"There are far too many aerodynamic bandaids that are permitted to pass the current standards. Not just this particular airplane, but a whole bunch of airframes. If the basic aerodynamics won't pass without the pushers, pullers and now AOA induced changes to primary and secondary controls then a new design of the wing platform should come into play."
The way I interpret this, is that the plane should never have gotten the green light to fly.
Pilots have been pushing back hard on the narrative that this was simply pilot error.
The crux is that safety agencies never mandated training on these new systems, and new procedures weren't created with them in mind. Worse still procedures from older models of the same aircraft (such as automatic overriding of auto-trim) were removed without re-training on that either.
Lion Air had to repair the AOA sensor multiple times (replace, then flush), but a single sensor failure should not bring down an aircraft; and if the AOA sensor is that safety critical then why did Boeing put two of them instead of three (i.e. for cross-checking readings)? Either it wasn't safety critical and Lion Air's actions are reasonable, or it was and Boeing cut costs on safety.
So the justifications blaming either the pilots (who didn't get training, because safety agencies told them it wasn't needed) or maintenance (who were repairing a non-critical sensor that turns out to be safety critical) are weak.
If the AOA sensor is safety critical they need three, rather than two.
The inherent problem with two is if one is feeding false data, you don't know which one, whereas if you have three (or more; but an odd number) you can cross-check the data and drop the faulty one.
It is a very common strategy already for commercial aviation and is called "voting logic."
> A more reliable form of voting logic involves an odd number of three devices or more. All perform identical functions and the outputs are compared by the voting logic. The voting logic establishes a majority when there is a disagreement, and the majority will act to deactivate the output from other device(s) that disagree. A single fault will not interrupt normal operation. This technique is used with avionics systems, such as those responsible for operation of the Space Shuttle.
But the real crux here is: Is the AOA sensor safety critical or not? If it can fail-safe then they can likely continue as it is currently designed. But if its failure state can cause an aircraft crash, then it becomes a safety critical component.
It's a bit more complicated than that even. The 737 was originally designed for a very different mission than it's being used for right now. If you find pictures of the original 737-200s they look very different from the MAX line of today. It was built in an era when it was assumed that 707 and soon after 747 class airliners would serve the hubs and then smaller 737s would serve the small regional airports. As such the 737 was designed with VERY low ground clearance such that it could offload without a ramp and generally be serviceable at these types of low infrastructure airports, hence the lack of wheel doors, the ovoid engine inlets and the generally low stance.
Fast forward to today where airport infrastructure is much more developed and these small/medium size airliners are being pressed into front line service including intercontinental routes. The aircraft has changed drastically to accommodate these changes through the years, enough that it may be time for a clean sheet design. They've changed just about everything on the air-frame from the fuel load/cabin length/wing to the avionics to make this all work.
Now, the other side of that coin is with systems. In theory this should be fine, but obviously isn't. It's hard to differentiate bandaids from regular systems and if either fails then safety is compromised. Obviously the amount of unnecessary systems should be minimized but as time goes on more systems WILL be added to gain the rewards of automation, which is a good thing. As such, we need to educate pilots on ALL of the systems, and rigorously test them before they enter service.
Additionally, if you do as the pilots want and achieve very high aerodynamic stability through the air-frame instead of stability control systems (fly by wire essentially) it reduces the aerodynamic efficiency of the airliner, particularly with current conventional designs.
>if you do as the pilots want and achieve very high aerodynamic stability through the air-frame instead of stability control systems (fly by wire essentially) it reduces the aerodynamic efficiency of the airliner
It's crazy to me that that would be an acceptable compromise.
Fly-by-wire means the control surface actuators are connected to cockpit controls electronically rather than with hydraulic lines or metal cables; it's not necessarily related to stability and control augmentation system.
With regard to the other point, I don't think anyone is advocating for very high aerodynamic stability. That would be a B52 carrying nuclear weapons. It was designed to be extremely stable and forgiving. That being said, you don't want to rely solely on stability augmentation for trimming an airliner.
It reminds me of Air Canada flight 143, the pilots lost both engines and power. yet they were able to land the plane safely on an abandoned airport. I'm not sure if that would be possible with a 737 Max.
Yes it would. There are backup systems to keep things working even with both engines dry (ram air turbine etc). In fact, if you really want to stretch our a glide, all those automated systems are probably a good things. They will keep the aircraft more perfectly trimmed for a glide than the pilots ever could by hand.
If the electrical failure is severe enough to lose control authority, it seems just as likely that a hydraulic system would have failed. These planes are just too large to operate the controls mechanically, so in practice there is just as much to fail in a hydraulic system as electrical control, since both require power.
That is what the RAT is for, alternative electrical power. If the entire electrical system is down, ie electrons no longer flow anywhere anyhow, then everyone is doomed. But that is up there with the tail falling off. The are no backups for the wings/tail either.
When I say stability control, we're not generally talking about unstable or "relaxed stability" airframes where the system failing would cause a pitching moment to accelerate rather than converge and the aircraft would tumble and disintegrate. From an efficiency and handling standpoint, this would be ideal, but it's only used in tactical military aircraft where the crew can bail if there's a problem.
In most cases, we're talking about preventing stall in a swept wing aircraft. Swept wings are necessary to cruise efficiently beyond ~300mph at high altitude so they have to stay obviously, however they have VERY poor stall characteristics. As such, we have to do some things to prevent the aircraft from stalling such as playing with trim, using a stick pusher, etc.
> Swept wings are necessary to cruise efficiently beyond ~300mph at high altitude
Layman here, but 737, 747, etc. don't have swept wings, right? So they all cruise inefficiently... but are in fact stable... which is the opposite of what you wrote earlier? Sorry, I'm just really confused.
You're picturing a fighter jet or something with severely swept wings. Do an image search - 737s, 747s, et al do indeed have gently swept back wings. They don't stick straight out at 90 degrees like aircraft from the piston era.
I like the LAX screensaver on Apple TVs—you can pick out the more organic/bird-like curve of the newer generation carbon fiber 787 planes from the old ones. I’ve never thought about it, but they do look less stable.
From a stability perspective there's likely no difference insofar as the stall response will be bad regardless. You can have complex wing geometry that stalls gracefully, for instance carbon general aviation aircraft have similar traits but require much cleaner stall response for certification generally.
BTW since it's been tossed around a lot, good stall response is when the whole wing stalls at the same time and both wings tend to stall together, therefore you get a clean lurch downward in a straight predictable line. Bad stall response is one part of one wing stalling before the rest such that the wing drops and the plane has to be fought to avoid a spin or if extreme enough, a tail slide or extreme side slip.
Obviously stability has to be achieved through fly by wire tech. Doing it through natural aerodynamic stability is a waste of resources of insane proportions as such airframes induce more drag and burn more fuel. If this sounds too scary for people in a forum of software developers it only puts a shame on our profession, from ourselves.
The software itself isn't necessarily the issue, though- it's also all the sensors and actuators involved.
Suppose, for instance, that an aircraft needs more yaw stability.
There's all sorts of design choices that could be made, but consider either A: a larger vertical stabilizer or B: automatic application of the rudder to damp oscillations.
The vertical stabilizer here is essentially a bit of metal. We know very, very well what can go wrong with bits of metal. Fatigue, corrosion, manufacturing defects, bad repairs... But, in 2019, we've pretty much figured out the failure modes of big bits of metal on an aircraft, and we generally know how to prevent and/or minimize them.
Now, the dynamic stabilization approach. We'll need gyroscope data (from the IRS, probably), a software model of flight dynamics (which almost certainly already exists and is running), and possibly faster servo valves for the rudder actuator.
This can work! We can formally verify that the control system we've created damps oscillations throughout all normal flight regimes. The gyroscopes are already redundant and well-tested. And you might not even need the faster servos.
Problem is, now avionics failures are even scarier. Will the stabilization here still operate when you get dropped into secondary mode? Probably not- so now, in unexpected situations, pilots need to keep in the back of their minds that yaw oscillations are more possible, that they may need to damp them manually, etc, etc.
Now you throw in some extra factors- turbulence, IMC (which would probably make detecting those oscillations manually that much more stressful), and trying to solve whatever problem dropped you into secondary mode in the first place... and you have something a bit concerning!
A bit of metal won't do that to you. We can make much better estimates of a bit of metal's reliability, and its failures are also less correlated- they aren't much more likely to crop up when you already have another problem.
Well military jets have been doing exactly that - maintaining stability through software on inherently unstable planes that would break up even in straight and level flight in a split second if computer crashes - for 40 years now. And Boeing builds both kinds of planes so they have the experience.
No one knows better than software engineers how difficult it is to make inherently reliable software and how much complexity can add to the difficulty of making reliable software.
That said, the cost of not using latest fuel efficient airplane would indeed be huge and the actual reliability of modern aircraft is very high and has been increasing over the years in which fuel efficiency also increased.
