasn’t a decision they made, but an adaptation to the fact that they could no longer hire and retain the engineers they needed to do the work at the FAA on government pay scales. By contrast, at (say) the SEC, you see a revolving door of lawyers from plenty fancy firms. You have plenty of “talent” willing to work at the SEC, but with bad incentives.

      1. Susan the other

        Thank you for reviewing this. 700+ pages! I thought it was paywalled bec. so slow to download. The resistance to achieving fuel efficiency is front and center these days. One thing I relate it to is the Macron attitude of punishing the fuel consumer to change the market. Cart before horse. When the FAA sent down fuel efficiency requirements it might have been similarly preemptive, now in hindsight. There should have been legislation and regulation which adjusted the profitability of the airline industry via better tax breaks or regulations against aggressive competition. The safety of airlines would have been upheld if the viability of the company were protected. So even domestic protectionism when it comes to safety. And in so doing, the FAA/congress could also have controlled and limited airline use which tries to make up in volume for all the new costs it incurs. It’s a serious problem when you are so carefree as a legislator that you let the free market do it. What a mess. Quality is the first thing to go.

      2. foppe

        reminds me of what was said about risk departments inside banks — deliberately lowly paid, so that anyone with skills would move on or easily be hired away. Was it you? Bill Black? Luyendijk? I don’t remember. Either way..

      3. Marley's dad

        I did read the article completely and I was an aircraft commander of a C-141A during the Viet Nam war and I am a degreed electrical engineer.

        Having flown the C-141A for several thousand hours I am very familiar with the aircraft pitching up almost uncontrollably. A favorite trick that C-141 flight instructors pulled on pilots new to the aircraft was to tell the student pilot to “go around” (for the first time during his training) on an approach. The student pilot followed the flight manual procedure and started to raise the nose while advancing the throttles to full power. However, what wasn’t covered in the flight manual was the fact that a HUGE trim change occurred when the engines went from near idle to full power. To regain control, it took both hands (arms) to move the yoke away from your chest while running nose down trim. While you were doing this the airplane was trying to stand on its tail. On the other hand none of us ever forgot the lesson.

        The C-141 was not fly by wire; however all control surfaces were equipped with hydraulic assist and “feel springs” to mimic control feel without the hydraulics. The feel springs for the elevators must have been selected using a human subject like Arnold Schwarzenegger because (in my opinion) they were much stronger than necessary. The intent was to prevent the pilots from getting into excessive angles of pitch, which absolutely would occur if you weren’t prepared for it on a “go around”.

        What Fazal & V have said is basically correct. The max has four angle of attack vanes. The MAIN problem was that Boeing decided to go cheap and only connect one of the vanes to the MCAS. If they had connected two, the MCAS would be able to determine that one of them was wrong and disconnect itself. That would have eliminated the pitch down problem that caused the two crashes.

        Connecting that second AOA vane would not have created any certification issues and would have made Boeing’s claim about the “Max” being the “same” as previous versions much closer to the truth. Had they done that we wouldn’t be talking about this.

        Another solution would have been to disable the MCAS if there was significant counter force on the yoke applied by the pilot. This has been used on autopilot systems since the 1960’s. But not consistently. The proper programming protocol for the MCAS exists and should have been used.

        I agree that using only one AOA vane and the programming weren’t the only really stupid things that Boeing did in this matter. Insufficient information and training given to the pilots was another.

        1. d

          True thing: Boeing should have had as many AOA sensors as they could have had, and if one fails, the others would take up the slack, plus be a check on each other. That’s on Boeing. While Boeing didn’t stress the need for more training, they should have. But pilot training is done by the airlines, to the point that each one does it differently, and has different rules for the same types. So it’s a money thing. Even if it will cost both more in the end, which it will, they tend to take only the short-term view.

          1. albert

            “… if one fails, the others would take up the slack…”

            But what constitutes a failure of an AoA sensor?
            How does an AoA sensor know it has failed?
            How is that failure relayed to the MCAS computer?

            It’s not rocket science, but it’s not simple either..

            . .. . .. — ….

            1. D

              Well, if there are more than one and they don’t agree then don’t turn on the automation, since either there is a bad sensor, or a fault in the wiring; either makes what the sensor reports unreliable.
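The cross-check this thread is arguing for (Travis’s “strike 3”, Fazal Majid’s two clocks, Marley’s dad’s second vane, albert’s question of what counts as a failure, and D’s “if they don’t agree, don’t engage”) worked through as an added example; this is not code from the post, from any commenter, or from Boeing. The thresholds, sample ages and scenarios are constructed, and the two-sensor, three-sensor and column-force rules are an illustration of the principle, not a description of any real MCAS design.

```python
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple

# Constructed limits for the example; not values from any real aircraft.
AOA_MIN_DEG = -30.0          # physically plausible vane range, lower bound
AOA_MAX_DEG = 60.0           # upper bound; readings outside are treated as failed
DISAGREE_DEG = 5.0           # two sources further apart than this cannot both be trusted
MAX_AGE_S = 0.5              # a sample older than this is stale (sensor or wiring fault)
COLUMN_FORCE_LIMIT_N = 90.0  # sustained pilot force above this inhibits the augmentation
STALL_WARN_DEG = 14.0        # angle of attack above which the system would act


@dataclass
class AoaSample:
    """One reading from an angle-of-attack vane plus the health data needed to judge it."""
    value_deg: float
    age_s: float        # time since the sample was received
    self_test_ok: bool  # the sensor's own built-in-test bit


def sample_is_usable(s: AoaSample) -> bool:
    """Per-sensor checks that need no second sensor: self-test, freshness, physical range."""
    if not s.self_test_ok:
        return False
    if s.age_s > MAX_AGE_S:
        return False
    return AOA_MIN_DEG <= s.value_deg <= AOA_MAX_DEG


def select_aoa(samples: List[AoaSample]) -> Tuple[Optional[float], str]:
    """Cross-check the usable readings against each other.

    Returns (selected_angle, reason). A None angle means the consumer must not act.
    - 0 usable: nothing to act on.
    - 1 usable: a lone source cannot be validated (the man with one clock), so no value.
    - 2 usable: accept their mean only if they agree; if not, one is wrong but we cannot
      tell which, so no value.
    - 3+ usable: take the median and require at least two readings to agree with it,
      which lets a single outlier be voted out.
    """
    usable = [s.value_deg for s in samples if sample_is_usable(s)]
    if not usable:
        return None, "no usable AoA source"
    if len(usable) == 1:
        return None, "single AoA source cannot be cross-checked"
    if len(usable) == 2:
        a, b = usable
        if abs(a - b) > DISAGREE_DEG:
            return None, f"AoA sources disagree by {abs(a - b):.1f} deg"
        return (a + b) / 2.0, "two AoA sources agree"
    mid = median(usable)
    agreeing = [v for v in usable if abs(v - mid) <= DISAGREE_DEG]
    if len(agreeing) < 2:
        return None, "AoA sources do not form a consensus"
    return mid, f"{len(agreeing)} of {len(usable)} AoA sources agree with the median"


def augmentation_command(samples: List[AoaSample], column_force_n: float) -> Tuple[bool, str]:
    """Decide whether the nose-down augmentation may act this cycle.

    Two independent gates: sustained pilot force on the column wins outright (the
    autopilot-style disconnect Marley's dad describes), and the AoA value must survive
    the cross-check. Returns (engage, reason).
    """
    if abs(column_force_n) > COLUMN_FORCE_LIMIT_N:
        return False, "inhibited: pilot override on control column"
    aoa, reason = select_aoa(samples)
    if aoa is None:
        return False, "inhibited: " + reason
    if aoa <= STALL_WARN_DEG:
        return False, f"not required: AoA {aoa:.1f} deg at or below {STALL_WARN_DEG} deg ({reason})"
    return True, f"engage: AoA {aoa:.1f} deg ({reason})"


# Constructed scenarios: a healthy pair, one vane jammed high, the same jam with a
# third vane available, a genuine high-AoA condition, and a pair with one stale sample.
NORMAL_PAIR = [AoaSample(4.0, 0.02, True), AoaSample(4.5, 0.02, True)]
STUCK_VANE_PAIR = [AoaSample(4.0, 0.02, True), AoaSample(48.0, 0.02, True)]
STUCK_VANE_TRIPLE = STUCK_VANE_PAIR + [AoaSample(4.3, 0.02, True)]
GENUINE_HIGH_AOA = [AoaSample(16.0, 0.02, True), AoaSample(16.4, 0.02, True),
                    AoaSample(15.8, 0.02, True)]
STALE_PAIR = [AoaSample(4.0, 0.02, True), AoaSample(4.5, 2.0, True)]

if __name__ == "__main__":
    scenarios = [("normal pair", NORMAL_PAIR), ("stuck vane, pair", STUCK_VANE_PAIR),
                 ("stuck vane, triple", STUCK_VANE_TRIPLE), ("genuine high AoA", GENUINE_HIGH_AOA),
                 ("stale sample", STALE_PAIR)]
    for name, samples in scenarios:
        print(f"{name:20s} -> {augmentation_command(samples, 0.0)}")
    print(f"{'pilot override':20s} -> {augmentation_command(GENUINE_HIGH_AOA, 150.0)}")
```

With two vanes the jammed one can only inhibit the system; only the third vane lets the logic keep working by voting the bad reading out, which is the difference between the “two clocks” and “three sensors” cases in the comments above.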

      4. flora

        Yes.
        second, it’s risky given the software industry’s propensity to ship and patch later.
        -this is one of the main themes in the Dilbert cartoon strip.

        the author argues (unlike in banking), the FAA coming to rely on the airlines for certification wasn’t a decision they made, but an adaptation to the fact that they could no longer hire and retain the engineers they needed to do the work at the FAA on government pay scales.

        -That’s what happens when you make ‘government small enough to drown in a bathtub’ , i.e. starve of the funds necessary to do a good job.

        My 2¢…. Boeing’s decision to cut manufacturing corners AND give the autopilot MCAS system absolute control might have been done (just a guess here, based on all the current ‘self-driving’ fantasies in technology) to push more AI ‘self-drivingness’ into the airplane. (The ‘We don’t need expensive pilots, we can use inexpensive pilots, and one day we won’t need pilots at all’ fantasy.) Imo, this makes the MCAS system, along with the auto AI self-driving systems now on the road, no better than beta test platforms… And early beta test platforms, at that.

        It’s one thing when MS or Apple push out a not quite ready for prime time OS “upgrade”, then wait for all the user feedback to know where the OS needs more patches. No one dies in those situations (hopefully). But putting not-ready for prime time airplanes and cars on the road in beta test condition to get feedback? yikes…. my opinion.

        1. Anarcissie

          It is interesting that a software bug that appears in the field costs very roughly ten times as much as one caught in QA before being released, yet most managements continue to slight QA in favor of glitzy features. I suppose that preference follows supposed customer demand.

          1. fajensen

            Well.
            If one has good QA then after a few years some bean counter will prove its worth with: “we never have any errors and manufacturing issues, so why do we need all this QA?”

    2. Kathryn Tominey

      I expect that system safety engineers spotted the terribly flawed approach including the choice to charge extra to get both sensors connected, and up plus ups to get more profits at the expense of safety. It was a mgt feature not a bug.

      Deceiving the FAA about important differences between the original submitted design and final. That was a feature not a bug.

      Reprehensible.

  2. Alex V

    Boeing, the FAA, and the airlines seriously screwed up the introduction of this aircraft so badly it cost lives. The article by Travis is however written by someone out of his depth, even though he has more familiarity with aircraft and software than the average person. There are numerous factual errors and misrepresentations, which many commenters (with more detailed knowledge of the subjects) on the article point out. One of the principles of aviation safety is to identify and fix failures without finger pointing, in order to encourage a culture of openness and cooperation. The tone of the article takes the opposite approach while trying to argue from (undeserved) authority. I agree with his critique that these incidents are a result of capitalism run amok – that should, in my opinion, be separate from a discussion of the technical problems and how to fix them.

    1. Thuto

      If Boeing had adhered to that cardinal principle of openness, there might be no failure to fix via “a culture of openness and cooperation”. These catastrophic failures were a result of Boeing not being open with its customers about the safety implications of its redesign of the 737 Max and instead choosing the path of obfuscation to sell the idea of seamless fleet fungibility to airlines.

      1. Kathryn Tominey

        The engineers knew, I guarantee it. There will be review comments & emails. They were just overruled by mgt concerned about their annual bonus. Hopefully the engineers put key material on thumbdrives now tucked in safety deposit boxes.

    2. Knifecatcher

      Looking through the comments the complaints about the article seemed to be in one of three areas:

      – Questioning the author’s credentials (you’re just a Cessna pilot!)
      – Parroting the Boeing line that this was all really pilot error
      – Focusing on some narrow technical element to discredit the article

      The majority of comments were in agreement with the general tenor of the piece, and the author engaged politely and constructively with some of the points that were brought up. I thought the article was very insightful, and sometimes it does take an outsider to point out that the emperor has no clothes.

      I’d like to see a reference for your assertion that the “principles of aviation safety” preclude finger pointing. Unless I’m very much mistaken the whole purpose of an FAA accident investigation is to determine the root cause, identify the responsible party, and, yes, point fingers if necessary.

      1. Alex V

        This is one example:

        https://en.m.wikipedia.org/wiki/Crew_resource_management

        The general point I was trying to make, perhaps poorly worded, is that the only goal is to identify the problem and fix it, and not to focus primarily on assigning blame as vigorously as possible. Mistakes occur for many reasons – some of them nefarious, some not. Excessive finger pointing, especially before a full picture of what went wrong has been developed, fosters a tendency to coverups and fear, in my opinion.

        Regarding your other points, the technical details are vital to understand clearly in almost any aviation incident, as there is never one cause, and the chain of events is always incredibly complex. Travis’ analysis makes the answers too easy.

        1. skippy

          From what I understand the light touch approach was more about getting people to honestly divulge information during the investigation period, of which, assisted in determining cause.

          I think you overstate your case.

          1. Alex V

            This “light touch” approach is used throughout the aviation industry, all the way from initial design to aircraft maintenance, as the purpose is to make sure that anyone, no matter the rank or experience, can bring up safety concerns before incidents occur without fear of repercussions for challenging authority. It’s likely that this cornerstone of aviation culture was ignored at too many points along the way here.

            I am not defending Boeing, the FAA, or the airlines. Serious, likely criminal, mistakes were made by all.

            I however take issue with Travis’ approach of assigning blame this early and vigorously while making errors in explaining what happened. He especially attacks the development process at Boeing, since software is his speciality, although he makes no claims as to having worked with real time or avionics software, aside from using products incorporating it. These are quite different types of software from normal code running a website or a bank. He does not, and can not, know what occurred when the code was written, yet makes significant declarations as to the incompetence of the engineers and coders involved.

            If he were leading the investigation, I believe the most likely outcome would be pushback and coverup by those involved.

            1. flora

              It’s likely that this cornerstone of aviation culture was ignored at too many points along the way here.

              I am not defending Boeing, the FAA, or the airlines. Serious, likely criminal, mistakes were made by all.

              I however take issue with Travis’ approach of assigning blame this early

              I don’t disagree with your description of how it used to be. However, since the FAA has reduced its regulatory role, and by extension given aircraft manufacturers more leash to run with ideas that shouldn’t be followed, we’re left with the situation that large, potentially crippling tort lawsuits are one of the only checks left on manufacturer stupidity or malfeasance. Think of the Ford Pinto bolt-too-long-causing-gas-tank-explosions case. If the FCC won’t make manufacturers think twice when internal engineers say ‘this isn’t a good idea, isn’t a good design’, maybe the potential of a massive lawsuit will make them think twice.

              And this is where we get into pointing the finger, assigning blame, etc. I’m assuming there are good engineers at Boeing who warned against these multiple design failures and were ignored, the FCC was see-no-evil hear-no-evil, and the MCAS went forward. Now come the lawsuits. It’s the only thing left to ‘get Boeing’s attention’. I don’t know if Travis is too early. It’s likely there’s been plenty of chatter among the Boeing and industry engineers already. imo.

  3. charles 2

    Training a pilot is building a very complicated automation system: what kind of thought process do you expect within the short timeframe (a few minutes) of a crisis in a cockpit? Kant’s Critique of Pure Reason? Somehow people seem more comfortable with death coming from human error (i.e. a bad human automation system) than death coming from a design fault, but a death is a death…

    The problem is not automation vs no automation, it is bad corner-cutting automation vs good systematic and expensive automation. It is also bad integration between pilot brain based automation and system automation, which also boils out to corner cutting, because sharing too much information about the real behaviour of the system (if only it is known accurately…) increases the complexity and the cost of pilot training.

    Real safety comes from proven design (as in mathematical proof). It is only achievable on simple systems because proving is conceptually very hard. A human is inevitably a very complex system that is impossible to prove; therefore, beyond a certain standard of reliability, getting the human factor out of the equation is the only way to improve things further. We are probably close to that threshold with civil aviation.

    Also, I don’t see anywhere in aircraft safety statistics any suggestion of “crapification” of safety (see https://aviation-safety.net/graphics/infographics/Fatal-Accidents-Per-Mln-Flights-1977-2017.jpg). Saying that the improvement is due only to better pilot training and not to more intrinsically reliable airplanes is a stretch IMHO.

    Similarly, regarding cars, the considerable improvement in deaths per km travelled in the last 30 years cannot be attributed only to better drivers; a large part comes from ESP and ABS becoming standard (see https://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/811182). If this is not automation, what is?

    1. Yves Smith Post author

      It looks as if you didn’t read the piece. The problem, which the author makes explicit, is the “ship now, patch later” philosophy that is endemic in software design.

      And it would be better to look at flight safety stats within markets. You have great swathes of the emerging world starting to fly on airplanes during this period. I’m not saying the general trend isn’t correct, but I would anticipate it’s to a significant degree attributable to the maturation of emerging economy air systems. For instance, I flew on Indonesia’s Garuda in the early 1990s and was told I was taking a safety risk; I’m now informed that it’s a good airline. Similarly, in the early 1980s I was doing business in Mexico, and the McKinsey partner I was traveling with (who as a hobby read black box transcripts from plane crashes) was very edgy on the legs of our travels when we had to use AeroMexico (as in he’d natter on in a way that was very out of character for a typical older WASP-y guy, he was close to white knuckle nervous).

      1. Marley's dad

        Garuda’s transition from “safety risk” to “good airline” was an actual occurrence. At one point Garuda and all other Indonesian airlines were prohibited from flying in the EU because of numerous crashes that were the result of management issues, which forced the airline(s) to change their ways.

      2. Yikes

        This * bullet point reading habit Majid and Charles 2 both exhibit is part of the problem too. Goes back much further than the Challenger disaster, to several near misses at total nuclear war by faulty defense systems, and probably beyond that.

        Managers (and readers) are often so quick to show their value that they go off half informed (half cocked) under this continual push to Pareto when everything is critical. Crapification strikes again.

    2. Darius

      ABS is an enhancement. MCAS is a kludge to patch up massive weaknesses introduced into the hardware by a chain of bad decisions going back almost 20 years.

      Boeing should have started designing a new narrow-body when they cancelled the 757 in 2004. Instead, they chose to keep relying on the 737. The end result is MCAS and 300+ deaths.

  4. Olga

    “There are numerous factual errors and misrepresentations, which many commenters (with more detailed knowledge of the subjects) on the article point out.”
    Not sure why anyone would mis-characterise comments. The first comment points out a deficiency, and explains it. There was only one other commenter, who alleged errors – but without explaining what those could be. He was later identified by another person as a troll. Almost all other comments were complimentary of the article. So why make the above assertion?

    1. Yves Smith Post author

      We have a noteworthy number of newbie comments making poorly-substantiated digs at the Spectrum IEEE piece. We’ve also seen this sort of non-organic-looking response when we’ve put up pro-union pieces when political fights were in play, like Wisconsin’s Scott Walker going after unions.

      1. AEL

        Travis does indeed play fast and loose with a number of things. For example, his 0-360 engine does *not* have pistons the size of dinner plates (at a 130mm bore it isn’t even the diameter of a particularly large saucer). MCAS is a stability augmentation system, not a stall prevention system, and the 737 MAX wasn’t “unstable”; it was insufficiently stable. The 737 trim system acts on the stabilizer, not the elevator (which is a completely different control surface). Etc.

        For the most part, it doesn’t affect the thrust of his arguments which are at a higher level. However it does get distracting.

        1. Harrold

          “the 737 MAX wasn’t “unstable” it was insufficiently stable”

          The passengers are not “dead”, they are insufficiently alive.

          1. Olga

            Thank you – I was beginning to wonder what the difference was between unstable and insufficiently stable. Not that this is a subject to make jokes about.

            1. JBird4049

              Not that this is a subject to make jokes about.

              Yeah, but sometimes the choice is to laugh or cry, and after constantly going WTF!?! every time I read about this horror, even mordantly grim humor is nice.

        2. Walt

          Yes, stabilizer trim on the 737 acts on the horizontal stabilizer, not the elevator or “pilots’ control columns.”

          As a former “73” pilot, I too find the author’s imprecision distracting.

        3. Deres

          As far as I know, the parameters for the action of the MCAS were greatly augmented after flight testing of stalls. This seems to mean that a system originally meant as a “stability augmentation” effectively ended up as a “stall prevention”. This would also explain why Boeing was confident originally on this subject; aerodynamic studies hadn’t shown a great effect. But it was too late to modify the hardware after flight testing without many delays. Aerodynamic studies would have to be remade, all the prototypes modified and flight testing redone if you change the aerodynamics.

          A point worth noting is that Boeing never proposed to simply inhibit the MCAS in all the planes but insisted on proposing a patch of it. This shows that the MCAS MUST be implemented for the plane to fly safely, thus that the plane is unstable in parts of its flight envelope, contrary to the legislation.

  5. ChristopherJ

    Investigators pipe up, but my understanding of a proper investigation is: a. find out what happened; b. find out why the incident occurred; c. what can be done to prevent.

    The public opinion has already sailed I think, against the company. If negligent, adverse-safety decisions were made, the head people should be prosecuted accordingly.

    Yet, I feel this isn’t going to happen despite the reality that billions of humans never want to fly a Boeing jet again. Why would you risk it? Toast and deservedly imho.

    1. Deres

      The fact that the current Boeing management does not admit any errors works against them. They should have acted strongly after the first issues. But they persisted, including after the first crash, then the second and also when the whole world grounded the plane. The American president had to intervene to force them to ground the plane in the States … Do you just realize their stubbornness !!!

      I have also read that, on the contrary, people from the Boeing management on this project have progressed well in the company. In a correct company, the boss should have said publicly that when the mess is solved, heads will roll, including his.

  6. Ape

    “Agile” “use-case driven” software development: very dangerous, takes the disruptive, crappification approach (under some hands) of trying to identify the minimum investment to hit the minimal requirements, particularly focusing on an 80/20 Pareto rule distribution of efforts.

    Which may be good enough for video delivery or cell-phone function, but not for life-critical or scientifically-critical equipment.

    1. JeffC

      Many people here are assuming Boeing uses modern software-development methodology in spite of flaws that make such an approach iffy in this field. Why assume that?

      When I worked, many years ago now, as a Boeing software engineer, their software-development practices were 15 years behind the rest of the world. Part of that was sheer caution and conservatism re new things, precisely because of the safety culture, and part of it was because they did not have many of the best software people. They could rarely hire the best in part because cautious, super-conservative code is boring. Their management approach was optimized to get solid systems out of ordinary engineers with a near incomprehensible number of review and testing steps.

      Anyone in this audience worked there in software recently? If not, fewer words about how they develop code might be called for. Yes, the MCAS system was seriously flawed. But we do not have the information to actually know why.

      1. False Solace

        > Anyone in this audience worked there in software recently? If not, fewer words about how they develop code might be called for.

        4/16 Links included a lengthy spiel from Reddit via Hacker News by a software engineer who worked at Boeing 10 years ago (far more recently than you) which detailed the horrors of Boeing’s dysfunctional corporate culture at length. This is in addition to many other posts covering the story from multiple angles.

        NC has covered this topic extensively. Maybe try familiarizing yourself with their content before telling others to shut up.

        1. JeffC

          Excuse me? Are ad hominem attacks fine now? I didn’t tell anyone to “shut up” or contradict the great amount of good reporting on Boeing’s management dysfunction.

          I just pointed out that at one time, yes way back there, there was a logic to it and that the current criticism here of its software-development culture in particular seems founded on a combination of speculation and general disgust with the software industry.

          Whatever else I am or however wrong I may sometimes be, I am an engineer, and real engineers look for evidence.

          1. flora

            Thanks, JeffC.

            Standard, known, safety-first coding is boring in the sense that disruption isn’t on the menu. And hurray for that. Car brakes, bicycle brakes are boring, too, compared to ultra-whatever improvements in engine and drive train design. But without a solid (boring) braking system no one would drive or bicycle faster than 5 mph. Braking (safety) is *not* an area ripe for *disruption*. Thank goodness.

          2. Yikes

            Ad hominem attacks are fine; it’s ad hominem fallacies that are ill-structured.

            Oh, btw, “Maybe try familiarizing yourself with their content before telling others to shut up.” is neither an ad hominem attack nor an ad hominem fallacy. Saying we’re all stupid from time to time is accurate.

      2. d

        Yes, doing so currently. And yes, they want us to become agile. And while our software won’t directly kill someone, it could make a huge mess, and maybe kill companies. But it is the current ‘fad’ in software, mostly ’cause it’s fast, and cheap. And sort of maybe might make it more reliable. And yes, companies don’t really like QA, as they don’t see the benefit (until there is that midnight call, that runs for several days, if not weeks). Then they will ask QA why didn’t you catch the problem? And even if we had, they had overruled QA and it went out. But considering that the errors in the software weren’t really the problem, but the design of the hardware (1 AOA sensor??? on an airplane?? with over 100 people on board???)
        This is more systemic: the government at behest of industry let the industry take over more of the work, but seems to have skipped the responsibility part, plus the manufacturer took the short view, cutting corners on safety, and the airlines avoided cost by not doing training. So it seems no one really cared till the planes started crashing. Which, if you go back, you will find that just about every new plane has done since we started building them, along with just about everything else we have made, but this time we took the shortcut. And will now pay for it for decades. And should.

    2. fajensen

      I would not immediately blame “Agile” software development for this.

      To me it – “it” being why not more sensors, et cetera – now that sounds in the direction of a very systems-engineering heavy, perhaps even leaning towards Fundamentalistic systems-engineering environment*.

      An environment where the software developers shall receive a detailed System Description, a Requirement Specification and a Test Specification (or maybe they get to deliver the latter).

      The design teams *shall explicitly not* receive any information outside of the formal requirements because that is deemed to be an impure way of working. Knowledge about more than the upstream and downstream interfaces is seen as (at best) an unhealthy distraction and it invites heresy, leading to “blurring of interfaces” and “requirements creep”. It also invites legal issues, especially if one is skirting the line on “legal”. One of the basic things taught to new developers is Never, Ever do patent research before implementing something :)!

      In such a world, the developers might not even know exactly what “context” their system will be operating in; they just know the stated requirements and work out how to fulfil them. Each team is only seeing a fraction of the system, and they are delivering “upstream” to integration teams, who deliver to integration teams, all the way up to some lead integration team, which has the overall picture, but not the component level details.

      In such a controlled environment it is easier for machiavellian decision-makers to cut corners on the systems design because the experts are safely ring-fenced in fungible design teams, and all systems-level information safely compartmentalised. “They” only really need to influence a few people on the conceptual design level and integration levels.

      Some combination of the Agile- and Systems Engineering- approach (where one is using system engineering methods to define the “boxes” and their interfaces, then “Agile” for ‘the insides’), is, IMO, not too shabby and this is what most organisations eventually will end up with doing after enough failures.

      —-
      *) I saw this in the 1980’s while working on a railway safety system, to be delivered by Siemens, where the developers got yelled at by a “Dr. Ing.” for asking what a “point” was. Since we were paying, we put an end to that quickly by putting all the developers and the “Dr. Ing”, to rub his nose in it, on the basic 2 week railway safety training course for new employees. It did not feel safe that the developers didn’t know what they were working with. This system was years late and when eventually delivered, never worked fully as specified.

  7. NN

    Moving the engines in itself didn’t introduce safety risks; this tendency to nose up was always there. The primary problem is Boeing wanted to pretend MAX is the same plane as NG (the previous version) for certification and pilot training purposes. Which is why the MCAS is a black box deeply hardwired into the control systems and they didn’t tell pilots about it. It was supposed to be invisible, just a sort of translating layer between the new airframe and pilots commanding it as the old one.

    And this yearning for pre-automation age, for directly controlling the surfaces by cables and all, is misguided. People didn’t evolve for flying, it’s all learned the hard way, there is no natural way to feel the plane. In fact in school they will drill into you to trust the instruments and not your pedestrian instincts. Instruments and computers may fail, but your instincts will fail far more often.

    After all, the 737 actually is an old design, not fly by wire. And one theory of what happened in the Ethiopian case is that when they disengaged the automatic thing, they were not able to physically overcome the aerodynamic forces pushing on the plane. So there you have your cables & strings operated machine.

    1. Yves Smith Post author

      I don’t see basis for your assertion about safety risks given the counter-evidence in the form of the very existence of the MCAS software. Every article written on it points out it was to prevent the possibility of the plane stalling out when “punching up”. And as the article describes, there were two design factors, the placement of the engines and the nacelles, which led to it generating too much lift in certain scenarios.

      And your argument regarding what happened when the pilot turned off the autopilot is yet another indictment of Boeing’s design. This is not “Oh bad pilots,” this is “OMG, evidence of another Boeing fuckup.” This is what occurred when the pilots disabled MCAS per instructions.

      Have you not heard of purely mechanical systems that allow for the multiplication of force? It’s another Boeing design defect that the pilots couldn’t operate the flight stabilizer when the plane was under takeoff stresses. That’s a typical use case! And it was what Boeing told pilots to do and it didn’t work! From Reuters (apparently written before the black box detail revealed that the pilots could not control the stabilizers):

      Boeing pointed to long-established procedures that pilots could have used to handle a malfunction of the anti-stall system, regardless of whether the pilots knew MCAS existed.

      That checklist tells pilots to switch off the two stabilizer trim cutout switches on the central console, and then to adjust the aircraft’s stabilizers manually using trim wheels.

      And that’s one of the things they should worry about most, since that’s one of the highest risk times for flight, and the plane should have been engineered with that scenario in mind. This raises the possibility that the inability of the pilots to handle the plane manually in takeoff also somehow resulted from the changes to the aerodynamics resulting from the placement of the bigger engines.

      This is his argument about how the reliance on software has led to undue relaxation of good hardware design principles:

      The original FAA Eisenhower-era certification requirement was a testament to simplicity: Planes should not exhibit significant pitch changes with changes in engine power. That requirement was written when there was a direct connection between the controls in the pilot’s hands and the flying surfaces on the airplane. Because of that, the requirement—when written—rightly imposed a discipline of simplicity on the design of the airframe itself. Now software stands between man and machine, and no one seems to know exactly what is going on. Things have become too complex to understand.

      1. NN

        I’ll cite the original article:

        Pitch changes with power changes are common in aircraft. Even my little Cessna pitches up a bit when power is applied. Pilots train for this problem and are used to it.

        Again, the plane already had the habit of pitching up and the changes didn’t add that. The question isn’t if, but how much and what to do about it. Nowhere did I read MAX exceeds some safety limits in this regard. If Boeing made the plane to physically break regulations and tried to fix it with software then indeed that would be bad. However, I’m not aware of that.

        As for the Ethiopian scenario, I was talking about this article. It says when they tried manual, it very well could be beyond their physical ability to turn the wheels and so they were forced to switch electrical motors back on, but that also turned MCAS back on. In fact it also says this seizing up thing was present in the old 737 design and pilots were trained to deal with it, but somehow the plane became more reliable and training for this failure mode was dropped. This to me doesn’t look like the good old days of aviation design ruined by computers.

        1. JerryDenim

          You should read the Ethiopian Government’s preliminary crash report. Very short and easy to read. Contains a wealth of information. Regarding the pilots’ attempt to use the manual trim wheel, according to the crash report, the aircraft was already traveling at 340 knots indicated airspeed, well past Vmo or the aircraft’s certified airspeed, when they first attempted to manually trim the nose up. It didn’t work because of the excessive control forces generated by high airspeeds well beyond the aircraft’s certification. I’m not excusing Boeing, the automated MCAS nose down trim system was an engineering abomination, but the pilots could have made their lives much easier by setting a more normal thrust setting for straight and level flight, slowing their aircraft to a speed within the normal operating envelope, then working their runaway nose-down pitch emergency.

          1. Deres

            The pilots were not flying a plane anymore but a Christmas tree full of blinking lights and audio warnings. Yes, they should have decreased power, but remember that the aircraft was going down quickly and the pilots had both hands on the stick to counter that, without results.

  8. lol

    Well versed but not having the expertise to properly address the technical details, I will refrain from such. Regardless and clearly contributory is the corporate capture of the FAA. When a regulatory agency embraces its regulatees as “customers” tragedy will ensue.

  9. John k

    Before the US grounded the MAX I checked what 737 version I was scheduled to fly, prepared to cancel or change if it was a MAX. I will continue that approach after recert for a couple of years. There are options, and it’s easy to check. Vote with my feet…
    Interesting to see how the public reacts. Those not paying attention can be the test dummies.

    1. JBird4049

      Interesting to see how the public reacts. Those not paying attention can be the test dummies.

      In the United States at least, the general public are the passengers, and not everyone has the time, money or the knowledge to find out what kind of plane they are flying on and to not take it.

      If you are tired, cranky, half brain dead, and the elderly and/or young relative is yelling, or throwing up, or walking away, or just complaining loudly in your ear, and you are stuck in TSA security hell with those… compassionate… screeners, and trying to get to the funeral, wedding, interview, hotel, Thanksgiving, or Christmas, the exact model of plane is like 100+ on the things to worry about, never mind you actually checking for.

      If you are someone who reads the New York Times, well yes that would be reasonable, but someone from Salinas just trying to get the family to the annual family Thanksgiving disaster, using Budget Air because that is all you can afford, not so much.

      Saying that the public should be responsible for not flying the 737 Max is just another mental tax, rather like those self checkout lines, or the DMV permawaitlines, or the constantly increasing corruption, and in this case, folly and general stupidity throughout the governmental, economic, and social systems. It becomes too much and then one has to ask what the various agencies, governments, political parties, and other organizations are for? How am I tasked with the responsibility to not take the wrong plane?

      Then again, all the safety checks in our society are being degraded, and usually for money, with the solution usually given as personal responsibility instead of fixing those broken safety checks.

  10. none

    I didn’t like the IEEE Spectrum piece very much since the author seemed to miss or exaggerate some issues, and also seemed to confuse flying a Cessna with being expert about large airliners or aerospace engineering. The title says “software engineer” but at the end he says “software executive”. Executive doesn’t always mean non-engineer but it does mean someone who is full of themselves, and that shows through the whole article. The stuff I’m seeing from actual engineers (mostly on Hacker News) is a little more careful. I’m still getting the sense that the 737 MAX is fundamentally a reasonable plane though Boeing fucked up badly presenting it as a no-retraining-needed tweak to the older 737s.

    There’s some conventional wisdom that Boeing’s crapification stems from the McDonnell merger in 1997. Boeing, then successful, took over the failing and badly managed McDonnell. The crappy McDonnell managers then spent the next years pushing out the Boeing managers, and subsequently have been running Boeing into the ground. I don’t know how accurate that is, but it’s a narrative that rings true.

    1. Yves Smith Post author

      You are misrepresenting the Hacker News criticisms, and IMHO they misrepresent the piece. They don’t question his software chops. And if you really knew the software biz, “software executive” often = developer who built a company (and that includes smallish ones). The guy OWNS a Cessna, which means he’s spent as much on a plane as a lot of people spend on a house. If he was a senior manager as you posit, that means at a large company, and no large company would let an employee write something like this. He’s either between gigs or one of the top guys in a smallish private company where mouthing off like this won’t hurt the business. Notice also his contempt for managers in the article.

      He’s also done flight simulator time on a 757, and one commenter pointed out that depending on the simulator, it could be tantamount to serious training, as in count towards qualifying hours to be certified to fly a 757.

      They do argue, straw manning his piece, that he claims the big failure is with the software. That in fact is not what the article says. It says that the design changes in the 737 Max made it dynamically unstable, which is an unacceptable characteristic in any plane, no matter what size. He also describes at length the problem of relying on only one sensor as an input to the MCAS and how that undermined having the pilots be able to act as a backup… by looking at each other’s instrumentation results.

      The idea that he’s generalizing from a Cessna is absurd. He describes how Cessnas have the pilot having greater mechanical control than jets like the 737. He describes how the pilots read the instrument results from each side of the plane, something which cannot occur in a Cessna, a single pilot plane. He refers to the Cessna documentation to make the point that the norm is to over-inform pilots as to how changes in the software affect how they operate the plane, not radically under-inform them as Boeing did with the 737 Max.

      As to the reasonableness of Travis’ concerns, did you miss that a former NASA engineer has the same reservations? Are you trying to say he doesn’t understand how aircraft hardware works?

      1. Alex V

        A few points:

        He owns a 1978 Cessna 172, goes for about $70K, so not quite house prices, more like a nice Tesla, whose drive by wire systems he seems to trust far more for some reason.

        In regard to “dynamic instability” being unacceptable, this is a red herring. Most modern airliners rely on flight characteristic augmentation systems in normal operation, trim systems being the most common. Additionally, there are aircraft designed to be unstable (fighters) but rely on computers to fly them stably, to greatly increase manoeuvrability.

        In regard to Cessnas being single pilot planes, the presence of flight controls on both sides of the cockpit would somewhat bring into question this assertion….? Most 172s do however have only one set of instrumentation. When operating with two pilots (as with let’s say a student pilot and instructor) you would still have the issue of two pilots trying to agree on possibly faulty readings from one set of non-redundant instruments.

        1. Yves Smith Post author

          No, it’s a 1979 Cessna, and you don’t know when he bought it and how much use it had, since price is significantly dependent on flight hours. The listings I saw show it costs over $100K. A quick Google search says a plane with a new feel is closer to $300K. Even $100K in equity is more than most people put down when buying a house.

          He also glides, and gliders often own or co-own their gliders.

          The author acknowledges your point re fighters. Did you miss that he also says they are the only planes where pilots can eject themselves from the aircraft? Arguing from what is acceptable for a fighter, where you compromise a lot on other factors to get maneuverability, to a commercial jet is dodgy.

          1. Alex V

            According to the registration it became airworthy in 1978, so perhaps that is the model year.

            https://uk.flightaware.com/resources/registration/N5457E

            Regarding fighters and instability, I’m not the one that stated it’s “an unacceptable characteristic in any plane, no matter the size”.

            I am completely on Travis’ side when it comes to the issues with culture and business that brought on these incidents. Seeing however that these affected and overrode good engineering, I believe it’s vitally important that the engineering is discussed as accurately as possible. Hence my criticism of the piece.

            1. Yves Smith Post author

              Had you looked at prices as you claimed to, Cessna 172s specify the year in the headline description. 1977 v. 1978 v. 1979 on a page I got Googling for 1979.

              You are now well into the terrain of continuing to argue for argument’s sake.

      2. PlutoniumKun

        I agree with you that the article is good and the criticisms I’ve read seem largely unmerited (quite a few of those btl on that article are clearly bad faith arguments), but just to clarify:

        That in fact is not what the article says. It says that the design changes in the 737 Max made it dynamically unstable, which is an unacceptable characteristic in any plane, no matter what size.

        My understanding (non-engineer, but long time aviation nerd) is that many aircraft, including all Airbuses, are dynamically unstable and use software to maintain stability. The key point I think that the article makes is that there is a fundamental difference between designing hardware and software in synchronicity to make a safe aircraft (i.e. Airbus), and using software as a fudge to avoid making hard decisions when the hardware engineers find they can’t overcome a problem without spending a fortune in redesigns.

        Hard engineering ‘fudges’ are actually really common in aircraft design – little bumps or features added to address stability problems encountered during testing – an example being the little fore planes on the Tupolev 144 supersonic airliner. But it seems Boeing took a short cut with its approach and a lot of people paid for this with their lives. Only time will tell if it was a deep institutional failure within Boeing or just a flaw caused by a rushed roll-out.

        I’ve personal experience of a catastrophic design flaw (not one that could kill people, just one that could cost hundreds of millions to fix) which was entirely down to the personal hang-ups of one particular project manager who was in a position to silence internal misgivings. Of course, in aircraft design this is not supposed to happen.

        1. 737 Pilot

          There is not a single commercial airliner flying that is dynamically unstable. It is simply not possible for such an aircraft to be certified under current regulations.

          Some military tactical aircraft are inherently unstable which increases their maneuverability, and yes, they need the FBW systems to help manage stability issues.

          1. Deres

            As I learned in engineering school, an advantage of the canard configuration of an unstable military fighter is that it is fully responsible for the instability. As it is a totally movable surface (not a fixed one), if you deactivate its controls, it aligns with the airflow and the aircraft returns to stability.

  11. Thuto

    I’m reminded of the famous “software is eating the world” quote by uber VC Marc Andreessen. He posits that in an era where Silicon valley style, software led disruption stalks every established industry, even companies that “make things” (hardware) need a radical rethink in terms of how they see themselves. A company like Boeing, under this worldview, needs to think of itself as a software company with a hardware arm attached, otherwise it might have its lunch eaten by a plucky upstart (to say nothing of Apple or Google) punching above its weight.

    It’s not farfetched to imagine an army of consultants selling this “inoculate yourself from disruption” thinking to companies like Boeing and being taken seriously. With Silicon valley’s obsession with taking humans out of the loop (think driverless cars/trucks, operator-less forklifts etc) one wonders whether these accidents will highlight the limitations of technology and halt the seemingly inexorable march towards complex automation reducing pilots to cockpit observers coming along for the ride.

  12. WobblyTelomeres

    “native pitch stability”

    Let me guess. The author prolly flies a Cessna 172. [checks article]. Yep.

    The 172 is one of the most docile and forgiving private planes ever. Ignore that my Mom flew hers into a stand of trees.

    1. Yves Smith Post author

      Ad hominem and therefore logically invalid. Plus reading comprehension problem. The “native pitch stability” comment was from Mike Slack, a former NASA engineer, and not Travis, the Cessna owner.

    2. Mel

      I think that the point is that there are aircraft that don’t take over the controls and dive into the ground. It’s possible to have these kinds of aircraft. These kinds of aircraft are good to have. It’s like an existence proof.

  13. Octopii

    No, not dangerously pro-automation. More like dangerously stuck in the past, putting bandaids on a dinosaur to keep false profits rolling in. AF447 could be argued against excessive automation, but not the Max.

    1. tegnost

      I think they are real profits. And the automation that crashed two planes over a short time span and it wasn’t excessive? Band aids on what was one of the safest planes ever made (how many 737s crashed pre 737 MAX?). The hardware problem was higher landing gear along with engines that were larger and added lift to the plane. MCAS was intended to fix that. It made it worse. I won’t be flying on a MAX.

    2. Deres

      In fact, in AF447, the automation immediately detected incoherencies between its sensors and gave full authority to the pilots. But the pilots were unable to understand the complex situation and coordinate between them (at night in bad weather at extreme altitude), leading to them stalling the aircraft and not regaining control in the 3 minutes they had before crashing. This is exactly the inverse situation of the B737 MAX automation, which does not detect sensor issues and acts behind the pilots’ backs.

  14. Carolinian

    Thanks for the article but re the above comments–perhaps that 737 pilot commenter should weigh in because some expert commentary on this article is badly needed. My impression from the Seattle Times coverage is that the MCAS was not implemented to keep the plane from falling out of the sky but rather to finesse the retraining issue. In other words a competent pilot could handle the pitch up tendency with no MCAS assist at all if trained or even informed that such a tendency existed. And if that’s the case then the notion that the plane will be grounded forever is dubious indeed.

    1. Yves Smith Post author

      This isn’t quite correct, and I suggest you read the article in full.

      The issue isn’t MCAS. It is that MCAS was to compensate for changes in the plane’s aerodynamics that were so significant that it should arguably have been recertified as being a different plane. That was what Boeing was trying to avoid above all. Former NASA engineer Mike Slack makes that point as well. Travis argues that burying the existence of MCAS in the documentation was to keep pilots from questioning whether this was a different plane:

      It all comes down to money, and in this case, MCAS was the way for both Boeing and its customers to keep the money flowing in the right direction. The necessity to insist that the 737 Max was no different in flying characteristics, no different in systems, from any other 737 was the key to the 737 Max’s fleet fungibility. That’s probably also the reason why the documentation about the MCAS system was kept on the down-low.

      Put in a change with too much visibility, particularly a change to the aircraft’s operating handbook or to pilot training, and someone—probably a pilot—would have piped up and said, “Hey. This doesn’t look like a 737 anymore.” And then the money would flow the wrong way.

      1. Carolinian

        I think you just said what I said. My contention is that the only reason the plane could ever be withdrawn is that the design is so inherently unstable that this extra gizmo–the MCAS–was necessary for it to fly. Whereas it appears the MCAS was for marketing purposes and if it had never been added to the plane the two accidents quite likely may never have happened–even if Boeing didn’t tell pilots about the pitch up tendency.

        But I’m no expert obviously. This is just my understanding of the issue.

        1. Darius

          From what I’ve read at related links in the last week, a significant element is common type rating. Manufacturers don’t have to go through expensive recertification if their modifications are minor enough, earning a common type rating. Thus, the successive incarnations of the 737 over the decades.

          I’m only a layman, but a citizen who tries to stay informed and devours material on this topic. The common type rating merry-go-round needs to stop. It seems at least that a new engine with a different position that alters the basic physics of the plane shouldn’t qualify for a common type rating, which should be reserved only for the most minor of modifications.

        2. barrisj

          As one who has followed the entirety of the MAX stories as detailed by the Seattle Times aviation reporters, it all comes back to “first principles”: a substantive change in aerodynamics by introduction of an entirely new pair of engines should have required complete re-engineering of the airframe. We know that Boeing eschewed that approach, largely for competitive and cost considerations, and subsequently tried to mate the LEAP engines to the existing 737 airframe by installing the MCAS, amongst other design “tweaks”, i.e., “kludging” a fix. Boeing management recognized that this wouldn’t be the “perfect” aircraft, but with the help of a compliant FAA and a huge amount of “self-assessment”, got the beast certified and airborne——until the two crashes, that is. Whether the airlines and/or the flying public will ever accept the redo of MCAS and other ancillary fixes is highly problematic, as the entire concept was flawed from the kick-off.
          Also, it should be mentioned in passing that even the LEAP engines are having some material-wear issues:
          https://www.flightglobal.com/news/articles/cfm-reviews-fleet-after-finding-leap-1a-durability-i-442669/

    2. Deres

      If this were the case, Boeing would have just inhibited the function by parameter patching after discovering the issue. But they could not, because the MCAS is part of the safety case to protect against an aerodynamic issue leading to a stall. If the AoA auto-increases, that means that the airplane WILL stall if it reaches an AoA well below its stall angle. Thus MCAS cannot be inhibited; otherwise they would have to say to the pilots that the maximum AoA authorized is far smaller on the MAX than on the NG.

  15. b

    The IEEE Spectrum piece is somewhat reasonable, but the author obviously lacks technical knowledge of the 737. He also does not understand why MCAS was installed in the first place.

    For example:
    – “However, doing so also meant that the centerline of the engine’s thrust changed. Now, when the pilots applied power to the engine, the aircraft would have a significant propensity to “pitch up,” or raise its nose.”
    – The MAX nose up tendency is a purely aerodynamic effect. The centerline of the thrust did not change much.

    – “MCAS is implemented in the flight management computer, ”
    – No. It is implemented in the Flight Control Computer, of which there are two. (There is only one FMC unit.)

    – “It turns out that the Elevator Feel Computer can put a lot of force into that column—”
    – The Elevator Feel unit is not a computer but a deterministic hydraulic-mechanical system.

    – “Neither such [software] coders nor their managers are as in touch with the particular culture and mores of the aviation world as much as the people who are down on the factory floor, ”
    – The coders who make the Boeing and Airbus systems work are specialized in such coding. Software development for aircraft is a rigid, formularized process which requires a deep understanding of the aviation world. The coders appropriately implement what the design engineers require after the design review has confirmed it. Nothing less, nothing more.

    …and more than a dozen other technical misunderstandings and mistakes.

    If the author had read some of the PPRUNE threads on the issue or asked a 737 pilot, he would have known all this.

    1. Harrold

      And yet the fact remains that the 737MAX is grounded world wide and costing Boeing and airlines millions every day.

    2. Yves Smith Post author

      Given what has happened with Boeing manufacture (787s being delivered with tools and bottles rattling around in them), you have no basis for asserting how Boeing does software in practice these days.

      And you have incontrovertible evidence of a coding fail: relying on only one sensor input when the plane had more than one sensor. I’m sorry, I don’t see how you can blather on about safety and coders supposedly understanding airplanes with that coded in.

      JeffC, who actually worked at Boeing years ago, said the coding was conservative (lots of people checked it) because they were safety oriented, but that they also didn’t get very good software engineers, since writing software at Boeing was boring.

      1. b

        I’ve been doing IT for some 40 years now which includes several years of consulting at a sub-company of Airbus. I am quite familiar with the process of how such software gets produced.

        I also knew programmers who worked on such systems. They are not “very good software engineers” in the sense of some genius who creates a new computer language in a day. They ARE “very good software engineers” if you want a reliable, conservative implementation.

        The reliance on one sensor was a (business driven) aviation design decision, not a software implementation issue. Software engineers may consult on such issues but they do not make the decisions.

        https://www.washingtonpost.com/business/economy/boeings-737-max-design-contains-fingerprints-of-hundreds-of-suppliers/2019/04/05/44f22024-57ab-11e9-8ef3-fbd41a2ce4d5_story.html
        /quote/
        Boeing designed that software, known as the Maneuvering Characteristics Augmentation System (MCAS). But the lines of code underpinning this system and the physical box it runs on were programmed and built to Boeing’s specifications by a lesser-known company called Rockwell Collins, one of the hundreds of partners that Boeing relies on to assemble the 737 Max.
        /endquote/

  16. johnf

    I still have some trouble blaming the 737 losses, ipso facto, on using automation to extend an old design. There are considerably more complex aircraft systems than MCAS that have been reliably automated, and building on a thoroughly proven framework usually causes less trouble than suffering the teething problems of an all new design.

    At the risk of repeating the obvious, a basic principle of critical systems, systems which must be reliable, is that they can not suffer from single point failures. You want to require at least two independent failures to disturb a system, whose combined probability is so low that other, unavoidable failure sources predominate, for example, weather or overwhelming, human error.

    This principle extends to the system’s development. The design and programming of a (reliable) critical system can not suffer from single point failures. This requires a good many skilled people, paying careful attention to different, specific stages of the process. Consider a little thing I once worked on: the indicator that confirms a cargo door is closed, or arguably, that it is neither open nor unlatched. I count at least five levels of engineers and programmers, between Boeing and the FAA, that used to validate, implement and verify the work of their colleagues, one or more levels above and/or below, to ensure the result was safe.

    I bet what will ultimately come out is that multiple levels of the validation and verification chain have been grievously degraded (“crapified”) to cut costs and increase profits. The first and last levels for a start. I am curious and will ask around.

    1. Darius

      The MAX isn’t a proven framework. Boeing fundamentally altered the 737 design by shifting the position of the engines. The MCAS fudge doesn’t fix that.

  17. The Rev Kev

    My own impression is that there seems to be a clash between three separate philosophies at work here. The first is the business culture of Boeing which had supplanted Boeing’s historical aviation-centric ways of doing things in aircraft design. The bean-counters & marketing droids took over, outsourced aircraft construction to such places as non-union workshops & other countries, and thought that cutting corners in aircraft manufacture would have no long-term ill effects. The second philosophy is that of software design that failed to understand that the software had to be good to go as it was shipped and had little understanding of what happens when you ship beta-standard software to an operational aircraft in service. This was to have fatal consequences. The third culture is that of the pilots themselves which seek to keep their skills going in an aviation world that wants to turn them into airplane-drivers. If there is any move afoot to have self flying aircraft introduced down the track, I hope that this helps kill it.
    Boeing is going to take a massive financial hit and so it should. Heads should literally roll over this debacle and it did not help their case when they went to Trump to keep this plane flying in the US without thought as to what could have happened if a US or Canadian 737 MAX had augured in. The biggest loser I believe is going to be the US’s reputation with aviation. The rest of the aviation world will no longer trust what the FAA says or advise without checking it themselves. The trust of decades of work has just been thrown out the door needlessly. Even in the critical field of aircraft crash investigation, the US took a hit as Ethiopia refused the demands that the black boxes be sent to the US but sent them instead to France. That is something that has flown under the radar. This is going to have knock-on effects for decades to come.

    1. Susan the other`

      Beginning to look like a trade war with the EU. Airbus, Boeing, VW, US cars; but haven’t seen Japan drawn into this yet. Mercedes Benz is saying EV cars are nonsense, they actually create more pollution than diesel engines, and they are recommending methane gasoline (that sounds totally suicidal), and hydrogen power. Hydrogen has always sounded like a good choice, so why no acclaim? It can only be the resistance of vested interests. The auto industry, like the airline industry, is frantically trying to externalize its costs. Maybe we should all just settle down and do a big financial mutual insurance company that covers catastrophic loss by paying the cost of switching over to responsible manufacturing and fuel efficiency. Those corporations cooperate with shared subsidiaries that manufacture software to patch their bad engineering – why not a truce while they look for solutions?

  18. voislav

    The whole 737 development reminds me of a story a GM engineer told me. Similarly to the aviation industry, when GM makes modifications to an existing part on a vehicle, if the change is small enough the part does not need to be recertified for mechanical strength, etc. One of the vehicles he was working on had a part failure in testing, so they looked at the design history of the part. It turns out that, similarly to 737, this was a legacy part carried over numerous generations of the vehicle.

    Each redesign of the vehicle introduced some changes, they needed to reroute some cabling, so they would punch a new hole through the part. But because the change was small enough the engineering team had the option of just signing off on the change without additional testing. So this went on for years, where additional holes or slits were made in the original part and each change was deemed to be small enough that no recertification was necessary. The cumulative change from the original certification was that this was now a completely different part and, not surprisingly, eventually it failed.

    The interesting part of the story was the institutional inertia. As all these incremental changes were applied to the part, nobody bothered to check when the part was last actually tested and what the part design was at that time. Every step of the way everybody assumed their change was small enough not to cause any issue and did not do any diligence until a failure occurred.

    Which brings me back to the 737, if I am not mistaken, 737 MAX is, for certification purposes, considered an iteration of the original 737. The aircraft though is very different than the original, increased wingspan (117′ vs 93′), length (140′ vs. 100′). 737 NG is similarly different.

    So for me the big issue with the MAX is the institutional question that allowed a plane so different from the original 737 certification to be allowed as a variant of the original, without additional pilot training or plane certification. The upcoming 777X has the same issue: it’s a materially different aircraft (larger wingspan, etc.) that has a kludge (folding wingtips) to allow it to pass as a variant of the original 777. It will be interesting to see, in the wake of the MAX fiasco, what treatment the 777X gets when it comes to certification.

    1. Susan the other`

      The FAA needs to be able to follow these tweaks. Maybe we citizens need a literal social contract that itemizes what we expect our government to actually do.

  19. Matthew G. Saroff

    There are also allegations of shoddy manufacturing on the 787 at Boeing’s South Carolina (union busting) facility.

    BTW, I do not believe that the problems are insoluble, or as a result of a design philosophy, but rather it is a result of placing sales over engineering.

    There are a number of aerodynamic tweaks that could have dealt with this issue (larger horizontal tail comes to mind, but my background is manufacturing not aerodynamics), but this would require that pilots requalify for a transition between the NG and the MAX, which would likely mean that many airlines would take a second look at Airbus.

  20. vomkammer

    We should avoid blaming “software” or “automation” for this accident. The B737 MAX seems to be a case of “Money first, safety second” culture, combined with insufficient regulatory control.

    The root of the B737 MAX accidents was an erroneous safety hazard assessment: The safety assessment (and the FAA) believed the MCAS had a 0.6 authority limit. This 0.6 limit meant that an erroneous MCAS function would only have limited consequences. In the safety jargon, its severity was classified as “Major”, instead of “Catastrophic”.

    After the “Major” classification was assigned, the subsequent design decisions (like using a single sensor, or perhaps insufficient testing) are acceptable and in line with the civil aviation standards.

    The problem is that the safety engineer(s) failed to understand that the 0.6 limit was self-imposed by the MCAS software, not enforced by any external aircraft element. Therefore, the MCAS software could fail in such a way that it ignored the limit. In consequence, MCAS should have been classified “Catastrophic”.

    Everybody can make mistakes. We know this. That is why these safety assessments should be reviewed and challenged inside the company and by the FAA. The need to launch the MAX fast and the lack of FAA oversight resources surely played a greater role than the usage of software and automation.

  21. oaf

    Yves: Thanks for this post; it has (IMO) a level-headed perspective. It is not about assigning *blame*, it is about *What, Why, and How to Prevent* what happened from re-occurring. Blame is for courts and juries. Good luck finding jurors who are not predisposed; due to relentless bombardment with parroted misinformation and factoids.

  22. YY

    I wonder how often MCAS kicked in on a typical 737MAX flight, in situations where the weather vane advising of angle of attack was working as per normal. Since we are excluding the time when the auto-pilot is working and also the time when the flaps are down, there is only a very small time window immediately after take off. I would venture to guess that the MCAS would almost always adjust the plane at least once. This is once too many, if one is to believe that the notion of design improvement includes improvement in aerodynamic behavior. The fact that MCAS could only be overridden by disabling the entire motor control of the trim suggests that the MCAS feature is absolutely necessary for the thing to fly without surprise stalls. There is no excuse in a series of a product for handling associated with basic safety becoming worse with a new model. Fuel efficiency is laudable and a marketable thing, but not when packaged together with the bad compromise of bad flight behavior. If the fix is only by lines of code, they really have not fixed it completely. We know they are not going to be able to move the engines or the thrust line or increase the ground clearance of the plane, so the software fix will be sold as the solution. While it probably does not mean that there will be more planes being trimmed to crash into the ground, it does make for some anxiety for future passengers. Loss of sales would not be a surprise, but more of a surprise will be the deliveries that will be completed regardless.

    1. Alex V

      MCAS was intended to rarely if ever activate. It is supposed to nudge the aircraft to a lower angle of attack if AoA is getting high enough to cause instability in certain parts of the flight envelope. An overly aggressive takeoff climb would be an example. Part of the problem is that a faulty AoA sensor resulted in the system thinking it was at this extreme case, repeatedly, and in a way that was difficult for the pilots to identify since they had not been properly trained and the UX was badly implemented.

      1. YY

        Yes, I’ve heard that. But I do not believe it, given how it is implemented. So I really would like to know how it behaves in non-catastrophic situations. If so benign, why not allow it to turn off without turning off trim controls? Did the earlier 737s not need this feature?

        1. Alex V

          In a non-catastrophic situation, and if functioning correctly, it’s my understanding it would be felt by the flight crew as a mild lowering of the nose by the system. This is to keep the plane from increasing angle of attack, which could lead to a stall or other instability.

          It’s my understanding MCAS should be treated as a separate system from the trim controls, although they both control the pitch of the stabilator. Trim controls are generally not “highly dynamic”, in that the system (or pilot) sets the trim value only occasionally, based primarily on things like the aircraft weight distribution (this could however change during a flight as fuel is burned, for example). MCAS, on the other hand, while monitoring AoA continuously in flight modes where it is activated, only kicks in to correct excessive inputs from the pilots, or as a result of atmospheric disturbances (wind shear would be one possible cause of excessive AoA readings).

          Neither trim nor MCAS is required to manually fly the plane safely if under direct pilot control and the pilot is fully situationally aware.

          Earlier 737s did not need this feature due to different aerodynamic properties of the plane. They however still have assistive features such as stick shakers to help prevent leaving the normal flight envelope.

          Some technical details here:

          http://www.b737.org.uk/mcas.htm

          1. Alex V

            I’ve read a bit more… in regard to allowing MCAS to turn off without turning off trim, I have no idea why it was implemented as it was, since previous 737s allow separate control of trim and MCAS. More here:

            https://feitoffake.wordpress.com/2019/04/06/overview-of-many-failures-by-boeing-in-designing-the-boeing-737-max/

            This however still doesn’t change the fact that neither is required to fly the plane, given proper training and communication, both of which were criminally lacking.

  23. John

    IBG, YBG corporate decisions by people who will probably never fly in these planes, complete regulatory capture and distract with the little people squabbling over technical details. In China there would probably already have been a short trial, a trip to the river bank, a bullet through the head, organ harvesting for the corporate jocks responsible. Team Amrika on the way down.

  24. Synoia

    On the subject of software, the underlying issue of ship and patch later is because the process of software is full of bad practice.

    Two examples: “if” and “new”.

    “if” is a poor use of a stronger mechanism, FSMs, or Finite State Machines.
    “new” is a mechanism that leads to memory leaks and crashes.

    I developed some middleware to bridge data between mainframes and Unix systems that ran 7×24 for 7 years continuously without a failure, because of FSMs and static memory use.

    1. Anarcissie

      The problem of poor quality in software, like poor quality in almost anything else, is not technological.

        1. D

          While technology can be flawed, it’s not like biotechnology isn’t. Lots of road rage incidents prove that. But the hope is the technology helps. This time it looks like biotechnology made erroneous decisions that led to disaster.

  25. BillC

    In an email to me (and presumably to all AAdvantage program members) transmitted at 03:00 April 17 UTC (i.e., 11 PM April 16 US EDT), American Airlines states that it is canceling 737 MAX flights through August 19 (instead of June 5 as stated by the earlier newspaper story cited in this post).

    Eliminating introductory and concluding paragraphs that are marketing eyewash (re. passenger safety and convenience), the two payload paragraphs state in their entirety:

    To avoid last-minute changes and to accommodate customers on other flights with as much notice as possible before their travel date, we have made the decision to extend our cancellations for the Boeing 737 MAX aircraft through August 19, 2019, while we await recertification of the MAX.

    While these changes impact only a small portion of our more than 7,000 departures each day this summer, we can plan more reliably for the peak travel season by adjusting our schedule now. Customers whose upcoming travel has been impacted as a result of the schedule change are being contacted by our teams.

    I’m surprised this has not already appeared in earlier comments. Anybody else get this?

  26. Peak BS

    Now do Tesla & their bs Tesla Autonomy Investor Day please.

    It appears to have it all, from beta testing several-ton vehicles on public roads (like BA’s beta testing of the MAX) to regulatory capture (of NTSB & NHTSA, as examples) and a currently powerful PR team.

    Apparently they’re going to show off their “plan” for how one will be able to use their Tesla in full autonomous mode, while every other OEM sez it can’t be done by the end of this year, let alone within a couple decades, as the average person perceives autonomous driving.

    Watch it live here at 11am PCT: https://livestream.tesla.com

  27. 737 Pilot

    First of all, I didn’t read the article, so I’m not going to critique it. There were some comments in the excerpt that Yves provided that I think require some clarification and/or correction.

    The 737 is not a fly-by-wire (FBW) aircraft. There are multiple twisted steel control cables that connect the flight control in the cockpit to the various control surfaces. The flight controls are hydraulically assisted, but in case of hydraulic (or electric) failure, the cable system is sufficient to control the aircraft.

    In both the 737NG and the MAX, there are automation functions that can put in control inputs under various conditions. Every one of these inputs can be overridden by the pilot.

    In the case of the recent MAX accidents, the MCAS system put in an unexpected and large input by moving the stabilizer. The crews attempted to oppose this input, but they did so mostly by using elevator input (pulling back on the control column). This required a great deal of arm strength which they eventually could not overcome. However, if either pilot had merely used the strength of their thumb to depress the stabilizer trim switch on the yoke, they could have easily opposed and cancelled out whatever input MCAS was trying to put in. Why neither pilot took this fairly basic measure should be one of the key areas of investigation.

    These comments are not intended in any way to exonerate Boeing, the FAA, and the compromises that went into the MAX design. There is a lot there to be concerned about. However, we are not dealing with a case of an automation system that was so powerful and autonomous that pilots could not override what it was trying to do.

    1. marku52

      Bjorn over at Leeham had this analysis:
      “the Flight Crew followed the procedures prescribed by FAA and Boeing in AD 2018-23-51. And as predicted the Flight Crew could not trim manually, the trim wheel can’t be moved at the speeds ET302 flew.”

      In other words, the pilots followed the Boeing recommended procedure to turn off the automatic trim, but at the speeds they were flying and the large angle that MCAS has moved the stabilizer to, the trim wheels were bound up and could not be moved by human effort.

      https://leehamnews.com/2019/04/05/bjorns-corner-et302-crash-report-the-first-analysis/

      They then turned electric trim on to try to help their effort, and MCAS put the nose down again.

      Also: Did no one ever test the human factors of this in a simulator? At HP, when we put out a new printer, we had human factors bring in average users to see if, using our documentation, they could install the printer.

      It is mind-blowing to me that Boeing and the FAA can release an Air Worthiness Directive (The fix after the Lion crash) that was apparently never simulator tested to see if actual humans could do it.

      1. JerryDenim

        Once again, not a Boeing apologist, but the Ethiopian pilots never laid a hand on the thrust levers after they set takeoff power. They were traveling at 340 knots indicated airspeed when they tried manually trimming the nose up, well in excess of Vmo (maximum airspeed). If they had slowed to a more normal airspeed, there’s nothing to indicate the Boeing procedures would not have worked. It’s highly unusual and counter-intuitive (for most skilled pilots accustomed to hand flying) to fly beyond Vmo, especially at a relatively low altitude when fighting a nose down pitch emergency. Speed always compounds any out of trim scenario. There appear to have been some pilot deficiencies involved which compounded the emergency caused by the faulty AOA vane and bad MCAS trim system design.

      2. 737 Pilot

        This might be difficult to appreciate for non-pilots, but trimming the elevator/stabilizer is one of those skills that should absolutely be second nature to an experienced pilot. You do it almost without thinking – if you actually spend time hand-flying the aircraft. You can’t help but feel the changing control pressures, and you are constantly trimming to relieve those pressures. The article you cite above, which I have read, speaks to the consequences of letting this aircraft get so far out of trim in the first place.

        MCAS put in 2.5 degrees of nose down trim in approximately 9 seconds. That amount of trim required about 37 spins of the manual trim wheel right next to each pilot’s knee. If at any time during that 9 seconds either pilot had made a single, brief trim input, MCAS would have stopped its input. If either pilot then kept their trim switch depressed, they could have reversed the entire input made by MCAS. MCAS would have started again after a 5 second delay, but the pilot could oppose this input as easily as the first. Once back in trim, there are a couple of ways to then disable MCAS, the easiest being the cutout switches. Again, absolutely manageable.

        Boeing bears a fair amount of responsibility for the errors they made in the design process. However, and despite all the ink that has been spilt to the contrary, the 737 MAX is not an inherently unstable or dangerous aircraft. The biggest problem from this operator’s perspective is that the working of MCAS and its potential failure modes were 1) not disclosed to the operators and 2) were not particularly forgiving of crew inattention or error.

        In all this discussion of how Boeing fracked up, I think there is another story that is being missed. For various reasons, there is an entire generation of pilots that are being trained more as system operators than as pilots. They are very uncomfortable with turning off the automation and hand-flying the aircraft.

        That’s fine as long as you have a “system” that does not, at times, require an actual pilot. Maybe that will happen some day. However, when the automation fails, or worse, it often requires the intervention of an experienced pilot with the relevant skills to fly the aircraft without the assistance of any of the fancy systems. That did not happen in either of the MAX accidents.
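        As an added illustration, not code from Boeing or from anyone in this thread, the toy model below ties together two points made above: vomkammer’s point (comment 20) that the 0.6 authority limit the safety assessment relied on was self-imposed by the MCAS software rather than enforced by any external element, and 737 Pilot’s description of per-activation trim (about 2.5 degrees over roughly 9 seconds), the halt on any pilot trim input, and the 5 second re-arm. The single-sensor input is the one Yves mentions in comment 15. Those figures are used as parameters; the activation threshold, the sensor readings, the disagreement tolerance, the pilot’s 12-second trim taps and the control law itself are all constructed for the example. The point it demonstrates is a general safety-engineering one: a limit that lives only inside the function it is meant to bound does not survive that function being repeatedly re-armed, whereas an independent monitor that clamps the function’s cumulative command and checks the two sensors against each other does.

```python
"""Constructed toy model (not Boeing's code or design data) of a trim
augmentation function, a stuck angle-of-attack (AoA) sensor, and an
independent authority monitor.  Parameters taken from the comments:
~2.5 deg of nose-down trim over ~9 s per activation and a 5 s re-arm
delay (737 Pilot); an assessed 0.6 authority limit (vomkammer).  All
other values and the control law are invented for this illustration."""
from dataclasses import dataclass

ACTIVATION_DEG = 2.5                    # trim per activation (737 Pilot)
RATE_DEG_PER_S = ACTIVATION_DEG / 9.0   # ~9 s per activation (737 Pilot)
REARM_DELAY_S = 5.0                     # pause after pilot trim input (737 Pilot)
ASSESSED_AUTHORITY_DEG = 0.6            # limit the assessment relied on (vomkammer)
TRIGGER_AOA_DEG = 14.0                  # constructed activation threshold
DISAGREE_DEG = 5.0                      # constructed cross-sensor tolerance


@dataclass
class AugmentationFunction:
    """The function as the toy models it: reads ONE AoA sensor and limits
    only the trim of the current activation.  A pilot trim input ends the
    activation; after the re-arm delay the function may run again, so its
    cumulative command is unbounded by its own logic."""
    in_activation: float = 0.0   # trim commanded so far in this activation
    rearm_timer: float = 0.0

    def step(self, aoa_deg: float, pilot_trim: bool, dt: float) -> float:
        """Return nose-down trim (degrees) commanded during this time step."""
        if pilot_trim:
            self.in_activation = 0.0
            self.rearm_timer = REARM_DELAY_S
            return 0.0
        if self.rearm_timer > 0.0:
            self.rearm_timer -= dt
            return 0.0
        if aoa_deg > TRIGGER_AOA_DEG and self.in_activation < ACTIVATION_DEG:
            delta = min(RATE_DEG_PER_S * dt, ACTIVATION_DEG - self.in_activation)
            self.in_activation += delta
            return delta
        return 0.0


class IndependentAuthorityMonitor:
    """A separate element that does not trust the function's own limit: it
    clamps the function's CUMULATIVE command to the assessed authority and
    inhibits the function while the two AoA sensors disagree."""

    def __init__(self) -> None:
        self.cumulative = 0.0

    def filter(self, delta: float, aoa_left: float, aoa_right: float) -> float:
        if abs(aoa_left - aoa_right) > DISAGREE_DEG:
            return 0.0                       # sensor disagreement: inhibit
        allowed = max(0.0, min(delta, ASSESSED_AUTHORITY_DEG - self.cumulative))
        self.cumulative += allowed
        return allowed


def simulate(aoa_left: float, aoa_right: float, monitored: bool,
             seconds: float = 60.0, dt: float = 0.1,
             pilot_trim_every_s: float = 12.0) -> float:
    """Run one scenario; return total nose-down trim the function delivered.
    The function sees only the LEFT sensor.  The pilot briefly taps trim
    every `pilot_trim_every_s` seconds (constructed), which is exactly what
    lets the function re-arm and run again.  Only the function's own output
    is tallied; the pilot's counter-trim is not modelled."""
    function = AugmentationFunction()
    monitor = IndependentAuthorityMonitor()
    total = 0.0
    steps = int(round(seconds / dt))
    trim_period = int(round(pilot_trim_every_s / dt))
    for i in range(1, steps + 1):
        pilot_trim = i % trim_period == 0
        delta = function.step(aoa_left, pilot_trim, dt)
        if monitored:
            delta = monitor.filter(delta, aoa_left, aoa_right)
        total += delta
    return total


if __name__ == "__main__":
    stuck, healthy = 25.0, 3.0   # constructed readings: left vane stuck high
    print("stuck sensor, self-imposed limit only:", round(simulate(stuck, healthy, False), 2))
    print("stuck sensor, independent monitor:    ", round(simulate(stuck, healthy, True), 2))
    print("genuine high AoA, independent monitor:", round(simulate(25.0, 25.0, True), 2))
    print("both sensors healthy:                 ", round(simulate(healthy, healthy, False), 2))
```

        Run stand-alone, the first line shows the function delivering on the order of ten degrees of nose-down trim in a minute, each activation individually within its 2.5-degree budget and none of them bounded by the 0.6 figure the assessment assumed. With the monitor in the loop the stuck-sensor case delivers nothing, because the two vanes disagree, and the genuine high-AoA case is clamped at 0.6 degrees in total. That clamp and the cross-check are the external element vomkammer’s comment says was missing; the difference between the first two lines is the gap between a “Major” and a “Catastrophic” classification.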

        1. Carolinian

          Thanks for the comment. Would you agree that Boeing will face legal troubles over inclusion of such a poorly designed piece of automation (I’ve read there’s an FAA rule that systems that can crash the plane must rely on more than one sensor)?

          And care to comment on ways pilots benefit from automation?–in other words the reason all these systems exist in the first place? Is it true that modern airliners can land themselves if necessary?

          1. 737 Pilot

            Boeing is already facing legal challenges, but I’m not sufficiently versed in that subject to offer much in the way of comment.

            As to automation in general, the important point to remember is that it is merely a tool. As a tool, it can be used well in the right hands or used poorly in the wrong hands.

            As far as autoland capability, some aircraft can execute an autoland under the right circumstances, but that function can only be activated by the flight crew. The 737s that I fly have an autoland system, but we do not use it at my airline. Instead, we use a Heads Up Display (HUD) to execute low visibility landings.

            1. ShamanicFallout

              To 737 Pilot- Have you flown a Max? Do/ did you find it much different than the previous generation of 737s?

              1. 737 Pilot

                I flew the MAX twice before it was grounded. In normal operations, I would say that it is different in the same sense that a current model Ford F-150 is different than the 2001 vintage F-150 in my driveway. Different instrumentation package, some switches in different places, some new features, smoother ride, but still drives like an F-150.

                That being said, there are some important differences. I think that both Boeing and the airlines who purchased the MAX did not put sufficient resources into differences training. I’m not in the group that thinks that MAX simulator training should be required, but I can appreciate their concerns.

          2. vlade

            I believe that a number of (I’m tempted to write most, but not really sure) airliners can land themselves in most conditions. I do know that some European airlines have a mandate that every so often the plane must land (conditions permitting) using the automated procedure.

            If you’re sitting in front rows (up to about row 6) in a short-haul Airbus (not sure about Boeing), you can tell whether you’re landing manually or automated. There’s quite a distinctive sound (3 beeps in a row IIRC, haven’t flown that far up front for a while now) coming from the pilots’ cabin that signals that the autopilot has been disengaged.

            I was curious about this, as the automated landings were often the gentlest I have experienced, so talked to my friend who’s a commercial pilot. He told me that how good the automated landing is depends on the real vs set up trim of the plane, and that while in theory the automated landing may be ‘optimal’ in lab conditions, on a busy airport (or one that has a short landing runway or other idiosyncrasies) pilots will often do a landing that is “suboptimal”, but safer. It does chime with my experience that say landing at Heathrow (busy) or Wellington NZ (very short runway with sea on both ends, with strong winds/xwinds) was always bumpier than smaller, more “vanilla” airports.

        2. vomkammer

          Thanks for the comment. I agree with the content, although I would add one clarification.

          The skills needed to fly a modern, automated aircraft are different from the ones needed to fly a classic one. The pilot needs to be trained to monitor the automatic systems, detect malfunctions and then take control and fly without electronic assistance. A key element of this skill set is a good understanding of the system failure modes. Therefore, it is appropriate that the pilots’ training includes “system operation”.

          The captain of the Ethiopian crash was sufficiently experienced in classic aircraft (8,100h of flight time, with 1,400h on 737s), but not with the MAX automation. So, it can be argued that he actually lacked “system operation” skills, rather than classic flying skills.

          1. 737 Pilot

            Strongly disagree.

            One of the first things that the Ethiopian flight did after takeoff was to attempt to engage the autopilot, but it disconnected. He tried this two more times, and it would not stay engaged. He did this before he attempted any other kind of troubleshooting. He then demonstrated a lack of basic hand-flying skills that complicated any potential corrective action.

            The important point here is that use of the autopilot is explicitly precluded in this circumstance. What I see is a pilot who was so automation dependent that he was unable to hand-fly the plane correctly AND manage the malfunction at the same time. He was simply overwhelmed. Keep in mind that the first officer only had around 350 hours total with only 200 hours in the 737, so was only of limited help.

            Automation dependency is a real issue in modern aviation. If the Captain’s 8000 hours of experience had been largely spent managing the automation instead of flying the aircraft, then his reaction to the initial problem (which was the AOA sensor failure, and not the MCAS) is understandable.

            1. 737 Pilot

              First sentence should read “One of the first things that the Captain of the Ethiopian flight did……”

          2. JerryDenim

            Count me as a second “strongly disagree” and that’s my professional opinion as a working airline pilot. All flight time is not created equal.

            If you read up on the Captain’s flight experience you will see he was a zero-hour Ethiopian Airlines Cadet School hire. He was placed in the right seat of a modern wide-body doing long segment flying for the first 6000 flight hours of his career. That type of flying is basically baby-sitting the autopilot and making radio calls for long flights (up to 15 hours at a time). He would have been lucky to get two or three landings in a month and he probably totaled less than a minute or two of hand flying time each month. The typical civilian career track for a US airline pilot begins with flight instruction in small piston powered aircraft without any automation whatsoever. It wasn’t unusual for me to perform 10 landings in an hour when I was a primary flight instructor and I would fly about 25 hours like that, in one hour blocks, every week. After 1700 hours of grinding out flight time in one-hour blocks instructing, I worked my way up the career ladder, part 135 night cargo pilot, corporate turbo prop, then regional airline jet pilot for ten years, then a major airline. I’m 43 years old now with over 14,000 hours of flight time and I have never flown a wide-body (twin aisle) aircraft. I had 10,000 hours of flight time and almost 6,000 hours of Airline Jet Captain time before I ever touched an aircraft with auto thrust. The type of flying Captain Getachew was thrown into as a 20-year-old new hire cadet pilot isn’t an entry level position here in the United States but rather a cherry on top after at least a decade of professional experience and thousands of hours of flight time when the pilot has complete and total mastery of basic hand flying skills. The Ethiopian 302 Captain never had a chance to develop what you call “classic flying skills” because he was denied the opportunity to hand fly simple airplanes. As a result he was desperately dependent on automation to compensate for his lack of basic flying skills. By the time he upgraded to Captain on the 737 the die was cast and that’s why he made so many tell-tale automation management mistakes that revealed his dread and/or lack of skill hand flying, which ‘737 Pilot’ details in his comment. Things like attempting to engage the autopilot at an extremely low altitude while the stick shaker is going off and multiple instrument anomalies are present might seem unremarkable for non-pilots reading media accounts of aviation disasters, but for working professional pilots these actions are screaming red-flags.

            Understanding gleaned in a classroom is not the same as doing. Try reading a book on a technically demanding professional sport, like golf or surfing, and then go out and try to keep up with the professionals in that sport that practice every day for many years, and let me know how well book knowledge translates to actually doing. Hand flying and hand flying reflexes are a psychomotor skill which requires specialized neural pathways which can only be built and maintained with practice and repetition. “Understanding” alone is not enough.

    2. JerryDenim

      Just to add to 737 Pilot’s point:

      https://www.quora.com/Does-the-737-Max-family-use-fly-by-wire

      While the author of the original article never expressly claims the Max is a ‘fly-by-wire aircraft’ he certainly describes a fly-by-wire control system and seems to be grouping the 737 Max together with other airliners that are fly-by-wire. The Boeing 777 and 787 are in this category but the 737 Max is not. All Airbus aircraft post-A320 definitely fit this criteria and generally with less pilot authority than Boeing fly-by-wire aircraft. The side stick control in an Airbus is connected to nothing but electrical wires. A far cry from the old-fashioned guts of the control system in the 737 Max.

      https://www.linkedin.com/pulse/analysis-boeing-777-fly-by-wire-system-jaime-beneyto-gómez-de-barreda

      While I certainly won’t argue the 737 Max is a tortured airplane with some odd work-arounds, some of the author’s aerodynamic claims seem a bit exaggerated and alarmist as well. The MCAS automated nose-down trimming system was an absolutely unforgivable design flaw from an engineering and safety perspective, but aerodynamically I’m not convinced the Max is any more quirky than a 737-900ER. The Max may have been a mistake from a design perspective, but I haven’t read anything that would indicate the terribly conceived MCAS system can’t be fixed.

  28. stevelaudig

    The bureaucratic decision-making model is the same as that which gifted us with the Challenger ‘accident’ which was no accident.

    1. D

      Actually, it was not the FAA that made the choice to outsource to manufacturers; it was Congress who made that decision.

  29. ChrisPacific

    None of the above should have passed muster. None of the above should have passed the “OK” pencil of the most junior engineering staff, much less a DER [FAA Designated Engineering Representative].

    That’s not a big strike. That’s a political, social, economic, and technical sin….

    This is the thing that has been nagging me all along about this story. The “most junior engineering staff” thing is not an exaggeration – engineers get this drilled into them until it’s part of their DNA. I read this and immediately thought that it points to a problem of culture and values (a point I was pleased to see the author make in the next paragraph). Bluntly, it tells us that the engineers are not the ones running the show at Boeing, and that extends even to safety critical situations where their assessment should trump everything.

    One of two things needs to happen as a result of this. Either Boeing needs to return to the old safety first culture, or it needs to go out of business. If neither happens, we are going to see a lot more planes falling out of the sky.

  30. VietnamVet

    I want to reemphasize that all airplane crashes are a chain of events; if one event does not occur there are no casualties. The Lion Air flight should never have flown with a faulty sensor. But afterwards, when the elevator jackscrew was found in the full nose down position that forced the plane to dive into the Java Sea, Boeing and the FAA should have grounded the fleet until a fix was found. The deaths in Ethiopia are on them. The November 2018 737-8 and -9 Airworthiness Directive was criminally negligent. Without adequate training the Ethiopian Airline pilots were overwhelmed and could not trim the elevator with the manual trim control after turning off the jackscrew electric motor, due to going too fast with takeoff thrust from start to finish. With deregulation and the end of government oversight, the terrible design of the 737 Max is solely on Boeing and the politicians who deregulated certification. Profit clearly drove corporate decisions with no consideration of the consequences. This is popping up consistently now, from VW to Quantitative Easing, or the restart of the Cold War. Unless the FAA requires pilot and copilot simulator training on how to manually trim the 737 Max with all hell breaking loose in the cockpit, the only recourse for customers is to boycott flying Boeing. Ultimately the current economic system that puts profit above all else must end if humans are to survive.

    1. marku52

      Yes. Imagine if the first crash had happened in the US, and the black box indicted the MCAS. Plane would have been grounded immediately.

      But hey, it’s only brown people and “poorly trained” brown pilots. Well if Boeing doesn’t think those pilots are good enough, they are welcome to drop that market. Airbus would be happy to oblige.

      Boeing claims they design their planes to be flown by average pilots. Wait, aren’t one half of all pilots below average? How’s that supposed to work?

      1. fajensen

        But hey, it’s only brown people and “poorly trained” brown pilots.

        Don’t forget, “the other half” of Boeing is busy with designing, building and delivering systems that are being used right now to kill and starve thousands of brown people every year.

        The two “halves” of the business are joined at the management levels. The “helping more brown people getting killed is a core business” could, kinda, spread around in unwanted places?

        Like with bringing up the kids, “they do what we do, not what we say”, the QA and finish on planes going to brown people customers could be seen as less important since “we are always bombing some of them anyway”?

  31. baldski

    Thanks Yves for your comments. I thought the article was a great piece and the take away was that Boeing added the MCAS as a safety feature which ended up killing 300+ people.

    1. marku52

      It was not a “safety feature”. It was a feature that allowed Boeing to claim that the Max flew exactly as all other 737s, and hence no additional training was needed.

      In fact, it was an “anti safety feature” that only fattened Boeing’s bottom line….

  32. oaf

    Did the MCAS malfunction cause the throttles to be left wide open? Or was it something else that caused the aircraft to exceed its operational speed limit, which apparently resulted in such high loads on the stabilizer?
    Would the plane have been controllable with a different power setting?

    1. JerryDenim

      Flying more or less straight and level around 13,000 feet while the pilots struggled against the MCAS nose-down trim inputs without ever reducing the thrust to a more appropriate setting is what caused Ethiopian 302 to overspeed. They were overwhelmed and apparently habituated to relying on auto thrust to regulate their speed changes and energy state. Inattention, incomprehension, task over saturation, fixation on other items.

      “Would the plane have been controllable with a different power setting?” No one can say with 100% certainty since the aircraft is in tiny bits and all onboard perished, but from all indications the manual trim would have worked and the aircraft would have been controllable had the pilots (1.) reduced thrust/airspeed and (2.) not turned the automatic stabilizer trim motor back on after they disabled it. The 737 Max that crashed as Lion Air 610 had a near identical AOA vane failure situation, leading to uncommanded and unwarranted MCAS nose-down trim, the day before on a different flight with a different crew. That crew disabled the stabilizer trim and controlled their airspeed, allowing them to successfully trim away the nose-down control forces. They landed safely at their intended destination and minimized the nature and severity of their inflight emergency in the airplane’s maintenance logbook, effectively laying a vicious trap for the crew of Lion Air 610 the next day. Point being though, basic pilot skills like thrust/speed management, hand flying skills absent automation, effective crew coordination, following procedures, and the ability to do all of these things under the stress of an emergency situation with malfunctioning instrument indications would have allowed Ethiopian flight 302 to escape the fate of Lion Air 610. Easy? No, absolutely not. Should it have been a survivable situation for professional airline pilots? Most definitely.

  33. JerryDenim

    I had some minor quibbles with some of the claims made by Greg Travis, but overall I fully agree with your take-away:

    “And if crapification by software has undermined the once-vaunted airline safety culture, why should we hold out hope for any better with self-driving cars?”

    Exactly. If highly trained, experienced airline pilots can’t manage the automation on board their aircraft in what passes for “a highly regulated” industry these days, what hope does Joe Blow have of keeping his “disruptive” self-driving Tesla, GM, Alphabet, or whatever brand car from killing him when the inevitable malfunction occurs?

    Very, very little, which is why I predicted Tesla’s “Autopilot” feature would be a disaster from the start and I have been very skeptical of claims of imminent autonomous technology that was the conventional wisdom a few years back. As a professional airline pilot familiar with the limitations and pitfalls of automation software and technology I knew just how many traps there would be for an untrained and unsuspecting public.

    There’s no way for humans to maintain the mental capacity and motor skills required for activities like driving and flying once they fully surrender those activities to machines. And once you do surrender those activities, the automation technology had better be 100% perfect and bullet-proof autonomous because humans quickly lose the ability to correct the machine’s mistakes in malfunction/failure scenarios.

    The Ethiopian flight crew’s failure to recognize and correct their overspeed state due to a stressful situation and a habituated dependence on auto thrust is a perfect example.

    1. vlade

      Actually, with cars it’s worse. While plane accidents get a lot of headline inches, they tend to have few ‘collateral damage’ casualties. With self-driving cars, I fully expect more “innocent bystander” casualties unless the whole road infrastructure gets a total overhaul which would prevent pedestrians anywhere near roads.

    2. Carolinian

      On the other hand a car is a lot simpler than a jetliner and car pilots are a lot less competent and well trained than the airplane variety. When you see other drivers talking on their phones or even texting or blithely running stop signs you have to wonder if that vehicle wouldn’t be safer if controlled by a robot. Many thousands of people die every year in the US from car accidents and those are almost all “pilot error.” It’s worth remembering that one of the initial arguments for self drive is that fewer people would be killed.

      IMO much greater vehicle automation is inevitable as our roads become more crowded and the technology matures. It may not be soon however.

      1. vlade

        Unless you separate vehicles from pedestrians, you will face an ethical dilemma: do you prefer to kill a car passenger, or a pedestrian?

        No-one will want to sit in a car that would prioritise pedestrians over passengers. And the backlash when an automated vehicle kills a kid to save a rich passenger will be massive (see Uber last year, and a number of people took that as the pedestrian’s fault, even though it was a SW decision). Apart from separation (which will be extremely costly in terms of infrastructure), there is no good solution to this.

  34. Pvt Pilot

    The 737 Pilot statements are words of experience. He could land in the Hudson river. That took skill and knowledge of your aircraft. Like he said, today’s new pilots don’t have the skill to fly the plane without automation. To me, if you look at the big picture, 2 crashes out of how many flights? Both were foreign pilots. Tells you they were not truly a pilot that could fly the plane without automation. Not that 2 crashes are ok, but don’t put all the blame on the aircraft.

  35. Ron D

    I guess we won’t have any dogs in the cockpit to bite the pilot if he tries to touch anything, anytime soon.