Boeing was already plenty culpable for these disasters, but this underscores just how much they pressured their customers to avoid training that could have mitigated the problems and prevented the crash, just to keep up the illusion that they wanted to present to the world: that it was effectively identical to the NG when it really wasn't.
As far as I can understand it, the training would - at best - have done nothing, since Lion Air only wanted a brief familiarization session in the simulator that wouldn't have covered anything so exotic as MCAS failure, and all the things it would've covered were almost exactly the same. That's a best case scenario. The MAX-specific simulator was apparently having such bad initial problems that Boeing staff griped internally that they wouldn't trust their family to pilots trained in it.
The key point is that Boeing was so keen on their narrative that there were no differences that even a 3 hour simulator training was considered unnecessary.
And if this simulator training would have been unhelpful, maybe we should let the FAA know that Boeing is once again trying to pull a fast one since one of the major changes they’ve made is to require simulator training.
On the other hand, Boeing was also under pressure from other customers (https://www.reuters.com/article/us-boeing-airplane-southwest...) who wanted to avoid simulator training for their pilots. Which doesn't excuse them of course, but I think it's important to see the whole picture...
If you're not able to keep promises you shouldn't make them in the first place. The buck stops with you, period.
No pilot training was often used as an argument. But I think the problem was actually much more severe.
If Boeing would have designed a completely new plane (which they should have) they would have lost a decade to Airbus' offerings in their most important market.
That, in my opinion, was the real reason for that shoddy hack of a plane.
And now they're still going to lose that as well as their reputation.
But if they'd been honest about the fix, required pilot training, maybe this problem would have been discovered in a less catastrophic way so it could have been fixed earlier. It wouldn't have been as cheap as they'd like, but they'd still have a foot in the door in that market and they'd have their reputation. Now they squandered everything.
So Boeing was slow to react to the market forces at play and lost out to a faster moving more adaptive competitor. When that happens in a market you typically lose money and try to stage a comeback by reinventing yourself or in some way try to work your way back. Boeing chose to rush and is now paying the price for being a slow and complacent behemoth of a company at a market where others are innovating and competing.
This has nothing to do with markets and everything to do with ethics. It is not ethical for a company to knowingly risk lives to rush out a new product. In the airline industry, it is unheard of for this to happen. Everything is triple redundant for a reason. Typically you would cut corners elsewhere that is not a risk for human lives. Boeing already tried that by outsourcing the construction of the 787 and it was riddled with failure. They should have learned their lesson there.
What they are paying so far is peanuts compared to what others paid with their lives. And compared to the company the executives who effectively said, 'so what if people die' will pay essentially nothing.
That's just it, they are not paying the price. The "free market" goes out the window when the government decides that the continued existence of your company is important to "national security", and abdicates their regulatory responsibility because you're special. Were Airbus allowed to effectively self-certify their planes in the US? I rather suspect not.
I don't know how you can look at this whole situation and think "yup, free market working as planned. Everything fine and normal!"
Besides, the reason we have regulations is because there are limits to the free market if we want to live in a sane society. Markets only find optimal solutions if everybody has perfect information, but in reality nobody has perfect information. You're free to choose between brands of honey, but it's expected that the government will ensure that no honey contains plutonium because 1) a consumer can't easily tell if it does and 2) it's assumed that everyone would avoid radioactive honey if they knew about it. Similarly, airlines are free to choose between aircraft, but it's assumed that none of them want an aircraft that will spontaneously and uncontrollably dive into the ground; it's the government's job to ensure that nobody sells such a plane.
I ran an ecommerce platform for a decade, from inception to billions of pounds of customer throughput per annum.
We always listened to our clients, and their wants and needs, but we also always put the robustness and the reliability of the platform over any feature request, no matter how adamant, vocal, or lucrative the client.
A big part of being a provider is to be the expert, to be the voice that says “what you are asking for is dangerous, and we will not do it”, and being prepared to sacrifice short term client pleasing for long term stability and overall client happiness. The customer is not the expert. They are not qualified to make decisions that endanger themselves and other customers. This is why they are paying you.
Yes, they’ll be thrilled when they get their shiny new blank, but hellfire will rain upon you when you have an outage due to a poorly planned improvement.
In my case, our worst case was revenue loss for our customers. In Boeing’s, their worst case is a terrifying death for hundreds of people.
The picture here is that Boeing have been deeply irresponsible, and have let their short term goals compromise their long term stability, the quality of their product, and have forgone their duty of care.
Precisely this. Responding with integrity is vital and shows that you care about the long-term wellbeing of the client and relationship rather than simply maximising short-term gain.
>Responding with integrity is vital and shows that you care about the long-term wellbeing of the client and relationship rather than simply maximising short-term gain.
Vital to whom? Certainly not to venture capital nor to shareholders, because I see a real dearth of corporations acting with integrity, especially tech bigcos.
Vital in the sense that this is one of the opportunities life gives you to either demonstrate greatness or be a bit of a weasel. If you aspire to be more than a weasel you can find a little bit of Cato inside yourself, take what seems in the short term to be the tough road and respond with integrity.
As far as VCs and investors are concerned, I have seen all sides of that coin. There definitely are VCs and investors who are always and only out for a quick buck and others who think long-term, act with integrity and respond positively to it in others. In my experience the more you can surround yourselves with the second type the better your life will be, although as a public company, Boeing doesn't have that much opportunity to pick its investors.
They could have taken the position that it's up to the airline to decide if they want simulator training. Recommended but not required. That puts the responsibility on the airline. Still not ideal, but better than actively discouraging the training.
They couldn't actually afford to have that happen because they then would have had to implement an accurate MAX specific simulator. Doing so would have revealed some of the other design flubs, such as the Flight Computer as a single point of failure. That's why they were so concerned about Lion Air setting a precedent for other customers with regard to simulators.
If there is one thing this entire saga has revealed, it's that Boeing was criminally culpable at nearly every step of the way.
Starting with the design goals of the 737 Max, continuing with penny pinching during the implementation, then bullying and lying during the certification process, then further bullying during the sales and training process, then massive amounts of blame shifting after the first crash, trying to pin it on the airlines and the pilots, then repeating the same thing after the second crash, then not providing documentation and data during the investigation, then further trying to get away with half baked fixes, then bullying the FAA to try and allow the Maxes to fly well before they were ready, etc.
