back to article Boeing big cheese repeats pledge of 737 Max software updates following fatal crashes

Boeing chief exec Dennis Muilenberg has repeated earlier promises that a software update for the troubled Boeing 737 Max airliners is coming "soon". In an open letter published last night Muilenberg acknowledged the "shared grief for all those in mourning" after the separate crashes of two 737 Max 8s within a few months - …

  1. Craig 2

    Just as it used to be with Windows upgrades, we will be holding off flying a particular aircraft until at least Service Pack 1 is installed...

    1. el kabong

      Used to be?

      You mean, windows updates are not dangerous anymore?

      That's really great !!!

      1. Craig 2

        Re: Used to be?

        Used to be as in Service Packs.... now even the most minor update can be fatal of course, I suppose that's progress for you...

        1. MrDamage Silver badge

          Re: Used to be?

          "Excuse me passengers, this is your captain speaking. As you will note, we are now in a nose-down position and plummeting straight for the ground.There is no need for panic, as once we pass the 10000 foot threshhold, we're hoping the system will reboot and allow us to take control.

          If this is not the case, please feel free to haunt Boeing managers who determined this software was to be rolled out despite known flaws."

          1. Frumious Bandersnatch

            Re: Used to be?

            Good evening. This is your Captain

            We are about to attempt a crash landing

            Please extinguish all cigarettes

            Place your tray tables in their

            Upright, locked position

            Your Captain says: Put your head on your knees

            Your Captain says: Put your head in your hands

            Captain says: Put your hands on your head

            Put your hands on your hips. Heh heh

            This is your Captain - and we are going down

            We are all going down, together

            And I said: Uh oh. This is gonna be some day

            Standby. This is the time

            And this is the record of the time

            This is the time. And this is the record of the time

            https://genius.com/Laurie-anderson-from-the-air-lyrics

            1. Frumious Bandersnatch

              Re: Used to be?

              Here come the planes.

              They're American planes.

              Made in America.

              https://www.lyricsfreak.com/l/laurie+anderson/o+superman_20081561.html

            2. Reliance
              Unhappy

              Re: Used to be?

              Put your head between your knees and kiss your ass goodbye...

    2. Anonymous Coward
      Anonymous Coward

      Boeing 737 MAX-8 Update 1904.

      When you turn on the engine, the plane phones home and checks your software update. It will prompt you to install the latest updates that bring the following functionality and enhancements:

      - Enhanced user interface

      - Enhanced user experience by removing some bugs that may lead to a fatal crash in rare circumstances

      - New or improved features

      1. Anonymous Coward
        Anonymous Coward

        Enhanced user experience by removing some bugs that may lead to a fatal crash in rare circumstances

        You'd think that after 30+ years of Windows we would have stopped making such dangerous assertions..

        1. Anonymous Coward
          Anonymous Coward

          Not my fault that Microsoft confuses "removing issues" and "exacerbating issues" so often.

      2. notowenwilson

        "When you turn on the engine, the plane phones home and checks your software update"

        You've flown a DJI drone then?

    3. Anonymous Coward
      Unhappy

      No joke.

      I doubt I'd ever get in a 737 Max now... or any other 737 (as I suspect a renaming scheme might try to hide the fact).

      I've no qualms on flying... but this one incident, does not bode well for future "tech" that throws sense (training) and safety (fail safe systems) out the window.

  2. Anonymous Coward
    Anonymous Coward

    Car analogy

    "...you could program it so the car would feel the same to drive as it did with the original engine and wheels."

    Maybe I or we could but it appears to me no company can, the best they can do is the feeling of a video game.

    Increasingly technology is being used to remove the connection between the operator, equipment and the real world because most buyers are not operators and most operators find it too difficult to fly, or in the case of cars drive, without technology between them and the equipment.

    Of course while one can manually (with powered hydraulics) fly a 737 that isn't the case with more modern designs some of which are so good they are IMO well worth dying for now and then.

    1. el kabong

      Want to try to reprogram it so it feels and drives like an F1?

      When you change the engine proportions and attach it in an unbalanced way you'll get different dynamics, you'll get poorer dynamics.

      There is no way you can make software fool physics and force physics to turn an unstable system into a stable one.

      1. commonsense

        Re: Want to try to reprogram it so it feels and drives like an F1?

        There is no way you can make fool physics and force physics to turn an unstable system into a stable one.

        There is. The Eurofighter Typhoon has "relaxed stability" (which means it relies on input to fly) and relies on four computers to turn pilot inputs into lots of continuous adjustments to the control surfaces to make it do things that the pilot would expect. Without those computers, it would be unfliable.

        The Typhoon has a lot of redundancy built into its software to account for anomalous sensor inputs and computer decision making. It seems Boeing's MCAS system doesn't.

        1. el kabong

          To have complex handling is not the same as to have poor dynamics

          The 737 is unbalanced and has poor dynamics while that fighter jet is perfectly balanced and has great dynamics, the complexity in its handling is there to explore to the max its inherent dynamic qualities.

          Unfortunate comparison, the 737 is a geriatric machine it's one of a series of modifications on a design that was first used 60 years ago, by comparing it to a well designed modern machine you just made it look even worse.

          Besides, where's the point in comparing one to the other, they are totally different things!!!

          1. commonsense

            Re: To have complex handling is not the same as to have poor dynamics

            No, the Typhoon is deliberately unbalanced. Turn the computers off (if such a concept existed) and even Douglas Bader couldn't keep it in the air.

            Generally speaking, passenger aircraft should be positively stable, i.e. can be trimmed in such a way to fly without input.

            This has got nothing to do with "dynamics", but all to do with stability. From what I understand, the 737 Max 8 design changes have made it somewhat less stable, and has MCAS available to manage trim as a result. Nothing inherently wrong with that, assuming of course that MCAS is:

            1) tested properly

            2) has suitable redundancy

            3) is predictable

            4) alerts when it is called upon

            5) pilots are correctly trained to know what to do when it comes on.

            Seemingly none of the above apply.

            Regarding the comparison - the point is that you CAN turn something that's unstable into something that's unstable, and that there's nothing wrong with computers doing this, providing they are suitably designed.

            1. commonsense

              Re: To have complex handling is not the same as to have poor dynamics

              Oops. "the point is that you CAN turn something that's unstable into something that is stable"

              1. el kabong

                Yes, you cant get dynamic stability from a statically unstable system

                software can do that, in some cases, provided you're careful enough to make it work properly.

                What software cannot do is apply a brute force injection of dynamic stability into a dynamically unstable system. You can try to fool physics but you will end up hurting someone.

                1. aberglas

                  Seafire conversion of Spitfires in the 1940s

                  Similar issue.

                  They needed to add a heavy arrestor hook at the back, which broke the CoG. So they added a big spring to the elevator to trim it up. So hands off it would fly level.

                  But get it into a spin and it was time to jump out.

                  Needed more radical redesign, but that would have cost more.

                  (Also, could not see over the nose for a carrier landing. Amazing that a pilot could do it at all.)

                  1. itzman
                    FAIL

                    Re: Seafire conversion of Spitfires in the 1940s

                    First of all spirfires were always tail heavy and always flew with down trim. In fact being on the edge of pitch stability makes for a very very sensitive set of controls. An advantage in a fighting machine which is why modern typhoons are trimmed that way, and use software to compensate

                    The addition of more weight to the back simply made matters worse.

                    Ultimately spin recovery depends on getting the nose DOWN. Opposite rudder may get rid of the turn but unless the aircraft left to itself at almost no airspeed will put its nose down then you will fall off into a spin in the other direction.

                  2. PC Paul

                    Re: Seafire conversion of Spitfires in the 1940s

                    There's saying in the Radio control world:

                    CoG too far forward: model flies badly.

                    CoG too far backward: model flies once.

                  3. SkippyBing

                    Re: Seafire conversion of Spitfires in the 1940s

                    The fix was slightly more than a spring. Basically the problem was the pilot could apply more back stick than the aircraft could handle in certain situation leading to the nose pitching up too far/rapidly and the aircraft breaking up, due to the aft centre of gravity. It was so far aft they packed lead into the engine bearer and it was still on the limits of what would be acceptable for the land based variant.

                    To counter this a weight was hung off the front of the control column, this meant as the g-forces increased the pilot would have to apply increasing back pressure. Consequently pulling out of a dive the stick would actually be moving forwards despite the pilot maintaining a constant pressure.

                    The spring came into it to keep the control column in the neutral position. Unfortunately Supermarine mounted the weight horizontally off the front of the control column, so in a vertical dive it was hanging straight down and the pilot could still apply too much aft pressure before the g would act on the weight in the required direction. Leading to a loss of wings and the aircraft. The Fairey Firefly had a similar issue but the mount for the weight was at a 45 degree angle. And they didn't faff around with springs.

                    More on this, and other aspects of flying the most inappropriate naval aircraft of WW2, in the excellent 'They Gave Me a Seafire' by Mike Crosley.

                2. ridley

                  Re: Yes, you cant get dynamic stability from a statically unstable system

                  Yes you can, all modern fighters will try to fly backwards without the fly by wire computer system making adjustments hundred if not thousands of times a second.

              2. jglathe

                Re: To have complex handling is not the same as to have poor dynamics

                Both is possible.

            2. Snapper
              FAIL

              Re: To have complex handling is not the same as to have poor dynamics

              I think there have been some reports that 5) was glossed over by Boing in order to convince the airlines that they did not need to send their pilots for expensive simulator training.

          2. W.S.Gosset

            Re: To have complex handling is not the same as to have poor dynamics

            > that fighter jet is perfectly balanced

            No, it is UNstable. It can NOT fly without CONSTANT inputs correcting its instability, its fuckups.

            It is SO unstable, no human can respond fast enough to its fuckups to avoid it crashing immediately.

            Hence, a computer constantly corrects its fuckups to keep it on a given stable 3Dvector, and applies an algorithm to the human pilot's jigglings of hte controls to work out the intended change to the vector, then adjusts to that new vector.

            And it is not the only one. A number of fighters have been built this way in the last 30 years.

            1. Richard51

              Re: To have complex handling is not the same as to have poor dynamics

              Unstable fighter aircraft go back to the very beginning of armed flight. The Sopwith Camel was unstable but was very successful, even though it killed about a quarter of those learning to fly it, whereas the BE12 was stable and useless.

              1. itzman

                Re: To have complex handling is not the same as to have poor dynamics

                No, the Camel was barely stable. Today's fighters are unstable.

                1. Michael Wojcik Silver badge

                  Re: To have complex handling is not the same as to have poor dynamics

                  Snoopy's Camel always seemed to have level trim.

        2. el kabong

          To the typhoon software is an enhancement...

          while to the the 737 software is the duct tape that tries to keep it from falling apart. Unsuccessfully as we are now beginning to discover.

          Dynamic stability is what matters, the typhoon is dynamically stable even though it may not be statically stable. The 737 is unstable in whatever way you look at it.

          1. ridley

            Re: To the typhoon software is an enhancement...

            Typhoon - unstable needs computer inputs hundreds of times a second to keep flying.

            737 Max 8 dynamically stable, you need input to make it unstable it appears in these cases computer input.

        3. button pusher

          Re: Want to try to reprogram it so it feels and drives like an F1?

          Also the F-16 (the first relaxed stability manned aircraft?).

