[conspire] 737 MAX story keeps getting more fractally bad

Rick Moen rick at linuxmafia.com
Fri Jul 12 16:21:04 PDT 2019


Quoting Paul Zander (paulz at ieee.org):

> The saga at Boeing portrays a very different mindset from
> my experience with makers of medical devices.

I'm very glad that the latter people have an appropriate focus on
consequences for patients' lives.  I mean, in both cases you are
trusting to the competence of strangers, but there's something rather
more direct about knowing that, say, a pacemaker was carefully planned
out and engineered.

> To use a hypothetical example from the airline industry.  Some planes
> have a thing called angle of attack sensor.  If the sensor just gives
> an indication to the pilot, and the plane has lots of other instruments,
> perhaps pilot training can tell him when to ignore AoA and how to use
> other information to safely fly the plane.  And the documentation system
> will track the training requirement to the actual training.

To make the matter more vivid for readers, an AoA sensor is just
basically a weathervane sticking out of the fuselage, tilting in the
wind.  In the 737 MAX series, there's one on either side of the nose,
sticking out just a bit like a pair of pivoting whiskers.  Now, picture
such an airframe repeatedly landing and taking off.  All it would take
is a glancing blow from any object, such as a bird, to knacker one of
the AoA sensors and make it report completely wrong angle information.

In the MAX, as in all Boeing designs, the controls are duplicated, a set
on the left for the pilot, and one on the right for the co-pilot.  With
this traditional principle in mind, the path of least resistance in
designing the MAX was to leave the left-side AoA sensor reporting to the
pilot's controls and flight management computer & related electronics,
and the right-side AoA sensor to the co-pilot's, and that's what they did
-- apparently without anyone thinking hard about the hideous single
point of failure problem an absence of cross-checking or sanity checking
creates.  During flight, anyway, the convention is that one of the two
officers is in control, and the other monitors/assists, at any given
time, with explicit handoff of responsibility.  'I have the plane.'
'OK, you have the plane.'

Specifically within the Boeing passenger-jet tradition (as opposed to
Airbus with its very different 'fly by wire' design), there's also a
strong cultural assumption that the pilots are and should be in full
direct control, that the electronics will never and should never
override that control -- which made the covert role of MCAS particularly
pernicious, because it sandbagged the crews of the two doomed flights. 
Suddenly, the plane itself was introducing uncontrolled downward trim,
repeatedly, the pilots didn't even know what was doing it, and the
mechanism responsible wasn't even mentioned anywhere in the flight manual.


> Mediation would require multiple sensors, using different technologies. 

At minimum.

The Air Force equivalent of the 737 MAX also has a pair of AoA vanes and
software performing MCAS's function, but it checks _both_ AoA sensors 
before considering intervening.  The MAX doesn't; it just punts on that
problem.

There's something more fundamental that might be getting lost here,
though:  A dynamically unstable passenger jet is just not OK.  Dynamic
instability is OK to some degree in a fighter jet, because they are
deliberately made to have unbelievably fast, hair-trigger handling, and
the pilots know all about that.  A passenger jet having a natural
tendency to go nose-up and enter aerodynamic stall, just because its
fuselage and wings are low to the ground, and the engines are too large,
too far forward, and too high up, is unacceptably dangerous from the
get-go.  Attempting to kludge away that gross design defect by making
software counteract the craft's power-pitch coupling problem is, um,
nuts.  And thus, it needs to be said:  The software fix Boeing is
currently trying to sell will ignore the big underlying problem, that
a dynamically unstable passenger jet is just not something that should
ever be approved and taken to market.  _That_ is a red flag.

The old Boeing would have said 'Gee, we can't go forward with this.  We
have to fix the aerodynamics, because this just isn't safe.'  That's
what the chief test pilot initially in charge of the MAX program _tried_
to do, making changes to the airflow, but those changes weren't producing
enough effect, so somebody in management OK'd the 'Eh, let's just kludge
it using software' alternative.

I recommended the IEEE Spectrum piece, and I'll do it again.  It's an
eye-opener, a frankly worded takedown of the MAX project's hideous
missteps by someone who's both a (general aviation) pilot and a senior
software developer:
https://spectrum.ieee.org/aerospace/aviation/how-the-boeing-737-max-disaster-looks-to-a-software-developer

Some snippets:

  An airplane approaching an aerodynamic stall cannot, under any
  circumstances, have a tendency to go further into the stall. 
  This is called “dynamic instability,” and the only airplanes that 
  exhibit that characteristic -- fighter jets -- are also fitted with
  ejection seats.

and

  MCAS is certainly much less expensive than extensively modifying the
  airframe to accommodate the larger engines.  Such an airframe
  modification would have meant things like longer landing gear (which
  might not then fit in the fuselage when retracted), more wing dihedral
  (upward bend), and so forth.  All of those hardware changes would be
  horribly expensive.
 
  What's worse, those changes could be extensive enough to require not
  only that the FAA recertify the 737 but that Boeing build an entirely
  new aircraft. Now we’re talking _real_ money, both for the manufacturer 
  as well as the manufacturer's customers.

Bingo.  The MAX was, essentially, a soothing _lie_.  'Hey, FAA, this is
the same old 737, just newer and better.  Please don't require a new
type certification, more training, and consequently require pilots to
get recertified for a new type.  It's all the same, trust us!  In 
fact, may we please remove mention of this new MCAS thing from the
flight manual?  It's just background infrastructure, and it'd just
confuse the pilots to read about it.'


The last four paragraphs are so striking and dead-on that I'll just
quote them verbatim:

  The original FAA Eisenhower-era certification requirement was a
  testament to simplicity: Planes should not exhibit significant pitch
  changes with changes in engine power.  That requirement was written when
  there was a direct connection between the controls in the pilot's hands
  and the flying surfaces on the airplane.  Because of that, the
  requirement -- when written -- rightly imposed a discipline of
  simplicity on the design of the airframe itself.  Now software stands
  between man and machine, and no one seems to know exactly what is going
  on.  Things have become too complex to understand.

  I cannot get the parallels between the 737 Max and the space shuttle
  Challenger out of my head.  The Challenger accident, another textbook
  case study in normal failure, came about not because people didn't
  follow the rules but because they did.  In the Challenger case, the rules
  said that they had to have prelaunch conferences to ascertain flight
  readiness.  It didn't say that a significant input to those conferences
  couldn't be the political considerations of delaying a launch. The
  inputs were weighed, the process was followed, and a majority consensus
  was to launch.  And seven people died.

  In the 737 Max case, the rules were also followed.  The rules said you
  couldn't have a large pitch-up on power change and that an employee of
  the manufacturer, a DER [Designated Employee Representative], could 
  sign off on whatever you came up with to prevent a pitch change on 
  power change.  The rules didn't say that the DER couldn't take the
  business considerations into the decision-making process.  And 346
  people are dead.

  It is likely that MCAS, originally added in the spirit of increasing
  safety, has now killed more people than it could have ever saved.  It
  doesn't need to be "fixed" with more complexity, more software.  It needs
  to be removed altogether.


There's been a tendency to treat the MAX disaster as just a technical
problem.  My point is that that's _absolutely_ the wrong framing -- even
though it's the one the money people are pushing and that will probably
be crammed down our throats.  As the IEEE Spectrum author points out, 
MCAS was a kludge designed to magic away (cheaply) a fatal flaw in an
airframe design without addressing the fatal flaw.  And this is OK...
why?

The surrounding meta-question is:  What the Gehenna happened to Boeing?
The answer is covered in another article
(https://mattstoller.substack.com/p/the-coming-boeing-bailout).  What
happened to Boeing was the 1997 merger with military contractor
McDonnell Douglas.

Military procurement has long been deeply politicised and
corruption-driven.  After the merger, the finance people from McDonnell
Douglas ended up in control over the combined company, driving out the
veteran engineers and ending Boeing's engineering focus and engineering
culture.  Suddenly, everything was done the military-procurement way:

o  Squeezing production costs, rushing product to market, poor 
   quality and safety standards, project cost overruns (all the 
   shenanigans that have plagued the F-35 Joint Strike Fighter, to 
   pick one of innumerable examples).
o  Outsourcing production to countries and places where the 
   firm needed to buy off a customer or some politicians, rather than
   where the firm can monitor, control, and assure quality.
o  Mass-firing senior engineers on grounds that it's a 'mature company',
   leading to gross loss of institutional knowledge.
o  Punishing and firing inside critics.
o  Addressing engineering problems through PR and political pull 
   rather than fixing the problem.

Author Matt Stoller frankly states that the only long-term fix is to
re-split the company into commercial and military aviation firms.  I
think he's right -- and that there's no way this will happen.  So, get
used to more planes falling from the sky.  Too big to fail, so, hey,
let's do nothing.  There are record profits to maintain.


On another note, in the middle of this omnishambles, look what suddenly
popped into my life about a month ago -- another tale about the death of
Captain Arthur Moen and his crew:

https://en.wikipedia.org/wiki/Pan_Am_Flight_799

When I discovered it in May, it had recently popped into existence as a
translation of most of a longer Russian-language article on ru.wikipedia.org,
and it looked like this:
https://en.wikipedia.org/w/index.php?title=Pan_Am_Flight_799&oldid=895495705

It was frankly a quite bad article in many ways, but the most hurtful
bit was where it (falsely) claimed that the root cause was pilot error
-- which dead-victim-blaming spinal instinct is so much of an infamously
bad and convenient tradition that Boeing is still, to this day, trying
to cast blame on the crews of the two 737 MAX flights that recently
killed 346 people. 

Now, there are two interesting things to note about Wikipedia:  

(1) Wikipedia articles freely commit libel against dead people _all the time_.
Dead people cannot sue, you see -- no standing in court.  (Thus,
technically it isn't even libel.)  By contrast, Wikipedia has a
carefully enforced Biographies of _Living_ Persons policy
(https://en.wikipedia.org/wiki/Wikipedia:BLP), because living subjects
could take away Wikimedia Foundation's figurative lunch for such things.

(2) If you happen to be extremely well informed about gross inaccuracies
in a Wikipedia article because you're a family member of someone
discussed in it, and are motivated to fix it, like if you're the son of
the captain of a crashed commercial jet the article covers and libels,
you are effectively forbidden to touch the article, because you have a
conflict of interest ('COI', 
https://en.wikipedia.org/wiki/Wikipedia:Conflict_of_interest).  Persons
found to have indulged COI editing about, e.g., their famously dead
fathers, are likely to find their IP addresses locked out of
further contributing to the encyclopaedia.

Instead, COI persons are told that they should beg on the talk page for
someone else to implement a fix for the article, or make a similar
request at Wikipedia's COI noticeboard -- where, of course, strangers
care deeply about slights against pilots killed over 50 years ago who
cannot sue.</deadpan>

So, of course I didn't painstakingly fix and improve the article.
Because that would be wrong.

Whoever fixed it did a pretty reasonable job, though.

-- 
Cheers,                                     The Viking's Reminder:
Rick Moen                                   Pillage first, _then_ burn.
rick at linuxmafia.com
McQ!  (4x80)
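Editor's added example, not part of Rick's message and not Boeing's or the Air Force's logic: a small Python model of the single-point-of-failure pattern described above (automation trusting whichever AoA vane feeds the active side's channel) next to the cross-checked alternative that consults both vanes, inhibits automatic intervention on disagreement or an implausible reading, and surfaces the fault to the crew instead. The activation threshold, disagreement tolerance, plausibility range and the scenario readings are all made-up placeholder values chosen for illustration.

```python
"""Single-channel versus cross-checked sensor logic (added illustration).

Assumptions, not facts from the post: the activation threshold, the
disagreement tolerance and the plausibility range are placeholder numbers
picked for the example, not real flight-control parameters.
"""
from enum import Enum

AOA_ACTIVATION_DEG = 15.0            # placeholder: angle above which the trim logic would act
AOA_DISAGREE_TOL_DEG = 5.5           # placeholder: maximum tolerated left/right spread
AOA_PLAUSIBLE_RANGE = (-20.0, 40.0)  # placeholder: readings outside are treated as a failed vane


class Decision(Enum):
    NO_ACTION = "no action"
    INTERVENE = "intervene"
    INHIBIT_SENSOR_DISAGREE = "inhibit: AOA DISAGREE, alert crew"
    INHIBIT_SENSOR_INVALID = "inhibit: AOA sensor invalid, alert crew"


def single_channel_decision(active_aoa: float) -> Decision:
    """The pattern the post criticises: the automation acts on the one vane
    wired to the active side, with no cross-check against the other vane."""
    return Decision.INTERVENE if active_aoa > AOA_ACTIVATION_DEG else Decision.NO_ACTION


def _plausible(reading: float) -> bool:
    lo, hi = AOA_PLAUSIBLE_RANGE
    return lo <= reading <= hi


def cross_checked_decision(left_aoa: float, right_aoa: float) -> Decision:
    """Consult both vanes before acting. Any single bad reading inhibits
    automatic intervention and turns into a crew alert instead."""
    if not (_plausible(left_aoa) and _plausible(right_aoa)):
        return Decision.INHIBIT_SENSOR_INVALID
    if abs(left_aoa - right_aoa) > AOA_DISAGREE_TOL_DEG:
        return Decision.INHIBIT_SENSOR_DISAGREE
    # Both vanes agree and are plausible: act only if both exceed the threshold.
    if min(left_aoa, right_aoa) > AOA_ACTIVATION_DEG:
        return Decision.INTERVENE
    return Decision.NO_ACTION


# Constructed scenarios (not flight data): a healthy pair at cruise, a
# healthy pair at genuinely high AoA, a left vane knocked askew so it reports
# a stall that isn't there, and a left vane returning an impossible value.
SCENARIOS = {
    "healthy cruise": (3.0, 3.5),
    "healthy high AoA": (18.0, 17.0),
    "left vane damaged": (35.0, 4.0),
    "left vane garbage": (75.0, 4.0),
}


def compare(scenarios=SCENARIOS):
    """Return {scenario: (single-channel decision, cross-checked decision)},
    with the left vane taken as the active side's sensor."""
    return {
        name: (single_channel_decision(left), cross_checked_decision(left, right))
        for name, (left, right) in scenarios.items()
    }


if __name__ == "__main__":
    for name, (single, checked) in compare().items():
        print(f"{name:18s} single-channel={single.value:10s} cross-checked={checked.value}")
```

The point of the comparison is the two damaged-vane rows: the single-channel logic intervenes on a reading that only one of two sensors supports, while the cross-checked logic refuses to act and reports the disagreement, so a single glancing blow to one vane degrades to a crew alert rather than to uncommanded trim.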