At every stage of the process Boeing has led with lies and bullying. There is absolutely no reason to give them the slightest of the benefit of the doubt.
For every action, the best approach is probably to consider what would be the worst thing Boeing could have done as a response, because that’s likely what they did.
And that is the true damning point: they wanted to hide a problem they were aware of, and maintain an illusion that all was fine despite knowing it wasn't. Had they taken a more neutral stance, they could argue they didn't know. Now it's just reckless stupid endangerment.
> If Boeing wanted to be responsive to those customers they
> could have produced a plane that didn’t need additional training.
The 737 platform could not accommodate the more efficient, larger engines in their original location. In order to add these engines, they had to be placed in a different location and thus the plane handles differently. Thus, the requirement for additional training.
There was no way to create such an efficient aircraft on the 737 airframe without requiring pilot training, even if software could smooth over the differences 99% of the time.
These are not equivalent issues - we have market forces pressuring Boeing to keep the cost down versus Boeing pressuring an airline to not train its pilots as it thought was warranted.
It is a simple fact that training is part of the total cost of ownership of an airplane, and so it is to be expected that it will be an issue in negotiating the price an airline is willing to pay for them, or whether to go with a different airplane.
In a responsible or well-regulated industry, responding to these sorts of issues (which are ubiquitous), through a reduction of safety standards, is supposed to be off the table. What Boeing was doing here was apparently part of a larger campaign to subvert this principle by hiding any hint of a safety concern.
Not disagreeing with anything you said. But just want to add that Lion Air themselves do not have a good reputation in terms of safety and timeliness. And the truth of the matter is that some companies in Indonesia have a bad culture, where it would put the word 'lobbying' to shame. It does put things into perspective.
I think I remember an early phase in the news coverage in which Boeing seemed to actively try painting Lion and Ethiopian as irresponsible in order to divert blame. If this memory isn't completely off then the revelation of Boeing having resisted a push for more training by Lion is an epic karma bite.
What perspective is that? I'm unsure how this would affect my view of the issue. If anything Lion Air pushing for simulator training is a good thing, no?
In a way, Boeing’s plight underlines American work culture vs. European and other relaxed but stringent work cultures.
American businesses are constantly churning output with not much to show for (relative to effort vs results) as the employees are burned out, investors and C-suite demand more of the middle-management and they in turn pressure engineering and sales teams, etc.
The results have spoken about which one works and which doesn’t. Toxic work culture starts from the top.
I studied abroad in the US as a European and the first sentence the microeconomics professor blurts out: "Greed is good."
At that point I wasn't as gobsmacked anymore because several days before some 17 year old girl yelled in a 300 person biology lecture at the professor to stop telling lies about evolution (first week of college).
But "greed is good" struck me as an oddly American way of viewing the world. Europe isn't free of greedy people, by any means, but it's sort of not the first rule you learn in school.
I guess it depends. I have a German engineering degree and took a business administration course as a part of that. And in one of the first lectures our professor told us that "The formal goal of the company is to maximize profit." Which seems to be just a more formal way of expressing "Greed is good." But then again, this might be influenced by American business culture…
Agreed, and I obviously suffer from some bias since I could not experience college in both countries.
But the microeconomics angle seemed more personal - as in attempting to describe interaction between people with some extrapolation to larger entities.
IMO the business school of thought is the one which is currently hindering progression, holding on to values from the industrial revolution. It's as we all know a philosophy of top-down management of expendable resources. This way of thinking simply doesn't apply today. We need a breakthrough of the servant leadership way of thinking.
I think the results have shown not all industries benefit from being purely profit driven.
To extrapolate that further is a bit disingenuous. The US is still a leader in innovation over Europe, by a large margin. And I say that as a European.
Is it in terms of patents, in terms of the number of new companies, new companies that succeed (and according to which metrics?), new companies using/developing new technologies?
Do you consider modern implementations of old concepts as innovation or not (i.e. transitioning some activities into the digital world, that kind of thing)?
Do you normalize that "innovation" quantity with how much money is injected into the "innovation industry"?
Even if Lion Air had done simulator training, it seems unlikely to have helped, unless there was specifically material on MCAS or at least stabilizer runaway by the electric trim system.
One airline demanding and getting simulator time doesn't help if the decision has already been made to not inform pilots about MCAS. Boeing's flight rules model has always been around the pilot(s) having situational awareness and being in absolute control; the problem with MCAS is not what it does, or that it's needed to avoid stalling, the problem is that it was not known to pilots, that it operates without any clear indication that it's operating, and that it can only be disabled by disabling electric trim, and that manual trim is extremely difficult to impossible to use if the stabilizer is at full nose down (there was an old 737 procedure for this, but it was removed some number of redesigns ago, it was reportedly not in the 737 NG manual).
Note that the video is about manual trim in extreme conditions.
If pilots knew about MCAS and that in the case of a runaway trim due to MCAS they need to disable electrical trim and switch to manual trim early and keep it manual for the rest of the flight, they would not get into the conditions where it is hard to turn the manual trim wheels.
But even if they had known about MCAS, I think I read somewhere that they had 30 seconds to diagnose the problem before it put the trim in this configuration.
Can someone explain how Airplane Simulators for pilots work?
Do simulators have the same hardware as real planes, or do they have a software model of the airplane?
If you simulated a broken AoA sensor, would the simulated plane behave similar to the real plane? Would the MCAS system have the same bugs in the simulator as in the one in the real aircraft?
Can you try new scenarios in a simulator, or can you just try scenarios that the simulator was designed to run?
>Do simulators have the same hardware as real planes, or do they have a software model of the airplane?
The avionics are usually real, being fed dummy data from a software model with regards to the plane.
Here's a PDF about it.[0]
Training simulators are typically convertible, meaning that the flight characteristics are entirely fluid and made by the simulator using physics models and data provided by the airplane manufacturer. This makes it possible to train multiple platforms on a single simulator.
I don't know how corporate simulators work. In automotive fields they utilize all OE automotive hardware and the simulator is only in charge of feeding data to the automotive systems. I would hope that it's similar for corporate plane simulators -- a real plane ECM/brain and accompanying systems being fed dummy data.
