"Southwest Airlines Co., the largest 737 Max customer, said in a statement before Boeing’s announcement that it was confident that computer-based training would have been sufficient to supplement its existing training program."
Translation: Safety is not our highest priority. It's up there, but profitability is higher.
For any airline sim time is a finite resource. They have to choose what to focus on. They can't have every pilot experience every possible failure in the sim.
Sure pilots experience failures in the sim. The point is they can't experience every possible failure scenario or they'd never get out of the sim.
Southwest has had three fatalities in 48 years of operation, and in only one of those was pilot error a contributing factor, so saying their pilot training prioritizes profits over safety is unfounded snark.
Will this test whether pilots have the upper-body strength necessary to manually turn the cockpit trim wheels considering the size and aerodynamic forces for this large an aircraft?
Unless there has been some change other than to MCAS, the manual trim wheels are still the only option to correct runaway horizontal stabilizers.
My understanding is that you only get the large forces when you have a large amount of trim and are going fast. On 737's without MCAS, the only way runaway trim would get anywhere near that would be if the pilots ignored it for a long time.
What MCAS added was that it could keep reactivating. You got what looked like runaway trim, stopped it, and a few seconds later MCAS would kick in again. Each cycle of this could end up accumulating net trim until you got into the high force region and could no longer manually turn the trim wheels.
The manual trim wheels are not necessarily the only option in that case. If the runaway is due to faulty MCAS commands, the electric trim (operated by the yoke switches) is probably still functional, so I believe it is possible that the procedures for handling MCAS failure have been modified, now that Boeing is no longer pretending that MCAS makes no difference.
In addition, I believe MCAS itself has been modified. I have not seen a clear description of the changes, but they might include additional redundancy, rejection of improbable data, warnings that there are these problems, warnings whenever MCAS activates, restrictions on how much it can change the trim, and a cutout switch for MCAS that keeps the electric trim functioning.
In the worst case, manual retrimming with the wheels is still the last resort. I have seen it suggested, by sources generally considered reliable, that (prior to the Max) the need for the manual trim has been so rare that its use is not part of simulator training for any 737. I do not know if that will change, but if so, it would seem to raise the question of whether pilots of earlier variants also need additional training in its use (I would guess that it is most difficult on the largest and heaviest variants.)
The gear ratio would change. Also I can't imagine certification is only required for changes from a pilot's perspective, but from a functional perspective.
It's the time and pilot logistics more than the price. Pilots can't do this sort of stuff at their house, they need to fly somewhere and spend four hours or more in a simulator. Not only is it a pain for everybody involved, it means that you don't have that particular pilot for that entire day. And then furthermore you can only use that particular pilot to fly the MAX moving forward. The whole point of maintaining a type rating is that all of your pilots can fly all of those planes, regardless of the particular version of the model.
Rather the other way around - the MAX can only be flown by the subset of 737 pilots who have had the training. In practice that will mean for Southwest to maintain the efficiencies they achieve through standardization they'll need to ensure all of their pilots receive the additional training.
Ah...even assuming they could do 6 sessions in every 24 hours (and it took only one session per pilot), that's going to take a really long time to get the required pilot crews certified.
probably each session in the simulator is 50 minutes. and this would just be something else added to the normal recurring training.
commercial simulators are designed to work 18 hours a day, 7 days a week. you can use them more, but eventually you will fall behind with periodic maintenance and certification testing.
I'd reverse my decision too, if you know I made a product that I knew could kill people due to some poor design in key systems and then it killed hundreds of people.
What difference does it make when the actual hardware is still flawed? I still refuse to fly in 737 MAX and its variants. Boeing can convince AA and Southwest pilots to give them vote of confidence but consumers are not stupid.
If pilots and pilot unions are satisfied with the results, I'm satisfied with the results. There's no-one more safety conscious in the aviation industry than pilots, since they're responsible for the souls on board their aircraft, including their own.