          1. Anonymous Coward
            Anonymous Coward

            Re: Want to try to reprogram it so it feels and drives like an F1?

            Hehe - The computers on the F-16 that I have seen were very dense analogue boards stuffed with ceramic-cased OP-Amps, there was 5 of them in a shoebox-sized module and they voted on what to do. The output and inputs were digital, though, some MIL-spec version of ARINC.

            These boards were done with proper mathematical models, not some crappy Kalman Filter code with autotune of parameters that was coded straight from "Numerical Recipes in C", probably by some H1B replicant or an intern!

        4. Annihilator

          Re: Want to try to reprogram it so it feels and drives like an F1?

          "The Typhoon has a lot of redundancy built into its software to account for anomalous sensor inputs and computer decision making. It seems Boeing's MCAS system doesn't."

          I keep reading that there are two AoA indicators on the aircraft that MCAS depends on for its actions, and if one starts acting erroneously, it doesn't know which one to believe. On its own, that wouldn't be a problem so much, as MCAS is meant to operate within certain limits and the pilots able to easily override it. What seems to happen is that Boeing overlooked the limits of MCAS (the 4x reference) and the extent to which it continues to trim the aircraft down in these scenarios.

          1. Gordon 10
            Unhappy

            Re: Want to try to reprogram it so it feels and drives like an F1?

            I've read that it only uses 1 at any one time cycling between them at power off. So gawd knows how it determines erroneous inputs.

            I've still yet to see an explanation of why the Max doesn't have best of 3 aoa consensus like most Air Buses or whether the MCAS uses other inputs like inertia sensors.

            MCAS smell like a bodge to be honest - at least to a layman.

            1. veti Silver badge

              Re: Want to try to reprogram it so it feels and drives like an F1?

              It doesn't "determine erroneous outputs", that's kinda the whole point. It could, easily enough, calibrate the sensor while the plane is taxiing toward takeoff, when it knows for a fact that the angle of attack is zero, but apparently that wasn't deemed necessary or useful.

              There's an excellent and detailed account of the whole sad ballsup here. (If you get a message about ad blocking, try revisiting with a mobile device.)

              1. ridley

                Re: Want to try to reprogram it so it feels and drives like an F1?

                If the angle of attack was zero on the runway the aircraft would not be able to take off.

                1. Gordon 10

                  Re: Want to try to reprogram it so it feels and drives like an F1?

                  He explicitly said taxiway so he's right and you are wrong :P .

                  The AOA doesn't change until the weight starts coming off the front wheel near the end of take off on a runway.

                  It also changes if the pilot stamps on the anchors :)

                2. itzman

                  Re: Want to try to reprogram it so it feels and drives like an F1?

                  If the angle of attack was zero on the runway the aircraft would not be able to take off.

                  Wrong.

                  1. Airfoils are capable of generating lift at zero angle of attack.

                  2. That's what the elevators are for - to push the tail down and the nose up.

            2. Muppet Boss
              Mushroom

              Re: Want to try to reprogram it so it feels and drives like an F1?

              Unfortunately, the quorum of AoA sensors is not trustworthy, as they are subject to the same adverse conditions (icing or wasps or tape) and more than 1 could and do fail simultaneously (same as with pitot tubes), as in 3 AoA sensors in Airbus 2 showing incorrect input - this is well documented, see e.g. http://services.casa.gov.au/airworth/airwd/ADfiles/over/a320/2015-0135R3.pdf.

              However, the failed sensor does not typically produce random values, the incorrect value produced is typically the value at the moment the sensor got blocked and does not normally change (same as with pitot tubes). If of 2 AoA sensors, the first produces changing values and the second produces unchanging or near-unchanging values, the second sensor most likely failed. With this and other available sensor input (pitot-static) combined, the problem of determining failed and working AoA sensors seems to be solvable in practice, even with only 2 sensors available. Probably even with a software update.

              It does appear to me that Boeing managed to squeeze a poorly engineered potentially unsafe system past all controllers though.

              Icon because what happened next.

              1. DavCrav

                Re: Want to try to reprogram it so it feels and drives like an F1?

                "It does appear to me that Boeing managed to squeeze a poorly engineered potentially unsafe system past all controllers though."

                That seems to be because it was presented as an upgrade rather than a new aircraft, so there were reduced checks before certification.

                Whoops.

              2. Gordon 10

                Re: Want to try to reprogram it so it feels and drives like an F1?

                Its not about whether they are trustworthy though. its about whether 1 2 or 3 AOA sensors reduce the number of overall failure modes and failure probabilities. Theres always a trade off between complexity and redundancy.

            3. Anonymous Coward
              Anonymous Coward

              Re: Want to try to reprogram it so it feels and drives like an F1?

              I just read about having this single point of failure and just didn't believe it at first. I used to work with safety critical systems and if what is being described is real, then it is just one huge clusterfuck and someone needs to do jail time

              Not only that but there probably needs to be a check for the existence of brown envelopes.

            4. ibmalone

              Re: Want to try to reprogram it so it feels and drives like an F1?

              "Man with one altimeter always know height, man with two never certain."

            5. ridley

              Re: Want to try to reprogram it so it feels and drives like an F1?

              How would an inertia sensor help? (genuine question)

              IIRC it is quite possible to stall at a high speed. I think the airfrance 447(?) stalled at quite a high speed in "coffin corner"

              1. SkippyBing

                Re: Want to try to reprogram it so it feels and drives like an F1?

                Inertia helps, because if you're doing 300 knots in level flight, you're not stalling, if you're doing 300 knots and falling, you are. Basically you're looking at the difference between where the nose is pointing and where the aircraft is going, if it's more than 15 degrees in an airliner you're probably in a stall.

                You should be able to get the right information from the inertial navigation system, which I think are still used as a back-up to the GPS.

          2. ridley

            Re: Want to try to reprogram it so it feels and drives like an F1?

            Or that, from the article, it appears to reset itself every ten seconds to have another go at putting the nose down.

            1. Anonymous Coward
              Anonymous Coward

              Re: Want to try to reprogram it so it feels and drives like an F1?

              The MayBot algorithm.

        5. Stork Silver badge

          Re: Want to try to reprogram it so it feels and drives like an F1?

          Same for the F-16

      2. Anonymous Coward
        Anonymous Coward

        Re: Want to try to reprogram it so it feels and drives like an F1?

        "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled."

        Who said it, where, when, and why? No prizes, it's just to remind readers that it's all been said and done before, and *some* people have learned lessons.

        RIP.

      3. dfsmith

        Re: Want to try to reprogram it so it feels and drives like an F1?

        Bicycles are an unstable system. As long as there are active inputs, it can be controlled quite consistently.

        1. Lars Silver badge
          Coat

          Re: Want to try to reprogram it so it feels and drives like an F1?

          "Bicycles are an unstable system". Yes, but speed will make the wheels function as gyroscopes and it gets stable, as for inputs, they are not reliable "under the influence", I am told.

          1. Kubla Cant

            Re: Want to try to reprogram it so it feels and drives like an F1?

            Off-topic, but I think the "bicycle wheels as gyroscopes" theory is mistaken*.

            A cyclist essentially balances by steering the bike to keep the point(s) of support below the centre of gravity (when cornering, there are also centrifugal effects). It's harder to balance at low speeds because it takes longer for the wheels to move back underneath you. In this situation most riders also move their upper body over the point of support. The classic example of this is when standing on the pedals to climb a steep hill.

            If you can't steer the bike, it's very hard to balance it. Everyone can balance with their feet off the pedals, and most people can balance with no hands on the handlebars. Both at once is usually a recipe for disaster.

            * Stand your bike upside down and crank the pedals as fast as you can to get the back wheel spinning. Then tilt it. You'll get an idea how small the gyroscopic force is - especially if you have small or lightweight wheels.

            1. Prst. V.Jeltz Silver badge

              Re: Want to try to reprogram it so it feels and drives like an F1?

              "Off-topic, but I think the "bicycle wheels as gyroscopes" theory is mistaken*.

              me too

              "crank the pedals as fast as you can to get the back wheel spinning."

              just think, they are spinning a lot faster than when you are dawdling along at 5 mph , perfecly stably , at that point there is near zero gyro force

            2. Michael Wojcik Silver badge

              Re: Want to try to reprogram it so it feels and drives like an F1?

              I think the "bicycle wheels as gyroscopes" theory is mistaken

              Yep. There's been quite a lot of research into this, including various physicists both doing the calculations and creating modified bicycles which have minimal gyroscopic effects.

              It's not the cyclist either; bicycles will tend to remain standing while they're moving even if they're unoccupied. This has also been demonstrated in various ways, and you can do a simple home test by standing next to a bike and giving it a good shove forward using the handlebars. If you push it straight, it should stay upright - though it may turn - for a decent distance.

              It seems that bicycles are stable while moving because as they start to lean to one side or the other (i.e. as their vertical symmetry breaks) they naturally steer into the lean and turn. (This is due to the fact that bicycles are designed so the front wheel contacts the ground behind the steering axis.) That converts the lean into centripetal acceleration rather than linear.

              See e.g. this and this.

      4. rsole

        Re: Want to try to reprogram it so it feels and drives like an F1?

        Did someone mention the space shuttle, essentially a brick falling elegently with the assistance of software.

        1. W.S.Gosset

          Re: Want to try to reprogram it so it feels and drives like an F1?

          Or the old 50s/60s' test-pilots' saying:

          "If you put a big enough engine on a BRICK, it will fly."

      5. ridley

        Re: Want to try to reprogram it so it feels and drives like an F1?

        Almost all modern military fighter aircraft are purposely designed to be unstable and want to fly backwards it is only the fly by wire system that allows them to fly. Doing this allows them to be extremely fast at maneuvering.

        On the other hand the F117 was just plain un aerodynamic and had to be flown by computer, hence the Woblin Goblin nickname.

        1. Prst. V.Jeltz Silver badge

          Re: Want to try to reprogram it so it feels and drives like an F1?

          first one i heard of that *needed* computers because of its shape was the stealth bomber, which u can tell just by looking at it , youd never fly it manually

      6. Reliance

        Re: Want to try to reprogram it so it feels and drives like an F1?

        There is no way you can make software fool physics and force physics to turn an unstable system into a stable one.

        The US F-117, for example, is an unstable aerodynamic platform run by software that makes it act stably. There are others.

        1. Anonymous Coward
          Anonymous Coward

          Re: Want to try to reprogram it so it feels and drives like an F1?

          "The US F-117, for example, is an unstable aerodynamic platform run by software that makes it act stably. There are others."

          But they haven't changed the physics. Although they've apparently fooled the people in the procurement departments at various War Ministry offices.

    2. ChrisC Silver badge

      Re: Car analogy

      ""...you could program it so the car would feel the same to drive as it did with the original engine and wheels."

      Maybe I or we could but it appears to me no company can, the best they can do is the feeling of a video game."

      Many moons ago watching a fly on the wall series at the Empire Test Pilot School following already qualified pilots earning their test pilot wings, ISTR one episode showed us a heavily modified bizjet (I want to say a Dominie, but I could be wrong) which could be configured to fly with the handling characteristics of something else. And more recently I was reading the excellent "Into The Black" book about the development of the Space Shuttle, which also made reference to use of a modified bizjet to allow the pilots to evaluate the shuttle handling characteristics during the glide down to landing.

