top | item 19429590

How Did the FAA Allow the Boeing 737 Max to Fly?

65 points| bookofjoe | 7 years ago |newyorker.com | reply

76 comments

[+] 2T1Qka0rEiPr|7 years ago|reply
> ...the F.A.A. outsourced key elements of the certification process to Boeing itself, and that Boeing’s safety analysis of the new plane contained some serious flaws, including several relating to the mcas.

This sounds insane. Is there a reasonable explanation?

[+] magnamerc|7 years ago|reply
I'm an aerospace engineer and I work in certification. This is par for the course. The regulatory authority allows delegates to make findings of conformance w.r.t. airworthiness standards for aeronautical products. These delegated engineers have narrow specialties and are delegated for only specific ATA chapters or subsections. So Boeing will have a few delegated engineers whose only job is to certify Chapter 28 'Fuel Systems' components. These delegated engineers act as 'Design Approval Representatives' (DARs). They do this through something called an 'Organization Designation Authorization' (ODA). This is the regulator's way of allowing some trusted individuals to make decisions on behalf of the regulator. This is often because these engineers are experts in their fields so they take on full responsibility. It's the equivalent of an engineer's 'stamp' in civil engineering.
[+] matt4077|7 years ago|reply
It's not necessarily terrible. Boeing obviously has a strong financial interest in safety. The Fight Club theory of managing an acceptable number of fatal mistakes really doesn't hold for the airline industry, because their failures are large and public, because people are inherently afraid of air travel, and because the investigation of plane losses tends to produce far more definitive results than car crashes.

This investigation seems to be turning against Boeing. They will survive, but it almost definitely will cost them far more than whatever they saved by cutting corners. There will also be changes to the certification process, and non-US authorities will take a hard look. Any new incident would become an existential risk for Boeing.

It's important to remember that a company like Boeing isn't a single person. People working on the certification process would usually have incentives that differ from the company as a whole: they do not individually reap the benefits of cutting corners, but bear the brunt of any mistakes, including moral responsibility, possible criminal charges, and an end to their careers.

Such schemes are employed in many industries. Usually, corporate structures and cultures prevent the sort of top-down pressure that people imagine being at play here. Threatening your safety engineers (fire marshals, data protection officers, etc) with job loss for doing their job would result in whistleblowers and lawsuits. It will be interesting to see how exactly this failed at Boeing.

[+] ZWoz|7 years ago|reply
I am not an aircraft specialist, but I have seen similar things in IT/telecommunication. I think this is a competence issue. The F.A.A. doesn't have the people and tech to really understand/analyse anything that is going on with a modern plane. More broadly, the USA specifically likes the usage of contractors; some other countries at least try to have technical competence in a governmental agency. So that is mostly the question, why the F.A.A. doesn't have a third party, like Lockheed Martin, to audit Boeing, but that is probably against Boeing's (and in the reverse situation Lockheed Martin's) commercial interest (like trade secrets).
[+] ovi256|7 years ago|reply
This is the way most engineering work is certified, actually. A standards bureau creates a standard, the engineering design organization follows it and self-certifies that they did.

Only in case of failure is the self-certification process checked for errors, usually by insurance investigators, because they have the most incentives to do so.

The visible examples of public failures investigated by public agencies are the exception, in my understanding.

[+] maypeacepreva1l|7 years ago|reply
Everyone these days wants to 'delegate' work to someone else if permissible by law, and sometimes even if they are not, I guess. I have a feeling the report would come out with, 'due to lack of funding and experts, some of the work had to be 'delegated' to Boeing' etc...
[+] tim333|7 years ago|reply
I guess they trusted Boeing. After all they also don't want their planes to crash and have a long record of being reasonably responsible.
[+] vermontdevil|7 years ago|reply
There’s no reasonable explanation. It also speaks to the lack of oversight and funding of FAA by Congress. Pathetic really.
[+] marcosdumay|7 years ago|reply
It does sound insane, yet every country does something similar (that "key" part varies).

There is a great deal of goal alignment between airplane designers, large air travel companies and safety regulators.

[+] xvf22|7 years ago|reply
> In October of 2017—six months after the 737 MAX was certified—President Donald Trump signed a law that allows aircraft manufacturers to press the FAA to give them authority over how they certify components considered to be low- or medium-risk items. And if the manufacturers can convince the FAA that something falls into one of those two categories, they could essentially have free rein over how they certify their craft as safe. [0][1]

[0]https://arstechnica.com/information-technology/2019/03/boein...

[1]https://www.bnnbloomberg.ca/boeing-had-too-much-sway-checkin...

[+] mannykannot|7 years ago|reply
It is not a reasonable explanation, but the explanation is that the FAA is underfunded. It cannot handle the work itself, and cannot afford to contract it out.

It is not realistic for the FAA to do all the work independently, but now it cannot even effectively audit the self-certification.