I doubt the corporate simulators are at all convertible -- they're likely brain-in-a-jar simulators; planes without engines or hydraulics, being fed dummy data.
> Do simulators have the same hardware as real planes, or do they have a software model of the airplane?
If you're looking at the highest fidelity level D simulators, the instruments and controls in the cockpit are either the same parts as the aircraft, or functionally identical (but cheaper).
> If you simulated a broken AoA sensor, would the simulated plane behave similar to the real plane? Would the MCAS system have the same bugs in the simulator as in the one in the real aircraft?
One of the big costs in building a simulator is buying the data package from the aircraft manufacturer, with the aero model and details of system internals, things like electrical and hydraulic schematics. Sim makers build a software model of these internals at a pretty low level. For the most part, if you introduce a fault in some part of the system it will behave the right way as an emerging property, not because you're forcing the system to have the right outputs.
Some software components from the aircraft get installed on the simulator with the same hardware platform from the aircraft, others get run as executables on the simulator's computers, and others get re-implemented from scratch (lots of FORTRAN and C).
That kind of detail comes into play when the instructors introduce multiple failures at the same time - pilots have to take corrective actions to make the faults go away or manage them - if you don't model the systems at a pretty low level you'll never get high fidelity.
> Can you try new scenarios in a simulator, or can you just try scenarios that the simulator was designed to run?
There is a list of malfunctions available to the instructor, who runs the session from the back of the "cockpit" on touch panels. For the most part, these malfunctions cover failures that are anticipated by the aircraft manufacturers, and the corrective actions / system behavior are well understood. Each fault is tested to make sure it works properly. You don't go and fail some random component in the system.
When an important failure happens in the real aircraft, it might get added as a training scenario to simulators already in operation.
> You don't go and fail some random component in the system.
I always wondered if they did that, something akin to fuzzing tests in SW. Wouldn't it be useful to detect unexpected situations that'd be catastrophic? Or the benefits from it wouldn't outweigh the cost/time loss?
Even with a pretty good model, if you introduce new failures that were not anticipated/tested, there's a risk that the system will not behave as per the aircraft. Now you're giving "negative training" to your pilots, maybe worse than no training at all.
Also, imagine you're an airline with thousands of pilots and dozens of instructors: you're running an airline and a school at the same time. You need to build a curriculum of training and testing that will standardize your pilots. There's room for thinking outside the box but not too much.
Keep in mind that this is a simulator for training the crew. This is not a hardware testbed. These are separate beasts entirely. There are all kinds of setups from component tests up to system integration testing. My understanding is that the impact of component failures is tested on these hardware integration testbeds.
> I always wondered if they did that, something akin to fuzzing tests in SW.
Well Boeing certainly doesn't fuzz their software as evidenced by the major bugs in the 737 NG and 747-400's flight displays. Both had bugs that would black out all instruments under specific conditions. That got fixed fairly quickly on the 747, but apparently Boeing didn't learn their lesson with the NG.
The bug didn't black out all instruments, it blacked out the multi-function displays. Certainly less than ideal, but that's precisely why backup instruments exist.
> The bug didn't black out all instruments, it blacked out the multi-function displays. Certainly less than ideal, but that's precisely why backup instruments exist.
The bug blacked out all six display units. What other instruments are you thinking of?
It varies wildly on the simulator. Boeing or Airbus are completely able to rehost their software on a simulator mostly made from real OEM parts. From that, it's simply a matter of designing new scenarios from what you're feeding the various sensors.
On the other hand, if you're simply looking for some training hours on some specific basic scenario and/or aircraft, the simulators can be a lot rougher and still be certified. I "flew" on an airliner manufacturer designed simulator, and everything from the instrument panel to the hydraulics simulating the small impact when rolling between plates on a concrete runway felt pretty damn real.
For more basic stuff, even X-Plane exists in an FAA-approved version.
Some private companies offer short discovery sessions for enthusiasts, but the few I know of do cost around 150-250 euros for an hour. This particular one was within Airbus facilities, so definitely not something accessible to the general public.
This helpful stack exchange question https://aviation.stackexchange.com/questions/3040/what-are-t... and its associated answers do a good job outlining the progressively more demanding requirements for an airplane simulator built for use by certified pilots.
I have a little background in this myself and the requirements to certify as Level C are tough, but Level D requirements are quite stringent and rather hard to replicate. (I did a detailed proposal a decade ago on using cutting edge VR and Haptics to try and cut the operational cost of maintaining multiple simulators for a flight training school. Level D was quite pedantic with respect to the “realism” requirements, we kept running into the requirement to not just look real, sound real, heck even feel real (switch actuation forces), but be real for that exact type of plane. Our argument was that we could reach sufficient fidelity with the haptics and graphics. This was all crazy expensive stuff, but ours would be cheaper crazy expensive stuff ;-)
To put it into perspective, in a couple of cases we found it was cheaper to build a Level D simulator by cutting off the entire front of a real second hand plane (finding one with an airframe issue that made it no longer airworthy was the dream) of the desired type, and then wiring up all the switches and displays and electrical stuff to the simulator driving hardware and mounting the entire thing on a huge platform. The cost to buy the plane, cut the front off, tap and splice existing cable harnesses, stiffen the cockpit section and overbuild the motion platform was cheaper than reverse engineering the layout with sufficient documentation and wiring a “fake” cockpit with sufficient accuracy including sourcing all the correct parts with the associated paperwork to prove they were all correct.
It never went anywhere but it was very educational and has served as a useful perspective as I have observed the rise of the modern VR ecosystem with respect to input and haptics. :-)
They accurately simulate the forces on the controls, see this youtube of 737 pilots unable to manually trim in the simulator [0], but I don't think they could anticipate and simulate every single possible fault.
Pardon my French, but seeing that photo makes me fully appreciate two things: 1. Just how incredibly low 737 sits to the ground (obviously a feature from back in the days when luggage was manually loaded), and 2. How anyone would think pushing those enormous engines forward like that could be any less disruptive of its proven design than lengthening the undercarriage to give them the clearance they so desperately need.
Death of a thousand cuts. Indeed. Hope the monster never flies again.