      So whilst it clearly wouldn't be feasible to use a mixture of modified flight control software and aerodynamic mods to give a large lumbering aircraft the same handling characteristics as a much smaller nimbler aircraft, it does seem that by starting with something more capable than the aircraft you're trying to emulate, you can artificially slug its performance to approximate the desired characteristics sufficiently well to be of genuine use in roles where the accuracy of the approximated characteristics is rather important.

      Which is essentially what Boeing were trying to do with MCAS - artificially reducing the effects of the additional lift generated at certain points in the flight envelope to match the characteristics of the older 737s. And that's all well and good so long as it all works exactly as intended. It might even be OK if it stops working so long as the pilots are aware of what problems can arise when it goes wrong and how to work around the problem. What's clearly not even remotely OK to anyone outside of the Boeing board, is to introduce such a system without feeling the need to let the pilots know about it.

      1. Anonymous Coward
        Anonymous Coward

        Re: Car analogy, software emulation

        Using software to simulate the real world can work great but the last few I've used have done such a poor job of it I question my own memory of it being done right.

        The last car such car I drove had drive by wire for throttle and steering and electric assist and control for brakes, even the parking brake was electric and only worked under very specific conditions. Engine rpm often had little relation to throttle position and I managed to have engine RPM decreasing while throttle position was increasing, and vice versa, Steering was completely insulated from the car and road. Thanks to poor tires as well as electric steering was unable to predict when lost of traction was about to occur even on asphalt. With many cheap cars today brakes will not allow threshold braking and there is often no easy way to turn off or adjust traction control or ABS.

        On more than one occasion I have found myself fighting software for control of more than one vehicle.

        Of course a friend has pointed out that their Panamera feels great and has none of those problems. Which shows software can be as good as, and even much better than, mechanical systems if enough time and money is spent. Then again I'm pretty sure his model had a problem with steering software.

        Since I do not get to use those cars that get software right I'm left feeling like the some pilots of the 737's in question.

        IMO Boeing should not use software to hide or enhance flying abilities but that isn't what the buyers want and like cars it's the average buyer who decide such things.

        1. Mark 85

          Re: Car analogy, software emulation

          Upvoted because you have described the problem exactly. I suspect that some point, the airlines would like "pilots" that are basically meatbag window dressing. Hire basically a computer operator who has no knowledge of the guts and mechanics of flying.

          There's a lot of similarities betwixt flying and driving. Seat of the pants and feedback from the controls are big part of it. Once everything goes full computer control and human "takeover" controls aren't needed then fine, but until that happens we need the control and the feedback the vehicle gives us.

          1. eldakka

            Re: Car analogy, software emulation

            I suspect that some point, the airlines would like "pilots" that are basically meatbag window dressing. Hire basically a computer operator who has no knowledge of the guts and mechanics of flying.

            That's true of any and all professions that require skilled (read: well-paid rather than minimum wage-slaves) staff.

            IT have been doing it, trying to 'dumb-down' systems so that organisations don't need highly technical, expensive, staff to set stuff up, configure it, tune it, keep it running smoothly. They'd rather have a room full of unskilled staff following flow-charts and panicking when the task goes off-script.

            Airlines have done it over time, at one time aircraft required a flight engineer(s) in addition to pilot/copilot to manage and monitor all the complicated systems that go into making an aircraft fly. They've managed to get rid of those by having more automation. Next on the chopping block will be getting rid of one of the pilots. That is, making the system 100% automated, thus only needing a single pilot to deal with emergencies, who could also be the chief steward for the flight as most of the time they won't be needed in the cockpit at all for the entire flight.

            Hospitals are trying to reduce the number of doctors and nurses needed per patient, by using computer expert systems to help with diagnosis.

            Factories try for more automation to get reduce even the minimum wage-level staff they need.

            It is all about cutting costs. And the most obvious cost to cut is the meatbags that require wages, and breaks, food, sanitary facilities, moan and whine to management or unions, complain and take the company to court when they get underpaid or other payroll shenanigans, can be whistle blowers to expose unethical (if not downright illegal) business activities, etc.

            1. Anonymous Coward
              Anonymous Coward

              Re: Car analogy, software emulation

              "IT have been doing it, trying to 'dumb-down' systems so that organisations don't need highly technical, expensive, staff to set stuff up, configure it, tune it, keep it running smoothly. They'd rather have a room full of unskilled staff following flow-charts and panicking when the task goes off-script."

              IT has been automating tasks and removing jobs for decades. IT people forgetting that they are supposed to be adding value and efficiency to an organisation OR an organisation assuming that IT adds no value or efficiency to an organisation often results in outsourcing and the effects you describe.

              The question is where the problem really lies and if the course can be changed before reaching the situation described above - in many cases, the answer is find a better organisation...

              For Boeing, losing one aircraft was "clearly" operator error and failing to follow the documented procedures and the automation remained unchanged. The second aircraft changed that and the changes in how Boeing certifies planes in the future will be interesting. But the automation will remain.

            2. Anonymous Coward
              Anonymous Coward

              Re: true of any and all professions that require skilled

              Showing the connections like that deserve a 10X thumbs up.

              It's all about cutting costs, increasing profits, and ensuring the rich get richer while the poor get poorer.

              And we now have decades of stats showing just that, the rich ever richer, while the middle, the skilled, gets less for more education, effort and time. Countries with rights and laws are made to compete with the most corrupt.

              Everything is connected and those connections can be seen by looking at a couple of 737 crashes.

            3. kiwimuso
              Facepalm

              Re: Car analogy, software emulation

              "It is all about cutting costs. And the most obvious cost to cut is the meat-bags that require wages, and breaks, food, ....."

              Perhaps 'management' should think about automating themselves then, as they are quite clearly the most expensive meat-bags on the company payroll.

              It would solve the "golden handshakes" cost to the company as well. You know the ones where the CEO fucks up, the company loses vast amounts of money and maybe the share price drops like a stone and when they finally let the CEO go they still get paid a handsome payoff, because "it's in their contract"!

              Most other staff just get fired if they screw up.

              Icon, 'cause it seems obvious to me.>>>>>>

          2. veti Silver badge

            Re: Car analogy, software emulation

            There's a joke that's been going around in aviation circles for a while now, that the ideal flight crew on a modern passenger jet is one pilot and one dog. The pilot is there to feed the dog, and the dog is there to bite the pilot if he tries to touch the controls.

        2. Prst. V.Jeltz Silver badge

          Re: Car analogy, software emulation

          "The last car such car I drove had drive by wire for throttle"

          virtually every new car does now , and has for some time

          1. Anonymous Coward
            Anonymous Coward

            Re: Car analogy, software emulation

            Indeed, so very true.

            Drive by wire, throttle, steering and brakes and now CVT's are so common and for so long that there is a generation of drivers who have no idea of what is happening while driving. They have been completely insulated from the car and road their whole life.

            The same generation feels that they should survive every crash, that crashing shouldn't be so feared. At worst crashing should only mean a reset and a new car. Software and tech has people believing that the laws of physics and mechanics can largely be ignored, and they are not wrong.

            That enables most drivers to drive far faster and in poorer conditions than they could otherwise.Expecting anything else would be similar to expecting pilots to fly airplanes.

            BTW there are cars that will allow access to the software to improve road feel but they have yet to give the feedback of equally expensive mechanical systems. For those that want that feedback, particularly in a RWD front engined car with proper balance there are increasingly few options.

            Shame that because electric powered cars can be, IME, even better when it comes to balance, control, feel and feedback.

  3. Commswonk

    Simply Ghastly...

    Whatever happened to the stick shalers of old that used to warn pilots of an imminent stall? Dispensed with as "old hat" by the look of it.

    I am more than a little alarmed that given the number of other flight characteristics being monitored by both pilots and software (forward air speed, rate of climb, attitude, altitude) this MCAS seems to have been fully autonomous in that it wasn't paying any heed to other inputs, and having decided on a course of action kept putting the nose down despite the pilot(s) applying manual corrections. It seems to have been functioning entirely on its own without reference to anything else.

    I know that it is in woefully bad taste to make any sort of joke about it, but it wasn't designed by an E*** M*** was it?

    Maybe it's the way the article was written but to me it signals very long term trouble for Boeing.

    1. Anonymous Coward
      Anonymous Coward

      Re: Stick shakers

      Stick shakers remind me of automatic spark advance for automobiles, a step in the progression towards having no operator at all. If an operator really needs that technology maybe we should reconsider if there is a need for the operator or just more technology?

    2. Alister

      Re: Simply Ghastly...

      The stick shaker is still included - and may in fact have been a contributory factor in the Ethiopian incident, as it could have added another distraction for the pilots at a critical period.

      1. ilmari

        Re: Simply Ghastly...

        That is a very good observation!

        Stick shaker and stall warning comes on. Pilots think plane is nearing stall.

        Nose dips down - yep, definitely stalling for real!

        But how can the airplane stall at 300 knots? The airspeed indicator must be wrong.

        They manage to recover, try to guess their airspeed, make sure they're going fast enough.

        Still the plane repeatedly stalls.

        Icing? In Africa? But it would also explain airspeed indicator fault.

        Are spoilers and flaps stuck? Troubleshoot the hydraulics, get them to ret*crash"

        ... And they failed to notice the trim was moving on its own, and didn't run the right checklist to deal with that.

        1. W.S.Gosset

          Re: Simply Ghastly...

          This is probably the best description yet of the actual events&thought-processes in the cockpit at the time.

          It's for situations like this that the Flight Engineer used to be a mandated part of hte flight crew. Take a lot of the engineering aspects off the flightcrew when the shit hits the fan, so that the flightcrew can focus on the aeroplane, not on what its machinery is trying to do.

        2. paulll

          Re: Simply Ghastly...

          "Stick shaker and stall warning comes on. Pilots think plane is nearing stall.

          Nose dips down - yep, definitely stalling for real!"

          More likely:

          Stick shaker and stall warning comes on. Pilots think wtf? Why does this thing think it's stalling?

          Nose dips down -wtf? What the hell's it doing? It's not responding either. Wait I guess I can trim it out. Phew.

          10 seconds later, MCAS cycles again. But a bit lower. Repeat.

          Besides the obvious oversight with the AoA inputs, it's mind-boggling that this thing would engage while sinking at low altitude. I imagine it's supposed to work in a low altitude climb as part of its normal function and disengage in a low altitude sink but only accounts for instantaneous vertical acceleration...which would be an oops. (Once you get low enough it becomes pointless to try to recover lift by pitching down, it makes more sense to try for a potentially survivable belly-landing, rather than go nose-first and explode.)

    3. upsidedowncreature

      Re: Simply Ghastly...

      What is an E*** M***?

      Edit: Duh, never mind, the coffee kicked in and I figured it out.

    4. MMR

      Re: Simply Ghastly...

      It is a bad taste joke in a way. E*** M*** is not a one man company and T**** employs an army of programmers. Perhaps the same type of programmers who are able to write software for S****X which accidentally is another E*** M*** venture.

    5. Anonymous Coward
      Anonymous Coward

      Re: Simply Ghastly...

      Stick shaker still exists and works on the Max. Check out the preliminary report of flight 610. One of the line graphs you can see is the stick shaker - and it's on from the start of the flight until the end. Which no doubt added another source of confusion to the pilots.

