Old 18th June 2019, 14:35   #136
Distinguished - BHPian
 
Join Date: Aug 2014
Location: Delhi-NCR
Posts: 4,071
Thanked: 64,286 Times
Re: Lion Air Boeing 737 MAX crashes in Jakarta

^^^^^
There may have been a political reason for Germany to have said no. I would not rule that out. After USA, France has the best facilities and engineering sleuths to do this kind of accident investigation. It is the natural go-to place if you don't trust the Americans.
V.Narayan is offline   (3) Thanks
Old 18th June 2019, 22:48   #137
Senior - BHPian
 
Join Date: Jul 2009
Location: Calcutta
Posts: 4,668
Thanked: 6,217 Times
Re: Lion Air Boeing 737 MAX crashes in Jakarta

'Intelligent Electronics' are so much part of our lives that we are constantly being exposed to what runs them - the software, and by extension its associated bugs. And its correction by means of 'patches'.

It is very very difficult to have (nontrivial) software bugfree. Somehow the ubiquity of bugs has made it seem a part of nature, and vastly increased our tolerance for it. A tolerance we would not have for conventional engineering products.

Software is very expensive because it is (even with all the coding aids) essentially handwritten, and takes an inordinate amount of time. This time impacts all aspects of a project's timeline, and thus costs. So there is also always tremendous pressure to shorten software development times. No matter what the methodology used for software development/ engineering, software done in a hurry is likely to have significantly more bugs than software developed (including testing and validation) under less pressure cooker situations.

There are likely to be thousands of bugs in the full software suite of the Max. But the general view that bugs in the software brought down the Maxs, and it is being corrected with a patch is IMHO disingenuous, sophistry. What brought down the two planes is a deliberate (commercially driven) design decision of only using one AoA sensor at a time even when two were installed and connected to the flight computers.

Decisions of this magnitude come from engineers with domain knowledge - knowledge of aircraft, and knowledge of high reliability/ fault tolerant systems. And deep insights into man-machine interactions. Not really the domain of scrum masters etc.

The ramifications of using only one AoA sensor were
either not given any thought - criminal negligence
thought of, but not given the importance it deserved - incompetence
thought through, understood, but then downplayed/ swept under the carpet/ 'lost' in a filing cabinet - criminal conspiracy.

I would think that this is of vital importance, and an agency other than the FAA does a forensic sweep of all Boeing's internal correspondence regarding this.

One other information which I thought would come out by now, from Boeing is
In what areas (in detail) does the offered patch differ from the existing software?
What exactly do these changes address?
Why were these changes necessary/ why do these issues need to be addressed now?
Were these aspects considered before, and discarded, or were these not considered at all.

Regards
Sutripta
Sutripta is offline   (4) Thanks
Old 19th June 2019, 13:11   #138
Distinguished - BHPian
 
Join Date: Oct 2012
Location: Delhi
Posts: 8,071
Thanked: 50,466 Times
Re: Lion Air Boeing 737 MAX crashes in Jakarta

Quote:
Originally Posted by Sutripta View Post
But the general view that bugs in the software brought down the Maxs, and it is being corrected with a patch is IMHO disingenuous, sophistry. What brought down the two planes is a deliberate (commercially driven) design decision of only using one AoA sensor at a time even when two were installed and connected to the flight computers.
I agree, this was not a bug. It was deliberately designed this way. Boeing has always admitted to that. Their justification has always been that normal operating procedures would be adequate to keep the situation under control. I do not think we have seen any evidence that they have validated this to be true during design stage or certification period. (It might not have been a formal requirement, although with hindsight it would have been very prudent to do so.)

On the matter of American pilots being better/more experienced pilots than the rest of the world. Well, the USA certainly has more strict requirements on commercial pilots than most of the world. The Ethiopian co-pilot had 361 hours of flying experience (about the same as me!). In the USA you would not find such a pilot in the right hand seat of a commercial aircraft. The minimum hours flown for an ATPL (Airline Transportation Pilot License) is 1500 hours for most (a few exceptions with lower hours required for military pilots).

