U.S. FAA proposes requiring key Boeing 737 MAX design changes (reuters.com)
139 points by rbanffy on Aug 3, 2020 | 248 comments


Given the option, would anyone choose to book a trip on one of these new Boeing aircraft rather than anything else? I know I wouldn't, my family wouldn't, and none of the friends or co-workers I've discussed this with would.

Something tells me airlines are going to be making it even more difficult to determine which aircraft you'll be flying on when you book a ticket. As far as I know they're not required to tell you, nor are they required to use the aircraft listed at the time of booking (they can swap it at the last minute if they want).


Even though this model has big design flaws and a relatively bad safety record, the absolute level of risk is still pretty low. I knowingly expose myself to larger risks in my day-to-day life. So I won’t lose any sleep over booking a flight on this type of plane.


This is not a good argument.

You can control this level of risk. Taking on any unnecessary risk when you don't have to is not a wise choice.


Obviously you'd choose the safer plane if it's equally convenient. But if the absolute risk is low and there's no other plane at the same time, or the alternatives cost 2x as much, it's reasonable to be willing to fly on a more dangerous plane.


But the alternatives are of similar price range.


Depends on the route


> safer airplane

Every airplane is slightly different in its risks. Sort of like every car is also slightly different.

The MAX has been so thoroughly gone over, it's likely the safest airliner in the sky.


> The MAX has been so thoroughly gone over, it's likely the safest airliner in the sky.

That's quite a jump of logic.


I would be very hesitant to get on a MAX, but we take unnecessary risks all the time. Getting in a car, having a beer, etc. are all activities that carry risk. Ultimately it's "will the hassle of avoiding the MAX be worth the benefit of not getting on one?" and for a lot (probably the vast majority) of people the answer is no.


Of course we take risks, but every rational human being does so in accordance to receiving some perceived value, reward, or return out of it. As it stands right now, there is literally no reason to take a MAX flight, unless you just absolutely had to get somewhere and it was the only flight available to you (unlikely).

One potential case I could see is the price of MAX flights dropping low enough so that price-conscious consumers decide the risk is now warranted. But that hasn't happened yet. Thus, no reason to take the unnecessary risk at this time. Future factors may change this equation.


How are you getting to the airport? However the method, it's far more likely to injure you than flying on a 737 MAX.


> However the method, it's far more likely to injure you than flying on a 737 MAX.

That depends. If you take a bus to go to the airport and it takes you an hour to get there, then your flight also lasts an hour (for simplicity's sake), you are almost 3 times more likely (on average) to die during the flight than you are during the bus ride [0]. In terms of number of journeys by plane and bus, for the same number of journeys you are 27 times more likely to die in a plane accident.

People repeat the "plane is the safest way to travel" mantra, but it's only true in terms of nr. of km traveled.

[0] - https://en.wikipedia.org/wiki/Aviation_safety


Deaths per billion:

    | Journeys | Hours | KM
Bus | 4.3      | 11.1  | 0.4
Air | 117      | 30.8  | 0.05

That's really interesting. Per KM, air is way safer than bus, but per journey it's roughly the same degree in the other direction.

I'm having a hard time saying which one is safer from that data. However, both are very, very safe.

I would like to see "Air" replaced by "737 Max" though.


Huh? That's interesting!

Don't tell me that when people tout the safety of air transport they're using deaths per billions of km rather than per (billions of) journeys. Journeys is the important metric, surely!


The median bus journey is probably about 20 minutes long since intercity journeys are probably dwarfed in number by city busses, so I'm not sure per journey is the best metric here. Per hour or per KM seems better, or possibly take a weighted average of all three.


This is a great argument that I'd never heard before. Never knew about the per-hour statistics either.

All that being said, it sounds like one can "control the level of risk" by taking a bus instead of driving/Uber/Lyft/taxi to the airport, but choosing to do the latter is an example of "taking on any unnecessary risk when you don't have to [which] is not a wise choice". And yet it is a completely reasonable thing to do.


Measuring the risk of travel in terms of hours seems largely pointless, unless I'm missing something. It equates an hour bus ride with an hour plane ride, which are not interchangeable, so it makes sense that the associated risks are also not interchangeable.

You could account for the additional time it takes to go on a bus to adjust for the longer duration of risk, but at that point it seems like you're just approximating for risk per km.


I think it makes a lot more sense to look at risk per time, because it's basically the same thing as risk per trip, and that's what I really care about.

If you tell me I can fly to Mars in a few days on a brachistochrone torchship and it's safer per mile than any other mode of transport, you may be right, and a few days cooped up in a cramped cabin might be a small price to pay for such an exotic vacation destination, but that risk calculus is really very misleading. The distance involved is so vast that per mile it could be an absurdly low figure by any terrestrial standard while still carrying an absurdly high (by the same standards) risk of death during the trip.

In other words, if the odds are e.g. 1 in 10 that the trip will kill me, I don't give a shit how low the risk per mile is.


This seems like a mode of comparison that's disconnected from actual utility. The distance comparison lets me consider a scenario like "I live in Washington, DC. I want to go to New York. I can choose to either get there by plane or car, and I want to know which is safer." This seems like a real, sensible thing to contemplate.

The time comparison is "I live in Washington, DC and want to go... to wherever it is that happens to be an hour away from me by whatever mode of transport I happen to be using (so, either New York or someplace outside of Baltimore) and I want to know which is safer"... but I can't for the life of me fathom why the second is a tradeoff anyone would actually be forced to consider. People generally travel with the objective of getting from some specific place to some other specific place.


Most people do, in fact, have specific travel time expectations for specific kinds of trips. Going away for a long weekend? Probably you're thinking 1-5 hours, whether you're driving or flying. A week or two? Maybe 5-10 hours. Going to the store? 5-15 minutes. Physical distance doesn't matter at all, because it's abstracted away by the transportation technology. All we care about is cost (time and money), availability of destinations, and risk; and since distance doesn't matter, it really can't be risk per distance that we care about.

In practice, no mode of transportation anywhere near as risky per time or per trip as my Mars example is ever going to become mainstream. The point of it is to demonstrate how absurd risk per distance is as a way of getting at a practical and meaningful assessment of travel risk, and we have to go outside of existing mainstream transportation options to see that absurdity because all the existing options must be extremely low risk by any measure or they wouldn't exist. The majority of consumers won't tolerate 1 in 10, 1 in 100, or even 1 in 1000 odds of death per trip.


I think there are actually two modes of deciding this, and the two different calculations make sense for each mode.

Sometimes you need to be in a specific city - say, a work trip, or public event, or life event etc. Then, the question you want to ask is "which vehicle will take me there in the safest manner", and plane will likely win (assuming large distance).

Other times, you are deciding on a vacation destination. Here you often have a more-or-less fixed time budget, but a flexible destination, and the question can become "what is the safest trip I can take that will last between, say, 5-10h?" ( I could get to NY by plane, or to Vienna by train, or to the Golden Sands by car in roughly that time). In this case, trains and other mass transports besides planes may well win out in safety.


This assumes that people decide the destination before deciding the mode of transport. In my experience this isn't true, specifically with the 737 MAX. I had a 4-night trip booked with my family to Seattle from San Francisco on a 737 MAX and cancelled it when all that shit went down. Rather than driving that weekend to Seattle we drove to Yosemite because I wasn't going to drive 12 hours to Seattle. In terms of total travel time (time to drive to airport, check in, and fly) the travel time was about the same to Yosemite as to Seattle but the mileage was obviously much less.


People travel to places because it is tractable to get there in a reasonable amount of time.

In the 17th century, I would walk to my local knife sharpener. In the 21st century, I can take a train to Soho to visit a superior specialist.

Both trips take a few hours via two different modes of transport. The fact that one covers more distance is immaterial. They are comparable by the fact they can both be completed in an afternoon.

(Ironically, our modern era provides a third option: cycle to the local specialist. Cycling with a bag full of knives — even blunt ones — is way too risky.)


> In other words, if the odds are e.g. 1 in 10 that the trip will kill me, I don't give a shit how low the risk per mile is.

The average distance to Mars is about 225 million km, so that would be one accident about every 2,2 billion km or 0.45 deaths per km, which is a bit deadlier than buses and 9 times as deadly as planes. Gives some perspective on how safe planes actually are.


You might want to check your figures - 1 death/2.2e9 km is 4.5e-10 deaths per km. The 0.45/km figure is way out, for that to be the case there would need to be roughly 1.1 billion deaths per 2.2 billion km.


Yes, this was in deaths per billion km - sorry, should've specified.


This approach really only makes sense if you're traveling for fun. If you need to get to a particular place then risk per time is absolutely not the same as risk per trip, because the distance you need to travel is fixed.


If you need to go somewhere with a realistic choice between e.g. driving and flying (which seems quite rare), risk per distance is fine for choosing one or the other via risk per trip. But the implication of it being a realistic choice is that the travel times are comparable, meaning risk per time will also be comparable, and risk per time has the benefit of not producing absurd answers for edge cases like my Mars example.

Every new world-shrinking transportation innovation has changed the distribution of things in the world and increased the distance society expects us to travel on various kinds of "required" trips. That's because time and money are more important than distance in deciding whether a trip is worth it.


If you're taking a trip, you can reduce your likelihood of death by either choosing your transportation to and from the airports or choosing your airplane for the flight itself. Given how bad the crash rate of 737 MAX was, it would be prudent to focus on choice of airplane, rather than choice of ground transportation.

The correct comparison isn't "airplane vs. bus" it's "A320 instead of 737 MAX vs. bus instead of car".


> Measuring the risk of travel in terms of hours seems largely pointless, unless I'm missing something.

Again, it depends on what you're trying to measure. If you're trying to quantify the risk of dying by accident at a certain hour, what activity you are doing in that hour is highly relevant.

If you are trying to quantify the risk of dying by accident while going from A to B, then it's not (that) relevant.


> If you're trying to quantify the risk of dying by accident at a certain hour, what activity you are doing in that hour is highly relevant.

and this is an irrelevant measure, because by that logic, most people sleep for about 8hrs a day, so the chance they die in their sleep is high!?

You measure risk _only_ against what it rewards you. Otherwise, why take the risk at all? Therefore, measuring the risk of air-travel has to be accompanied by a comparison to bus-travel (or rail and/or boat), and measurement should be by distance travelled.


Other than that one time JetBlue ran a shuttle flight from one end of LA to the other for a publicity stunt, I don’t think this comparison makes sense. An hour bus ride isn’t a substitute for an hour plane ride.


He was responding to the claim that "you're more likely to die on your way to the airport".


Thank you. I thought it was self evident. I've amended my post to make it clearer.


Another way to think about it would be: you have (roughly) the same chance of dying in a 3 hour flight as in a 9 hour bus ride.


I don't think it makes any sense for a person engaging in one risky activity to feel obligated to engage in a second one.

Do you also think it's wrong if someone wants to eat a healthy dinner after having an unhealthy breakfast and lunch?


Only in America, where a car is often your only option to get to the airport.


I would absolutely love to see a log of food you've eaten over the past few weeks.


I may be in the minority, but I don't really crave Boeing 737 MAX rides...

The parent also wasn't arguing they always make wise choices, just that the grandparent's choice was unwise, which you haven't proved to be false.


Nutrition epidemiology is a largely failed endeavor, so there's not much to be learned from someone's diet unless they're eating lots of trans fats or refined sugar on a regular basis.


The average American is eating about 5 pounds of HFCS weekly, since fat in processed food has been replaced with corn syrup, which is subsidized by the US govt.

That is why nobody is fat in photos from the 1960's, but most people are obese in photos today.

Coincidentally, this affects air crew. The standard airman is supposed to weigh 170 pounds (next time you're at the airport, note how thin the pilots in uniform look.) If you weigh much more, you will be examined further before medical license issuance, including clinical sleep apnea testing.

In addition, some pilots have faced medical review (i.e. grounding) after drinking large caffeinated drinks (2L Coke or Mountain Dew, or a Slurpee) that caused cardiac events (erratic heartbeat, etc.) The FAA requires an explanation when a pilot stands down from a flight, so this is a serious matter - it's hard to prove why you were sick yesterday but ready to fly today.

So you can basically lose your career over a Red Bull if it makes you cancel a flight.

Source: commercially-rated airplane pilot.


> The average American is eating about 5 pounds of HFCS weekly

Wow, that's over 6000 kcals per week, or nearly half of the required energy intake for a person of average height and healthy weight.


It's wrong. Americans consume less than 1 pound per week per capita. Still a lot, but much less than claimed above.

https://www.statista.com/statistics/328893/per-capita-consum...


I can't see any calculations by which a typical diet over a few weeks is riskier than a 737 MAX. Have you built such a risk model?


If it was only over a few weeks probably not, but I’m pretty sure that your past few weeks diet is representative of your average diet during the last ten years, and that could be riskier than a 737 max flight.


You have completely changed the premise of the argument now. Yes lifestyle changes have a bigger effect than a single plane ride. This calculus changes immediately if you make 1000 plane rides on a MAX. A typical diet over a few weeks is definitely safer than a MAX ride.


It is a good argument because you can control other risks, like commuting or whatever.


Sure it’s a good argument. Just because you have a choice doesn’t mean you should always choose the lower risk option no matter what.

For example, you might have the choice between driving to work (1 in 1M chance of death) or take a bus (1 in 10M chance of death).

If you can save 1hr on your commute, then choosing the higher risk option makes sense.

Same thing if you need to take a flight and the option is fly on a 737 Max for an hour (no other flights available) or take a 5 hr train ride.


Yours is not a good argument. You can't assess this type of risk, let alone control it.

Even if you are an aeronautical engineer, you won't convince me that you can assess these risks, because teams of aeronautical engineers designed this plane and did it overall very safely like they did the planes that came before it, and I'd have no reason to believe your claims. None of them assessed this level of risk as risky, they were willing to fly in it, and the only thing that seems absurd is you thinking you know better.

There are flaws of varying severity in every large scale human endeavor, kinks get worked out, this one is stochastically late in the game.

In terms of controlling this risk, that is exactly what "we" are doing, that's what this article is about, removing an identified risk from this plane's design. There is no reason to think that the plane now has bad juu-juu, that's superstition.

Air travel is incredibly safe, this plane is too.


> Even if you are an aeronautical engineer, you won't convince me that you can assess these risks, because teams of aeronautical engineers designed this plane and did it overall very safely like they did the planes that came before it, and I'd have no reason to believe your claims.

That feels really really naive and an unfair judgement to make. I don't need to be an aeronautical engineer to know about other market forces at play, and a repeated lack of ownership of the issue by Boeing: incentive for Boeing to not go out of business, airlines to get a return on the airlines they bought, etc. They reek of dishonesty on this matter.

As a traveler I would absolutely bucket that airplane model into the "Something is fundamentally wrong" and distrust.


No, these crashes, as well as the decisions that led up to them are evidence that the design process of the aircraft was flawed. This increases the probability that there might be other design flaws in the aircraft that will surface once it re-enters service. That's not bad juu-juu, it's just proper Bayesian statistics.

Note that the problems aren't specific to the 737 MAX either; I know commercial / cargo pilots who were worried by the 787 design process and would have been terrified to fly the plane in its first several years. They believe it was simply good luck that the 787 didn't experience any bigger issue than battery problems. Likewise, many pilots are worried that the 777X could have potential safety problems and want to avoid flying it.


> because teams of aeronautical engineers designed this plane and did it overall very safely

346 people, who crashed, burned and died in two of those brand new planes within 6 months, and their relatives probably beg to differ.

The history of this plane and the facts that came out after those accidents do not sound like a "very safe" design process.

Read Dominic Gates' reporting (for which he got a Pulitzer) to inform yourself about some of the nastier aspects of the design of this plane.


> has big design flaws and a relatively bad safety record

understatement...


Yeah 2 out of 387 hull losses over 2 years is a pretty awful record. I will stick to not 737 MAX thanks.


Airliners agree with you and are changing the name of the aircraft to get away from the bad reputation this plane has.

With the airline industry going through an unprecedented recession I don't think we will see a lot of new 737s being delivered thankfully.


Nobody has changed the name of the aircraft. The 8200 that Ryanair is to be flying is the 737-8 MAX 200 that Ryanair wanted.


My understanding is that the crashes were due to properly functioning (but awkward and confusing) MCAS systems. I have to imagine that any pilot flying a 737 MAX is going to have a very solid understanding of how that system works and how to tell if it's malfunctioning and avoid the same situation.

Also, it was 2 crashes in 500,000 flights. It seems a little misleading to just compare it to hull losses.


> properly functioning (but awkward and confusing) MCAS systems

It had almost unlimited pitch authority, used only one (potentially faulty) AOA indicator to decide to activate, and could activate repeatedly unless purposefully deactivated. Even the way in which it was certified was extremely suspect. I'm curious as to how you think that is "properly functioning". Its initial implementation was straight up dangerous, as should be plainly obvious by the 346 deaths it caused. (https://www.seattletimes.com/business/boeing-aerospace/faile...)

In the cases of the Ethiopian crash, they _were_ aware of the "proper" procedure to deactivate the MCAS:

> But on the Ethiopian Airlines flight, the pilots appear to have recognized the errant MCAS problem and flipped the cutoff switches as described in the checklist. But then it appears that the pilots were unable to move the manual wheel, likely because the forces on the tail made it physically challenging to turn.

> The bottom of Boeing’s runaway stabilizer checklist seems to acknowledge the possibility of this physically challenging scenario. It suggests that the pilots can first use the electric trim to neutralize those potential forces before hitting the cutout switches.

> After failing to manually control the stabilizer, the Ethiopian Airlines pilots appear to have flipped the cutoff switches back on, which awakened the MCAS system. It soon sent the plane diving to Earth.

(https://www.seattletimes.com/business/boeing-aerospace/boein...)

They let their airspeed get too high, so they were unable to manually trim because of the physical forces involved. But making this mistake during this phase of flight is somewhat understandable, as they encountered the problem just one minute after takeoff (which is a pretty critical / task heavy phase of flight) and were still very close to the ground. Chesley Sullenberger (the guy who ditched into the Hudson) commented that "Even knowing what was going to happen, I could see how crews would have run out of time and altitude before they could have solved the problems." (https://www.bloomberg.com/news/articles/2019-06-20/fight-for...)

> Also, it was 2 crashes in 500,000 flights. It seems a little misleading to just compare it to hull losses.

If we're talking about the relative safety of different aircraft, no it's not. Compared to, say, the Airbus A320neo (which has had 0 hull losses over ~1300 aircraft over 10 years), it's terrible. It's a far less safe plane.


Nitpicking: the A320NEO first test flight was in September 2014, and the first commercial delivery was in 2016, so it has not been flying for 10 years.

About the 737 MAX: I calculated a while ago that it is, or rather was, about two orders of magnitude less safe than other airliners. Terrible indeed.


The EA pilots were given an Emergency Airworthiness Directive which gave a two step process for recovering from MCAS malfunction:

1. use the electric trim switches to drive the trim to normal

2. cut off the trim system with the console cutoff switches.

That's it. As simple as that. And it is NOT what the EA pilots did (they cut off the trim first).

Here are the exact directions:

"Initially, higher control forces may be needed to overcome any stabilizer nose down trim already applied. Electric stabilizer trim can be used to neutralize control column pitch forces before moving the STAB TRIM CUTOUT switches to CUTOUT. Manual stabilizer trim can be used before and after the STAB TRIM CUTOUT switches are moved to CUTOUT."

https://theaircurrent.com/wp-content/uploads/2018/11/B737-MA...

Why they didn't read, remember, or follow the EAD instructions is anybody's guess, as I've never heard of any investigation into that aspect.


Thanks for giving the link to the document. Looking at the context, the sentence you quoted is more a built-in disclaimer than a procedure that the pilots were supposed to learn to apply in only a few seconds they would have before the airplane crashes to the ground for overriding pilot close to the ground.

After all the changes, it's at the end, and uses the weaseling "may be needed" and "can be used". We saw that not doing a very specific sequence in a few seconds makes the plane non-steerable.

Edit: Answering: "The LA pilots worked the problem for 5 minutes, the EA 2 minutes. Quite a bit more than seconds." They "worked the problem" during that time by actively attempting to prevent the plane from crashing. It's surely not that they simply had that much time to think about what to do next. Also, during most of that time of "minutes", if I remember correctly, the plane was most of the time actively turning to the ground, overriding their attempts to force it to fly in the safe direction and doing that repeatedly. I really don't see that for these two accidents it can be said that it was "a pilot error" and I don't see any institution claiming that publicly anymore, even if some would really, really like to be able to do that and would immediately do so, if it were possible. "Two simple steps"? Well "may be needed" and "can be used" is surely not even "after X happens do P and then do Q, if not exactly done in that sequence and at that point, the plane will surely crash." Nobody had the training to fight against the program that every time they straightened the plane up turned it back to the ground, making the manual trim impossible to be applied.


The LA pilots worked the problem for 5 minutes, the EA 2 minutes. Quite a bit more than seconds.

Frankly, I'm baffled by the EA pilots. If I was a MAX pilot, and I received an EMERGENCY AIRWORTHINESS DIRECTIVE about how to not crash like LA pilots, it's my job to read, understand, and remember those instructions. And not just my job, it'd save my own life, too. It's not like it's complicated, either. Two simple steps.

After all, what would you do?


A crash is not due to one cause. Multiple things have to fail for this to be a problem. Blaming pilots is way too simplistic. The design of those warnings was highly confusing and overwhelming. Saying "oh, just have better pilots" is NOT good enough. It should be as per the Swiss cheese theory where multiple things should fail before there's a problem. Further, not hide things like MCAS, downplay the need for additional training, refuse additional training when requested, change MCAS without notifying FAA, pressure people into being quick over safe, design MCAS to rely on a sensor, have a critical system (MCAS) rely on one sensor despite this not being allowed (critical systems MUST have multiple sensor inputs), etc.

But yeah, it was the pilots not reading a message.

Looking back, MCAS was not a good idea. But whatever led up to MCAS might have given the 737 MAX also some other bad changes. At the moment we don't know, maybe in future it'll be "obviously aside from MCAS the 737 MAX should also have a fix for X".


> it was the pilots not reading a message.

It was that the message (see the whole, the link was quoted) definitely wasn't clear. It has multiple weasel words and it is far from a clear and actionable sequence checklist for the exact condition in which two planes were put due to the MCAS. Only with the hindsight of knowing how two accidents developed and the independent pilots trying to reconstruct on the simulators these events it can be claimed that that formulation described something usable. Just with the pilots "reading it" at that time and even having it in front of them at the moment of the accident, without any special training for that situation (where the plane multiple times "undoes" the actions of the pilot, orienting the plane toward ground as the plane is still flying low) it's still improbable that the accident wouldn't happen.

Note: It's Boeing who insisted that the training for MCAS is not needed.


It's written in airplane jargon, of course, but it's plenty clear.

> It's Boeing who insisted that the training for MCAS is not needed.

It's not completely unreasonable to expect the pilots to be able to handle runaway trim, especially given an EMERGENCY AIRWORTHINESS DIRECTIVE reiterating how to do it. Runaway trim is a critical problem, which is why the electric trim switches are there as well as the cutoff switches, all in easy reach. Dealing with this is supposed to be a "memory item", meaning something the pilots must know.

But clearly in hindsight, dealing with runaway trim must be specifically and better trained for.

> special training

The thing about runaway trim is it turns on when it's not supposed to. That's why the electric trim overrides are there and the cutoff switches. Those are there for all Boeing jets since electric trim was installed going back to at least 1960 and probably much earlier.

When I worked on the stabilizer trim system on the 757, I worked mostly on the gearbox, but was peripherally involved with the electrical system for it. The cutoff switches were there for "when demons possess the control system and try to drive you into the ground."


> The cutoff switches were there for "when demons possess the control system and try to drive you into the ground."

For the second crash it wasn't about "hit the switch" at any moment you will when you notice the problem. It was: "unless you are lucky to hit the switch in a very special moment, you won't be able to regain the control of the plane at all." Not in the message, not trained, and even some pilots learned that only later in the reconstruction of the crash on the simulator.


The EAD was quite clear. Trim back to normal with the electric trim switches, then shut off the trim.

There is nothing confusing about that. There is no "very special moment". There is no "you won't be able to regain control at all".

The proof of what I say is in the first LA incident (the one that didn't crash). The pilots trimmed back to normal a couple times with the electric trim switches, then hit the cutoff switches, and landed safely without incident.

In the second LA incident, they trimmed back to normal 25 times, never thought to cut off the trim system, and crashed on the 26th time.


> The EAD was quite clear. Trim back to normal with the electric trim switches, then shut off the trim.

I don't see that wording anywhere in EAD. Only the quoted weasel worded sentence. It's your interpretation post-crashes and their analysis that they were supposed to do exactly that in exactly that order. Or do you have some other quote? The mental model the pilots were trained to was "if the electric doesn't work, switch it off, trim manually." The MCAS changed that to: 1) electric will work, but MCAS "invisible ghost" will pause to confuse you that the controls work and only then undo whatever you managed to do. 2) There's only one position in which turning off the switch was safe, under their circumstances -- switching to manual trim outside of the "normal" was a practical death sentence, also nowhere written.

So, as far as I see, not only your "clear" sequence was nowhere written that clear, the mental model that the pilots had to have changed completely, but without training, and the safe procedure to escape was figured out only after looking at the logs of two crashes.

That it is "clear" to somebody sitting in the armchair with the crash logs and having all the time in the world to think about it after all that happened doesn't mean that those who survived had such clearness, just that they had luck.


Um, I worked on the 757 stab trim design for 3 years. I'm not an armchair quarterback here. An EAD is not a document where you look for loopholes, parse linguistics, and debate angels dancing on pinheads. Take the straightforward meaning, add it to the information a pilot already knows, and it makes perfect sense.

P.S. your version of what the words mean is solely your invention. I've shown this text to many people, and none have come close to your creative version. This includes pilots.


> A crash is not due to one cause. Multiple things have to fail for this to be a problem.

You're entirely correct.

> Blaming pilots is way too simplistic.

Also correct, but in my opinion the pilots were one of the multiple causes of the accidents, based on the published accounts of their actions. Ignoring Emergency Airworthiness Directives is inexcusable. Ignoring EADs is a problem that should be dealt with as part of the corrective actions required by the FAA.

Recall that immediately prior to the LA crash, the previous flight crew on the same airplane had the same problem, dealt with it, and landed safely. (That was also before the EAD was issued.)

Let me put it another way - would you want to get on an airplane with a crew that didn't pay attention to Emergency Airworthiness Directives? I wouldn't.

And yes, Boeing must fix the MCAS system. I'm not excusing Boeing's role in the accidents.


https://www.youtube.com/watch?v=_T5xhHzZjPQ

https://www.youtube.com/watch?v=a5P8CkVckmA

These are some links to YouTube sims of the two events. It seems that the Lion Air pilot at least, who of course did not know about the top secret MCAS system, was trying to fight MCAS directly with electric trim and at first was successful, but for some reason did not hit the cutout switches after getting back to level flight. So the Lion Air pilot used electric trim correctly but failed to use the cutoff switches, and the Ethiopian pilot used the cutoff switches correctly but failed to use the electric trim long enough. Maybe the Ethiopian pilots were aware of the Lion Air flight fighting MCAS with electric trim and losing and just went directly to the runaway trim stab procedure too soon. For whatever reason both flights were also going too fast and made no attempt to slow airspeed.


My understanding is the EA crew had also initially successfully restored trim with the electric trim switches.

The LA flight prior to the LA crash flight did restore trim with the electric switches and then cut it off, and landed safely.


https://aviation.stackexchange.com/questions/61203/what-is-t...

That article I think summarizes the state of the pilot error arguments back when people were still discussing this online. Two methods of disabling an out of control MCAS were mentioned but only one would actually work with a faulty AoA sensor: lowering the flaps. I wonder why Boeing did not mention just lowering the flaps to disable MCAS in an emergency situation. Could that also have saved the flights?

This is actually the first I've heard anyone mention the simple method of using the electric trim to fight MCAS until reaching a neutral trim and only then hitting CUTOFF, but would this still work if you were already at max trim and heading nose down toward the water? This method seems to depend on the electric trim being fast enough to fight MCAS to a neutral or near neutral trim even from a maxed trim stab position. Is it fast enough to do that?

https://www.reuters.com/article/us-ethiopia-airplane-procedu...

>“It appears the flight crew reactivated electric trim,” former Boeing engineer Peter Lemme said. “But they only made a very small nose up adjustment - I would have expected them to immediately and without stopping move the stabilizer back into trim. The last MCAS command comes 5 seconds after their last manual trim command.”

This does appear very strange to me. Why let go of the electric trim before getting to neutral or even a bit nose up? Did they think the trim could only be used in small increments or something? Were they so focused on the mystery of what was causing the trim adjustments that they didn't think to just jam down the electric trim switch until trim neutralized?

https://projects.seattletimes.com/2019/boeing-737-max-12-pro...

Here is another good article that summarizes what happened. Seems to me that there are essentially 3 ways the flights could have been saved although I'm less sure about your method of just electric trimming to neutral and then hitting CUTOFF because the electric trim adjustment would have to be fast enough to overcome the MCAS counter-adjustments. Surely electric trim would not have been designed for such a race.

And also that seems like such an obvious thing to do even if you haven't read the airworthiness directive you cite. Something is messing with the trim. There is a button that adjusts trim ffs. Why not try to just hold it down? Even a child might think of that simple solution. But these pilots didn't? Some of them were even experienced.

The other two methods are lowering the flaps which seems to have worked well for them even if it was by accident or slowing down the plane and then hitting the CUTOFF switches and hoping you can spin the trim wheels fast enough. Probably the Ethiopian pilots were unaware of the airworthiness directive and reverted back to the standard runaway trim procedure without realizing their high speed would make the wheels more or less impossible to turn. I am not a pilot so I am not clear on how easy it is to slow down a plane that is already in the nose down position. Gravity is a harsh mistress.


> This is actually the first I've heard anyone mention the simple method of using the electric trim to fight MCAS until reaching a neutral trim and only then hitting CUTOFF, but would this still work if you were already at max trim and heading nose down toward the water?

Yes, and it did indeed work. The pilots, though, did not cut off the stab trim.

> This method seems to depend on the electric trim being fast enough to fight MCAS to a neutral or near neutral trim even from a maxed trim stab position. Is it fast enough to do that?

Yes, and it doesn't "fight" MCAS. It overrides it electrically in hardware (not software).

> I'm less sure about your method of just electric trimming to neutral and then hitting CUTOFF because the electric trim adjustment would have to be fast enough to overcome the MCAS counter-adjustments. Surely electric trim would not have been designed for such a race.

I'm sure about it. The electric trim moves just as fast as the MCAS would, because the trim is electrically ON or OFF. There's no speed control on it. It's not a race, either. The electric trim switches are between the MCAS and the motors, they override it.

Furthermore, in the LA flight before the LA crash flight, the same problem happened. The pilots restored trim and hit the cutoff switches, and landed safely. The mystery to me was why that airplane was allowed to take off again before being repaired.

> And also that seems like such an obvious thing to do even if you haven't read the airworthiness directive you cite. Something is messing with the trim. There is a button that adjusts trim ffs. Why not try to just hold it down? Even a child might think of that simple solution. But these pilots didn't? Some of them were even experienced.

Exactly, and that's what the pilots did in the first non-crashing incident.

> Probably the Ethiopian pilots were unaware of the airworthiness directive

Yup, and that was a contributing factor to the crash.


Hull losses is a reasonable way to reason about relative risk of dying from spending your time on the plane. E.g. if you lived on one of the aircraft, you would have had a ~0.5% chance of dying during that time period. That's pretty terrible.


Assuming the average flight is 1 hour long, that’s a 0.5% chance of dying in 28.5 years of flight time. 0.995^138 is approximately 50%, so the expected amount of time you’d need to spend onboard to have even odds chance of dying due to hull loss is about 4000 years.

There are a lot of factors this analysis doesn’t take into account, particularly the difference in airframe fault rate over time: A new plane will have different reliability figures than a 4000-year old one.


If we are talking about flights and not hulls, then you should include every incident report by every pilot on any issues - it wasn't only times MCAS acted up.


I think the difference is that this is a (potentially) higher level of risk for a generic product. You can avoid it by simply avoiding the plane, which will be trivial for some consumers.


Can anyone locate statistics on the total numbers of passengers, or passenger-miles that have happened on a 737 MAX? It would make it possible to run a bunch of estimated risk calculations instead of taking a handwavy intuition-based approach.


You will have to quantify your argument


Given the amount of additional scrutiny these models are getting I wouldn’t be surprised if in the long run of their lifetime they have a better safety record.


Do we know, or is there a reason to believe, that the FAA checked anything else than the MCAS and the systems related to the crashes? The MAX probably has many differences because it is larger, so all the new stuff should be put under the microscope since you can't trust the previous tests, measurements or decisions. Boeing guys were proud of how they mind-tricked the FAA guys, so the FAA should now re-review everything; then you can be 100% sure this airplane was scrutinized.

If this already happened and I missed it, please link me to it.


> Do we know, or is there a reason to believe, that the FAA checked anything else than the MCAS and the systems related to the crashes?

Yes. The FAA's proposal also involves physically re-routing some cables, which is (as far as I can tell) completely non-MCAS-related.


That seems to be related to a rule that FAA added after some other incident but the MAX was not forced to follow this new rule, it is not an issue that was discovered when scrutinizing the MAX.


What I have read indicated that it was a violation that was missed:

> During the original design and certification of Boeing’s 737 MAX, company engineers didn’t notice that the electrical wiring doesn’t meet federal aviation regulations for safe wire separation. And the Federal Aviation Administration (FAA) failed to detect Boeing’s miss.

https://www.seattletimes.com/business/boeing-aerospace/faa-f...

Boeing did try making the argument that since their 737-NG planes were produced prior to that rule, and they're safe, that the MAX shouldn't either. But it was part of the regulations when the MAX was designed.


The European equivalent of the FAA, the EASA, are double-checking all of the FAA's working here.

The FAA are highly motivated to get everything correct this time in order to repair their reputation (which was tarnished by their original MAX approval). It would be highly embarrassing for them if the EASA find anything the FAA missed.


I think the FAA's reputation was more tarnished during the grounding than by the original approval; their failure to investigate thoroughly after the first crash, delaying the grounding for two days, and doing it only after many other regulators did and put pressure on them, was really damaging.

Similarly Boeing actively blaming pilot error after the first crash and ignoring reports from the field is the real issue to me rather than poor design itself.

Every new version of any commercial aircraft is a long line of decisions cutting corners. The 737's airframe was designed in the 1960s for smaller, older engines, requiring the newer, larger engines to be placed in the more complex higher position; maintaining the airframe was cheaper than building a brand new model. Keeping the same performance made training/type certification cheaper etc. for airlines. For the most part such decisions do work; developing brand new airplane models is extremely risky financially.

It is plausible that the risks were not understood well during design and development, but their failure to act after the first crash is criminal negligence to me and they deserve all they are getting.


There's every reason to believe EASA are being strong armed by U.S. State Department. This is an administration that thoroughly believes in bribery, extortion, and retribution. I have no more confidence in EASA than FAA.

Curious the FAA comes out with their position before any final crash reports by either country. NTSB usually also reports on accidents involving U.S. made aircraft, and that too isn't released yet.


The EASA made some noises about requiring 3 AoA sensors (which all Airbus aircraft have) as opposed to the MAX's current 2 (most newer Boeing aircraft also have 3). There was also some talk about replacing the 3rd hardware AoA sensor with a virtual sensor (maybe an infrared horizon sensor based AoA indicator, which would be much easier to add to the aircraft).


I found the article I read about the 3rd AoA sensor.

https://www.seattletimes.com/business/boeing-aerospace/europ...


I've been wondering about that, too. By the time they're allowed to fly, these might be the most heavily vetted and tested airliners in history.


Or the only airliner properly vetted


This has happened with other planes before, like the DC-10.


They didn’t try to fix the DC-10’s design problem (outward-opening doors causing explosive decompression) with a software fix. Also, the aircraft never regained the trust of the flying public, relegating it to freighter duty. That doesn’t seem like a desirable outcome for Boeing or the MAX’s buyers.


For sure, the horses have already left the barn as far as reputation is concerned. But even freighter duty is infinitely better than what they currently are -- over-sized paperweights.

Although I'm sure low-cost carriers or developing nations will gladly fly them at the right price.


It may have turned out differently if the pandemic had not happened.

The way the international market is today, the 737 MAX is probably making more money now on the tarmac for the airlines than their other aircraft. Boeing is going to be forced to pay the airlines for this grounding, pandemic or not.

Global travel is also going to be weak for the next few years. Even if a vaccine becomes available in the next few months, the economy will take a lot longer to recover, and it will be a while before the current capacity, even without the MAX, is used, not to mention all the new orders being delivered.

Of course it will depend on each airline, their financial health, leasing agreements and demand, and of course Boeing settlement terms, etc.


Or the De Havilland Comet ... arguably killed off the nascent UK jet aviation sector until we joined Airbus.


There was the BAC One-Eleven, which BAC sold a modest number of.


It would depend on the airline. Southwest Airlines, definitely. Some third world airline where their pilots come through pilot mills and take the controls at less than 500 hours? No way. But that is true with any airplane, not just the Max. Statistically Southwest Airlines should have had a crash, yet it was Ethiopian and Lion Air that did. Given the maintenance and pilots history of Lion Air, a crash wasn’t unexpected. Is it a coincidence that no European, American, or Canadian 737s crashed despite flying an order of magnitude more flights in the airplane? There was a recent report that said that a large number (hundreds) of Pakistani airline pilots didn’t have legitimate licenses. That kind of thing is more scary than the 737 Max.

The copilot on the Ethiopian airlines crash had just 200 hours of experience. On a US airline, the minimum is 1500 hours. The cause of the malfunction is certainly worthy of discussion, but both the Lion Air and Ethiopian crashes could have been prevented with better pilot actions.

https://www.washingtonpost.com/business/2019/03/21/ethiopian...

https://www.wsj.com/articles/maintenance-lapse-identified-as...

Talking to actual pilots that operate internationally and it’s pretty clear that there are some scary operations going on.

Southwest Airlines requires at least 1000 hours of turbine time as a minimum, along with an ATP rating. At Ethiopian, you could get hired with zero hours of turbine time. That’s the real scandal that these airlines put kids in the right seat of a big airliner with less experience than required to get your single engine commercial license in the US.


Southwest and other airlines got lucky.

Lion Air pilots were aware of the issue, and did follow the checklist; however, their airspeed was too fast and the physical resistance when the cutoff switch was triggered was too high, so they were forced to switch it back on, and MCAS kicked back in and they didn't have time. I am not sure Southwest's pilots or anyone not trained in this specific scenario could have done much better.

Sullenberger, the pilot who landed on the Hudson, pretty much said the same thing in his testimony after spending time on the simulators with this scenario. It is easy for crews to run out of time solving this issue; the U.S. simulator training did not include the scenario, and in the real world it is just as likely for a U.S. pilot to have crashed.


> Lion Air and Ethiopian crashes could have been prevented with better pilot actions.

Boeing tried to say it was the pilots for a long time. I don't want to fly on a plane whereby you need to be an exceptional pilot to not crash the plane.

Further, Lion Air requested additional pilot training. Boeing mocked them for it: https://fortune.com/2020/01/14/boeing-lion-air-extra-737-max...

2 planes crashed really quickly after they were new.

> it’s pretty clear that there are some scary operations going on.

Two really new planes crashing is only due to pilot error?


Lion Air's request for additional training was eminently worthy of mockery from what I could tell - it would've been a lot of hassle, and so brief and cursory to be basically useless if their pilots already knew how to fly a standard 733 and completely inadequate if they didn't.


Ethiopian is one of the safest airlines in the world, far more so than some tinpot US airline backed by the FAA which covered up Boeing flaws for commercial purposes and still refused to ground the max until every other country had.


As a pilot, I intend never to fly on a 737 Max.

The only thing that might change my mind is putting the plane on its own type certificate solely for this plane.


>Something tells me airlines are going to be making it even more difficult to determine which aircraft you'll be flying on when you book a ticket.

Something tells me their competitors (who aren't flying 737 Max) are going to advertise that they don't and the ones who are refusing to tell you what plane you're flying on are going to lose a ton of business.

Delta is already a dominant player, making a move like you've stated will just cement their position.


> Delta is already a dominant player

Slightly off-topic, but...

They get additional bonus points from me for stringent enforcement of mask wearing policy.

If you don't wear a mask you don't board the plane. If you take it off during taxiing or during the flight and refuse to wear it they kick you off the plane and ban you from flying with them.

If I had to fly any US carrier, I would choose them whenever possible.

Edited to add: They kick you off while still on the ground.


> Edited to add: They kick you off while still on the ground.

This clarification brought a smile to my face.


The DC10 had a phenomenal safety record after the initial crashes. There is a tremendous amount of incentive to ensure the MAX doesn't crash within the first 5 years after being recertified. I would definitely take a MAX when it becomes available again.


It will take a phenomenal safety record to call the MAX safe. But we are still on day 0 of that record.


Didn’t an email leak with Boeing employees basically saying the exact same thing? “I’d never let my family fly on one” or something?


Looks like it: https://www.businessinsider.com/boeing-employees-wouldnt-let...

> 8 months before the first 737 Max crash, 2 Boeing employees talked about how they wouldn't let their families fly on the plane


There is a funny anecdote, likely apocryphal, but still worth retelling because of the implied wisdom:

When talking about the soon to be released Chinese passenger jet one of the principals of the company was overheard saying that he would never allow his family to board one of these aircraft, that's how bad they were.

Some party bigwig overheard this and addressed the man: "I know 100% certain that this is going to be one of the best aircraft ever made in China. Because you and all your extended family will be on board the maiden flight."


Hmmmm.

"This had better be the best thing ever, because since I heard that you expressed technical reservations you may be powerless to do anything about, and I have power over you, out of spite I'm going to put your entire family on a plane against your wishes, possibly regardless of your realistic capability to influence the outcome."

There is no implied wisdom there besides "best not be the family of a principal in China who made the mistake of being too open with his opinion in front of the wrong people"; even if you were going for the old adage of the Greek architects and bridge builders being expected to "stand beneath their bridges" with their family when they were tested.

You really lose the evocative power when you insert an authoritarian power with demonstrable disregard for human life into the equation. You lose the message in the quagmire of unsavory politics with a Western audience. Furthermore, you run the risk of unintended wisdom extraction, such as that sometimes, no matter how hard you want something to be good, you just can't marshal the people/knowledge/manpower to get it done well with what you have, within the time slotted. The capacity to recognize when this is the case is the entire reason for existence of the field of engineering in the first place, yet is also one of the least appreciated or safe aspects to actually express when you start making the outcome of an engineering project a matter of political import. Other unintended nuggets of wisdom retractable from that parable include "keep your mouth in check around high-ranking Party members/Politburo/Das Kommisar."

Sometimes it's better to just be direct about it. My two cents anyway. Again though, I've been around enough tainted engineering projects to recognize the perversity in the gesture. If I were that Party member, I'd be pushing my principal on why they felt that way and what problems needed to be overcome without resorting to abusing my position to instill fear. After all, I would have no interest in losing my best and brightest, if the real problem was subcontractors not meeting QC targets, and no one being willing to call it out or escalate, which is all that happens when you start throwing weight around as originally expressed.


What it does, however, is realign the incentives of the C*O from meeting target deadlines to meeting target safety, especially in a culture where people are too afraid to speak up about their concerns.


The interesting thing is that this didn't have anything to do with the quality of the plane at all - they were working on the simulator, and their messages were about how they wouldn't trust their family on planes trained using that simulator. As far as I know, the simulator in question was never used since the whole point of the whole mess was to ensure pilots trained on the existing 737 were allowed to fly the Max without any extra simulator training.


Actually, the entire point was to not release an accurate simulator, because to do so would invalidate the original marketing assertion that MAX was substantially different to fly, and would provide a trivially accessible platform from which to discover the flaws of MAX's implementation.

Largely the same as your point, but takes into account that Boeing's success was being predicated on no one looking at the MAX too hard for too long.


I would imagine with a company of the size of Boeing you could find a larger group of folks that wouldn't allow their families to fly in any airplane.


Sure but there’s a big difference between not wanting someone in your family to have surgery and not wanting them to go to a specific surgeon.


What would you imagine the percentage is at companies whose primary business is producing airplanes?


I think he means we simply never heard about the employees that said the same thing about other planes because they didn't crash. These were highlighted after the fact.


I wouldn't either and none of my friends & family would. In fact, I don't see how they can even take the chance of flying this plane without a complete structural redesign. Another crash and they are finished for good. This spells doom for Boeing.

If some airlines tried to hide or change the type of aircraft you have booked, then you can be sure there will be others that won't (and make it a selling point).


Boeing owns enough of the US legislature through bribery or in-district employment to never, ever, ever have to worry about bankruptcy or any other adverse market impact.

Will they be allowed to teeter on the edge of insolvency? Sure. Fall over? Not when taxpayer money is free and infinite.


It may not be straightforward bankruptcy.

A new buyer could take them private as part of bankruptcy to reduce the liabilities because of current company, while retaining the employees keeping government happy, or they could be broken up into different companies, defence division could split / bought by another defence contractor perhaps, there are many options in these conditions which does not immediately impact politician concerns.


Simple, people will just choose airlines that don't have too many max aircraft


Even the non-MAX 737s have had issues recently.

https://www.usatoday.com/story/travel/airline-news/2020/07/2...


Planes don't typically sit on the ground for several months without being used so this is a little more forgivable.


I disagree, plane being out of service for a while should be a tested risk factor and is entirely within the realm of possibility pre-COVID.


I agree, but I'm still going to avoid flying for awhile! (And I was up to 21 flights by March.)


The MAX is also known as the 737-8200. Now that the product recognition is working against it, I think we will see the forgettable name a lot more.

At least in the US you can typically cancel a flight for free within the first 24 hours if it is booked more than seven days out, if that helps.

You are right that the airline can change the type of plane like that but it is uncommon. A much more common way to end up on a different type of plane than was booked is weather cancellation. (Personally, I don't like most of the regional jets, but by the end of the day of waiting for a 1 hour flight, I'll take anything.)


The 737-8200 is the 737-8 MAX 200 that Ryanair requested before all of this happened. It's a special ultra high capacity 737 MAX 8 with two more overwing exits and some knee-unfriendly seat pitch.


> would anyone choose to book a trip on one of these new Boeing aircraft rather than anything else?

To me getting to/from the airplane (any model) is usually of significantly more concern[0] than flying itself, so the only reason I would actively choose a specific airplane is if I get to fly in a new or interesting model. So there, you have a definite yes from me.

[0] Traffic accidents, possibility of losing possessions, issues at immigration, untrustworthy taxi drivers, etc.


> would anyone choose to book a trip on one of these new Boeing aircraft rather than anything else?

I would - and I'm a former Boeing flight controls engineer, so my opinion is not limited to whatever I read from journalists who get about 75% of things wrong whenever they write about aviation.


> Given the option, would anyone choose to book a trip on one of these new Boeing aircraft rather than anything else? I know I wouldn't, my family wouldn't, and none of the friends or co-workers I've discussed this with would.

You wouldn't, but the thing is - you don't get the option.

Your airline won't tell you which plane you'll be flying until boarding time. You then have the option of cancelling your flight without a refund, or flying.


Most airlines only use one manufacturer for this size class; it’ll be 737-XXXs, or a32Xs, but rarely both. So just choose an appropriate airline. Not always an option, of course, but on the biggest routes it generally is.


Many airlines use both Airbus and Boeing within the same size class. American, United, and Delta all operate both 737s and A320-class planes.


JetBlue is only A320/321.


If flying long haul with a big carrier, Expert Flyer is pretty accurate, barring a late substitution if there's a fault with the original plane.


Watch them rename it the Boeing American Patriot


It depends on who’s flying it. No argument the aircraft design was faulty and Boeing is fully responsible for that, and even worse covering it up. However Lion Air pretty regularly crashes non-MAX 737s and the first officer on Ethiopian was extremely inexperienced and wouldn’t have been let anywhere near the front of a commercial airliner in the US. Your choice of airline will have a much bigger impact on risk than your choice of aircraft.


Your 'However' surreptitiously implies that there are mitigating factors that _diminish_ Boeing's murderous lack of duty of care.

This is factually incorrect for Ethiopian Airlines Flight 302, where 157 people died.

Ethiopian Airlines Flight 302 was extensively analysed and no pilot fault was found (irrespective of a junior 1st officer). [0]

That crew absolutely did their job and died trying to save 157 souls. I appreciate that it was probably not your intention but you should take stock and think about this before (even if subconsciously) 'However'ing Boeing.

[0] https://en.wikipedia.org/wiki/Ethiopian_Airlines_Flight_302#...


I would. I get it that Boeing messed up the first time, but this was always a failure that was preventable with proper pilot instruction and awareness. Even if they didn't fix the software I couldn't imagine a 737MAX pilot not being aware of this.

People still drive Teslas using autopilot and they drive head on into barriers on the highway or under trailers and decapitate people.


This is a failure because Boeing cut corners through their design process because they prioritized the following over safety: 1) Bringing it into the market as soon as possible so they had an answer for the neo 2) Ensuring that it flew similar to other 737s so that airlines would pick them instead of the Airbus due to not requiring pilot training.

The MCAS/AoA issue is the most easily manifested issue that led to 2 crashes. There’s almost certainly other issues that may also exist with this plane that we don’t know about yet because they’re slightly less likely than the MCAS issue. And it’s possible that some of those other issues may also lead to fatalities.

The fundamental problem with the 737Max wasn’t the MCAS or the AOA sensors but the design process which greatly devalued safety. I’m not sure how possible it is to make up for that with after the fact testing.


> preventable with proper pilot instruction and awareness

More pilot training? The training that was sold to everyone not to be needed? https://fortune.com/2020/01/14/boeing-lion-air-extra-737-max...

It's not the crazy rush to have a new airplane asap? Plus avoiding scrutiny by hiding what MCAS did? Plus hiding scrutiny by having it rely on only one sensor? Plus not assessing MCAS as a new critical system, meaning it should have 2 or 3 sensors as input, plus a new type rating? It wasn't all of that and more.. just some pilot instruction and awareness?


You have more confidence in the plane than the people who designed and built it.

https://www.nytimes.com/2020/01/09/business/boeing-737-messa...


While Boeing totally screwed the pooch on this one, and I won't be choosing to fly on one if I can, the public having more confidence in a system than its creators/domain experts isn't exactly uncommon. Would you trust your medical record privacy to Windows XP running AVG?


To my knowledge, we don't actually know that. None of the emails I've seen refer to anyone's title or name. For all I know it's a janitor who heard rumors around a water cooler.


That's a ridiculous statement. The "Would you put your family on a MAX simulator trained aircraft?" quote comes from page 103 of this PDF [1] and is in the context of a technical discussion of the aircraft's design by people who clearly understand the internals.

[1] https://int.nyt.com/data/documenthelper/6653-internal-boeing...


That's bullshit. The MAX aircraft are not the same as the earlier 737 line. These should be completely certified as new aircraft, and my guess is they would fail real certification. The required "design changes" are nothing. Not only would I not want to fly on one of the MAX aircraft, I wouldn't want to live underneath a procedure - departure, airway, approach - used by a MAX.

Go for it. Let them fly. 'Boeing has built so many, we can't let them fail!' Uh huh. Political Sunk Cost.


Add to this the meta-problem this creates. Right now, there's trust in the industry to not cut corners which is one of the reasons so many choose to fly. If that trust erodes (even slightly) it is difficult to gauge what the impact would be. I remember an AA exec saying they make their profit on the last 4/5 people per flight. Combo of thin margins, high gearing and the industry is exposed to even small shocks in demand.


I heard the rules are written in blood. My gut feeling tells me you’re right, my rational thoughts as well, but it’s not written in blood I guess.


They need to implement triple redundant AOA indicators. It's obscene that these failure modes are even possible much less approved. Knowing there is a disagreement just lets you know you are close to being fucked.


Triple is not needed, just double with a redundant "disagree" alarm.

Once the pilot knows there's one bad AOA, they can lock out the bad one as an input to the autopilot/MCAS, or hand fly without automation. Of course this is all a bunch of new software and training though.


> they can lock out the bad one as an input to the MCAS

The 737 MAX didn't support that as delivered.

Even with the warning (which some US airlines paid for), you couldn't "lock out the bad one" even assuming you knew which one that was (you don't). All you could do is disable the electronic horizontal stabilizer completely, so that MCAS couldn't command it into a dangerous and unrecoverable state.

MCAS has been fixed, in the sense that it won't command continuously bad trim inputs until the aircraft is unrecoverable when bad AOA data is provided, but ultimately the aircraft either needs to be designed around trustworthy AOA data (i.e. triple) or untrustworthy (i.e. double, even with the warning). Half measures are exactly how we got to this point, with two crashes.

Both answers are actually acceptable. A lot of completely safe aircraft have untrustworthy AOA inputs, the key there though is that automated systems are designed around that assumption. MCAS had too much flight authority to be linked to untrustworthy inputs.


> Half measures are exactly how we got to this point

also they increased the maximum stabilizer angles mcas could command, the review/certification was done with a 0.6 cap (effective but not overwhelming) and on production it was increased on a whopping 2.5 degrees.

it was also meant to be using vertical acceleration to understand whether the plane was actually stalling, but that trigger was removed

it was also supposed to operate slowly enough to let people catch up with its operation and be able to disconnect it in case of a runaway trim, but the increased angle required to move the stabilizer faster

I don't know the exact English term for this kind of iterative failure of people communicating changes to each other assuming they are both fixing a problem, instead making it worse, but it's not just like they were doing half measures, they were each tuning their systems in silos, without considering cross system functionality from each system behavioral changes


Impedance mismatch I believe they call that in the Electrical Engineering world. If you don't match up your output characteristics to the specified input characteristics of the next circuit element, you're hosed.


> Even with the warning (which some US airlines paid for)

Are you saying that a bad input warning was an optional (paid) extra?


Yep. The "AOA sensor disagreement" light is built into every cockpit, but it won't turn on unless the airline purchased a specific premium add-on. Boeing claims they initially didn't realize the light was bundled as an add-on, and then once they did realize, they decided it wasn't critical to the airplane's safety and just kept selling it as an add-on, which is... kind of alarming, to put it mildly. https://www.nytimes.com/2019/05/05/business/boeing-737-max-w...


> The "AOA sensor disagreement" light is built into every cockpit,

While technically true, that sounds a bit misleading considering that the AOA DISAGREE warning "light" is just a text indicator on the primary flight display: https://www.boeing.com/resources/boeingdotcom/commercial/737...


Shoot you’re right, I read “warning light” and just assumed. Thanks for the correction! On the other hand, it’s even weirder that Boeing didn’t bother fixing it if it was just a software patch...


Wow, that is remarkable.


This is what I don't get. If the solution is "install an AOA Disagree light, and disable MCAS in that scenario", why has it taken two years to develop this solution?


There's way more to it actually.

The Flight Computer as architected was found to be a single point-of-failure with a catastrophic failure mode with the software as delivered. That's a big fat no-no. Even if it was only under the most unlikely circumstances possible, you don't design a system that can fail that way, even in theory. Murphy is considered to always find a way, so you must be able to survive that casualty.

Therefore, they had to rearchitect the software with greater redundancy, which in aerospace, comes with such a load of verification burden as to be a majority of the work on its own, especially given as it will almost guaranteed change the operating interface procedurewise in some way for pilots. Throw in the issues getting all international regulators independent buy-in, and fix wish lists, negotiating through those, documenting and publishing training and maintenance material updates...

https://www.seattletimes.com/business/boeing-aerospace/newly...

There were also deeper problems from at least a reading of regulations from my point of view with how interpretations of statutory regulation have evolved, but unfortunately, those are beyond any ability of me to confirm or comment on ongoing developments as a non-industry insider. (Read: practically just me being pissy because no one in the industry except maybe WalterBright has given me a sufficiently convincing reckoning of.) From my recollection of my digging at the time, there were various statutory test criteria that an MCAS-less MAX could not meet, and thus should not have been certified as a civil transport aircraft if evaluated strictly to the statute as written. Obviously, reading of statute doesn't directly translate to 100% accurate assessments of how it is enforced, as they are written to be understood and convey meaning within an intended audience of specialists (which is its own problem in my opinion), but nevertheless, back in the bad old days, there were quite the number of test pilots who felt that as time went on, the loosening of airworthiness standards from "strictly as written" was resulting in a slippery slope which was resulting in aircraft that were increasingly less capable of being fully understood by pilots, and potentially more dangerous in the event of substantial problems developing with their automation systems.

Obviously, we can see how history resolved that debate, but our forebears on the losing side of that argument sadly do win their "I told you so"s.

See the D.P. Davies Interviews with the Royal Aeronautical Society for more on that and some good listening.

https://www.aerosociety.com/news/audio-the-d-p-davies-interv...

https://www.aerosociety.com/news/audio-the-d-p-davies-interv...


It's not like pushing a JavaScript change to the website. Aircraft software changes are subject to the same level of design review as a structural modification.


Wasn't the second AOA sensor an optional upgrade? Seems it should be mandatory for a start.

Edit: It had 2 AOA sensors but the indicators showing each reading and the disagree light if they differed were optional (https://www.nytimes.com/2019/03/21/business/boeing-safety-fe...)


How do you know which one is bad?


Strictly speaking, you cannot know which one is bad, but the correct reaction to bad AOA data is not to engage MCAS. The accidents were caused by MCAS activating on the input of a single defective AOA sensor.


Attitude indicators are gyroscopic and themselves redundant. If you can get the plane into level flight and then examine the AOA sensors, they should be close to a known value (see picture) if you do some math. Not saying this is a good idea.

https://orangeflighttraining.com.au/images/aviation-AoA-pitc...


This proposed AD would require installing new flight control computer (FCC) software, revising the existing Airplane Flight Manual (AFM) to incorporate new and revised flight crew procedures, installing new MAX display system (MDS) software, changing the horizontal stabilizer trim wire routing installations, completing an angle of attack sensor system test, and performing an operational readiness flight.

https://kokpitherald.com/faa-releases-737-max-review-propose...


Why not include a secondary angle of attack sensor? From what I hear some military aircraft have 4 of them in case of failure. I do understand that the bigger issue was not just that the angle of attack sensor failed but that the crew was not informed of how to handle the failure.


They have two AOA sensors. In a particular stroke of genius, the MCAS system would select one randomly at boot and use it exclusively (so you have twice the failure rate of a single sensor and no benefits from an extra one).

And the AOA disagree system the FAA "proposes" installing? That was already an optional extra.


Maybe I need to brush up on my probabilities, but why would you have twice the failure rate?

If each sensor failed 5% of the time and the sensor was chosen at random, wouldn’t the failure rate be the same?


It wasn't chosen at random. It swapped main FC's every boot, and each FC only took one AoA sensor as input. So if one fails, you'd only see it every other flight, and at that, only once you hit a flaps up configuration.

There was no automated cross-check out of the box.

Part of the reason for that setup was that Boeing knew if they implemented a multi-sensor solution, it'd require class D simulator training, which they were trying to avoid at all costs. See the 60 Minutes 737 MAX exposé. They apparently had a whistleblower willing to attest to it.


Imagine flipping a coin. Your chance of tails is 50%. What is your chance of a tails if you flip two coins? It's now 75% clearly (TT, HT, TH but not HH).

Now imagine it's not a coin but a normal distribution. If you sample from it twice then take the minimum of your samples, the chance that the minimum is below the mean is 75%. Just the same as with the coin but in another context.

Obviously the time-before-failure is not normally distributed, nor are the sensors completely independent random variables. But the chance of failure of the system will be higher than one sensor, not double exactly but higher.


> What is your chance of a tails if you flip two coins?

Thanks for explaining, but my understanding is the computer only looks at one sensor at a time, it doesn't look at both.


It's wild that this wasn't the result out of the FAA the first pass around with these airplanes. This is basically everything Boeing wanted to and "managed" to avoid with this design, wrapped up and stamped "haha you fools don't do that". So why did it take 346 deaths?


That's a fairly mild fix. The FAA could have required that the MCAS system meet the requirements for a full authority fly-by-wire system.

Boeing built an unstable airplane, then tried to fix it with a tweak to a non-redundant auto-trim system. If this was a full fly by wire plane, like the 777 and later, or the Airbus 320 and later, there would be much more sensor and compute redundancy. Plus the fly by wire system has more awareness of the overall flight situation.


Noob question here: Since, if I get this correctly, all these changes will require new pilot training, why is the MCAS still needed?

My understanding was that this system was installed in order for the new plane to behave exactly like the old one therefore not requiring costly additional pilot training.


MCAS is needed to meet certification requirements. [0][1] Your understanding is common, but wrong, because the media commonly misunderstood what it was for. It's not an anti-stall system. It's not required to behave exactly like the old one. It is required that the stick forces monotonically increase until the plane stalls, which it does not without MCAS.

And it's required because they couldn't rip out all the old control system and replace it with a fly by wire system.

0: https://www.law.cornell.edu/cfr/text/14/25.173 1: https://www.law.cornell.edu/cfr/text/14/25.175


Additional training != new type rating. Additional training may just be a couple hours of instruction. A new type rating would involve both ground school instruction and dozens of hours in a sim. It'd probably take a couple weeks to get a single pilot a new type rating.

However, the bottleneck is that there aren't very many sims worldwide, and most are owned by airlines that don't exactly have an incentive to get pilots other than their own trained.


Some sort of corrective system is required to adjust the raw aerodynamics of the 737 MAX. In some conditions it has characteristics which are not allowed for commercial planes in the US. [0] This is not, in itself, a problem. Many (most? all?) modern airliners have handling corner cases. A common way to fix them is to have sensors, computers, and actuators which adjust the aerodynamics or "push the controls". Boeing chose to use MCAS to adjust the handling in the undesired conditions. Unfortunately, they tried to extend existing sensors and software which were not sufficient for the job. They also, critically, tried to make it transparent to the pilots; this was to avoid extra training, and to avoid making the MAX a separate type with all the certification and logistics issues that involves.

The proposed fix is to change the software to admit to itself that it can fail, to limit the amount of control that MCAS can exert, and to train pilots to recognize failure modes and how, in the event of MCAS failure, to manually handle the undesirable aerodynamics. Boeing can't simply disable MCAS and say that pilots have to always manually handle it; the rules specifically say the plane cannot behave in that manner.

[0] In some uncommon-but-not-impossible situations, pulling back on the control yoke and putting the plane closer to a stall is easier than pushing on the yoke and getting further from stalling. That isn't allowed for commercial aircraft.

https://www.nytimes.com/2019/06/01/business/boeing-737-max-c...

https://www.ecfr.gov/cgi-bin/text-idx?node=14:1.0.1.3.11#se1...

MCAS fixes this by detecting the condition and, in effect, pushing forward on a secondary control.


There are different types of training requirements.

New type rating requires most training. Then there is transition training between same aircraft family. These changes are probably just small updates that require least training.


> why is the MCAS still needed?

Because Boeing and the FAA are talking out of both sides of their mouth. The planes aren't safe to fly without MCAS, MCAS is unreliable, so the solution is to disable MCAS whenever the plane determines it's best, even if it's going to be highly detrimental to safely operating. We still don't have ANY data on flying the planes safely without MCAS. We only have data on planes where MCAS fails, and those planes crashed.


MCAS is only supposed to activate in extreme circumstances. The planes are perfectly safe to fly and capable of flying without MCAS working.

I think you need to read up on MCAS a bit more.


No, they really don't. The prescriptive testing requirements are both clear, and written in blood. If you can't handle those extremes in the prescribed manner, you don't carry the flying public.

The regulation is clear cut, and unambiguous in that regard. Furthermore, the crashes that occurred happened because a system that is only supposed to kick in at the extremes did so in non-extreme situations repeatedly due to GIGO (Garbage In, Garbage Out), and to disastrous effect.

I welcome you to look at the FDR telemetry curves for the two flights. The AoA measurement for one of them was 70-80 degrees if I recall, the other was 20ish degrees offset from where it should have been.


https://www.faa.gov/news/media/attachments/19_035n-R3-8-3-20...

> "To address the unsafe condition, the FAA proposes to require four design changes: (1) installing updated flight control software (with new control laws) for the FCC operational program software (OPS), (2) installing updated MDS display processing computer (DPC) software to generate an AOA disagree alert, (3) revising certain AFM flightcrew operating procedures, and (4) changing the routing of horizontal stabilizer trim wires."

> "The first design change is intended to prevent erroneous MCAS activation. The second design change alerts the pilots that the airplane’s two AOA sensors are disagreeing by a certain amount indicating a potential AOA sensor failure. The third design change is intended to ensure that the flightcrew has the means to recognize and respond to erroneous stabilizer movement and the effects of a potential AOA sensor failure. The fourth design change is intended to restore compliance with the FAA’s latest wire separation safety standards."

Notably the FAA does not require a 3rd AoA sensor, but simply for software to monitor both sensors, compare the values, and if they disagree beyond a given threshold, to light an "AoA Disagree" lamp and disable MCAS for the remainder of the flight.

MCAS will also only be allowed to activate one time per "High AoA" event. The AoA sensors must return to a normal range before MCAS is allowed to activate again.

Finally, they must limit the maximum MCAS command authority within a set range so that manual control can always maintain altitude, whereas previously MCAS would command horizontal stabilizer adjustments without any regard to the current position.

It seems that in an AOA DISAGREE situation, the flight is still permitted to take off.

In my non-expert summary, they seem to be doing the absolute minimum amount of work possible to "address" the problem, and dodge completely the fundamental contradiction of why one would implement an unreliable-by-design MCAS system, hobble the control authority of that system, and further, permit flight when that system is known to be disabled.

In light of these admissions, I cannot comprehend why the MCAS system exists at all, and how the added complexity (variance in airframe operation) is worth any possible benefit.

In Elon-speak, the best part is no part. The best system is no system. So if you admit you can fly without it, why leave something in which is unpredictable, unreliable, and already proven to be deadly?

EDIT: The total cost of compliance for applying these changes to 73 existing airframes is estimated to be ~$1 million, 70% of which is the wiring harness change. <s>The software change itself seems to amount to about 20 lines of code, so let's call it $20 million.</s> Sorry, this seems like an absolute joke, and right now I'm pretty angry that this is what they came up with after "60,000 hours of review".
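The cross-check logic summarised in the comment above (compare both AOA sensors, latch MCAS off for the rest of the flight on disagreement, allow one activation per high-AOA event, cap total authority), sketched in Python as an added example that is not part of the thread and is not Boeing's or the FAA's code. Every threshold, step size and sensor trace is a constructed assumption, and the single-sensor function is a simplified model of the as-delivered behaviour described in this thread.

```python
from dataclasses import dataclass

# All constants are assumptions for illustration; the page gives no real values.
DISAGREE_THRESHOLD_DEG = 5.5   # sensor split that counts as "AOA DISAGREE"
HIGH_AOA_DEG = 12.0            # AOA at or above which augmentation may fire
RESET_AOA_DEG = 10.0           # AOA below which the high-AOA event is over
TRIM_STEP_DEG = 1.0            # nose-down trim per activation
MAX_TOTAL_TRIM_DEG = 1.5       # cumulative authority cap


def single_sensor_total(trace):
    """Simplified as-delivered model: one sensor, fires on every high sample."""
    total = 0.0
    for left, _right in trace:
        if left >= HIGH_AOA_DEG:
            total += TRIM_STEP_DEG   # no cross-check, no cap, no re-arm logic
    return total


@dataclass
class CrossCheckedTrim:
    disagree_latched: bool = False   # once set, stays set for the flight
    armed: bool = True               # one activation per high-AOA event
    total_trim_deg: float = 0.0      # authority already used

    def step(self, aoa_left, aoa_right):
        """Return the nose-down trim command (degrees) for one sample."""
        if abs(aoa_left - aoa_right) > DISAGREE_THRESHOLD_DEG:
            self.disagree_latched = True
        if self.disagree_latched:
            return 0.0               # fail passive: hand control to the crew

        # Assumption: both sensors must report high AOA, so use the lower one.
        aoa = min(aoa_left, aoa_right)
        if aoa < RESET_AOA_DEG:
            self.armed = True        # back in the normal range: re-arm
            return 0.0
        if aoa >= HIGH_AOA_DEG and self.armed:
            self.armed = False
            remaining = MAX_TOTAL_TRIM_DEG - self.total_trim_deg
            command = max(0.0, min(TRIM_STEP_DEG, remaining))
            self.total_trim_deg += command
            return command
        return 0.0


def cross_checked_total(trace):
    """Run a trace through the cross-checked logic: (total trim, latched?)."""
    controller = CrossCheckedTrim()
    total = sum(controller.step(left, right) for left, right in trace)
    return total, controller.disagree_latched


# Constructed traces of (left_aoa, right_aoa) samples in degrees.
FAULTY_LEFT = [(74.5, 3.0)] * 6                      # left vane reads garbage
GENUINE_HIGH = [(4.0, 4.0), (13.0, 13.5), (14.0, 14.0), (13.0, 13.0),
                (6.0, 6.0), (13.0, 13.0), (13.0, 13.0)]
FAULT_THEN_HIGH = [(74.5, 3.0), (13.0, 13.0)]        # latch must persist

if __name__ == "__main__":
    for name, trace in [("faulty left", FAULTY_LEFT),
                        ("genuine high AOA", GENUINE_HIGH),
                        ("fault then high AOA", FAULT_THEN_HIGH)]:
        print(name, single_sensor_total(trace), cross_checked_total(trace))
```

With the faulty trace the single-sensor model keeps adding nose-down trim on bad data, while the cross-checked model commands nothing and stays latched off even when the sensors later agree.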


That's interesting though I suppose unsurprising.

We did a PoC with Infineon, and demoed at CES this last January, something related to the limitations of Fail-Safe mechanisms in autonomous systems and what changes in design & runtime context are essential for moving from Fail-Safe to Fault-Tolerant systems.

In the case of MCAS this probably works out okay because the remediation is to disable and hand control back to the human (something that I'm frankly shocked wasn't already part of the hazard and risk assessment) in loop. Alternative design approaches could probably extend the safe operational envelope for MCAS to tolerate more (or simultaneous) dimensions of failure, but outside of making MCAS a more valuable feature to market (which isn't that useful since it's baseline essential for the aircraft to even be certifiable) it's easy to see the calculation for not going down that redesign road.


> something that I'm frankly shocked wasn't already part of the hazard and risk assessment

That wasn't an option because they didn't want to tell pilots about the existence of the system, to avoid additional training requirements.


Yep. The flight characteristics of the 737 MAX in high angle of attack flight is either significantly different or it isn't, compared to prior 737's. Boeing said it is and created MCAS to mitigate/moderate that difference.

That MCAS can be disabled means pilots need to know about, be trained on, and demonstrate competency on, the ensuing natural (minus MCAS) flight characteristic.

And if the pilots are aware and demonstrate such competency, why even have MCAS? Rip it out.


Wow, the report is very interesting! In the paragraph about the mandatory AOA DISAGREE alert:

> Some 737 MAX airplanes were delivered without this alert feature, by error.

The FAA is useless ...


AFAIK the AOA disagree alert was an optional add-on sold by Boeing!

https://qz.com/1608362/boeing-says-it-didnt-deactivate-stand...


Sure, but without knowledge of MCAS, what would a pilot do with an AOA warning?

They would still most likely get an airspeed disagree warning (standard) because AOA is a parameter in the airspeed calculation. Again, they wouldn't know that was why the stabilizer trim kept moving to nose down, because the MCAS system was not disclosed to pilots.


> disable MCAS for the remainder of the flight.

My understanding is that the MCAS or something equivalent is necessary on the 737 MAX because the engines sit lower than they really should and the forward propulsion creates torque that raises the nose of the plane. Something needs to counteract that force.

If the MCAS is disabled, is the pilot able to trim the airplane manually similar to how MCAS works? Or will they have to just kinda hold the nose down with the main steering controls?


I don't know the specifics, but if MCAS is disabled, I'd assume the pilots would be able to manually trim the plane. In fact, one of the early flaws, IIRC, of MCAS was that it was tied to electric trim, meaning that to disable MCAS you also had to disable electric trim and thereby go to manual. Since the 737 stabilizer trim is connected via wires and not fly-by-wire controls, the plane can get into an aerodynamic position where a pilot physically cannot bring the plane back into trim.

Boeing has a maneuver to correct this, but it involves descending to reduce aerodynamic forces on the stabilizer, adjusting trim, regaining altitude, and rinse and repeat until you're back in trim.

Personally, I wouldn't want to be a passenger on a 737 without electric trim and go through that maneuver, but it's better than crashing. Basically, the 737 should be considered too old an airframe to allow for non-type-rating-changing modifications (i.e. fly-by-wire stab trim, etc).


No, the engines are not low. They can't be, because the wing is low and the landing gear is short.

The engines are wider than the old ones. They are also much further forward, in order to avoid being low enough to hit the pavement. (part of the engine is higher up than the underside of the wing) These differences mean that the engines can act somewhat like canards, generating lift near the front of the aircraft. The engines themselves, even when not powered, generate lift.

The lift increases as the nose rises. This means that raising the nose becomes easier the more the pilot raises the nose, which is a hazardous way for controls to operate.


Basically all modern airliners with engines under the wing generate torque that tries to raise the nose of the plane. MCAS is to correct for nonintuitive behavior near the limit of the flight envelope when the wing is at a high angle of attack. Most flights never get anywhere near that, and disabling MCAS would not be noticeable.


This might be oversimplification, but I'll venture it and hope someone corrects me if I'm wrong:

If MCAS is disabled, then the airplane will fly very differently from the 737s that everyone with an existing 737 flight rating is used to.

So the plane can fly, but it'll feel different.

And that sure does seem like a problem to get back safely to the ground.


MCAS only kicks in at high angle of attack with the flaps up. I believe that most flights never come near having it activate.

If it disables due to faulty sensors and the pilots are told it is disabled, most flights won't have to do anything different at that point. The plane will handle just like it normally does.

If there are flights that are supposed to have maneuvers that would trigger MCAS, pilots are going to need to be trained to avoid those maneuvers when MCAS is disabled.


But if a MCAS failure and an unexpected unusual attitude does line up, there will be another crater.


This seems to be the part that everyone's missing. "Oh, this rarely happens" is ambiguous, we don't have any data on how often MCAS operated correctly during flights.

Also, in events that 'rarely happen' one of which is approaching a stall (according to the FAA's report), is it safe to disable the system in the actual scenario when encountered? It doesn't seem so. I can't see how both "Need this system for extremely rare scenario" and "Disabling this system because scenario is extremely rare is okay" can both be true.


> I can't see how both "Need this system for extremely rare scenario" and "Disabling this system because scenario is extremely rare is okay" can both be true.

The benevolent interpretation is:

a) the plane being in a situation where the system is required is rare, but frequent enough that the risk wouldn't be acceptable without MCAS.

b) MCAS breaking is rare, but frequent enough that we can't allow it to fly the plane into the ground when it does (as has been demonstrated).

c) Both things happening at the same time is so exceedingly rare that a crater is an acceptable outcome, just like we accept that all engines simultaneously failing at the same time during take-off will likely result in a crash.

(compare: https://commons.wikimedia.org/wiki/File:FAA_8040.4B_Risk_mat...)

That said, I hope EASA takes a very close look instead of blindly trusting the FAA again...


These are fair points, but the FAA report used the wording "extremely rare" (or similar) instead of a concrete quantity, and I find that extremely reprehensible. As we all know, "extremely rare" needs to be quantified. There are 44k flights in the US alone every day (pre COVID).

> MCAS breaking is rare

This is the part I'm not particularly inclined to agree with. The scenario is no longer breaking, it's breaking OR disabling. There are a host of new conditions that will result in MCAS being disabled according to the report. Some of these conditions disable MCAS for the remainder of the flight, and the way that I read the scenarios, it's certainly possible for these conditions to stack together.

Reading the report gives the impression that the FAA is completely incompetent. They didn't specify any rate of failure or disabling of MCAS, and the 'failure scenarios' that are proposed to be carried out in the near future are lacking in exposing these disabled scenarios.

Also, the FAA stated in the report that the plane handles similar to the 737 NG when STS is disabled; however, the MCAS automation disables MCAS and STS. There is no information about the rate at which STS has been disabled in flights in NGs, and no comparison on how disabling STS during the 'near stall' portion of a 'rare event' behaves in those planes.

They wrote this long-winded document that's almost entirely devoid of meaningful factual detail. It reads like a Boeing PR piece if I've ever seen one.


But not as big a problem as having MCAS misbehaving, hence the change.


MCAS is only needed in situations with a very high angle of attack, that is a very steep climb which should not happen in normal flight situations. For example, MCAS is completely deactivated, if the flaps are extended. So unless you get into the steep angles, a 737 MAX with MCAS disabled, wouldn't even feel different in flying.


> seems to amount to about 20 lines of code

it's sobering to think that 20 lines of code could potentially have saved 346 lives :/


That doesn't sound right. If I understand correctly, the crashes were not due to a programmer making a mistake in a few lines of code. They were due to inadequate sensor redundancy, inadequate pilot retraining, and possibly a missing warning light [0] (the fault still lying with Boeing on all three points). At no point did the behaviour of the MCAS software deviate from its specification.

[0] https://www.nytimes.com/2019/05/05/business/boeing-737-max-w...


Deactivating MCAS on AOA disagree would have prevented both crashes. But yes, the program behaved to spec, so strictly speaking it is not a programmer error but a spec problem.


> It seems that in an AOA DISAGREE situation, the flight is still permitted to take off.

That requires the AOA sensors to disagree while on the ground. Do they even report meaningful values while on the ground? (I mean, I suppose on takeoff roll they begin to do so...)


To me, this reads as a total reduction in the effectiveness of the MCAS.

We still have no indication that operating the aircraft without MCAS is safe, therefore if the system fails during a critical moment or is otherwise unable to account for the increased angle of attack, we could see jets plummet to the earth in a stall scenario. Absolutely the worst thing that could happen.


MCAS is only useful in very extreme situations rarely seen in normal flight. Most pilots will never be in a situation where MCAS is useful.


> Most pilots will never be in a situation where MCAS is useful.

And if they are in the situation? Also, there's no data on how many times MCAS activated on non-crashing flights with valid data, so this statement is 100% speculation.


> we could see jets plummet to the earth in a stall scenario

To be fair, when a passenger airliner finds itself in a stall scenario, hitting the ground is not an uncommon result.


Given the upcoming Microsoft Flight Simulator 2020 release, I wish it could provide us non-commercial flyers with a simulation of the flight controls under the specific events that cause failure in the Max 737.

I realize the subject isn't something a corporation would touch or code for, nor do they have a 737 in the lineup for 2020, but it would provide me with better understanding of the problem.


I would imagine, with a bit of work, you could write something for X-Plane to replicate the issues. X-Plane is pretty extendable and already has configurable failures, including pitch trim runaways.


Given that the 737 isn't fly by wire, the forces needed to operate the controls are something critical that a home sim isn't going to be able to model.


Watch how much effort it takes to adjust trim with the motors disabled https://youtu.be/xixM_cwSLcQ?t=1106

It's good that MCAS will now disable itself without having to disable the trim motors completely. I wish they'd just taken the hit on a new type rating and given up on MCAS completely after the failures. Perhaps new 737 pilots could get training on NG and MAX at the same time?

One thing I'm not seeing much discussion of today (though it was addressed in previous posts about the MAX) is the development process issues that led to the problems in the first place. Some blame it on post-McDonnell-Douglas-merger penny-pinching, non-engineer-indulging managers. Whatever it was, the investigation should have resulted in not just plane modifications, but company ones.


The type rating is not the reason for MCAS. MCAS is there to make the aircraft satisfy certain stability requirements mandated for all planes by the FAA to prevent an inadvertent stall.

So even with a new type rating, MCAS would still be needed unless the airframe were massively redesigned.


These forces were due to a design issue. Even though the 737 ain't fly by wire, it still has hydraulics, I think even 2 independent ones for redundancy.


There are force feedback joysticks, though I don't know whether something like MS Flight Simulator supports that.


It'd take a pretty fancy home force feedback system to be able to simulate forces in the multiple-pound range, which I think is what it'd take to give an accurate simulation.


Mind, "multi-pound" in this situation is "more force than a grown and fit pilot can reasonably exert from a cockpit seat".

I did some napkin math at one point, and the motor on those screwjacks to actuate against the Ethiopian Airlines loads was in the avenue of 300 ft-lbs, if I remember correctly. (I only remember it was a number similar to what a car engine would be expected to put out.)

I didn't know the exact gearing arrangement for the trim wheel, but the simulator footage was enough to convince me it certainly wasn't guaranteed to be practical.


Boeing and the FAA. Feels like an old couple that has to live under the same roof, so it is broken dishes and shouting all day long.


FAA was the battered spouse until Boeing had those two very public crashes. Thanks regulatory capture.


In a way, it's fortunate that the two MAX crashes happened overseas. If they had happened in the US, Boeing could have used its regulatory leverage to cover up the problem for a few more crashes.


Hmm I wonder how true that is (I have no personal experience/knowledge). I feel like two large crashes would get a very hard look by the NTSB.


Hum, it doesn't seem like a lot.

Maybe I'm missing something, but it looks like a software update to make MCAS more robust. And if it bugs, raise an alarm and flight-crew operating procedures should be (?) to deactivate MCAS and fly without?

Could pilots actually fly the plane without MCAS? It must feel like an entirely different aircraft.


> It must feel like an entirely different aircraft

No, if MCAS is disabled then the vast majority of the time it will fly just like normal. MCAS is only there to adjust flying characteristics when the wing is at a high angle of attack.


> only there to adjust flying characteristics when the wing is at a high angle of attack.

No, that's a Boeing talking point. It's there to prevent the aircraft from stalling, not to 'adjust flying characteristics.' The nose pitches up during high thrust, MCAS kicks in to counter what the pilot is doing (stick and thrust) so the plane doesn't stall.


It's not there to prevent stalling, except inasmuch as pitching the plane too much does eventually result in stalling; however, any pilot will have pushed the stick or trimmed long before that. It's there to make the plane behave exactly like an older model at a high angle of attack, to counteract the engines being further forward than those models.


All planes with low mounted engines (read: most current jet airliners) pitch up with increased thrust. It's not controversial, and pilots deal with it routinely. MCAS does not activate under normal flight conditions.


> MCAS does not activate under normal flight conditions.

This is entirely the problem. If MCAS operates, you're already doing something wrong. It was required in the first place because the likelihood of pilots doing something wrong is high. Now, instead of MCAS backing up the pilot's bad decision making, it might cut out at a critical moment.

We already know that Boeing revised (increased) the authority of MCAS without notifying the FAA because testing found the MCAS to be inadequate initially.

You can't simultaneously need MCAS and be okay with it being disabled intermittently. Those two things are directly at odds.


Yes, to my understanding the only issue a pilot would run into with MCAS disabled and neutral is decreasing control forces at high angles of attack. The FAA requires control forces to monotonically increase with angle. I say "only" but that probably makes for a very weird feeling airplane to fly; how dangerous that actually is for a trained pilot I can't answer for sure but my gut and experience tell me not very.


It is a specifically enumerated disqualification for civil transport aircraft, created in a time where all aircraft were flown by hand.

I'd be comfortable with taking it as a given this is not an avenue worth excavating.


What really needs design changes? Boeing's organization! This is going to keep happening until it is restructured to take safety seriously again.


Their requirement is to make the AoA disagree light standard? Wow that's next to nothing.

For those that don't remember, the AoA disagree light is an optional, costs-extra safety feature on this model.

How about we add a big fat MCAS disengage button to the yoke instead, and make it separate from the trim cutout switch?


Or repurpose the existing second trim cutout switch... (AFAIK there are two, that used to serve different purposes, and are now both left in to keep the same type rating).


Yes! If this was available, at least the second crash seemed likely preventable given the timeline of events. I didn't read the timeline for the first one.


Relevant article:

https://www.seattletimes.com/business/boeing-aerospace/boein...

That would allow a pilot to put the plane in a configuration for which it is not certified to transport passengers, however, and the triggering thereof should always be deemed an emergency if we're going to take our regulations with any level of seriousness.


That article has opposing viewpoints on if it would be a good idea.

But, imagine if the switches were as before --- the left turns off automation control of electric trim, and the right turns off all electric trim. In that case Boeing's notice for what to do in case of MCAS failure would be turn off the left switch and then they'd have advice about how immediate the need to land is. As opposed to their notice which was insufficient for Ethiopia Air pilots because they weren't able to trim the stabilizer manually and tried reenabling electric trim and MCAS continued to be broken.

Hopefully the MCAS changes described will be sufficient to prevent it from causing more crashes, and Boeing has republished a procedure to gain manual control by easing off the yoke temporarily, but it still seems to me that providing electric trim without automation input, as was available before (but never suggested to be used) would provide an additional tool for pilots in exceptional circumstances.


It should have been standard from the beginning, since it likely would have prevented both crashes.


I thought for sure an SFAR would be the result, but they should count themselves lucky as hell that it was only an AD.

I'm not usually in the group hating on big corporations but in this case it may be simply because Boeing is a behemoth.


I wonder what EASA will do...


Run their own evaluation and make their own set of recommendations. With some luck they will not be incompatible with each other.


My guess is their evaluation is somewhat in parallel and at least some communication existed before this proposal was made. Thus I expect their requirements to be largely compatible with this proposal.


Do you know that this is happening? I thought they were mostly following the FAA's ruling. Is it certain that this will change in the future or even for the certification of the 737 Max?


Can we just scrap this thing and move on already? Isn’t all of this back-and-forth alone evidence that this thing shouldn’t be flying?? It’s over, Boeing, you lose.


The 737 MAX with the MCAS fix is as secure as any 737 out there. Perhaps even more so due to having new engines, all of them being new air frames and because to my understanding in the review of the software they found and fixed another issue which always has been present.

One can certainly argue, that Boeing should have invested into a true 737 successor a long time ago instead of updating the old design, especially with all the restrictions of keeping the same type rating.

The problem is, this hasn't happened. Assuming air travel bounces back to pre-Covid levels, there is a huge demand for 737-class airplanes. Like thousands. Creating a replacement (which Boeing really should start like yesterday) will take about 10 years, you don't want to rush that, if you don't want to create an even larger security problem (just look to the 787 for initial problems and ongoing reports about manufacturing issues). So for the next 10 years, the option is either to fly the 737 MAX, fly much less or with aging 737 air frames from the pre-MAX times.


Because it’s far cheaper to make them safe than to trash them. The problem isn’t the basic airplane, it’s the short shrift Boeing gave the safety systems.


That is not the commonly held interpretation of this, my dude.