Sometimes, human can hit on a formula that produces objects that satisfy all the given parameters more fully rather than compromising on any of the requirement. But it's quite plausible that these formulas cannot be milked forever - thus the "Max" may be the point where tradeoffs stop working.
Could you clarify your assertion that it would be massively more expensive?
A quick look at the numbers suggests that a 737 MAX 8 is about 10% more efficient on fuel burn compared to a 737 300. That is not "massive" in my book and I'm more than happy to pay a little bit more per ticket if it means a higher safety margin.
Did you mean something older and less efficient than a 737 300?
such airframes induce more drag and burn more fuel
As a curious bystander, I assumed using fly by wire tech to achieve stability would involve using control surfaces, which increase drag by their nature. How would an airframe that's naturally stable and doesn't require control inputs burn more fuel?
It's more about preventing a stall with a swept wing which is needed to achieve high mach numbers.
That said, an easy (but different) case to visualize is a traditional tailplane. The center of gravity on an airplane is in front of the wing so it wants to pitch down slowly. The tail pushes DOWN in the back to keep the nose up. Nose heavy planes are stable and forgiving but you induce drag because the wing needs to supply some lift just to counteract the tail which is producing negative lift. If you move the CG backward, you get less stability because the airplane wants to pitch up/down more violently with a control input but you have less negative lift from the tail.
That’s a great explanation, even if it is oversimplifying.
We don’t build planes with training wheels anymore because the performance cost was too high. Planes are still the safest way to travel even without the training wheels.
I don’t think 737 MAX 8 pushes the envelope too far. I think they screwed up on re-training the disengage, and they may have screwed up on redundancy by only using a single AoA sensor, but I also am guessing the latest crash has absolutely nothing to do with trim.
There are two alpha vanes on 737s, including the MAX 8, that measure angle of attack. Also we don't know the exact source of the error (in the Lion Air case; in the Egyptian Airlines case we don't know at all). The vane itself could be the source or some other part of the system.
The ovoid engines were a result of high bypass engines being added on the 300. The low bypass turbines on the older models was much smaller. These were then removed on the max because the engine was mounted higher and further forward on a low profile pylon.
Maybe? Let me leave you with one other tidbit though. Beyond the requirements, airframe changes, and added electrical stuff, to fly the 737s you need a type rating and that rating is basically an education on all systems and procedures for the airframe. Boeing worked hard to make all aircraft from the 200 through the MAX fall under one type rating so if you get certified to fly an old low bypass 200, you can hop out, walk across the tarmac to a MAX and take off with another load of passengers. Obviously almost nobody runs the 200 anymore but the later aircraft are all still operated in some capacity and having one rating to rule them all makes it cheaper for small operators with mixed fleets to afford the training costs. In doing this, Boeing had to make the basic "UI" for the aircraft all the same, regardless of model. I'm not typed in the 737 but from what I've heard, it's resulted in a lot of user flow and documentation idiosyncrasies, particularly in the MAX lineup which could be part of the issue here. All that said, the trim motor disconnectors have been in the same place for most of the aircraft's history I'm told and hitting them would have likely prevented the Lion Air accident.
Trump tweeted that planes have become too complicated and that the old and simple form is much better.
His tweet sounds dumb but there is some truth in it.
As you say, planes and procedures have become very complicated. And I think there are only two options: making planes simple again which make them less efficient or let computers fly the plane and make the interface simple(r).
If you look at the rockets of SpaceX then you can say they are the extreme form of fly by wire and very instable when it comes to aerodynamics. But computers can land them within centimeters when they fall out of space.
So maybe that will be the future. Planes that are very efficient instable flying 'rockets' that are controlled by computers.
> His tweet sounds dumb but there is some truth in it.
There really isn't. Automation is part of what has made flying safer over the years. Also, compare the cockpit of an Airbus with e.g. an old B737, the 300 series for instance. The Airbus cockpit is much simpler, in the sense that there are less gauges and knobs for the pilots to be concerned about. Automation has, over all, made things simpler and safer.
It's far from clear-cut that the way automation is happening is advisable, however conservative it might appear to be, and I'm sure you'd agree that there are many confounding variables that make it difficult to say just what is responsible for the trajectory of aircraft safety. There's not much of a control group of advanced modern aircraft which omit automated features.
Stick pushers go all the way down to the PC12 (a single engine turboprop). Honestly there is no putting that genie back in the bottle. Getting benign stall behaviour out of a highly efficient wing is very difficult.
"the plane should never have gotten the green light to fly."
this is an overstatement. airframe fuel efficiency is a undoubtable good thing vis a vis climate change, costs, etc. Obviously they've reached a point were the aerodynamic profile of a modern, efficient airframe is difficult to control via manual pilot input alone in some scenarios. This was the case for stealth technology with fighter/bomber designs.. the B2 for example has no vertical stabilizer and would not be controllable at all without fly-by-wire. Of course pilots will lament complexity and the loss of manual input. Regardless, the FAA wanted MCAS in the 737Max. Augmenting human input in the face of instrument failure and possible human failure is an extremely hard problem and uncharted territory for the industry. Doesn't at all mean its a not a worthy goal or that the designers or regulators had ill intent or negligence.
That's not really the problem with the B737 MAX though. It's not inherently unstable like e.g. a fighter. The issue is that they had to fit the engines in front of the wings, and this will create a significant pitch-up if thrust is added abruptly, e.g. in a go-around.
To counteract this they introduced the MCAS system. They would not have needed this if they hadn't "retrofitted" big engines on an old airplane design, but instead started from scratch. The B737 MAX is not really a modern aircraft, but a heavily modded old design.
The problem here isn't that a 737 MAX style design is inherently unstable. The issue is that the larger engines really needed longer landing gear and other significant airframe changes, but due to demands from Southwest that it remain within type-certification for the 737 (to avoid the costs of pilot retraining) some unfortunate compromises were made that affected the aircraft's behavior.
You can design an aircraft just like this that won't have those characteristics. You'll just need to pay to get it certified and then airlines will have to pay to train their pilots. Instead, Southwest wanted the band-aid fix, and Boeing obliged them.
An aerodynamically sound redesign to accommodate the high bypass engines would have been just as fuel efficient as the version with confusing software band-aids.
If it is cheaper to invent something like MCAS than to properly adapt the airframe, then maybe the processes that would be used for the latter are ripe for some efficiency optimization.
When I see cockpit videos, the pilots tell each other what they do / run checklists together... Does the MCAS do the same, i.e. announce "stall risk detected, increasing stabilizer trim by 2.5 degree to xx degree"?
Inattention to autopilot modes has killed before. So much focus is put on pilots recognizing and confirming flight mode annunciator mode changes (such as change of autopilot or autothrottle state) has been put into place to stop that kind of accident.
The lack of feedback from the MCAS system is probably the killer here.
How am I supposed to know that MCAS is operating, and how do I know when to hit trim cutoff switches to override it? You don't want to ever be asking "what the heck is the airplane doing now?". Watching the trim wheel to check if it's spinning nose down all the time isn't going to work.
The Lion Air pilots were not even aware of the existence of the MCAS system, because Boeing at the time did not include any information about it in its manuals.
The behavior would be similar to runaway stabilizers, though, for which B737 pilots have memory items to perform (turn off the trim). This would have solved that problem. However, several other warnings and alerts, like stick shaker, might have been going off at the same time, making the situation chaotic and problems hard to diagnose.
An additional problem is that if it fails (the MCAS) the airplane is low, in full thrust during take-off and the pilots have zero room for error as the airplane is trying to dive into the ground (as in the LionAir flight).
Reading the posts there is a lot like listenning to 'retired generals' on <insert entertainment "news" network here> who haven't seen action/training in decades talk about modern tactics, equipment, and situations as if they magically have been informed by companies/players in the field they left (hint: they haven't).
I'd rather wait for formal investigations (e.g. NTSB-style) before jumping to any conclusions.
IDK how things are in your sphere, but in the context of where I live, I have watched overseas travel go from bougie luxury to something everyone can do over the last 20-25 years.
Since airlines have an oligopoly, fares are not based on the cost to the airline but on the price on the supply and demand curve that yields maximum profit. In other words, the maximum price that enough people are willing to pay. If there were more competition in the market the price would be closer to the airline's actual cost.
Reduced fuel is done with an upfront investment. Which always makes me wonder, since every penny of the investment money goes to researchers, facilities and material which themselves aren’t more economic in emissions than fuel itself, then does it really save on emissions...
I interpret this as an indication that the United States policy and law is run by Wall street and is corrupted. Boeing didn't want to develop a new airplane, cut costs, and doesn't want to lose money, so the FAA is not allowed to ban the plane
So this isn't just banning from airports, this is banning from their airspace? That's then more or less a total grounding of them in Europe.
As an example, Norwegian (who has 15 of them) said they weren't grounding them as late as this morning, but now they'll have no choice. They use them mainly for their medium flights between scandinavia and southern europe (Nice, Budapest, Tenerife etc). No way they can do that without flying over Germany and France. It wouldn't be very good optics if they swapped their MAX'es to domestic use to free up regular 737's for flying over the continent either.