Their jobs are on the line too which complicates things. I don't recall many pilots expressing distrust towards Boeing and FAA, the narrative always was "Don't worry, the issue is handled by professionals, these planes are safe". The planes turned out not to be safe.
> Their jobs are on the line too which complicates things
That's why pageandrew said "pilot unions" and not just "pilots". I doubt that SW, for example, is ready to try to break a strike by pilots in order to force the 737 Max back into service.
Which leaves us with pageandrew's comment: "If pilots and pilot unions are satisfied with the results, I'm satisfied with the results."
Not at all, unions are supposed to create a bargaining power for the employees in a viable company. Their best interest is in planes flying, generating profits so they can pay the pilots and pilots paying their membership fees.
Their business model depends on the business of their members being successful. This doesn't mean they cannot oppose company actions, it means though they want the planes in the skies and not on the ground.
Well, now that it's all blown up, the pilots should know not to trust the system, and challenge it. And I would delegate my skepticism to them and trust their judgement. Because if the plane crashes, it's not just their occupation on the line, it's their lives.
I'm not comfortable with the situation because Boeing proved they had the ability and motivation to corrupt the system of approval and training - there has been very little response from pilots, airlines and the government addressing their actions and while this time it ended poorly there is nothing calling out the corner cutting and affixing a price to it that'll discourage similar corner cutting in the future.
If I've got a wicked sharp paring knife and I cut my finger while peeling something with it then I'll be more careful, but chances are that as the pain fades I'll relax - maybe I'll always be careful with that particular knife but when I get a new paring knife the memory will be detached.
Boeing needs more than the vague memory of bad PR and low profits for a quarter or two to learn this was unacceptable - and the American legal system is unable to apply a lesson, while the general business culture refuses to learn the lesson.
Any information about the inspections and studies conducted by those pilots who make the claims? They probably "should" have learnt a thing or two from this but did they?
> Well, now that it's all blown up, the pilots should know not to trust the system, and challenge it.
That they should in no way proves that they do. Computer programmers build all sorts of foot-guns with the idea that they'll be clever enough to avoid them in the future. I expect pilots are a little more humble and self-aware than that, but they're still human.
The new software has been updated to use both sensors. It won't activate when sensors disagree by more than 5.5 degrees.
The new software now only does a single stabilizer movement. They have eliminated all known failure conditions which might cause multiple movements.
With only a single movement, the pilots will be able to counteract the force.
Two sensors is not quite as good as three sensors. It can't know which sensor is bad. But it can disable itself and prevent unintended activations.
The new software, when combined with adequate pilot simulator training to both disable MCAS when it encounters an issue, and to fly the plane in with MCAS disabled makes things safe enough.
So, this fixes the MCAS problem (Where the plane plunges nose-first into the ground, despite the best attempt by the pilots to pull the stick up)...
But how does this fix the problem that MCAS was supposed to be a band-aid over (That the plane is aerodynamically unstable during take-off, and pulling too much on the stick will cause the plane to easily stall)..?
The new MCAS sounds like it will only protect against this instability once - and, if overridden, will not do anything to protect against a stall?
> But how does this fix the problem that MCAS was supposed to be a band-aid over (That the plane is aerodynamically unstable during take-off, and pulling too much on the stick will cause the plane to easily stall)..?
MCAS is not even enabled during take-off, which makes it hard to see how it could be meant to address supposed stability problems during take-off. It can't come on until the flaps are retracted.
I mean, that's true of every plane. You pull back too much, it will stall.
It's not that the MAX stalls super easily, it's not an instability. It's just that the controls feel wrong when approaching stall. The FAA have pretty precise regulations about how much backpressure the pilots should feel when approaching stall.
In normal flight, the plane is never anywhere near stalling, so MCAS never activates. Nor do the pilots encounter this weird stall.
The combined chances of both MCAS being disabled AND the pilot not recognizing the stall is pretty low.
