Why would anyone be scared to fly on the most scrutinized plane in history? I certainly don't care. All of the pilots flying the MAX would now receive even more in-depth training on the quirks of the new systems.
Chances of critical incident are practically zero. 180 countries have re-certified the plane and design changes were made as well.
If you don't trust the FAA or the 179 other authorities, how do you step on ANY plane?
Additionally, you don't trust the MAX yet you trust Boeing (you didn't mention their other planes)? If Boeing is negligent, it's unlikely it's limited to a specific product. How can you then trust maintenance programs and spare parts provided by Boeing for the Dreamliner for example?
If Boeing is incompetent, trusting the Dreamliner but not the MAX is irrational.
Pilots are trained in dealing with stabilizer trim runaway. The first crew to encounter the MCAS problem followed it (turned off the stab trim system), and landed safely. The second crew, on the same airplane, did not and crashed. (They never turned off the stab trim system.)
Boeing followed this up with an Emergency Airworthiness Directive, which was distributed to all MAX crews. It included a 2-step process for recovery.
The EA crew did not follow that procedure:
"Initially, higher control forces may be needed to overcome any stabilizer nose down trim already applied. Electric stabilizer trim can be used to neutralize control column pitch forces before moving the STAB TRIM CUTOUT switches to CUTOUT. Manual stabilizer trim can be used before and after the STAB TRIM CUTOUT switches are moved to CUTOUT."
This does not absolve Boeing of the design flaw in MCAS where it only read data from one sensor, had too much authority, and would repeatedly engage after the pilot countermanded it.
You obviously know way more than I do about this, so maybe I completely misunderstood but what I saw on one of those YouTube videos by a 737 pilot was something like that before MCAS when you got a runaway trim situation and followed the procedure and got trim back to normal and had the trim system turned off, most of the time you could turn the trim system back on and the problem would not come back. Runaway trim was usually due to some transient problem that would be gone after the system was turned off and on.
In those cases where the problem does come back it is not any worse so you can just try again. You might go a whole flight doing this if you are getting enough time between the problem recurring for restarting the trim stab system to be less annoying than not having it.
With MCAS, if I understood correctly, it would add a bias to the trim that was not reset when you restarted the trim system. Each cycle of turning it off and back on that was harmless pre-MCAS would increase that bias until you reached a point where the trim down bias was more than you could counter.
This wouldn't matter for the flights that crashed, because they didn't get to the turn it off stage, but it seems likely it would have eventually happened to some crew that did follow the procedure including the emergency directive.
The impression I got from this, and from watching many episodes of "Air Emergency", is that there is the official way to operate a plane as documented by the manufacturer, and then the unofficial way that pilots actually use that comes from combining the official way with the pilot's mental models of how the systems work to cover what can actually be done. So if the official way says to turn something off, but does not say "and then keep it off until a mechanic checks it out", and the pilot's mental model says that it is safe to turn back on, then they might turn it back on.
MCAS invalidated the mental model pilots had for the stab trim system, but the MAX-specific training they got and the emergency directive after the first crash did not do anything to tell pilots that their model was invalid.
When documenting a system and training people to use it, you really need to take into account the mental model they will have of the system. It is their mental model that people actually use to guide their interaction with the system.
The second flight totally did get to the turn-it-off stage. They turned it off multiple times. Unfortunately, during that process, they neglected to manage their throttle, leaving it at near full takeoff thrust the whole time, and reached a very high speed. Thus, while they could turn off MCAS, they were unable to manually restore trim with MCAS off due to the strong physical forces on the stabilizer. There was probably a recovery path for them where they lowered speed, then corrected the trim manually, but they didn't see it.
I have no idea if this person knows what they are talking about, either in total or for any particular bit of information. Also, why create a filter between me and the original report - a great benefit of the Internet is disintermediation.
Personally, I find original reports from experts to be much more clear than the attempts of others to digest them for me. To write clearly, you need to know what you are talking about. The better you know, the more clearly you write.
I mean, that's all well and good, but assuming that your pilots will correctly diagnose and correct a failure of a new system that may or may not have similar symptoms to existing emergencies is still a really poor practice. If MCAS had been designed to command a continuous forward pitch moment until the AOA excursion had resolved, it would have very accurately resembled a pitch trim runaway following an AOA probe failure. As it was, it clearly didn't have a strong enough resemblance.
Safely operating a poorly designed aircraft can be done, but it starts with explaining the deficiency in exhaustive detail in a bold typeface in a prominent place in the operating manual, with clear warnings to avoid certain flight regions, and a well-documented emergency procedure. For example:
MCAS FAILURE:
If you experience repeated momentary uncommanded nose-down pitch excursions.
1. Conduct RUNAWAY PITCH TRIM procedure.
2. Do not reset pitch trim circuit.
Unfortunately that would have required new training.
Runaway stab trim is very easy to diagnose. The airplane pitches, the two big wheels on either side of the console start spinning, and there's a loud clacking sound.
The MCAS failure exhibited as runaway trim.
> it clearly didn't have a strong enough resemblance.
I disagree. The trim randomly and repeatedly coming on and driving the pitch down is runaway trim.
> a well-documented emergency procedure
Like this one distributed to ALL 737MAX crews:
Boeing Emergency Airworthiness Directive
"Initially, higher control forces may be needed to overcome any stabilizer nose down trim already applied. Electric stabilizer trim can be used to neutralize control column pitch forces before moving the STAB TRIM CUTOUT switches to CUTOUT. Manual stabilizer trim can be used before and after the STAB TRIM CUTOUT switches are moved to CUTOUT."
...after their poorly designed system caused a plane crash.
If you have a 737 type rating and can speak to type-specific training standards I would love to be educated, but the defining characteristic of runaway trim failures that I've experienced is that the trim keeps going in one continuous motion until it can't go any further or you manually shut off the system. A momentary, uncommanded attitude change would initially make me want to troubleshoot the autopilot, rather than the trim system. This is exactly why you have to describe new systems and their failure modes in detail, even if they have elements in common with and use the same emergency procedures as existing failures.
I do not have a 737 type rating. But I did work on the 757 stabilizer trim system and gearbox design for 3 years. I know what runaway stabilizer trim is, and have been through the failure mode analysis on the 757 trim system.
> the defining characteristic of runaway trim failures that I've experienced is that the trim keeps going in one continuous motion until it can't go any further or you manually shut off the system
Runaway trim is the trim coming on when it isn't supposed to. It could be continuous, it could go in fits and starts, it could come on randomly. The corrective action is the same - turn it off.
This is why the trim cutoff switch is prominently there on the console within easy reach.
Waiting until it can't go further, i.e. it runs into the stops, is just not a good idea as by then the airplane may be in an extreme pitch position which may not be recoverable.
> ...after their poorly designed system caused a plane crash
The LA crew never turned off the trim system, despite restoring normal trim with the electric thumb switches 25 times.
The previous LA flight experienced the same MCAS malfunction, and after restoring trim a couple times, turned off the stab trim system. They then proceeded to their destination and landed normally. They did not know about MCAS, but they did know that runaway trim is dealt with by turning it off, which is a memory item.
The MCAS system was poorly designed. But a contributing factor to the crash was the pilots not following proper procedure in response to runaway stab trim.
I am not a pilot, so take the following as you will:
1. if I suspected an autopilot malfunction, I would turn it off and fly manually and let the maintenance people figure it out.
2. if I experienced runaway trim, I would turn off the trim and fly without it as much as possible, again letting the maintenance people debug it.
In general, I am not going to debug a flight critical system at 30,000 feet that is malfunctioning if I can fly safely without it.
I agree that Boeing made a big mistake in not disclosing the existence of MCAS and how it operated.
In all seriousness, I would enjoy talking about commercial aircraft trim system failure modes over a beer sometime.
For what it's worth, while I agree with your technical definition of a trim runaway, every time I've seen it in the sim or real life it's been a single, continuous event moving from steady-state flight trim to an extreme. I'd be willing to bet a few beers that this is what most pilots are trained to expect from a trim runaway, and what B737 crew see in the sim while getting type rated. I'm not disagreeing that if the LA crew diagnosed it as a trim failure and performed the EP correctly they would likely still be alive, and I'm also not arguing that they were an exceptionally good or even average crew.
I'm arguing that you can't really fault a below-average-but-still-acceptably-competent crew for not diagnosing the failure of a system they couldn't have reasonably been aware of as a trim problem on an otherwise perfectly functioning aircraft. There are plenty of atypical emergencies that require the crew to "do some pilot shit" to get the plane back safely on deck, but an easily foreseeable single-sensor failure shouldn't be one.
We'll probably just have to agree to disagree about how likely an average crew would be to treat this as a trim failure, but I like to think we can still agree that the likelihood was unacceptably low for commercial aviation safety standards.
I don't mind at all having a friendly disagreement. No problem!
I can't really imagine erratic operation not considered as a failure. After all, if you're coming in to land you wouldn't want the stab trim coming on uncommanded even for a second. As far as the 757 Flight Controls group was concerned, an intermittent failure in the trim system was unquestioned cause for immediately disabling it.
Two independent computers controlled the automatic stab trim. They were custom computers, designed by two groups that weren't allowed to talk to each other. They used different CPUs, different algorithms, and different programming languages. The computed commands were run through a comparator. If they differed, both computers were instantly electrically isolated from the trim system.
How Boeing evolved from that ethos to relying on a single sensor, I cannot understand.
BTW, these ideas have trickled into my approach to writing software, often engendering spirited debate with me against the world :-)
I claim credit for the term "defensive programming". It was the title of a talk I gave long ago. I'd never seen the term applied to programming before, and have seen it often since. Unfortunately, I have since lost the contents of my talk. I don't even remember which conference it was at, there have been so many.
I work on the avionics side of the industry and really enjoy when I run into your posts in discussions. You explain things to people not in the industry much more eloquently than I could.
While I'm not in my company's fly-by-wire group currently, I have been in the past.
> Two independent computers controlled the automatic stab trim. They were custom computers, designed by two groups that weren't allowed to talk to each other. They used different CPUs, different algorithms, and different programming languages. The computed commands were run through a comparator. If they differed, both computers were instantly electrically isolated from the trim system.
Current thinking in fly-by-wire software is a little different. There have been studies performed that showed nearly all software issues at this level are due to a misinterpretation of requirements. These misinterpretations were shared between the different software teams, leading to the two different units outputting identical (though incorrect) commands which would pass through the comparators. So in essence you're doubling your development cost for no actual safety benefit. I can see if I can dig up those studies if you'd like. It will take a while, though, since almost everyone at my company is already on vacation for the year.
I'm simplifying what follows a little as I'm not sure how in depth I can get on our hardware design. What we do now is essentially run the same fly-by-wire software over multiple computers. These computers must have a mix of CPUs, including having differing endianness. If a single computer miscompares, the comparator turns that computer off. If more end up failing, the system falls back to a much simpler failsafe mode without a CPU in the loop where the flight controls in the cockpit are interpreted directly by the electronics that drive the actuators.
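The two designs described in this exchange (dissimilar pairs that isolate each other on disagreement, and a pool of channels that latches off a miscomparing unit and drops to a CPU-less passthrough when too few remain) can be sketched as a small comparator. The following is an added example, not code from any poster here or from Boeing; the three-channel count, the "halve above 250" trim law, the tolerance, and the fault models are all constructed for illustration. It also shows the common-mode case from the post above: when every channel carries the same misreading of the requirement, the comparator has nothing to compare against and passes the wrong command.

```c
#include <stdio.h>

/* Added example, not code from anyone in this thread: a toy three-channel
 * comparator in the spirit of the designs described above. Channel count,
 * the trim law, thresholds and the fault models are all constructed. */

#define NCHAN 3
#define MIN_HEALTHY 2   /* fewer than this -> CPU-less passthrough */
#define TOLERANCE 1     /* largest disagreement still treated as agreement */

typedef int (*trim_fn)(int stick, int airspeed);

/* The requirement (constructed): above 250 kt, halve the stick command. */
static int law_a(int stick, int airspeed) { return airspeed > 250 ? stick / 2 : stick; }
/* Same requirement written independently; it agrees with law_a. */
static int law_b(int stick, int airspeed) { int c = stick; if (airspeed > 250) c /= 2; return c; }
/* Fault models: a sign inversion and a channel stuck at zero. */
static int law_sign_fault(int stick, int airspeed) { (void)airspeed; return -stick; }
static int law_stuck_zero(int stick, int airspeed) { (void)stick; (void)airspeed; return 0; }
/* The common-mode case: every team read "halve" as "double". */
static int law_misread(int stick, int airspeed) { return airspeed > 250 ? stick * 2 : stick; }

typedef struct { trim_fn law[NCHAN]; int healthy[NCHAN]; } redundant_system;
typedef struct { int command; int failsafe; int healthy_count; } vote_result;

static int agree(int x, int y) { int d = x - y; return (d < 0 ? -d : d) <= TOLERANCE; }

/* One comparator frame. Every healthy channel computes a command; a channel
 * that disagrees with at least half of the other healthy channels is latched
 * off (with two channels left, one disagreement isolates both, as in the
 * 757 description above). If too few remain, the stick input is passed
 * straight through to the actuator with no CPU in the loop. */
static vote_result vote(redundant_system *sys, int stick, int airspeed) {
    int out[NCHAN] = {0}, isolate[NCHAN] = {0};
    vote_result r = {0, 0, 0};
    int i, j;
    for (i = 0; i < NCHAN; i++)
        if (sys->healthy[i]) out[i] = sys->law[i](stick, airspeed);
    for (i = 0; i < NCHAN; i++) {
        int others = 0, agreements = 0;
        if (!sys->healthy[i]) continue;
        for (j = 0; j < NCHAN; j++) {
            if (j == i || !sys->healthy[j]) continue;
            others++;
            if (agree(out[i], out[j])) agreements++;
        }
        if (others > 0 && agreements * 2 < others) isolate[i] = 1;
    }
    for (i = 0; i < NCHAN; i++) {
        if (isolate[i]) sys->healthy[i] = 0;   /* latched off for the flight */
        if (sys->healthy[i]) r.healthy_count++;
    }
    if (r.healthy_count < MIN_HEALTHY) {
        r.failsafe = 1;
        r.command = stick;                     /* direct passthrough */
    } else {
        for (i = 0; i < NCHAN; i++) if (sys->healthy[i]) { r.command = out[i]; break; }
    }
    return r;
}

static redundant_system make(trim_fn a, trim_fn b, trim_fn c) {
    redundant_system s = {{a, b, c}, {1, 1, 1}};
    return s;
}

/* One channel inverts its sign: it is isolated on the first frame and the
 * other two keep producing the correct command (5) on the next one. */
vote_result scenario_single_fault(void) {
    redundant_system s = make(law_a, law_b, law_sign_fault);
    vote(&s, 10, 300);
    return vote(&s, 10, 300);
}

/* Two channels fail in different ways: no majority exists, every channel is
 * isolated, and the system drops to the passthrough mode (command = stick). */
vote_result scenario_degrade_to_failsafe(void) {
    redundant_system s = make(law_a, law_sign_fault, law_stuck_zero);
    return vote(&s, 10, 300);
}

/* The case the post above warns about: all channels share the same
 * misreading of the requirement, agree with each other, and the comparator
 * passes a command that is wrong (20 instead of 5). */
vote_result scenario_common_mode(void) {
    redundant_system s = make(law_misread, law_misread, law_misread);
    return vote(&s, 10, 300);
}

int main(void) {
    vote_result r;
    r = scenario_single_fault();
    printf("single fault: cmd=%d failsafe=%d healthy=%d\n", r.command, r.failsafe, r.healthy_count);
    r = scenario_degrade_to_failsafe();
    printf("degraded:     cmd=%d failsafe=%d healthy=%d\n", r.command, r.failsafe, r.healthy_count);
    r = scenario_common_mode();
    printf("common mode:  cmd=%d failsafe=%d healthy=%d\n", r.command, r.failsafe, r.healthy_count);
    return 0;
}
```

The comparator only ever detects disagreement, so its value depends entirely on the channels failing differently; that is exactly why the common-mode scenario sails through, and why the post above argues that dissimilar implementations of a shared misunderstanding buy nothing.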
Thanks for the information. I can understand misinterpreting the requirements - after all, the requirements themselves are a form of programming, and getting the requirements clear and bug free is a major endeavor.
Heh, I think I did a poor job of expressing myself. You're absolutely right that an intermittent/erratic trim operation is a failure, and potentially a serious one. I'm thankful that you, as a flight control engineer, are as concerned about it as you are (for hopefully obvious reasons). Out of curiosity, how probabilistic is your failure mode analysis? I'm wondering what the relative likelihood of an intermittent uncommanded actuation is compared to the neutral-to-extreme runaway failure that most pilots expect. I've never been in a sim where the operator console had trim failure options other than "stuck at current position" or "runaway to extreme limits," but I wouldn't be surprised if they should've included other failure modes.
Yeah, that seems like an eminently reasonable way to design a trim system. I don't think the MCAS concept is fundamentally unsound, but it blows my mind that they didn't design it with that kind of mindset.
Oh man, I wish more software was built to the standards of aerospace control system best practices...
I don't remember the numbers, but one had to show that the likelihood of failure was less than 1 flight in XXXX where XXXX was a very large number.
> I wish more software was built to the standards of aerospace control system best practices...
I am much more ambitious. The Deepwater Horizon disaster, the Fukushima nuke plant failure, the Toyota acceleration failure, etc., are all designed with an utter disregard for lessons that aviation learned long ago. To wit:
1. a failure of one subsystem shall not propagate to another (zipper effect)
2. a failure of one subsystem shall not compromise the whole
3. once any such failure is detected, that subsystem shall be assumed to be compromised by demons, and must not be allowed to continue
4. you cannot educate people into not making mistakes
5. if you punish people who make mistakes, they will conceal mistakes instead of being forthcoming about fixing them
Those principles have strongly influenced all my engineering work since, and I've tried to propagate them among my colleagues (with mixed results).
For example, the good old `assert` in software. Asserts are to detect impossible states, and hence if an assert trips, the software is in an unknown state, and what it will do next is unpredictable. Therefore, an assert must go directly to jail, not pass Go, and not collect $200.
I get pushback all the time on this,
1. people use assert()'s to validate input
2. people insist that their program can continue operating after an assert trips
3. people insist that their program cannot be allowed to fail, and that they are capable of predicting what their program will do next
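The distinction the post above draws (input validation is an expected path that gets reported; an assert marks a state that cannot happen and must not be continued from) is easy to state and easy to get wrong in code. The following is an added example, not code from the poster, that parses a constructed wire format `[type][len][payload...][xor checksum]` two ways: once with `assert()` standing in for validation, once with explicit checks and an `INVARIANT` macro reserved for the unreachable branch. The frame layout, type codes, and the `INVARIANT` macro are all assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <assert.h>

/* Added example, not code from the post above: a constructed wire format
 * [type][len][payload ...][xor checksum] parsed two ways. Frame layout,
 * type codes and the INVARIANT macro are all assumptions for illustration. */

#define FRAME_MAX 64
enum { TYPE_TRIM = 1, TYPE_HEARTBEAT = 2 };

typedef enum { PARSE_OK = 0, PARSE_TOO_SHORT, PARSE_BAD_LENGTH,
               PARSE_BAD_CHECKSUM, PARSE_BAD_TYPE } parse_status;

typedef struct { uint8_t type; uint8_t len; uint8_t payload[FRAME_MAX]; } frame;

/* For impossible states only. Unlike assert(), it is not compiled out by
 * NDEBUG and never returns: once an invariant is broken the program's next
 * action is unpredictable, so it stops here instead of guessing. */
#define INVARIANT(cond) do { if (!(cond)) { \
    fprintf(stderr, "invariant violated: %s (%s:%d)\n", #cond, __FILE__, __LINE__); \
    abort(); } } while (0)

static uint8_t xor_sum(const uint8_t *p, size_t n) {
    uint8_t s = 0;
    while (n--) s ^= *p++;
    return s;
}

/* Builds a well-formed frame into out (needs FRAME_MAX + 3 bytes) and
 * returns its length. Used only to construct sample input. */
size_t build_frame(uint8_t type, const uint8_t *payload, uint8_t len, uint8_t *out) {
    out[0] = type;
    out[1] = len;
    memcpy(out + 2, payload, len);
    out[len + 2] = xor_sum(out, (size_t)len + 2);
    return (size_t)len + 3;
}

/* The style pushed back on above: assert() used to validate untrusted input.
 * Build with -DNDEBUG and the checks vanish, leaving memcpy to read past the
 * buffer; build without it and one malformed frame aborts the whole process.
 * Either way the wrong tool is doing the job. Kept here for contrast only. */
parse_status parse_frame_assert_style(const uint8_t *buf, size_t n, frame *out) {
    assert(n >= 3);
    assert(buf[1] <= FRAME_MAX && (size_t)buf[1] + 3 <= n);
    out->type = buf[0];
    out->len = buf[1];
    memcpy(out->payload, buf + 2, out->len);
    return PARSE_OK;
}

/* Hardened form: every property of the input is checked and reported as a
 * normal result. Bad input is expected, not impossible. */
parse_status parse_frame(const uint8_t *buf, size_t n, frame *out) {
    if (n < 3) return PARSE_TOO_SHORT;
    uint8_t len = buf[1];
    if (len > FRAME_MAX || (size_t)len + 3 > n) return PARSE_BAD_LENGTH;
    if (xor_sum(buf, (size_t)len + 2) != buf[len + 2]) return PARSE_BAD_CHECKSUM;
    if (buf[0] != TYPE_TRIM && buf[0] != TYPE_HEARTBEAT) return PARSE_BAD_TYPE;
    out->type = buf[0];
    out->len = len;
    memcpy(out->payload, buf + 2, len);
    return PARSE_OK;
}

/* Acts on a frame parse_frame has already accepted. The default arm is where
 * an invariant belongs: the type was validated upstream, so reaching it means
 * memory corruption or a logic bug, and the program stops rather than carry
 * on. Returns the trim delta applied, or 0 for a heartbeat. */
int apply_frame(const frame *f, int *trim_state) {
    switch (f->type) {
    case TYPE_TRIM: {
        int delta = f->len > 0 ? (int8_t)f->payload[0] : 0;
        *trim_state += delta;
        return delta;
    }
    case TYPE_HEARTBEAT:
        return 0;
    default:
        INVARIANT(0 && "frame type was validated by parse_frame");
        return 0;   /* not reached */
    }
}

int main(void) {
    uint8_t buf[FRAME_MAX + 3], p[3] = {5, 0, 0};   /* constructed sample */
    frame f;
    int trim = 0;
    size_t n = build_frame(TYPE_TRIM, p, 3, buf);
    printf("good frame: status=%d\n", parse_frame(buf, n, &f));
    printf("applied delta=%d trim=%d\n", apply_frame(&f, &trim), trim);
    buf[1] = 200;   /* corrupt the length field */
    printf("bad length: status=%d\n", parse_frame(buf, n, &f));
    return 0;
}
```

The two parsers differ only in what they do with a bad length field, and that difference is the whole argument: the hardened one treats it as data the caller should see, the assert-style one treats it as something that cannot happen, and with `NDEBUG` defined it then proceeds as if that were true.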
It is the pilots' responsibility to READ, UNDERSTAND, REMEMBER and FOLLOW any Emergency Airworthiness Directives sent to them. Flying an airplane is not a joke. Pilots who are unwilling to do this should turn in their pilots' wings.
Crashes are usually due to a combination of factors. Boeing certainly shares considerable blame for the poorly designed MCAS system.
More issues:
1. how did a defective AOA sensor get past checks and be installed?
2. how did a defective AOA sensor pass inspection tests on the airplane?
3. why was the LA flight allowed to fly, when the previous flight experienced stab trim runaway?
4. why was the LA flight crew not informed of the anomalous behavior on the prior flight?
Air travel is made safe by addressing all factors that led to an accident.
The second design flaw is manufacturing stretched airplanes in the first place, which are hacks in general. Even as an amateur one can see that the proportions are off without understanding anything else. They look ugly and fly ugly.
The stretched cargo version of the MD-11 had many issues and accidents, particularly during landing.
While there is something to the notion that if it looks like it will fly it will fly, remember that the general configuration of modern airplane design took many, many years to settle down on. Even the Wrights got it wrong (putting the stabilizer in the front made it unstable).
The notion of swept wings, that seems so natural today, was a very long time in coming, for another example.
For a third, the aerospace people keep finding ways to make the wings more efficient. Notice the winglets on the wingtips? Those are fairly new.
I don't work for nor hold stock in any airline or aviation manufacturer, I can just adequately judge risks.
You are the one who thinks 180 separate, independent regulators colluded to protect a company at the risk of the people they are supposed to protect. Any argument against the MAX has to be against the regulators as well as Boeing itself.
Why is the Dreamliner acceptable and the MAX is not? Same company manufactured and maintains them, after all.
> Why is the Dreamliner acceptable and the MAX is not?
I remember [1?] hearing that Emirates threatened refusing 777s & 787s from one of Boeing's plants due to repeated quality control issues. Have not tracked the issue.
> 180 separate, independent regulators colluded to protect
Not necessarily. But if 180 _independent_ bodies were effectively independent, one of them would probably have found issues with the MAX. But they are not operating effectively independently.
So I imagine your position is that the software industry should swear off products altogether when they have a serious bug, right?
Did you make a conscious effort to rid yourself of OpenSSL after Heartbleed? After Heartbleed, OpenSSL received mountains of extra funding as well as unprecedented scrutiny.
Guess what happened after the MAX disasters? Extra funding and unprecedented scrutiny. In fact, no plane has been scrutinized more.
That's not what was being talked about. Sure, it's the safest aircraft out there, but that's like saying "the safest car". No-one is going to go and seek out the safest car, maybe stay away from unsafe ones, but as long as the general level of safety is high, people will fly on anything.
The problem here is just simply ethics. Boeing did a bad thing, therefore I will refuse to use this plane. If enough people think similarly, Boeing will be punished harshly by its clients, as airlines see that the plane is not profitable due to its public image.
The problem is not about if the MAX is the safest airplane now. If Boeing can get away with it like that then it lowers the general airplane safety in my opinion. Now that Boeing has designed an airplane by cutting corners to save money (even though it did cost them a lot, the government saved them), then this means that other airplane manufacturers must also cut corners to stay competitive.
You seem to be labouring under the illusion that airliner manufacturing is a competitive industry. But I'm not aware that Boeing has any real competitor other than Airbus. The phrase "too big to fail" looms very large and is very real here. So no, this won't have an adverse effect outside of Boeing. The real problem is the culture that allows such a disaster and then, worst of all, tries a cover up. With the full aid of a government regulator (for heaven's sake!). To the entire world. Apparently not afraid that being caught out would have worse consequences. A massive public breach of trust and hints of corruption. The way the FAA was the last country in the world to ground the MAX, it makes the US look like some 3rd world dictatorship.
> If Boeing is incompetent, trusting the Dreamliner but not the MAX is irrational.
The 787 has its share of problems, but at least it's newly designed and has to conform to the latest safety regulations, not an over 50 year old design like the 737 MAX. If it wasn't such an old design, the odd placement of the engines which couldn't fit under the wings and therefore the "workaround" for the issues caused by this odd placement (MCAS) would not have been necessary...
Boeing has never made an airliner that was fully dependent on computer assistance. They have no heritage in this domain and apparently don't care enough to pay for capable testing. It will always be risky to fly these no matter how much scrutiny is applied.