It looks like Norwegian is already asking its 737 Max flights to return to their departing airports, at least according to this recent screenshot I found on reddit [1]
Wow. This is pretty ridiculous considering all three of these planes seem to have been closer to their destination than the origin, making it safer to just finish the planned flight.
Both incidents have been in the first few minutes of flight and this is also a 'long term safety' thing. They're relatively safe to fly still.
On the other hand, if your plane gets stuck in a foreign country the bill just for parking the thing could be massive. Better to get it back while you still can.
Eventually the bill can get so high that it doesn't make financial sense to still attempt to claim to be the owner. As of January there was a McDonnell Douglas MD87 in Madrid thats abandoned. Three 747 were sold for scrap in 2017 after they were abandoned at Kuala Lumpur.
> From the effective date and time of this AD, do not operate the aeroplane, except that a single
non-commercial ferry flight (up to three flight cycles) may be accomplished to return the aeroplane
to a location where the expected corrective action(s) can be accomplished.
So they are allowed to be ferried in certain situations.
The MCAS problem cannot occur when flaps are deployed, and it happens when flaps are initially retracted. So if it hasn't happened by now, it's not going to.
I was on a Norwegian plane once going from Oslo to London, 3/4 into the journey, just before descending into Gatwick, we got told the plane is turning around due to fault on the plane. So deflating when you are nearly home. The pilot did a good job calming everyone down and explaining it was a minor fault, two duplicate sensors were showing different values, but still, enough to recall the plane.
So basically another 1.5h flight back to Oslo, a few hours wait, then on a replacement plane (thank god) with another flight back to London. A long day.
I can, however, understand it. As with this 737 Max-8s they did not want the plane grounded in an airport where they don't have a full service centre with parts etc. Had it only been a few years later we could have continued as they made Gatwick one of their major hubs with probably full stock of parts.
Though I do have a rule of preferring flying out from an airport with a "local" airline, as they are quite likely to have parts and chances of spare or frequent incoming planes to shuffle around to.
I had the same experience with an Easyjet flight, which departed from the Easyjet hub (also Gatwick) and returned there.
The pilot strongly implied that had I been on the British Airways flight, we'd have continued to the destination: BA would have flown their spare pilot + spare plane + repair crew out.
I speculate we’ll see more airspace closures once countries give enough time to avoid stranding their nationals.
I wonder if, say, Germany, waited until its planes had to chance to land before closing their airspace, while other countries/companies, like Norwegian got caught by surprise.
The closest thing to a German 737 MAX are 15 owned by TUI, which seem to all be based in the UK.
There hasn't been much fleet renewal in the German market in recent years, just lots of consolidation (it's actually a bit of a lottery to buy a ticket in advance due to all the bankruptcies)
A potentially interesting tidbit from Norwegian's Wikipedia page:
> Diversion to Shiraz, Iran December 2018
> A Norwegian Boeing 737 MAX suffered an unspecified technical failure over Iran in December 2018. The pilot made a precautionary landing at Shiraz Shahid Dastgheib International Airport without incident. Spare parts required to make the aircraft airworthy were not available in the world outside the United States, which has prohibited exports of technology to Iran. Two months later, the almost-brand-new aircraft remained stranded in Shiraz and subject to seizure by the Iranian government.[86]
> On 22 February 2019 the plane was ferrried from Shiraz to Stockholm as DY8921
That seems like a disincentive to buy American aircraft.
If you're a reasonably sized international airline, it seems like a reasonable possibility that you'd have to (or want to) land in a territory that the US in unfavourable toward. Why take the risk?
And whats more, even the Russian jets are 'not russian enough' so Iranians could buy them[0].
"The US approval for the transaction was needed, as Sukhoi aircraft contained more than 10% (22%, according to state news RIA) of American-made parts."
Maybe, but in the specific case of an Norwegian airline, it seems less likely there would be a 'mismatch' of interests, with the rest of Europe, compared with the US.
And I thought Europe were lifting their Iran sanctions? They're trying to get a non USD payment system sorted so they can continue trade after the US pulled out of a deal.
> In the Iran case, there are similar sanctions from the EU
Nope, since the 2015 nuclear agreement with Iran, Europe has no sanction against firms that commerce with Iran. However, since USA pulled out of the agreement, USA threatens european firms that commerce with Iran. The agreement is however still in place.
This is somewhat true, but to be fair there are only a few countries the US and it’s allies don’t do business with - as long as you don’t land in Iran or North Korea you’d be in pretty good shape.
Many of those countries are friendly (extremely so) to the US. For example, the US is perfectly happy to ship aircraft parts (and even fully functional military aircraft) to Afghani buyers; they just give non-binding advice to US citizens that traveling to a war zone is maaaaaybe not the safest idea.
Austria also closed the airspace for 737 max planes, while not the largest country in Europe together with France and Germany that adds quite a bit of extra detour coming from Norway.
Indeed. Norwegian is doing this because the optics now force them to do so, not self-assessment of the risk. They, and the Norwegian Civil Aviation Authority, failed in that regard.
Do you have a reference to confirm that this was a knee-jerk/optics reaction, out of interest? (definitely curious to see how airlines/authorities are reaching these decisions)
The MCAS system and the way it was introduced sound a little like a patch, and slightly haphazard.
While training & runbooks and procedures are important, take-off is a busy time, and the Max-8 is (afaik) intended to operate very-nearly-like a standard 737, so it's not inconceivable that pilots wouldn't have time or intuitively know how to handle this situation.
Ultimately any vehicle/software/tool is going to be safest when the responsible designer makes it intuitive and reduces the possibility of failure cases rather than adding workarounds or runbooks to patch over them and/or disclaim the liability.
Anyway, it seems like it could be early to strongly assign blame or critique until we know how serious the issue is.
I've seen a number of people pointing at this likely being more an issue with untrained pilots than the plane itself. EI, the flight crew on the crashed planes may have had considerably less experience than the minimum requirements most major airlines and all US airlines set for flying these planes.
This seems like corporate PR blaming "3rd world pilots" and am not sure it's such a smart move. If your plane requires substantially different handling & the interface does not accommodate it, it seems to me the problem is not the pilot.
It seems more likely that the plane suffers from some elemental design problems that were insufficiently patched over to pass inspection in order to protect the already invested capital.
Norwegian Air and Norwegian authorities had the same information (or indeed lack thereof), but did not act until now. Given the known similarities, and the lack of data that rules out a problem with the B737 MAX, the responsible thing is to err on the side of caution.
"very nearly like" is also extremely dangerous when it comes to risk prevention.
People are pattern-matchers, and if 99% of flying the plane is the same except the part that will kill you if you don't do it the new way--well, people will do it the old way and die. That's infinitely more true in an emergency situation where you tend to fall back strictly on training and instinct.
If you want to jar people into different behavior, the interface needs to be different as well. Otherwise it looks like the same old contract.
I think many of us kind of know this from GUI/API/whatever design, but there's no reason jet planes would be any different.
>Do you have a reference to confirm that this was a knee-jerk/optics reaction, out of interest? (definitely curious to see how airlines/authorities are reaching these decisions)
Considering that pretty much any criticism can be dismissed with "better safe than sorry, also everyone else was doing it, we had to consider the optics" it makes perfect sense to step in line and ground them like everyone else. Not doing so would just be stupid when there's near zero downside to the people making the call.
It's like highway traffic. Sure you can obey the letter of the law but when everyone else is doing something drastically different your exposure to risk is minimized if you just do what they do whether it's right or wrong.
At least it’s not the country bound and determined to prop up the brand at all costs. If it was 2 A320s that went down, you can bet we’d be banning them instantly in the states.
> "[...]do not operate the aeroplane, except that a single non-commercial ferry flight (up to three flight cycles) may be accomplished to return the aeroplane
to a location where the expected corrective action(s) can be accomplished.".
Doesn't this just say the 737 MAX can be flown only to undergo future maintenance that'll resolve whatever the current issue is, unless another notice is posted clearing it?
It's meta-derailing; instead of directly attempting to derail, you just post something along the lines of "Well this won't be investigated properly because others put forth ${original derailing argument}". Of course, usually no "others [ever] put forth".
At the gym today, on all the TVs, the media talking heads were crucifying the FAA for being "unsafe" or playing fast and loose with passenger safety (for not grounding the planes).
I've always held the FAA in high regard, and think they do a good job. Are they really being negligent here? Or is the media just looking for something to spark outrage?
Can anyone with more specific knowledge of aircraft safety weigh in?
Two crashes in 6 months and there's only 350 planes in existence is a pretty bad safety record that is probably on par with Tupolev.
The US can tacitly blame "third world" pilots all they want, but with 300 people dead already, I think it's important for the FAA and Boeing to say exactly what is going on, especially since the planes are in use in the USA.
