More on the MAX 8

Or, "Regulatory Capture: It's a Feature, Not a (Software) Bug"

Apologies if someone's already written about this; I just happened to see it upon launching a new browser tab, and thought it worth adding to the ongoing discussion here at C99. From The New Yorker:

How Did the F.A.A. Allow the Boeing Max 8 to Fly?

Immediately, the article cuts to the chase.

It found that the F.A.A. outsourced key elements of the certification process to Boeing itself, and that Boeing’s safety analysis of the new plane contained some serious flaws, including several relating to the MCAS.

I encourage you to read on for specifics on how this travesty deliberate strategy unfolded. I don't have much else to say except for it makes me sick to my stomach. As someone else commented in a different essay, capitalism humanity seems either to be at an endpoint, or a major crossroads of "evolve or die."

(I unfortunately can't stick around in real-time on this due to some major deadlines, but hope to check back in later).

24 users have voted.

Comments

What else? Crossroad indeed.

16 users have voted.

"Religion is what keeps the poor from murdering the rich."--Napoleon

is Nancy Leveson:

she's been trying to create an applied science of safety engineering for a couple of decades now. here's a powerpoint "summarizing" her ideas, and introducing the book in that previous link. the latter half of it corresponds to the video above, I think (definitely some shared slides). some of it is very complicated systems engineering stuff, some of it less so. i have no doubt she will at some point be offering her opinion on the MAX8 debacle. on the site where i found the video link, the guy who linked it said this:

If you don't want to watch an hour long video, she says most serious accidents and near misses happen not because something failed (and let's face it software 'bugs' are just another type of failure). But because bad interactions between properly functioning systems.
One of her comments is you need a system that watches for stuff like that. Lion Air Flight 610 crash happened because there wasn't a system that could make a determination that the pilots needed hard control over the aircraft. A safety system being repeatably overridden by the pilots for 11 minutes should have resulted in that system being shut down.

no clue whether anybody's putting her stuff into practice.

16 users have voted.

The earth is a multibillion-year-old sphere.
The Nazis killed millions of Jews.
On 9/11/01 a Boeing 757 (AA77) flew into the Pentagon.
AGCC is happening.
If you cannot accept these facts, I cannot fake an interest in any of your opinions.

Eagles92's picture

@UntimelyRippd Great addition to the discussion!

(Haven't watched it all yet, but plan to do so later).

6 users have voted.
studentofearth's picture

@UntimelyRippd could be easily transferred to medical therapy. Research and treatment keep focusing on the magic molecule or metabolic pathway to "cure" a condition. Little targeted effort is made to see how it effects changes in all or part of the body systems through unintended feedback loops. Most of those effects are discovered after a product has been on the market for at least 2 years. Then used as marketing material as to why use the next product out of the lab.

Sorry for the topic change. More of a reflection of my thought process than wanting to start a new discussion. Her discussion could also be overlaid on social, economic and political interrelating systems.

10 users have voted.

Still yourself, deep water can absorb many disturbances with minimal reaction.
--When the opening appears release yourself.

Bisbonian's picture

@UntimelyRippd Certainly looks like it applies to the MAX problem. I would love to hear what she will say about it.

6 users have voted.

"I’m a human being, first and foremost, and as such I’m for whoever and whatever benefits humanity as a whole.” —Malcolm X

passenger airlines seem to be limited to Boeing and Airbus. They both have tentacles in other manufacturers, too.

So, I don't plan to fly the new airlines, even with a software fix.

There are probably numerous consumers who have the same notion, so maybe Boeing for civilians will get killed - 'free' market and all.

5 users have voted.

dfarrah

Cassiodorus's picture

I'm not sure exactly how this would transpire, though I think we ought to try the notion of revolution elaborated in Fred Magdoff and Chris Williams' Creating an Ecological Society.

Anyway, as regards an immediate quick fix, I'm not sure that anything can be done without getting Donald Trump out of the White House.

4 users have voted.

"The degree to which liberals are coming to inhabit an alternate reality, impenetrable by facts or reason, is actually frightening." -- Steve Maher

Bisbonian's picture

@Cassiodorus , has been to cut funding to regulatory agencies, and then shifting their regulatory function to the corporations that were formerly regulated. The democrats have not visibly pushed back against this tactic. So the FAA gets less funding, and "needs" to delegate some of their functions to the corporation that they should be checking on. They don't have the manpower to cross-check Boeing's work, and of course nobody wants one of our leading defense contractors to have any financial problems, so artificial timelines and deadlines are respected, at the cost of thorough evaluation and testing. Yes, we'll have to get people LIKE Trump out of the office...no matter what letter they put behind their name.

9 users have voted.

"I’m a human being, first and foremost, and as such I’m for whoever and whatever benefits humanity as a whole.” —Malcolm X

Eagles92's picture

@Bisbonian

5 users have voted.

I'm shocked that despite the typically absurd dumbing down of their explanations this article gets straight to what I feel are the main issues in the MAX 8 affair.

Flawed, faulty, and/or inadequate designs making it into service is nothing new in aviation. Catastrophic flaws are many times fewer today but they can obviously occur. Witness the MAX 8 debacle.

My first in depth window into one came about five years into active duty as a USAF pilot. I had been a T-37 instructor pilot for a bit over a year. My wife, now ex, was a junior 1LT aircraft maintenance officer. She had a brand spanking new 2LT working for her. His father was an executive at McDonnell Douglas in the commercial aircraft division. I heard from the visiting father that he had been one of 5 or 6 design team leaders on the DC-10 at dinner one night. He went on to clearly state that he had never been, nor ever would be, on a DC-10 that intended to go flying. I was shocked and didn't think I'd really understood the man. He repeated his statement adding that he was intimately familiar with some of the engineering compromises that had gone into the DC-10. He called them dangerous and contrary to long standing, sane engineering design principles. The decisions were clearly in the interests of cost containment and had been directed from above over strenuous engineering objections.

Two weeks later a DC-10 departing Chicago O'Hare had a wing mounted engine break loose from its pylon and the aircraft stalled, crashed, and killed everyone aboard.

There was a lot of blame for this one to go around. MD and American were both culpable in many areas from design, maintenance, maintenance practices, and pilot operational philosophy. However, if a couple of the design flaws listed as causes had not been present there would have been no crash.

I am no more aware of the MAX 8 specifics than any of you except Bisbonian who flies the jet. From his first explanations I saw an almost certainty of the two issues, a single AOA sensor design of MCAS and a flawed certification process, being the primary causes. That seems to be playing out.

The single sensor system goes against long standing practices of using three sensors in a critical flight control, among other, systems designs. A single sensor is not fault tolerant and you never give a system so much control over flight controls without fault tolerance being built in. In my opinion a software fix is as flawed as the original design and is a continuation of a boneheaded effort to apply a fast and cheap bandaid to a mortal wound.

My objections to the certification process come from two directions. First, Boeing has no business self certifying anything that is flight critical. They want to let Boeing self certify toilet roll holders, OK, but not flight control systems meant to manage an unspecified flight characteristic deficiency in the highly modified basic 737 airframe. My second objection is the common type certification process itself. The MAX 8 is not a 737 in anything other than name. The FAA, apparently with congressional acceptance, has been squeezed by budget and political pressure to abandon the basics of the original idea of common types. Call it regulatory capture or politically motivated power's influence on a regulatory body but it's not in the public's best interest. This is Ronnie Raygun's government is the problem philosophy maturing as it has in so many ways in America.

8 users have voted.
Bisbonian's picture

@vtcc73 .

In my opinion a software fix is as flawed as the original design is a continuation of a boneheaded effort to solve a problem fast and cheap.

Agreed.

My second objection is the common type certification process itself. The MAX 8 is not a 737 in anything other than name.

Strongly agreed. The 737-100 and -200 have far more in common with your T-37 (a Cessna twin-engine jet trainer, with manual flight controls, no computerized navigation system, and basically a point-and-go airplane), than they do with the 737NG (next generation, i.e. -600, -700, -800, -900), and almost nothing in common with the MAX beyond the single aisle, twin engine jet transport.

My biggest hope right now is that Boeing and the FAA will be forced to classify it as a different "type", and I will not be qualified to, nor have to, fly it.

7 users have voted.

"I’m a human being, first and foremost, and as such I’m for whoever and whatever benefits humanity as a whole.” —Malcolm X

Bisbonian's picture

@Bisbonian . A further consequence of the large engine, stubby landing gear was made apparent by my recent preparation for my upcoming checkride. They didn't make the main landing gear longer, because it really wasn't possible with the airframe, BUT, Boeing did make the nose landing gear longer. This had a few impacts (literally, as well as figuratively). First, the ground crew plugs a headset into the lower side of the airplane, to talk to me during push-back and engine start. Now that plug is 9 inches higher (because the nose landing gear is 9" longer). So now, every pushback tug is equipped with a ladder, so that everyone can reach the plug.

Now that the nosegear hangs nine inches lower on approach to landing, the real danger of hitting the nose wheel first presents itself. This is dangerous because it tends to bounce the nose upward, causing the wings to rotate upward, causing the plane to bounce and climb, right at landing airspeed. This can lead to a stall, or to a second "landing", too slow, and with too much rate of descent, and very likely hitting tail first, causing at the least, significant damage to the hull of the aircraft.

In order to prevent this from happening, another kludgey software solution was introduced, called the "Landing Attitude Modifier". The LAM activates (raises) certain spoiler panels (those hinged doors on top of the wings) in order to raise the nose of the plane while in the landing phase. This: A) changes the "sight picture" that the pilots see on landing (slightly). B) reduces the chance of hitting nose-wheel first, and C) increases the chance of hitting the tail end of the airplane instead. It's a delicate dance...brought to you by enhanced software.

7 users have voted.

"I’m a human being, first and foremost, and as such I’m for whoever and whatever benefits humanity as a whole.” —Malcolm X

@Bisbonian used to be a disqualifier for a common type designation. We were the launch customer for the 747-400. It is essentially a 747-300 with different engines, a glass cockpit, and range extending additions. I was current on the -200 and was 757 qualified 16 months previously. I still went through a full initial training cycle because it was a different type rating! It was also the easiest training I ever experienced. Having to carry a technology phobic captain through the program was the only challenge. I truly enjoyed shutting up and sitting on my hands for a sim period when he complained that I was helping him too much. Good point but boy did he humble himself fast. He earned my respect for doing it though.

5 users have voted.
Bisbonian's picture

@vtcc73 , in the 737-200, -200 advanced, -300, -500, and -700. I once flew all four basic models in the same day. Our original "difference training" for the -700 consisted of a tri-fold, laminated, two-sided piece of paper, with the system differences listed on it. It was soon determined that we needed a little bit more training.

But at the time, I didn't think it was all that odd, as I was once current in KC-135As (J57-P-43WBs), -135Rs (CFM-56-2Bs), and both seats in the T-38, all at the same time. The real difference is that I knew each of those planes inside and out, serviced them as well as flew them, and often helped to turn a wrench. Our understanding of the MAX has been deliberately kept opaque.

6 users have voted.

"I’m a human being, first and foremost, and as such I’m for whoever and whatever benefits humanity as a whole.” —Malcolm X

@Bisbonian A best friend who was also a flight examiner with me at PIT had a nasty experience with multiple qualifications. I barely escaped a similar fate due to a screw up by crew planning. He was triple qualified as a captain in the 727 and A320 and as a first officer on the 747-400 for over five years. He was also flying the A-37 in the ANG at the time. He was taking five PCs a year, getting bounced for currency, and usually a couple of requalifications a year. He seldom flew the same jet more than two months at a time and several times a year flew in two categories in a month. Only a contract violation by the company let him drop one qual. They scheduled him to fly in three categories one December. Then tried to discipline him when he refused. That would have been a very expensive grievance and a big problem with the FAA. Only the threat of a huge expense convinced the company to do the right thing. It took more than two years longer to drop another qual. No wonder he retired at 55.

6 users have voted.

@Bisbonian sorry double post somehow

0 users have voted.
Eagles92's picture

@vtcc73 Truly appreciate the insiders' insights that you and Bisbonian have been sharing on this topic.

Even though I was young, I clearly remember the DC-10 crash viscerally, as well as the resulting healthy skepticism over the model's safety. After your comment, I wanted to refresh myself on the details.

Interesting, isn't it, that Wikipedia blames the crash on "faulty maintenance?"

We're well and truly screwed, across the board.

7 users have voted.

@Eagles92 that American used was the primary cause. That’s what got the press coverage. However, the engine separation was survivable had the design of the hydraulic system not caused the leading edge slats on the side of the lost engine to retract as hydraulic power was lost. That wouldn’t have caused the control loss but the crew followed their training. They had been taught to slow to V2 by raising the nose if their airspeed was above V2. That decrease of 10 knots caused the wing with retracted slats to stall and the airplane departed controlled flight.

Very seldom does one failure in the system cause a crash. That’s why single point failures are so dangerous in aviation. That’s what irritates me so much about MAX 8.

6 users have voted.
Bisbonian's picture

@vtcc73 , No less than V2, no more than V2+20, keep what ya got if you are between the two. I wonder if that was influenced by that DC-10 crash.

6 users have voted.

"I’m a human being, first and foremost, and as such I’m for whoever and whatever benefits humanity as a whole.” —Malcolm X

@Bisbonian NWA had its embarrassing moments. A couple years once as I've tried to forget. But they were definitely way, way ahead of the curve on operations. I found that the mighty DAL operation was about 20 years behind ours when we merged. Those knob jobs did some seriously stupid things as standard practice. I understand they've evolved since I retired.

That DC-10 accident was an instructional point in our new hire aircraft performance class section on the airspeed indicator bug system (an NWA developed procedure). The lesson was that if it's flying doing what you're doing then don't change anything that might have a negative performance implication. Our limit was V2 + 10 but no IP said anything until V2 + 20. Their point was that obstruction clearance was guaranteed to V2+10 for a failure at V1. Every knot and foot of altitude later than V1 was in your personal performance bank for you to use as your judgement dictated. It was better to use the cushion than take risks you might not know existed.

6 users have voted.
Dawn's Meta's picture

@vtcc73 But, but that doesn't seem to address the single AOA sensor. That seems to be a much needed set of back up sensors. Plus new designation and telling pilots everything.

I remember the DC 10 problems: I wouldn't fly on one for any reason for quite awhile.

Thanks for the discussions from experienced fliers for those of us who know nothing about how this stuff works.

4 users have voted.

A society grows great when old men plant trees in whose shade they know they shall never sit. Allegedly Greek, but more possibly fairly modern quote.


@Dawn's Meta the use of three sensors is not for backup but is for comparison. A sensor can fail or be unreliable in many different ways. Only when a single sensor fails completely is it possible to detect with confidence. Calibration, faulty wiring, an electrical issue in the sensor, physical damage or blockage of the sensor and other things can affect the data. Bad data is more likely than a hard fault and can only be detected by comparison to another sensor. Two sensors only identify that one has a problem, not which one. A third sensor offers a third vote. The software can be made to do several things at that point. Ignore the one that is different or ask the operator to choose. A failure or different data of a second sensor in a two sensor system does require the operator’s intervention because, again, the system has no basis to decide.

Wide bodies have triple inertial reference systems with integrated GPS that software or a pilot can use to refine the decision. I don’t think any 737 has IRS which has advantages over GPS alone. But all require triple installations for fault tolerance. So should MCAS.

I just read in my feed from Aviation Week that the KC-46 has a version of MCAS. I doubt it is a single sensor installation. Although considering how completely buggered that program has been it’s not safe to assume squat all.

4 users have voted.
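
The comparison logic described in the comment above, as an added example that is not part of the original thread or of any aircraft's software: a voter over one, two or three redundant channels, showing why one channel cannot be checked, two can only flag a mismatch, and three can vote a bad channel out. The tolerance, the channel order and the sample readings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional, Sequence, Tuple

TOLERANCE = 2.0  # assumed agreement threshold in degrees, for illustration only


@dataclass(frozen=True)
class Vote:
    value: Optional[float]     # reading a consumer may act on, or None
    suspects: Tuple[int, ...]  # channels voted out by comparison
    status: str                # ok | isolated | disagree | unchecked | no_data


def vote(readings: Sequence[Optional[float]], tol: float = TOLERANCE) -> Vote:
    """Cross-check redundant channels. None marks a hard, self-reported failure."""
    live = [(i, r) for i, r in enumerate(readings) if r is not None]
    if not live:
        return Vote(None, (), "no_data")
    if len(live) == 1:
        # Nothing to compare against: plausible-looking bad data goes undetected.
        return Vote(live[0][1], (), "unchecked")
    if len(live) == 2:
        (_, a), (_, b) = live
        if abs(a - b) <= tol:
            return Vote((a + b) / 2, (), "ok")
        # A mismatch is visible, but there is no basis to say which side is wrong.
        return Vote(None, (), "disagree")
    # Three or more channels: the median is the reference, outliers are voted out.
    mid = median(r for _, r in live)
    suspects = tuple(i for i, r in live if abs(r - mid) > tol)
    if len(live) - len(suspects) <= len(live) / 2:
        return Vote(None, (), "disagree")  # no majority agrees
    return Vote(mid, suspects, "isolated" if suspects else "ok")


# Constructed samples for three channels; these are not real flight data.
SAMPLES = [
    (4.8, 5.1, 5.0),     # all three agree
    (22.5, 5.1, 5.0),    # channel 0 reads high but still reports itself valid
    (None, 5.1, 5.0),    # channel 0 hard-failed, the remaining two agree
    (None, 5.1, 11.0),   # two channels left and they differ
    (None, None, 22.5),  # a single channel: bad data is accepted as-is
]


def statuses(samples=SAMPLES):
    """Return the voter's verdict for each sample, in order."""
    return [vote(s).status for s in samples]


if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, vote(sample))
```
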
Dawn's Meta's picture

@vtcc73

3 users have voted.

A society grows great when old men plant trees in whose shade they know they shall never sit. Allegedly Greek, but more possibly fairly modern quote.


1 user has voted.

@Dawn's Meta I also didn’t want to fly it but I did for four years. It was a very advanced jet for its time. It had a better flight control system than the 747 from a pilot’s standpoint. The trouble was that it was so advanced that the technology was new, unproven, and mixed with old equipment. That is always a difficult integration. Rube Goldberg definitely had a major part in its design. I flew it at a time when the big problems had been fixed. It was a joy to fly but not quite as nice as the 747, especially the -400. Abnormals and deferred maintenance items could be a major headache and multiple deferrals often had traps for the unwary or new guy. I always needed to be thorough and careful but on a couple of occasions came up a little short.

2 users have voted.