    6. sanmigueelbeer
      Holmes

      Re: Simply Ghastly...

      Whatever happened to the stick shalers of old that used to warn pilots of an imminent stall?

      The trigger points to the stick shaker is no longer just stall.

      In the Lion Air incident, the stick shaker was activated the moment the aircraft was airborne until it crash. In previous two (or three) flights, the pilots also observed the same thing. Except, those pilots "accidentally" (or mistakenly) disabled the MCAS and made it.

      Another thing about the stick shaker is how company policy defines it. In the initial Lion Air investigation recommendation, the pilot has the "final say" if the plane is deemed "flyable" or not. But when the stick shaker got activated immediately after takeoff that alone is grounds for any pilot to invoke that the flight is not "flyable" and turned around. Apparently, this policy is not "standard" in Lion Air. However, even if this was standard, it wouldn't make any difference because the aircrew didn't know how to disable MCAS.

      software update for the troubled Boeing 737 Max airliners is coming "soon".

      I hope Boeing did extensive testing of this software in a LIVE aircraft.

      So good news and bad news:

      Bad news: Operators and passengers are going to be caught between a rock and hard place. Ever operator will have to take the risk and load this software. Immediately.

      Good news: Due to the two incidents, it would seem that every pilot (will) know how to disable MCAS. Maybe some pilots will just disable MCAS before take-off.

      1. W.S.Gosset

        Re: Simply Ghastly...

        > In previous two (or three) flights, the pilots also observed the same thing. Except, those pilots "accidentally" (or mistakenly) disabled the MCAS and made it.

        If you're thinking of the 2 Yank pilots: minor correction:

        they disabled the AutoPilot, and the problem went away.

        .

        Which then raises the questoin of the link between the autopilot and MCAS...

        1. sanmigueelbeer

          Re: Simply Ghastly...

          If you're thinking of the 2 Yank pilots: minor correction:

          I'm talking about the pilots to the two previous Lion Air flight before the fatal one.

      2. imanidiot Silver badge

        Re: Simply Ghastly...

        There is no way to disable JUST MCAS. Pilots can only disable ALL electrical trimming (including the manual trim switches on the control yoke) which leaves them with only the cable driven manual trim system using a handcrank on the trimwheel in the cockpit. That is a workout to say the least (IIRC 120 turns for full stroke from full down trim to full up trim)

        But pilots might now know what MCAS is and why their plane keeps trimming nose down in 10 second bursts. However, if this information is not in the flight manual it remains to be seen they think of it during a time of crisis. It's come out yesterday that the Lion Air pilots where frantically searching in the manual to find an explanation and couldn't find anything. In both of these accidents the pilots didn't have time to decide to turn back. Once the wheels left the ground they were immediately in full emergency mode trying to find out why their aircraft was trying to kill them. I can understand why they kept climbing. Altitude is life in aviation. It gives you time and options.

  4. Groaning Ninny

    Following a previous poster to a different topic (Amazon cargo plane crashing in US), I started following the views on PPRuNe. The Ethiopian flight is discussed here:

    https://www.pprune.org/rumours-news/619272-ethiopian-airliner-down-africa.html

    Very interesting, and also quite possibly used as a primary source for various news sites.....

  5. Kennelly

    To save you visiting the full report for this info - the fig 5 charts extract spans a time period of approx 13 mins, the pilots were fighting the auto-adjustment for control over a period of seven minutes

    1. el kabong

      Software as a panacea, they used it before to sell us clean Diesel engines

      Now they are using it to sell us air travel that is both cheap and safe, it's magic.

      Is there anything software cannot do?

      1. Yet Another Anonymous coward Silver badge

        Re: Software as a panacea, they used it before to sell us clean Diesel engines

        Yes it can make flying amazingly safe.

        Of course you could go back to the days of piston engines and carburetors and pilots taking star sightings and hoping to find land before they hit cloud.

    2. Anonymous Coward
      Anonymous Coward

      The question I want answered is does a full 5 degree horizontal stabilizer trim provide so much nose-down moment, full elevator deflection is unable to correct it?

      If so, people at Boeing need to be going to prison for a long time.

      1. Anonymous Coward
        Anonymous Coward

        Because the more I think about it, depending on the slope of the CL/alpha curve for the wing and the horizontal stabilizer respectively, if the nose dips a little, causing alpha on the wing to drop, the wing will be providing less lift and less nose up moment, resulting in an unstable accelerating nose-down dive.

      2. Anonymous Coward
        Anonymous Coward

        That seems to be the issue, that MCAS is capable of pushing the nose down beyond the limits of the pilot being able to counter it. I'm reminded of how the Thinkpads (in the days before trackpads) had a little red 'nub' in the middle of the keyboard to control the mouse - occasionally the mouse would start to "drift", you'd correct it with your finger, confusing the laptop into drifting it to counteract your movements. Only lifting your finger off would allow it to realise and stop moving.

        It's also perhaps an overly simplistic interpretation, but I'm reading that the MCAS can be over-ridden but that it can in certain circumstances start adding trim again to an already-MCAS-trim level (effectively adding 4x as much stabiliser trim than that envisaged by Boeing)

        1. Anonymous Coward
          Anonymous Coward

          I think Air France crash that had the two pilots inputting opposite correction, one nose up in panic, one nose down down to stop a stall. Each one over compensated for the other, and in the end the aircraft fell from the sky. :(

          1. Anonymous Coward
            IT Angle

            Thumb down?

            Ok, I may have oversimplified that one. But similar happened, as the feedback on the stick did not clearly show the nose up was from the other co-pilot. I'm happy to be corrected though!

            1. SImon Hobson Bronze badge

              Re: Thumb down?

              as the feedback on the stick did not clearly show the nose up was from the other co-pilot

              That is about it. One pilot realised what was happening but could not feel that the other pilot was holding the stick fully back - made worse by the way Airbus have put the sticks (basically a gaming joystick) in the cockpit sidewalls so one pilot would have to look across past the other to see what they are doing.

              In a traditional "mechanical" system, the two sticks would be mechanically linked - so one plot would be able to feel what the other was doing. It was eventually realised what was happening, but not before they ran out of altitude in which to recover the situation.

  6. Thought About IT

    Finger of blame

    If, as seems to be the case, the algorithm relied only on the device measuring angle of attack, when there are completely independent devices measuring airspeed and rate of climb which could have been used to check for faults, it's a choice between gross negligence by the designers and cost cutting by the accountants. In either case, someone should go to prison.

    1. A.P. Veening Silver badge

      Re: Finger of blame

      "In either case, someone should go to prison."

      After a severe flogging.

      NB: I object to capital punishment as there always is the possibility of finding an innocent guilty, I don't object to corporal punishment that leaves no more permanent injury than a scar.

    2. Anonymous Coward
      Anonymous Coward

      Re: Finger of blame

      Whistle blowers alleged that after Boeing merged with MD the MD culture (that produced the DC-10 within a tight budget) emerged over the Boeing quality control attitude. The B-787 was criticised as built to an inflexible deadline and budget, with safety implications.

    3. Anonymous Coward
      Anonymous Coward

      Re: Finger of blame

      What is the Boeing 737MAX manoeuvring characteristics augmentation system:

      https://theaircurrent.com/aviation-safety/what-is-the-boeing-737-max-maneuvering-characteristics-augmentation-system-mcas-jt610/

    4. imanidiot Silver badge

      Re: Finger of blame

      But how do you know your IAS and rate of climb indicators are correct? Not to mention the fact that AoA is almost completely independent of both airspeed and rate of climb. You can stall an aircraft at any speed at whatever rate of climb if you want to.

  7. JimmyPage Silver badge

    Lifts the veil on aviation ...

    So clearly having a "pilots licence" isn't enough, if every individual airplane has different controls and responses. Suggesting pilots need to train to the plane ?

    Was this wheeze from Boeing an attempt to avoid that extra cost (thus making the plane more attractive to airlines) ?

    Perhaps regulators need to take a similar approach to automobiles ?

    1. Cursorkeys

      Re: Lifts the veil on aviation ...

      So clearly having a "pilots licence" isn't enough, if every individual airplane has different controls and responses. Suggesting pilots need to train to the plane ?

      This already happens, the extra license needed for a particular plane is known as a Type Rating.

      https://en.wikipedia.org/wiki/Type_rating

    2. Alister

      Re: Lifts the veil on aviation ...

      Was this wheeze from Boeing an attempt to avoid that extra cost (thus making the plane more attractive to airlines) ?

      It was a way for Boeing to claim that the new 737 MAX handled in a similar way to the old 737NG and 737/800, thus allowing them to bypass new type certification for the aircraft, which would have delayed the roll out and cost more.

      All new planes require that pilots have to be trained in their handling and control, so that is a normal, accepted cost to the airlines.

    3. Anonymous Coward
      Joke

      "Perhaps regulators need to take a similar approach to automobiles ?"

      Sure, you would see far less people around with SUVs if they were required to show they can drive off-road, and get past obstacles....

      1. Anonymous Coward
        Anonymous Coward

        Re: "Perhaps regulators need to take a similar approach to automobiles ?"

        I had a cousin who lived in Japan for 4 or 5 years and if I remember correctly the bigger the motorcycle he wanted to drive the hard the driving test was. He started out on a quite small bike. I wonder if it's similar for a car licences?

        1. SImon Hobson Bronze badge

          Re: "Perhaps regulators need to take a similar approach to automobiles ?"

          What I saw in a TV program (a while ago) said that part of the test was to lay the bike on the ground and pick it up again - can't pick it up and you fail. If you pass, you are limited to that weight of bike.

    4. Mark 85

      Re: Lifts the veil on aviation ...

      In theory, even auto drivers should have a training period as different cars have different characteristics. Truck drivers already do as here in the States, it's an "add-on". So yes, the pilots need to train to the plane as every plane has a different flight envelope. Difference between cars and planes is that one will kill you and everyone in it if you don't actually know and understand the differences.

    5. veti Silver badge

      Re: Lifts the veil on aviation ...

      Yes, that's exactly what it was. That was explicitly touted as a selling point in Boeing's pitch to airlines with existing 737 fleets.

  8. Overflowing Stack

    Yey! A software update

    They should roll it out mid-air just to make sure it works.

    1. This post has been deleted by its author

    2. ma1010
      FAIL

      Re: Yey! A software update

      They should roll it out mid-air just to make sure it works.

      Only if all the board members were on the plane. And nobody else. And the plane was over water, away from any other traffic in the air or on the water.

  9. Chris G

    Based on what is repeated from the Seattle Times article, it seems to me that Boeing may be culpable due to lack of testing subsequent to the upgrade and/or failure to address feedback from the first crash and comments from other pilots.

  10. amanfromMars 1 Silver badge

    Criminal Negligence and/or Corporate Malfeasance? Those are a Rock and a Hard Place

    So Gareth, in essence, Boeing created a turd that was unstable and dangerous to fly and thought giving it a specific computer system to take care of known aerodynamic deficiencies with another level of autonomous machine control which was/is beyond human control ie cannot be easily over-ridden by a qualified/experienced pilot, was a good idea for safeguarding humans?

    Hmmm? Bummer, man. That's brutal.

    1. Anonymous Coward
      Anonymous Coward

      Re: Criminal Negligence and/or Corporate Malfeasance? Those are a Rock and a Hard Place

      That post made sense, I don't know whether to commend or commiserate.