There is a debate over if the plane's hardware, software, or pilots are at fault-- either the planes should be grounded or the exact protocol should be published all over for the world to know, since it is the passengers' lives at stake.
The Boeing Max 8 entered service in May 2017. Assuming a linear deployment rate, the 350 planes in service have seen an average life of 10 months. Assume 4 flights/day, that's 420,000 flights so far. 2 have gone down. A best estimate of the likelihood that a plane goes down (MLE), p = X/n = 2/420,000 = 1/210,000 ~ Binomial(n=420,000, p=P(crash)). According to the Economist [1] the likelihood your plane goes down generally is 1/5,000,000. So based on the fact that the plane crashes had similar characteristics, the Boeing Max 8 is 25X more dangerous than a regular plane.
25X is the difference between surviving a commute on a bicycle vs a car [2].
EDIT: The Economist source that estimates a plane's p(crash) is questionable, for a passenger plane. If anyone wants to dig into this further, I found this source too: http://www.baaa-acro.com/crash-archives
> 25X is the difference between surviving a commute on a bicycle vs a car
Meaningless and misleading comparison at best.
According to numbers released by Boeing [1] itself, the original 737 designed back in 1967 had a hull loss of 1.75 per million flights, the 737 NG designed in the late 1990s to early 2000s had a hull loss rate of 0.27 per million flights. So Boeing 737 had a 7X less likelihood to crash as the results of 30 years of improvements. 25X difference is going to send the highly unsafe 737 MAX design back to the WWII level. Now think again whether WWII era aircrafts with similar crash likelihood should be allowed to carry passengers in huge volume in 2019.
You number proves one thing and one thing only - FAA has the legal and moral obligations to ground all those highly dangerous 737 MAX immediately.
If I have an upcoming flight on a MAX 8, can I sufficiently compensate for any increased risk by taking the train to the airport instead of a 25km Uber drive?
Given the uncertainty about p(crash) that I mention, then to satisfy confidence limits, you should wear a styrofoam helmet for the full duration of your trip. And post a photo.
This is excellent data and calculation work. I really appreciate it!
I have a suspicion that if you were to remove all instances of terrorism and look at the crash rate of Boeing vs Tupolev, almost all Boeing planes would be way better except for the MAX 8.
The FAA and Boeing need to investigate this, but you can't make such statistical inferences, since you simply don't have enough data points. There could be no more crashes for the next few years with those 350 planes.
The FAA and NTSB are very good at what they do, one of the very few examples of government services that work well together with industry, give them some time.
The MAX8 fleet has been operational for about six months. Assuming 3 flights per day: 350 * 6 * 30 * 3 = 0.189 million flights.
To estimate the probability of two accidents, we can use a Poisson distribution with x = 2 and μ = 0.189 * 0.39 = 0.0737
P(x=2) = e^(-μ)μ^x / x! = 0.25%
I.e your gut feeling is correct (if my math is correct, that is). If one uses the estimate from a sibling comment of 1 crash in 11 million fights, the probability decreases further to 0.01% Actually the correct calculation is:
1 - P(x=0) - P(x=1) = 0.26%
since we are looking for the probability of there being more than one plane crash -- not just the probability of there being exactly two plane crashes.
Might also be worth considering P(2 Crashes | N Miles across 350 planes where at least one operator has incompetent maintenance), because that might not be all that different from P(1 crash | N Miles across 350 planes where all operators properly maintain their planes)
Look at things like Alaska Airlines Flight 261 [0] - safe airframe, deficient maintenance, plane loses all pitch control and impacts ocean. Yes, this still means that Boeing needs to improve things - single points of failures are never OK on a plane - but it also doesn't (IMO) mean the plane is fundamentally unsafe without those fixes.
I highly doubt there have been 11 million airliners manufactured, though - and that's what the 348 number is.
If we assume that the average MAX 8 has been in service for a year (first delivery was a little less than 2 years ago), and conducts 4 flights a day, we get this [0] - a mean of 1/250000. Still worse than 1/11000000, but only by a factor of 50 instead of 50 thousand.
Depends on your assumptions, but safe aircraft will crash making the first data point meaningless as you are choosing it at the starting point. Second, you are not just running one trial on one design but many trails on many designs.
I suggest you try the math as the odds are reasonably high.
This changes if you start talking about crashes since the first commercial flight, but those are again different numbers.
The statistic looks appallingly bad to me viewed as a poisson process. If you had thousands of planes with zero crashes over decades would you consider that as zero data points?
You just can't have more data points, because flight travel is too safe.
And no, the FAA is not really that good, general aviation pilots die all the time from negligence and the FAA doesn't enforce the rules when pilots violate them (in particular low altitude flying).
General aviation is actually quite safety focused. The entire culture is centered around safety; a large amount of private pilot training time is dedicated to the subject; human factors in particular. Go to any fly-in breakfast and talk to the pilots and inevitably at some point during the conversation you'll hear something about being a safe pilot.
That being said, the government gives general aviation pilots a fair amount of freedom once they get their license. There are rules and they are enforced; particularly when violations put the general public at risk. But there's also recognition that it's quite possible to regulate GA out of existence like a lot of other countries have, and that has pretty negative consequences in terms of pilot availability for other purposes. Therefore, regulations scale with the amount of danger the public is exposed to.
For example, ultralight aircraft (single place, <254 lbs, <=5gal fuel, <=55kts) are virtually unregulated; the idea being that they're so small and light that they aren't much danger to others. LSA/sport (1-2 place, <=1320lbs, <=120kts) are regulated; require a license and inspections but less stringent than a private license, and so on. Private licenses can't be used for commercial purposes, and generally speaking more training and endorsements or ratings are required for eg. aircraft with multiple engines; those that are >=12,500 lbs, those that land on water, those that have old-school landing gear, etc. etc.
I would liken GA enforcement to be somewhat like motorcyles. Lots of people die on motorcyles and we see bad behavior all the time, but we don't look at law enforcement and say they're doing a bad job. You're simply operating a platform with a higher probability of death than a car or truck when you do screw up.
Except when necessary for takeoff or landing, no person may operate an aircraft below the following altitudes:
(a)Anywhere. An altitude allowing, if a power unit fails, an emergency landing without undue hazard to persons or property on the surface.
(b)Over congested areas. Over any congested area of a city, town, or settlement, or over any open air assembly of persons, an altitude of 1,000 feet above the highest obstacle within a horizontal radius of 2,000 feet of the aircraft.
(c)Over other than congested areas. An altitude of 500 feet above the surface, except over open water or sparsely populated areas. In those cases, the aircraft may not be operated closer than 500 feet to any person, vessel, vehicle, or structure.
(d)Helicopters, powered parachutes, and weight-shift-control aircraft. If the operation is conducted without hazard to persons or property on the surface -
(1) A helicopter may be operated at less than the minimums prescribed in paragraph (b) or (c) of this section, provided each person operating the helicopter complies with any routes or altitudes specifically prescribed for helicopters by the FAA; and
(2) A powered parachute or weight-shift-control aircraft may be operated at less than the minimums prescribed in paragraph (c) of this section.
Better safe than sorry. For example if a plane crashes in the first flight should we just ignore it because it is statistically insignificant ? 2/350 seems like a fairly good number to ground the plane and do an investigation. In general this is good for aviation industry because next time Boeing will not cut corners as it has so far.
I agree, in my eyes it is debate between "the plane is not safe to fly by anyone"
and
"the plane is safe to fly with additional training, when given"
If the 737 MAX planes remain in the air in the USA, Boeing and US Govt are de facto saying "third world pilots clearly just don't understand how to fly our planes".
If they ground the planes, they de facto admit there is an actual safety issue.
> "the plane is safe to fly with additional training, when given"
If that is ultimately the conclusion, then it still gives the FAA and EASA a black eye, since they allowed the aircraft update without additional training for MCAS.
Best case scenario for Boeing is that the Ethiopian Airlines crash turns out to be something else. If it is MCAS related Boeing, the FAA, and EASA amongst others that green-lit the update without training have a lot to answer for.
> "the plane is safe to fly with additional training, when given"
Here's the thing. The additional training is not strictly necessary. The same procedures pilots are already trained for in previous models should have saved the aircraft. Unless investigations turn up a new problem.
Of course, one could argue that, by disclosure changes to the system, that the pilots would be able to react faster. But that's not really for us to decide.
It feels to me like Air France Flight 447 [0] - there was a flight computer behavior that the pilots didn't know about, but nonetheless following normal procedures would have prevented the crash. (For AF 447 that would have been "point the nose down to recover from a stall", for Lion Air 610 it was "check the trim wheel - you know, that thing that moves right by your knee - if pitch control is abnormal") Unfortunately, as we add more and more safety systems to planes people seem to be forgetting how to compensate for when the systems fail...