> how incredibly low 737 sits to the ground (obviously a feature from back in the days when luggage was manually loaded)
People, not luggage. Specifically, the 737 was designed to cover short-haul routes between regional airports that didn't have gates, where people had to get on the plane by walking up portable steps.
Boeing never expected the 737 to be the low-cost plane of choice between major aviation hubs.
FWIW That's a 737 Classic. The engines were already too big (and still smaller than the A320 engines) as evidenced by the flattened nacelle. The engines grew with each successive generation (NG, MAX).
I've read (but not confirmed) one of the other things keeping the 737 so low to ground is the type of emergency exit used. Extending the gear so that the whole mess sits higher off the ground would require new exits and a ton of extra things to certify.
Yeah, there’s a lot of knock-ons with “just” extending the gear. It would definitely cost a lot more (though still far less than a complete new airframe), which is obviously why Boeing and customers wanted to dodge it.
On the other hand, building a plane so aerodynamically unsound that it cratered 346 customers the moment it went out the door is the very textbook definition of “false economy”. One that Boeing itself will be paying for for years to come; even as those who made all the actual decisions gently golden-parachute to the ground.
This whole thing looks like a disaster. As other commenters are pointing out, even if the pilots did the MAX simulators, would they have been trained to respond to the AOA failure? Unlikely.
It seems like Boeing completely missed serious cases on the testing of the plane, and is hoping that the "UAT" phase (simulator training) would have uncovered the issues.
But UAT never underwent the condition of an AOA sensor failing.
"There is absolutely no reason to require your pilots to require a MAX simulator to begin flying the MAX,” the Boeing employee replied. "Once the engines are started, there is only one difference between NG and MAX procedurally, and that is that there is no OFF position of the gear handle. Boeing does not understand what is to be gained by a three-hour simulator session, when the procedures are essentially the same.”
I still think it's interesting to reflect on the mindset that leads to this conclusion. As far as I have been able to determine (although I'm not in the aerospace field), the 737 MAX is procedurally identical to the NG, except when something breaks. The failure modes are slightly different, with potentially lethal results. As a computer scientist, I'm not accustomed to thinking about functional equivalence in the presence of hardware failure, and maybe this Boeing employee was not sufficiently drilled on the need to consider such aspects for aeroplanes. It is of course the fault of Boeing corporate culture and internal procedures that this can be overlooked.
>As a computer scientist, I'm not accustomed to thinking about functional equivalence in the presence of hardware failure...
How are you not?
I mean, I get it 90% of the time we screw up the programming somehow, but as a computer scientist, I never ignore the possibility of hardware failure. Memory goes bad. Devices fail. Networks die. Semiconductors transiently in strange ways if you don't take the right precautions...
It's the entire impetus behind GIGO. If you shove garbage into a perfectly working software system (corrupt data from a malfunctioning input source), you still get out garbage.
It's why life and safety critical automation is so fundamentally different from lower stakes programming tasks where "reboot the damn thing" is a viable option.
If your sensor goes bad, and you're in the air, you can't do squat to fix it. You have to detect the error, and fail the system gracefully by taking it out of the loop, informing the operator of the system failure, and most importantly, never allow that system to do anything that could jeopardize the ability of the operator to continue operating.
This is or at least I thought it was basic Control Systems 101...
I research compilers and type systems. If the RAM dies while the compiler is running, you rerun the compiler on a new machine. A lot of computer science abstracts away the notion of hardware failure, because otherwise it becomes enormously cumbersome to talk about anything. This is fine as long as you don't actually build real high-reliability systems with the same approach.
I hope it's obvious that the software you work on is not supposed to be run during the flight.
The critical software is supposed to do as little as possible, and everything is expected to be in already compiled (and thoroughly verified) state.
And even for the product of yours, as soon as it is not used only for the research but as a production compiler which produces a firmware for the plane, it would have to be proven much more than what is expected from it while it is just an artifact of a research.
In short, even if you are lucky to just do the research, you should be aware (and thankful) that the critical software has other expectations. Including how it responds to failed sensors: different response to the external inputs is a fundamentally different software, even if you never thought about it before.
I think his main point was that for most of us, hardware failure is considered an adequate excuse for why something works -- most of us are not expected to have software that _continues working_ when things break.
The "failures" of the sensors are simply the "less common" inputs. The proper control software should simply be written for all possible inputs, which include inputs from faulty sensors, and the result of the processing should not have some catastrophic consequences.
Compare to the web app that awaits the username, but when the username is not the "most common" (e.g. contains some new unicode symbols, or is of zero length) it allows catastrophic security failure and intrusion.
Yes - this seems to me to be the same erroneous thinking that led to the Ariane 5 maiden flight loss, caused by an integer overflow. There again the thinking was "this is effectively the same vehicle as its predecessor, therefore we do not need to test it thoroughly".
I suppose it depends on the field in which you work, but many safety-critical fields have an expectation that hardware failures are captured and mitigated and there are various tools to capture these design decisions and ensure they are tested. One example tool in this case would be a software fault analysis (FTA) or failure-mode-effects analysis (FMEA) that looks at a broken sensor input value as a failure mode.[1]
It's been my experience, however, that these sorts of design tools are more unfamiliar to software groups than hardware bubbas. It's not uncommon to simply see "software fails" as a failure mode which isn't very helpful. I'd be curious what the HN community's experience is with software as it relates to design tools like FTAs, FMEAs, hazard analyses, etc.
> "Boeing knew the approach might be questioned [Calling MCAS a simple addition to Speed Trim], so it sought input from its FAA-designated authorized representative (AR) "to ensure this strategy is acceptable” for certification.
> "After speaking with the [AR], concurrence was provided that we can continue to use the MCAS nomenclature internally...while still considering MCAS to be an addition to the Speed Trim function,” the memo said. "This will allow us to maintain the MCAS nomenclature while not driving additional work due to training impacts and maintenance manual expansions
I can imagine some Boeing employees being uncomfortable, but having it run past the FAA would have relieved that. Pretty shocking regulatory lapse. I know nothing about the AR system - is this a Boeing employee, or someone who works full-time for the FAA?
The FAA basically picks a Boeing employee and says "you represent and answer to us now."