      To me the issue is this: with a commercial aircraft there should be no actual reason for not giving it the best possible stability and ease of control. It isn't like a combat aircraft.

      If this is correct:

      The root cause seems to have been defective aircraft design to save money.

      Contributing factor is that the sensor system doesn't seem to have been truly redundant (tripled) and wasn't integrated into other controls.

      Once you've got these factors, no matter what you do with software you are at risk.

      As an aside, one thing that annoys me about my car is that in auto mode the headlamps turn on when it is dark enough and auto dip, the wipers wipe when it is raining, but the headlamps do not turn on automatically when it is raining, leaving me with one case out of 4 to remember to do manually.

      1. Andre Carneiro

        Re: Criminal Negligence and/or Corporate Malfeasance? Those are a Rock and a Hard Place

        Your car is required (provided that you are in Europe and it has been built recently) to have daytime running lights, thus obviating the need to manually turn on your headlights if it happens to rain during the day.

        1. Anonymous Coward
          Anonymous Coward

          Re: Criminal Negligence and/or Corporate Malfeasance? Those are a Rock and a Hard Place

          Cars and CDV's with type approval gained after 06/02/11 (for sale in Europe) must have seperate daytime running lights, commercial and public service vehicles must have them if they gained type approval after 01/08/12. Nordic countries mandated DRL's in 1977.

          Many vehicles do activate full headlights when the wipers are activated more than 3 times a minute, regardless of whether DRL's are fitted or not, as mentioned, the light switch has to be in the 'auto' position for this functionality to operate though. - and it certainly pre-dates DRL's, I'm fairly sure it was a Ford feature ported across to all PAG vehicles (like heated windscreens) and licenced to other manufacturers.

        2. A.P. Veening Silver badge

          Re: Criminal Negligence and/or Corporate Malfeasance? Those are a Rock and a Hard Place

          But those DRLs don't activate the rear lights and therein lies the real problem.

          1. Andre Carneiro

            Re: Criminal Negligence and/or Corporate Malfeasance? Those are a Rock and a Hard Place

            Fair point, hand't thought of that...

          2. imanidiot Silver badge

            Re: Criminal Negligence and/or Corporate Malfeasance? Those are a Rock and a Hard Place

            On many modern cars the rear lights come on with the DRLs or can be programmed to.

            Personally I prefer the system my turn of the millennium Volvo uses. Headlights and taillights are on when the ignition is on. Full stop. (This can be switched so they can be turned off, but why would I? It doesn't have DRLs so its the only way to be easily visible)

          3. Anonymous Coward
            Anonymous Coward

            Re: Criminal Negligence and/or Corporate Malfeasance? Those are a Rock and a Hard Place

            I like the look of my LED DLR's on my car, but if you turn off your automatic lights, the DLR's can be so bright you forget to turn on your headlights as you can see perfectly well by them!

      2. Anonymous Coward
        Anonymous Coward

        Re: As an aside, one thing that annoys me about my car

        If we're swapping car gripes, mine is that the speed limiter can't be configured to come on with the ignition - it requires to me manually activated every journey. I have yet to hear a valid reason why that should be (assuming "shit design" isn't a valid reason).

        1. werdsmith Silver badge

          Re: As an aside, one thing that annoys me about my car

          It's just a quick thumb button on the steering wheel.

          The car maker needs to hand over responsibility for staying within speed limits system to the driver, the driver is in control. This avoids one area of liability.

          1. Andytug

            Re: As an aside, one thing that annoys me about my car

            Speed limiters are hopeless, cruise control is a far better system. The driver is the speed limiter and should know if they're going too fast for the conditions around them.

            1. Anonymous Coward
              Anonymous Coward

              Re: The driver is the speed limiter and should know ...

              About half of all drivers have skills that are below average. Are you sure we can rely on them to know? :-)

            2. Anonymous Coward
              Anonymous Coward

              Re: As an aside, one thing that annoys me about my car

              Cruise control is hopeless, speed limiters are a far better system. The moment I take the foot off the pedal, the car slows down. I use it all the time, set the limit to a safe speed just below the speed camera trigger speed and if necessary, I can push the pedal down to override the limiter.

              The driver is still the speed limiter and needs to set an upper limit. The car won't keep the speed without a constant signal to do so, though.

        2. Terry Barnes

          Re: As an aside, one thing that annoys me about my car

          Someone else might drive the car after you. If the limiter comes on automatically and they don't know about it or understand it they might end up in trouble if they try to join a motorway and find they can't get down the slip road faster than 30MPH. Requiring you to activate it each time means that you'll know because you did it.

        3. SloppyJesse

          Re: As an aside, one thing that annoys me about my car

          My Peugeot forgets the position of the rear wiper switch. If it is on when the ignition is turned on they do not function. Have to turn the switch off and on again.

          Guess someone forgot to call the 'check the physical switch position' routine...

          And if you turn the fog lights on with headlight on auto guess what? Yup, if it gets lighter the auto headlights turn off and also cut the fog lights off. Because no one ever started driving on a foggy dark morning and it got lighter...

          Don't get me started on the sound system...

          1. imanidiot Silver badge
            Trollface

            Re: As an aside, one thing that annoys me about my car

            It's a Peugeot... Did you really expect the electronics to make sense? Or work?

            1. Kubla Cant

              Re: As an aside, one thing that annoys me about my car

              Not just Peugeot. The BMW 5-Series Touring (estate car) has the same stupid mistake. Also, because the front and rear wipers are on the same stalk, you have to turn off the rear wiper to wash the windscreen.

              1. Anonymous Coward
                Anonymous Coward

                Re: As an aside, one thing that annoys me about my car

                I have noticed this with different makes of rental cars. It appears to be a useful feature, too, as it avoids the horrible sound of windshield wipers scraping a dry and dusty windscreen the next morning.

                On the gripping hand, when does that ever happen in the UK

            2. Mat

              Re: As an aside, one thing that annoys me about my car

              I see you used trollface there but in reality it is unneeded because you are totally accurate in your assertion!

      3. Kubla Cant

        Re: Criminal Negligence and/or Corporate Malfeasance? Those are a Rock and a Hard Place

        with a commercial aircraft there should be no actual reason for not giving it the best possible stability and ease of control

        Apparently, the 737 was originally a smallish plane designed for regional airports. It had short landing gear so it was convenient for places without boarding ramps.

        After many changes and upgrades, Boeing reached the point where they needed a model with more economical engines. But they couldn't fit new high-bypass engines under the wing. They couldn't make the landing gear taller because of the way it retracts, so the engines had to be moved forward. This pushes the nose up under maximum power. There's a suggestion that when the nose goes up the fat nacelles themselves produce lift, which pushes the nose up even more. This is the instability they were trying to disguise.

      4. spinynorman

        Re: Criminal Negligence and/or Corporate Malfeasance? Those are a Rock and a Hard Place

        "with a commercial aircraft there should be no actual reason for not giving it the best possible stability and ease of control"

        When I finished my apprenticeship at BAe in Bristol in 1979 I worked in the Avionics department. There were two research projects active: Relaxed Stability; and Gust Load Alleviation. The former investigated reducing the size of the tail plane, thus reducing stability, but regaining stability via a control system. The latter adjusting control surfaces to reduce thermal gust load on the wings, using a control system, allowing for a thinner wing skin. Both control systems would allow for a lighter, and therefore more efficient aircraft.

        The reasons for these changes are obvious. The competitive pressures between aircraft manufacturers is huge, and the flying public expect / have become accustomed to, cheap air travel. I wouldn't say that this kind of design is defective - but the control systems must be expertly scrutinised and employ majority voting.

        As others have pointed out, it's possible that where there are multiple sensors if one sensor fails, they might all fail. In this case the failure must be detectable and ... safe. Perhaps for this particular aircraft more effort should have been taken to design a more robust AoA sensor.

    2. TheSirFin

      Re: Criminal Negligence and/or Corporate Malfeasance? Those are a Rock and a Hard Place

      I agree. But one thing that will make for even more uncomfortable reading for Boeing Execs, Shareholders and fans, is that all 3 possible warning systems which Boeing had designed to alert of possible malfunction of, or pilot conflict with, said MCAS system were ALL additional extras on the both the Max 8&9 aircraft. Neither of the two aircraft that have crashed had any of these systems installed**. In fact, a recent pilots report from American Airlines suggests they may be the only carrier who has selected them. How such critical alerts could be "optional extras" given the number of stripped back, bare bones carriers out there is a galling commercial decision for any company to have taken. This, more than anything I feel will be highlighted in all the reports written on the causes of these tragic events. [** Source: AvTalk Podcast No53, produced by FlightRadar24. Worth a listen].

      1. Bonzo_red

        Re: Criminal Negligence and/or Corporate Malfeasance? Those are a Rock and a Hard Place

        If the US courts have been locking up VW engineers for allowing cars to operate contrary to federal regulations, how many Boeing executives and engineers are going to be spending time in the local pententiary for killing a few hundred passengers?

        1. Anonymous Coward
          Anonymous Coward

          Re: Criminal Negligence and/or Corporate Malfeasance? Those are a Rock and a Hard Place

          Hmm. The fact that one is a US company and the other European will make no difference Im sure.

        2. Mark 85

          Re: Criminal Negligence and/or Corporate Malfeasance? Those are a Rock and a Hard Place

          Engineers, maybe. Or not. Executives and/or board members... definitely not.

        3. amanfromMars 1 Silver badge

          Re: Criminal Negligence and/or Corporate Malfeasance? Those are a Rock and a Hard Place

          If the US courts have been locking up VW engineers for allowing cars to operate contrary to federal regulations, how many Boeing executives and engineers are going to be spending time in the local pententiary for killing a few hundred passengers? ...... Bonzo_red

          I wouldn't like to be held responsibility and liable for the following input/output ...... the last two paragraphs on this page .... Alert ..content is protected

        4. veti Silver badge

          Re: Criminal Negligence and/or Corporate Malfeasance? Those are a Rock and a Hard Place

          That's completely different. VW was a foreign company selling to Americans. Boeing is an American company selling to foreigners. And the victims were also mostly foreign, therefore not important.

  11. commonsense

    That promise of a patch was originally made a week ago. Various news outlets reported that it would be deployed by the end of this month, rather than April as was originally expected before the worldwide grounding.

    So they're going to rush out a patch? What could go wrong?

    1. Mark 85

      So they're going to rush out a patch? What could go wrong?

      Let's ask Microsoft about this? They probably know.

  12. tip pc Silver badge

    MCAS is more like lane keeping technology and auto braking

    MCAS is more like lane keeping technology and auto braking on newer cars. Lane keeping is weird, its like the steering gets really heavy and feels almost like the car is steering in a rut in the road when actually the car is steering. Lane keeping does allow you to change lane if your positive enough, I guess if you where tired you'd just go with where the car is steering you. Looks like MCAS just kept on ever more forceful overriding the pilots despite their numerous positive control inputs.

    1. defiler

      Re: MCAS is more like lane keeping technology and auto braking

      I've read 50kg needed to be applied to counter the effect of MCAS. I tell you what - you try pulling back 50kg, just to straighten your dive, and then more to try to pull out.