To date a lot of American pilots have come from a military aviation background, although that number (percentage) is coming down. (I have listed the percentages in some other thread). Your typical American pilot c.v. would have a long list of different flying experiences listed before making it into a commercial regional liner such as the 737. They will have amassed flight time on several GA type of aircraft, some will have military flying time, most have done a stint as Certified Flying Instructor (because that is how you make a living, whilst building flying hours), and most will have flown multiple types with small regional carriers, including business jets, before moving into the 737, Airbuses of this world.

I know of no other countries where your typical commercial pilot will have such a diverse and extensive training along their career before making it into the right seat of a commercial jet. It is something unique to the USA aviation eco-system that no other country can match.

As stated, this is changing in the USA as well. But even so, the USA does have more strict requirements on obtaining an ATPL than the rest of the world and to date, most American pilots would have a very different, more diverse C.V. than most other pilots.

Whether that contributes to a better safety record is something different altogether. We know that in General aviation experience (expressed in flying hours) is not really a factor. To be more precise, the chance of meeting with a fatal accident does not have a correlation with total hours flown. There are probably some good reasons why this is the case. In commercial aviation there is such a correlation (at least there are several studies indicating such to some extent).

In both environments the overall safety culture and mindset is what makes the difference. That goes way beyond the formal and legal requirements. I do not think there is an independent way of validating and/or comparing one pilot to another or one carrier to another. All we have is accident reports and they most definitely show up certain carriers. And of course we have the ratings of individual countries on the ICAO scale. Again, certain countries are shown at the bottom.

One of the things to look for in these accident reports is how stringently the existing procedures were followed. Again, being a safe pilot is way more than that. But a safe pilot / maintenance mechanic will follow procedures to the letter as a bare minimum. Comes natural.

Irrespective, Boeing has a lot to account for, so does the FAA.

Jeroen

Last edited by Jeroen : 19th June 2019 at 13:12.
Jeroen is offline   (2) Thanks
Old 19th June 2019, 16:44   #139
Senior - BHPian
 
Join Date: Jul 2009
Location: Calcutta
Posts: 4,668
Thanked: 6,217 Times
Re: Lion Air Boeing 737 MAX crashes in Jakarta

Quote:
Originally Posted by Jeroen View Post
I agree, this was not a bug. It was deliberately designed this way. Boeing has always admitted to that. Their justification has always been that normal operating procedures would be adequate to keep the situation under control. I do not think we have seen any evidence that they have validated this to be true during design stage or certification period. (It might not have been a formal requirement, although with hindsight it would have been very prudent to do so.)

...

Irrespective, Boeing has a lot to account for, so does the FAA.

Jeroen
Us plebs have hindsight. World leaders are supposed to have foresight.

Let's look at it from the opposite end. What would have been the cons of using both AoA sensors?

Boeing and the FAA embarked on this slippery slope having each other's back. This strategy will see both coming out of this essentially unscathed, with nothing more than a slap on the wrist. This is different from the certification process itself which is likely to see major changes.

Regards
Sutripta
Sutripta is offline   (1) Thanks
Old 19th June 2019, 18:48   #140
Distinguished - BHPian
 
Join Date: Oct 2012
Location: Delhi
Posts: 8,071
Thanked: 50,466 Times
Re: Lion Air Boeing 737 MAX crashes in Jakarta

Quote:
Originally Posted by Sutripta View Post
Let's look at it from the opposite end. What would have been the cons of using both AoA sensors?
No idea, I certainly could not tell if the outcome would have been any different. E.g. say they were using both sensors and both sensors would be wonky, everything else would likely remain the same?

To my earlier point; what happened here was probably all perfectly legal. Whether it was smart and/or safe is a very different matter. Just being within legal boundaries when it comes to aviation safety is not good enough. Aircraft manufacturers should have their own safety design philosophy that takes legal requirements as just the basic default from which they start.