[+] bookofjoe|7 years ago|reply
Should the FDA not approve drug studies funded by pharmaceutical companies? If that were the case, the world would be a far worse place. Of course there are drugs that gain approval that shouldn't, some of which get pulled. I am a patient currently on three psychiatric medications daily, with a history of four major depressions one of which resulted in a nearly successful suicide attempt when I was 29. I am also a 70-year-old retired neurosurgical anesthesiologist with 38 years of experience in academic and private settings. During that time, I published over 100 scientific research papers, many of which reported on the first human trials of experimental drugs later approved for general use in anesthesiology. As such, I had to get approval from our institutional review boards before beginning the studies, which when completed and written up were then anonymously reviewed by three experts before being published in major journals in my field. Even with such rigorous filtering, some fraudulent papers appear, sometimes on a major scale resulting in retractions of hundreds of publications, headlines, and resignation and firing of scientists (though criminal charges are very rare). Patients get harmed and even die as a result of these falsifications. But the balance is still much to the positive side. In the end, we assume that the great majority of people have a moral compass that points toward honesty. Otherwise, our society collapses.
[+] lgvln|7 years ago|reply
Thanks for sharing your personal experiences, especially your history of depression. It’s not something that most people are willing to speak about because of the social stigmas associated.

The cynic in me thinks that society needs to reward honesty and/or disincentivize dishonesty instead of relying on personal ethics for most matters though.

[+] shakna|7 years ago|reply
A single sensor for an automated system that can control the flaps?

No redundancy on a system that can control flight. A system that is supposed to help avoid a stall scenario.

That alone is a crazy oversight, let alone differences between safety analysis and actual capabilities.

This stinks of truly awful management - the rules of the sky were written in blood. Ignoring them has shown serious consequences, because we already knew not to do this.

[+] Arwill|7 years ago|reply
>A system that is supposed to help avoid a stall scenario.

This article doesn't get the point right. From this article it sounds like some optional "helper" system for pilots to avoid stall. Another article got it right, the plane itself is unstable because of big engines if the MCAS is not there to stabilize it. So it's not some optional system, that the pilots would switch off when manually controlling the plane, it's there for the plane to fly at all.

[+] twoodfin|7 years ago|reply
Per HN guidelines, I don’t usually comment on why I flag, but I flagged this: It’s little more than a recapitulation of the Seattle Times story which was posted and discussed here extensively already.

The 737 Max saga is certainly right in the HN wheelhouse, but it’s becoming difficult to pull signal from noise when so many articles with so little new information are rocketing to the front page daily.

[+] deugtniet|7 years ago|reply
This sounds a lot like regulatory capture [1]. It's becoming more and more clear that the institutions that were / are(?) great at ensuring the safety of the public have been undermined by special interest.

For a really striking example of regulatory capture, look no further than the FCC.

One way to make sure that regulatory capture does not happen, is to ensure that money is not part of lobbying. But that's another discussion.

[1] https://en.wikipedia.org/wiki/Regulatory_capture

[+] ReptileMan|7 years ago|reply
We could actually try to compensate competent people monetarily enough so they want to work for the government.

In that case they won't be swayed so easily by special interests.

There are people willing to work for the good guys for half the money, but not for order of magnitude less.

[+] akg_67|7 years ago|reply
The biggest loser with such incidents is the credibility of US government, government agencies, and institutions. Other countries used to rubber stamp approvals once a US institution had certified something. The nepotism, politicization, and corruption in such institutions is eroding the credibility and creating barriers and preferential treatment US companies and products used to receive worldwide.

FAA, FTC, US Treasury, US military all have lost credibility in recent years.

[+] trevyn|7 years ago|reply
Is it possible to empirically measure such credibility?
[+] JustSomeNobody|7 years ago|reply
> - Understated the power of the new flight control system, which was designed to swivel the horizontal tail to push the nose of the plane down to avert a stall. When the planes later entered service, MCAS was capable of moving the tail more than four times farther than was stated in the initial safety analysis document.

> - Failed to account for how the system could reset itself each time a pilot responded, thereby missing the potential impact of the system repeatedly pushing the airplane’s nose downward.

This likely would not have been included in the simulator, right? So, even if pilots had been given more training, it would not have done much good. The system would still be acting different to the training.

[+] dukoid|7 years ago|reply
Interesting... Are the commercial flight simulators using an actual physics / aerodynamic model with all the components -- or just empirical data and lookup tables / expectations? I suppose in the latter case, behavior is more likely to deviate from reality?

https://en.wikipedia.org/wiki/X-Plane_(simulator)#Flight_mod...

[+] rbanffy|7 years ago|reply
I wonder why there is no big red button that puts everything on full-manual immediately.
[+] light_hue_1|7 years ago|reply
Airplanes don't have big red buttons that turn off all automation because it's always the wrong thing to do.

