Boeing 737 pilots battled confused safety system that plunged aircraft to their deaths – black box

With investigations continuing into the cause of Lion Air flight 610's deadly crash into the Java Sea, experts are scrutinizing the plane's automated control system. Early data from the doomed plane's flight recorder suggests that for much of its 11-minute flight on October 29, the pilots were struggling with the craft's …

  1. disk iops

    Hey software, get the fuck out of the way!

    The pilots are either competent or they aren't. There is NO reason whatsoever for software written by blithering idiots to override and countermand the pilot. He is GOD. If he is an imperfect, distracted, negligent god, then sucks to be you for the passengers, but this was a clear case of software elevating itself above the meat.

    Programmers, fuck off! Sensors are fallible - it's fine to chime and red light, even buzz/alarm when something sure looks wrong, but do NOT interfere.

    1. Remy Redert

      Re: Hey software, get the fuck out of the way!

      But this wasn't the software's fault. It never is. It was the designer who allowed a single faulty sensor to put the software into a dangerous state. This is an aircraft control system and it should have existed at least in duplicate, with multiple separate sensor inputs to ensure that the system is always right and that if a situation ever comes to pass where it cannot be certain it is right, then it will cede control completely to the pilots.

      1. sanmigueelbeer Silver badge

        Re: Hey software, get the fuck out of the way!

        It was the designer who allowed a single faulty sensor to put the software into a dangerous state.

        Go HERE.

        Look at the two lines for the Angle of Attack (AoA) sensors. One is for the left and one is for the right. Notice that the lines are separated? At any given time, the AoA sensors should never be separate. They're meant to be redundant so the readings are meant to be the same.

        There are actually two faults in this unfortunate event; they are:

        1. One of the Angle of Attack sensors was faulty. The AoA sensor feeds information to the FMS and one of the systems, MCAS, reads from this.

        2. The MCAS was an "undocumented feature" introduced by Boeing which a lot of airlines were not familiar with.

        For an unknown reason, after take-off the MCAS was reading the input from the AoA sensor and immediately took action on the one that had the worst reading. For the next few minutes, both pilots were battling with the MCAS to keep the plane from crashing until it was no longer possible.

        It's a very bad idea to have software making decisions based on the output of a single sensor.

        Imagine you are flying at night across the ocean and into a thunderstorm. It is very hard to determine which way is up or down or what angle the plane's nose is pointed. This is what the MCAS, with the help of the AoA, is meant to do.

        But the root cause of the crash was a faulty AoA sensor. The fault of the two pilots was that they were unaware of the MCAS and they were unable to disable it. On the previous flight, one of the flight crew disabled the MCAS and was able to gain control of the a/c.

        1. MacroRodent Silver badge

          Re: Hey software, get the fuck out of the way!

          Sounds like that angle of attack sensor should be triplicated. How else can the software decide which sensor is bad, if both produce plausible values (one being wrong, but not impossibly so).

          - And the same goes for all other safety-critical sensors.

          1. Andre Carneiro

            Re: Hey software, get the fuck out of the way!

            “Sounds like that angle of attack sensor should be triplicated. How else can the software decide which sensor is bad, if both produce plausible values (one being wrong, but not impossibly so).

            - And the same goes for all other safety-critical sensors.”

            Yes, I’m somewhat perplexed by the lack of a “tie breaker”.

            Again, comparing with the Airbus implementation:

            The Airbus aircraft generally have 3 ADIRUs (Air Data and Inertial Referencing Units), each with its own AoA sensor. And yes, there is a voting system so that a rogue sensor will merely cause a DISAGREE state and is disregarded, rather than something potentially rather more catastrophic.

        2. zaax

          Re: Hey software, get the fuck out of the way!

          Is that not what the artificial horizon is for?

        3. Ian Johnston Silver badge

          Re: Hey software, get the fuck out of the way!

          The AoA readings seem near identical until the final dive and crash. Was the plane spinning then? Once there is significant side slip, all bets about equal ... well, anything, really ... on both sides are off.

        4. eldakka Silver badge

          Re: Hey software, get the fuck out of the way!

          Look at the two lines for the Angle of Attack (AoA) sensors. One is for the left and one is for the right. Notice that the lines are separated? At any given time, the AoA sensors should never be separate. They're meant to be redundant so the readings are meant to be the same.

          You can't really have an effective redundant system with only 2 lines, you need 3. If one sensor fails with 2 lines, then which one is the faulty one? You can't reliably identify a single-sensor failure if you only have 2 sensors. With 3, you can detect a single-sensor failure. Of course, 2 sensor failures are then possible, but the chances of that are orders of magnitude less than single-sensor failures, and the sort of thing that'd make 2 (or more), widely-dispersed sensors fail is likely to be fatal to the aircraft anyway.

          Any critical sensor systems should be triply redundant, not dual, at least in larger (bigger than dash-8's) passenger aircraft. After all, we are talking about more than a hundred lives (more than 500 in the largest aircraft models) per aircraft in these cases.
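The point made in the last few replies (two channels can only detect a disagreement, three can resolve one) is easy to make concrete. The following is an added example, not code from the thread or from any aircraft system: a small voter over one to three angle-of-attack readings, plus a hypothetical consumer that refuses to act unless the vote is VALID. All readings, the 2-degree agreement tolerance and the 15-degree threshold are constructed for the example.

```python
"""Added example (not from the thread): a sensor voter with a DISAGREE state.
With two channels a disagreement can only be detected, not resolved; with
three, a single rogue channel can be excluded and authority retained.
All readings and thresholds below are constructed."""
from statistics import fmean

VALID = "VALID"        # voter trusts its output; a consumer may act on it
DISAGREE = "DISAGREE"  # voter cannot tell which channel is right; cede to pilots


def vote(readings, tolerance=2.0):
    """Vote over 1..3 angle-of-attack readings (degrees, constructed units).

    Returns (value, status, excluded_channel). `tolerance` is the largest
    difference at which two channels still count as agreeing; the figure is
    an assumption for this example, not a certified value.
    """
    n = len(readings)
    if n == 1:
        # A lone channel cannot be cross-checked, so it never gets authority.
        return readings[0], DISAGREE, None
    if n == 2:
        a, b = readings
        if abs(a - b) <= tolerance:
            return fmean(readings), VALID, None
        # Two channels disagree: either could be the bad one, no tie-breaker.
        return None, DISAGREE, None
    if n == 3:
        pairs = [(i, j) for i in range(3) for j in range(i + 1, 3)
                 if abs(readings[i] - readings[j]) <= tolerance]
        if len(pairs) == 3:
            # All agree: mid-value select, which also damps a mild outlier.
            return sorted(readings)[1], VALID, None
        if len(pairs) == 1:
            # Exactly one agreeing pair: the third channel is the rogue one.
            i, j = pairs[0]
            excluded = 3 - i - j
            return fmean([readings[i], readings[j]]), VALID, excluded
        # No agreeing pair (two channels failed, as in the A321 case above),
        # or an ambiguous chain a~b, b~c but not a~c: refuse to pick a side.
        return None, DISAGREE, None
    raise ValueError("voter expects 1 to 3 channels")


def stabiliser_authority(readings, tolerance=2.0, aoa_limit=15.0):
    """Hypothetical consumer of the voted value, standing in for an
    MCAS-like function. It only ever commands on a VALID vote; `aoa_limit`
    is a made-up threshold for illustration."""
    value, status, _ = vote(readings, tolerance)
    if status != VALID:
        return "CEDE"  # hand the aircraft back to the crew
    return "TRIM_NOSE_DOWN" if value > aoa_limit else "HOLD"


if __name__ == "__main__":
    # Constructed scenarios, not flight data.
    print(vote([5.0, 5.5]))           # two agree: VALID
    print(vote([5.0, 20.0]))          # two disagree: DISAGREE, nobody to break the tie
    print(vote([5.0, 5.5, 20.0]))     # three, one rogue: VALID, channel 2 excluded
    print(vote([5.0, 20.0, 35.0]))    # three, two rogue: DISAGREE
    print(stabiliser_authority([5.0, 20.0]))
```

The design choice worth noting is that every path the voter cannot justify ends in DISAGREE rather than in a guess, and the consumer treats DISAGREE as "cede", which is the behaviour the replies above are asking for.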

          1. Alan Brown Silver badge

            Re: Hey software, get the fuck out of the way!

            "You can't really have an effective redundant system with only 2 lines, you need 3"

            AT LEAST 3 and preferably an odd number, if not prime.

      2. dvvdvv

        Re: Hey software, get the fuck out of the way!

        Multiple redundant systems do fail, too. In one prominent case, two of the three AOA sensors failed on an A321, which made the safety system ignore the only sensor that was working and trim the airplane into a dive. The correct mitigating action was to disable the misbehaving system, and that was exactly what the crew of that A321 did. And that's what the crew of the penultimate flight of the crashed Boeing did, too. Everybody lived.

      3. Anonymous Coward

        Re: Hey software, get the fuck out of the way!

        "But this wasn't the software's fault. It never is. It was the designer who allowed a single faulty sensor to put the software into a dangerous state."

        Having worked on safety critical systems - we developed state machines to identify, pretty much, every possible output. This safety system should have had redundancy and additional sensors to check.

      4. MrXavia

        Re: Hey software, get the fuck out of the way!

        "It was the designer who allowed a single faulty sensor to put the software into a dangerous state."

        Surely should have the inputs & processing in triplicate for something like this?

        And there should be an easy way to override it, I mean something clear like a big red covered flip switch that can be turned off!

        Single sensors are fine for toys, but not for a plane carrying passengers!

    2. Anonymous Coward

      Re: Hey software, get the fuck out of the way!

      It looks like Boeing has started to ape Airbus in that the computer has the ultimate say when it comes to the flight controls. The logic is that on average computers make fewer mistakes than humans. Unfortunately this line of reasoning fails to take into account the fact that all software contains bugs because it's written by humans.

      1. Marketing Hack Silver badge

        Re: Hey software, get the fuck out of the way!

        It's a very bad idea to have software making decisions based on the output of a single sensor. Didn't we learn that several years ago when the pitot tubes on that Airbus airliner out of Brazil iced up and that caused the plane to assume that it was stalling, and that forced a crash into the South Atlantic with no survivors?

        If you are going to give software the ability to countermand the flight crew, then you need to have fault-tolerant redundant sensing systems in place to make sure that the systems on the plane have accurate information. Otherwise you arrive at the horrific logical end of "garbage in, garbage out".

        1. Remy Redert

          Re: Hey software, get the fuck out of the way!

          That was an Airbus and the software reacted correctly. It decided that the airspeed information it was getting from the various sensors was conflicting, so it switched from normal law (where it controls the airplane and the pilots are allowed to tell it where to go) to alternate law 2 (aka "I don't know any more, you're up pilots").

          The pilots then proceeded to over-correct for a slight roll caused by the autopilot switching off, pulled the nose up, got a brief stall warning when the angle of attack sensors indicated something was up and then proceeded to put the plane into a stall so deep the computer considered the measurements of the alpha sensors to be impossible, so it did nothing and assumed the pilots were doing the right thing.

          The software (and software designers) in this case did everything right and the pilots proceeded to crash the plane. Had the system switched back to normal law when the airspeed readings came back (about a minute after the failure, but before the stall), the airplane would never have stalled. But because of safety reasons, the pilots would have had to switch the plane back into normal mode themselves once they verified the problem that triggered the switch had been resolved.

          1. Denarius Silver badge

            Re: Hey software, get the fuck out of the way!

            Re Airbus crash south Atlantic. AFAIRC from chats around airfields and a few public documents this incident also showed defects in pilot flight currency in directly handling aircraft. Similar incidents had happened to other airlines whose crews flew recreationally. Those crews looked at all instrument data such as indicated airspeed, angle of attack and engine power settings. They correctly concluded airspeed data was wildly wrong and flew their aircraft accordingly. Airbus were notified of the airspeed pitot tendency to ice up. In the crash incident the crew failed to realise a full stall was happening because of a strong belief in all IFR pilots that one trusts instruments ahead of anything else, thus failing to assess all data.

            If Boeing has drunk its version of AI KoolAid in its control system, then I will have to think about seaborne travel more positively.

            1. Symon Silver badge

              Re: Hey software, get the fuck out of the way!

              Re Denarius :- "I will have to think about seaborne travel more positively."

              https://www.dw.com/en/why-are-ferry-accidents-common-in-indonesia/a-44403800

              I think you'll find that you're better off avoiding travelling in Indonesia. Altogether.

              p.s. https://youtu.be/0wxp-NxJny8?t=81

              1. Alan Brown Silver badge

                Re: Hey software, get the fuck out of the way!

                "I think you'll find that you're better off avoiding travelling in Indonesia. Altogether."

                Not just Indonesia. I wasn't happy to notice that the Plimsoll line had been adjusted several feet upwards on most ferries I used in the Philippines.

          2. e_is_real_i_isnt

            Re: Hey software, get the fuck out of the way!

            The worst part was that the Airbus also silenced the stall warning when the AoA was out of range high - this caused the co-pilot to pull back on the stick whenever the nose came down, because that shut off the stall warning that would return when the AoA came back within range.

            1. Daniel 18

              Re: Hey software, get the fuck out of the way!

              "The worst part was that the Airbus also silenced the stall warning when the AoA was out of range high - this caused the co-pilot to pull back on the stick whenever the nose came down, because that shut off the stall warning that would return when the AoA came back within range."

              More irony here. The system was designed to avoid information overload by muting bad or irrelevant data - and the pilot was misinterpreting that.

          3. lowwall

            Re: Hey software, get the fuck out of the way!

            You are missing a critical point.

            There were three pilots (one was the original captain who had been recalled from his rest period when the trouble started). Two of the pilots realized what was going on. And one of those pilots did realize what was happening and made the correct (forward) movement with his joystick to lower the nose. But the other pilot's stick was actually controlling. The Airbus controls are fully fly by wire and give no feedback, including no indication that the pilots are making conflicting inputs. The only way to tell there is a conflict is to actually look over at what the other pilot is doing and everyone was too distracted by the aural warnings and odd data coming from the displays. This was the last link in the chain that doomed the flight.

            Here's the last words from the CVR:

            02:13:40 (Bonin) “But I’ve had the stick back the whole time!”

            02:13:42 (Dubois) “No, no, no… Don’t climb… no, no.”

            02:13:43 (Robert) “Descend… Give me the controls… Give me the controls!”

          4. hayseed

            Re: Hey software, get the fuck out of the way!

            Actually, the Airbus ceded control to the pilots, but it averaged input from the pilot and the copilot. The pilot knew what he was doing, the copilot didn't and kept yelling something about "touch-and-go" - but at the heights they were at, there is much less lift, and one does NOT tilt up the plane like in a landing exercise like at sealevel.

        2. David Leigh 1

          Re: Hey software, get the fuck out of the way!

          ddfsdfd

        3. David Leigh 1

          Re: Hey software, get the fuck out of the way!

          FYI pitots = HARDWARE, not SOFTWARE.

          1. Neil Barnes Silver badge

            Re: Hey software, get the fuck out of the way!

            I rather think the biggest error on AF447 was the two pilots not knowing what each was doing; one of those sticks should have overridden the other (I don't claim to know how to implement this!)

            I'm glad I was on that plane on its flight down to Brazil and not the return flight that night...

            1. Andre Carneiro

              Re: Hey software, get the fuck out of the way!

              Whenever the two sidesticks receive a command, there is a very loud DUAL INPUT aural and visual warning on the FMA.

              The end result of the command to the plane is the sum of the vectors of both inputs (so a full “pitch down” input would effectively nullify a “full pitch up input”).

              Moreover, there is a Sidestick Priority button which, when pressed, disables the other one, gives a loud PRIORITY LEFT/RIGHT aural warning and a visual warning on the console of the pilot who lost priority. This is in case a stick fails and starts sending weird inputs.

            2. Andre Carneiro

              Re: Hey software, get the fuck out of the way!

              Also.... The issue with that particular AF flight was multifactorial (as these things often are) and started before the actual event (as these things often do).

              In a very very quick summary, there were significant training issues. Losing Air Data at high altitude is serious but it's fairly trivial to maintain level flight using Thrust and Attitude (pitch up measurement) alone. There are tables for that in the manual ("For this thrust, at this weight, with this pitch, this plane will fly at approximately this altitude and continue doing so").

              The choice of route (straight through a thunderstorm from which other planes had deviated) was probably a determinant factor and indicated the complacency of the pilots and the over confidence in the superiority of the technology (the last point being driven home by the fact that the copilot had a full nose up input on the stick for most of the incident which is a schoolboy error when dealing with a stall, because he assumed the alpha-protections would keep the plane from stalling). That the Captain was absent from the flight deck when the plane entered the storm cell again may suggest complacency or a lack of awareness of the risk.

              It was all very sad and it is easy to analyse with the retrospectoscope but ultimately the software did exactly what it should do and the plane should not have come down.

              Then again I wasn't there and the barrage of inconsistent warnings and failures would probably have overwhelmed me as well.

            3. rg287

              Re: Hey software, get the fuck out of the way!

              I rather think the biggest error on AF447 was the two pilots not knowing what each was doing; one of those sticks should have overridden the other (I don't claim to know how to implement this!)

              The main thing is not to override (though there is a feature for one stick to take priority in the event a stick goes faulty) but to warn when dual, conflicting inputs are received.

              Boeing does this with linked yokes - if the other side of the cockpit is pushing forward, you'll receive physical tactile feedback of that if you're trying to pull back. The Airbus sticks do not provide linked force feedback.

            4. error 13

              Re: Hey software, get the fuck out of the way!

              I believe there is a rather simple system for this - each stick has a red button called something like priority control. Push it and hold it and you get exclusive control. Why the captain didn't push the button will forever be a mystery

              1. tim 13

                Re: Hey software, get the fuck out of the way!

                What happens if they both press it?

                1. I ain't Spartacus Gold badge

                  Re: Hey software, get the fuck out of the way!

                  As I understand it the two-inputs alarm did ring. But the pilots were too distracted by other alarms to notice. I think too many designers forget how much information the human can take in, and put too much on screens. It's still easier to read an analogue altitude dial quickly than a digital one - I think because the analogue one is effectively a picture - whereas you have to process the numbers and think about them with a digital one.

                  The same is true with the sidesticks. Why have a buzzer and a warning to tell you that someone else has hands on? It's fine in normal flight, but what if all brain cells are currently busy processing other warning data? At that point the physical action of having the stick pulling in another direction is telling you directly what's going on. Simplicity is best.

                  Remember that Qantas A380 that went all roller-coaster a few years ago, and kept going through multi-thousand foot dives and climbs? The crew had to put the plane into one of the more manual flight modes to correct it. I think the copilot had something like 1,000 warning messages in 5 minutes. No human can take in that data. He spent the first minute or two just scrolling through his screen acknowledging warning bells to shut them up and there was no way to work through that much info to come to any diagnosis of the problem.

                  You can train pilots in sims to take in more data, but I'm always struck by those Air Crash documentaries just how many alarms the pilots are subjected to. And they're distracting. Once confusion sets in I feel they actually make recovering from the confusion harder - even where there might actually be time.

                  1. N.

                    Re: Hey software, get the fuck out of the way!

                    << As I understand it the two-inputs alarm did ring. But the pilots were too distracted by other alarms to notice. >>

                    My recollection is that the pilots were not fighting over the control of the plane. The captain put the younger pilot in charge before going to bed. When the Pitot probes froze, this pilot set the plane in a steep climb, as the book recommended, but without informing his colleague. The plane stalled. At an altitude of 600 m, he told his colleague about what he was doing for the last five minutes or so. The more experienced pilot understood immediately what was happening ; he took over and set the plane in a dive. Near the water surface, the younger pilot got scared and battled with his colleague for control. It was too late, anyway.

                    That is what I remember from reading the investigation report ; I might be wrong.

                2. defiler Silver badge

                  Re: Hey software, get the fuck out of the way!

                  What happens if they both press it?

                  I'd like to hope that the Captain has priority then. After all, it's the Captain's aircraft. Which seat the Captain sits in can vary between airlines, but once the plane is set up for an airline it shouldn't need changing until it changes hands.

                  That's how I would do it, anyway... All opinion. I'm the guy sitting in the back.

                  1. Andre Carneiro

                    Re: Hey software, get the fuck out of the way!

                    If they both press it, whoever pressed it last will have the side stick priority.

                    If the priority button remains pressed for more than 45 seconds, then the other stick will be disabled for the remainder of the flight.

                    1. Anonymous Coward

                      Re: Hey software, get the fuck out of the way!

                      If the priority button remains pressed for more than 45 seconds, then the other stick will be disabled for the remainder of the flight.

                      -----------------------------------------------------------------------------------------------------------

                      That's not good.

                      1. Andre Carneiro

                        Re: Hey software, get the fuck out of the way!

                        “If the priority button remains pressed for more than 45 seconds, then the other stick will be disabled for the remainder of the flight.

                        -----------------------------------------------------------------------------------------------------------

                        That's not good.”

                        Why not?

                        If you have a faulty stick it makes sense to disable it rather than constantly taking priority every few seconds and risk an unexpected random input at a critical time, IMHO.
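The arbitration described in this sub-thread (summed inputs with a DUAL INPUT warning, a priority button that silences the other stick, the most recent press winning when both are held, and a long hold latching priority for the rest of the flight) is a small state machine, and the "faulty stick" argument just above is easiest to judge by running it. The following is an added example written for this page; it is not Airbus code and not from any manual. The 45-second figure, the last-press rule and the normalised -1..1 input range are taken from the commenters' description and are treated as assumptions, not verified aircraft behaviour.

```python
"""Added example (not from the thread or any Airbus document): an arbiter
that behaves the way this sub-thread describes the sidesticks. Inputs are
normalised to -1..1 (full nose-down .. full nose-up, constructed units);
times are seconds. The 45 s latch and 'last press wins' rule are the
commenters' description, assumed here, not verified behaviour."""

LATCH_SECONDS = 45.0  # hold time after which the other stick stays disabled


def _clip(x):
    """Keep the summed command inside the physical -1..1 range."""
    return max(-1.0, min(1.0, x))


class SidestickArbiter:
    def __init__(self):
        self.pressed_since = {"LEFT": None, "RIGHT": None}  # press start times
        self.latched = None  # side holding priority for the rest of the flight

    def step(self, t, left, right, left_btn, right_btn):
        """One control cycle. Returns (commanded_input, warnings)."""
        for side, pressed in (("LEFT", left_btn), ("RIGHT", right_btn)):
            if pressed and self.pressed_since[side] is None:
                self.pressed_since[side] = t  # remember when this press began
            elif not pressed:
                self.pressed_since[side] = None

        # Decide which stick, if any, holds priority this cycle.
        if self.latched:
            priority = self.latched
        else:
            held = [s for s in ("LEFT", "RIGHT") if self.pressed_since[s] is not None]
            if len(held) == 2:
                # Both pressed: the most recent press wins.
                priority = max(held, key=lambda s: self.pressed_since[s])
            elif held:
                priority = held[0]
            else:
                priority = None

        warnings = []
        if priority is None:
            # No priority: inputs are summed; two non-zero inputs raise DUAL INPUT.
            if left != 0.0 and right != 0.0:
                warnings.append("DUAL INPUT")
            return _clip(left + right), warnings

        # Priority taken: the other stick is ignored and the loser is told so.
        since = self.pressed_since[priority]
        if self.latched is None and since is not None and t - since > LATCH_SECONDS:
            self.latched = priority  # held long enough: permanent for this flight
        warnings.append(f"PRIORITY {priority}")
        return _clip(left if priority == "LEFT" else right), warnings


if __name__ == "__main__":
    # Constructed sequence: opposing inputs, then a fight over the button.
    arb = SidestickArbiter()
    print(arb.step(0.0, 1.0, -1.0, False, False))   # cancel out, DUAL INPUT
    print(arb.step(1.0, 1.0, -1.0, False, True))    # right takes priority
    print(arb.step(2.0, 1.0, -1.0, True, True))     # left pressed later, left wins
    print(arb.step(50.0, 1.0, -1.0, True, True))    # held > 45 s: latched LEFT
    print(arb.step(52.0, 0.0, -1.0, False, True))   # right press no longer counts
```

Note what the latch buys and costs: once a stick has been overridden for longer than the hold time, a later press on the losing side is ignored, which is exactly the protection against a faulty stick that the reply above argues for, and also exactly why a crew that latches the wrong side cannot undo it in this model.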

                3. ITS Retired

                  Re: Hey software, get the fuck out of the way!

                  Set it up so whoever made the red button's contacts connect first has control. If they can do similar on game shows, they can do this in multi-million $$$ passenger planes, too.

            5. ridley

              Re: Hey software, get the fuck out of the way!

              IIRC one of the sticks DID override the other. The co-pilot was pulling back on the stick the whole way down from 35000+ feet until they nearly hit the sea, but by then it was too late.

              https://www.youtube.com/watch?v=XAom93qwoN0

              Watch 42 minutes in.

        4. dvvdvv

          Re: Hey software, get the fuck out of the way!

          Another bullshit. The software didn't force AF447 into the ocean — the software correctly detected that it couldn't make decisions based on the malfunctioning sensors and put itself out of the loop, making it very clear to the pilots. It was the pilots who dropped the plane into the ocean.

        5. Someone Else Silver badge

          Re: Hey software, get the fuck out of the way!

          If you are going to give software the ability to countermand the flight crew, then you need to have fault-tolerant redundant sensing systems in place to make sure that the systems on the plane have accurate information.

          Or... you simply do not give the software the ability to irrevocably countermand the flight crew. Period.

          1. Anonymous Coward

            Re: Hey software, get the fuck out of the way!

            "Or... you simply do not give the software the ability to irrevocably countermand the flight crew. Period."

            Unfortunately, I've read quite a few air accident reports where investigators concluded that one way the aircraft could have been saved was to have turned control back over to the autopilot.

      2. dvvdvv

        Re: Hey software, get the fuck out of the way!

        Bullshit. The pilot always has the ultimate say, be it Airbus or Boeing.

      3. Alan Brown Silver badge

        Re: Hey software, get the fuck out of the way!

        "It looks like Boeing has started to ape Airbus in that the computer has the ultimate say when it comes to the flight controls. "

        The difference is that the Airbus is an aerodynamically _stable_ design.

        The 737MAX has pushed the 737 design out from aerodynamically stable (the originals and turbofans out to the 1990s - when trimmed, pilots only need to touch the controls occasionally to nudge the aircraft back on course when flying "straight and level") to neutral (1990s to now) and into "unstable" territory - (pilot or computer needs to constantly fly the aircraft to keep it straight and level - fighter jets are an extreme example of this kind of thing)

        Instability should never be allowed in a civil transport and the MAX should not be allowed in the air. There are a bunch of questions that need to be asked of the FAA's approval processes and why a 50-year-old design has been allowed to be progressively modified to the point where it's become inherently unstable whilst retaining the basic type approval.

        I suspect this is going to be an example used in textbooks in future.

      4. Fursty Ferret

        Re: Hey software, get the fuck out of the way!

        Regarding Boeing aping Airbus here...

        There are some fundamental differences.

        1. Airbus uses voted data from three or more sources. A single source fault will be automatically excluded, often with only a maintenance message after landing.

        2. Because of the fly by wire nature you will never find yourself at the limit of your strength. This hugely increases capacity for decision making.

        3. In the event of two simultaneously faulty air data sources, Airbus publish a simple and quick procedure to remove the flight control protections. It's two buttons.

        4. They are also aware of a single faulty AoA vane triggering a stall warning at lift off, and all pilots know the memory actions associated with it (TOGA power, maintain pitch 15 degrees).

        The first crew of this 787 that continued the flight actually demonstrated almost perfect decision making. So one of the stick shakers was going off. The situation was carefully evaluated, a clear risk assessment was made and the safe outcome of the flight was never in doubt.

    3. Updraft102 Silver badge

      Re: Hey software, get the fuck out of the way!

      Until this incident, I would have said that's why I like Boeing more than Airbus. Boeing's philosophy was supposed to be as you say... assist the pilot, but never usurp his authority. The Airbus philosophy is that since pilot error is a/the cause of most crashes, it's going to overrule the pilot if it thinks he is in error. This incident seems an example of the Airbus philosophy, not the supposed Boeing one.

      1. eldakka Silver badge

        Re: Hey software, get the fuck out of the way!

        The Airbus philosophy is that since pilot error is a/the cause of most crashes, it's going to overrule the pilot if it thinks he is in error.

        In the case cited above, the Airbus aircraft recognised it had no idea what was happening, so it gave full control to the pilots, it did not overrule the pilots. Therefore Airbus does recognise that it may, at times, be best to leave it to the pilots. Its default mode is to stop the pilots from doing anything stupid (too tight a turn, too steep a climb/dive, etc.) but that can be disabled by either circumstances where the aircraft recognises that it's got NFI, or by manually switching to alternate law 2.

        I believe (from memory, could be wrong) the issue was multi-fold:

        1) confusing and contradictory indicators;

        2) issues with cockpit layout and information feed to pilots (e.g. alarms being set off by angle-of-attack sensors, but that information, the angle-of-attack, not being available on pilot instrumentation);

        3) that each sidestick was independent of the other, so that one pilot doesn't know what position the other pilot has their sidestick in, resulting in the 2 pilots providing conflicting control input, but neither of them knowing what the other was doing to know that there was conflicting control input.

        4) management issues, whereby clear, concise instructions weren't being given and/or followed by all pilots, e.g. why wasn't it made clear that the pilot in the right-hand seat was now in control and the pilot in the left-hand seat must remove their hands from the flight controls (sidestick) to prevent contradictory control input (tho the fact that this was happening should have been reported by the aircraft, e.g. mechanically (or electrically/haptic-feedback-type) link the 2 sticks).

        It really had nothing to do with the software overruling the pilots. There were many other issues with Airbus's software and cockpit layout/information feed to the pilots, but overruling the pilots wasn't one of them in this case.

        1. rg287

          Re: Hey software, get the fuck out of the way!

          In the case cited above, the Airbus aircraft recognised it had no idea what was happening, so it gave full control to the pilots, it did not overrule the pilots.

          Yeah, AF447 saw a significant chain reaction of errors, some down to human factors, some down to cockpit design. It really epitomises that complex systems can fail in complex ways, even when sparked off by a seemingly simple root fault (like a pitot tube icing over).

          - The autopilot correctly realised it was getting unreliable data and correctly switched to alternate law.

          - The co-pilot had lost situational awareness and thought they were in a dive, pitching up and placing the aircraft into a stall.

          - The pilot attempted to correct the stall condition, but this was where a combination of human factor and cockpit design created a fatal error condition.

          1. Cockpit cooperation and communication broke down - the pilot was unaware that the copilot was trying to correct what they perceived as a dive condition

          2. Because the airbus sidesticks are not mechanically linked and there was apparently inadequate indication of conflicting inputs, the pilot was unable to perceive this from his controls and did not understand that this was the reason why the aircraft was failing to react to a nose-down input on his stick.

          On a Boeing, the linked yokes would have led to at least one half of the cockpit asking "WTF are you doing?" to the other because they would have been physically fighting against each other.

          Ironically, an MCAS system (separate to the autopilot, which had already quit) may also have prevented the co-pilot pitching up into a hard stall condition.

        2. Anonymous Coward

          Re: Hey software, get the fuck out of the way!

          I have heard the various official and unofficial reports about the Air France crash, and I am not a conspiracy theorist however I suggest that the pitot tube icing was a cause of the incorrect instrumentation reading, and that the icing was picked up by flying too close to a thunderhead...which as you get closer to the equator can top out as high as 60,000 feet.

          The airplane 'pancaked in' as the result of hitting the water in a flat spin, the spin resulting from a stall. Not having flown an Airbus 340 or 350, I can't say what the pilot assisted procedure is to recover from a spin, but it would require the fully committed action of someone who had considerable flying ability and experience and knowledge of the state of the aircraft and could apply it within a 3 and 1/2 minute descent window from the point of recognition. There is no glide in a spin and a recovery would likely have taken 10,000 feet of altitude or more for spin recovery and required full power with the aircraft pointed nose down in order for the aircraft to begin flying again which would have consumed additional precious altitude at a faster rate than terminal velocity.

          The captain was returning from Brazil with his wife onboard and was not at the controls or on the flight deck when the plane encountered the icing (icing, which is a manageable occurrence). The left seat pilot was an experienced 'type' pilot with almost no experience flying through the horsey latitudes while the right seat had a new pilot to 'type' with many hours flying trans-equatorial. It was a moonless night, with no visual reference (over water), and the non-equatorial pilot flew too close to a thunderhead he was avoiding which led to the icing. Normally you would fly around the thunderheads guided by visual reference or radar, with equatorial thunderheads being of the type that have unique characteristics because of their sheer height. The right seat pilot would have had the knowledge of this uniqueness however he was not the pilot in command.

          These planes are built to be able to fly into and through rough weather but for some reason the icing was unexpected.

          The captain arrived on the flightdeck at some point in the 'enter into stall', 'stall', or entry into the spin (he detected an unusual change in aircraft or engine pitch perhaps, the remnants of the autopilot system before kicking over to manual).

          A spin without visual reference doesn't feel much different than straight and level flight although the electrical based systems such as the INS would have been reflecting the mayhem and toppling. No one was in a position to confidently summarize and positively control the aircraft to exit the spin by deploying spoilers, landing gear, or a hard counter rudder while pushing the nose over applying full power to attempt to get the lift required for the machine to start flying because none of the crew were in the right places, or had the right experience to be sitting where they were sitting.

          I hear this flight referenced all the time for the published reasons in this string. IMHO this was an organizational error (on duty captains flying with their spouses) on overnight flights especially when crossing the horsey latitudes, the bad luck of that combination of skills and experience (or lack of experience) on the flight deck at that stage of the flight, a dark and moonless night flying over water not providing any visual reference, and an iced pitot tube which delayed and prevented any present pilot from recognizing the actual state of flight and taking decisive action to stop the spin was the real cause.

          While I agree that the software on the Java Air flight was faulty or interpreting faulty data, the 737 Max does differ from the other 737 series probably due to the need to monitor lift (angle of attack) more carefully due to the length of the longitudinal axis, weight capacity and probably both. What this means is that an experienced pilot on type would have to have learned about the critical differences between this model and the rest of the 737 models, and learn about the unique recovery procedures (pull the fuse) of the Max.

          The pilots should have been forced to learn about the new procedure and been given the information of the criticality of the angle of attack on this model. It has not been determined whether or not this took place.

          Pulling a fuse to save an aircraft and the souls on-board does seem pretty Mickey Mouse though.

          The first thing which I thought of when I heard the report of the crash, although the poor maintenance record of the airline formed the bulk of the initial news article's reason for the crash, was the potential failure of a Neo engine which is an available power plant on this aircraft. This is a new aircraft jet engine which uses a gearing system in order to move a greater number of very thin fan blades at a higher rate of speed using less fuel (per pound of thrust). There have been problems with this engine but when it works it provides a relative economic panacea for the airline.

          A safe angle of attack is achieved (and determined) by airflow which is a function of thrust when taking off, climbing and at altitude, and a function of altitude when descending. Maybe the size and weight of the aircraft precipitated the systems modification, maybe the new engine, but in any event this system was new, critical, and persistent.

          IMHO no aircraft of this type should crash at 800 hours without any reason short of sabotage. The reason for the unfortunate crash may turn out to be attributed to a combination of mechanical and pilot error with a contributing factor being poor maintenance practices. It is a certainty that Boeing will change the responsible hardware and software system quietly over time.

          1. Anonymous Coward

            Re: Hey software, get the fuck out of the way!

            Your excellent writeup covers lots of important things but seems to miss one important fact re pitot tube icing: in the case of the loss of AF447 and all on board, there were pitot tube icing issues already identified and various remedial programs were in progress, but its importance hadn't been fully recognised, and combined with various other unrelated failures, it led to the loss of AF447 and all on board:

            https://en.wikipedia.org/wiki/Air_France_Flight_447

            Article includes links to the original definitive history, showing that the "must never happen" state of two identically failed pitot tubes outvoting the one good pitot tube had been a worryingly frequent occurrence over a few years, but in general, some other part of the picture had prevented a "must never happen" failure becoming a disaster.

            When all the failures and omissions line up together like holes in pieces of swiss cheese, well we know what happened on AF447.

            General Swiss Cheese model overview below [1].

            It's not rocket science (well, actually, maybe it is - see e.g. O rings and Feynman's addendum to the space shuttle inquiry report) e.g. via [2].

            But when the regulatory authorities start accepting modifications to equipment and procedures without proper understanding of the implications, we all stand to lose.

            [1] https://en.wikipedia.org/wiki/Swiss_cheese_model

            "The Swiss cheese model of accident causation is a model used in risk analysis and risk management, including aviation safety, engineering, healthcare, emergency service organizations, and as the principle behind layered security, as used in computer security and defense in depth. It likens human systems to multiple slices of swiss cheese, stacked side by side, in which the risk of a threat becoming a reality is mitigated by the differing layers and types of defenses which are "layered" behind each other. Therefore, in theory, lapses and weaknesses in one defense do not allow a risk to materialize, since other defenses also exist, to prevent a single point of failure. [etc]"

            [2] https://motherboard.vice.com/en_us/article/nz7byb/the-challenger-disasters-minority-report

          2. Alan Brown Silver badge

            Re: Hey software, get the fuck out of the way!

            "I suggest that the pitot tube icing was a cause of the incorrect instrumentation reading, and that the icing was picked up by flying too close to a thunderhead."

            In the case of AF447 it was also related to the _type_ of pitot used (although why you'd want them all from the same maker I'm not quite sure, it means they may all fail the same way. Nonetheless, that's what airlines insist on) and the factor that the pilots didn't turn on deicing heat when approaching said thunderhead (which should be automated anyway)

            1. Anonymous Coward

              Re: iced up AF447 pitot tubes

              "In the case of AF447 it was also related to the _type_ of pitot used"

              Correct.

              "why you'd want them all from the same maker I'm not quite sure"

              That's not permissible, exactly because "it means they may all fail the same way"

              "Nonetheless, that's what airlines insist on"

              If they do, it'll be news to a lot of people. Three pitot tubes of two dissimilar designs is the usual requirement. There's a reasonable description in the AF447 wikipedia article. Three sensors, two designs, so as to reduce the risk of two plausible but identically wrong signals outvoting a correct but implausible signal. Reducing the risk doesn't necessarily eliminate the risk. In recent years mergers and acquisitions among suppliers may have introduced hidden risks - different model numbers, shared design features.

              'Dissimilar redundancy' needs to be properly enforced by people with a clue, people who understand the 'bigger picture', typically not people with MBAs and years of headcount reduction and introduction of inappropriate 'cost reduction' programs. MBAs etc tend to understand the wrong kinds of redundancy :(

              ps re Lucas

              Who do you think has been designing, making, and supporting the fuel systems, FADECs, etc, for the engines on a large proportion of Airbus and Boeing's widebody jets, amongst others?

              Does the name Trent ring any bells?

      2. Graham Triggs

        Re: Hey software, get the fuck out of the way!

        "Until this incident, I would have said that's why I like Boeing more than Airbus. Boeing's philosophy was supposed to be as you say... assist the pilot, but never usurp his authority. The Airbus philosophy is that since pilot error is a/the cause of most crashes, it's going to overrule the pilot if it thinks he is in error. This incident seems an example of the Airbus philosophy, not the supposed Boeing one."

        I may be wrong here, but my impression is that even with Airbus, it is the human part that causes virtually all failures. Admittedly, sometimes that is down to bad interface design, where the human thinks they are doing one thing, but are actually telling the software something else.

        And whilst we could say that because this incident was caused by a faulty sensor, and that a faulty sensor should not be allowed to override a pilot's input, pilots are still depending on what the plane is telling them. If the software can get bad data, so can the pilot - and there are crashes where the pilot has been given the wrong altitude, airspeed, etc.

        We have to be realistic here - the software is pretty reliable within its operating parameters. And some of the cases where a pilot might be able to react on instinct, e.g. flying in bad weather, maybe there could be better decisions to be made to not put a plane in that kind of risk.

        Whilst we worry about the reliability of the software, think of the incidents that could be prevented. If you can (mostly) rely on a plane flying and landing itself, detecting and avoiding any obstructions, you can afford to lock the controls to the biometrics of the pilots prior to take-off, knowing that if anything happens to them - or simply there is a failure to read the biometrics - it is the plane that will get itself to safety. It would significantly impact the possibilities for hijackers.

        But however good the software can be, pilots are necessary. Maybe the unexpected situation is unavoidable. Maybe you are running low on fuel and need to land at an airport where guidance systems for an automated landing are malfunctioning. You need a human element to deal with passenger emergencies. With 100s of people on board, you need to cover these possibilities.

    4. Malcolm Weir Silver badge

      Re: Hey software, get the fuck out of the way!

      Actually, the issue here is that the pilots were not properly trained on the MCAS -- Boeing added that system to the 737MAX but didn't make a big deal about it (or indeed any deal about it) -- so much so that other 737MAX pilot groups are furious! That's "furious" as in writing letters to the FAA about it... The three big unions representing 737 operators in the US (Southwest, American and United) have all responded with anger towards Boeing.

      The issue is that *if* you know about MCAS, you can defeat its "help". If you don't, you have no idea why your airplane is constantly trying to put its nose down.

      All indications are that Lion Air's pilots (and those of Southwest, American and United) did not know, and have not been trained on or practiced with MCAS, let alone MCAS failure modes.

      1. dvvdvv

        Re: Hey software, get the fuck out of the way!

        You don't really need any special MCAS training — a runaway trim is a runaway trim no matter what the cause is. And dealing with a runaway trim is a well-established and relatively simple procedure.

    5. Graham Triggs

      Re: Hey software, get the fuck out of the way!

      Whilst I would agree that this is probably a system too far, maybe your anger is a little misplaced.

      It's not the programmers who thought they were god.

      It's not the programmers who decided to have this system.

      The programmers have simply done their job to implement a protection routine based on the inputs that it is given. And in all likelihood it is the data rather than the algorithm that generated the problem.

      That they did, that the system was installed in the aircraft is a management decision.

    6. Voland's right hand Silver badge

      Re: Hey software, get the fuck out of the way!

      I am sorry Dave, I am afraid I can't do that.

      On a more serious note, "Switch to Manual" should mean "Switch to F*cking Manual".

      1. Prst. V.Jeltz Silver badge

        Re: Hey software, get the fuck out of the way! Can it?

        What does "Switch to Manual!!" actually mean?

        Is it possible for software to "Get the fuck out the way?"

        It isn't on my car - a 28 year old sports car - it still has a little computer running software deciding how much fuel to put in and which / when spark plug to fire, and when it fucks up, as it has a few times, locomotion ceases.

        My car at least has a throttle cable - most don't these days, and neither do these planes.

    7. Destroy All Monsters Silver badge

      Re: Hey software, get the fuck out of the way!

      Programmers, fuck off!

      Someone in here has no clue how such systems are designed, implemented and rolled out.

      Get to Amazon and read books.

    8. SW10

      Re: Hey software, get the fuck out of the way!

      Looks like your aircraft is stalling. Would you like some help?

      [ Yes ] [Cancel]

    9. TomChaton

      Re: Hey software, get the fuck out of the way!

      "Programmers, fuck off!"

      You first.

      We'll be right behind you on Ark Fleet Ship C.

    10. nariman

      Re: Hey software, get the fuck out of the way!

      Yes, quite.

      I mean, I haven't worked in safety critical systems design, just kernel software and real-time systems in general, but one of the first questions during say a design review for a safety critical system might be "what if the inputs are total rubbish".

      I mean we go to such extreme lengths for web forms.

      If a subsystem has the capability to override the pilot and cause death (i.e. nosedive the plane, which seems to be the primary purpose of the system, in effect) then surely it has to be n-modular redundant and voting and all that high brow aerospace/aviation gubbins?

      No?

      So reawakening some of my degree from a long lost part of my brain it seems like the IEC 61508 standard has an automotive flavour "ISO_26262" (which I am using here to prove that there is at least a pretty obvious step at which this should have been identified as an issue). Clearly the aviation standards will be more exacting (right?).

      https://en.wikipedia.org/wiki/ISO_26262#Parts_3-7:_Safety_Life_Cycle

      Bullet point number two (after "identify the item and its requirements"):

      "A comprehensive set of hazardous events are identified for the item."

      Is "bogus input from a single sensor with no validation" not a "hazardous event" given that the direct consequence is nosediving?

      Hindsight etc. Icon for sarcasm.

    11. Anonymous Coward

      Re: Hey software, get the fuck out of the way!

      "there is NO reason whatsoever for software written by blithering idiots to override and countermand the pilot."

      The problem is a little more subtle than a lot of news articles are spewing (and it's that subtlety that made it so deadly.)

      The software never "overrode" the pilots. MCAS is designed as an assist. It trimmed nose down at an inappropriate time, certainly, due to a bad sensor. But the pilots were able to trim the nose back up easily. In fact, MCAS gets "out of the way" as soon as a pilot makes a trim adjustment and stays out of the way... for five seconds. Then it tries again. It's trying to help.

      The tragic flight was a game of back-and-forth. MCAS trimmed down. Pilot trimmed up. Wait five seconds. Repeat 20+ times. Then, for some reason, they didn't. MCAS served the ball, but the pilots didn't return it. We don't know why.

      The pilots could have disabled all electric trim and adjusted it with the manual trim wheels. This is exactly what the previous flight on this exact airplane did. We still don't know why these pilots didn't do that.

      The condition they faced is called a "runaway stabilizer" and turning off electric trim is part of the checklist on how to deal with it. The issue is that a typical runaway stabilizer is *continuous*, but MCAS does that whole "wait 5 seconds" bit which was undoubtedly confusing. There's still a lot of missing information here.

    12. Steve Channell

      Re: Hey software, get the fuck out of the way!

      There is a simple procedure that works in this case: throttle out (foot on the gas). Pilots don't like throttling out because it uses lots of fuel and causes stress on the engines... all of which is recorded for performance review.

  2. Pink Duck

    Question

    Why didn't they just disable MCAS?

    1. Remy Redert

      Re: Question

      Probably didn't realize it was the problem or didn't know how to disable it. This situation escalated rapidly and never should have happened. Proper design dictates multiple sensors, multiple systems and if they disagree, hand off to the pilot and let them know their safety system isn't working any more.
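The two design rules raised in this thread, "three sensors, two designs" voting (the pitot discussion above) and "multiple sensors, and if they disagree, hand off to the pilot" (this post), are easy to state and easy to get subtly wrong. The Python below is an added example written for this page, not code from Boeing, Airbus or any avionics supplier; the angle-of-attack limits, tolerances, sensor names and sample values are all constructed for illustration. It contrasts a naive 2-of-3 voter with one that also applies per-channel plausibility checks and refuses to trust a majority made up of a single probe design when a plausible reading from the other design disagrees, which is exactly the common-mode case (two identically wrong channels outvoting one good one) that dissimilar redundancy is meant to cover:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical plausibility limits for an angle-of-attack channel, in degrees.
# Illustrative values only, not taken from any aircraft or manual.
AOA_MIN, AOA_MAX = -10.0, 25.0   # outside this band a reading is treated as garbage
MAX_STEP = 5.0                   # largest credible change between consecutive samples
AGREE_TOL = 1.5                  # two sensors within this band are counted as agreeing


@dataclass
class Reading:
    sensor_id: str
    design: str        # which probe design/supplier produced it, e.g. "A" or "B"
    value: float       # current sample
    prev_value: float  # previous sample from the same sensor, for a rate check


def plausible(r: Reading) -> bool:
    """Single-channel sanity check: in range and not jumping impossibly fast."""
    return AOA_MIN <= r.value <= AOA_MAX and abs(r.value - r.prev_value) <= MAX_STEP


def cluster(readings: List[Reading]) -> List[List[Reading]]:
    """Group readings that agree with every other member of their group within AGREE_TOL."""
    groups: List[List[Reading]] = []
    for r in readings:
        for g in groups:
            if all(abs(r.value - o.value) <= AGREE_TOL for o in g):
                g.append(r)
                break
        else:
            groups.append([r])
    return groups


def naive_vote(readings: List[Reading]) -> Tuple[str, Optional[float]]:
    """Plain 2-of-3 voting: whichever group holds a majority wins, no questions asked."""
    need = len(readings) // 2 + 1
    best = max(cluster(readings), key=len, default=[])
    if len(best) >= need:
        return "OK", sum(r.value for r in best) / len(best)
    return "HANDOFF", None


def diverse_vote(readings: List[Reading]) -> Tuple[str, Optional[float]]:
    """Voting that also honours plausibility and dissimilar redundancy.

    Returns ("OK", consensus) when a trustworthy majority exists, otherwise
    ("HANDOFF", None), meaning the consumer must stop acting on the value and
    leave control with the crew.
    """
    need = len(readings) // 2 + 1                 # majority of the *installed* sensors
    good = [r for r in readings if plausible(r)]  # drop channels failing the sanity check
    best = max(cluster(good), key=len, default=[])
    if len(best) < need:
        return "HANDOFF", None
    designs_in_majority = {r.design for r in best}
    if len(designs_in_majority) >= 2:
        return "OK", sum(r.value for r in best) / len(best)
    # The majority comes from one design only. If a plausible reading from a
    # different design disagrees, this may be a common-mode failure (two
    # identical probes wrong in the same way), so refuse to pick a side.
    dissent = [r for r in good if r not in best and r.design not in designs_in_majority]
    if dissent:
        return "HANDOFF", None
    return "OK", sum(r.value for r in best) / len(best)


# Constructed samples for three sensors: two of design "A", one of design "B".
ALL_AGREE = [Reading("L1", "A", 4.0, 3.8), Reading("R1", "A", 4.3, 4.1), Reading("C1", "B", 4.1, 4.0)]
ONE_GARBAGE = [Reading("L1", "A", 70.0, 4.0), Reading("R1", "A", 4.3, 4.1), Reading("C1", "B", 4.1, 4.0)]
COMMON_MODE = [Reading("L1", "A", 12.0, 11.8), Reading("R1", "A", 12.2, 11.9), Reading("C1", "B", 4.1, 4.0)]
ODD_ONE_DEAD = [Reading("L1", "A", 4.0, 3.8), Reading("R1", "A", 4.3, 4.1), Reading("C1", "B", -40.0, 4.0)]
NO_QUORUM = [Reading("L1", "A", 4.0, 3.8), Reading("R1", "A", 9.0, 8.7), Reading("C1", "B", 14.0, 13.6)]

if __name__ == "__main__":
    for name, rs in [("all agree", ALL_AGREE), ("one garbage", ONE_GARBAGE),
                     ("common mode", COMMON_MODE), ("odd one dead", ODD_ONE_DEAD),
                     ("no quorum", NO_QUORUM)]:
        print(f"{name:13s} naive={naive_vote(rs)} diverse={diverse_vote(rs)}")
```

The interesting row is COMMON_MODE: the naive voter happily outputs 12.1 degrees because two channels agree, while the diverse voter hands off because the only dissenting channel is of the other design and passes its own sanity check. ODD_ONE_DEAD shows the other side of that rule: a single-design majority is still accepted when the dissenter is obviously broken, so the check costs availability only when there is a genuine, plausible disagreement to resolve.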

      1. dvvdvv

        Re: Question

        The previous crew realized that the system was trimming the elevator wrong (it's kinda hard to miss) and knew how to disable it.

        Redundancy (sometimes it's hard to tell if and which sensors are malfunctioning) and full handoff to humans (they happen to lose their minds anyway) don't always work either.

    2. Anonymous Coward

      Re: Question

      Apparently they didn't even know the system existed.

      The automatic trim Boeing introduced on the 737 MAX, called MCAS, was news to us last week. Graver, it was news to the Pilots flying the MAX since 18 months as well.

      Boeing and its oversight, the FAA, decided the Airlines and their Pilots had no need to know. The Lion Air accident can prove otherwise.

      https://leehamnews.com/2018/11/14/boeings-automatic-trim-for-the-737-max-was-not-disclosed-to-the-pilots/

      1. Anonymous Coward

        Re: they didn't even know the system existed

        This is what is likely to happen when a company once known for its engineering excellence ends up subcontracting out almost everything - the "manufacturer" (and/or associated regulatory authorities) become little more than a team of marketing managers and thought leaders.

    3. SkippyBing Silver badge

      Re: Question

      Boeing decided it was best not to tell pilots about MCAS as they didn't want to overload them with information. It was assumed the standard procedure for dealing with runaway trim would be sufficient, except in this case it didn't present as runaway trim because it's limited to 2.5 seconds of travel at a time.

      So the pilots were attempting to diagnose a problem without knowing all the potential causes, it's therefore likely they misdiagnosed the issue and were applying the wrong solution. n.b. there is another automatic trim system (STS), for fine tuning the pitch as speed increases, that they would have known about and may have thought was the issue.

      https://www.avweb.com/avwebflash/news/Pilots-Not-Told-About-737-MAX-Auto-Trim-System-Updated-231846-1.html

      1. dvvdvv

        Re: Question

        The trim is off. You feel it on the wheel. You correct it. The damn wheel rotates away again. And again. And again. It's hard not to notice. 2.5 seconds or no 2.5 seconds.

    4. ridley

      Re: Question

      I remember reading that it is not the same on the 737 Max and had not been covered in their conversion training (3 hours).

      Not a good time to need to RTFM

    5. Martin Gregorie Silver badge

      Re: Question

      Were they

      (a) able to disable MCAS?

      (b) trained on how and when to disable MCAS?

      Serious design and training errors were made unless both (a) and (b) can be answered 'Yes'.

      1. SkippyBing Silver badge

        Re: Question

        'Were they

        (a) able to disable MCAS?

        (b) trained on how and when to disable MCAS?

        Major design and training errors are at fault unless both (a) and (b) can be answered 'Yes'.'

        Yes, in that you can disable all trim via two switches. Although in previous 737 variants you could override it just by moving the control column backwards, this was removed from the MAX as it would negate the purpose of MCAS which is purely to push the nose down if you're approaching the stall. The MAX needs MCAS as due to putting ever larger engines on the 737 it has lost the natural tendency to recover that the original design had.

        No, as Boeing didn't include it in the training.

      2. Anonymous Coward

        Re: Question

        I'm afraid it goes even further than that. This looks like a fatal combination of Boeing's commercial desire to make MAX fly like an NG and the FAA's decision to allow Boeing to effectively self-certify its design.

        Had Boeing told pilots about the existence of MCAS they'd then not be type qualified on both MAX and NG with specific training on both, which would have cost money.

        The most worrying aspect as far as I'm concerned is that the FAA signed off this concealment of information. If the regulators are making fatal errors, that's bad. The way in which the aviation industry safety system works kinda assumes that the regulators are infallible...

      3. dvvdvv

        Re: Question

        Yes and yes.

    6. sanmigueelbeer Silver badge

      Re: Question

      Why didn't they just disable MCAS?

      1. Lion Air pilots (all of them) didn't know anything about the MCAS. Boeing is under fire for not telling anyone. Call it an "undocumented feature".

      2. Because Lion Air pilots didn't know, they also didn't know what it "feels" like when the MCAS takes over.

      3. The flight crew from the previous flight "blindly" disabled MCAS. They didn't do this on purpose. They misdiagnosed the issue and turned off the trim which resulted in gaining control of the a/c.

  3. e_is_real_i_isnt

    They didn't need to disable MCAS - they needed to disable the stabilizer trim motors - which is done with the two switches. The stabilizer trim is set via wheels that are right alongside the pilots, wheels that are marked in black and white stripes to make any motion readily visible. Wheels the pilots can manually overpower to overcome the motors by brute force if required.

    These pilots seem not to have known about one of the major control surfaces:

    Rudder, Elevator, Stabilizer, Ailerons, Flaps, Spoilers. That's it. Six things to know about.

    This suggests that Lion Air has really poor training for its pilots. Of course, they are the same people who put the plane back in the air without finding out what went wrong when the exact same thing happened to the trim on at least three previous flights or leaving a sticky-note on the control panel to warn that the stab trim motors should be shut off.

    1. Anonymous Coward

      @e_is_real_i_isnt

      How do you train your pilots if the plane manufacturer does not inform you of the new feature added to the plane?

      1. dvvdvv

        This feature is pretty much covered by long-established procedures already. There are no new switches to flip, no new actions to perform to deal with its faults.

        1. SkippyBing Silver badge

          'This feature is pretty much covered by long-established procedures already. '

          Well it obviously isn't or they wouldn't have crashed.

          Boeing claim the runaway trim procedure deals with the issue, however runaway trim presents as just that, the trim motoring all the way to the stops, MCAS is an intermittent nose down trim that the pilots may think they've countered with the standard actions because it stops and they don't know about MCAS. If you've got more than one thing going wrong, and they did because one pilot's control was shaking to indicate approach to the stall, and their airspeed indications were mismatched, the trim occasionally motoring nose down and then stopping may not register as important until it's too late.
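The point made in this post and in the earlier comment describing the "serve and return" sequence (auto nose-down trim, pilot trims up, pause, repeat 20+ times) is that the classic runaway-trim signature, the motor running continuously to the stops, never appears, so a crew or a monitor looking only for that signature misses the pattern. The Python below is an added example for this page, not code from Boeing or any avionics vendor: the log line format, event names, thresholds and the three sample logs are all constructed here. It runs two detectors over a trim event log, one for a continuous uncommanded run and one for repeated short automatic nose-down runs each answered by pilot nose-up trim, and shows that only the second one fires on the intermittent pattern:

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed stabiliser-trim event logs. The format is invented for this example:
# time in seconds since the first event, who commanded the trim (AUTO or PILOT),
# direction (ND = nose down, NU = nose up) and how long the motor ran, in seconds.
SAMPLE_LOG = """\
t=0.0 src=AUTO dir=ND dur=2.5
t=3.1 src=PILOT dir=NU dur=1.2
t=9.3 src=AUTO dir=ND dur=2.5
t=12.0 src=PILOT dir=NU dur=1.0
t=18.1 src=AUTO dir=ND dur=2.4
t=21.0 src=PILOT dir=NU dur=1.1
t=27.2 src=AUTO dir=ND dur=2.5
t=30.0 src=PILOT dir=NU dur=0.9
"""

# A classic runaway: one long uncommanded run, then the pilot reacts.
CONTINUOUS_LOG = """\
t=0.0 src=AUTO dir=ND dur=9.0
t=9.5 src=PILOT dir=NU dur=2.0
"""

# Ordinary automatic trimming in cruise: short runs in both directions, well spaced.
NORMAL_LOG = """\
t=0.0 src=AUTO dir=ND dur=0.8
t=40.0 src=AUTO dir=NU dur=0.6
t=95.0 src=PILOT dir=NU dur=0.5
"""

LINE_RE = re.compile(r"t=(?P<t>[\d.]+) src=(?P<src>\w+) dir=(?P<dir>N[UD]) dur=(?P<dur>[\d.]+)")

# Hypothetical detector thresholds, chosen for illustration only.
RUNAWAY_SECONDS = 5.0   # a single uncommanded run at least this long is the classic runaway
CYCLE_LIMIT = 3         # this many auto-ND / pilot-NU cycles inside WINDOW_SECONDS is an alarm
WINDOW_SECONDS = 60.0


@dataclass
class TrimEvent:
    t: float
    src: str
    direction: str
    dur: float


def parse_log(text: str) -> List[TrimEvent]:
    """Parse the constructed log format, skipping lines that do not match."""
    events: List[TrimEvent] = []
    for line in text.splitlines():
        m = LINE_RE.fullmatch(line.strip())
        if not m:
            continue  # a production parser would count and report unparseable lines
        events.append(TrimEvent(float(m["t"]), m["src"], m["dir"], float(m["dur"])))
    return events


def classify(events: List[TrimEvent]) -> Dict[str, object]:
    """Run both detectors and report what each one sees."""
    # Detector 1: the textbook runaway, one long uncommanded run.
    continuous = any(e.src == "AUTO" and e.dur >= RUNAWAY_SECONDS for e in events)

    # Detector 2: tug of war. Count automatic nose-down runs that were each
    # immediately answered by pilot nose-up trim; each run on its own is short
    # and looks like normal behaviour, so only the repetition is suspicious.
    cycle_times: List[float] = []
    for i, e in enumerate(events[:-1]):
        nxt = events[i + 1]
        if (e.src == "AUTO" and e.direction == "ND"
                and nxt.src == "PILOT" and nxt.direction == "NU"):
            cycle_times.append(e.t)

    # Most cycles seen inside any WINDOW_SECONDS span starting at a cycle.
    max_in_window = 0
    for i, start in enumerate(cycle_times):
        n = sum(1 for t in cycle_times[i:] if t - start <= WINDOW_SECONDS)
        max_in_window = max(max_in_window, n)

    return {
        "continuous_runaway": continuous,
        "tug_of_war_cycles": max_in_window,
        "intermittent_alarm": max_in_window >= CYCLE_LIMIT,
    }


if __name__ == "__main__":
    for name, log in [("intermittent", SAMPLE_LOG), ("continuous", CONTINUOUS_LOG),
                      ("normal", NORMAL_LOG)]:
        print(f"{name:12s} {classify(parse_log(log))}")
```

On SAMPLE_LOG the continuous-runaway detector stays quiet (no run exceeds 2.5 seconds) while the cycle counter reaches 4, so only the repetition-based alarm fires; CONTINUOUS_LOG trips the first detector and not the second; NORMAL_LOG trips neither. The general lesson for anyone writing monitoring or a checklist is that "the bad thing stops by itself" is not evidence that it is resolved, and a detector keyed on duration alone will not see a fault that is keyed on repetition.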

    2. SkippyBing Silver badge

      Sitting in front of a computer in a low stress environment it's easy to say 'they should have turned the trim off' however in a cockpit at 300kts with multiple conflicting errors manifesting it's a bit more complicated.

      During the flight one pilot's stick shaker was going off to indicate they were approaching the stall, because it was wired to the same faulty sensor. There was also a slight disparity between the two airspeed indicators. However there was no way they were in a position to stall so why is the shaker going off? The nose intermittently going down may not have seemed like their biggest problem until it was too late*. In fact they may have thought they'd solved it by pulling back on the control column and activating the trim cut-out, now this doesn't exist on the 737 MAX, but did on the earlier versions, and in high stress situations people revert to previously learnt behaviour, it's called negative transfer.

      In short Boeing's fix for the poor stall behaviour of the MAX creates additional confusion, especially if you don't know about it. The pilots could have used the trim cut-out switches to remove the fault but that relies on them making the correct decision in a high stress situation, something humans are famously bad at. A proper design review wouldn't have let a single AOA sensor fault manifest itself in this type of failure.

      *The trim works by moving the whole tail plane making it very difficult to counter with elevator alone at the extremes of its travel.

    3. Anonymous Coward

      > Rudder, Elevator, Stabilizer, Ailerons, Flaps, Spoilers. That's it. Six things to know about.

      I'm so glad we have such experts as you here to advise us.

      And there was I thinking that LANDING GEAR might, in some way, be important to the successful conclusion of a flight.

      1. e_is_real_i_isnt

        Landing gear is not a flight surface.

        1. A.P. Veening

          > Landing gear is not a flight surface.

          It most definitely is an air brake, so as such it is a flight surface (when deployed).

      2. Norman Nescio Bronze badge

        > Rudder, Elevator, Stabilizer, Ailerons, Flaps, Spoilers. That's it. Six things to know about.

        > I'm so glad we have such experts as you here to advise us.

        > And there was I thinking that LANDING GEAR might, in some way, be important to the successful conclusion of a flight.

        "Any landing you can walk away from is a good one!"

        — Gerald R. Massie, U.S. Army Air Forces photographer. Written in 1944 after the crash-landing of his B-17.

      3. dvvdvv

        You very rarely need the gear when you deal with in-flight control problems.

  4. Mayday Silver badge

    Aircraft Systems

    I'm a pilot - a shit one compared to these guys and their ilk who can fly 737s nonetheless, but anyway.

    Some systems will happily fly the aircraft into a stall (I realise that is not what happened here, I am just using this as an example) if the pilot does not intervene or uses said system incorrectly. It will even scream the words, "STALL! STALL! STALL!" etc into the headsets whilst doing so. Part of the training in my particular aircraft is to recognise this and disable the autopilot and recover if this occurs.

    This sounds well and good, but if these fellows had thousands of hours (it would appear 6k for the captain and 5k for the FO) of experience and muscle memory then a new system, which may not even be able to be disabled, and possibly not have had an emergency checklist associated with it may (may being the operative term) have contributed.

    1. dvvdvv

      Re: Aircraft Systems

      The trim. Runs. Away. You do the "runaway trim" memory item. If you don't, it does it again. And again. And again. And yes, you disable it exactly the same way you disable any other auto-trim — you disconnect the servo with those same switches.

      1. SkippyBing Silver badge

        Re: Aircraft Systems

        But the trim wasn't running away, it was moving a bit and then stopping which it does in normal operation. Probably on occasion it stopped when the pilots did something they expected would counteract the automatic trim and it appeared to work. If it was the only problem they had to deal with then it might have been a higher priority, but there was also an airspeed indication mismatch and a stick shaker active on one pilot's controls. Figuring out that a bit of trim movement is the most pressing issue would have been helped by knowing MCAS existed and has full authority over the stabiliser.

  5. disk iops

    I meant to add in my little screed that the first rule of being a pilot is to fly the damn plane. There should NOT be any software systems to second-guess the pilot(s) beyond anything more than an advisory role. There should be NO automatic trim. If you can't be arsed to pay attention to trim and adjust it with deliberate control inputs as speed and elevation changes you are NOT flying. You're barely supervising and probably inattentively at that.

    Heck I used to sit in the jump seat on Tokyo to Anchorage when I was a kid for hours and well remember the clattering of the trim wheels as they spun.

    I have no beef with how the Airbus (Air France?) software behaved. It's supposed to yield (I would argue software shouldn't be in control at any time...) on demand and for any reason. That the pilots screwed up is unfortunate but is the cost of flying silly fast at silly altitudes where the coffin corner is much too easy to hit. Shaving safety margins so excessively to save money is where this whole modern society has gone off the rails.

    If you can't reliably hand-fly the plane from end to end you're NOT doing your job, your fitness to task is not acceptable, and your route is too damn long, and/or you're under-crewed. We don't tolerate autopilot for trucks or chartered busses, so why do we allow 200+ person vehicles to just let the fakakta computer run the show? Flying should be expensive, it should require the absolute best physical specimens with the sharpest minds and attention spans actively engaging the controls.

    IMO pilots as a class are incredibly naive about how unreliable computers, sensors, and software are. Part of that I'm sure has to do with the manufacturers lying their asses off as well because millions of hours in fancy computers and control software THEY decided to develop have to be paid back somehow. Like e_is_real_i_isnt said, there are 6 basic controls - none of them should ever be run by a computer. Frankly I'd add FADEC to that as well although that is one "computer" that would be nearly impossible to remove. Then again, there have been crashes caused by them misbehaving as well.

    When you have to have a computer run things because it's too complicated for a human to run things, we've gone way too far.

    1. asdf Silver badge

      except

      Aren't most modern aircraft fly by wire? The days of the pilot being manually in control of analog (non digital) controls are in the past from what I understand.

      (edit: 737 max looks like it is only partially FBW. Learn something every day. Carry on but FBW and automation is the future)

      1. Anonymous Coward
        Anonymous Coward

        @asdf - Re: except

        Fly by wire doesn't necessarily mean a computer will do man in the middle and interfere with pilot commands.

    2. Crypto Monad

      > We don't tolerate autopilot for trucks or chartered busses

      Trucks have been suggested to be one of the first expected applications for self-driving vehicles.

    3. SkippyBing Silver badge

      'Heck I used to sit in the jump seat on Tokyo to Anchorage when I was a kid for hours and well remember the clattering of the trim wheels as they spun.'

      Automatically if it was a 707 or newer.

      'If you can't reliably hand-fly the plane from end to end you're NOT doing your job, your fitness to task is not acceptable, and your route is too damn long, and/or you're under-crewed.'

      And what advantage is there to an aircraft being hand flown across the Atlantic? Literally none, and in fact when pilots were doing it there were far more crashes than there are now. To demonstrate more graphically look at the charts linked below, as automation has increased the accident rate has fallen and aviation has become safer year on year. 2017 was the safest year on record, despite there being more flights than ever and more automation than ever. Your argument that pilots should be doing all the flying and computers removed from the equation isn't backed up by any data.

      https://aviation-safety.net/statistics/

      1. A.P. Veening

        Hand flying

        QUOTE

        'If you can't reliably hand-fly the plane from end to end you're NOT doing your job, your fitness to task is not acceptable, and your route is too damn long, and/or you're under-crewed.'

        And what advantage is there to an aircraft being hand flown across the Atlantic? Literally none, and in fact when pilots were doing it there were far more crashes than there are now.

        END-QUOTE

        There is no advantage whatsoever to actually doing so unless necessity intervenes, but it is absolutely necessary that the pilots be able to do so in case of need. And in anything approaching a "normal" emergency, the pilots will only have to fly less than half the Atlantic by hand, turning back and diverting are nearly always completely acceptable options if that involves less time in the air than the original destination.

        And for those who like an acronym explained:

        ETOPS - Engines Turn Or Passengers Swim

        Yes, I am old fashioned enough to prefer more than two engines for long over-water flights.

        1. SkippyBing Silver badge

          Re: Hand flying

          'ETOPS - Engines Turn Or Passengers Swim

          Yes, I am old fashioned enough to prefer more than two engines for long over-water flights.'

          An acronym which again isn't supported by any evidence, there have been no losses of a twin engine jet airliner due to the failure of one or both engines aside from the Hudson river crash which ironically wasn't a long over water flight. However, a four engine airliner losing two engines would also have had to ditch as the design criterion is for the loss of one engine.

          'There is no advantage whatsoever to actually doing so unless necessity intervenes, but it is absolutely necessary that the pilots be able to do so in case of need.'

          Pilots often cope with normal emergencies perfectly adequately, see http://avherald.com/ for regular examples. This was in no way a normal emergency, it wasn't even in the checklist because Boeing didn't think pilots needed to know about it, you try diagnosing an unknown intermittent fault at 300 miles an hour.

          The issue is, if you make pilots hand fly long sectors just for experience, you will have more accidents than you prevent. Which is why they invented simulators, but you still don't practice for failures that no one knows can happen.

    4. dvvdvv

      The only problem is that many more people died per flight or per person-mile back when there were no FADECs and ADRs. But rant away, I feel your pain.

    5. Anonymous Coward
      Anonymous Coward

      When you have to have a computer run things because it's too complicated for a human to run things, we've gone way too far.

      ----

      Or you accept that, and replace the humans with the best computer system you can build, and then you keep refining and improving it. You would almost certainly lose fewer aircraft that way. Not none, but a lot fewer.

    6. Someone Else Silver badge

      @disk iops

      One upvote for 'fakakta'. Gave me a giggle, once I transliterated it.

      A better spelling for it (using the latin character set) might be 'verkochte'

    7. Anonymous Coward
      Anonymous Coward

      "We don't tolerate autopilot for trucks or chartered busses"

      Trucks operate in much more confusing, constrained, and complex environments that are much harder to adequately observe with sensors.

      Aircraft can be made to detect the ground, bad storms, and other aircraft quite well... and the atmosphere gives a lot more space for maneuvering, avoidance, and recovery from problems. And you don't have to worry about pedestrians popping out from behind objects.

  6. Steve 114

    Conversely

    Seems the new Boeing system would have prevented the old Airbus crash. The old Airbus system would have prevented the new Boeing crash. Needs a big red disconnect-all button: "Just fly me" (and pilots with occasional experience of doing so).

  7. Norman Nescio Bronze badge

    PPRuNe threads

    The relevant Professional Pilots Rumour Network Threads are below.

    Note that if you are not a professional pilot, it is really not a good idea to post there, and especially not with 'newbie' questions and theories that are not backed by experience in the aviation industry. However, the forum publishers are nice enough to let other people read the forums, which can be an invaluable source of information.

    Note also it is a Rumour Network - don't assume everything posted is correct. But there is a good signal to noise ratio.

    PPRuNe Rumours and News thread: Indonesian aircraft missing off Jakarta

    PPRuNe Tech Log Thread: B-737 Speed Trim System

    PPRuNe Tech Log Thread: 737MAX Stab Trim architecture

  8. wolfetone Silver badge

    I remember watching an episode of Air Crash Investigation and they were talking about fly-by-wire controls that Airbus have, and that Boeing don't do that because they would rather trust the pilot to fly the plane.

    What happened to that?

    1. SkippyBing Silver badge

      A lot of Boeing aircraft now do have FBW, certainly the 777 and 787 do. Essentially the computers can fly the aircraft more accurately than a human, which is more fuel efficient. Part of this is down to reducing the stability of the aircraft which means there's less drag as your control surfaces aren't working as hard to keep it pointing in the direction you want, although they are moving more often. It would be very tiring for a human to fly an aircraft with reduced stability hence the FBW. Although you'd still get fuel savings with the autopilot flying a positively stable aircraft because they're consistently better over a long period of time.

      And good luck trying to sell a less fuel efficient aircraft to an airline.

    2. Spazturtle Silver badge

      It's simply not safe to let humans fully fly an aircraft, pilots like to talk about the good old days when everything was manually controlled but the truth is that pilots have never been very good at fully flying an aircraft and never will be. Accident rates have plummeted since the computers took over.

      Some pilots still like to think they are big hot shot mega dicks who are fully in control of everything and you will see some commenting that this crash was 100% the pilot's fault and say things like "hur dur any good pilot would have been able to resolve the situation".

      1. wolfetone Silver badge

        "It's simply not safe to let humans fully fly an aircraft, pilots like to talk about the good old days when everything was manually controlled but the truth is that pilots have never been very good at fully flying an aircraft and never will be. Accident rates have plummeted since the computers took over.

        Some pilots still like to think they are big hot shot mega dicks who are fully in control of everything and you will see some commenting that this crash was 100% the pilot's fault and say things like "hur dur any good pilot would have been able to resolve the situation"."

        I think the pilots of the Qantas A380 that had an engine explode would beg to differ on that one. Especially when all the computers crapped themselves and basically said "We give up, it's up to you", the pilots landed it safely without hydraulics or anything like that.

        1. Spazturtle Silver badge

          "I think the pilots of the Qantas A380 that had an engine explode would beg to differ on that one. Especially when all the computers crapped themselves and basically said "We give up, it's up to you", the pilots landed it safely without hydraulics or anything like that."

          I don't think having an engine explode and having to perform an emergency landing counts as a safe situation. The computer and pilots are all part of the same system, when one of those parts is removed the situation becomes a lot more dangerous.

          Also on Qantas Flight 32 the computer switched flight control mode from Normal Law to Alternative Law giving more control to the pilot, but it didn't go into Direct Law mode giving all control to the pilot.

        2. Anonymous Coward
          Anonymous Coward

          Especially when all the computers crapped themselves and basically said "We give up, it's up to you"

          -----

          Of course, that's what they are designed to do, as a matter of policy. It's that pilot-centric philosophy rearing its obsolescent head.

          You could design a 'never give up' autopilot, and over time, it would probably be amazingly good at keeping planes from crashing, or mitigating an unavoidable crash.

      2. Alan Brown Silver badge

        Human factors

        "Accident rates have plummeted since the computers took over."

        Exactly this. Since the 1970s there have been exceedingly few crashes which weren't caused by human factors (HF) - and that's why the study of them has become obsessional in aviation.

        HF led to the realisation that hiring ex military fliers for civil transport jobs was a bad idea, because military fliers are trained to press on regardless when they should have diverted or gone around - that in turn led to the establishment of all those airline-funded flying schools and aviation degree colleges, etc

        When HF started to be applied on the ground it was realised that bad road _design_ was a major factor in traffic crashes and that drivers pay little attention to posted speed limits - they take their cues from the road design and furniture - and perversely the more "protective" furniture there is (signs, fences, parking restrictions, light controlled crossings), the safer the drivers feel, the faster they drive and the LESS attention they pay to their surroundings - leading to a problem that adding crossings or lights to protect pedestrians frequently results in them being less safe.

        Lion Air seems to have thrown HF out the window with the reported requirements of pilot conversion and training (a few hours of PC simulation, vs other airlines requiring actual time in a flight simulator) and the reported safety culture there is an order of magnitude worse than reports that came out of MAS (shifting faulty kit from aircraft to aircraft instead of actually fixing it, or overriding a safety inspector's grounding order by pulling political strings to get his boss to issue a countermand are actively undermining safety, vs simple sloppiness).

        HF is most successfully applied across an entire organisation to find out why safety culture is failing, but in this case I'm willing to bet that it's coming from criminal levels of mismanagement in pursuit of profit above all else.

    3. LDS Silver badge

      Fly-by-wire and automated systems are not the same thing

      FBW means there is no direct mechanical linkage from controls to actuators - everything is done electronically.

      But even planes which may not employ full FBW may be highly automated - autopilot, autothrottle, FADEC etc. will still take control for most of the flight. They are more efficient, and reduce stress on pilots. For example, flying at high altitudes, where the difference between the stall speed and the "never exceed speed" (VNE) could be quite small, would require a big effort from pilots.

      The Boeing 737 which crashed at Schiphol in 2009 was under autopilot and autothrottle control - it's not that Boeings are less "automated" than Airbuses, they just employ a different kind of controls automation.

    4. Lars Silver badge
      Coat

      "What happened to that",

      Boeing had to become modern as they realised they had to go fly-by-wire with the Dreamliner, as there was no choice. The wings are simply too complicated for anything else.

  9. Anonymous Coward
    Anonymous Coward

    knackered sensors can cause 737-Maxes to nosedive

    Ladies & Gentlemen, this is your captain speaking, we are going down... We are all going down, together. We'd like to sincerely apologise for this inconvenience and hope you enjoy the rest of your flight.

  10. DropBear Silver badge

    This is not the first crash I heard about that involved auto-anti-stall. I'm a bit fuzzy on the details, but it was a passenger plane (on a test flight? Not sure but I don't think there were any passengers in it...) that was supposed to do a low pass over an air show for the audience - except they were instructed to do it unusually low, failed to locate the airstrip involved in due time, botched the approach and embedded the plane in the forest at the end of the strip. An already shitty situation for sure, but the explicit reason preventing them from at least _trying_ to pull up was, again, the automatic anti-stall overriding the pilots, ruling "nope, the trees it is for you!". Due to the circumstances there should even be some footage of it happening, possibly even on the net. Arguably, the plane may have crashed either way (well I guess we'll never know now will we), but at the very least the pilots should have had the decision about where to crash...

    1. SkippyBing Silver badge

      That was an Airbus, I believe the problem there was they'd configured the aircraft to land to do the flypast without asking the engineers if that was a problem. It turned out once the aircraft thought it was going to land that's what it was going to do. I'm not totally sure why the actions for a go-around weren't successful, unless the pilots didn't think to try that. In that case I'm pretty sure it was Airbus operating the aircraft so you'd think they'd have known.

      1. Brian Morrison

        The crash was essentially due to additional factors, one being that they descended to 30ft over a runway that they could not land on when they were supposed to fly past at a minimum of 100ft if this was the case. This affected the flight control systems, disabling some of the protections that are inhibited if you are intending to land.

        When they realised that they were too low and selected takeoff/go-around thrust, the spool up time of the engines was about 7 seconds, by the time the engines had increased thrust from near idle power they were busily ingesting tree branches and naturally flamed out as the combustion chambers filled up with crushed wood.

        The A320 was very new then, and a lot more is known about the Airbus flight control systems now. The aircraft did what it was told to do, the flight crew were just a little bit ignorant about the corner case they were exploring.

    2. Paul Crawford Silver badge

      I think it was the opposite - the pilots *assumed* the plane anti-stall would stop it stalling, but below a certain height it disengages as it *assumed* they would only fly that low in an attempt to land.

    3. Major N

      https://en.wikipedia.org/wiki/Air_France_Flight_296

  11. SkippyBing Silver badge

    Preliminary Report

    The preliminary report is available here:

    https://www.flightradar24.com/blog/wp-content/uploads/2018/10/2018-035-PK-LQP-Preliminary-Report.pdf

    Note this has been produced without the evidence from the Cockpit Voice Recorder which would give more insight into why the pilots did what they did.

  12. Archtech Silver badge

    Lack of systems thinking

    I appreciate the many helpful and informative comments in this thread. But one thing strikes me rather forcibly: a strong tendency to place the blame here or there - on the software, no on design decisions, etc.

    Surely the underlying issue is a lack of whole systems thinking. It's never enough to design an automatic subsystem to correct apparent stalling risks, or to write correct software implementing such a subsystem.

    It's necessary to consider the aircraft and its human crew - and possibly even its passengers - as a single system, whose subsystems can interact in complex and sometimes unexpected ways.

    One salient example that has emerged from these comments is that, even if the avionics are virtually perfect in themselves, that very fact exerts strong influence on the pilots. They may become over-confident in the automatic systems, and unsure of their own manual flying skills. They may even forget, in the heat of a sudden emergency, how to do certain vital things.

    1. SkippyBing Silver badge

      Re: Lack of systems thinking

      Some of the comments on the Pprune threads linked above make your point about considering the whole system. It does look a lot as if Boeing added MCAS to get around a certification problem with the 737 MAX but didn't consider all the potential interactions with the rest of the 50 year old design. It's also quite worrying that it only uses 1 of 2 AOA sensors* and doesn't even do a comparison with the other one to see if the data is valid.

      *It swaps the in use sensor every flight, hence the previous sector not experiencing the same issue with MCAS, although the other faults were still manifest.

    2. Spazturtle Silver badge

      Re: Lack of systems thinking

      The system should have had 3 AoA sensors and used a voting system to find the true value. If 1 sensor malfunctions it is ignored as 2 will still be voting for the same value, if 2 sensors malfunction then the system disables itself as there is no winning vote.

      1. dvvdvv

        Re: Lack of systems thinking

        How do you know that 2 sensors malfunction if they show reasonably close values? True story, happened to an Airbus A321 in 2014.

        1. MacroRodent Silver badge

          Re: Lack of systems thinking

          How do you know that 2 sensors malfunction if they show reasonably close values? True story, happened to an Airbus A321 in 2014.

          A really tough problem. Perhaps using sensors of different design, hoping that if they fail, they don't fail in quite the same way?

    3. Alan Brown Silver badge

      Re: Lack of systems thinking

      "Surely the underlying issue is a lack of whole systems thinking."

      Yup. This in spades. One of the things that always stood out is how badly disconnected (and disorganised and just plain dis-ergonomic) most flight deck systems are. There are a lot of things that "should" be automated but simply aren't (because no one thought about it, or "it's too hard") or where having various systems talk to each other would save a lot of hassle.

      The L1101 and the Tristar both proved that things could be done a lot better, but "better" doesn't always sell well.

  13. Christoph Silver badge

    If a plane can do this, what happens to cars?

    It is still claimed that we will soon have fully automatic driverless cars. These will be operating in a vastly more complicated environment, with far less time to sort out problems. And there will be far more of them. What are the chances that nothing like this will happen?

    A plane can in emergency hand control over to the pilots. A car may have no driver, or the driver may be asleep, drunk, and/or distracted. In any case if they are suddenly given control they will not have time to assess a situation which is so complicated that the car has given up.

    Car automation can do a lot, but I cannot accept that full automation will come any time soon - and it will at the least require a major rebuild of all the roads, together with new signage designed for automatic reading.

    1. dansbar

      Re: If a plane can do this, what happens to cars?

      I completely agree that car automation is much further away than those with a stake in the technology would like us to believe, but one major difference between cars and aircraft is that if a system fails on a car, the fleshy bags of water realise they can just turn the whole thing off. Stop it dead. With an aircraft, the pilots have no such luxury.

      1. Swiss Anton

        Re: If a plane can do this, what happens to cars?

        Try walking away after the software has driven your car into a solid concrete bridge support at 70mph.

    2. jtaylor

      Re: If a plane can do this, what happens to cars?

      It already did.

      A few years ago, Toyota made the news after several of their vehicles crashed at high speed. In one horrifying case, a passenger called 911 for advice as the car accelerated out of control.

      The proximal cause was stuck throttles.

      This failure mode is easily managed by shifting into neutral to disengage the engine. Some drivers did this, some did not. Some of my friends were terrified this might happen to them. They simply had never been told how to deal with such a situation and did not have the systems knowledge to figure it out themselves.

      Operators must be trained and skilled to manage the systems they are responsible for.

      1. Dave 32
        Pint

        Re: If a plane can do this, what happens to cars?

        It wasn't just Toyota that had the stuck throttle problem. Some GM vehicles had it, too. I know, because it happened on the 1986 Chevy Blazer I owned. The first time it happened, it scared me significantly. Fortunately, I had a long stretch of clear roadway ahead, which gave me time to diagnose the issue and come up with a solution. The solution to the problem was to just tap the accelerator pedal and release it quickly (well, at least on that GM vehicle). I got to the point where I could reproduce it at will. But, had I been the captain of a passenger jetliner, with a dozen other warnings going off, with some automated systems trying to assume control, and with the ocean fast approaching, I'm not sure I could have found a solution.

        Dave

        P.S. After that first incident, I did need a beer, or two.

        1. Alan Brown Silver badge

          Re: If a plane can do this, what happens to cars?

          "The solution to the problem was to just tap the accelerator pedal and release it quickly"

          The other solution was simply to turn the ignition off and coast to a halt.

          But not to the lock position, that would be silly. Taking the key out would be even sillier - but that's exactly what a significant number of drivers actually did.

          Duh.

    3. Francis Boyle Silver badge

      Re: If a plane can do this, what happens to cars?

      It is still claimed that we will soon have fully automatic driverless cars. These will be operating in a vastly more complicated environment, with far less time to sort out problems. And there will be far more of them. What are the chances that nothing like this will happen?

      I can absolutely guarantee that something like this will happen with driverless cars just as I can guarantee that until we get driverless cars people will continue to die on the roads at a rate of over one million per year. To bring this post back on topic imagine the outcry if the airline industry killed a million people each year.

      1. Alan Brown Silver badge

        Re: If a plane can do this, what happens to cars?

        "I can guarantee that until we get driverless cars people will continue to die on the roads at a rate of over one million per year. "

        This is the point. Driverless cars will kill people at a rate of less than 1% of meatsacks, but that's not good enough for the "what about" and "but what" brigade.

        The insurance industry will drive the change. As soon as they see statistically lower claim rates from automated vehicles, you're going to see lower premiums when vehicles are in automated mode and significantly higher ones with a monkey in control. The fact that automated vehicles are loaded with cameras will kill claims of "the robot crashed into me" stone dead and leave 90% of meatsack drivers who crash into a robot facing full liability (and probably careless driving charges). When the knee point happens the change will be rapid.

    4. Alan Brown Silver badge

      Re: If a plane can do this, what happens to cars?

      Cars can pull over. Signs can have transponders.

      One of the more exciting parts about automated vehicles (in urban areas at least) is that outside of feeder roads we can actually start enforcing significantly lower speed limits - primarily because we DON'T have to deal with impatient irritable overconfident monkeys at the controls.

      Automated vehicles don't need to be perfect. They just need to be better than most drivers and that's an astoundingly low bar to pass.

  14. dansbar

    Really?

    "This is a computer system designed to prevent the nose of the Boeing 737-Max from pulling too far up and putting the plane into a stall when under manual control. It has nothing to do with the airplane's autopilot."

    Nope nope nope nope nope

    When machinery is under manual control, it should be under manual control. There is absolutely no reason at all for this system to automatically control the aircraft. For decades aircraft have had the capability to alert the pilot audibly and visually and to even announce recommended action to a potential stall condition as well as a plethora of other potential pilot errors. That's where it should end. The pilot should always then get to decide whether to follow that advice or not.

    How the hell did people sit in a room and decide that it was fine to let the computer have the final say?

    I can handle the risk of a pilot making a mistake, I know that other than in the rarest of cases they will try very hard to correct that error to save their own skin.

    1. SkippyBing Silver badge

      Re: Really?

      'When machinery is under manual control, it should be under manual control. There is absolutely no reason at all for this system to automatically control the aircraft.'

      Except Boeing had no choice if they wanted the aircraft to be certified for flight. In essence on previous 737s as the aircraft approached the stall, think ~15-20 degrees nose up, the loss of lift from the wing coupled with the centre of gravity being ahead of the centre of lift caused the nose to fall recovering the aircraft from the stall. In trying to put even bigger engines on the 737 they had to move them forwards and up, this created an interesting aerodynamic effect where as the stall was approached the pods start to generate lift which counters the natural nose down tendency. In other words rather than naturally recovering from a stall the aircraft would now naturally enter one at high* angles of attack. This could lead to an irrecoverable stall and death. MCAS is designed to stop the nose getting too high and making the aircraft fly more like a legacy 737.

      Before you say it's automation gone mad, the Hawker Siddeley Trident from the 60s had a stick-pusher to prevent it entering an irrecoverable stall. Because why let people put the aircraft in a situation where it definitely will kill them?

      *it's high for an airliner

    2. Electronics'R'Us

      Re: Really?

      Automated control of aircraft has been with us for decades; having designed flight safety critical systems, I am astounded that this particular subsystem was not comparing both AOA sensors. In a 'disagree' situation, the system should simply raise an alarm (MCAS offline?) so the aircrew know something dodgy is going on.

      It should be inconceivable that a subsystem capable of changing the control surfaces is not redundant.

      That said, as the crew did not even know of MCAS, they might get confused with "What the hell is MCAS?"

      To me, this is a fundamental design flaw that should never have got past the independent technical authority even within Boeing, let alone by the FAA designated representative.

      The flight control system on the 777 is a triple redundant system, incidentally (with different processors in each lane at that).
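As an added example, not code from this thread, from Boeing or from any avionics supplier, here is a fail-safe angle-of-attack voter that covers both Spazturtle's three-sensor majority vote earlier in the thread and the two-sensor "disagree, so raise an alarm and take MCAS offline" behaviour described just above. The tolerance, the AoA limit, the sample readings and all function names are constructed assumptions.

```python
"""Fail-safe AoA voter (constructed illustration, not any real aircraft's logic).

Design rule demonstrated: a subsystem that can move a control surface acts only
on an agreed reading, and inhibits itself when the sensors cannot agree.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Constructed tolerance: readings further apart than this are "disagreeing".
AOA_AGREE_TOLERANCE_DEG = 2.0


@dataclass(frozen=True)
class VoteResult:
    value: Optional[float]  # agreed AoA in degrees, or None when inhibited
    inhibit: bool           # True -> dependent automation must disable itself
    reason: str


def vote_aoa(readings: Sequence[float],
             tol: float = AOA_AGREE_TOLERANCE_DEG) -> VoteResult:
    """Majority-agreement voter over any number of AoA sensors.

    - 1 reading:  never trusted alone (the single-sensor design criticised above).
    - 2 readings: accepted only if they agree; a disagreement inhibits.
    - 3+ readings: the largest cluster of agreeing sensors wins if it is a
      strict majority; otherwise there is no winning vote and we inhibit.
    Limitation (the A321 case raised in the thread): two sensors that fail the
    same way and agree with each other will be accepted; voting alone cannot
    detect a common-mode failure.
    """
    n = len(readings)
    if n < 2:
        return VoteResult(None, True, "insufficient sensors for a vote")
    best: List[int] = []
    for r in readings:
        # Indices of all readings within tolerance of this one.
        agreeing = [j for j, s in enumerate(readings) if abs(r - s) <= tol]
        if len(agreeing) > len(best):
            best = agreeing
    if len(best) * 2 <= n:
        return VoteResult(None, True, f"no majority among {n} sensors")
    agreed = [readings[j] for j in best]
    value = sum(agreed) / len(agreed)
    outliers = n - len(best)
    reason = "all sensors agree" if outliers == 0 else f"{outliers} sensor(s) outvoted"
    return VoteResult(value, False, reason)


def stall_protection_command(readings: Sequence[float],
                             aoa_limit_deg: float = 14.0) -> dict:
    """Constructed stand-in for an MCAS-like consumer of the voted AoA.

    Returns whether nose-down trim would be commanded and the crew alarm, if
    any.  The 14 degree limit is an assumed figure for illustration only.
    """
    v = vote_aoa(readings)
    if v.inhibit:
        return {"trim_nose_down": False,
                "alarm": f"AOA DISAGREE - stall protection offline ({v.reason})"}
    return {"trim_nose_down": v.value > aoa_limit_deg, "alarm": None}


if __name__ == "__main__":
    # Constructed sample readings, degrees of AoA.
    for sample in ([5.0, 5.5], [5.0, 21.0], [5.0, 21.0, 5.3], [5.0, 21.0, 12.0]):
        print(sample, "->", stall_protection_command(sample))
```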

      1. SkippyBing Silver badge

        Re: Really?

        'I am astounded that this particular subsystem was not comparing both AOA sensors.'

        I was also astounded that the disagreeing AOA sensor warning is an optional extra that only comes if you specify the AOA readout on the pilot's displays! What next, save money by not having the engine fire warning light?

    3. Jason Bloomberg Silver badge
      FAIL

      Re: Really?

      How the hell did people sit in a room and decide that it was fine to let the computer have the final say?

      That's one good question but I think it's also important to ask why the pilots weren't informed this was the situation and would remain as such until they intentionally turned the system off, and that was done in a way which was counter-intuitive to their training.

      When I have cruise control on and I have to slam on the brakes I expect my car to stop. I don't expect the cruise control to keep it going at the same speed. I wouldn't realise I needed to turn it off manually before an emergency stop unless there were a fucking big warning sign on the windscreen. And if there was I'd not drive it on the grounds of "that's fucking ridiculous".

      It's hard enough, and counter to muscle memory, remembering which stalks the wipers and indicators are on at times. Having something behave in a way one never expected and were never told about is a disaster waiting to happen.

      1. Spazturtle Silver badge

        Re: Really?

        "When I have cruise control on and I have to slam on the brakes I expect my car to stop. I don't expect the cruise control to keep it going at the same speed. I wouldn't realise I needed to turn it off manually before an emergency stop unless there were a fucking big warning sign on the windscreen. And if there was I'd not drive it on the grounds of "that's fucking ridiculous"."

        Your anti-lock braking system (ABS) will cut out the brakes though; this situation is similar to if your car's lock-up sensor malfunctioned and your ABS decided to disengage the brakes to try and correct it.

    4. Norman Nescio Bronze badge

      Re: Really?

      "This is a computer system designed to prevent the nose of the Boeing 737-Max from pulling too far up and putting the plane into a stall when under manual control. It has nothing to do with the airplane's autopilot."

      Nope nope nope nope nope

      When machinery is under manual control, it should be under manual control. There is absolutely no reason at all for this system to automatically control the aircraft. For decades aircraft have had the capability to alert the pilot audibly and visually and to even announce recommended action to a potential stall condition as well as a plethora of other potential pilot errors. That's where it should end. The pilot should always then get to decide whether to follow that advice or not.

      How the hell did people sit in a room and decide that it was fine to let the computer have the final say?

      I can handle the risk of a pilot making a mistake, I know that other than in the rarest of cases they will try very hard to correct that error to save their own skin.

      MCAS is Boeing's solution to the problem of getting the 737 MAX certified as airworthy by the FAA (14 CFR Part 25 - AIRWORTHINESS STANDARDS: TRANSPORT CATEGORY AIRPLANES). The 737 MAX replaced the engines with heavier, differently shaped, more powerful versions that needed to be placed further forward on the airframe. This increased the moment arm of the engine's thrust, which exacerbated the pitch-up when thrust was increased. This meant that at high angles of attack, increasing the thrust could stall the aircraft*. In order to pass the FAA's longitudinal stability requirement, Boeing came up with MCAS, which moves the stabiliser to provide nose-down pitch at high angles of attack to prevent stalling. Without MCAS, the 737 MAX would not have been certified to fly.

      More information here: The Air Current: What is the Boeing 737 MAX Manoeuvring Characteristics Augmentation System (MCAS)?

      And here: Leeham News: Boeing’s automatic trim for the 737 MAX was not disclosed to the Pilots

      It operates when the aircraft is being flown 'manually' (i.e. not by the Auto Pilot) with flaps up, because without it, the aircraft would not be certified as airworthy. It is there to prevent unwanted handling characteristics becoming a problem, but that works only when MCAS is receiving good data. You can fly a Boeing 737 with electrically assisted trim turned off, as there are manual trim wheels connected via cables to the stabiliser trim mechanism. They move when the electrical trim operates. Manual operation requires 50 turns per unit of trim (250 turns from full up to full down), and if the stabiliser is experiencing significant aerodynamic loads, can require some effort to move.

      So, if you are flying with flaps up (i.e. not configured for landing), without autopilot, MCAS is in operation. If the MCAS system is incorrectly told there is a high Angle-of-Attack, it will automatically command Nose Down trim until the AoA falls to a level that the MCAS system programming is set up to regard as not needing the correction assistance. If the AoA doesn't change by enough, it will continue to command Nose Down pitch. If the pilot uses the toggle switch on the yoke to manually control the electrically assisted stabiliser movement, MCAS backs off for a few seconds, but will resume after a short period. If you switch to autopilot, MCAS is disabled, and if you extend flaps it is disabled. However, if there is an airspeed mismatch between the pilot's and co-pilot's instruments, autopilots generally disengage. As the airspeed is calculated from a combination of data from the pitot system and the AoA sensors, if AoA is wrong, airspeed will be wrong.

      If you are at the point where the stabiliser's nose down trim setting exceeds the elevator's authority to bring the aircraft's nose up, you have a problem (at this point, it will probably require both the pilot and co-pilot pulling as hard as they can on their respective control-yokes simultaneously). Disabling all electrically assisted trim at that point may put you in an unrecoverable situation, as you might be unable to manually alter the stabiliser pitch setting fast enough to get out of the dive. If you are using all your strength to pull on the yoke, you don't have any hands free to rotate the trim wheels.

      If the incorrect operation of MCAS is recognised at an early stage, it is easy to recover. If you leave it too long, it might not be possible to recover.

      I am not an expert, so I may have got things wrong. Corrections are welcomed.

      NN

      *This is simplifying things a bit. The shape of the engine nacelle also provides additional lift at high angles of attack compared to the previous engine, so even without extra thrust, pitching up can be less benign than you expect. MCAS is there to ensure the combination of the airframe and handling systems meet the handling rules - it is meant to provide predictability.
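As an added illustration of the sensor cross-check Electronics'R'Us asks for and of the trim behaviour Norman Nescio describes above (flaps-up, autopilot-off activation; nose-down trim on high AoA; a short back-off after a pilot trim tap; the trim cutout switches), here is a toy Python model of a trim loop. It is not Boeing's code and nothing in it comes from the thread. One controller acts on a single AoA input; the other compares both vanes and stands down with a disagree alarm. The trigger and disagree thresholds, trim step, back-off period, trim limits and the crew's tapping cadence are all assumptions chosen to make the behaviour visible, not aircraft values, and the stuck-vane readings are constructed for the demonstration.

```python
"""Toy model of a trim-augmentation loop driven by angle-of-attack (AoA) sensors.

Added illustration only: not Boeing's MCAS code and not taken from the thread.
Every threshold, rate and timing below is an assumption picked to make the
behaviour visible; none is a 737 MAX value.
"""
from dataclasses import dataclass, field

AOA_TRIGGER_DEG = 12.0          # assumed: above this the loop commands nose-down trim
AOA_DISAGREE_DEG = 5.0          # assumed: left/right split beyond this counts as a fault
TRIM_STEP = 0.5                 # assumed: trim units moved per activation or pilot tap
PAUSE_AFTER_PILOT = 2           # assumed: ticks the loop backs off after a pilot trim tap
TRIM_MIN, TRIM_MAX = 0.0, 10.0  # assumed: trim range, higher = more nose-down
PILOT_WANTED_TRIM = 2.0         # assumed: the trim the crew are trying to hold


@dataclass
class State:
    trim: float = PILOT_WANTED_TRIM
    flaps_up: bool = True
    autopilot: bool = False
    trim_cutout: bool = False   # the cutout switches several commenters mention
    pause: int = 0
    alarms: list = field(default_factory=list)


def _gates(s, pilot_trim_up):
    """Gates shared by both designs. Returns True if the loop may act this tick."""
    if s.trim_cutout:                       # motors off: nothing electric moves
        return False
    if pilot_trim_up:                       # yoke switch: pilot wins, loop backs off
        s.trim = max(TRIM_MIN, s.trim - TRIM_STEP)
        s.pause = PAUSE_AFTER_PILOT
        return False
    if not s.flaps_up or s.autopilot:       # flaps or autopilot inhibit the loop
        return False
    if s.pause > 0:                         # still backing off after the pilot's tap
        s.pause -= 1
        return False
    return True


def single_sensor_tick(s, left_aoa, right_aoa, pilot_trim_up=False):
    """The design the thread objects to: acts on one AoA input, never cross-checks."""
    if _gates(s, pilot_trim_up) and left_aoa > AOA_TRIGGER_DEG:
        s.trim = min(TRIM_MAX, s.trim + TRIM_STEP)
    return s


def voting_tick(s, left_aoa, right_aoa, pilot_trim_up=False):
    """The check the commenters ask for: compare both vanes; on disagreement raise
    an alarm and stand down rather than act on a reading that may be wrong."""
    if not _gates(s, pilot_trim_up):
        return s
    if abs(left_aoa - right_aoa) > AOA_DISAGREE_DEG:
        if "AOA DISAGREE" not in s.alarms:
            s.alarms.append("AOA DISAGREE")
        return s                            # cede to the crew
    if min(left_aoa, right_aoa) > AOA_TRIGGER_DEG:   # both agree the nose is high
        s.trim = min(TRIM_MAX, s.trim + TRIM_STEP)
    return s


def run(controller, left_aoa, right_aoa, ticks=50, pilot_period=5, cutout_at=None):
    """Fly `ticks` steps with constant sensor readings. Every `pilot_period` ticks the
    crew tap trim-up if the stabiliser is further nose-down than they want; from
    `cutout_at` onwards the trim cutout switches are thrown."""
    s = State()
    for t in range(ticks):
        if cutout_at is not None and t >= cutout_at:
            s.trim_cutout = True
        tap = (t + 1) % pilot_period == 0 and s.trim > PILOT_WANTED_TRIM
        controller(s, left_aoa, right_aoa, pilot_trim_up=tap)
    return s


if __name__ == "__main__":
    # Constructed fault: left vane stuck at 20 deg while the right vane reads 2 deg.
    runaway = run(single_sensor_tick, 20.0, 2.0)
    print("single sensor, stuck vane:", runaway.trim)          # ratchets nose-down
    stopped = run(single_sensor_tick, 20.0, 2.0, cutout_at=10)
    print("single sensor, cutout at tick 10:", stopped.trim)  # frozen where it was
    voted = run(voting_tick, 20.0, 2.0)
    print("voting, stuck vane:", voted.trim, voted.alarms)    # stands down, alarms
    genuine = run(voting_tick, 15.0, 14.0, ticks=4)
    print("voting, both vanes high:", genuine.trim)           # still acts when they agree
```

The single-sensor run shows the ratchet the thread describes: each pilot tap wins back one step, the loop then adds two more before the next tap, so the stabiliser creeps nose-down until either the cutout is thrown or the trim limit is hit. The voting version never moves the stabiliser on the split reading, but still trims when both vanes agree the nose is genuinely high, which is the point of comparing them rather than simply ignoring the sensor.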

      1. Archtech Silver badge

        Re: Really?

        "In order to pass the FAA's longitudinal stability requirement, Boeing came up with MCAS..."

        Great. In other words, to satisfy some legal requirement they stuck a bag on the side of the airplane's control systems.

        1. SkippyBing Silver badge

          Re: Really?

          'Great. In other words, to satisfy some legal requirement they stuck a bag on the side of the airplane's control systems.'

          To be fair it's a legal requirement that the aircraft won't enter an irrecoverable stall and kill you, so it's definitely one to be in favour of.

          1. A.P. Veening

            Re: Really?

            "To be fair it's a legal requirement that the aircraft won't enter an irrecoverable stall and kill you, so it'd definitely one to be in favour of."

            I'd say it should be a legal requirement as well that the aircraft won't enter an irrecoverable dive and kill you.

        2. imanidiot Silver badge

          Re: Really?

          Just the presence or the function of MCAS isn't the problem here. It's the combination of a lack of training on the system and the system's response to an AoA failure that is at fault.

    5. e_is_real_i_isnt

      Re: Really?

      Do you press a button on the steering wheel for each splash of fuel in each cylinder and then press another button for each cylinder to fire a spark?

      In any case Boeing provided about 4 ways to override this -

      1) It cuts out if any flap is deployed

      2) It cuts out if the trim button on the control wheel is tapped

      3) It is offset if the trim wheel is manually turned

      4) It is entirely disabled if the trim motors are turned off with switches that are right there.

      1. imanidiot Silver badge

        Re: Really?

        @e_is_real_i_isnt

        However, if the pilot isn't aware of MCAS and the way it behaves, and isn't trained on the procedure to prevent this they might not know ANY of those. The situation and system response caused by MCAS is different from the trained "Runaway trim" procedure, as the system still responds (and stops trimming for a short while) when a trim up command is given or the trim wheel is manually moved. Thus I can imagine following the runaway trim procedure isn't the first thing that comes to mind for a pilot when MCAS goes mad.

  15. Milton Silver badge

    Computer knows best?

    Yes, this reignites the old debate about who should have the final say when it comes down to human-vs-computer (or, if you like, in broader terms, human perceptions-vs-instruments), but in truth it needs to be informed by people who are experts in the subject matter, not—forgiving the few exceptions on these pages today—BTL commenters who have never worked in aviation.

    The problem is, there is no perfect, dogmatic answer. Those are only open to ill-informed amateurs. The software is generally superb but not foolproof but, far more significantly, it has to rely upon information fed to it by sensors. If the sensors, be they pitot tubes, AoA, radioaltimeter etc—all of which have been implicated in fatal crashes even within the last 25 years—provide bad data, then GIGO applies. It is why Airbus systems, for example, have multiple degradation modes depending on what information is missing or suspect—'Alternate Laws' handing progressively more control back to the flight crew. It is why Boeing, ironically as it turns out, have been known for the philosophy of ultimately un-restricting the pilot's ability to operate the controls, even outside safe limits, in extreme circumstances. (This isn't a Boeing v Airbus contest: both build superb planes. I personally don't like the concept of the zero-tactile-feedback sidestick, but that's just me.)

    I suspect any analysis of the last 30 years' major airline incidents will show very few which were the sole result of sensor/instrument/computer failure. Even disasters whose precipitating events are such a failure tend to have been survivable, if only the pilots had done the right thing. AF447 would have survived if the pilots had followed a standard procedure for multiple conflicting airspeed warnings. The Lion Air plane would have stayed airborne if this flight crew had known (or remembered?) how to disable the stall prevention system. (Aeroflot 593 would have lived if the pilots had ... just ... let ... go. (Though that wasn't precipitated by instruments).)

    It is particularly saddening to think that Boeing's engineers may well have had incidents like AF447 in mind when setting up the stall avoidance system. One could argue that they should have allowed sufficient sustained back pressure on the control column to disable that system, similarly to how other aircraft autopilot channels can be disabled after positive sustained pilot input. The counter-argument—emphasised in the case of AF447—is that a panicked pilot may just keep pulling back, even as the plane plummets. Like I said: no perfect answers.

    One last point. This tragedy puts me in mind of Scandinavian 751. In that crash, a safety system of which the crew were unaware was triggered and caused an otherwise avoidable crash.*¹ Sound familiar? I'll allow the interested to read the Wiki article, but the parallels are a little eerie.

    *¹ During climbout the plane had suffered surging from both rear-mounted engines, caused by transparent ice breaking from the wings. Crew followed correct procedure, retarding the throttles to keep damaged engines alive long enough to allow an emergency landing, but an (unknown to them) safety system advanced the throttles again, thereby causing the engines to shake themselves to bits. (The good news is, the plane pancaked in a snowy meadow after losing a lot of speed clipping the hair of a conifer forest, and although it broke into pieces on impact, there was no fire and everyone survived. A real feel-good story. Pity it all happened too fast for a movie.)

    1. Richard Scratcher

      Re: Computer knows best?

      They could be handy for spotting human errors...

      "The Bombardier Dash 8 Q400 took off from Belfast City Airport on January 11th, headed to Glasgow. When the plane hit 1,500 ft, autopilot engaged - however, the target altitude was mistakenly set to ZERO ft, so the plane immediately started to nosedive.

      The aircraft fell around 500ft in just fifteen seconds before the pilot was able to regain control and bring it back to an appropriate altitude. During the dive, the plane was plummeting up to 4,300 ft per second - and if the pilots had been even a few moments slower to bring it back under control, there is little doubt that it would have crashed.

      The Air Accidents Investigation Branch (AAIB) found that the issue arose when the pilot chose a specific mode of autopilot, and the airline has introduced new policies including a different pre-flight checklist to make sure that this does not happen again."

      1. Stuart Moore

        Re: Computer knows best?

        Is there a valid case for an autopilot to have a height of zero feet? I'd have thought that should be a case of the autopilot refusing to engage. So not sure I'd call that just human error. Well, the programmer is human too I suppose...

  16. MrKrotos

    iPlane

    If Apple made planes = You're flying it wrong!

  17. Alan Bourke

    So anyway, tell me again how great an idea self-driving cars are ...

    ...or would be if they were remotely feasible today.

  18. Someone Else Silver badge
    Big Brother

    Oh, and...

    ...yes, we are very sure that driverless cars will never suffer this same fate...same fate...same fate...same fa...............

    Big Brother, because he wants full control, too

  19. naive

    Mathematical proof of correctness or a big RED "707 mode" button

    Even if the technicians made a mistake in installing the sensors, Boeing could be in a lot of trouble.

    Either Human pilots have the last word, or the computer. Since with this flight, the computer crashed the plane, Boeing has some explaining to do, for instance why does the plane take off in the first place if those sensors are faulty, leaving the plane in a situation where it can not be controlled.

    Boeing just needs to make clear that a) the pilot is always responsible and b) make a big red "707 mode" button disabling all nanny systems interfering with actions performed by the pilot. This button allows pilots to take full control, the computer should resort to writing advisory messages on a screen.

    In the end, if people could fly four engined 707's in the 60's without computers, they should be able to fly a 737 without them in 2018.

  20. kurios

    need an off switch

    There are too many circumstances in which automation can be in control of some aspect of aircraft operation. If one of these instances goes wrong, it takes too long to identify which one has gone bad and run the appropriate procedure while under high crew task load. And that's if the aircraft builder has actually kept documentation up to date.

    There should be a single switch that unconditionally inhibits all automation, returning full manual control to a pilot. Not a panacea, but it might have prevented this accident.

    1. Anonymous Coward
      Anonymous Coward

      Re: need an off switch

      A Big Red Switch in the middle of the cockpit should do it.

    2. SkippyBing Silver badge

      Re: need an off switch

      'There should be a single switch that unconditionally inhibits all automation, returning full manual control to a pilot. Not a panacea, but it might have prevented this accident.'

      But what if one of the pieces of automation is stopping you from having an accident? These aircraft aren't designed to be flown in full manual control, there's always some form of automation at work keeping it in limits.

    3. Anonymous Coward
      Anonymous Coward

      Re: need an off switch

      "There should be a single switch that unconditionally inhibits all automation, returning full manual control to a pilot. Not a panacea, but it might have prevented this accident."

      And caused, or failed to prevent, other accidents.

      There is no universal solution, and human pilots have racked up a fairly poor track record, over the years.

  21. Anonymous Coward
    Anonymous Coward

    planes/cars

    This is worryingly similar to my experiences with all car mechanics.

    Take my car in. The EML light is on. Debug codes. MAP sensor is giving implausible reading. Assume sensor is faulty. Replace map sensor. Give car back to customer minus £100.

    Driving out of garage EML light comes on again.

    Fault was not with MAP sensor at all.

    Thank god my car doesn't fly.

    1. Anonymous Coward
      Anonymous Coward

      Re: planes/cars

      Indeed. Multiple failures reported on previous flights and some of the "repairs" consisted of cleaning the electrical contacts.

      Yes, surely it's those rusty, dirty contacts that were the problem, and just needed a good cleaning. On a 3-month-old plane.

      1. Anonymous Coward
        Anonymous Coward

        Re: planes/cars

        "On a 3-month-old plane"

        Years ago I flew Edinburgh to Heathrow on a British Midland 737. During flight the cabin became uncomfortably warm for a bit but when it got a bit cooler the captain came on the intercom to apologize for the temperature fluctuation adding that "this is a new plane and we've been having a number of teething problems with it". 2 or 3 weeks later one of British Midland's new 737s crashed at Kegworth.

      2. SkippyBing Silver badge

        Re: planes/cars

        'Yes, surely it's those rusty, dirty contacts that were the problem, and just needed a good cleaning. On a 3-month-old plane.'

        You don't work on a lot of aircraft do you?

        Compared to the production run of the average car even the 737 is a niche product, meanwhile all the parts are subjected to a drop in pressure and temperature that would stop the average automotive engine running every time they fly a sector. So after three months a contact may well just need a clean because it wasn't installed correctly in the first place or even just because.

      3. Alan Brown Silver badge

        Re: planes/cars

        "surely it's those rusty, dirty contacts that were the problem, and just needed a good cleaning. On a 3-month-old plane."

        Don't be surprised.

        They may be on an assembly line, but these things are _hand built_. The looms are hand made and the electrics quite frankly make Lucas look good. Look at the report into the wiring of TWA800.

        "Aircraft grade" electrical connectors are about the mechanical side. I've seen some pretty shitty contacts on brand new "out of the bag" components and the degree of attention to long-term reliability is significantly lower than that given to automotive connectors because the assumption is that they're going to be opened/closed/inspected every N hours, not left in service for years and expected to provide 100% reliability without being touched.

        (Automotive spec is significantly tougher all around than aviation or military spec)

    2. Alan Brown Silver badge

      Re: planes/cars

      " MAP sensor is giving implausible reading. Assume sensor is faulty. Replace map sensor"

      The first thing my mechanic assumes is a bad plug somewhere.

  22. Anonymous Coward
    Anonymous Coward

    Agile Software Development.

    Would you trust your life or those of your loved ones to this?

    1. Jason Bloomberg Silver badge
      Joke

      Re: Agile Software Development.

      "Sure I would. My team are so crap it would never get to the end of the runway, let alone ever take off".

      The oldies are the goldies.

  23. sean.fr

    more acceptable to be killed by a human

    Pilot error is a major cause in crashes. Automation basically kills fewer people. Therefore it is a reasonable design decision to automate as much as possible. In the same way air bags can hurt you, but we require them to be fitted in new cars because overall the benefits outweigh the risks by a large margin.

    The root cause is flying with bad instrumentation. Even if you fly manually, bad sensors can kill you. In daylight you can judge your angle of attack, height and speed. At night, or in weather, probably not. You have to trust the instruments. You can tweak the software, and pilot training, but that is largely ignoring the real issue. The aircraft was not in a fit state. If you crash a car because your brakes fail, no-one asks why driving without brakes is not taught. ABS can help, but if you lose brake oil or the pads are worn, or the tyres are worn, it's a maintenance issue.

    1. Dave 32
      Pint

      Re: more acceptable to be killed by a human

      Ah, but driving without brakes is taught. And, I've put it to use many times, when I've blown either a master cylinder, or a brake line. You tend to remember that emergency brake pretty quickly, as you're aiming for something soft and cheap.

      The first time it happened, was as a teenager, as I was pulling into the family driveway, with my dad's new car 30 feet in front of me. I hit the brakes, and the pedal went all the way to the floor, when the master cylinder catastrophically failed (They didn't have redundant cylinders in 1966 models.). Talk about high pucker factor. I did a hard left into the soft dirt of the front yard, and jammed on the emergency brake. It made a royal mess of the lawn, but I didn't crash.

      I've subsequently blown the brake lines on my pickup truck, twice, and on the wife's SUV once.

      Perhaps the most spectacular incident was when my brother blew the brakes on a 5 ton dump-truck, with an overload of 7 tons of crushed stone in it. Not only did he not wreck it, but he actually made it back to his farm, and dumped the crushed stone where he wanted it, via use of the emergency brake and down shifting the transmission.

      Dave

      P.S. Beer, because, after incidents like those, you need a beer or two.

  24. david 12 Bronze badge

    Small Indonesian airline. That suggests that the pilot was an experienced foreign national, and that the co-pilot was not. Was that the case here?

    1. SkippyBing Silver badge

      Lion Air is not a small airline, they're the Asian equivalent of RyanAir or EasyJet and the largest in Indonesia, bigger than the national airline Garuda. They were also the launch customer for the 737 MAX. The pilots were Indian and Indonesian with 6028 and 5174 flying hours respectively, does that answer your slightly loaded question?

      1. david 12 Bronze badge

        Yes. the question was slightly loaded: I was trying to be as polite as I could be while still asking the substantive question.

        I wondered if that had changed: evidently not. Racial politics still plays a part in pilot selection in Indonesia.

        Having said that, it's just as well that everybody reading this should realize that locally, some people are going to be blaming one pilot because he is foreign, and other people will be blaming the co-pilot because he is not foreign.

  25. Borg.King

    AoA sensor replaced prior to fatal flight

    Wasn't the Angle of Attack sensor replaced prior to this last fatal flight of this aircraft?

    So far I have heard reports that there were issues on the 3 previous flights to this one, and the sensor had been replaced. Had one faulty sensor been replaced with another one? Had the wrong sensor been replaced? Did the new sensor pass all ground tests on the system before departure? Had the ground tests been properly executed? Has the cockpit been found to determine the state of the MCAS switches?

    If the MCAS / AoA system had issues on the previous flights, were those pilots aware of the new equipment operating procedures on the 737 MAX? How did those previous pilots overcome the documented system failures?

    The final AAIB report on this will make extremely interesting reading. I hope they find the cockpit voice recorder, though I expect it will just have the two pilots extremely baffled at why their aircraft is repeatedly countermanding their control inputs.

    1. SkippyBing Silver badge

      Re: AoA sensor replaced prior to fatal flight

      It appears, based on reading the FDR data by people more knowledgeable than me that the previous flight's pilots had overcome the MCAS issue by diagnosing a failure that required isolation of the trim system. As they didn't know about MCAS they wouldn't have known that's what the problem system was but the effect was to remove it from the equation anyway. However this may have meant the next crew were starting from square one when it came to diagnosing what was going on with the various issues that they were presented with or have been primed to expect a reversal of the usual trim system rather than starting from scratch. Neither of which are great situations to be in.

      'Has the cockpit been found to determine the state of the MCAS switches?'

      There aren't any as such, and the pilots weren't told it existed previous to the accident. The trim cutout switch position can be determined from the FDR and I believe they hadn't been activated at the time of the accident.

  26. Alan Brown Silver badge

    FAA grounding imminent?

    I'm surprised the FAA hasn't issued an emergency airworthiness directive grounding the aircraft already to be honest.

    This system is necessary thanks to the engines - over the years they've become so big that they've moved out from under the wings to in front of them and also been lifted up to achieve ground clearance - to the point that they can flip the aircraft on its back if the pilots aren't careful. (They've had to do this because it's impossible to give the 737 design longer landing gear)

    This is what happens when you take a "good proven stable design" and keep incrementally slapping shit on it until it is intrinsically unsafe to fly without massive amounts of augmentation. The 737 is essentially a hotrod "funny car" at this point in its career.

    1. imanidiot Silver badge

      Re: FAA grounding imminent?

      " (They've had to do this because it's impossible to give the 737 design longer landing gear)"

      Not impossible, just undesirable for the market the 737 operates in and for certification purposes. The advantage of the 737 design (and why it had originally been designed that way) is that the low ground clearance allows easy ground service to almost all relevant parts of the aircraft with easy methods (stepladders and low moveable scaffolds) where competitors require more safety equipment because the worker needs to be higher up. Redesigning the landing gear to put the plane higher off the ground would be easy but would necessitate a huge amount of new equipment be bought by customers all over the world. Customers that might be more likely to go to the competitor in that case.

      On top of that the landing gear is a very important bit of the aircraft and so structurally intertwined with the entire design of the main fuselage and inner wing spar section that a change in main gear leg length would necessitate a substantial redesign of the main wing spar, which would then require certification as an entirely new aircraft design instead of being allowed to be certified as a modification of the original 737 type air worthiness certification.

  27. Anonymous Coward
    Anonymous Coward

    Hidden (secret) functionality elsewhere ... nowhere should be assumed "safe"....

    .....anything "smart" needs to be treated with caution, not just new aircraft. For example:

    - https://www.theregister.co.uk/2018/07/27/jaguar_land_rover_connected_car_privacy/

    A Morris Minor is a pretty safe bet!

    1. Anonymous Coward
      Anonymous Coward

      Re: Hidden (secret) functionality elsewhere ... nowhere should be assumed "safe"....

      Sorry...truncated link.

      https://www.theregister.co.uk/2018/07/27/jaguar_land_rover_connected_car_privacy/

  28. IJD

    In the end, the fault comes back to Boeing. Adding the MCAS system onto the 737MAX was a bodge to get it through qualification after the engine/airframe changes made it unsafe in a stall, but the crash would not have happened if the system had been properly designed against sensor failure (redundancy, voting) and/or the pilots/airlines had been told about MCAS.

    The first one would have probably meant design changes to add the extra AOA sensors and cost Boeing more at manufacture (bad), the second would have meant recertification and retraining of pilots which could have meant them selling fewer aircraft (bad). In the end somebody decided that money mattered more than safety -- probably not deliberately, but this is the kind of sloppy "it'll probably be just fine" thinking which sooner or later kills people.

    Of course if it comes out that the possible problem was pointed out by engineering but stomped on by management (Ford Pinto, anyone?), Boeing will be in deep doo-doo...

    1. disk iops

      > In the end somebody decided that money mattered more than safety -- probably not deliberately

      > but this is the kind of sloppy "it'll probably be just fine" thinking which sooner or later kills people.

      Indeed. Companies need to learn how to say NO. When someone came up with the idea of putting ever bigger engines on the thing and it's no longer stable, the idea should have been buried, not sustained with "hey, Johnny in systems can write us up a software solution". NO god-damn NO! And in its soul-less pursuit of sales and profits the aircraft co. decided to do something stupid the regulator should have jumped all over them and stopped it dead in its tracks.

      From https://www.pprune.org/tech-log/615709-737max-stab-trim-architecture-2.html I really like the bit about " And then we had STS, which trimmed the stabilizer without pilot input. Huh???? ... But rational was to tell the pilot ( I use pilot to assert whoever was in charge of moving controls), he needed to trim for the new speed/AoA."

      This is meddling on the part of the software by do-gooders. By interfering in the natural operation of the aircraft the pilot has now mentally checked-out. Any pilot paying attention would feel and recognize right quick he needs to re-trim without being "helped", just like it had been for decades prior. If not, then by god he's not fit to sit in that seat! Then they layered on yet another nanny function because Boeing in this case made a DELIBERATE choice to say 'Yes' to some retard at the airline or in marketing. The customer, as a rule does NOT know what they are talking about and I'll bet airline execs don't have a clue or care about physics, they just want to cram more seats into the same space and have it fly farther and faster on negligible fuel. At some point an adult needs to stand up and say, "No, we're not doing that, this 50 year old design can not be modified further." The bane of modern technology is that the software programmers always pipe up with "we can write some code to 'fix' that". And as we've found out they did a typical CRAP job of it and didn't bother to follow the RULES that had long since been established.

      Revised engine nacelle and blade design for better thrust and fuel efficiency is, again, fine. Decreasing drag with those winglets - brilliant. Upsizing, rotating and shaping the engine so the plane is no longer stable - STOP right there and do not execute! Or go hire yourself out to Lockheed and work on fighter jets.

      We do NOT need to fly at the ragged edge of performance. We do NOT need to carry ever more ridiculous numbers of helpless/hapless souls at one time. We do NOT need razor-edge efficiency in lift or engine performance that *requires* ever more complex software solutions to try to bash it back into some flyable shape. We do not need more fancy software to make up for ever less skilled and mentally disengaged pilots so they can pretend they know what they're doing. Progress does NOT have an infinite endpoint. Every activity has a cost and human beings are LIMITED. Apparently modern man has decided that all costs can be papered over with ever-increasing amounts of software.

      Same shit in motorcycles - not to jack the thread. First it was ECU and FI. Ok, reasonable and simple improvements that didn't overwhelm the meat or fundamentally change the relationship between rider and machine. Now we have cornering ABS, corner-by-corner brake and throttle maps, launch control, and gd fly-by-wire etc. All of it completely pointless and unnecessary to the task at hand - riding the damn thing from point A to B. You now have world-class racers, the best in the world, who can literally get away with being as clumsy as a 2-bit street hack: pinning it and not getting their ass thrown over the moon. Worse, you have said street hacks with but 5% of the talent and skill riding machines who, without electronic nannies, would have quickly found themselves in the ER or morgue. "Electronics this, electronics that" you hear incessantly in interviews. NO, god damn it! If you can't *directly* control the hydraulics of your brakes and regulate the engine with the throttle (again with no electronic "here, I'm detecting some slip, I'll take over"), then the whole thing is a farce. We want to see skilled individuals doing their craft, not who has the best software developer and smartest algorithm and sensors all but riding the bike for him.

      Back to planes - "here, hold my heading and altitude for a couple minutes while I root around in my flight bag for the PB&J and a cup of coffee, so long as sensors appear nominal, otherwise warn me and let go" is/was a proper and acceptable degree of improvement. Though properly this should be, and has been, solved for decades via "yo, co-pilot, you have the stick". When someone else is doing the flying (e.g. the computer) the natural tendency is for the human brain to check out.

      How many millions of hours were logged by mere teenagers in WW2 and wars since in transport planes, flying on partial panel, in lousy weather and getting shot at? Yeah, yeah, the big bomber losses were atrocious, but it wasn't because the pilot didn't know how to fly or the damn computer was second-guessing them based on shot-out sensors.

      Chasing unreasonable efficiency and lower costs is now taking lives, and the chorus for "more AI because it's better than people" is only going to make the failures bigger and costlier and, more importantly, the pilots increasingly helpless to diagnose and recover within the limited (by physics) window of opportunity. If you're going to have a pilot in command then the plane must fundamentally comport with human limitations, not spew thousands of messages and alerts at him to the point that their ability to cope is overwhelmed - the damn programmers again (I don't mean just the guy writing the code, but the whole food chain). The computer must by definition be no more than an advisor or really dumb help. Otherwise toss the pilot out on his ass and have the computer run the entire show.

      If the introduction of computers is making a significant improvement in safety, then the conclusion is some combination of:

      1) the damn things are too complicated for humans to fly, which by definition means the trajectory of design is WRONG.

      2) the skill level of the pilots is highly uneven and probably insufficient.

      The answer isn't more computer, it's smaller, properly designed planes, fewer, simpler planes and more expensive seats. That or just go to drones and be done with it. If a PiC screwup kills only 150 people at a time, that's better than killing 800 because the gd computer was interfering and, worse, could NOT be removed or sufficiently sidelined because the airplane requires the computer to even fly at all, and some programmer decided the software (and its supposedly non-dodgy failure detection logic) knew better than the supposedly trained people with hands on the yoke.

  29. dmacleo

    In the US (under FAR Part 121 carriers), AOA sensors require an FCF (Functional Check Flight) after RAR (Remove And Replace), so it's odd the FCF (if required there; often requirements are mirrored) did not catch anything.

  30. JohnnyS777

    The real reason these people died:

    Money.

    This was a case where a significant FLIGHT CONTROL PROBLEM was encountered on the previous flight. Significant enough that the pilot called "pan pan pan". Only a "mayday" is more serious than that. So what happened? Ground staff followed a checklist and swapped/tested some components and they looked fine on the ground. It's clear the pilots and ground staff did NOT know what was the root cause of the problem. But the airline got to make money, so screw due diligence: over a hundred people were loaded on and took off to die. They had a FLIGHT CONTROL PROBLEM and didn't test fly the aircraft? Why not? That aircraft should have been grounded until it had been flown without passengers by a competent test pilot who knew ALL the aircraft systems, including the MCAS.

    Propose a new rule: If a commercial aircraft experiences a flight control problem on a flight and survives, it remains grounded after landing until (1) the flight control problem has been fully understood and remediated, and (2) a test flight (no passengers!) to normal cruising altitude and speed has been completed by a competent test pilot certified by the manufacturer. Any airline staff, management or engineering personnel who release the aircraft back to service without these 2 steps completed and documented shall lose all their professional accreditations and shall immediately be banned from working in the airline industry. Should the subject aircraft crash with loss of life, those persons should be charged with manslaughter.

  31. steward
    WTF?

    Dave, I'm really the pilot. You're redundant.

    Remy Redert writes:

    "But this wasn't the software's fault. It never is. It was the designer who allowed a single faulty sensor to put the software..."

    Sensors don't "put" software. They only feed data to software. Software functions to interpret and compare data fed to it.

    It was the software's - or, more particularly, the software designers' - fault.

    As for the software designers' responsibility... they're designing software for planes. The article says that "the pilots fought with the MCAS system, pulling the plane's nose up 26 times before finally losing control." It would seem to me that if pilots send a command contradicting a computer program more than five times, software designers in the aircraft industry should be designing computer programs to just SHUT OFF at that point (with appropriate warnings) instead of saying "Nyah nyah, I'm really the pilot, sod off humans!"
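A toy model of the cut-off the comment above proposes, added here as an example (it is not Boeing's MCAS logic or any real avionics code): an automated nose-down trim function that hands authority back to the pilot, with a warning, once the pilot has trimmed against it more than five times. The AoA trigger limit is an assumed, constructed value.

```python
# Constructed illustration of a "pilot wins after N contradictions" guard.
# Not MCAS, not any certified control law; the AoA limit is an assumption.
from dataclasses import dataclass, field

AOA_LIMIT_DEG = 14.0        # assumed trigger threshold (constructed value)
MAX_CONTRADICTIONS = 5      # the commenter's "more than five times"

NOSE_DOWN, NONE, NOSE_UP = -1, 0, 1


@dataclass
class TrimGuard:
    contradictions: int = 0
    engaged: bool = True
    warnings: list = field(default_factory=list)

    def step(self, aoa_deg: float, pilot_trim: int) -> int:
        """One control cycle. Returns the automation's trim command.

        aoa_deg:    measured angle of attack in degrees
        pilot_trim: the pilot's own trim input (NOSE_DOWN, NONE, NOSE_UP)
        """
        if not self.engaged:
            return NONE                       # pilot has sole authority
        auto_cmd = NOSE_DOWN if aoa_deg > AOA_LIMIT_DEG else NONE
        # The pilot trimming opposite to the automation is a contradiction;
        # trimming with it, or when it is idle, is not.
        if auto_cmd != NONE and pilot_trim == -auto_cmd:
            self.contradictions += 1
            if self.contradictions > MAX_CONTRADICTIONS:
                self.engaged = False          # latch off for the flight
                self.warnings.append(
                    f"AUTO TRIM DISENGAGED after {self.contradictions} "
                    "pilot overrides; manual trim only")
                return NONE
        return auto_cmd


def simulate(events):
    """Run (aoa_deg, pilot_trim) pairs through a fresh guard; return commands and state."""
    guard = TrimGuard()
    return [guard.step(a, p) for a, p in events], guard
```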