But this is why the simulator training is important, so the pilots are familiar with the new feel as the plane approaches stall.
The fix means MCAS doesn't activate unless two sensors roughly agree, and it only activates once, which means that the plane is still controllable with just the yoke after MCAS activation. MCAS will also deactivate if the yoke is pulled back (questionable IMO, since it is supposed to compensate for mishandling), and you can leave the electric trim on and undo what MCAS did without fear of it activating again.
IMO the risk of a mistaken activation that leads to an accident is extremely remote with these changes.
I thought the MCAS would typically be activated while the pilot would already be pulling back on the yoke. So I'm a little confused under what circumstances MCAS would ever activate. Does it activate while yoke is pulled back but the pilot can additionally yank harder to deactivate?
Yes, it typically would. There's something called an aft column cutout switch which deactivates nose down trim if you're pulling back on the yoke with a certain amount of force. They're proposing to use this switch to deactivate MCAS. I'm unsure how much force it takes to activate this switch, but it seems to me that this makes MCAS less useful for its intended purpose, and that's why I said this decision was questionable.
couldn't make it 3 sensor that would change the certification (obviously they can now) but I wonder what this means for Southwest Air.
The whole reason the MAX exists is because of Southwest. If Southwest didn't throw their weight around and loudly announce they were considering Airbus, the MAX would likely exist in a non-737 configuration right now.
And now retraining is required and we still have the MAX abomination. It’s not a bad plane, I’d happily fly on it again.. it’s just a dumb fuselage for modernizing a fleet
Let's suppose that the entire control logic for MCAS was now re-implemented with vacuum tubes. Would you now argue that the aircraft crashes indicate a hardware problem? Or would you agree that the real problem is in the system design, since any conforming implementation of it will produce the jeopardy?
If it was implemented with vacuum tubes, that would indicate a hardware problem as well as a system design problem.
So in this situation, the claim is that braindead contractors mechanically implemented something to spec by force of law? Sure, then whoever designed the logic is accountable.
In 99.9% other environments, the distinction is collapsed because the implementor typically has responsibility to design sub-component level logic correctly, to high-level requirements, but also to overall business need and in service to even higher level project goals, and the team that designed the logic is also implemented by the same team.
nope, all of the vacuum tubes would be working as designed. not a hardware problem, a system design problem.
thus the invention of a discipline called 'systems engineering'..
i would say in 100% of engineering development, the design is done as a system, and specific requirements are allocated to design elements (like MCAS software). Each of these elements is tested against the requirements.
aeronautical engineering is a very specific skill. so is aircraft controls. so is airworthiness. a software engineer is an expert in software, not these other disciplines.
At the level of specification you've laid out here, the act of 'software development' is reduced to almost nothing, and you have re-categorized the entire effort as systems engineering.
Having a specification for how a system should behave in response to various input signals is not at all the same as actually having the functioning software for achieving that system.
In fact, achieving a functional and fully correct piece of software based on such a specification is not at all a trivial task, as experienced software engineers will well appreciate.
Because while the specification may describe a certain sequence of inputs that should result in a certain sequence of outputs, it probably does not prescribe the exact data structures, memory layout, logic flow, and computational steps required to guarantee the correct output is always produced from a given set of inputs.
And the people being paid to create the necessary data structures, algorithms, calculations and control logic in order to implement the design specification... those developers are specifically not in a position to make systems design engineering changes to the underlying specification itself.
Software engineering as a field has accomplished so much in terms of quick iterations and low-friction paths to products that I think it has become lost that there are established ways to establish a safety case in a technical manner. Modern software engineers have achieved this speed, largely, by choosing not to apply the level of rigor in process that you describe. This is usually ok, because most software projects do not require that level of rigor (until the costs are too high not to, like AWS, which formally specified critical parts of their infra in TLA+ before software and IT people implemented it).