Actually, "de facto" is in contrast to "de jure", meaning "in law" or more generally "officially". If they leave the planes in the air, then whatever the offical reason, they are de facto asserting that there is no (significant) problem. (Grounding them on the other hand could just be considered a excess of caution, so at most it asserts "We aren't sure there isn't a problem.".[0])
0: Which action, if either, is definitive might differ if the stakes weren't inconvenience vs death, or if the FAA openly didn't care.
True randomness does not preclude clusters of events. In fact that's the nature of random events.
Not saying I think these are completely random. But since we don't even know the cause of the Ethopian crash yet, who's to say? The causes may very well be unrelated.
The FAA is not an agency that should be assuming something is safe by default. It is an agency that should be assuming something is unsafe by default and demanding the manufacturer prove it is safe.
If it's random chance, Boeing should be able to prove it is random chance. Until then, the FAA should ground them.
Both crashes happened soon after takeoff (6 and 13 minutes) and Boeing seems to think that they know where the error is (stall in high angle-of-attack) and have a fix in pipeline. FAA is taking calculated risk.
How is the FAA responsible for crashes outside of its jurisdiction? There haven’t been any 737 Max 8 crashes in the US. I can’t speak for Ethiopian, but Lion Air and Indonesia in general have a pretty bad safety record. Lion Air was removed from the EU safety blacklist in 2016. In 2013 another Lion Air 737 (not the Max 8) crashed into the ocean near Bali. Lion Air has had pilot test positive for crystal meth (2012). Lion Air has had multiple major incidents with various 737s over the past years.
The Ethiopian Air copilot only had 200 total hours of experience. In the US, you need an ATP certificate with a minimum of 1500 hours to even be a first officer.
Before we start throwing sand at the FAA, why not ask how a 200 hour pilot gets into the copilot seat of an airliner. Let’s also ask why Lion Air failed to fix a problem with the airspeed indicator. During a previous flight the day before the crash, the pilot reported a problem with the airspeed indicator and deactivated the anti-stall system. Lion Air didn’t fix the problem and the airplane crashed the next day. But that’s Boeing’s fault? Lion Air is a shit airline with a horrible safety record. Southwest Airlines uses only 737s and you can count their major incidents on one hand and their fatalities in over 47 years? Just 1.
Lion Air fatalities? Hundreds over multiple incidents. Ethiopian Air? Much safer than Lion Air, but much less safer than Southwest. Ethiopian has a fleet of 108 airplanes and Southwest has a fleet of 754, including 35 Max 8 planes — yet not a single incident despite flying an order of magnitude more frequently than those other airlines.
Air Canada has 24 8 Maxes in the air as does American. Along with Southwest, that’s hundreds of flights per day without incident, but then there is a crash with some third world Lion Air plane where maintenance is provided with proverbial duct tape and Ethiopia Air who has a student pilot as the first officer? Perhaps instead of grounding specific airplanes, we should ground specific airlines, because it’s clear than Ethiopian and Lion Air ought not be flying until they can figure out the basics such as maintenance and pilot training.
Even if all this speculation of yours is true, it's still the FAA's and Boeing's problem.
These supposedly awful third world pilots and aircraft engineers have somehow been managing to fly earlier models of the 737 for decades, but when they upgrade to the MAX variant somehow two of them crash in quick succession?
That either indicates that these two events are freak accidents, or that the MAX shouldn't have the same type rating, the latter of which is on the FAA and Boeing.
There is a long history in aviation of putting safety in front of profits. And what Boeing and the FAA have the appearance of right now is putting profits in front of safety. So you're seeing trust being burned, and other government regulators standing away from the fire to avoid their own citizen trust relationship from getting shredded in the process.
Is it fair? Maybe not all of it. But I think it's completely predictable.
"News" today is a "for profit" enterprise and they will take advantage crises and public outrage to bolster their bottom lines when the opportunity arises... it's nothing personal, it's just the nature of the beast.
Its easier for everyone to just cover their ass and err on the side of caution. If another accident happens politicians would be held accountable.
For the US its harder because they have a stake in Boeing and they don't want to damage them.
Honestly why not ground a few hundred planes just to be safe? It doesn't bother the Netherlands or Singapore. There are other aircraft, nobody is running out.
It could be an EU-USA economic war. We’ve seen the Being competition won over the A380, which had to be abandoned. Maybe any excuse to ground a Boeing airframe and incur costs to owners makes Airbus look better. It doesn’t have to be lobbying, it could be a natural inclination.
It’s mean, but I’m not surprised, given the money in the game, that Europe is acting up much faster than FAA for a Boeing airframe, and the opposite for an Airbus/DC airframe.
1) The direct comparison to the A380 is the Boeing 747 which is being phased out as well. It's not a rivalry that put either of them out, just realities of modern air travel.
2) McDonnell Douglas (maker of the DC planes) is now owned by Boeing and was an American company.
American and Southwest Airlines are still flying the Max 8/9, and are refusing refunds (Southwest/American) and charging change fees (American) for customers concerned for their safety.
I don't understand this logic. They are essentially risking their entire company over the safety of this plane. If something happens now they'll be driven to bankruptcy at record speed.
One thing to note is that both American and Southwest's 737 Max aircraft are configured differently to those flown by most other operators, with regards to the display of AOA indicators and the "AOA DISAGREE" warning light. These features are optional and the fact that they are not present on Lion Air's aircraft may have contributed to that crash.
That would mean Southwest strongly believes the lack of "AOA DISAGREE" caused the crashes, so they are safe to continue flying their fleet. If so, they should come out and say it.
Right now, 737 Max Fleet is the deadliest plane per mile that is in the air [1], by a wide margin. Maybe it's an anomaly and the rate is much lower, but by the same reasoning, it could be worse. I'm not flying on one, and my opinion of Southwest and American is at a new low.
.. the MAX aircraft has 17,000 recordable parameters and Southwest has compiled and analyzed a tremendous amount of data from more than 41,000 flights operated by the 34 MAX aircraft on property, and the data supports Southwest's continued confidence in the airworthiness and safety of the MAX. ... SWAPA also has pushed hard for Angle of Attack (AOA) sensor displays to be put on all our aircraft and those are now being implemented into the fleet. All of these tools, in addition to SWAPA Pilots having the most experience on 737s in the industry, give me no pause that not only are our aircraft safe, but you are the safest 737 operators in the sky.
> That would mean Southwest strongly believes the lack of "AOA DISAGREE" caused the crashes
No, that only means that they believe this will improve pilot's situational awareness. You don't need that feature to override uncommanded trim.
Until the FAA says the aircraft is unsafe, your opinion of these airlines is misplaced. They went beyond what's legally required and added an additional safety feature.
Southwest exclusively flies 737s. They have one of the largest pilot corps for that type. The airline has good safety and maintenance records.
While I understand your point and appreciate your knowledge of the situation, I’m left with the idea that while the rest of the world is grounding these planes until more is known Southwest is flying them anyway. The only motive I can see for them to do so is money.
What’s the non-monetary harm in grounding until more is known? They are a small percentage of their fleet.
Southwest are extremely experienced with the 737 in general and have specifically trained on MCAS and its potential failures on the MAX.
Southwest have been flying since the 1960s, and have I think a total of (3) fatalities. No relation or association to them but the operator and their training matters. Southwest are by any measure one of the safest airlines in the world.
One thing that I keep rolling over in my head is right now it wouldn't appear that the pilots should have been been able to fly without instruments when they crashed. And both crashed apparently due to the pilots being unable to control pitch.
Two lost aircraft. Both new. Both with the same symptoms. Under conditions you would not expect to lose an aircraft.
Optional deconfliction UI for flaky angle of attack sensing? That's a indictment of the standard deliverable. Is this option free or do you have to pay for it?
...which also crashed. It was bumping because it was too long and the pilots couldn’t feel when they touched down. I think it caused 2 crashes.
Which is a lot, considering DC-9 and DC-10 are known for all sorts of crashes, including losing the same door 4 times for the same reason, each time with deaths. Ah, and who doesn’t remember the Concorde crash. Provoked by bursting a tyre on a piece lost by a DC-10. The airplane that literally falls into pieces.
I may not have this correct, but here is the FAA, a branch of our government not temporarily grounding the Max 8 - looks like the government is protecting a (mostly) US company. Flip this around and we are putting a lot of pressure on allies like Germany to not use ‘dangerous’ Chinese 5G infrastructure.
I guess it is natural for governments to promote local industries but the cynical me thinks that corporations have captured our government so they don’t act in the public interests.
According to the head of the Norwegian civil aviation authority, interviewed live on radio right now, the ban is EU-wide as of a couple of minutes ago.
Does anyone know if there is a material difference between the MAX-8 and the MAX-9? All the banning seems to be specifically for the MAX-8, but should they consider banning all MAX series aircraft? I realize the crashes themselves were MAX-8, but the difference between them seems not significant?
