They say that most accidents are a sequence of several failures, but from what's in this article it sure seems to me like 100% Boeing's fault.
If the only maintenance problem with this aircraft was a broken sensor, then that is almost irrelevant because sensors can break during flight too.
If it's really true that a mere broken sensor can cause the computer to ram the aircraft into the sea, then someone at Boeing really fucked up. Where are the redundancies and sanity checks?
Pilots and former safety regulators said that Lion Air flight and maintenance crews regularly filled out two log books, one real and one fake, to hide malfeasance.
If that’s true, I wouldn’t quite call it 100% Boeing.
Here we have an Indonesian company with a terrible safety record and an aircraft that hasn't been maintained properly.
However, if the computer is found to have initiated the pitch downwards, then the same failure could happen to any aircraft of this type, even if well maintained, if the sensors or computer simply begin to malfunction while the plane is in the air. Absent pilot error, the worst that should happen is a reversion to manual control.
What concerns me is that any software flaws with the aircraft will not be addressed until the problem reoccurs with another more reputable airline in the future, because Lion Air appear so guilty in this case.
It sounds like a trim runaway incident. This has been a known issue since the earliest days of electronic trim controls.
For those who don't know, trim is the system by which the neutral position of an aircraft's controls is set. In this case in pitch. An aircraft will fly at more or less a fixed speed for a given trim setting, slowing down will cause it to pitch down unless a correcting force is applied to the controls, and speeding up will cause it to pitch up. The problem is that in a severe out of trim condition it can take tens of kilograms of force to maintain the desired pitch.
Trim runaway is when the trim motor for whatever reason doesn't stop moving, in the simplest systems this is sometimes caused by faulty switches. Most aircraft actually have a switch which is split down the middle but is naturally pressed as if it were one. This requires two of the switches to fail to get this situation. There are usually trim in motion indicators and alarms if it's in motion for too long which are intended to help pilots avoid this situation.
I suspect the computer drove the trim heavily nose down, as a result of the envelope protection trying to avoid a stall. The pilots probably tried to intervene or the autopilot handed them the aircraft back knowing something wasn't right. At that point the trim was mis-set enough that they failed to recover correctly.
It’s also possible for the flight crew to have been fighting the AP (often inadvertently), resulting in auto-trim continuing to trim against them.
If the crew applies sustained pitch up inputs, above what the flight director is commanding, the auto-trim will apply trim down to compensate. This can result in pilot applying even more pitch up input, resulting in more trim down. Solution of course is to kill the AP and trim motors, the multiple means of how to do so is a memory item in every aircraft.
Trim runaway has caused accidents to be sure, but is still a flight crew error IMO, unless every means to kill the trim was tried and failed.
From my complete layperson perspective, this flawed-sensor/autopilot failure feels even more inexplicable than Tesla's Autopilot failing to stop for stationary objects. In the latter case, I can grasp how it's difficult -- or at least an open-ended problem to train a system to distinguish such objects in real time. But the heuristics for stable flight seem much more bound to hard-coded heuristics and physical facts -- isn't there a calculable, mostly-predictable limit -- for any given altitude -- to how much a plane can correct for a stall by nosediving. And when this limit is approached, shouldn't the plane's autopilot cede more control to the human pilot, if there's no indication that the pilot is otherwise incapacitated?
But it sounds like there's still a lot of unknowns about sensor readings and chain of events -- for all we know, it's possible the plane made a reasonable auto-correction, but the pilots misinterpreted the sensor readings and inadvertently caused the plane to go into an uncontrollable dive. Given that this is the Boeing 737 Max 8's first major crash, and it happens to be with one of the most unsafe budget airlines, it seems premature to say Boeing is at 100% fault. OTOH, 1 crash/189 deaths of a new plane, of a model that has had just 2 years of service so far, is not a statistic that justifies giving Boeing the automatic benefit of the doubt.
edit: Also, the Lion Air plane was said to have had the same major glitch with its airspeed indicator in all of its 4 final flights [0]. Even if Boeing's design is found to have shortcomings, Lion Air choosing to not ground the plane despite 4 consecutive flights of buggy behavior is a huge indictment of its safety culture.