Jeroen
Jeroen is offline   (1) Thanks
Old 19th June 2019, 19:21   #141
Senior - BHPian
 
Join Date: Jul 2009
Location: Calcutta
Posts: 4,668
Thanked: 6,217 Times
Re: Lion Air Boeing 737 MAX crashes in Jakarta

^^^
Goes wonky, as in does not give the correct reading, yet give the same wrong reading?
I'm sure the probability of that happening is not zero. But I think it will be close to zero.
And because of this nonzero probability it is better not to use both sensors?

Legal? Of course. Because together the FAA and Boeing rewrote the laws. Which is why both will come away unscathed.

Regards
Sutripta

Last edited by Sutripta : 19th June 2019 at 19:25.
Sutripta is offline   (2) Thanks
Old 20th June 2019, 12:43   #142
BHPian
 
Join Date: Aug 2013
Location: Pune
Posts: 868
Thanked: 1,519 Times
Re: Lion Air Boeing 737 MAX crashes in Jakarta

Quote:
Originally Posted by Jeroen View Post
No idea, I certainly could not tell if the outcome would have been any different. E.g. say they were using both sensors and both sensors would be wonky, everything else would likely remain the same?
Sorry, I disagree.

Using two sensors instead of one is one of the classic ways of mitigating risk in aviation. Of course as Sutripta mentioned it won't be zero but very close to it and that's the whole purpose of risk mitigation.

I am pretty sure Boeing has no reasonable justification of not using two sensors instead of one or else it would have been one of the first things in the news from Boeing side.

I am also pretty sure Boeing must be working intensely to resolve this issue and bring in preventive measures to avoid such mishaps but this incident and the aftermath of denial from their CEO has left a bad taste.
the_skyliner is offline   (2) Thanks
Old 20th June 2019, 15:26   #143
Distinguished - BHPian
 
Join Date: Oct 2012
Location: Delhi
Posts: 8,071
Thanked: 50,466 Times
Re: Lion Air Boeing 737 MAX crashes in Jakarta

Quote:
Originally Posted by the_skyliner View Post
Using two sensors instead of one is one of the classic ways of mitigating risk in aviation. Of course as Sutripta mentioned it won't be zero but very close to it and that's the whole purpose of risk mitigation.
Yes, I agree. What I really meant to say: you need to think this design through from more than just having two sensors rather than one. You still need to think through how that would be brought to the pilot’s attention, what they should do, and what they should do if the second one fails as well. Or you end up in the same situation. Just building in redundancy doesn’t solve the basic design flaw of this airplane. It only mitigates the risk of a single sensor failing to a certain extent.

Statistically speaking two is of course better than one. But there are plenty of examples in aviation (and other industries) where dual redundancy turned out to be not sufficient.

As it is, the chances of these two planes encountering the same problem are already minute. Thousands of take offs without problem. The conditions under which it can occur are limited. But in aviation, and any other industry, Murphy still rules. If shit can happen, it will happen!

Jeroen
Jeroen is offline   (2) Thanks
Old 20th June 2019, 23:04   #144
Senior - BHPian
 
Join Date: Jul 2009
Location: Calcutta
Posts: 4,668
Thanked: 6,217 Times
Re: Lion Air Boeing 737 MAX crashes in Jakarta

Quote:
Originally Posted by Jeroen View Post
You need to think this design through from more than just having two sensors rather than one.
I would think thinking a design through is independent of the number of sensors used. One will land up with different solutions because the resources at hand are different, but the thinking through has to be done.

But this is digressing. I'm still in the dark on the (non-commercial) cons of using both the sensors.

Regards
Sutripta
Sutripta is offline   (1) Thanks
Old 21st June 2019, 10:32   #145
Distinguished - BHPian
 
Join Date: Oct 2012
Location: Delhi
Posts: 8,071
Thanked: 50,466 Times
Re: Lion Air Boeing 737 MAX crashes in Jakarta

Quote:
Originally Posted by Sutripta View Post
I would think thinking a design through is independent of the number of sensors used. One will land up with different solutions because the resources at hand are different, but the thinking through has to be done.