I think the parent post is an example of this problem taking on flesh. It has been so long since we realized the folly of over-specification in most projects that we have lost memory of there being cases where having a body of people engineering the system and specifications distinctly from the people who implement them actually does matter a great deal.
As a software engineer and not a systems engineer, I thank you for your comment. It has great clarity.
But pilots are subject to Dunning Kruger. Most probably think they could figure out how to handle MCAS and give the OK but in reality it might be over optimistic.
> What difference does it make when the actual hardware is still flawed?
Pilots often know a great deal about the general design qualities of the planes they fly. Defective parts happen, parts wear down, sensors break, etc. When a sensor or mechanism breaks, pilots recognize the symptom and override the feature that uses the broken part.
737 MAX tries to bolt the big engine on the little plane (old design), with minimal changes. This plane may not be necessarily defective on its own, the MCAS was created to compensate. But it will activate incorrectly with a defective sensor. MCAS was designed not to be overridable (or optionally so, if you shell out for it?). Why not put in an override? Because Southwest offered Boeing a financial incentive bonus if they provided 737 MAX with minimal/no new training requirement. If the plane has a new indicator light and a new switch to override a feature, you have to train pilots on how and when to do so. Instead, Boeing decided to "just" rely on MCAS.
> Boeing can convince AA and Southwest pilots to give them vote of confidence
Pilots have the most to lose, their trust should be valuable.
If the hardware is fixed (redundant sensors where necessary etc., but obviously not “smaller engines”) and the software is fixed, and training is fixed so pilots can handle the situations that can occur, and authorities believe the plane is safe - then I believe the plane is safe. It’s at least then safe enough that I wouldn’t pay hundreds of dollars to avoid it. Would I prefer an A320neo departing from the next gate at the same price? Sure.
I'm thinking the 787 with its rather shaky reputation might end up less safe than any 737-MAX8 that is approved for service again. Only time will tell, it's a game of (large) numbers.
Choosing not to fly is pretty simple (If you accept that some locations are simply off limits). Flying "another plane" is NOT simple, unless you completely avoid airlines that have MAX8's, or avoid flying where a MAX8 may be used.
The problem is amplified by a few statistical problems: 737-800 is probably the most common jet around. Most (all?) MAX8 operators have 737-800's. That means any time you book a flight where a 737 may be used, it can be either a 737-800 or a MAX8. You can't know.
You can always turn around when you see a MAX8 in your gate, but you can't know when booking that a MAX8 won't be used, even if it says 737-800 when you book. So unless you are ready to turn around in the gate when you see a MAX8, you simply can't book that airline. Depending on whose wedding or what job interview you were flying to, turning around at the gate might not be so appealing either.
I did exactly that in the period when we were waiting for the MAX to be grounded. I saw that Southwest owned MAX’s so I cancelled the ticket and rebooked on an airline that didn’t.
Also, since this catastrophe happened because of systemic bad engineering practices how many of the other upgraded systems or software in Boeing airplanes should we trust?
Also of note, the US Air Force has been refusing delivery of the air tankers Boeing is building because of manufacturing sloppiness. Bad engineering and poor quality manufacturing seems to be a hallmark of Boeing these days.
After the FAA let themselves get hoodwinked by Boeing, this means a lot less than it used to, and it will take time to restore a reputation for being a legit independent check.
Just wait until the European agency certify it. They got the right to certify it themselves (before that they were grandfathered in the "accept FAA certification as is for Boeing plane" deal), and they're taking it seriously. Also even the FAA seems to finally have realized how close they were to losing their world status, so they act all serious about it.
The reason is usually that it’s several hundred dollars more expensive to take the second cheapest flight. Or requires a stopover.
And if you aren’t aware of what plane is operating your flight then you risk having to cancel very late and re-book a likely much more expensive ticket.
> And if you aren’t aware of what plane is operating your flight then you risk having to cancel very late and re-book a likely much more expensive ticket.