I'm not saying that you're wrong or that one couldn't come up with a better algorithm but at the same time I wonder if it's a good idea to have ultra-complicated heuristics in something like an airplane. For one thing a complicated heuristic with many inputs and weights is a lot harder to validate and can lead to strange and unexpected failure modes.
Besides that the problem of having a very clever autopilot is that it makes it a lot harder for humans to react appropriately when it messes up, because they both don't expect it and are more likely to panic. The Tesla autopilot accidents are good examples of that, those I have seen would've been easily avoided by a human but because the autopilot was usually fine on its own the driver didn't react quickly enough.
Another much more tragic example is the Air France Flight 447 crash in the Atlantic where the autopilot detected a faulty sensor and disengaged and the two pilots managed to get the otherwise perfectly functioning plane to crash into the ocean because they basically freaked out and failed to understand what was going on.
That's a strange paradox in a way, as we move from fully manual to fully automated we have a strange "uncanny valley" for safety where the computer is clever enough to handle most situations which lulls the human operator into a false sense of safety. The operator pays less attention, eventually starts losing their skills and reflexes and then at some point, maybe years later, the computer messes up and you have a handful of seconds (if even that) to remember what you're supposed to do.
On the other hand a simple but predictable autopilot might not be quite as autonomous but at least it's easy to understand and anticipate, and it forces humans to remain attentive.
This is my question: why just one AoA sensor? It seems like there is plenty of space on the nose to put two or even four. Their results could be averaged. Presumably the MTBF for any individual AoA sensor is quite low (if we're happy to fly planes with just one right now), so this shouldn't cause too much of an increase in maintenance burden.
I don't actually know how many AoA sensors there are, but the NYTimes article seems to refer to them in the singular when talking about this plane.
Every article I’m reading says “AoA sensors”, which implies more than one. I think the flight computers did not correctly handle one of several sensors providing bad data.
> isn't there a calculable, mostly-predictable limit -- for any given altitude -- to how much a plane can correct for a stall by nosediving. And when this limit is approached, shouldn't the plane's autopilot cede more control to the human pilot, if there's no indication that the pilot is otherwise incapacitated?
There is, but there will always be a dependency on sensors to feed the input values into these functions. Modern flight computers are far better at pretty much any flying task than humans. Other than communicating with traffic control and raising/lowering the flaps and gear (none of which are absolutely necessary), a modern airliner can take off, cruise and land entirely on its own, with no human intervention.
I agree that it's probably a combination of bad maintenance, a not quite perfectly fault-tolerant system design and human error of the pilots. One factor that hasn't been mentioned is that even the newest versions of the 737 contain ancient, obsolete technology. A newer airliner will probably have more redundant and more fault-tolerant systems.
Nope. Nope nope nope. It can, very theoretically, do each of those things, but it can't switch those modes, must not take off automatically (there's no safe way to do this, and therefore would be very illegal), and requires vigilance that's above manual w/r/t landing. Please stop perpetuating urban legends.
> One factor that hasn't been mentioned is that even the newest versions of the 737 contain ancient, obsolete technology
You mean technology like... wings? ;-)
More seriously, the "ancient" stuff is such because its reliability has been proven over decades of refinement. "Don't fix what ain't broke," as the saying goes. The aerospace industry moves slowly for a reason. I'd much rather fly on an old maintained plane than the very newest.
> Other than communicating with traffic control and raising/lowering the flaps and gear (none of which are absolutely necessary), a modern airliner can take off, cruise and land entirely on its own, with no human intervention.
A single operator handles multiple military drones. A large part of this is they can take off and fly to a specific location, and/or land from a specific location on their own.
Just because other aircraft can do this today does not mean "a modern airliner can". No modern airliner currently has the capability to make remote controlled flights.
Hm. Autopilots have been able to fly the whole plane for decades, from runway to runway. They're not permitted for whatever reason; there has to be a pilot in the seat. But honestly for most flights of airliners (not even just modern ones) the autopilot is in control almost all of the time.
Can they be remotely operated? I'm thinking putting a plane into autopilot has to be a remote operation by now. It's so trivial, how can they have left that out?