      Even if you can split this load between both yokes, that's still a hell of a load to try to sustain. From the sound of things, this looks like what Boeing is going to address. By limiting MCAS to 1/4 authority that 50kg can be dropped to 12.5kg, plus additional input to raise the nose. That's doable for a while in an emergency.

      What it doesn't do, though, is address the one-input issue.

      1. tip pc Silver badge

        Re: MCAS is more like lane keeping technology and auto braking

        MCAS works on the "Horizontal Stabiliser"

        The Yoke works on the Elevators

        There is no 50kg of force needed.

        https://theaircurrent.com/wp-content/uploads/2019/04/737-mistrim-stab-forces-the-air-current-3.jpg

        https://en.wikipedia.org/wiki/Tailplane

        https://en.wikipedia.org/wiki/File:Tail_of_a_conventional_aircraft.svg

        https://en.wikipedia.org/wiki/Elevator_(aeronautics)

  13. Andre Carneiro

    MCAS is being misportrayed

    The mainstream media seems to keep misrepresenting the role of MCAS.

    It is not a simple anti-still mechanism. There is a stick pusher for that.

    I am pasting a very clear explanation of what MCAS does and why it came to be. Credit to FCeng84 (https://www.pprune.org/member.php?u=291487) from PPRune for this post.

    "There is a cert requirement that as AOA increases, the nose up pilot command required must not decrease. This is demonstrated at fixed thrust levels so there is no change in thrust pitching moment. The 737MAX issue here that gives rise to the need for MCAS is that as AOA increases the lift provided by the engine cowling that is so large and mounted so far forward of the wing causes a nose up pitching moment that results is a decrease in the column pull needed to maintain a steady positive AOA rate. That characteristic is not compliant with the requirements. MCAS comes active during this maneuver putting in nose down stabilizer that must be countered by the column. The net effect of engine cowling lift and MCAS nose down stabilizer as AOA increases is that the column needed to complete the maneuver does not decrease part way through the range of AOA for which characteristics must be demonstrated. 737MAX without MCAS fails the cert demo. 737MAX with MCAS passes the cert demo."

    It exists to make sure that the "feel of the aeroplane" is consistent across increasing Angles of Attack in order to pass certification, not as a protection against stall as such.

    That said, that is more or less irrelevant. The engineering of it (one single data feed? Seriously?) and the certification process (the manufacturer self-certifies? Seriously?) are critical issues which, I believe, are rooted in complacency: 2017 was the first year in aviation history where not a single life was lost to commercial aviation.

    It's sad to see that this flagship industry is starting to let its guard down.

    1. Andytug

      Re: MCAS is being misportrayed

      To have a safety critical system reliant on just one fundamental input (AOA sensor) is crazy and surely against some regulation somewhere, there should be 3 so that if one fails or goes rogue it can be ignored in favour of the other two?

      1. Alister

        Re: MCAS is being misportrayed

        @Andytug

        Yes, absolutely correct. But in Boeing's corporate world, the costs of doing it properly were deemed greater than doing it quickly. Guess which won.

        Also note that no model of 737 has more than two AOA sensors, so already the rule-of-three is broken.

        A point raised by someone on PPrune is however interesting:

        There are literally thousands of conventional 737s of various types still flying around every day, using the same AOA sensors as those fitted to the MAX, so why do we not hear about many failures? It would suggest that in general, the AOA sensors are pretty reliable.

        But then that begs the question, what is different about the MAX that caused the AOA sensors on two separate airframes to fail in such quick succession?

        1. MiguelC Silver badge

          Re: AOA sensors

          Maybe the AOA sensors worked in these two instances just as in any other 737 plane (MAX or other), the difference being the use that MCAS makes of them?

          1. Alister

            Re: AOA sensors

            I thought it had already been established - at least for LionAir - that the reason that the MCAS kept triggering was that the AOA sensor was providing erroneous data?

            Such that even after the plane had pitched nose down below the horizon, the MCAS was still seeing a high AOA and responded by adding more nose-down trim.

        2. Gene Cash Silver badge

          Re: MCAS is being misportrayed

          > why do we not hear about many failures

          Because on the OG 737s, the AOA sensors aren't tied into a system that kills you if they fail, thus making the evening news.

          In the OG models, they mainly run a display. The pilot notes it's wrong/disagrees with the copilot's display, and ignores it, logging a maintenance ticket. That does not make the evening news.

          1. Alister

            Re: MCAS is being misportrayed

            In the OG models, they mainly run a display. The pilot notes it's wrong/disagrees with the copilot's display, and ignores it, logging a maintenance ticket. That does not make the evening news.

            Yep, fair point. It would be interesting to find out how many times that happens, and how reliable the AOA sensors normally are.

        3. PhilBuk

          Re: MCAS is being misportrayed

          @Alister

          The rule of three is broken - so is the rule of two. The 737 has two Flight Computers (FCs), these each have their own AOA sensor - there are no links between the two. In flight, only one FC, and therefore only one AOA is used. The standard operating procedure is to alternate FCs between flights. So it's worse than you thought - only one AOA is used during flight and if that one is buggered, so are you.

          Great design Boeing!

          Phil.

    2. Anonymous Coward
      Anonymous Coward

      Re: MCAS is being misportrayed

      Still, "AOA increases the lift provided by the engine cowling that is so large and mounted so far forward of the wing causes a nose up pitching moment that results is a decrease in the column pull needed to maintain a steady positive AOA rate" means that the risk of a stall is increased - as the the pilot must decrease the pull to maintain the AOA, it it keeps it in the same position the AOA keeps increasing by itself - and it could catch off-guard pilot trained in previous models.

      Especially in critical situations at higher AOA - take off and landing, where a stick shaker may be less useful, especially if the plane has reached a dangerous AOA, because it could take more time to recover.

    3. steelpillow Silver badge
      Boffin

      Re: MCAS is being misportrayed

      The root of the problem is that the lifting engine cowlings moved the aerodynamic centre forward of the centre of mass at high AOA. The traditional solution is to move the aircraft centre of mass forwards likewise, for example by extending the forward fuselage. This of course would mean a major structural redesign and could have further ramifications, such as a taller tailfin.

      Another approach that has been used successfully is to introduce a "lifting tail". This is a tailplane or horizontal stabilizer optimised to provide a little lift in normal flight. It acts to move the aerodynamic centre back aft of the existing centre of mass. But that would reduce fuel economy and range, and might also require a larger tailplane and strengthened rear fuselage.

      The modern approach is to fix such handling problems in the software so that, even if the plane flies like a brick tied to a pig, it still feels like a Spitfire. This was, very sensibly, the MCAS solution. Except, it doesn't feel like a Spitfire, it feels like a pig that has eaten the brick. Worse, Boeing and the FAA together chose not to train pilots in the gentle art of turning it off. And that is down to bad engineering, bad certification, and bad operational support.

    4. pavel.petrman

      Re: MCAS is being misportrayed

      Re the manufacturer self-certifies? Seriously?

      Self certification is actually quite common in highly complex areas (in many locales even nuclear power plant operators self-certify) which fact usually comes with very strong incentives for the operator or manufacturer not to lie in the certification. And having seen the complex certification processes in the nuclear power generation I would never argue that a public agency would be per default better suited to do the certification, quite the contrary. So in this case it may have been the incentives what failed.

    5. Anonymous Coward
      Anonymous Coward

      Re: MCAS is being misportrayed

      This is surely going to be another one of those laws of unintended consquences. That, in order to address a requirement that a dozy pilot who's holding a constant backforce on his control control shouldn't be able to cause a runaway pitch-up, that they've added a complexity to the control system that has caused two crashes and claimed hundreds of lives, when it kicked in by mistake and trimmed to the point of loss of control.

  14. steelpillow Silver badge
    Devil

    Let's not wait

    So, having analysed the current software for failure modes, let's rush the upgrade out a month early and we can all start flying again.

    Let's not wait to do the job properly, followed by independent FMEA and validation of the new software build first, that might cost money and look bad.

  15. Pascal Monett Silver badge
    Thumb Down

    Forget ROTM

    I more and more have the feeling that if we collectively kick the bucket, it will simply be by our own stupidity.

    We are obviously interfacing the human and the machine with more and more software, however we are singularly failing to properly think about the consequences, or properly test all the scenarios before we put it into production.

    Do that in a bank or an administration and you only get headaches trying to set the situation straight again (and some loss of money). As we have seen, do that in flight automation software - which we need - and you lose lives.

    Sorry Boeing, someone was not thinking right when they drew up and improperly tested this functionality. And more than 350 people have paid that negligence with their lives.

  16. Anonymous Coward
    Anonymous Coward

    Why did it require two?

    Why did it require TWO crashes to begin to realize that there's something wrong?

    Pretty serious issue if every aircraft fault now needs two crashes to prompt reaction. Especially in this age of software enabled incidents...

    There's some root-root-root... analysis needed here, about six layers of Why?

    1. Alister

      Re: Why did it require two?

      Why did it require TWO crashes to begin to realize that there's something wrong?

      Because Boeing and the FAA collectively stuck the fingers in their ears and denied that there was anything wrong. Until the preliminary report from the LionAir crash, they didn't even own up to the fact that MCAS was installed.

      Lest we forget, it's only a week ago that the FAA was still expressing "complete confidence" in the 737MAX, and that was AFTER the second crash.

    2. muhfugen

      Re: Why did it require two?

      Because more than 55 million people die every year, and the few hundred which died from these two accidents are nothing more than a rounding error.

      1. Tom 64
        Mushroom

        Re: Why did it require two?

        There is a difference between dying of old age, and dying from corporate manslaughter, don't you think?

        The only reason Boeing are acknowledging the problem now is because at the rate the accidents were occurring, it wouldn't be long until a 737MAX went down in a country where Boeing could get sued.

  17. Gustavo Fring
    Unhappy

    IS E M

    elon musk ? it seems to fit the correct number of asterisks ... but that cant be right , surely ?

  18. Aladdin Sane

    Seems to me, that the basic 737 design is unsuited to the power output of the newer engines. Rather than fiddle with the software, maybe they should consider sorting the hardware?

    1. Alister

      That would have cost them much more money though, and a full re-certification process.

      1. A.P. Veening Silver badge

        I'd say they guessed wrong and it will cost them even more money. A full re-certification will be required now and EASA and CAAC (to name just two) aren't going to rubber stamp the FAA certificate this time, but will require re-certification independent from FAA. If Boeing is luckier than it deserves, EASA and CAAC will agree to a combined certification, but will still have to be without FAA.

      2. Aladdin Sane

        I think this approach is going to cost a hefty amount in the long run.

        1. Anonymous Coward
          Anonymous Coward

          Again, on Pprune, someone posted some figures, I don't know how true they are:

          Boeing's projected income for sales of 737MAX 8/9 models: 600billion dollars.

          litigious value for each death, in the region of 2-3million dollars x 320 = 900million to 1 billion dollars

          Cost of recertification circa 10-15billion dollars in total.

          Profit!

          1. Hopalong

            litigious value for each death, in the region of 2-3million dollars x 320 = 900million to 1 billion dollars

            737Max production rate - 10 per week, ticket price for a max-8 $121M (not that anyone pays list price)

            So the cost of litigation < weekly income .....

    2. Robert Sneddon

      737

      The 737 has been around for a long time and Boeing has a number of large customers who want 737s, the newest and shiniest 737s with more efficient engines, better fuel consumption, more passenger capacity but basically 737-shaped flying machines. South West Airlines has 750 of them, for example and they will only buy 737s.