The employee however, is still managed, and reports first to Boeing management. They're a glorified liaison/paperwork interface. This was different than before as I understand it, because the FAA used to become the direct report for their Designated Engineering Representatives under the old system. This meant there was no management layer running interference between the rep and the regulator.
I believe with AR even the picking is done by Boeing, unlike DER. One huge downside of this is that the informal interactions between FAA and Boeing engineers are almost non-existent, leading to even greater lack of technical knowledge on the FAA side.
It's not that shocking except in hindsight. The speed trim system is, from what I can tell, incredibly similar to MCAS at least on paper. They both adjust the stabilizer trim in order to ensure the legally-required amount of force is needed to move the stick in certain scenarios, both activate 5 seconds after the last manual trim input when flaps are up and autopilot is off, and both rely on non-redundant sensors. The only difference is the exact combination of sensors used and the exact obscure scenario they're designed to protect against.
I read here previously, I think it was here, that the primary difference was that after repeated counteraction by the crew the speed-trim system would give up, whereas MCAS doubles down and reduces the time between its attempts to force trim "correction", literally wearing pilots down physically until the system wins and the plane crashes.
Another post showed how AoA sensors (IIRC) have systematic errors causing MCAS to operate when corrections weren't required. As you say, lack of redundant sensors.
Around the time just before the MAX was grounded, I remember there being lots of unfounded speculations (here on HN as well!) that Lion Air's and Ethiopian's pilots were somehow substandard and lacking the training of their first world counterparts. Meanwhile it was Boeing actively keeping vital information and training from pilots.
The lesson from this is still not learned, and I can see at least one apologist on this thread repeating this same BS again...it's infuriating.
On the specific issue of simulator time though, if the simulator behaves basically the same as a Boeing 737 NG, what is the point of putting them through the MAX simulator? It does seem like a pointless exercise that wouldn't have provided the pilots any extra practice (or crucial knowledge of actual differences like MCAS).
Obviously, now that they're adding checklist practice for emergency scenarios relevant to the 737 MAX, it makes sense to require simulator practice, but I don't think that would have previously made a difference.
Well Boeing knew that the MAX did not behave like the NG so there's that. Even if the airlines and Boeing went along with that farce there's at least a couple of entries in ASRS where pilots complained that they didn't feel prepared to fly the MAX. One mentioned that the instrumentation was sufficiently different that their usual pattern of visually scanning the instruments did not work with the MAX and that monitoring the instruments in the MAX required significantly more effort. The implication was that additional training and familiarity with the specifics of the MAX would reduce the cognitive load.
I had my first flight on the Max [to] ZZZ1. We found out we were scheduled to fly the aircraft on the way to the airport in the limo. We had a little time [to] review the essentials in the car. Otherwise we would have walked onto the plane cold.
My post flight evaluation is that we lacked the knowledge to operate the aircraft in all weather and aircraft states safely. The instrumentation is completely different - My scan was degraded, slow and labored having had no experience w/ the new ND (Navigation Display) and ADI (Attitude Director Indicator) presentations/format or functions (manipulation between the screens and systems pages were not provided in training materials. If they were, I had no recollection of that material).
Yeah, I'm curious which airline this was. For obvious reasons ASRS anonymizes data but this seems like an end-to-end failure and it's pretty disappointing that the pilot(s) didn't feel comfortable rejecting the plane.
Of course not. It was all part of the same ruse. If the MAX simulator behaved differently, it would have been that much more difficult to say that no training was needed.
I'd really be interested in knowing at what level these two employees were at. How deep does the rot go? Even if the CEO is gone, these people are still around.
Isn't it also unfaithfulness to capitalism to protect an industry in such a way? I would have assumed that someone who believes in the mechanics of capitalism would have let it be.
Can anyone experienced in aviation ballpark how much retraining a pilot on a new plane costs? How does it compare to a pilot's annual compensation or other figures of importance (e.g. annual airline revenue or profit, operating expenses of a plane etc)? Helping airlines avoid retraining seems like the driving factor behind all these apparently shortsighted decisions that led to the MAX but, assuming everything had gone well, what were the actual potential savings? I'm just trying to understand the stakes.
Lion: "we'd like to practice using this plane so we don't crash it".
Boeing: "no".
Lion: crashes it. Hundreds die.
Boeing: "not our fault, their pilots were untrained".
In fairness to the guy, he came from the Military side of the house, the program was basically ready for flight by the time he took over the CEO slot. Basically all of the fatal design decisions were made before he became CEO.
The 737 MAX was a failure of process, not by specific choices made by a leader - he was fired however for his poor response to the crashes, he committed many tactical and PR errors, which made the restoration process longer than it should have been.
If still you want to lay blame at any single person's feet, lay the blame at the feet of James McNerney, the CEO who ran Boeing while the bulk of the development of the MAX was done, he's the one who kicked the MAX program off.
This is excessively kind to Muilenburg. Arguably the biggest screw-up was promising the airlines too much with regards to delivery date and training requirements. That created too much of an incentive to ship an unsafe product.
The truly fatal decision though was made in 2016 when Muilenburg was CEO. That decision was to make MCAS a single sensor system vs. a two sensor system. Originally, MCAS would activate based on a combination of a G sensor and the AoA sensor. Sometime in the middle of 2016, when they did flight testing, they found that the undesirable handling characteristics could manifest without high G, so they took the G sensor out of the mix. In order to account for the low-speed, low-g handling problem, they also had to make the MCAS corrections be much more powerful, which made it much more dangerous. The FAA apparently wasn't informed of this.
This key moment was approximately one year into Muilenburg's tenure, and so the buck has to stop with him. Muilenburg was also CEO after the Lion Air crash, and he's responsible for the decision not to ground the fleet at that time. He's also responsible for not wanting to ground the fleet after the second crash, and pressuring the FAA to quickly certify a fix.
What do you mean? The policy set here was literally set at the highest level, a specific choice - "no training, no certification" was the precise goal for the 737 MAX. How can you claim that is a failure of process?
I'll argue that making the MAX behave the same as a non MAX 737 is a reachable and reasonable engineering goal, the process failed because it didn't do it safely.
Airbus absolutely uses its fly-by-wire system to change the handling characteristics of its airplanes, to make them fly the same - I see no reason why Boeing couldn't do the same thing.