They can't and don't fly runway to runway by themselves because even the smallest problem/perturbation/deviation from the norm knocks the plane out of the higher levels of automation and requires a human to intervene. The automation is great at making small adjustments to keep a plane flying stable, but give it a complicated, unknown airframe and it would fail miserably
Fog yes, but one of the three redundant guidance units malfunctioning? No. In fact, pretty much any hardware problem or malfunction will prohibit CatIIIb landing, which is common in current aviation. Craft will regularly fly with "minor" hardware or sensors in an inop status.
Basically to let the plane land itself, first the stars have to align
So do manned military aircraft. The military does a crazy amount of flying so you need relative rates for similarly refined systems* to really compare them.
* AKA older designs have better understood failure modes.
Too early to say that, and it's still conjecture from what I can tell.
Bad maintenance, and/or airline culture could still be a big part of the incident if it turns out there were warning signs ignored or bad repairs done.
So I would still disagree that anything is conclusive and certainly not 100% Boeing's fault yet.
"Boeing" is 100,000+ people, and many times more in contractors and subcontractors. As you say, there's redundancy and sanity checks. No one person is solely responsible for any system on a BCA aircraft.
Blaming "Boeing" here is about like blaming "Microsoft" for a bug in a Microsoft product, or "NASA" for Apollo 13. All the problems may have taken place in a building with that name on the door, but it's still very far from a single point of failure.
The whole point of a corporation is to protect the liability of the individuals in the company. I would argue Boeing and Microsoft are the correct entities to blame. After all, if the people who actually fucked up aren't individually liable, and the organization as a whole isnt responsible, then who is?
100% Boeing's fault? I would disagree with you after reading the article. That plane should have never been allowed to fly after having problems for many days and without figuring out proper fixes. Perhaps Lion Air should have flown in some Boeing engineers to look at the plane.
From the article, the plane has had 2 reports of sensor malfunction by the time it took off. If it was as simple as "sensor is bad -> plane falls", it would have fallen much earlier.
Quite the opposite: you don't read about most sensor failures except in tweets "grr flight delayed again". In other words, malfunctions happen and are dealt with, that's non-news by definition. Saying "there's this one case on the news, therefore it's the only one observed" misrepresents the data entirely.
Really? Aircraft crashes are staggeringly rare. For the most part they are caused by the pilots of those aircraft.
I haven't read too much into it but I suspect this system was part of an envelope protection system designed to stop the pilots from being able to fly outside of the aircraft's performance limits. Once a fix is applied I'm sure this system will save many more aircraft than it harms.
Nitpick: Aircraft crashes aren't actually that rare, but Commercial Scheduled aircraft crashes are very rare. If you buy plane tickets you're far more likely to die driving to the airport than in a plane crash. But if your friend takes you for a fun trip in their Cessna that's a different story.
General Aviation is dangerous the same way private automobiles are dangerous. The operators take silly risks, they lack advanced skills, corners are cut on maintenance, procedures are not followed correctly. They usually have just one engine (if it fails this may be survivable but it's not good) one pilot (who doesn't need to be as fit and healthy as a commercial pilot, nor as well trained) and they aren't required to file a flight plan, which means they may not really even have a plan A let alone plan B.
I think it was clear I was talking about commercial aviation but to lend some balance to your post let me address some of the points.
General aviation aircraft operate in completely different circumstances. Using shorter, sometime grass, runways without the benefits of instrument landing systems. Usually outside of the ATC system.
The general aviation fleet is generally ageing. 30+ year old aircraft are not at all uncommon.
They have one engine; however it is about 2 steps below a lawnmower in terms of mechanical complexity. So long as it receives a fair supply of fuel stoppages are very rare.
I don't think you can make any connection between a lack of flight plan and the safety of a flight, other than perhaps that the search and rescue team might have a better chance of finding you if the worst happens.
There are plenty of non-commercial pilots who aspire to a standard of piloting which are at or above the level of commercial pilots (consider display pilots).
All in all, the level of safety in general aviation is roughly similar to that of riding a motorcycle.
>I don't think you can make any connection between a lack of flight plan and the safety of a flight
Part of proper flight plans are taking the steps to mark out your emergency procedures and landing places for failures in several portions of the trip, including a few different failures during takeoff. Sure, it might just be "Turn into that field there and cross your fingers", but you've at least thought about it and planned before hand
Last time I ran over Brazilian statistics, being a random person inside a plane was about as dangerous as being a random person inside a bus (which is safer than a car).