      737 pilots can switch between recent versions of the 737 easily with minimal retraining, the maintenance and ramp workers don't have to deal with lots of new hardware, any changes are incremental and reduce operating costs. Boeing really needed to design a son-of-737 which didn't have the airframe structural limits that the existing 737 versions suffer from. The resulting aircraft wouldn't be a 737 though meaning the customers would have a choice, wait for the new plane (797?) to start coming off the production line or buy planes like the Airbus 320neo now. That was something Boeing wanted to avoid at all costs hence the software-patch-for-an-aerodynamic-problem solution they eventually rolled out.

    3. imanidiot Silver badge

      It's not about the power output of the engines, it's purely about their size and the way their aerodynamics affect the aircraft at high angles of attack. Airflow upwards from below the aircraft push the engine cowlings upwards. On the old design the main part of the engines was close to the center of mass and didn't affect the pitch of the aircraft. The new engines are both larger and further forward. At high angles of attack the airflow from below pushes on the engines and because they are so far forward this pushes the nose of the aircraft up, increasing pitching moment. To counter this the MCAS system was introduced that counters this extra pitch up moment by applying nose down trim such that the pilot wouldn't feel the difference. However, when the Angle of Attack sensor fails, the MCAS system repeatedly adds nose down trim when not needed, until the pilots have to pull on the yokes with 50 kgs of force just to keep the nose from dropping. On 2 flights they lost that battle and the aircraft dove into the ground.

      1. Kubla Cant

        when the Angle of Attack sensor fails, the MCAS system repeatedly adds nose down trim when not needed, until the pilots have to pull on the yokes with 50 kgs of force just to keep the nose from dropping

        Solution: stronger pilots!

  19. Rasslin ' in the mud

    "MCAS was intended to add nose-down trim if it thought the aircraft was getting close to stalling."

    MCAS is a subsystem on a commercial aircraft! It doesn't THINK, it primitively responds to sensor inputs in a pre-programmed manner! If computers are so "gee-whiz" to the author, maybe he is working for the wrong publication.

    1. ChrisC Silver badge

      "MCAS was intended to add nose-down trim if it thought the aircraft was getting close to stalling."

      If I look out the window and see dark clouds rolling in, is "looks like rain" a thought that crosses my mind, or just a primitive response to sensor inputs?

      I'm pretty sure, nay, let's really push the boat out and say that I'm absolutely certain, that the author of this piece didn't for one femtosecond think that the MCAS system has any sort of sentience, and that the use of "if it thought" here is nothing more than a figure of speech used as a somewhat more readable alternative to "if it received inputs from the AOA sensor which crossed some pre-defined thresholds, determined after extensive flight regime testing, CFD modelling etc., to be a strong indicator that".

    2. Anonymous Coward
      Anonymous Coward

      Re: " if it thought the aircraft was getting close to stalling."

      It's just a way of expressing it, frequently used by those of us who in the past have had to explain things to the C-suite. "Thought", "Computed that", in context there is no ambiguity.

      1. Anonymous Coward
        Anonymous Coward

        Re: " if it thought the aircraft was getting close to stalling."

        Often there's more evidence of the computer thinking than the C-Suites

    3. Throatwarbler Mangrove Silver badge
      Headmaster

      Re: "MCAS was intended to add nose-down trim ..."

      PROTIP: In common parlance, people very often refer to programs or computers as "thinking" even when they do no such thing.

      You may also hear people refer to "dialing" a number on a cellular phone. Try not to let it bother you too much, is my advice.

  20. spold Silver badge

    Actually it will just be a change to the documentation for now...

    We will we have a fix real soon now, well a month later than we first said, and it will be coded and tested to the same exacting standards we are now famous for.

    Meantime

    In section 1 line 1 of the "737 Max 10 MCAS 101" manual please insert "N.B.You cannae change the laws of physics captain".

    In section 1 line 1 of the "MCAS recovery procedures" please delete the word "Don't" in "Don't Panic".

  21. Anonymous Coward
    Anonymous Coward

    Which airline wants to be the first to test the revised system?

    1. Anonymous Coward
      Facepalm

      Well it won't be BA; they pride themselves on having a Wright-era fleet and cancel so many flights that airborne accidents are statistically impossible.

      1. Anonymous Coward
        Anonymous Coward

        > Well it won't be BA; they pride themselves on having a Wright-era fleet and cancel so many flights that airborne accidents are statistically impossible.

        When they say they've got the right stuff they mean they've got the Wright stuff...

    2. sanmigueelbeer

      Which airline wants to be the first to test the revised system?

      I'm going to be brutally honest: Every operator will need to have this software installed.

      Airplanes make money when they are flying (and not flying INTO).

      The good news to this is every MAX pilot will now be armed with knowledge and skill to disable MCAS. Who knows, maybe pilots who didn't get simulator time (for the new "revised" syllabus with MCAS included) will/might just disable MCAS during (or immediately after) take-off.

  22. Anonymous Coward
    Boffin

    Here's an explanation for use in all news sites ever... (warning: science involved).

    MCAS is literally like mounting a Ferrari engine in a Vauxhall Corsa body, then driving it at high speed at night, through a town centre in the rain, manoeuvring by shouting instructions with your eyes shut at the gobby and horny 17 year old in the front seat who's drunk 8 blue WKDs in quick succession, and is showing off to his girlfriend who's alternating between screaming like a baby and vomiting into the footwell.

    1. Anonymous Coward
      Anonymous Coward

      Re: Here's an explanation for use in all news sites ever...

      I think you mean "metaphorically" rather than "literally like", and also the pilots deserve better.

      It wasn't the fault of the pilots, but they are the ones who get to be dead along with everybody else on board.

      Someone went and killed a whole load of people in New Zealand because of a right wing ideology. In this case over 300 people have been killed because of an ideology that put share price ahead of lives. Guess who will go to prison?

      1. Throatwarbler Mangrove Silver badge
        Thumb Up

        Re: Here's an explanation for use in all news sites ever...

        I wish I could upvote Voyna i Mor's comment a thousand times and also trumpet it from the rooftops.

        1. Anonymous Coward
          Anonymous Coward

          Re: Here's an explanation for use in all news sites ever...

          Don't let me stop you.

  23. Anonymous Coward
    Boffin

    Yep

    "This is your co-pilot speaking. If there's a software engineer on board, please come to the cockpit within the next 60 seconds."

  24. sanmigueelbeer

    Send in the lawyers!

    Once this blows over, I'd like to see if Ethiopia Air (and/or Lion Air) will launch a lawsuit against Boeing.

    It will be interesting to see how much compensation (outside of insurance) will Ethiopia and/or Lion Air will get from this.

    1. Frumious Bandersnatch

      Re: Send in the lawyers!

      Because obviously loss of human life invariably and inexorably leads to the idea of cash payouts. What a catch you are.

      1. Anonymous Coward
        Anonymous Coward

        Re: Send in the lawyers!

        That is why it's called "capitalism".

      2. sanmigueelbeer
        Thumb Down

        Re: Send in the lawyers!

        Because obviously loss of human life invariably and inexorably leads to the idea of cash payouts

        That's how "life" goes in America: People sue.

        Someone slips on a banana peel in mall, they sue the mall owner (get a generous payout). If one rides on public transport and gets t-boned, someone (will) sue the public transport authority and get a hefty payout (free health check to boot).

        `tis America. People for sport.

        (No offense to the Americans.)

        What a catch you are.

        Thank you. My wife agrees with you.

  25. Ptol

    Correct definition of a stall

    it is the break up of laminar air flow over the wing that defines the point when a wing stalls, not its air speed.

  26. herman

    "it is the break up of laminar air flow over the wing that defines the point when a wing stalls, not its air speed." - It is a bit more complicated than that also.

  27. TheMeerkat

    I suspect Boeing hired an Agile Consultant who told them they have to deliver “working software” every two weeks. There was no time for testing.

  28. TrumpSlurp the Troll
    FAIL

    Software release process

    As noted before, it is not good practice to install an undocumented software feature which does not display an alert when activated.

    Especially as the undocumented feature has obviously no documentation on how to to turn it off. Which you won't need because you don't know about it, let alone know that it has been activated.

    Noting that an alert would be displayed should an optional extra have been installed.

    Noting further that the supplier should have been well aware what percentage of the target install had in fact had the optional extra installed.

    Still, the Alpha testing by end users does seem to have highlighted the problem and a fix is being rushed out.

    I haven't seen anywhere so far that the software fix will be accompanied by the additional (so far optional) instrumentation to warn when the software is active.

  29. Anonymous Coward
    Anonymous Coward

    How to kill people by saving money, episode #28066

    If we go to root causes, the whole reason that Boeing added MCAS was because it made design changes that in any other case would have led to a need for pilots to re-certify on what appeared to be the same airframe (the car analogy is not far off - what Boeing did significantly changed its flight dynamics). That would have made it much harder to sell (associated costs and lag while everyone got up to speed), so MCAS to the rescue.

    The problem is that MCAS, for all its critical functionality, appears not to have been coded with much in the way of redundancy on sensor input, and a critical error in assessing trim made that its changes were cumulative and thus had a far greater impact on trim that was intended. Add to this an inability to kill it when it became problematic and you have the recipe for the disasters we have seen - it also demonstrates that grounding the planes before we had a third crash confirming a suspicion was the right call (not that I think that should ever have been a question - there are some stiff questions here for the lag in the US that carried the potential that one of these planes could have dived straight into a densely populated area).

    These changes and their fix handily bypassed any critical eye asking intelligent questions by the way in which the FAA changed its approach to certification - the latter is now being investigated, and the political climate in the US makes for an uncertain outcome at best. This FAA thing may lead to another disconnect - there's no redundancy in the safety that the FAA used to provide, and with the changes in approach that have now laid bare I can see it quite possible that other nations may start looking at making this a tad more independent.

    My fear is that this will spawn becomes a political battleground that has everything to do with power, much less so with our safety (as always, that'll just be the excuse).

    1. Keir

      Re: How to kill people by saving money, episode #28066

      How about.....these planes should not be allowed to fly publicly until Boeing has flown them each day for 6 months with at least 2 board executives in the plane. At least a 2 hour flight to be conducted in all conditions. Any time an issues occurs, the 6 month clock is reset to zero. That will help ensure that any safety issues are paramount as opposed to any cynical commercial focus to get the orders flowing again.

  30. FSS

    The question everybody forgot

    Will anyone here be willing to fly in such planes, even after Boing issue SW updates?

    1. Anonymous Coward
      Anonymous Coward

      Re: The question everybody forgot

      Nope, but I can see some airlines advertising the fact they use Airbus!

  31. Anonymous South African Coward Bronze badge

    Yo Boeing!

    Ever heard of a thing called a boycott?

    1. Fred Flintstone Gold badge

      Is that a new brand of plane that only taxies back and forth?

  32. JaitcH
    FAIL

    Trumps Regulation Deletion Doesn't Work Too Well In Many Industries

    The FAA has apparently used Boeing employees to perform testing in lieu of Third Parties.

    Hard to work for two masters.

  33. devTrail

    Still glossing over

    Some pilots have alleged that original training courses on the 737 Max glossed over what MCAS was and how it worked.