You can't press a button without understanding how it will affect the plane. How do you know the automation is at fault? Maybe there is mechanical damage and the only reason you're in the air is the automation? By the time you understand if the red button can be safely pressed, you understand what is generally causing the problem. So you can disable that specific automated system, which you can do today.

Also, automation is very very rarely at fault, it basically never happens. But accidents are often avoided, and many accidents would have been avoided, if pilots let go of the controls and let the automation and the inherent stability of the airframe return the flight to normal.

I can't think of a single time when that big red button is a good idea.

Boeing just recklessly didn't tell these pilots what to watch out for, what automated systems existed, and to save some money didn't include the basic safety equipment they needed.

[+] matt4077|7 years ago|reply
The strong correlation between more automation and increased flight safety over the last few decades should be a strong prior for continuing to increase it, current events notwithstanding. After all, since 1970 airline travel has increased 10-fold, while fatalities have decreased by the same factor. Combined, your risk of dying on any given flight today is just 1% what it was in the heyday of pilot jocks.

Contrary to what our instincts tell us, automated systems are potentially far safer than humans could ever be: You can take as much time as you need to think of the best reaction in every scenario; they will execute whatever best practice you come up with every single time without needing constant (re-)training, they don't drink, they don't suffer strokes, they don't get tired, etc.

The failures we have seen tend not to involve any errors in judgement by the automated system. Instead, they almost invariably result from faulty sensor input. For the 757 Max, the angle-of-attack sensor seems to have failed, and relying on input from just a single sensor seems catastrophically negligent.

Such failures cannot reliably be avoided by giving humans more control. With a sensor showing a large AOA and the "STALL! STALL!" alarm blaring, a pilot would take the same action MCAS took, at least initially.

For the two recent crashes, the pilots would probably have recovered. But they had the advantage of daylight and clear skies. At night, in bad weather, and even in the best conditions, hundreds of planes have crashed because the pilots suffered some sensory illusion. See, for but one example, https://en.wikipedia.org/wiki/Air_New_Zealand_Flight_901, which crashed into a mountain because the crew mistook it for an ice shelf. Air France 447 (https://en.wikipedia.org/wiki/Air_France_Flight_447#Accident) is even closer to the current crashes. It shows pilots taking manual control of the plane while fatally misjudging its attitude. There are many other examples where pilots get disoriented in, for example, clouds. The typical story is the plane coming out of the cloud inverted without anyone on board having noticed. Our sensory organs aren't equipped to measure complex movements in 3D: you can roll a plane without ever spilling the champagne glasses in first class.

[+] onion2k|7 years ago|reply
Part of the problem with the Max is that it handles differently compared to the old 737, so a pilot used to flying a 737 isn't immediately ready to fly the Max. To quote a pilot on the issue;

"I think it is unconscionable that a manufacturer, the FAA, and the airlines would have pilots flying an airplane without adequately training, or even providing available resources and sufficient documentation to understand the highly complex systems that differentiate this aircraft from prior models." [1]

Unless you're confident flying that specific model of that particular plane just turning off auto-pilot is really dangerous. Planes aren't all the same, so "knowing how to fly" doesn't really work, especially on take-off and landing where the margin of error is very, very small.

[1] https://www.politico.com/story/2019/03/12/pilots-boeing-737-...

[+] GuB-42|7 years ago|reply
There is, kind of.

My understanding is that there is a button on the stick to disable the autopilot if the pilot just wants to maneuver. And a circuit breaker to really shut the thing down if there is something wrong, as it happened during the accident.

You don't want to disable everything at once, and put too much cognitive load on the pilot during the worst times. Especially not safety systems like MCAS is supposed to be.

[+] Yaggo|7 years ago|reply
Same here.

But, I'm not sure if the concept of "full manual" is anymore relevant with modern passenger jets. Are they even flyable without any computer intervention or too unstable / have too complex flying characteristics?

[+] acqq|7 years ago|reply
There was also a crash where the pilots turned too much off at once.

If you have a lot of computerized equipment to help you, you depend on the things that work. You want only that malfunctioning part off. Here the problem was that before Lion Air crash nobody but Boeing even knew that MCAS existed, let alone turning deadly with the malfunctioning non-redundant sensor.

[+] j16sdiz|7 years ago|reply
Because these planes have too many subsystems to go "full-manual".
[+] arghwhat|7 years ago|reply
Modern aircraft do not have a concept of manual control.
[+] ethbro|7 years ago|reply
Because that would be incredibly dangerous.
[+] papashultz|7 years ago|reply
As a software engineer having to deal with OPS teams that are reluctant to push new software updates to production because according to them, well, most of the time developers introduce new bugs in new releases, so they would rather stick with what they have.

Anyway, I would not want to be the software engineer in charge of the Boeing 737 MAX 8 new update. Imagine what will happen if there is another accident after the software update? Do you think the proposed software solution is enough?