There are two large features of that data. First there is the fact that scheduled flights carry more people than the other kinds, pushing the overall average into the "safe" region. Second, there is very wide difference between kinds of flight, where agricultural aviation can be more dangerous than riding a motorcycle in heavy transit.
If I recall the prior discussion in HN correctly, the flight path was abnormal well before the impact. This contradicts somewhat that it was a surprise nose dive. Also, the pilot asked for return to the departure airport without indicating an emergency. The last discussion speculated somewhat about unsafe center of gravity which I found more convincing. We'll see.
It seems to me that aircraft with a lot of automation should have a single big red button to turn it all off.
In most situations, of course, the automation is good, preventing pilot errors like stalling or exceeding safe control inputs, but these are fundamentals that every pilot learns in the first few hours of flight training. Unlike some fighters that are inherently unstable, a 737 can be flown safely without the computer overriding the pilot's control inputs so long as the pilot flies reasonably.
I've had a similar experience in a car. Antilock brakes are designed to override an erroneous control input: braking too hard for the available traction. In the event of a wheel speed sensor malfunction, they can override a reasonable control input: moderate braking well within the limits of the available traction. This is terrifying, and there's no way to override it in the moment. It can, however be overridden in most cars by pulling out the fuse for the ABS.
There are risks associated with an aircraft having different operation "modes" as well. For example, in https://en.wikipedia.org/wiki/Air_France_Flight_447 the aircraft detected that some of its sensors were no longer working, and switched into a more manual mode of operation, with appropriate warnings to the pilots. The pilots couldn't get their heads around this, and stalled the plane into the sea.
No doubt, though I think a compounding factor here is the automatic switching between modes. The pilots didn't seem to understand what the plane was doing and why.
A reasonable response in that situation might be to hit the big red button, removing any question about the behavior of the flight controls. It may not have been enough in this scenario, as the pilots didn't seem to be paying appropriate attention to the angle of attack indicator, which was apparently functioning and clearly indicating a stall, but it may have put them in the right frame of mind to correct the problem.
>It seems to me that aircraft with a lot of automation should have a single big red button to turn it all off
737s have a big lever that can be smacked to shut off all autopilot function and return to a completely human controlled system. Most of the time even just using the Yoke to fight the autopilot will turn it off as well, after a few seconds
Also, in most automotive instruction manuals I've read, they specifically call out that you can simply press very hard on the brake pedal to overcome the forces produced by the ABS pump and lock up the brakes if need be
Although pilots then have to deal with exactly the same failures as the automation, and their success rate in those situations is hit and miss at best. It is possible that suitably advanced automation would perform better than a pilot at dealing with complex failures, but that just doesn't exist yet. The design just reverts to pilot control when it hits unusual edge cases.
Also, perhaps we need additional sensor types that do not rely on direct air flow to work.
Up to about 5 or so years ago I can't think of an ABS equipped car I've driven without an ABS button. I'm less sure about more recent models as there's so many combinations of traction control, ABS and other assorted gimmicks. With recent winters free of ice I've not even bothered to look. Maybe it was a regulation thing here in the UK. Maybe it still is. :)
I have a sports car with both. Many racers add buttons by adding switches and relays to the ABS circuit, but many modern cars go into Safe-mode when you do such hackery. My Scion helpfully disabled power steering when ABS went out for some godforsaken reason. For the average driver, removing it would be a maneuver in futility and liability for the manufacturer.
If this was an anti-stall maneuver, wouldn't they have been given a cue from the auditory warnings and the stick shaker as to what was about to happen? I know that stick pushers (that literally take the yoke out of your hands) are common on these aircraft, but I'd be surprised if it was actually so strong that a human could not overcome it.
Stick shakers aren't a fix. The pilot in the Colgan air accident kept pulling back even though the plane activated the stick pusher; he kept pulling back until that disengaged.
Even the best designed plane will eventually meet a pilot that can fly it out of the air.
I find it weird that the article tries to blame everyone EXCEPT Boeing. This appears to be clearly Boeing's fault and the article smells like a shoddy PR damage control attempt.
