Boeing's software fix, announced today, is to compare readings from both angle-of-attack sensors and disable MCAS if they disagree significantly. The obvious question is why they didn't do this in the first place?
One possibility is incompetence. But Boeing engineers are smart people, so I'm not convinced by this. The elephant in the room is the requirement to maintain a common type rating with older 737 models.
Suppose they did originally do what the fixed software does now, and disable MCAS if the AoA sensors disagree. The problem Boeing face is that with MCAS disabled when this occurs, the plane no longer flies like an older 737. They'd need to announce to the pilots an AoA disagree, and announce that MCAS was disabled. Now what? A pilot certified and trained on the older 737 would not know how the Max now differs from what they trained on. If they'd done this, they'd have needed to provide additional training, and this must have concerned Boeing management that it might jeopardize the common type rating. Hence it seems likely they didn't add the AoA sensor comparison for this reason, reasoning that it was unlikely to be a problem anyway. We now know that reasoning was flawed.
What does this mean going forwards? Will EASA and other CAAs refuse to certify the modified 737 Max under the same type rating as the older 737? This certainly seems possible. If they did require a separate type rating, this would likely kill 737 sales, regardless of whether the plane is now safe.
> One possibility is incompetence. But Boeing engineers are smart people, so I'm not convinced by this.
That's still a possibility. Stupid decisions can emerge out of smart people.
Boeing is huge, and what they develop is incredibly complex. There are a lot of people with differing levels of competence, ethics, and goals.
For example (I am not saying that happened), the engineers designing MCAS didn't expect incorrect AoA data, thinking the checks were done elsewhere. At the same time, the "sensors" team thought that raw, unchecked data was expected. The integration guy didn't read the specs correctly (sometimes, it comes down to a single word), didn't catch that, and checked the OK box. His manager, focused on a more pressing issue, took that for granted and it went to production.
It is possible that the engineers did excellent work, but didn't question the specs they had. The integration guy is normally super reliable but he just had a bad day. And his manager handled the other problem beautifully and overlooked the MCAS/AoA because, normally, the integration guy is reliable. A series of small mistakes that ended up in a catastrophe.
There are a lot of safeguards but the complexity is so high that sometimes, something goes through. Especially if the company is under pressure.
I agree with you that this was ALL about keeping type rating. I wish the government would offer a whistleblower award to anyone inside Boeing who could prove that this was indeed true, especially since it seems that that is how the software originally operated. Companies will do whatever it takes to drive sales and revenue and stock price. Employees don't want to raise their hand and get fired as they have families to support. A true whistleblower program with WITSEC level provisions for protection and monetary support would help cut this down. Once it happens once or twice companies are very disincentivized to continue down this road.
As I understand a simple software fix is not possible according to regulation.
The problem is as follows, as you described it partly: 2 sensors are not enough. If the MCAS is an important part for the flight safety, a simple redundant safety system is not enough. Because an airplane is not about functional safety but mission critical safety. In functional safety, if there is an error the safety function is triggered and the system is transferred into a safe state. But there is no safe state here. If the system is mission critical, then it is not safe to assume to switch it off in case of an error. That means for a mission critical system we need at least 3 readings and with a vote can decide on which reading is most likely the correct reading.
If the MCAS would not be part of the mission critical path, then we could ask why it is there in the first place? There must be a reason why it was introduced.
I assume, it is not done by a simple software update, if there are only 2 sensors. It will be partly redesigned to fit the requirements and regulations. But of course, this will not be publicly announced. Think about the share price. They will maintain a communication that assumes that this is an easy (and cheap) fix, a software update.
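The two-versus-three sensor argument in the comment above, as an added example that is not part of the original thread and not any manufacturer's code: a two-sensor cross-check can only detect a disagreement and switch the dependent function off, while a three-sensor mid-value vote can isolate one bad sensor and keep running. The disagreement threshold, the names and every reading are constructed for illustration.

```python
"""Added illustration: duplex cross-check vs. triplex voting on one signal.

Not from any aircraft or vendor: the threshold and all readings are constructed.
"""
from dataclasses import dataclass, field
from statistics import median
from typing import Callable, List, Optional, Sequence

DISAGREE_LIMIT_DEG = 5.0  # assumed meaning of "disagree significantly"


@dataclass
class Vote:
    value: Optional[float]   # angle of attack to use, None if untrusted
    available: bool          # may the dependent function keep running?
    suspects: List[int] = field(default_factory=list)  # sensors voted out


def cross_check_two(readings: Sequence[float]) -> Vote:
    """Two sensors: a disagreement is detectable, but nothing says which
    side is wrong, so the only option is to switch the function off."""
    a, b = readings
    if abs(a - b) > DISAGREE_LIMIT_DEG:
        return Vote(None, False, [0, 1])
    return Vote((a + b) / 2.0, True)


def vote_three(readings: Sequence[float]) -> Vote:
    """Three sensors: mid-value select. A single outlier is isolated and
    the function stays available on the two sensors that still agree."""
    if len(readings) != 3:
        raise ValueError("expected exactly three readings")
    mid = median(readings)
    suspects = [i for i, r in enumerate(readings)
                if abs(r - mid) > DISAGREE_LIMIT_DEG]
    if len(suspects) >= 2:
        # No two sensors agree, so even a vote yields no trusted value.
        return Vote(None, False, suspects)
    # Caveat: two sensors failing the same way (common-mode fault) will
    # outvote the healthy one. Voting assumes independent failures.
    return Vote(mid, True, suspects)


def availability(samples: Sequence[Sequence[float]],
                 voter: Callable[[Sequence[float]], Vote]) -> float:
    """Fraction of samples for which the dependent function could stay on."""
    votes = [voter(s) for s in samples]
    return sum(v.available for v in votes) / len(votes)


# Constructed segment: sensor 0 fails high from the third sample onwards.
SAMPLES_3 = [
    (4.9, 5.1, 5.0),
    (5.2, 5.0, 5.1),
    (40.0, 5.1, 4.8),
    (40.0, 5.3, 5.2),
]
SAMPLES_2 = [s[:2] for s in SAMPLES_3]  # same flight with only two sensors

if __name__ == "__main__":
    for s in SAMPLES_3:
        print(s, "duplex:", cross_check_two(s[:2]), "triplex:", vote_three(s))
    print("duplex availability :", availability(SAMPLES_2, cross_check_two))
    print("triplex availability:", availability(SAMPLES_3, vote_three))
```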
> The problem Boeing face is that with MCAS disabled when this occurs, the plane no longer flies like an older 737.
The other problem Boeing faces is that with MCAS enabled the plane no longer necessarily flies like an older 737 - it can try to force its nose down unexpectedly.
> Suppose they did originally do what the fixed software does now, and disable MCAS if the AoA sensors disagree. The problem Boeing face is that with MCAS disabled when this occurs, the plane no longer flies like an older 737....
But it’s been reported that this was an option you could buy when you bought the planes. And the crashed planes didn’t have this option.
So if that’s correct, then any plane shipped with this optional package would require the recertification. But it appears they don’t either.
If they did it would show up as very suspicious and I’m surprised nobody has reported on it:
Here buy this plane without this optional package and you don’t need new training.
Or buy it with the optional package and you need to learn about these new components we’ve added that may be disabled and undergo new training.
Yes it all comes back to the requirement from on high to not require any retraining or recertification even though they were delivering essentially a different airplane. Trying to simulate the feel of a different plane via software is adding a huge new layer of complexity and failure risk.
> If they'd done this, they'd have needed to provide additional training, and this must have concerned Boeing management that it might jeopardize the common type rating.
Yes. There were no simulators to train pilots (only 4 delivered up to now, vs. 376 planes delivered! -- by the way, the value of all MAX orders, including these still not delivered, is around 600 billion with a b dollars!) and if I'd guess the simulators can't simulate the plane behavior when MCAS is off. Because the selling point is "MAX behaves the same as the old one." Which is just not true.
> The problem Boeing face is that with MCAS disabled when this occurs, the plane no longer flies like an older 737.
The bigger problem is the MCAS was only added to fix a major design fault, whereby the aircraft would automatically pitch up when accelerating.
So with the MCAS disabled, the aircraft then runs the risk of stalling when accelerating.
I don't understand how design engineers would ever think a software workaround would be a suitable fix for what appears to be a major aerodynamic design flaw.
According to Blancolirio on YT (a wholehearted thumbs up for his journalism, e.g. the video on atlas prime air is worth a watch, he currently flies as FO on the 777 I believe), there exists an angle of attack disagree light already in the 737max options sheet. There's also an option to purchase an AoA indicator dial, and he said one of the major US carriers did buy that option on their aircraft.
Agreed. I think what this may mean going forward is that the CAAs are going to have to consider demanding that the training specifications be designed around a scenario where some (as-yet-to-be-defined) subset of the smart systems are disabled, and if the airframe behaves differently in that configuration, it demands re-training.
I'm somewhat surprised acceptance criteria weren't already there. You don't plan for the common case when lives are on the line.
> If they did require a separate type rating, this would likely kill 737 sales
Would it, though? I'm genuinely asking because I don't know how much all this costs. Certainly certifying pilots for a new aircraft isn't free, and probably isn't cheap, but the MAX line promises significant savings in fuel cost. In the long run, would the latter outweigh the former?
This is pretty much it in a nutshell as far as I can tell. If the sensors don't agree, and MCAS switches off, then the pilots have to be ready to deal with the plane trying to pitch up and stall on their own.
When would that happen? Take off and go-arounds.
Pilot is coming in for a landing, something goes wrong (too much cross wind, plane on the taxiway, Etc.) what they do is they pull back on the stick and push the throttles up to max to get into a climb. If MCAS is disabled and the pilot hasn't trained to fly the plane without it, there is a risk it will pitch up and stall onto its tail. Not a good place to be.
"Boeing's software fix, announced today, is to compare readings from both angle-of-attack sensors and disable MCAS if they disagree significantly. The obvious question is why they didn't do this in the first place?"
Because you had to pay for the second sensor and the disagree light.
IIRC the two planes that crashed only had a single AOA sensor (the 2nd redundant one being only present in a premium add-on that those airlines didn't purchase), so this software fix would have not changed anything.
I was under the impression the "base model" only came with a single AoA sensor. Adding a second sensor and the warning light if they disagreed was an expensive upgrade that neither of the planes that crashed were equipped with.
This reminds me of The Slow Winter by James Mickens [0]
> "John was terrified by the collapse of the parallelism bubble, and he quickly discarded his plans for a 743-core processor that was dubbed The Hydra of Destiny and whose abstract Platonic ideal was briefly the third-best chess player in Gary, Indiana. Clutching a bottle of whiskey in one hand and a shotgun in the other, John scoured the research literature for ideas that might save his dreams of infinite scaling. He discovered several papers that described software-assisted hardware recovery. The basic idea was simple: if hardware suffers more transient failures as it gets smaller, why not allow software to detect erroneous computations and re-execute them? This idea seemed promising until John realized THAT IT WAS THE WORST IDEA EVER. Modern software barely works when the hardware is correct, so relying on software to correct hardware errors is like asking Godzilla to prevent Mega-Godzilla from terrorizing Japan. THIS DOES NOT LEAD TO RISING PROPERTY VALUES IN TOKYO. It’s better to stop scaling your transistors and avoid playing with monsters in the first place, instead of devising an elaborate series of monster checks-and-balances and then hoping that the monsters don’t do what monsters are always going to do because if they didn’t do those things, they’d be called dandelions or puppy hugs."
There is a debate to be had, but this is a naked propaganda piece. The crux of the article is based on:
“Among Boeing’s critics is Gregory Travis, a veteran software engineer and experienced, instrument-rated pilot who has flown aircraft simulators as large as the Boeing 757.”
... someone who uses flight simulators. This is not credible journalism.
I've read a variety of articles on this and they often said somewhat different things. What I've been able to gather about the timeline of events is:
1. The new engines on the MAX shifted the center of gravity forward (and I assume center of lift stayed the same).
2. Boeing was worried that #1 would cause the plane to nose up during high angles of attack (so, take off and landing?), and added software, MCAS, to pitch up to counteract this.
3. There's some confusion over when this software kicks in and how to cancel it (something about the trim controls not cancelling MCAS?)
4. Regardless of #3, this software seems to have confused pilots and the current belief is that MCAS was active when pilots didn't want it active.
5. ????
6. Planes crash.
Also, I've read about some concerns about the fact that the handling behavior changed so much but the plane wasn't reclassified as a different type. I'm still unclear about how classifications play into this story.
My core point of confusion is, if MCAS is the culprit why isn't the solution to remove MCAS? Is tendency to pitch during high angles of attack unusual, and something pilots cannot be expected to counteract manually? I've only played sims like DCS and X-Plane (and not very much at that) but "nose goes up when I don't want it to, so I push stick forward" doesn't seem too complicated to me. Of course, I'm no pilot so I'm probably drastically oversimplifying the situation.
Well eetimes got some clicks, so job well done for the journalist who wrote this article about a blog post by some guy with experience flying large planes in a flight sim.
This article appears to be fairly thinly sourced. The one named source I can find appears to be a blog post by a fellow software developer who is an instrument-rated pilot, however has flown airliners in simulation only. The article does not claim the source is a professional pilot or that they have ever flown the 737Max.
With due respect, I am not sure whether that counts as enough expertise to qualify someone’s opinion as news worthy?
This is Gregory Travis, who wrote the original article on which the EE Times article is based. If any of you have a specific question regarding my conclusions or how I got them or want to discuss any statements of fact, I'm more than happy to engage.
Wondering if Boeing will be able to recover from this in regards to keeping the MAX flying at all. I mean, I will always pick a different plane from now on - just not a risk I'm willing to take in the foreseeable future. Not sure if my stance is common though.
Really? My conclusion from this saga has basically been that the 737 Max is fine when flown by first-rate carriers (American, Southwest) and conversely that no plane is safe to fly with 3rd or 4th rate carriers in the third world (Lion Air).
Everything comes down to the Swiss Cheese - you're focusing on Boeing's hole, while I care more about the stack of holes that Lion Air maintained.
1) Like most people, I’m far from qualified to give aeronautical engineering advice, but as fly-by-wire technology gets more advanced, won’t this be the norm? i.e.: Airframes that are difficult to fly might always be more efficient, so have a computer do the hard part.
2) This part seems like the real damning misdesign:
> Boeing offered the single angle-of-attack sensor as standard equipment, and charged extra for a second along with a “disagree” indicator that would allow 737 MAX pilots to “cross-check” a faulty sensor. Citing those decisions, another observer noted: “Who would design a system with a single point of failure?”
> Relaxed stability designs are not limited to military jets. The McDonnell Douglas MD-11 has a relaxed stability design which was implemented to save fuel. To ensure stability for safe flight, an LSAS (Longitudinal Stability Augmentation System) was introduced to compensate for the MD-11's rather short horizontal stabilizer and ensure that the aircraft would remain stable. However, there have been incidents in which the MD-11's relaxed stability caused an "inflight upset."
> Updates to the software package made the airplane's handling characteristics in manual flight similar to those of the DC-10, despite a smaller tailplane to reduce drag and increase fuel efficiency.
Maybe this isn't as new of a development as we think.
> “Who would design a system with a single point of failure?”
According to the original design, the MCAS was only supposed to adjust trim to a level that was easily overridden by the pilot essentially just pushing on the stick/adjusting the trim. If it had been implemented this way, sensor failure would not have been catastrophic and hence doesn't require redundancy. At some point this was either changed or implemented incorrectly so that MCAS had much more authority.
> Boeing offered the single angle-of-attack sensor as standard equipment, and charged extra for a second along with a “disagree” indicator that would allow 737 MAX pilots to “cross-check” a faulty sensor.
Unfortunately for the author that's not an accurate representation of reality. I'm a bit surprised as I thought that EETimes was a credible news source.
Today I saw the 737 MAX frontal view for the first time. Initially I thought that it was that typical funny plane-themed photoshop. I kid you not, it is the real thing - https://i.stack.imgur.com/GFzcj.jpg
Just look at those nacelles. Deep breath. Look again. Take them in. Besides clearly visually screaming that this Frankenstein thing was quickly&cheaply slapped together and wasn't properly engineered and thus should just have never seen the light of the day, these nacelles obviously add more lift than normal symmetrical ones. So:
1. the engines placed more forward than pre-MAX 737 - that results in additional pitching up moment as the engines are below the centers of pressure, gravity, etc.
2. the engines are 2x higher-by-pass than pre-MAX 737 and thus the center of thrust is shifted even more forward and lower - as a result it adds even more of the pitching up
3. these asymmetrical nacelles generate more lift just due to the shape - and again due to the position of the engines that lift results in the additional pitching up moment.
Basically that thing just can't really fly steady straight, and looking at all this some people at Boeing decided that a bandaid software patch would just fix it. Sounds like it was the same people who did the "curl" fix in today's Cisco story https://news.ycombinator.com/item?id=19508472 :)
I will not comment on (1) and (2) but (3) is wrong. I don't think that's even a 737 MAX on the picture.
The 737 was originally designed to be low to the ground to make it easier for ground crew to "bulk" load i.e. just throw stuff into the cargo area. The reason why the 737 could be so low to the ground was that they were using turbojet[1] engines. Turbojet engines are very slim compared to the new turbofan engines used on later 737 generations. When they moved to turbofan engines which have a bigger diameter they needed to move them higher up from the ground. So they moved the engines in front of the wings. To gain even more ground clearance they moved the accessory gearbox and fuel pump from underneath the engine to the side. That's why the engine appears flat on the bottom. Obviously the engine is still round because the fan is round but the lip is flattened. All this allowed Boeing to fit more efficient and quieter engines to the 737 without extending the landing gear. The shape itself does not generate much aerodynamic lift if any.
On the 737 MAX they actually extended the landing gear and it does not feature "flattened" engine shape any more.
This appears to be a thinly sourced article, based on a blog post opinion by someone who is a software developer and instrument-rated (hobby?) pilot who has flown airliners in simulation only.
With due respect, not sure whether that constitutes enough expertise to qualify an opinion as news-worthy?
It would be interesting if these kinds of companies (aviation, car companies) were forced to publicly disclose the patch they are applying in order to fix a broken piece of software.
Maybe then they'd be more careful because of the extra scrutiny and the potential leaking of secrets.
On the other hand, maybe then they'd patch as little as possible, although in this case, if a second patch would be required, a very hefty fine could be forced onto the company, or possibly force a full disclosure of all the relevant source code.
Maybe the Blockchain could be used for some accountability here, where hashes of the blobs of all the software in the system, including the secret one, could be used as a means to prove that only a specific section of a codebase has been altered.
Everything made in US has become extremely expensive. As a product manufacturer you have to pay a lot more than your Asian competitors. You can open an R&D subsidiary in Asia to reduce costs, but in very short time you will see your technology has diffused and now you have even more pressure from competitors.
More bugs and design faults. Growth, innovation, effectiveness, all in a shorter time. All with increasing costs.
And even more complexity, and more pressure. iCloud leaks, empty root password, reboot by WhatsApp message, Meltdown, Spectre, 737 MAX, etc.
As an example of the seriousness of approach to stall, buffeting and proper recovery (you don't fall out of the sky like a rock, but recoveries take hundreds and possibly a couple thousand feet), this two year old serious incident in a 747 involving inadvertent stall while entering a hold, just had its final report issued.
http://avherald.com/h?article=4a787699&opt=0
You can't really fix any hardware fault in software. The best you can do is a workaround, but the whole will never be as solid as a properly designed system would be.
The big question is ... who will trust the Boeing - FAA duo after this? The 777X is coming, there surely will be rather pointed questions from airlines, the EASA and more.
I think many do not understand typical practices of regulatory agencies. As a related example, what do you think the FDA requires in terms of genetically engineered foodstuffs? Many seem to think there's extensive oversight and safety testing. There isn't. They treat genetically engineered products and natural products identically. If a company has all their regulatory issues in order to market e.g. corn, they can cook up a new genetically engineered corn in the lab and bring it to market with literally 0 additional oversight necessary. All the FDA offers here is a completely voluntary consultation, and that in turn basically is little more than the company signing off on some checkboxes.
This leads to a bemusing and disconcerting run around.
Monsanto: "The Food and Drug Administration (FDA) is responsible for the safety and appropriate labeling of food and feed products grown from GM crops." [1]
FDA: "It is the manufacturer's responsibility to ensure that the food products it offers for sale are safe and otherwise comply with applicable requirements." [2]
Sound similar? It'll be the exact same story if/when a company inadvertently releases a harmful genetically engineered product. The assurance of safety provided by regulatory agencies is often illusory. As an aside, this is all clearly described on the FDA's page as well. [3] But the phrasing is designed to mislead consumers. They state repeatedly that it is unlawful to ship unsafe food to consumers without ever directly clarifying that they themselves never actually test the foods. Inventions go straight from Monsanto's lab to your plate. Obviously they have a major incentive to ensure their products are safe, but they have a long history of failing in that obligation yet remain a multi billion dollar company.
mhandley | 7 years ago
GuB-42 | 7 years ago
snarf21 | 7 years ago
PinguTS | 7 years ago
Angostura | 7 years ago
avip | 7 years ago
erentz | 7 years ago
It seems too obvious.
skywhopper | 7 years ago
acqq | 7 years ago
jussij | 7 years ago
CraigJPerry | 7 years ago
osrec | 7 years ago
fixermark | 7 years ago
kelnos | 7 years ago
ChuckMcM | 7 years ago
melling | 7 years ago
https://www.nytimes.com/2019/03/21/business/boeing-safety-fe...
B1FF_PSUVM | 7 years ago
I suspect a 737 Max is now as saleable as a Samsung Note 7 phone.
siwatanejo | 7 years ago
EDIT: alright thanks for the replies.
tw04 | 7 years ago
sixothree | 7 years ago
csours | 7 years ago
0: http://scholar.harvard.edu/files/mickens/files/theslowwinter...
[+] [-] SeaSeaRider|7 years ago|reply
“Among Boeing’s critics is Gregory Travis, a veteran software engineer and experienced, instrument-rated pilot who has flown aircraft simulators as large as the Boeing 757.”
... someone who uses flight simulators. This is not credible journalism.
[+] [-] manfredo|7 years ago|reply
1. The new engines on the MAX shifted the center of gravity forward (and I assume center of lift stayed the same).
2. Boeing was worried that #1 would cause the plane to nose up during high angles of attack (so, take off and landing?), and added software, MCAS, to pitch up to counteract this.
3. There's some confusion over when this software kicks in and how to cancel it (something about the trim controls not cancelling MCAS?)
4. Regardless of #3, this software seems to have confused pilots and the current belief is that MCAS was active when pilots didn't want it active.
5. ????
6. Planes crash.
Also, I've read about some concerns about the fact that the handling behavior changed so much but the plane wasn't reclassified as a different type. I'm still unclear about how classification plays into this story.
My core point of confusion is, if MCAS is the culprit why isn't the solution to remove MCAS? Is tendency to pitch during high angles of attack unusual, and something pilots cannot be expected to counteract manually? I've only played sims like DCS and X-Plane (and not very much at that) but "nose goes up when I don't want it to, so I push stick forward" doesn't seem too complicated to me. Of course, I'm no pilot so I'm probably drastically oversimplifying the situation.
[+] [-] isquared23|7 years ago|reply
With due respect, I am not sure whether that counts as enough expertise to qualify someone’s opinion as newsworthy?
[+] [-] GregTravis|7 years ago|reply
This is Gregory Travis, who wrote the original article on which the EE Times article is based. If any of you have a specific question regarding my conclusions or how I got them or want to discuss any statements of fact, I'm more than happy to engage.
[+] [-] mscasts|7 years ago|reply
I don't think any trips are, but if they are I will not fly that one.
[+] [-] DuskStar|7 years ago|reply
Everything comes down to the Swiss Cheese - you're focusing on Boeing's hole, while I care more about the stack of holes that Lion Air maintained.
[+] [-] CoolGuySteve|7 years ago|reply
2) This part seems like the real damning misdesign:
Boeing offered the single angle-of-attack sensor as standard equipment, and charged extra for a second along with a “disagree” indicator that would allow 737 MAX pilots to “cross-check” a faulty sensor. Citing those decisions, another observer noted: “Who would design a system with a single point of failure?”
[+] [-] kalleboo|7 years ago|reply
> https://en.wikipedia.org/wiki/Relaxed_stability#Unstable_air...
> Relaxed stability designs are not limited to military jets. The McDonnell Douglas MD-11 has a relaxed stability design which was implemented to save fuel. To ensure stability for safe flight, an LSAS (Longitudinal Stability Augmentation System) was introduced to compensate for the MD-11's rather short horizontal stabilizer and ensure that the aircraft would remain stable. However, there have been incidents in which the MD-11's relaxed stability caused an "inflight upset."
> Updates to the software package made the airplane's handling characteristics in manual flight similar to those of the DC-10, despite a smaller tailplane to reduce drag and increase fuel efficiency.
Maybe this isn't as new of a development as we think.
[+] [-] kalleboo|7 years ago|reply
According to the original design, the MCAS was only supposed to adjust trim to a level that was easily overridden by the pilot essentially just pushing on the stick/adjusting the trim. If it had been implemented this way, sensor failure would not have been catastrophic and hence doesn't require redundancy. At some point this was either changed or implemented incorrectly so that MCAS had much more authority.
[+] [-] inferiorhuman|7 years ago|reply
Unfortunately for the author that's not an accurate representation of reality. I'm a bit surprised as I thought that EETimes was a credible news source.
[+] [-] mehrdadn|7 years ago|reply
Relevant: https://news.ycombinator.com/item?id=19158562
[+] [-] wetpaws|7 years ago|reply
I guess we now have an answer to this question.
[+] [-] trhway|7 years ago|reply
Just look at those nacelles. Deep breath. Look again. Take them in. Besides clearly visually screaming that this Frankenstein thing was quickly & cheaply slapped together and wasn't properly engineered and thus should just have never seen the light of day, these nacelles obviously add more lift than normal symmetrical ones. So:
1. the engines are placed more forward than on the pre-MAX 737 - that results in additional pitching up moment as the engines are below the centers of pressure, gravity, etc.
2. the engines are 2x higher-bypass than on the pre-MAX 737 and thus the center of thrust is shifted even more forward and lower - as a result it adds even more of the pitching up
3. these asymmetrical nacelles generate more lift just due to the shape - and again due to the position of the engines that lift results in the additional pitching up moment.
Basically that thing just can't really fly steady straight, and looking at all this some people at Boeing decided that a bandaid software patch would just fix it. Sounds like it was the same people who did the "curl" fix in today's Cisco story https://news.ycombinator.com/item?id=19508472 :)
[+] [-] ihuk|7 years ago|reply
The 737 was originally designed to be low to the ground to make it easier for ground crew to "bulk" load, i.e. just throw stuff into the cargo area. The reason why the 737 could be so low to the ground was that they were using turbojet[1] engines. Turbojet engines are very slim compared to the new turbofan engines used on later 737 generations. When they moved to turbofan engines, which have a bigger diameter, they needed to move them higher up from the ground. So they moved the engines in front of the wings. To gain even more ground clearance they moved the accessory gearbox and fuel pump from underneath the engine to the side. That's why the engine appears flat on the bottom. Obviously the engine is still round because the fan is round but the lip is flattened. All this allowed Boeing to fit more efficient and quieter engines to the 737 without extending the landing gear. The shape itself does not generate much aerodynamic lift, if any.
On the 737 MAX they actually extended the landing gear and it does not feature "flattened" engine shape any more.
[1] https://en.wikipedia.org/wiki/Pratt_%26_Whitney_JT8D
[+] [-] kchoudhu|7 years ago|reply
If unstable airframes are not the norm, then the question we need to be asking is how the regulatory regime let an unstable airframe into service.
[+] [-] isquared23|7 years ago|reply
With due respect, not sure whether that constitutes enough expertise to qualify an opinion as news-worthy?
[+] [-] qwertox|7 years ago|reply
Maybe then they'd be more careful because of the extra scrutiny and the potential leaking of secrets.
On the other hand, maybe then they'd patch as little as possible, although in this case, if a second patch would be required, a very hefty fine could be forced onto the company, or possibly force a full disclosure of all the relevant source code.
Maybe the Blockchain could be used for some accountability here, where hashes of the blobs of all the software in the system, including the secret one, could be used as a means to prove that only a specific section of a codebase has been altered.
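The hash-based accountability idea in the comment above, sketched as an added example that is not part of the original comment or of any vendor's tooling: an auditor holding only per-component hashes checks that a patch changed exactly the components it declared, without seeing the code. The component names, blob contents and key are constructed, a plain sealed manifest stands in for the ledger the comment proposes, and HMAC stands in for a real signature scheme.

```python
import hashlib
import hmac

def build_manifest(blobs):
    """Map each component name to the SHA-256 of its binary blob."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in blobs.items()}

def manifest_digest(manifest):
    """One digest committing to every (name, hash) pair, in sorted order."""
    h = hashlib.sha256()
    for name in sorted(manifest):
        encoded = name.encode()
        # Length-prefix the name so adjacent fields cannot be re-split.
        h.update(len(encoded).to_bytes(4, "big") + encoded)
        h.update(bytes.fromhex(manifest[name]))
    return h.hexdigest()

def seal(manifest, key):
    """Keyed seal over the manifest digest (stand-in for a signature)."""
    return hmac.new(key, manifest_digest(manifest).encode(), hashlib.sha256).hexdigest()

def audit_patch(old, new, declared, old_seal, new_seal, key):
    """Return findings; an empty list means only declared components changed."""
    findings = []
    for label, manifest, expected in (("old", old, old_seal), ("new", new, new_seal)):
        if not hmac.compare_digest(seal(manifest, key), expected):
            findings.append(f"{label} manifest seal mismatch")
    for name in sorted(set(old) | set(new)):
        if old.get(name) != new.get(name) and name not in declared:
            kind = "added" if name not in old else "removed" if name not in new else "modified"
            findings.append(f"undeclared change: {name} {kind}")
    for name in sorted(declared):
        if old.get(name) == new.get(name):
            findings.append(f"declared but unchanged: {name}")
    return findings

# Constructed sample releases (hypothetical component names and contents).
KEY = b"constructed-demo-key"
RELEASE_1 = {"flight_control.bin": b"fc v1", "trim_logic.bin": b"trim v1", "display.bin": b"disp v1"}
RELEASE_2 = {**RELEASE_1, "trim_logic.bin": b"trim v2"}
RELEASE_2_TAMPERED = {**RELEASE_2, "display.bin": b"disp v1 + extra"}
```

With a symmetric key, whoever seals a manifest can also re-seal a modified one, so a real deployment would use an asymmetric signature or an append-only log held by a party other than the vendor.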
[+] [-] novaRom|7 years ago|reply
More bugs and design faults. Growth, innovation, effectiveness, all in a shorter time. All with increasing costs.
And even more complexity, and more pressure. iCloud leaks, empty root password, reboot by WhatsApp message, Meltdown, Spectre, 737 MAX, etc.
[+] [-] rjf72|7 years ago|reply
This leads to a bemusing and disconcerting run around.
Monsanto: "The Food and Drug Administration (FDA) is responsible for the safety and appropriate labeling of food and feed products grown from GM crops." [1]
FDA: "It is the manufacturer's responsibility to ensure that the food products it offers for sale are safe and otherwise comply with applicable requirements." [2]
Sound similar? It'll be the exact same story if/when a company inadvertently releases a harmful genetically engineered product. The assurance of safety provided by regulatory agencies is often illusory. As an aside, this is all clearly described on the FDA's page as well. [3] But the phrasing is designed to mislead consumers. They state repeatedly that it is unlawful to ship unsafe food to consumers without ever directly clarifying that they themselves never actually test the foods. Inventions go straight from Monsanto's lab to your plate. Obviously they have a major incentive to ensure their products are safe, but they have a long history of failing in that obligation yet remain a multi billion dollar company.
[1] - https://monsanto.com/company/commitments/safety/statements/a...
[2] - https://health.usnews.com/health-news/health-wellness/articl...
[3] - https://www.fda.gov/Food/IngredientsPackagingLabeling/GEPlan...
[+] [-] akvadrako|7 years ago|reply