> Airbus absolutely uses its fly-by-wire system to change the handling characteristics of its airplanes, to make them fly the same - I see no reason why Boeing couldn't do the same thing.
AFAIK, being on the same type rating means the A320neo has the same behaviour as the A320ceo _even when in direct law_, where there's a 1:1 mapping between input and behaviour. (Let alone the very limited mechanical fallback!)
Of course the difference is, pilots have mandatory knowledge and training for all of an Airbus's "laws" including the direct mode that has no abstraction, i.e. joystick inputs directly translate to control surface deflections. Whereas with MCAS, pilots were not told about it, the operating manual has no mention of it, there was no training in sim based on it being upset due to a faulty angle of attack sensor, and most remarkably? No training with it disabled via stabilizer trim set to cutoff. Appalling.
As a pilot and former CFI, without any question whatsoever, a pilot must know how the airplane behaves near stall. Student pilots have demonstrated certified pilot level competency of their particular make/model aircraft stall behavior, before any CFI feels comfortable doing a student pilot sign off for solo flight. It's that goddamn basic.
And 737 MAX airplanes have two such stall behaviors, with MCAS and without (via stabilizer trim cutoff). I'd like to see every Boeing pilot involved in these decisions put on a hot seat and asked if they really think it's appropriate to sign off a pilot, as competent to fly, when they aren't completely aware of two different stall behaviors for this aircraft.
In my opinion it's unconscionable to have deprived pilots of this knowledge. I am aware of the make/model type certificate arguments. As yet no authority has said for sure whether MCAS knowledge requirements would have then required a new type certificate, or if in fact MCAS is improperly papering over an airworthiness deficiency.
What we do know is, it's damn suspicious that this make/model has been grounded this long, with multiple supposedly official statements that software fixes are done and tested and should be ready for FAA approval and deployment any day now, and yet that's been postponed at least 3 times that I'm aware of. If this is strictly a software fix, and a mere tweak back to the original basis of certification, why all the delays?
The purpose of the MCAS is to make the aircraft certifiable - full stop. The MAX is dynamically unstable, in the sense that at high angles of attack it will tend to continue increasing AOA into a stall - a terrible airframe sin which they tried to fix in software. This is the real story, not this type rating stuff.
The normal failure scenario for safety critical electronics on an aircraft is that you have an entirely redundant system that takes over. I don't see why that approach wouldn't have been sufficient here.
It is documented in the articles: failure modes have to be trained if they aren’t the same, and with MCAS as it should be (not as it was and failed catastrophically twice) they can’t be the same. New devices have to be recertified. Two sensors can’t be redundant, three would be again not the same plane. Newer computers won’t be the same plane etc.
Wait to see what the final opinion of European agencies are once the latest changes are evaluated and you’ll see that it’s not the same plane, even if Boeing all the time bent over backwards over the dead bodies of others.
It's because in the US it takes much more than knowingly allowing such issues to directly kill hundreds to go to prison.
We're not talking about "calculated" deaths like the ones VW's CEO hopefully goes to prison for. Rather directly attributable ones like the 737MAX or GM's faulty ignition switch scandals.
I wasn't suggesting that either VW's, GM's, or Boeing's CEOs actually go to prison for "killing" anyone but rather for "knowingly allowing such issues to directly kill". And as the GM example stands to show, it's not particularly hard to get away with this in the US if you are the CEO of a powerful company.
Given that Boeing and GM are/were some of the most powerful in the US stands to reason that most companies will fall under the "less powerful" characterization. But I think my point was clear already: the more powerful the company, the more clout they have when it comes to keeping their CEOs out of prison. Whether or not this is doable for smaller players is irrelevant when talking about a heavyweight like Boeing.
I can't help but notice that all these are examples of CEOs going to prison for making rich people less rich. Not a single one for making poor people dead.
Then I'm sure you also noticed none of this makes my point* less valid. Despite the wave of downvotes (which are probably aimed at me explicitly mentioning the US) I can't see any rebuttal of something I actually said:
*Given the precedents (like the GM scandal), CEOs of big/powerful companies (Boeing) in the US (where Boeing "lives") will pretty much get away with anything, including knowingly allowing hundreds to die (which Boeing/CEO did).
Later edit:
> simply trying to lockup CEOs I don't think is the right way to go.
Indeed, it's just a good first step. The very same companies and CEOs will always fight any legal changes that would further a culture of safety first because that usually hurts the bottom line.
I mean that is a pretty strong statement. It's not like it was really possible to criminally charge Tony Hayward with being at fault for a faulty blow out preventer design, even though a number of people died. In some ways we were probably less safe with him fired, given that one of his objectives was to develop a much stronger engineering centric culture at BP.
In Brazil Vale and a number of its executives (along with the European dam inspector) are expected to be indicted. It will likely be about falsifying documents related to dam safety.
Proving that the CEO is the one that should go to jail, while satisfying, is actually quite difficult. While I would probably agree with one piece of your sentiment, senior executives are often able to escape prosecution for things that are clearly illegal (looking at you HSBC), simply trying to lock up CEOs I don't think is the right way to go.
Did Boeing actively prevent Lion from buying training sessions? Or did Lion think "safety is not so important to us that we're paying the training out of our own pocket?"
Hammurabi's code (~1700 BC) includes this about building:
Building Code
229. If a builder builds a house for a man and does not make its construction sound, and the house which he has built collapses and causes the death of the owner of the house, the builder shall be put to death.
233. If a builder builds a house for a man and does not make its construction sound, and a wall cracks, that builder shall strengthen that wall at his own expense.
Bugs in houses have been criminalized for a very long time. I don't think it's unreasonable to treat aircraft that carry passengers in a similar fashion.
Hammurabi's code probably isn't a great example when looking for precedent on appropriate punishment. Another example from your link is 210: "if a man kills a pregnant woman, the punishment is that the man's daughter shall be killed".
I think you are deliberately emphasizing part of the op's post that wasn't meant to be the main point.
They weren't commenting on the severity of the punishment, but rather showing an example of a very old case where similar scrutiny was placed on poor workmanship making the builder culpable to negligence and the ensuing fallout of that negligence.
From HN guidelines:
Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith.
Sorry, I wasn't meaning to dismiss the point wholesale, just saying to be cautious of an "appeal to authority"/"appeal to precedent" sort of argument, especially in this case. I do think the severity was at least part of pjmorris's point, and they called it out in their response to me.