The 737-700, -800 and -900ER, the most widespread versions of the previous 737NG,[10] are replaced by the 737 MAX 7, MAX 8 and MAX 9, respectively[61] (FAA type certificate: 737-7, -8, and -9[8]). The 737 MAX 8 entered service in May 2017,[2] and the MAX 9 entered service in March 2018.[62] The MAX 7 is expected to enter service in January 2019, followed by the MAX 200 later in 2019, and the MAX 10 in 2020.
Given this only seems to be afflicting MAX8 craft in terms of material evidence, my guess is they won’t ground the whole series unless/until another MAX craft goes down.
AFAIK the avionics on both variants are the same. A pilot who is (properly!) trained and type-rated on one should be able to effortlessly use the other.
The only difference, again AFAIK, is the passenger and cargo capacity, length, and the range.
The 737 type rating (training/licence addon required) covers pretty much the entire family of 737s from the 200 to the max.
The avionics are the same but because the planes have substantially different air-frames, the software parameters and possibly some functionality will differ. It's not unreasonable for differences in these flight parameters to be a factor.
Honestly, it goes even further than that. The generally accepted theory in the Lion Air incident is that a system caused MCAS might be one of the major causes of the accident.
Basically, the larger/more powerful/further forward engines on the MAX would cause the airplane to behave differently to other 737 variants in some situations, and MCAS is designed augment pilot input and allow the pilots to fly the planes as they would have flown other 737s (and allows pilots to fly MAXes under the same type ratings as previous 737 models). However, in edge cases (in the case of Lion Air, erroneous sensor input) the airplane might do something totally different from other 737 variants. Evidently Boeing didn't even require pilots to be told about MCAS, because all it (supposedly) does is make a MAX feel like an older 737.
Just two days ago, people were poo-pooing China for doing the same exact thing, referencing political interference, protectionism, and setting all sorts of other ill deeds at the doors of their regulators.
The FAA has always been very pro-active about grounding planes that are unsafe. The airlines operating these aircraft do not benefit by continuing to fly them if they are un-safe. Between the cost of the loss, public image etc. it would not make economic sense.
Given the trade tensions the US has with both China and the EU and the fact that both are offering competing products (Airbus more so), this sounds like more of a political move. In the case of the EU, the WTO ruled that Airbus was illegally subsidized by the government that has now banned a Boeing aircraft while it has the green light to fly in the US.
As swampy as the US government is, the EU has it's fair share of payoffs etc.. I expect this to further heat up the trade war.
The engines are larger than previous models and had to be moved forward, which causes it to (potentially) stall, so they implemented an anti-stalling mechanism called MCAS which relies on a particular sensor, which can malfunction potentially. They also didn't inform pilots that this system even existed which means they have trouble diagnosing the problem and will potentially only make it worse by trying other things.
Of course that's all speculation since we don't know much about this particular crash, but that's the main issue with them.
Note that the engines were moved forward because there's not enough ground clearance for bigger engines due to the grandfathered 1967-specified short undercarriage...
Bascially MCAS is a hack to cover a problem raised by trying to save money by pretending it's the same as a 52-year old airframe. Instead of just saying "let's do this properly ” and certificating as a new design with appropriate design features.
Minor nitpick. It's not that the engines directly cause stalls(EDIT: of course if you pitch up too much you will stall at some point). Is that they can cause some unintended lift in some flight configurations. So MCAS is supposed to pitch down (by trimming) to keep the attitude under control
Boeing's main argument is that the procedure for dealing with runaway trim is completely unchanged compared to other planes, so this shouldn't require any additional training.
I understand their reasoning, but it seems odd to not even inform that there was a change, so that this would be more on top of the pilots minds. It's even worse that the system engages as soon as flaps are retracted. Since 737's usually take off with at least some minimum flaps, and retract them soon after take-off once enough airspeed has been attained (but while the plane is still at low altitude), this is quite dangerous. Pilot workload is high at this stage and there is limited altitude to recover.
That said, since this issue is on top of everyone's minds, and US carriers have added the optional safety indicators, we are unlikely to see a crash any time soon. Pilots will be jumping to the override switches at any sign of trouble.
Didn't Boeing also market the plane as an evolution of the 737 that doesn't require retraining? So pilots with experience on the 737 can automatically fly the 737 Max?
Yes, but there are always going to be minor changes during each revision. Before the MAX there were the -600, -700, -800, and -900 series 737s. Before that, the -300, -400, -500 series. Each set will invariably have a few things that pilots will have to be aware of. In this case, Boeing didn’t alert pilots to the new MCAS system, which is a giant failure on their part.
It’s not yet known if this latest crash is in any way related to the first (although I have several outstanding wagers against this being the case).
It sounds really stupid for Boeing if you put it that way.
I can imagine it looks good on the marketing material, 'no pilot retraining required!', but as far as I understand from all the analysis so far, it's actually not that hard to disable the new MCAS system and prevent a crash. As a pilot you only need to know it is there, and what happens if it somehow fails.
I would be surprised if they had sold even a single plane less if they advertised it as 'very minimal pilot retraining necessary'.
> I would be surprised if they had sold even a single plane less if they advertised it as 'very minimal pilot retraining necessary'.
That might be enough for the plane to need a separate type certificate, meaning hundreds of millions of dollars expenses for Boeing to get it certified, and full new-type pilot training costs for every airline to fly the aircraft. (Plus, time, and ongoing crew management to juggle pilots certified on one but not the other.)
> As a pilot you only need to know it is there, and what happens if it somehow fails.
You don't even have to know it is there. All you need to know is "hey, auto trim is acting very funky today and I'm having to fight it. Better override.". And hit two switches.
> I would be surprised if they had sold even a single plane less if they advertised it as 'very minimal pilot retraining necessary'.
They were likely afraid that it would require a new type certificate.
From what I understand, there were design decisions that were reworked to be more similar and keep the same type class as a requirement of customer 1, Southwest Airlines who is a major consumer of the max 8.
I also wonder about the engineers involved, what they think about the system and whether it was created expressly for getting around retraining, realizing late into the project that the changes to the in-flight behavior of the plane may have been too much.
Also if an airline is going to have to retrain pilots, they might also look at completely different manufacturers (e.g. Airbus) and play them off against each other to get a better deal.
The linked article also mentions the plane was smoking, and fire was coming from the engines. This is new information to me that I think is being overlooked, because if MCAS was enabled erroneously, it's unlikely the plane would have caught fire. The Lion Air Max 8 wasn't reported to be smoking/on fire.
If something else made the engine(s) catch fire and become inoperative, and the MCAS system enabled correctly due to low airspeed/stall conditions, but was fought by the panicked pilot(s) resulting in an unrecoverable stall, it's an entirely different story.
I hadn't heard that, but that's exactly why he says (in his latest video and here) to avoid too much speculation, because there are other things that could go wrong under similar conditions. Takeoff and landing are the most risky parts of a flight so it's no surprise that if there is going to be an issue, it would be during takeoff.
Regardless of the cause of the Ethiopian crash, I think this whole affair has put into stark relief how much of a bodge job the 737 MAX is. It's the culmination of decades of revamps and modifications to a fundamentally outdated design, and the result is an aircraft that simply isn't very good. It's the aviation equivalent of the great edifices of legacy code that so many HNers will be familiar with from their day jobs.
The bottom of the engines are a mere 40cm of so above the ground when the plane is on the runway. Hence the tight fit and need to move the engines forward so they would fit. Then the auto-fix-the-stall software isn't something the pilots are told about.
They didn't come up with a common sense solution, doing so would have costed many billions for a new airframe with longer legs for the landing gear. This is how I understand the problem, coming from a design compromise and organisational groupthink.
Clearly this is my armchair speculation however I suspect there will be lessons to be learned from this that run along the lines of the 'Vasa' rather than the 'Comet'.
The Vasa story crops up on HN from time to time, it was a top heavy Swedish ship that sank after launch in light winds many centuries ago. The spec had changed with more gun decks added and groupthink drove the 'pride of the fleet' project forward. The launch date happened and it sunk.
Your link seems to indicate that the spec hadn't changed, that was just speculation that was disproved on inspecting the wreckage, and it turns out the design was basically bad in the first place, due to very tight safety margins and the poor understanding of engineering a ship at the time.
Are there any statistics available for how often there has been a need for a pilot to disengage MCAS?
If we speculate (e.g. before the facts are in) that this was similar in cause to Lion air incident, then I would be curious to know how often AoA sensor has malfunctioned and|or MCAS has otherwise gone haywire and pilots have needed to revert to manual control during the two years of service MAX8s have had.
The Lion Air plane that crashed had suffered from the exact same failure on its previous flight, though obviously the pilots managed to recover from that one.
As you say, most of the speculation seems to focus on MCAS in combination with faulty sensor data. While, as a layman, pilots being unfamiliar with MCAS seems like a reasonable explanation, doesn't this theory still require 2 planes in 6 months to have faulty AOA sensor data? That seems unusually high to me as well. I haven't really seen any comments on that.
It does not seem too surprising to me. Sensors fail all the time on planes. The AOA sensor seems like a particularly good candidate for failure given the design.