    Are the journalists unaware of the details or is Boeing still glossing over?

    What kind of patch are they releasing? Making the system easier to disable, more redundant and tolerant to faulty sensors, both, or something else?

    How will the additional pilot training work? I guess they can't release new manuals and say that from the next day the planes can fly, pilots will need some time for the extra training. Moreover, if the system is shut down the pilots will have to learn to fly a plane that suddenly has a different balance, will they be able to try it in the simulator?

  34. BobC

    MCAS from a Systems Perspective

    I was an engineer at an aircraft instrument maker while it was developing and certifying its TAWS (Terrain Awareness and Warning System) product. I worked in essentially all aspects of the product except for the design of the hardware itself. In particular, I was involved in requirements analysis, software design and development, hardware production (processes and tools), and FAA certification.

    Though TAWS provided only audible and visual warnings, we were greatly concerned that we not urge the pilot to take excessive or inappropriate action, such as by announcing a warning too late, or by announcing an incorrect warning. The official TAWS specification described very well what the system must do, but did much less to define what the system must **not** do.

    One of my prime responsibilities was to conceive of ways to "break" TAWS, then update our requirements to ensure those scenarios were properly handled, and then update our certification procedures to ensure those scenarios were thoroughly tested. Many of my findings revealed "holes" in the official FAA TAWS specification, some of which were significant. (Being a competitive company, we fixed them in our product, then reported them to the FAA as real or potential flaws in competing products. Essentially, we kicked the hornet's nest every chance we could. Fun for us, harmful to our competitors, and safer for everyone.)

    The "single-sensor problem" is well known and understood within the avionics community. However, as our TAWS was initially an add-on product for existing aircraft, we often couldn't mandate many aircraft changes, which could greatly increase the cost and down-time needed to deploy our product. Fortunately, all aircraft are required to have "primary" and "secondary" instruments, such as a GPS heading indicator backed by a magnetic compass. Furthermore, sometimes the display for a low-priority function can be made to serve as a display for a secondary sensor when the primary fails, in which case it is called a "reversionary" display.

    The sweet spot for us was that the vast majority of our initial TAWS customers would already have some of our instruments in their cockpit, instruments that already had all the inputs needed to serve as reversionary displays. Inputs that can be shared with our TAWS product.

    When we looked at the whole TAWS specification from that perspective, we realized there were circumstances when "primary" and "secondary" instruments may not suffice, particularly if both relied on the same underlying technology (such as digital and analog magnetic compasses, which sense the same external magnetic field - meaning a non-magnetic way to determine magnetic heading was needed, which GPS could help provide).

    I had prior experience in "sensor fusion", where you take a bunch of diverse/redundant/fragile sensors and combine them to make better "synthetic" sensors. Back in the day this was done with various kinds of Kalman filters, but today a neural net would likely be more practical (primarily because it separates the training and deployment functions, making the deployed system simpler, faster and more accurate).

    So, for example, let's say all your physical AoA (Angle of Attack) sensors died. Could you synthesize a suitable AoA substitute using other instruments? Given a list of other functional sensors, the answer is almost always "yes". But only if there is a physical system component where all those other sensors meet (via a network or direct connection). We had that meeting spot, and the compute power needed for a ton of math.

    But even synthetic instruments need primary and secondary instances, which meant not only developing two independent algorithms to do the same thing in different ways, but also, to the greatest extend possible, running both of them on redundant hardware. Which, again, our initial customers already owned!

    This extended to the display itself: What if the display was showing an incorrect sensor value? The secondary or synthetic sensor was compared with what was actually being shown on the display. If we detected a significant mismatch, this system would simply disable the display, completely preventing the pilot ever seeing (and responding to) any bad information.

    I'm concerned Boeing didn't do enough analysis of the requirements, design and implementation for MCAS: My guess would be that MCAS was developed by a completely separate team working in a "silo", largely isolated from the other avionics teams. For example, this is an all-too-common result of "Agile" software development processes being applied too early in the process, which can be death for safety-critical projects. And, perhaps, for those relying on them, including passengers, not just pilots. Yes, a company's organization and processes can have direct safety implications.

    Another example: When an automated system affects aircraft actuators (throttles, flaps, rudder, etc.) the pilot must be continuously informed which system is doing it, and with a press of a button (or a vocal command) be able to disable that automated subsystem. It seems the Boeing MCAS lacked both a subsystem activity indicator and a disable button. Though it won't happen, I wish this could be prosecuted as a criminal offense at the C-suite, BoD and senior management levels.

    I believe the largest problem here was all levels of aircraft certification testing: It would appear the tests were also developed in "silos", independent of their relationships to other parts of the system, including the pilot. The TAWS product I worked on was also largely self-certified, but we did so using, again, two separate certification paths: Formal analysis and abundant flight testing (both real and simulated).

    The key element for FAA self-certification to be worth believing in relies on the FAA requirement for aviation companies to work with FAA-credentialed DERs (Designated Engineering Representatives). DERs are paid by the company, so there is great need to ensure no conflicts of interest arise. On our TAWS project, the first DER we worked with was a total idiot, so we not only dismissed him, but requested the FAA strip his credential and investigate all prior certifications he influenced. After that incident, we worked with a pair of DERs: One hands-on DER who was on-site nearly every day, and another God-level (expensive) DER who did independent monthly audits. We also made sure the two DERs had never previously worked together (though the DER community is small, and they all know each other from meetings and conferences).

    Did Boeing work with truly independent DERs? I suspect not: There are relatively few DERs with the experience and qualifications needed to support flight automation certification. Which means "group think" can easily set in, perhaps the single greatest threat to comprehensive system testing. I predict several FAA DERs will "retire" very soon.

    Even from reading only the news reports, I see several "red flag" issues the NTSB and FAA should pursue as part of the MCAS investigations.

    Bottom line, the Boeing Systems Engineers and the FAA DERs have well and truly dropped the ball, not to mention multiple management-level failures. I'm talking "Challenger-level" here. Expect overhauls of both Boeing and the FAA to result. Expect all certs for all Boeing products still in the air to be thoroughly investigated and reviewed by the NTSB, NASA, the EU and China/Russia. Do not expect any new certifications for Boeing for perhaps years.

    1. Intractable Potsherd

      Re: MCAS from a Systems Perspective

      Thanks, BobC - it is good to hear from someone who knows the industry. That you have verified what seems to be the consensus opinion at the moment* is depressing, though.

      *Pending outcomes of the accident investigations, of course.

    2. Fred Flintstone Gold badge

      Re: MCAS from a Systems Perspective

      Thanks for that. I was just sent a link to a document written by a pilot who has also an IT background, and it makes, frankly, for horrific reading.

      As a matter of fact, I preserved it, just in case Boeing tries to get it offline because it is a sane but wholly damning review of what happened, and why. I quote:

      If I have not been clear, so far, let me say it succinctly.

      Boeing produced a dynamically unstable airframe, the 737 MAX. That is big strike #1.

      Boeing then tried to mask the 737’s dynamic instability with a software system, similar to the systems used in dynamically unstable fighter jets (though those jets are fitted with ejection seats). Big strike #2.

      Finally, the software system relied on systems known for their propensity to fail (angle of attack indicators) and did not appear to include even rudimentary provisions to cross check the outputs of the angle of attack sensor against other sensors, including the other angle of attack sensor. Big strike #3.

      None of the above should have passed any muster. None of the above should have passed the “ok” pencil of the most junior engineering staff, much less a DER.

      Go read it. After that, I suspect you won't go near a 737 MAX ever again, even after the patch.

  35. DrM
    FAIL

    Just a tad pregnant

    So, Boeing finally went the Airbus (AirCoffin) route and put in SW the pilot couldn't take command away from.

    Decided they'd go the XL Airways Germany Flight 888T route when the three angle of attack sensors disagreed and killed everyone on board?

    Just a little bit though, just a little bit pregnant, just piles of dead bodies.

    http://bluephotons.com/

    1. Fred Flintstone Gold badge

      Re: Just a tad pregnant

      Airbus starts at least with a dynamically stable airframe (which is where all the 737 MAX's problems originate), and as its software has the last say instead of the pilot, redundancy is not seen as an afterthought but as a critical safety component (and, let's be honest, as the only way to get a FAA certification, at least one that's been done properly).

      Last but not least, Airbus has decades of experience with software running the show, so by now they have a pretty good handle on where issues can arise and what to do to address them now before it ends up killing people. For Boeing to think they can quickly slap something together to fix a fundamental physical design problem and put that pretty much in charge over the pilot is unforgivable, especially since this was so critical to keep the plane in the air. It also raises MAJOR issues about the certification path for the 737 MAX.

  36. Wobbly World

    300 knots at 600 feet 0oop’s!! RIP...

    What do we know about the behavior of the 737 Max 8 plane in the Ethiopian Air incident?

    When looking at the current data on the flight path of Ethiopian Airlines Flight ET 302 on March 12, the airplane got to 1,000 feet. The airplane at that point lost about 400 feet of altitude, which is extraordinary. The next thing that’s interesting is the airplane flew level for about 30 seconds, about 500 to 600 feet above the ground. This is not what a civilian airplane’s supposed to do—you’re supposed to fly away. And the airspeed continued to increase, they got to over 300 knots at under 1,000 feet above the ground. No pilot would consider doing that.!!!

    Why they weren’t able to immediately climb in that 30-second period is a mystery!!!

    But at the end of that the plane did climb, and it climbed very nicely. We don’t know what happened after that—the last thing we saw on radar was the airplane flying very fast and climbing. One would have thought that whatever happened, they figured it out and off they went. But, tragically, they didn’t.

    Can anyone here suggest what was going on to cause the anomalies listed above?

    In the case of the 737 [Max 8]engines are installed below the center of gravity. And so, as the wing loses lift, the engines generate a pitching movement that causes the nose to want to go up. If the nose is starting to rise all by itself and the pilot doesn’t want that to happen, they will have to push the stick to stop it from going up, and that force reversal is a big no-no. Basically you should pull the stick to go up, and you should push the stick to go down—and you should never have to push the stick forward to stop it from going up!!!

    The debris field starts some distance from the crash site was the plane breaking up before impact?

    Could this indicate an explosion or other catastrophe event, smoke was seen coming from the rear of the plane, though that needs taking with a pinch of salt as the witnesses view, could of hidden the fact, smoke was coming from the fuselage or an engine out of view of the witness but from their point of view looked to be coming from the tail, the same goes for the debris, paper and other items seen falling from the plane prior to it crashing, what are the forums opinions of this and the above?

  37. Anonymous Coward
    Anonymous Coward

    Technically it is not an anti-stall device. It is a mechanism to counteract the tendency of the position and size of the new engines to generate positive lift at higher angles of attack. This positive lift reduces the force required on the control column to increase angle of attack and certification means that column forces on the approach to stall should not decrease. MCAS dials in nose down trim to ensure the column force required to increase AoA remains consistent or increases on the approach to stall.

  38. kbutler.toledo
    Thumb Down

    Smell that? It is not burning jet fuel it is pure GREED (optional, of course) but the GREED is pure.

    Based on reports about the MAX airliners that if Boeing made automobiles they would make brakes optional, at a 'small' extra cost, however. You can always just drag your feet to stop the car.

    Profit was placed above safety and concern. I'll almost bet Boeing exec's travel on Airbus.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like