I posted this as a comment the other day in another Boeing and MCAS discussion.<p>In my research into the topic the saddest bit of information I've seen is the image of the black box data for the flight (the first crash): <a href="https://i.imgur.com/WJuhjlO.png" rel="nofollow">https://i.imgur.com/WJuhjlO.png</a>
You can see from the graph that in the final minutes and seconds, the pilot put insane amounts of force on the control column (aka the yoke) to try to pull the plane out of the dive - to save the 189 people on board. But no, MCAS was overpowering and lacked the documentation for the pilot to try anything else.<p>Also interesting to see is the number of times the pilots bring the nose up, only for MCAS to kick in and force the nose back down. 26 times.<p>All data from this Seattle Times article, which was written before the second crash occurred: [1] <a href="https://www.seattletimes.com/business/boeing-aerospace/black-box-data-reveals-lion-air-pilots-struggle-against-boeings-737-max-flight-control-system/" rel="nofollow">https://www.seattletimes.com/business/boeing-aerospace/black...</a>
I really see this as a failure of the Systems Engineering process. With so many people unaware of the impacts of the changes, it’s up to the systems types to have the big picture view and make sure these sorts of things are taken into account.<p>Especially if, as the article says, a failure of the AOA sensor on the system would be Hazardous (looks like it was Catastrophic when paired with MCAS in retrospect), that would have made the functional Design Assurance Level for this system DAL B, which adds enough rigour not only in the software development process but so much before you even get to that in terms of Safety Assessments and ESPECIALLY change impact analyses when the function changes.<p>For sure there may have been pressure from management to keep MCAS out of the manual, but it’s not really up to the regulatory agency to be experts on the aircraft design; if things are being hidden by the company then I’d consider this bordering on professional misconduct on the part of the engineers overseeing this work.<p>I say this as a Professional Engineer working as an aerospace systems engineer.
This whole plane sounds like an ugly hack. They slapped very different engines on an existing airframe. Then, when it inevitably exhibited undesirable behaviour, they tried to paper over the cracks. Then they hid this information from their customers, regulatory agencies and the pilots.<p>It makes me wonder if there are other issues with the Max that the public doesn't know about yet.<p>I hope a thorough review of Boeing's internal communications is already underway. If there is proof that these decisions were made for financial gain, they should face criminal charges.<p>IMO, whether it was greed or just general incompetence, Boeing has demonstrated that they are not responsible enough to self-certify their aircraft.
The day someone very high up the corporate ladder truly gets held responsible for this type of greed &amp; negligence and is put away for a long prison sentence would be a good day for society. But I am not holding my breath...<p>But I hope that the CEO Dennis Muilenburg deep down understands he seriously fuxxed up real bad and every now and then is having a hard time falling asleep in his $10M mansion knowing that he is ultimately responsible for hundreds of people's unnecessary deaths due to his failed values as a leader.
How MCAS slipped through the certification process was not the main issue (mistakes in complex products can happen). The main issue was Boeing not caring that MCAS was dangerous even after discovering it.<p>After the Lion Air crash, it was very apparent to Boeing that MCAS was not safe. This whole article focuses on how MCAS slipped through development+certification - but really, even after Boeing knew the dangers of MCAS, the MAX was still allowed to fly.<p>It was hidden and dangerous. Then it was open and dangerous but was still defended by Boeing. Damning.
Great article. But for me there's a huge question being left unanswered, like the elephant in the room:<p>Why exactly did the engineers/test pilots feel the need to "enhance" the original MCAS with the new, more powerful version that worked at lower speeds? What did they know? I doubt they did it for the hell of it. And therefore, what has changed that that enhanced functionality is now no longer necessary, and it's fine that MCAS is being returned to its original, more subtle implementation?<p>These things just don't add up for me, and Boeing's constant pronouncements that they did nothing wrong, everything was fine, and now they're fixing it so everything will be even more fine ring very hollow indeed. I would almost like to see everyone involved in this subpoenaed so the public can learn the truth of what, exactly, took place.<p>Until we have some answers, especially to my main one - what was so bad about the airframe's handling that it was necessary to massively increase the power of the MCAS system, but is now apparently not necessary anymore and it's fine for them to nerf it - I don't think I'll be flying on a MAX.
Is it only me, or does all this one-vs-two AoA sensor talk seem like some kind of diversion from the real problem with this plane?<p>I mean, if one-sensor based MCAS failed twice so early in the life span of the plane model, what is the probability that a two-sensor model will fail pretty soon as well? The math should be simple, we have all the data needed: combined hours flown by all planes of the type and number of failures (at least two known, which can help us to estimate the MTBF of the sensor).
<i>Boeing engineers did consider [MCAS activation due to failed sensor] in their safety analysis of the original MCAS. They classified the event as “hazardous,” ... could trigger erroneously less often than once in 10 million flight hours.</i><p>The incuriosity of all parties to an event categorized as hazardous is astonishing. Boeing says it's a system that's completely transparent to the pilot, and therefore there is no need to describe a failure that they say would be hazardous. What part of that passes a reasonable smell test? It's safe unless it fails, which would be rare, but if it fails people could die? But meh, it's rare so let's not even find out what would happen if it happened?<p>Boeing must be compelled to show their work for this probability computation, because it is clearly wrong. And both Boeing and the FAA have to answer why there's no mandatory testing of hazardous events. At least what does a simulator think will happen in various states of perturbed sensor data, and how does a pilot react when not expecting such an event?<p>Oh, and the part about depending on a single sensor is not, per Boeing, a single point of failure because human pilots are part of the system? That's a gem. The pilots are the backup? This poisonous form of logic is perverse.
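The rate arithmetic the previous two comments gesture at, written out as an added example (not from the thread or from Boeing): an observed-failure estimate of the single-sensor hazardous-activation rate with a one-sided confidence bound, compared against the quoted "once in 10 million flight hours", plus a simple beta-factor model of what a second sensor buys once common-cause failures are admitted. The fleet-hours figure and the common-cause fraction are constructed placeholders, not real 737 MAX data.

```python
"""Single- vs. redundant-sensor hazard-rate estimates. Added example;
FLEET_HOURS and the beta values are CONSTRUCTED placeholders."""
import math

FLEET_HOURS = 500_000.0          # assumed combined fleet hours (placeholder)
OBSERVED_FAILURES = 2            # hazardous single-sensor events the thread counts
CLAIMED_RATE = 1 / 10_000_000    # "less often than once in 10 million flight hours"


def mle_rate(failures, hours):
    """Point estimate of the failure rate in events per flight hour."""
    return failures / hours


def poisson_cdf(k, mu):
    """P(X <= k) for a Poisson variable with mean mu."""
    return sum(math.exp(-mu) * mu ** i / math.factorial(i) for i in range(k + 1))


def rate_lower_bound(failures, hours, confidence=0.95):
    """One-sided lower confidence bound on the rate: the smallest rate at which
    observing `failures` or more events in `hours` still has probability
    (1 - confidence). Found by bisection on the Poisson tail (no SciPy)."""
    lo, hi = 0.0, 10.0 * failures / hours
    for _ in range(200):
        mid = (lo + hi) / 2
        tail = 1.0 - poisson_cdf(failures - 1, mid * hours)  # P(X >= failures)
        if tail < 1.0 - confidence:
            lo = mid      # rate too small to explain what was seen
        else:
            hi = mid
    return lo


def redundant_rate(single_rate, n_sensors, beta=0.0, window_hours=1.0):
    """Rate at which all n sensors fail together under a beta-factor model:
    a fraction `beta` of each sensor's failures are common-cause (take all
    sensors out at once); the rest must coincide independently within one
    exposure window. beta=0 is the naive 'independent sensors' assumption."""
    independent = ((1.0 - beta) * single_rate * window_hours) ** n_sensors
    return beta * single_rate + independent / window_hours


if __name__ == "__main__":
    est = mle_rate(OBSERVED_FAILURES, FLEET_HOURS)
    low = rate_lower_bound(OBSERVED_FAILURES, FLEET_HOURS)
    print(f"point estimate {est:.2e}/h, 95% lower bound {low:.2e}/h, "
          f"claimed {CLAIMED_RATE:.1e}/h -> claim plausible: {low <= CLAIMED_RATE}")
    for beta in (0.0, 0.1):
        print(f"two sensors, beta={beta}: {redundant_rate(est, 2, beta):.2e}/h")
```

With the placeholder hours, even the conservative lower bound sits well above the quoted figure, and the two-sensor rate is dominated by the common-cause term as soon as beta is non-zero, which is why the independent-failure product on its own overstates the benefit of redundancy.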
This was premature automation caused by not fully understanding the context. Results in less friction at the cost of enabling a black swan. Bad trade off. The Viking Sky cruise ship that was 1 minute away from releasing its damage potential of about 1300 people. 4 engines stopped simultaneously to protect themselves. Risking the entire ship in one of Norway’s most dangerous waters during harsh weather. There are so many similar examples. Tank turrets self protecting and killing soldiers during peace time. Automatic gearbox on a military vehicle self protecting against overheating although the vehicle is under enemy fire, but the sensor can’t know that.. we need to rethink how “security automation” should work. How do you know if an override is relevant? How to train the operator?
For whatever it's worth, this whole thing has traumatized me so much it makes me fearful of flying at all. But one thing's for sure, if I have any say, I'll probably never fly a 737 MAX again.<p>I'm sure there are many people who will do the same. In fact, every flight I do go on now, I check to make sure it is not a MAX.<p>I doubt there will be enough people who think this way that it would cause a problem economically for any airlines that carry this line, and I'm sure with time, people will forget, but I sure as hell will do my best not to.
"As part of the fix, Boeing has reworked MCAS to more closely resemble the first version."<p>Be very wary if pilot training is not part of the "fix" to getting the Max back up in the air. If MCAS is being "rolled back" then certain situations such as "The Max wasn’t handling well when nearing stalls at low speeds." come back.
> It never tested a malfunctioning sensor, according to the three officials.<p>That one popped out to me. Man. Lots to learn.<p>> Boeing continued to defend MCAS and its reliance on a single sensor after the first crash, involving Indonesia’s Lion Air.<p>Also...how? So many non-safety-critical services use a load balancer and at least a couple of servers because who can trust just one thing working perfectly all the time?
How would you design your bureaucracy so that this kind of thing can't happen? I see this type of failure all the time in organizations big and small. Sometimes things are just too complex to have an auteur that can understand the entire system and when every department strives to optimize for its specific goal shit can really hit the fan.
I've never understood why they make planes with 1-2 sensors for a crucial reading like airspeed.<p>Why not have 20 airspeed sensors of 5 different types? It's an obvious failure mode that your one sensor will fail and then the pilots and the computer will be left in a state of dangerous uncertainty about the situation.
I am surprised that I haven’t seen anyone make the connection to “normal accidents” [1] yet, but feel it is quite relevant in this case.<p>[1] <a href="https://en.wikipedia.org/wiki/Normal_Accidents" rel="nofollow">https://en.wikipedia.org/wiki/Normal_Accidents</a>
All this talk about how MCAS was not designed properly or how it could be prevented from failing is erroneous.<p>Good safe airplane design is about a neutral flying design without the need for complex systems.<p>This plane is fundamentally flawed because the engines are in the wrong position, because the landing gear is too short to fit them in the correct position.<p>The test pilot was clear about very poor flying characteristics at slow flying speeds requiring MCAS to be more aggressive.<p>This plane should not be flying with this engine configuration as it fails the most fundamental principle of good aeroplane design: neutral handling.
Sounds to me like the main failure here is that Boeing went <i>too far</i> with optimising cost, in the sense that MCAS was not properly designed.<p>I'm certain correctly designed software can safely control critical functions, otherwise failure in a large category of aircraft systems would result in many more MCAS-unrelated accidents.<p>This particular MCAS control philosophy seems to be a flawed control system. With reference to the graph (link provided by obituary_latte):<p><a href="https://i.imgur.com/WJuhjlO_d.jpg?maxwidth=1640&shape=thumb&fidelity=high" rel="nofollow">https://i.imgur.com/WJuhjlO_d.jpg?maxwidth=1640&shape=thumb&...</a><p>With only one sensor being "looked at" at any time, and with the system not having the sense to know to stop commanding pitch down after 26 times with attempted pilot overrides, it would seem almost beyond belief that any competent team of on-the-ground engineers (as per Boeing) would not see that the system is flawed.<p>Would be interesting to see if this was the case, and how the likely good engineering decision was overridden by the commercial aspect.<p>With increased tech comes increased scope for this kind of cost optimisation, and we must be careful in many more industries, e.g. automotive self-driving cars.
This article reads to me like Boeing and the FAA have gotten their stories straight with each other and in naming names have settled upon someone who is no longer associated with either in an effort to take the heat off of both.
How confident is everyone on all the other changes to the 737?<p>They’ve found the MCAS issues, but with a procedure this lax I’d expect several other issues to have gotten through.
Empires destroy institutions.. they hollow them out until they are barely clothes for one figure residing within. Proving something to an institution is hard. Proving something to one person is "easyish". The problem is not that one plane manufacturer's internal culture allowed falling behind, but that this rot and decay bypassed controlling institutions, because these were hollowed out for empire reasons. You can not defeat this problem unless you solve the root node. Which are hidden deals instead of proper procedure replacing the physics of capitalism.
How is it that Boeing still has not admitted fault? I guess they bet to get out through a loophole in the investigation result; an investigation that they are part of, I assume? Something like "it was 1% pilot error" is enough to make a PR campaign from.
I'm surprised no one has mentioned Therac 25 or Normal Accidents yet.<p>For reference, the Therac 25 was a computer-controlled radiation therapy machine involved in several over-exposures due to replacement of physical controls with computer based ones without complete understanding of the interactions of the controls.<p>The Max feels very much like that. No one can really keep a whole aircraft in their head, much less a whole aircraft development project. We use computers for that, as well as mental heuristics. But if those computers and brains are not fed all the proper data and connections, they will not find all the problems.<p>Additionally, there seems to be a lot of the tail wagging the dog. If this system is expected to perform according to X specifications, then by golly it will, and we will show that it does.<p><a href="https://en.wikipedia.org/wiki/Therac-25" rel="nofollow">https://en.wikipedia.org/wiki/Therac-25</a><p>Edit: Please don't take the above as absolution of Boeing. Someone (a lot of someones) really should have known better.
> a fundamental overhaul to an automated system that would ultimately play a role in two crashes<p>Are they STILL blaming the computer instead of the unstable airframe after the engines were moved?
“After Boeing removed one of the sensors from an automated flight system on its 737 Max, the jet’s designers and regulators still proceeded as if there would be two.”<p>No, no, no. This is just more of shifting the blame from Boeing upper management. They couldn't use two Angle of Attack (AOA) sensors as when there was a differing reading there would be no way to know the correct reading, which is why MCAS used a single AOA sensor on the right-hand side.