> “The problem is, the less-desirable airlines are the ones with the least resources that are scraping the bottom of the barrel in terms of human resources,” said Martin Craigs, the chairman of Aerospace Forum Asia, an industry advocacy group in Hong Kong.
Fuck you, NYTimes Journalist, for including this quote in a story that seems to inescapably point at a combination of Boeing equipment failure and Lion Air's upper management.
Note: somewhere around the second paragraph I realised this is very indirectly relevant, if at all.
I think poor working conditions in the Asian textile industry is a relevant analogy.
A textile factory collapses due to inexcusable management decisions or incompetence. The management pulled the trigger, so to speak. However, it's the abusive dynamic of the free-market that incentivised management to cut costs to sustain the business. If they had not met the price offered by the big brands, the contract would go to someone else, i.e. there's an abundance of low-cost supply.
In the Asian textile market, the manufacturers, working at thin margins, are incentivised to cut costs to unreasonable levels, because they'd lose business. The local regulators are incentivised to not regulate, because the demand would move to another jurisdiction.
My point is that sometimes, there's two sides to the guilty coin. There's the isolated incident and the general atmosphere that breeds those incidents.
I can not relate this to the topic of Asian airlines, but you might find this interesting nonetheless.
> The local regulators are incentivised to not regulate, because the demand would move to another jurisdiction.
This situation is different.
It's not like most flights can move and start on different jurisdictions. Besides for the few that can, jurisdictions can compete on safety too, it's something the airline clients care about, not some externality.
I follow all of that, sure. But I still don’t think you can blame either on “bottom of the barrel staff” given that the proximate cause appears to be much much closer to the money than them.
I don't know how much an accelerometer would help. See, you can be upside down and still feel like gravity is pointing downward depending on the flight conditions.
With an accelerometer and gyro, one can "dead reckon" to know the groundspeed and angle of attack. Augment with GPS and those results can be near perfect. Sign the GPS data and have a clock onboard the aircraft and it can't be spoofed. Combine with weather predictions delivered from a satellite and I bet you could get enough information to fly a plane with no external sensors at all.
The whole "sensors were broken" thing should never be a reason for a plane to crash if this alternate mode of flying is possible.
Reading through the report via the NYT reminds me strongly of Junger's The Perfect Storm and its description of the last minutes of the Jolly 110. Specifically: Task-Saturation.
For reference to set-up the situation[0]:
"On 30 Oct. 1991, United States Air Force Sikorsky HH-60G Pave Hawk, assigned to the 106th Rescue Wing, nicknamed the Jolly 110, New York Air National Guard, headed out into a hurricane that would become known as “The Perfect Storm.” Aboard were Major C. David Ruvola, pilot; Captain Graham Buschor, co-pilot; Staff Sergeant James R. Mioli, flight engineer; and pararescue jumpers Technical Sergeant John Spillane and Technical Sergeant Arden Rick Smith. Their mission was to attempt a rescue 250 miles (400 km) out to sea.
Due to the severity of the storm—a weather buoy located 264 miles (425 km) south of Halifax, Nova Scotia, reported a wave height of 100.7 ft (30.7 m) on 30 Oct., the highest ever recorded in that part of the Atlantic Ocean—the Pave Hawk crew was unable to make the rescue and had to return to their base.
Having already refueled from the Lockheed HC-130 Hercules tanker three times during the mission, and with low fuel, a fourth refueling was needed for the helicopter to make it back to the mainland. Because of the extreme turbulence and lack of visibility, Jolly 110 could not make contact with the refueling drogue trailing behind the airplane.
Major Ruvola made more than 30 attempts, but finally both drogues had been damaged by the severe conditions. With just twenty minutes of fuel remaining, Jolly 110 would have to ditch in the middle of “The Perfect Storm.”"