It’s not actually an appeal to authority. It’s stating the long historical precedent of building codes, and that there is a criminal component to knowingly violating a building code which leads to the death of an occupant.
You've got a great point here. I've heard, and need to look in to it more, that most countries have a 'restorative' justice system, while the US has a 'retributive' justice system.
Generally speaking, when you murder someone you are punished for it. I'm not entirely sure why this would confuse you. If we didn't punish them, there would be no deterrent for the next person to kill people when it's convenient to do so. It's part of what makes us civilized.
Did the CEO PERSONALLY kill them? No, but the claim for outlandish executive pay is executives get paid like they do because they have "all the responsibility". Every time the responsibility bird comes calling, they seem to claim they should have none. Cake and eating and such.
Companies don’t generally try to spend money they don’t need to.
I have yet to see evidence that the oft-complained-about high tier executive pay in the US is artificially inflated and isn’t just market conditions pricing the work.
If you pay a CEO $3,000,000/year, because otherwise he would leave and get paid that at another company (making that other company more successful than your company) then you aren't "artificially inflating" his pay. You are paying him what the market demands.
Replace with whatever term you prefer; I think the message is still true regardless of the term lay people use.
I don't think anybody would complain if the CEO at the time was charged with 300+ crimes of some sort, manslaughter, gross negligence, murder, whatever. On a jury I'd be pretty lenient to the prosecution in this matter if they could find evidence that the CEO was aware of the calculus taking place, i.e. let's cut some corners with our regulatory capture so we can ship this plane more quickly and make more money, it is at that point that premeditation for me seems apt.
This is wrong and why not only multiple degrees of murder charges exist, but multiple different charges exist for homicide, eg murder, manslaughter, negligent homicide.
Is it really so hard to believe that this could be an organizational issue where no single individual is culpable enough to deserve a custodial sentence?
It really feels like many commenters here are just after some weird revenge porn.
> 1 is a non starter, because Boeing is "too big to fail".
This I think is the root of the problem. If we can’t conceive of and apply meaningful consequences for the distributed failures of groups of people, then people will group themselves in ways that allow them to distribute their failures in unpunishable ways.
I'm just not sure what a court-ordered re-structuring would look like. Something between a bankruptcy proceeding and an anti-trust action? Lots of moving parts and laws and whatnot.
How many people does an organisation "with the right culture" have to kill before there need to be consequences?
I think a hundred is a rather large number.
If you create a business culture where your product ends up killing people, then yea I would like our government to have a good hard look at the people responsible for that culture.
> Generally speaking, when you murder someone you are punished for it. I'm not entirely sure why this would confuse you.
Right... but why always prison? Why's it always 'who's going to prison for this'?
And the way it's written 'someone should be in prison', 'why isn't anyone in prison' it looks like nobody cares much who goes to prison, just has to be someone.
And it's never a case of 'this person should be tried carefully'. It's always just 'PRISON'.
Overall, seems like you want to find someone - anyone - drag them out of bed - put them in prison immediately, and you think that'll make something better somehow.
I think that's a pretty uncharitable interpretation of the conversation going on here.
At this point it's pretty obvious that there was, at minimum, negligence. They knew what could happen, and took the least-cost route through the forest. And we've all seen countless cases where high-level people at companies have clearly committed some sort of crime, but get off incredibly easy. Prison is IMO a reasonable punishment, if we can adequately assign blame to individuals.
Another option is of course a large enough fine directed at the company, but that doesn't really hurt the people involved enough. The CEO will get his golden parachute, and will perhaps have a slightly-tarnished reputation, but will find another job and his lifestyle won't be harmed one bit. All that does is reinforce the message that you can cut corners, cause deaths, and suffer no consequences. Other executives see that and continue to do the same thing.
I suppose another alternative to prison might be fines directed at individuals, but I expect the response to that will be stronger legal-liability insurance packages for executives, and so the targets of those fines won't get hurt all that much. Depriving someone of their freedom for a period of time is the great equalizer.
That's not why we want someone to go to prison. It's to send a message to the next company that decides to cut corners. If there are no consequences, then bad behavior will continue to happen.
...but again, why prison specifically? Why do you need prison to achieve what you want? Why's that the first and only thing you reach for? And why are you calling for the punishment not the trial?
Because the court of public opinion has already ruled. It's not entirely fair, but I don't think it's entirely unjustified, either.
I'm not convinced fines work to actually punish rich executives. Likely they have liability insurance that will cover a lot of it, and golden parachutes will cover the rest. The deprivation of freedom caused by prison is pretty unique.
Do you have suggestions for alternative punishments that actually punish the target, and serve as a disincentive for other corporate malfeasance?
The layman is often more interested in the end result, and history has provided ample evidence that the legal system doesn't do the best job at making sure the general cultural message gets across.
The layman wants "don't cut corners and kill people, or punishment". The legal system tends to deliver "Accept a plea bargain, get reduced sentence," or "Cut corners, and apply sufficient lawyer to defray the consequences."
Justice is for many distinct from the machinations of the legal system. I like to use the story told in the song "The Night the Lights went out in Georgia" as an example.
A person finds out their wife was cheating with the whole town. Gets distraught. Goes home, finds just his gun left behind. Goes to a friend's house, sees weirdly sized footprints that don't match his friend's, eventually finds his friend dead. Flags down a cop with a shot. Cop assumes he killed the friend, Judge open shuts the case, guy gets hanged.
Turns out hanged guy's sister killed the friend and the cheating wife.
Without knowledge of the sister's deeds, the legal system believes justice was served by hanging him. He killed, therefore his life is forfeit. Where's the justice when the sister is taken into account and the hanging has been done? The legal system would have hanged the sister if it bothered to work right and done nothing to the man, but as the score stands, two will have been executed for the crime, one wrongfully. The judge facilitated the death of an innocent man. Should the Judge not suffer for his dereliction of duty? What about the sister? Even if we recognize she forfeit her life through her actions, an innocent man was killed. To balance that out, it stands one must be spared. Does the Sister get let off Scot-free?