I think most people don't realize just how much stuff can be broken on an airliner and it still deemed safe to fly. And it happens all the time.
Sure, airliners might fly all the time with a missing seat number or a broken overhead bin. They're big, complex machines. But if you're implying that it's routine to fly with broken sensors, then no. That's not true.
If yesterday's Post Reports podcast [0] is anything to go by, there's also an issue with the autopilot refusing to give back control to the pilot in some situations because of what you just mentioned, on the basis that it would spare their clients the associated pilot retraining costs.
Picture being at the wheel of a self-driving car, with an obvious crash looming, and the car refusing to let you, the driver, take back control and steer the wheels or step on the brakes.
So much speculation is going on. The angry mob has already concluded that the MCAS must be the cause. Greedy Boeing was too cheap to redesign the plane and made a cheap software hack to fix it. Sneaky computers are overriding the decisions of the poor helpless pilots. The FAA is too incompetent to certify aircraft, etc etc.
Based on what I read, the truth is a lot more complicated. The MCAS doesn't work the way most people seem to think it does. Maybe it is a factor in the crashes. We don't know that yet.
The fact that the safety record of the 777 was near perfect before 2014 honestly makes me more concerned about what happened to MH370 if it's an inherent fault.
We still don't know why MH370 went down, and when MH17 was shot down over Ukraine some other airlines had already diverted flight paths away from that area due to the conflict.
I don't think you could say Malaysia Airlines was at fault for MH17, but it's hardly a good example of a null hypothesis. Since e.g. if BA was operating the same flight at the time it wouldn't have been anywhere near Ukraine.
Crashes are useful data because they surface otherwise unknown or poorly understood failure modes. In that sense it is like a zero day vulnerability. It suggests that all aircraft of this type have an unpatched issue. And the best way to think about the problem is with thorough technical analysis of the issue itself.
Indeed: in the aviation world the philosophy is that things have to be proven safe [1] to be allowed to fly, rather than proven unsafe to be banned. In that regard, two similar crashes a few months apart is enough to worry of a design flaw. And if it was just two unrelated pilot errors, the planes will be allowed to fly again quickly.
[1] To a reasonable extent, of course, nothing can ever be proven 100% safe.
The more I read about flight systems and protocols (and I am absolutely a layman when it comes to this), the more it seems like it's very rarely solely isolated to one component.
The hardware, software, and human systems are so intertwined that it likely involves all 3, even if the route cause can be isolated to one.
That being said, there hasn't been much specific information about the cause released yet, that I've heard.
Problem is, if they've added so much automation that trained pilots cannot determination the proper course of action 100% of the time, the system is at fault.
"You don't have to do anything, the plane will fly itself. Unless there's a catastrophic emergency. Then you better remember everything you haven't practiced from 18 months ago" seems like a failed implementation.
That's definitely a mischaracterization of what the airlines do. Anyone that has been in a cockpit of a plane knows that you fly by checklists.
There's a checklist procedure for almost any scenario they will run into (of course not every). This exact issue was seen by other airlines and the pilots followed the checklist procedures to safely regain control of the plane as expected.
In theory, these checklists are optimized to resolve these issues and regain control as quickly as possible while ruling out other causes. It is very rare the correct course of action for the pilot differs from the checklist procedure.
There is 0 expectation that the pilot should remember everything. Pilots are trained specifically to communicate with each other to go through these checklists as quickly as possible.
That being said, there is a major concern that this issue will popup while taking off and being too low to the ground to properly follow procedure in time to recover control of the aircraft.
Chicken and egg problem. How does the pilot know that the automation is malfunctioning? The pilot has to go through their mental checklist and make the realization that intervention is necessary to prevent catastrophic results. All this while in critical take-off situation.
Apparently, the plane thought all was well, just needed to point the nose of the plane down a wee bit.
And yet it is precisely because Captain Sullenberger did not follow protocol, in the moment, that he was able to save the lives of everyone aboard flight 1549. It was only determined afterwards (obviously) that he made the right call.
Many pilots in similar situations would have made the wrong decision. As a passenger you are not necessarily going to get someone of Sullenberger's quality. And it is possible that automation could help in this kind of situation. It could provide an estimate of glide distance. It could use spatial data to identify crash landing sites, avoid populated areas, and design an optimal landing profile. All in a fraction of a second. Of course this kind of failure is so unusual that it is probably not worth designing the automation to deal with it.
I mean, initially pilots were not informed this system existed. Certainly the assumptions that went into that decision seem to match up with what the person above you is describing.
In theory (not saying I agree), the "regain control checklist" is very similar before and after this change which is apart of why they did not see a need to communicate this until after the 1st crash.
Reviewing the video below - it appears to still line up with this. He doesn't mention the actual memory items changing. His explanation is the pilots starting using the wrong memory items because of information overload.
Example - They could have been going through the stall memory items instead of the runaway vertical stabilizer memory items.
That appears to be contradicted in this video which was linked above, around the 8:45 minute mark, it's a different set of memory items ("Runaway stabilizer") which should be enacted in the case this system was coming into force outside of a stall situation.
The problem is information overload to pilots. And the pipeline how commercial pilots are trained also changed. 50 years ago a lot of pilots were having military backgrounds and training. So they were having more experience with shit going down the drain situations.
That is literally how Tesla and some otber players started car automation. With the same predictable results. A human just cannot stand on standby in perpetum. Either the human must be in control or out of the loop.
Standng by in a Tesla and standing by in an airplane are two very different things. You cannot compare them.
When a typical civilian passenger plane throws everything up and yields control to its pilot, the pilot gets 10+ minutes to fix it, helped by a copilot, mountains of checklists and a direct audio line to air traffic control.
Nothing to do with the 5s you maybe get when your Tesla yields.
The general idea is that there is an auto-trim system meant to stop the plane from stalling. But when it gets bad data from a faulty sensor it tries to crash the aircraft (short version). Pilots, all pilots, are trained to recognize this and override the system, but this aircraft requires them to do some things slightly differently. Specifically, they have to shut down the system rather than manually work against it. Difficulties arise where there is a disconnect between what the pilots think is happening, what the systems think and tell them is happening, and what the aircraft is actually experiencing. So this is an interaction between an automated system (software) a potentially faulty sensor (hardware) and pilot training. It is a complex problem that will take a while to fully understand and solve.
One amelioration would have beem a simple "MCAS ACTIVE" announcement every time it activated. That would have eliminated a lot of checklisting and guesswork in moments of high stress.
"What the hell is happening?"
"MCAS ACTIVE"
"Flip the cutouts!"
Why that wasn't mandated by the FAA I have no idea. Instead the pilots are expected to systematically analyse the options whilst trying to stay airborne.
This is a very succint explanation of what's happening here (in the Lion Air case, anyway). Not sure why you're being downvoted - perhaps the claim that this is a "complex problem".
HN is slowly walking towards facebook culture. People up/down vote things they like or dislike, with the goal of disappearing opinions with which they even mildly disagree. Valid points and thoughtful discussion are increasingly unwelcome.
Lol. Thanks for the downvote all below. Thanks for proving my point about the change of behavior.
How do we know the software works in all conditions, as described?
We don't know it had anything to do with pilot training until the investigation is actually finished. To say it's pilot training is pushing Boeing's narrative.
Also training issue - according to a commentator on Radio 4 this morning, the conversion training for this aircraft is a 90 minute course run on an iPad.
The speculation I've seen is around a change to the autopilot system which pilots ave been struggling with:
> Following the Lion Air crash, US aviation authorities issued an emergency directive to carriers to update flight manuals with information on what to do when the aircraft’s anti-stall system is triggered by erroneous data from what’s called an “angle-of-attack” sensor. The flight system can react to that data by pointing the plane’s nose sharply downward. Boeing, meanwhile, directed airlines to a checklist in manuals for stabilizing the aircraft. Pilots said the crash and the directives that followed were the first time that they were made aware of these changes to the flight system.
> Traditionally the fly-by-wire systems have at least 3 AoA sensors, which each "vote" on the output value.
That way, if you have one faulty sensor, it gets outvoted.
That would make sense, but unfortunately it's not the way they're actually implemented. Several incidents with Airbus aircraft were due to one AoA sensor's faulty input being allowed to trigger uncommanded pitch down events, instead of the one faulty sensor being outvoted by the other two.
A software update that was scheduled for distribution (iirc) in January, so already late. As a software practitioner, this scares the living shit out of me. Already late software, now pushed for a deadline-driven release... This can't end well.
I would think the software is relatively simple and that the fix, as it's described, is more smoothing inputs and limiting outputs. Or course the combined software that flies a plane is enormous and incredibly complicated, but I'm talking about a relatively small component of that whole. The program reads sensors and actuates surfaces to correct what it incorrectly registered as an abnormally high angle of attack but was, in reality, a misbehaving sensor. The new program, from what's described, tries to figure out the right value even if the sensor disagrees, and limits the output to avoid large corrections. Along the programs, they also need to write new documentation, operating and maintenance manuals, issue corrections for flight simulators and so on.