But this is digressing. I'm still in the dark on the (non-commercial) cons of using both the sensors.
Maybe I did not think my answer through enough? It is the total solutions/design that determines how much safety margin adding a second sensor would bring. And that design includes everything including, (maintenance) procedures, check lists, operational procedures etc. (E.g. would you be allowed to dispatch an aircraft with one known broken sensor and if so what are the operational limitations/procedures)

Back to your (non-commercial) cons of using two sensors. Offhand, but also with hindsight I can’t really think of a single reason why not.

MCAS is considered part of the trim system. Which makes it a secondary flight control system. Secondary flight control systems do have different design rules (and legal requirements) than the primary flight control. So redundancy on secondary systems is likely to be less than on primary systems.

Due to the two crashes we now know how much autonomous impact MCAS could have on the trim in a non normal scenario. Did Boeing engineers not know, overlook? Boeing made a conscious call on having one sensor and having pilot interference as a remedy. That has been their design philosophy all along.

What I do not understand is, why they never tested this design as such in a non normal situation. At least I have not seen or read that they did. In fact I have seen / read evidence that at least during all formal flight testing as part of the certification this was not tested.

I do not know whether they did simulation or any desk top study, but again, I have not seen or heard of any.

So for me it comes down to two options:

Somewhere they genuinely just overlooked it. They thought they had a neat solution, did what it was supposed to do, but for some reason overlooked or underestimated the consequences of a single sensor failure. This was a secondary flight control system. They complied with legal and probably their own design criteria etc. (sort of a false sense of safety/accomplishment)

Or:

They did know and did test (at least desk top). For some reason they thought the results were satisfactory. Which would be extremely difficult to believe. It would have shown that it takes considerable skills to deal with and close to the ground it becomes even more difficult. So they must have taken a conscious decision to live with it and not mention it. Maybe lulled by a very small probability of this scenario happening?

Either of the two options is bad and leaves much room for improvement. But important (safety) aspects in designs are sometimes genuinely overlooked. That still means you have a major design process flaw of course.

I would add that any design process is usually subject to commercial and or at least budget/financial constraints, no matter what. You let engineers build a complex system with no financial and or commercial constraints the design will either be never completed, or can never be made commercially/financially viable.

Being able to balance business type of decisions/criteria with solid engineering insights is not easy. (E.g. Space shuttle blowing up at launch due to too low ambient temperature, the engineers knew, the business men pressed on)

Jeroen

Last edited by Jeroen : 21st June 2019 at 10:34.
Jeroen is offline   (3) Thanks
Old 21st June 2019, 13:00   #146
Senior - BHPian
 
Join Date: Jul 2009
Location: Calcutta
Posts: 4,668
Thanked: 6,217 Times
Re: Lion Air Boeing 737 MAX crashes in Jakarta

Quote:
Originally Posted by Jeroen View Post
Did Boeing engineers not know, overlook? Boeing made a conscious call on having one sensor and having pilot interference as a remedy. That has been their design philosophy all along.

What I do not understand is, why they never tested this design as such in a non normal situation.
Control back to pilot : let us take a car analogy. Which we have discussed before!
What would you think of a cruise control implementation where the cruise control does not disengage despite the driver hitting the brakes repeatedly? It can only be disengaged by pushing some buttons.

Regarding the no testing : US patent law (actually the philosophy of the law) comes to mind. There is a world of difference (in terms of punitive damages and retribution) between knowingly and unknowingly violating patents.

Maybe Boeing knew that if they formally tested it (ie documented it) they would not be able to pull off the 'does not need both sensors' stunt.

Mind you I'm not for one moment suggesting that they thought it would lead to crashes. They most probably thought that regulations were unnecessarily restrictive and stupid. And they were cleverly working their way round them.
Hubris. Remember VW?

I also do not for a moment think that Boeing is incompetent. Thus my suggestion of a forensic sweep of all Boeing's (and add FAA) internal correspondence.