I always try to select my seats at time of booking, which requires knowing the model+revision of the plane. Is that weird?
Not at all. But that’s based on a (good) guess about what plane will eventually be scheduled for the flight. Especially if it’s far in advance it’s more likely to change. Also, because it’s likely to change, carriers that use both 737-800 and 737-MAX8 (A lot of them if not most of them) likely use similar seat layouts for both, so last minute plane switches aren’t a problem even if everyone has a seat booked. So they could swap a 737-800 for a 737-MAX8 last second and you’d only know when you board it and spot the split winglets.
Boarding is not the first opportunity to know this - the flight plan has the tail number on it.
Apps such as Flighty (and I'm sure others, possibly even those without subscription) will provide access to those well ahead of time and notify you about changes.
It is unfortunate that "changing the plane type" is not grounds to change your ticket however.
If there is a late change of plane (final hours before flight is pretty common) due to technical problems or whatever, then that info may be accessible but it’s not very useful.
It is useful for changing plans if the plane changes days or weeks before departure, but as you say it’s not ground for cancelling or changing your ticket, so buying new tickets every time one sees a 7M8 pop up is going to be really expensive with airlines that have many of them. I guess the better idea then is to avoid those airlines entirely, but that might not be possible at all destinations.
>driving NYC to LA is vastly less safe than flying from NYC to LA commercially
How so? Is flying still safer than driving a well-maintained car and observing safety best practices? Or is it safer in regards to grand scheme of things and you might be one of those drivers that be drunk driving? Well, you can not drink and drive, it's not really random from a personal perspective.
Commercial air travel is about 110x safer in terms of fatalities per passenger mile than driving or riding in a car [1].
In 2014, incidents where at least one driver had a detectable amount of alcohol in their system accounted for 36% of traffic fatalities in the US. Even if you exclude those fatalities entirely, driving is still 70x more dangerous.
Now of course you can claim that you're just a better driver than the average person (like 93% of Americans do [3]), but no matter how good of a driver you are, I doubt if it would come anywhere close to making up for a 70x difference.
Sure, since the speed of the plane is about 8 times higher than an automobile cruise speed, obviously deaths per mile will be lower as each successful trip puts a lot of death-free miles in the books.
Also, these statistics are about commercial flights on perfect routes v.s. all the drivers on all kind of roads. I looked a bit and it seems like the accidents on the highways are significantly less likely and the deaths rate per crash is lower too.
A fairer comparison would be small chartered jets v.s. Uber, commercial coach services v.s. commercial flights on similar routes and so on.
I don't know even if it's a meaningful comparison anyway, on long journeys or on short ones they do not overlap.
When you are driving, it's not just your own driving and skill that's the risk. Almost anyone can decide to get into the driver seat of a car with any skill level, health status or level of intoxication. This person is now a risk to you. There are also factors like weather and obstacles.
When you are in an aircraft, the biggest risk is takeoff and landing. After that, assuming a well maintained aircraft, most of the risk is mitigated by the fact that your flight deck has thousands of hours of experience and most major components of the aircraft have some level of redundancy. The crew are not even allowed to eat the same meal to rule out food poisoning.
The difference here is that Subaru didn't strap a rocket engine to the back of my Forester, tell me I didn't need extra training to use it, and then have a sensor that automatically steered me into a wall when it engaged.
I am pretty sure that you can avoid risks during driving but cannot avoid risks when flying commercially.
"Flying is safer than driving" claim probably comes from some metric that is relevant to insurance companies when calculating premiums but irrelevant to private travellers because they can choose not to drive drunk or take risks.
You can't make decisions for other drivers though. There is no FAA-like organization making sure all the other drivers on the road are as safe and responsible as the people operating your airliner.
The claim that "flying is safer than driving" is based on fatalities/mile traveled.
I don't believe that's accurate. The 737 Max failed re-certification multiple times with additional fixes being needed (the most recent of which was in the last week[0], with the wire harness issue).