It's also not the first plane to crash because of software reading bad data from bad sensors. Or the last.
The FAA isn't passing the smell test. If both previous crashes happened with US carriers taking off from US airports, you better believe the FAA would ground these boeing max jets.
>> If both previous crashes happened with US carriers taking off from US airports, you better believe the FAA would ground these boeing max jets.
You're not wrong. But do you think the EU banning them couldn't possibly have anything to do with who makes them or the competition between Airbus and Boeing? Even as a secondary factor?
If it turns out to be gross negligence by Boeing, I wouldnt like to be the US taxpayer when this blows up and goes to court. Because the US gvt is not going to let Boeing go bankrupt, so guess who's gonna pay in the end b/c Boeing tried to save a few bucks.
Either not widely reported or lost in other confusion, that I find important about Lion Air, from the first article:
Indonesian crash investigators have said the 737 MAX involved in the crash has flown with unreliable airspeed information in the last four flights.
That very well could make identification and corrective action for the problem more difficult. And then, there is in fact a different behavior in the MAX with MCAS in normal operation that pilots weren't made aware of, and results in this central question in the 2nd article:
How should [pilots] know that pulling on the Yoke didn’t stop the trim?
In previous 737's, pulling on the yoke does stop trim, but that's contrary to the point of MCAS which is why it has different behavior, but it's a behavior pilots aren't aware of and haven't trained for; and both Boeing and the FAA have been saying 737's all have the same behaviors and flight characteristics. And that becoming clearly not the case is really pissing everyone off.
Naive me would expect that these are typically lease agreements whereby the OEM promises an SLA with compensation if they have to take the aircraft out of service for design issues? If they don't do it that way, why not?
First, because taking aircraft out of service for design issues is incredibly rare (less than once a decade across all kinds of passenger aircraft).
Second, because airplane manufacturers have a significant amount of negotiating power, combined with airlines very often not being in a great financial position: Boeing certainly wouldn't want to be liable for storage costs and the logistics of getting a fleet of planes back to a central facility if an airline went bankrupt, for example. Leases also get legally interesting when the assets involved move internationally on a daily basis...
I wasn't proposing that any of that and I'm not sure it's relevant (e.g. in this case it's a software update that can be done without moving the plane); I agree they wouldn't want to take over a dead airline, and such an agreement doesn't get the incentives right. But it's common for OEMs to take the hit for things that are their own fault, if it isn't legally required.
And the rarity of the incidents plus Boeing's asymmetric knowledge of them would favor Boeing being a guarantor. And remember, I just said the design issues. Obviously the airline would be expected to take hits from e.g. FAA groundings from their own maintenance failures.
Edit: That leaves asymmetric bargaining power in your reply, but I don't see OEM aircraft competition as being so monopolized that they wouldn't compete on "hey this company makes us bear the costs of their design problems but this one doesn't".
Only one airline has a fleet of more than two dozen 737 MAXs (of any variety) currently: Southwest (and that's only 5% of their fleet). There are essentially no airlines with large fleets of them yet, which makes this relatively easy for them to deal with.
That said, "relatively easy" is still a comparative: aircraft are frequently leased and having any out of service will be costing the airline a lot of money.
Depends on how big the airline is, what percentage of its fleet consists of max 8s, etc.
Generally, planes like this have high operating costs, and usually are kept in the air pretty much constantly to be able to make a profit. Having one grounded potentially means losses of hundreds of thousands of dollars a day.
IANAL, but I would not want to deal with the headache of underwriting whatever plan you're thinking about. Who would they be buying this insurance from? What specifically could it be protecting against?
Seems much more likely that they'd need to seek restitution against the producer of the planes through civil court channels. "You sold me a faulty plane/didn't explain what your product did well enough and now you need to refund my money" but on a multi-million dollar scale.
Insurance for loss-of-use is quite common (edit: in other industries—no idea for aviation), though it's normally (AFAIK) for natural disasters and other random occurrences. I wonder how the purchasing contracts between Boeing and the carriers are structured—perhaps they have a warranty that would do something similar.
The black box has been recovered. The data is probably being recovered as we pontificate. Within the next 48-72 hours I expect someone will know definitively if the MCAS system was even active, and if trim was a factor in this crash.
Given that this significant data point is hours or just a couple days away, isn’t it prudent to get the data before grounding the fleet?
If the jet had been brought down intentionally, should the FAA have grounded the aircraft? Crashes like this are so incredibly rare, and on a new aircraft perhaps the easy decision is to just ground it. But shouldn’t that require actual evidence on the cause of the crash?
Witness accounts are of the plane trailing smoke and debris, but I don’t trust those at all. I feel like given that we will know definitively if trim was a factor in the crash so soon, a decision should only be made once that is known.
There are a number of aircraft leasing companies who I'd imagine are fairly heavily leveraged. I don't suppose anyone knows if it's Boeing or the purchasers who are left on the hook for this sort of thing? How about for aircraft that haven't yet been delivered, or options?
It's gonna be the hell of a legal battle between Boeing, the leasing companies, the flying companies, the governments, the purchasers, the owners, the loaners and the insurances.
The 777 is the second-safest aircraft in the world, next to the Airbus A340. The 787 is on track to demonstrate a similar safety record (in terms of fatal incidents).
Those were produced pre-FAANG, Boeing probably paid comparatively better then. Do the smartest software engineers flock to Boeing in 2019?
I think the relatively low pay and status of software engineers outside of the Bay Area is a huge risk to society. We are going to start seeing it show up in interesting places.
Not sure why you're being downvoted. There has been a brain-drain from industry and academia because FAANG and the Bay Area have been providing software engineers with much better compensation, even with the cost-of-living factored in.
Some companies can't compete, and many others just refuse to compete.
I work at a FAANG company, and I feel the same way. I don't mean that as a criticism of my coworkers. It's just a different ethos. Not only are no lives at stake, but all copies of the software are visible and modifiable at will. How's that system doing? Oh, it's slow because this part was tuned incorrectly? Boom, pushed a fix. People come to rely on it. They rely on it so much that anyone who emphasizes prevention too much will get dinged for moving too slowly.
It's actually a valid POV for that environment, but it has been difficult for me to adjust. I'm sure it's even harder for them to adjust the other way, to an environment where you don't even know who's running your code until they report a catastrophic failure. Prevention hardly seems like a waste of time then.
> Do the smartest software engineers flock to Boeing in 2019?
Many engineers don't get rewarded for 150 IQ smarts. They get rewarded for hustle. (Whether in a startup, or at FAANG, you can have an incredibly successful, and lucrative career, without being incredibly technically capable.)
When you're working on safety-critical aerospace code, Boeing doesn't, and probably shouldn't give two shits about your hustling skills.
As of writing, FAA still refuses to protect the safety of passengers flying with American airlines.
Completely disregard public safety to just protect the financial interests of a single private company, when this is systematically carried out by a tax funded bureau which was actually created to safeguard the safety of the public, how this is is not corruption? How this is not the text book definition of corruption at the highest level?
Will FAA fight so hard to ignore public concerns and safety if the aircraft were built by other countries?
How are pilots expected to know how to fly the plane absent a type rating which was obviated by the now disabled software abstraction via setting stabilizer trim to cutoff?
And what is this mandatory software update MCAS needs? If it's safe, why does it need an update?
Regarding the FAA's lack of willingness to ground the Max 8's:
Are we looking at a lack of leadership in the org? The current head is acting administrator as a result of a failure of the Trump administration to appoint a new head in the wake of the previous administrator's planned exit on Jan 6 of last year.
I don't know anything about Mr. Elwell one way or another, but not all deputies are there with an eye towards taking the top job.
The more I think about it the less likely I think the most recent crash will end up being attributed to the MCAS system.
Why? Because with what we know now I could have prevented the Lion Air crash. Any airline flying these planes would have been criminally negligent to have not issued guidance to all of it's crews pointing out the system, the potential danger and the workaround. Any pilots who've gone through their annual sim time will no doubt have had a trim-runaway situation thrown at them.
I obviously have no data beyond what has been released to the public but I'd be unsurprised to here this was completely unrelated.
Honestly, I'm not sure what's wrong with that statement. There is plenty of president for aircraft which went through special airworthiness investigations, the MU-2 for example, and came out the other side without fault.
https://www.airlinepilotforums.com/safety/120514-ethiopian-7...
It all comes down to this:
"There are far too many aerodynamic bandaids that are permitted to pass the current standards. Not just this particular airplane, but a whole bunch of airframes. If the basic aerodynamics won't pass without the pushers, pullers and now AOA induced changes to primary and secondary controls then a new design of the wing platform should come into play."
The way I interpret this, is that the plane should never have gotten the green light to fly.
More info about the MCAS here: https://theaircurrent.com/aviation-safety/what-is-the-boeing...