Regards
Sutripta

Last edited by Sutripta : 21st June 2019 at 13:02.
Sutripta is offline   (1) Thanks
Old 21st June 2019, 16:45   #147
Distinguished - BHPian
 
Join Date: Oct 2012
Location: Delhi
Posts: 8,071
Thanked: 50,466 Times

Quote:
Originally Posted by Sutripta View Post
Control back to pilot : let us take a car analogy. Which we have discussed before!
What would you think of a cruise control implementation where the cruise control does not disengage despite the driver hitting the brakes repeatedly? It can only be disengaged by pushing some buttons.

On most if not all aircraft the autopilot and auto throttles are disengaged primarily through a push of a button on the yoke or stick. Comes natural to pilots. On most aircraft but not all I believe, putting a certain amount of force on the yoke / stick would also disengage the autopilot. Although considered a safety feature, ironically, tragically it has led to a crash.

Just about all the other systems usually require multiple pushes on buttons and or levers to disengage them when they are not doing what they are supposed to. (Eg Speed trim is always on auto and you need to disable the auto trim to disengage. Which means flicking some switches, and that is the only option! Nothing else short of disconnecting the respective electrical bus will disengage it)

To our earlier discussion and points, Boeing seems to have misinterpreted the effects of the one sensor failure and its subsequent effect of the level of flight control. Secondary systems do affect flight control characteristics but not necessarily as abrupt and impactful as we have seen on these crashes. It seems to have caught out Boeing.

Another part of the designing it through and through!

(Eg I have flown for many hours on our Cessna with flaps inoperable. Not a big thing as long as you are aware and take it into consideration during flight planning)

Jeroen
Jeroen is offline  
Old 21st June 2019, 17:01   #148
Senior - BHPian
 
Join Date: Jul 2009
Location: Calcutta
Posts: 4,668
Thanked: 6,217 Times
Re: Lion Air Boeing 737 MAX crashes in Jakarta

^^^
So what would you think of a cruise control implementation which would not disengage even though the driver is trying to override it by braking multiple times?

Regards
Sutripta
Sutripta is offline  
Old 21st June 2019, 18:18   #149
Distinguished - BHPian
 
Join Date: Oct 2012
Location: Delhi
Posts: 8,071
Thanked: 50,466 Times
Lion Air Boeing 737 MAX crashes in Jakarta

Quote:
Originally Posted by Sutripta View Post
^^^
So what would you think of a cruise control implementation which would not disengage even though the driver is trying to override it by braking multiple times?

I would hope there is a button too and hope I remember! But seriously, on a car it is simple and straight forward. On airplanes it is a bit more complex which systems can be handed back to pilot control and how to accomplish it.

Check the non normal procedures of any plane and you will see many examples where the pilot needs to go through a sequence of steps and throw switches before assuming manual control. It nearly always involves throwing one or more switches.

You get it wrong, wrong sequence and you might make the situation worse.

One of the things with planes is that it is not always immediately obvious what system is causing what problem. These two crashes are sad examples. So there are procedures and checklist to follow and sequence to override parts of the automation.

Irrespective as a rule you would like to keep things as simple as possible. But no planes exist today where you just push a button and all automated systems would go to manual and control would revert to the pilot.

Jeroen

Last edited by Jeroen : 21st June 2019 at 18:20.
Jeroen is offline  
Old 21st June 2019, 19:01   #150
Senior - BHPian
 
Join Date: Jul 2009
Location: Calcutta
Posts: 4,668
Thanked: 6,217 Times
Re: Lion Air Boeing 737 MAX crashes in Jakarta

Let's stick to cars for the moment.

Quote:
Originally Posted by Jeroen View Post
I would hope there is a button too and hope I remember!
Sure. In all cases there is also a button.
But (sorry if I sound like a broken record) what would you think of a car which did not disengage its cruise control when a driver overrode it by using the brakes?

Regards
Sutripta
Sutripta is offline  