Justice != legality. We try to keep them lined up as well as we can, and collectively we begrudgingly submit to it as the best compromise overall. That doesn't mean though that everyone feels that what the legal system musters is always appropriate for the perceived wrong doing.
Messy business all of it. The messier the business, the worse the legal system seems to be at generating a long-term satisfying result.
Because it's one of the primary normative consequences for illegal activity, and people assume that the executives are culpable for the deaths of hundreds and that that's illegal.
I’m not in favour of our penal system. I don’t think it does much more than provide “justice theatre.”
But as long as we’re showing that movie, right now it shows another man being arrested, and the police do not confiscate his cellphone.
He uses it in remand, and when it runs out of batteries, he asks for help charging it. He is then charged (npi) with illegally possessing a communications device in remand, and upon conviction for possessing a thing that was not confiscated from him, he was sentenced to twelve years in prison.
I’d rather not watch a movie where 9% of the citizenry of a country rots in jail with no expectation of changing their lives for the better when released, with them basically performing slave labour for corporations, and with little evidence it works to deter crime.
But if we are going to make this movie, it shouldn’t be a movie about only the poor citizens going to jail for misdeeds. The movie should show this broken concept of punishment being applied to all citizens, equally.
Are you familiar with the expression “security theatre?” It doesn’t keep people safe, but it provides enough of the appearance of safety to make people feel like we’re doing everything we can.
Justice theatre is the same thing. It doesn’t do anything about poverty or crime, but locking “scary people” up provides enough of the appearance of safety to make people feel like we’re doing everything we can.
The fact that it is theatre, and not real policy, helps explain why it’s so tilted against the poor. They’re the scary people.
—
Theatre is the metaphor. Movie theatre, stage theatre, whatever you like. If you’d prefer not to use a metaphor, fine, but once a metaphor goes around a few times and people have a shared understanding of what it means, it provides a convenient shorthand for communicating something.
“Security Theatre” has achieved a certain success as a metaphor. I’m trying to tap into how the justice system resembles the air traffic security system and the bank’s five questions systems and so on.
Thanks for explaining. I think it's a little arbitrary as a metaphor but an interesting idea (I don't necessarily think "movie" when I think "theater"). I think it would have been clearer if you'd stuck to a single use. First we're showing the movie, then we're watching the movie, then we're making the movie. As a cognitive linguistic matter I'd probably consider those three different metaphors.
“Twisted” is an awful word to use when discussing justice being applied equally. If justice is not applied equally, it isn’t justice.
As I said right off the bat, I do not think it should suck for anyone, so if the argument is, “let’s fix the justice system by not making it suck,” you know you have a ready and willing ear.
1. Nobody should go to our current implementation of "prison."
2. If #1 is unachievable, or while we're working on #1, poor people should not go to prison while rich people slide out of going to prison.
I don’t know why you have a lot of trouble with #2. It’s not like you can only argue for #1 or #2, and by arguing for #2, you give up the right to argue for #1.
Is the desire for justice really a "twisted sense"? Would you be ok with this "oh well" principle whenever someone wronged you in any way? Or do you have a list of "acceptable" exceptions that conveniently supports this approach and the current situation happens to be on it?
Yes it will and it has, despite your unwillingness to concede the argument. Without something that serves as punishment, correction, and deterrent what's stopping anyone from freely preying on the weak? On you. It does make your life better but it doesn't open your eyes for you.
It's definitely not fair to kill them off because you're cutting off the nose to spite the face and mostly hurting people that have no share of the guilt here, the whole ecosystem that relies on that company.
"The company" did nothing wrong, the leaders, for encouraging the type of culture that led to this, and specific other employees, etc. are the ones who did this.
It's like a bad tooth. You don't kill the patient for it.
This is why Boeing shouldn't be allowed to have anything to do with new Space contracts (ISS, etc) until this MAX issue is a solved, faint memory. eg for decades
The way Boeing seems more and more evil as the story is folded out, makes me think that all these articles may be heavily one sided and never hearing Boeing's own version and motivations.
You can always read the prime source material yourself: Boeing's own internal emails and chats they released about the 737 MAX.
And do note: those released items are Boeing putting its best foot forward. And it's a low bar. Imagine the emails and chat transcripts that were not released.
> And do note: those released items are Boeing putting its best foot forward. And it's a low bar. Imagine the emails and chat transcripts that were not released.
My guess was that the new CEO was trying to get out ahead of developments by airing the remaining dirty laundry. It makes him and Boeing look sincere and starts the clock on the public forgetting the bad news. The constant drip of bad publicity made the previous CEO look like an idiot.
I don't expect Boeing to actually clean up their act, but I bet they're going to be smarter about things going forward. I doubt there are going to be any more damning reveals about the 737 other than what can be mined from these latest disclosures. 777X is another matter, but I bet any revelations will occur more quickly and cleanly.
A good defense lawyer never puts their client on the stand. While this is not currently a criminal trial, the same principles surely apply.
If Boeing starts talking, then the focus moves from debating whether more training was needed and who was responsible for deciding it wasn't (corrupt FAA? customer pressure? honest mistake?) to whether the company is hiding something.
The first is a better scenario for Boeing than the second.
> and that an erroneous MCAS activation would be quickly diagnosed as a runaway stabilizer. The 2013 memo casts doubt on the former, and the two MAX accident sequences disproved the latter.
This does not mention that an Emergency Airworthiness Directive was sent to all 737MAX crews after the LA crash explaining exactly how to resolve the runaway trim issue, which is:
1. restore normal trim using the column trim switches
2. cut off the stabilizer trim with the console cutoff switch
The text is:
Boeing Emergency Airworthiness Directive
"Initially, higher control forces may be needed to overcome any stabilizer nose down trim already applied. Electric stabilizer trim can be used to neutralize control column pitch forces before moving the STAB TRIM CUTOUT switches to CUTOUT. Manual stabilizer trim can be used before and after the STAB TRIM CUTOUT switches are moved to CUTOUT."
Both the LA and EA crews repeatedly successfully countered the runaway trim with the electric trim switches. The LA crew never took the next step of cutting off the trim. The EA crew did cut off the trim, but did not trim to normal first.
Dealing with runaway trim is a "memory item" for the 737, meaning the pilots are supposed to know about the cutoff switches that are prominently placed on the center console in easy reach.