Now, from The Perfect Storm:
"Ruvola finally breaks out of the clouds at 9:28, only two hundred feet above the ocean. He goes into a hover and immediately calls for the ditching checklist, which prepares the crew to abandon the aircraft. They have practiced this dozens of times in training, but things are happening so fast that the routines start to fall apart. (Aside: for a good look into the utter chaos of helicopter underwater egress, see this video from SmarterEveryday[1]) Jim Mioli has trouble seeing in the dim cabin lighting used with the night vision gear, so he can't locate the handle of the nine-man life raft. By the time he finds it, he doesn't have time to put on his Mustang survival suit. Ruvola calls three times for Mioli to read him the ditching checklist, but Mioli is too busy to answer him, so Ruvola has to go through it by memory. One of the most important things on the list is for the pilot to reach down and eject his door, but Ruvola is working too hard to remove his hands from the controls. In military terminology he has become 'task saturated' and the door stays on." (pg 184, The Perfect Storm, S. Junger)
Now, those Lion Air pilots had better weather, much better, but the time in which they had to react was much less. Though I know nothing about how those cockpits are set-up and what the protocols are, there is a strange similarity to the Jolly 110 ditching and 'Task Saturation'.
Authoritarian culture is well-known as a risk for aircraft safety. Japanese carriers had a poor safety record, due to the culture of authority, where a first officer was reluctant to point out a captain's errors. Following a decent amount of training in https://en.wikipedia.org/wiki/Crew_resource_management the safety record improved. Similar techniques are now being taught to surgical teams in hospitals, where there has traditionally been a reluctance for junior members to point out mistakes made by the senior surgeon.
But what is "authoritarian culture", in the context of authoritarian regime? I'm not an expert on Japanese culture, but does the emperor still have power to set the norms and the punishment? And could you provide a better link than the "Crew resource management" one, which makes no mention at all of a Japanese airline?
edit: here's a story about Japan Airlines, which apparently had a spate of accidents in 2005, but previously, hadn't had a fatal accident since 1985 (and apparently was the last airline in 2005 to have had a crash). https://www.nytimes.com/2005/10/05/business/worldbusiness/sa...
Probably because they aren't as corrupt. Do you have a specific example in mind?
Saudi Arabia for all that it is authoritarian isn't corrupt (within its own country) they are pretty effective at rounding those people up on a regular basis. North Korea is stuck in the 1960's and led by an insane idiot but they execute people for using their top offices for personal gain.
>> North Korea is stuck in the 1960's and led by an insane idiot but they execute people for using their top offices for personal gain.
That is an incredibly naive point of view on the issue. USSR used to regularly jail/execute people for corruption, so to the outside it might have looked like it was really hard on people using their positions for personal gain.
But the truth couldn't be any further from this - basically everyone was corrupt, because that's how the whole system worked - and the people who were prosecuted were the ones who have fallen out with someone even higher up. It was basically the case of everyone is guilty, but the ruling party would selectively pick people to blame for things going wrong. The surveillance apparatus was very effective and it was trivial to find something on someone, it was just a matter of how hard you looked - and I can guarantee that pretty much everyone had to either take or give a bribe at some point in their lives, because the simplest things in life (like getting coupons to buy food for example) depended on you giving a "gift" to the right person.
I'm not glorifying them or anything. But bribes are part of an authoritarian system, those people have an almost feudal right to the power, and hence to extract value from it. However at the higher echelons where the government was run from, failing to do the job you were given for bribes was a problem. I suspect that effective members of government took bribes in such a way to incentivize the behavior they needed.
> basically everyone was corrupt, because that's how the whole system worked - and the people who were prosecuted were the ones who have fallen out with someone even higher up
This is a textbook means of social control. You may also refer to our war on (some) drugs (when consumed by certain people).
Sorry, you've lost me here, in what seems like an extreme case of No True Scotsman. Just a few weeks ago, Saudi Arabia was the major news story for allegedly sending a hit squad to secretly murder its own citizen -- a man not charged with a crime but happened to be a vocal critic of the regime -- in its own embassy. Nevermind the convoluted attempt at a coverup, nevermind the regime that operates completely on nepotism.
I'm not saying they aren't nepotistic nor prone to poor attempts at covert ops. Just that they expect a modicum of results, even from their appointed family members. No one wants to die on an airplane because their cousin wanted a few extra bucks to look the other way on airplane safety. Whereas bribes for access in the first place are very common in authoritarian regimes, I wouldn't even call that corruption per se, because they have the feudal power to extract the value from the post as long as they perform.
No what exactly? That poorly-run airlines are based in poorly-run countries is not a surprise, nor does it address the claim that "authoritarian corruption is why this plane crashed", unless you think that every country not on that list is not authoritarian.