
digitalmars.D - [OT] “Raise the nose,

Paolo Invernizzi <paolo.invernizzi gmail.com> writes:
I'm finding this article [1] amazing, looking at all the 
anecdotal stories that Walter has told us during all those 15 
years regarding engineering in the avionics industry.

Without specifically discussing the Boeing case, but looking at 
industry in general...
Really, will things go horribly wrong before starting to go 
better again?

Happy Easter to everybody!

[1] 
https://spectrum.ieee.org/aerospace/aviation/how-the-boeing-737-max-disaster-looks-to-a-software-developer
Apr 21
Walter Bright <newshound2 digitalmars.com> writes:
On 4/21/2019 10:18 AM, Paolo Invernizzi wrote:
 I'm finding this article [1] amazing, looking at all the anecdotal stories 
 that Walter has told us during all those 15 years regarding engineering in 
 the avionics industry.
 
 Without specifically discussing the Boeing case, but looking at industry in 
 general...
 Really, will things go horribly wrong before starting to go better again?
 
 Happy Easter to everybody!
 
 [1] 
 https://spectrum.ieee.org/aerospace/aviation/how-the-boeing-737-max-disaster-looks-to-a-software-developer
I have my beefs with the article.

For example,

"They want to have one airplane that all their pilots can fly because that makes both pilots and airplanes fungible, maximizing flexibility and minimizing costs."

Safety is a factor in having different airplanes fly the same. Many accidents have occurred because the pilot, in a moment of stress, applied a solution that would have been correct on the aircraft type he had more experience on.

He argues that airplanes are stable without augmentation. This isn't true for any jetliners, they have an active yaw damper:

  https://en.wikipedia.org/wiki/Dutch_roll

In particular:

  https://en.wikipedia.org/wiki/Dutch_roll#Accidents

He argues that it would be safer to develop a whole new airframe. Any new airframe, by definition, will be an unproven design, and everything in it would need to be re-proven, which has its limits.

"Neither such coders nor their managers are as in touch with the particular culture and mores of the aviation world as much as the people who are down on the factory floor, riveting wings on, designing control yokes, and fitting landing gears. Those people have decades of institutional memory about what has worked in the past and what has not worked. Software people do not."

This is sheer nonsense. People on the shop floor assembling airplanes do indeed have institutional knowledge about what works in manufacturing. They have no idea what works when flying or various failure modes. They have zero experience with stability issues. They do not do design work. Even more ignorant, the 757 I worked on back in 1980 had many computer systems that controlled the airplane, such as the autopilot. Last I checked that was 4 decades ago, and software programmers and managers implemented it.

Boeing did indeed make mistakes with the MCAS software design. I won't defend that, I don't understand the causes of those mistakes. But it wasn't about cost saving, another scurrilous charge by the author. The fact that the fix is a software update is evidence enough that it was a mistake, not some blind greed.

Absent from his article is anything about Airbus. Airbus has had crashes due to avionics software problems, too.

The author is a pilot, but has never flown airliners and has no experience with them.

There's more, but I should stop here. I'm just tired of these hit pieces from people who only partially know what they're talking about. I'll fly in a 737Max any day.
Apr 21
Walter Bright <newshound2 digitalmars.com> writes:
Since I griped about the qualifications of the author, I suppose I should say 
what mine are:

1. My degree is in Mechanical Engineering, with a minor in Aero and
Astronautics.

2. I'm not a pilot. I've "flown" flight simulators. That doesn't mean squat.

3. I spent 3 years working on the 757 stabilizer trim system design. I also did 
verification work on the stability of the elevator system. I had many long and 
enjoyable conversations with the "old salts" there who were passing on their 
institutional knowledge to me. It was probably the best part of my experience
there.

4. I've been writing software professionally for 40 years. None of it was 
flight control software.

5. My father was a career military pilot. I grew up hearing all about flying 
all the time. I'm interested in it, and have read extensively on aviation, mostly 
about design. None of this is quantifiable.

Many facets of this have crept into D's design :-) You'd think there'd be 
nothing in common, but that is incorrect. The software industry and best 
practices could learn a lot from aviation experience.
Apr 21
Paolo Invernizzi <paolo.invernizzi gmail.com> writes:
On Sunday, 21 April 2019 at 19:52:58 UTC, Walter Bright wrote:
 On 4/21/2019 10:18 AM, Paolo Invernizzi wrote:
 I'm finding this article [1] amazing, looking at all the 
 anecdotal stories that Walter has told us during all those 15 
 years regarding engineering in the avionics industry.
 
 Without specifically discussing the Boeing case, but looking at 
 industry in general...
 Really, will things go horribly wrong before starting to go 
 better again?
 
 Happy Easter to everybody!
 
 [1] 
 https://spectrum.ieee.org/aerospace/aviation/how-the-boeing-737-max-disaster-looks-to-a-software-developer
 I have my beefs with the article.
 
 For example,
 
 "They want to have one airplane that all their pilots can fly because that makes both pilots and airplanes fungible, maximizing flexibility and minimizing costs."
 
 Safety is a factor in having different airplanes fly the same. Many accidents have occurred because the pilot, in a moment of stress, applied a solution that would have been correct on the aircraft type he had more experience on.
 
 He argues that airplanes are stable without augmentation. This isn't true for any jetliners, they have an active yaw damper:
 
   https://en.wikipedia.org/wiki/Dutch_roll
 
 In particular:
 
   https://en.wikipedia.org/wiki/Dutch_roll#Accidents
 
 He argues that it would be safer to develop a whole new airframe. Any new airframe, by definition, will be an unproven design, and everything in it would need to be re-proven, which has its limits.
 
 "Neither such coders nor their managers are as in touch with the particular culture and mores of the aviation world as much as the people who are down on the factory floor, riveting wings on, designing control yokes, and fitting landing gears. Those people have decades of institutional memory about what has worked in the past and what has not worked. Software people do not."
 
 This is sheer nonsense. People on the shop floor assembling airplanes do indeed have institutional knowledge about what works in manufacturing. They have no idea what works when flying or various failure modes. They have zero experience with stability issues. They do not do design work. Even more ignorant, the 757 I worked on back in 1980 had many computer systems that controlled the airplane, such as the autopilot. Last I checked that was 4 decades ago, and software programmers and managers implemented it.
 
 Boeing did indeed make mistakes with the MCAS software design. I won't defend that, I don't understand the causes of those mistakes. But it wasn't about cost saving, another scurrilous charge by the author. The fact that the fix is a software update is evidence enough that it was a mistake, not some blind greed.
 
 Absent from his article is anything about Airbus. Airbus has had crashes due to avionics software problems, too.
 
 The author is a pilot, but has never flown airliners and has no experience with them.
 
 There's more, but I should stop here. I'm just tired of these hit pieces from people who only partially know what they're talking about. I'll fly in a 737Max any day.
It wasn't my intention to touch a nerve, nor was it my intention to turn it into a derby between Boeing and Airbus (frankly speaking, who cares?).

To be honest, I'll fly any day only on something with NASA code running on it :-P

We will see the reports of the investigation process, but it seems really probable that it was the MCAS that crashed the planes, and it seems plausible that:
- there's no check from redundancy input coming from the left sensor
- there's no check from other inputs too
- there's not a second "unit" running to check for output differences.

Walter, you are an engineer, but I'm a manager, so I believe that cost saving _could_ be a cause, and a major one.

For example, the quote you have made about "one airplane that all their pilots can fly" is related to airlines, not the airplane builder, and that's a basic rule in organisation to be more efficient.

I'm not interested in the specific case. What I'm wondering is if software is still not so under the lens of regulation as hardware of mechanical engineering in general, so there's a "trend" in shifting "weight" from traditional engineering to software engineering, and that's starting to be a problem.

- Paolo
Apr 21
Walter Bright <newshound2 digitalmars.com> writes:
On 4/21/2019 1:45 PM, Paolo Invernizzi wrote:
 We will see the reports of the investigation process, but it seems really 
 probable that it was the MCAS that crashed the planes, and it seems plausible 
 that:
 - there's no check from redundancy input coming from the left sensor
 - there's no check from other inputs too
 - there's not a second "unit" running to check for output differences.
Yes, and all that is correctable with software changes.
 Walter, you are an engineer, but I'm a manager, so I believe that cost saving 
 _could_ be a cause, and a major one.
 
 For example, the quote you have made about "one airplane that all their pilots 
 can fly" is related to airlines, not airplane builder, and that's a basic rule 
 in organisation to be more efficient.
It's both a cost saving and a safety improvement. There's a very good reason why cars have the brake on the left and the gas on the right and this is standardized.
 I'm not interested in the specific case. What I'm wondering is if software is 
 still not so under the lens of regulation as hardware of mechanical 
 engineering in general, so there's a "trend" in shifting "weight" from traditional 
 engineering to software engineering, and that's starting to be a problem.
There's been constant upheaval in aircraft systems since the very beginning. There's not really any such thing as "traditional". For example, the switch from cable operated surfaces to hydraulic boost to fully powered surfaces. The pilot moving the surfaces directly was abandoned with the 747, for obvious reasons.

It's important to realize that the MCAS problems were not due to bugs in the software implementation. It was bugs in the design specification. The spec seems to contradict principles of aircraft design which Boeing holds dear, and I cannot explain how such a design got approved.

Cost savings do not explain it at all.
Apr 21
Paolo Invernizzi <paolo.invernizzi gmail.com> writes:
On Sunday, 21 April 2019 at 21:05:43 UTC, Walter Bright wrote:
 On 4/21/2019 1:45 PM, Paolo Invernizzi wrote:
 I'm not interested in the specific case. What I'm wondering is 
 if software is still not so under the lens of regulation as 
 hardware of mechanical engineering in general, so that's a 
 "trend" in shifting "weight" from traditional engineering to 
 software engineering, and that's starting to be a problem.
There's been constant upheaval in aircraft systems since the very beginning. There's not really any such thing as "traditional". For example, the switch from cable operated surfaces to hydraulic boost to fully powered surfaces. The pilot moving the surfaces directly was abandoned with the 747, for obvious reasons.
That's my point, that's not software engineering... and the evolution worked well!
 It's important to realize that the MCAS problems were not due 
 to bugs in the software implementation. It was bugs in the 
 design specification. The spec seems to contradict principles 
 of aircraft design which Boeing holds dear, and I cannot 
 explain how such a design got approved.
Again, that's the point! Doesn't it remind you of all the discussion in the forum around the meaning of "assert", recovering from UB, catching errors, and so on? I'm fully on your boat! So the question: are there so many people leaving that boat? And I'm talking about design and implementation. I think mechanical engineering is still "sane" in that respect...
 Cost savings do not explain it at all.
Au contraire, costs are flooding inside a company from holes that nobody knows about, if they don't have the proper information... don't exclude that...
Apr 21
Walter Bright <newshound2 digitalmars.com> writes:
Just to be clear, I don't speak for Boeing, my opinions are mine alone, and I 
have no direct knowledge of what went on with the design of MCAS, just what I 
read in the media.
Apr 21
rikki cattermole <rikki cattermole.co.nz> writes:
Very interesting take thanks!

I'm glad that I have ignored this article until now.
Apr 21
Walter Bright <newshound2 digitalmars.com> writes:
On 4/21/2019 5:24 PM, rikki cattermole wrote:
 Very interesting take thanks!
 
 I'm glad that I have ignored this article until now.
Thanks for the kind words! Some more I wrote about it: https://news.ycombinator.com/item?id=19695091
Apr 21
Tony <tonytdominguez aol.com> writes:
On Sunday, 21 April 2019 at 19:52:58 UTC, Walter Bright wrote:
 But it wasn't about cost saving, another scurrilous charge by 
 the author. The fact that a fix is a software update is 
 evidence enough that it was a mistake, not some blind greed.
Which software system is cheaper to design and test, one that uses ONE sensor for input, or one that uses TWO sensors (one that is part of the "other side of the cockpit system"), and makes sure they both agree - and then notifies the pilots something was wrong and then automatically takes MCAS out of the equation?

Which software system is cheaper to design and test, one that keeps track of whether the pilot is fighting its attempts to move the nose down or one that just ignores what the pilot is doing and keeps on blindly moving the nose down?

Which software system is cheaper to design and test, one that keeps track of previous movements of the "nose-down" system to see if further movement would be indicated or makes sense, or one that just keeps going "more nose-down" with no care about what has already transpired?

The fact that a software fix is "part of the fix" does not demonstrate that "no cost savings took place in software development".

In addition to changing the software, they are going to not charge $80,000 for an indicator light that notifies the pilots when the angle-of-attack sensors disagree. Boeing actually charged $80,000 dollars for them to let you know their system was destined for failure.

Boeing is also now stating that they will give extra training for the 737 MAX 8, something they avoided previously due to the cost.
 There's more, but I should stop here. I'm just tired of these 
 hit pieces from people who only partially know what they're 
 talking about. I'll fly in a 737Max any day.
Boeing management's reaction to two similar fatal crashes of the 737 MAX 8 was "let us keep flying them". There should be people in jail after this fiasco and once let out they should be forbidden from working in the aviation industry (includes FAA personnel). But, as we saw in the Space Shuttle Challenger disaster, no one will do jail time or be punished with fines or being forbidden to work in the industry for "business decisions" that ultimately killed people.
Apr 21
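The three missing checks Paolo lists and the three "which is cheaper" questions Tony asks above describe the same design choices. The following is an added example, not code from this thread or from any real flight control system: a constructed, deliberately simplified stabilizer-trim augmentation loop, with the single-sensor variant beside one that cross-checks both angle-of-attack vanes, yields to opposing pilot trim, and caps its cumulative nose-down authority. Every threshold, unit and sensor trace here is a made-up value chosen only to make the difference in behaviour visible.

```python
"""Toy pitch-trim augmentation loop (constructed example, not any real MCAS code).

Two controllers run over the same constructed sensor traces:
  naive_step   - one AoA vane, no memory, ignores the pilot (the "cheap" variant)
  GuardedTrim  - cross-checks both vanes, yields to opposing pilot trim, and caps
                 its cumulative nose-down authority (the three checks the thread asks for)
All thresholds below are made-up values chosen to make the behaviour visible.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

AOA_TRIGGER_DEG = 14.0      # above this angle of attack the loop commands nose-down trim
AOA_DISAGREE_DEG = 5.5      # maximum tolerated split between the two vanes
TRIM_STEP = 0.6             # stabilizer units moved per activation
MAX_TOTAL_NOSE_DOWN = 1.2   # cumulative authority cap: two steps, then stop


@dataclass
class Tick:
    """One sample of the inputs the loop sees each cycle (constructed)."""
    aoa_left: float
    aoa_right: float
    pilot_trim: int  # +1 pilot trims nose-up, -1 nose-down, 0 hands off the switch


def naive_step(tick: Tick) -> float:
    """Single-sensor variant: trusts the left vane alone, forever, whatever the pilot does."""
    return -TRIM_STEP if tick.aoa_left > AOA_TRIGGER_DEG else 0.0


@dataclass
class GuardedTrim:
    """Same function with the three checks; keeps state across cycles."""
    total_nose_down: float = 0.0
    engaged: bool = True
    log: List[str] = field(default_factory=list)

    def step(self, tick: Tick) -> float:
        if not self.engaged:
            return 0.0
        # Check 1: redundancy. Disagreeing vanes mean one is lying and the loop
        # cannot tell which, so disengage and annunciate instead of acting on either.
        if abs(tick.aoa_left - tick.aoa_right) > AOA_DISAGREE_DEG:
            self.engaged = False
            self.log.append("AOA DISAGREE: augmentation disengaged, crew alerted")
            return 0.0
        aoa = (tick.aoa_left + tick.aoa_right) / 2.0
        if aoa <= AOA_TRIGGER_DEG:
            return 0.0
        # Check 2: the pilot is trimming the other way; the human wins.
        if tick.pilot_trim > 0:
            self.log.append("pilot opposing: yielding, no nose-down command")
            return 0.0
        # Check 3: bounded authority. Account for what this loop has already done.
        remaining = MAX_TOTAL_NOSE_DOWN - self.total_nose_down
        if remaining <= 0.0:
            self.log.append("authority exhausted: holding")
            return 0.0
        cmd = -min(TRIM_STEP, remaining)
        self.total_nose_down -= cmd  # cmd is negative, so this adds the magnitude
        return cmd


def run(controller: Callable[[Tick], float], ticks: List[Tick]) -> Tuple[float, int]:
    """Feed ticks to a controller; return (net trim commanded, number of activations)."""
    total, activations = 0.0, 0
    for t in ticks:
        cmd = controller(t)
        total += cmd
        activations += int(cmd != 0.0)
    return total, activations


def stuck_vane_scenario(cycles: int = 10) -> List[Tick]:
    """Constructed trace: left vane frozen at 25 deg, right reads a normal 3 deg,
    pilot trims nose-up the whole time."""
    return [Tick(25.0, 3.0, +1) for _ in range(cycles)]


def genuine_high_aoa_scenario() -> List[Tick]:
    """Constructed trace: both vanes agree near 18 deg; pilot is hands-off for
    five cycles, then trims nose-up for three."""
    return [Tick(18.0, 17.5, 0)] * 5 + [Tick(18.0, 17.5, +1)] * 3


if __name__ == "__main__":
    for name, scenario in (("stuck vane", stuck_vane_scenario()),
                           ("genuine high AoA", genuine_high_aoa_scenario())):
        guard = GuardedTrim()
        print(f"{name}: naive={run(naive_step, scenario)} guarded={run(guard.step, scenario)}")
        for line in guard.log[:3]:
            print("   ", line)
```

On the stuck-vane trace the single-sensor loop keeps commanding nose-down on every cycle while the pilot opposes it; the guarded loop disengages on the first cycle with a disagree annunciation and never moves the stabilizer.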
Tony <tonytdominguez aol.com> writes:
On Sunday, 21 April 2019 at 19:52:58 UTC, Walter Bright wrote:

 I have my beefs with the article.

 For example,

 "They want to have one airplane that all their pilots can fly 
 because that makes both pilots and airplanes fungible, 
 maximizing flexibility and minimizing costs."

 Safety is a factor in having different airplanes fly the same. 
 Many accidents have occurred because the pilot, in a moment of 
 stress, applied a solution that would have been correct on the 
 aircraft type he had more experience on.
Safety being a factor in making planes fly the same doesn't remove cost as a factor in Boeing not making the MCAS well-known and not requiring that pilots learn about and be trained on the "sequence" that was necessary to override MCAS. But there are claims that the Ethiopian pilots did go through that sequence more than once, suggesting that any override was temporary and futile. But there are other reports that the Indonesian airliner that crashed had had an off-duty pilot riding shotgun who knew the "disable sequence" and successfully disabled the faulty MCAS system the day before the fatal crash.
 He argues that airplanes are stable without augmentation. This 
 isn't true for any jetliners, they have an active yaw damper:
I don't know which part you are referring to as suggesting "are stable without augmentation" (a phrase not in the article), but I see him saying "The airframe, the hardware, should get it right the first time and not need a lot of added bells and whistles to fly predictably". I don't read that as planes should have "zero pilot augmentation". I think his point is you don't design an aircraft, and when you find it has a tendency to stall on takeoff more than a typical or historical aircraft, go ahead and produce it anyway. "Other than a higher than normal tendency to stall on takeoff..." is not what most people want to hear in a design review of a proposed production aircraft.
Apr 21
Uknown <sireeshkodali1 gmail.com> writes:
On Monday, 22 April 2019 at 01:59:31 UTC, Tony wrote:
 On Sunday, 21 April 2019 at 19:52:58 UTC, Walter Bright wrote:

 [snip]
 He argues that airplanes are stable without augmentation. This 
 isn't true for any jetliners, they have an active yaw damper:
I don't know which part you are referring to as suggesting "are stable without augmentation" (a phrase not in the article
What Walter is referring to is the fact that planes in general are not machines that fly "in a straight line". They have a tendency to bank, roll, or yaw. These are fixed by using hardware, or as most modern designs do, in software. When the pilot yanks the controller, he doesn't actually move any control surfaces, he just gives an input. This input is then translated into movement of control surfaces by software. If the pilot thinks that specific flight control surfaces need to be moved, he can do that too, but it's not the default.
 , but I see him saying "The airframe, the hardware, should get 
 it right the first time and not need a lot of added bells and 
 whistles to fly predictably".
That is something that hasn't been true for a long time. The early planes were all unstable designs. Modern military jets are all "relaxed stability". The MD-11 was also similarly unstable. It had an "LSAS" to keep it stable. This design isn't something that's unheard of or bad. At least we can't say that based on publicly available info. The NTSB report will be necessary to say anything about this.
 I don't read that as planes should have "zero pilot 
 augmentation". I think his point is you don't design an 
 aircraft, and when you find it has a tendency to stall on 
 takeoff more than a typical or historical aircraft, go ahead 
 and produce it anyway. "Other than a higher than normal 
 tendency to stall on takeoff..." is not what most people want 
 to hear in a design review of a proposed production aircraft.
The point is that such designs really aren't as radical or unheard of as the article suggests. These things have been done before and will be done again. The MD-11 is an example of another commercial aircraft that did it. The MD-11 was also controversial in its decision. The real issue here is that the software (MCAS) which was supposed to fix the pitch up, was poorly designed.
Apr 23
Walter Bright <newshound2 digitalmars.com> writes:
On 4/23/2019 2:42 AM, Uknown wrote:
 Modern military jets are all "relaxed stability".
The 1903 Wright Flyer was highly unstable. The Wrights didn't know anything about stability :-) The pitch instability is likely what made their first flight so short. The WW1 Sopwith Camel was famously unstable, killing some high percentage of its pilots because of that (I forgot the percentage). But in the hands of a competent pilot, he could use that instability to enable high maneuverability in combat. The P-51 liked to flip on its back if you applied power too fast. The WW2 Me-262 had control problems with flying too fast, you could lose all pitch control. The Korean War F-80 was also unstable, it would abruptly pitch up and the wings would come off if you flew it too fast. It had an engine powerful enough to do that in level flight, you just had to watch it.
Apr 23
Uknown <sireeshkodali1 gmail.com> writes:
On Tuesday, 23 April 2019 at 11:05:46 UTC, Walter Bright wrote:
 On 4/23/2019 2:42 AM, Uknown wrote:
 Modern military jets are all "relaxed stability".
 The 1903 Wright Flyer was highly unstable. The Wrights didn't know anything about stability :-) The pitch instability is likely what made their first flight so short. The WW1 Sopwith Camel was famously unstable, killing some high percentage of its pilots because of that (I forgot the percentage). But in the hands of a competent pilot, he could use that instability to enable high maneuverability in combat. The P-51 liked to flip on its back if you applied power too fast. The WW2 Me-262 had control problems with flying too fast, you could lose all pitch control. The Korean War F-80 was also unstable, it would abruptly pitch up and the wings would come off if you flew it too fast. It had an engine powerful enough to do that in level flight, you just had to watch it.
Indeed. I'm agreeing with you here. The F-16 was supposedly controversial for being both relatively small and more manoeuvrable (used "relaxed stability"). In fact wiki states that it's the first to use it to achieve better manoeuvrability. Pretty much all fighters since have used this. The Su-27/MiG-29 families have both used this along with TVC for some fantastic post-stall manoeuvres at air shows. The Eurofighter Typhoon used it to achieve better manoeuvrability at most dogfight-relevant speeds, and is rumoured to be among the best dogfighters because of its agility. The F-22 similarly is relaxed stability. The F-117 is probably the most obnoxiously designed fighter to have flown, and is similarly unstable. The B-2 is also unstable. The LCA Tejas is supposedly the most longitudinally unstable. In short I'm having a hard time finding exceptions to military fighters that don't have an unstable design, especially those designed after the F-16 came out.
Apr 23
Gilter <Gilter gmall.com> writes:
On Sunday, 21 April 2019 at 19:52:58 UTC, Walter Bright wrote:
 On 4/21/2019 10:18 AM, Paolo Invernizzi wrote:
 I'm finding this article [1] amazing, looking at all the 
 anecdotal stories that Walter has told us during all those 15 
 years regarding engineering in the avionics industry.
 
 Without specifically discussing the Boeing case, but looking at 
 industry in general...
 Really, will things go horribly wrong before starting to go 
 better again?
 
 Happy Easter to everybody!
 
 [1] 
 https://spectrum.ieee.org/aerospace/aviation/how-the-boeing-737-max-disaster-looks-to-a-software-developer
I have my beefs with the article. For example, "They want to have one airplane that all their pilots can fly because that makes both pilots and airplanes fungible, maximizing flexibility and minimizing costs." Safety is a factor in having different airplanes fly the same. Many accidents have occurred because the pilot, in a moment of stress, applied a solution that would have been correct on the aircraft type he had more experience on.
You can't have two planes fly the same, if they did they wouldn't be different then. You could say there's a risk factor in that you try and do something with one plane, it is so similar for that one minute difference that could cause an accident because the pilot thinks it is doing something else. There have also been incidents where the pilot was because in a moment of stress he applied a solution from another aircraft to the aircraft he was flying. A technique used by gliders, a single/two seater aircraft that has no engines, was applied to a Boeing 767.
 He argues that airplanes are stable without augmentation. This 
 isn't true for any jetliners, they have an active yaw damper:

   https://en.wikipedia.org/wiki/Dutch_roll

 In particular:

   https://en.wikipedia.org/wiki/Dutch_roll#Accidents


 He argues that it would be safer to develop a whole new 
 airframe. Any new airframe, by definition, will be an unproven 
 design, and everything in it would need to be re-proven, which 
 has its limits.


 "Neither such coders nor their managers are as in touch with 
 the particular culture and mores of the aviation world as much 
 as the people who are down on the factory floor, riveting wings 
 on, designing control yokes, and fitting landing gears. Those 
 people have decades of institutional memory about what has 
 worked in the past and what has not worked. Software people do 
 not."

 This is sheer nonsense. People on the shop floor assembling 
 airplanes do indeed have institutional knowledge about what 
 works in manufacturing. They have no idea what works when 
 flying or various failure modes. They have zero experience with 
 stability issues. They do not do design work. Even more 
 ignorant, the 757 I worked on back in 1980 had many computer 
 systems that controlled the airplane, such as the autopilot. 
 Last I checked that was 4 decades ago, and software programmers 
 and managers implemented it.


 Boeing did indeed make mistakes with the MCAS software design. 
 I won't defend that, I don't understand the causes of those 
 mistakes. But it wasn't about cost saving, another scurrilous 
 charge by the author. The fact that the fix is a software 
 update is evidence enough that it was a mistake, not some blind 
 greed.
A mistake that could have been caught with more rigorous testing and training. From what I understand the pilots received an hour long training session about the new plane on an iPad and that was it. I wouldn't be surprised if they cut corners and costs by not testing and providing enough training. I wouldn't be surprised if they did cut costs with testing, it's something that will eat a good chunk of costs with very little benefit, unless something goes wrong, like it has. I'm skeptical that a software patch will solve all these issues. I don't have the confidence you have in these companies. Maybe they were different 40 years ago. It's easy to say, all problems that were being experienced by our aircraft were fixed with a software patch. Hope they keep these planes grounded until they actually make sure they are safe and do actual runs with the plane without any passengers on it so they don't all crash and burn.
 There's more, but I should stop here. I'm just tired of these 
 hit pieces from people who only partially know what they're 
 talking about. I'll fly in a 737Max any day.
We'll see if any country ever allows it to fly again. There's a long list of countries that have grounded the plane.
Apr 21
Uknown <sireeshkodali1 gmail.com> writes:
On Sunday, 21 April 2019 at 19:52:58 UTC, Walter Bright wrote:
 On 4/21/2019 10:18 AM, Paolo Invernizzi wrote:
[snip]
 I have my beefs with the article.
 
 For example,
 
 "They want to have one airplane that all their pilots can fly because that makes both pilots and airplanes fungible, maximizing flexibility and minimizing costs."
 
 Safety is a factor in having different airplanes fly the same. Many accidents have occurred because the pilot, in a moment of stress, applied a solution that would have been correct on the aircraft type he had more experience on.
 
 He argues that airplanes are stable without augmentation. This isn't true for any jetliners, they have an active yaw damper:
 
   https://en.wikipedia.org/wiki/Dutch_roll
 
 In particular:
 
   https://en.wikipedia.org/wiki/Dutch_roll#Accidents
 
 He argues that it would be safer to develop a whole new airframe. Any new airframe, by definition, will be an unproven design, and everything in it would need to be re-proven, which has its limits.
I think the point there was that the practical "evolutions" that could be done to the 737's airframe were done, so Boeing pretty much had to make a new airframe if they wanted to compete in the same market. I'm not an expert so I can't comment on the validity of this claim. However, I can say that the idea that a plane can leave safe controlled flight and pitch up at extreme rates, when the thrust is at max, is not something that should be an acceptable trade-off.
 "Neither such coders nor their managers are as in touch with 
 the particular culture and mores of the aviation world as much 
 as the people who are down on the factory floor, riveting wings 
 on, designing control yokes, and fitting landing gears. Those 
 people have decades of institutional memory about what has 
 worked in the past and what has not worked. Software people do 
 not."

 This is sheer nonsense. People on the shop floor assembling 
 airplanes do indeed have institutional knowledge about what 
 works in manufacturing. They have no idea what works when 
 flying or various failure modes. They have zero experience with 
 stability issues. They do not do design work. Even more 
 ignorant, the 757 I worked on back in 1980 had many computer 
 systems that controlled the airplane, such as the autopilot. 
 Last I checked that was 4 decades ago, and software programmers 
 and managers implemented it.


 Boeing did indeed make mistakes with the MCAS software design. 
 I won't defend that, I don't understand the causes of those 
 mistakes. But it wasn't about cost saving, another scurrilous 
 charge by the author. The fact that the fix is a software 
 update is evidence enough that it was a mistake, not some blind 
 greed.
You need to see more than just the failure of the design of the MCAS. From many media reports, it's been said that the pilots were taught that this is the same plane. That was a selling point. No need for re-certifying pilots. However the plane behaves differently enough from previous planes that this is demonstrably false.

Also the MCAS seems to be a "prevent the plane from crashing, *after* stall-like conditions have been detected", as opposed to "make the plane fly like the previous 737 generation".

To recap:
- Boeing fails to tell pilots what can happen under certain situations (specifically thrust increase results in higher than acceptable pitch up)
- Boeing fails to train pilots about what to do with regards to MCAS when the system makes incorrect inputs
- Boeing makes MCAS with poor design decisions that never should have made it onto a production commercial airliner.
 Absent from his article is anything about Airbus. Airbus has 
 had crashes due to avionics software problems, too.
It's not just avionics problems. Many planes have suffered from avionics. It's the surrounding corporate negligence, and the incredibly bad design of the MCAS that make this incident important.
 The author is a pilot, but has never flown airliners and has no 
 experience with them.

 There's more, but I should stop here. I'm just tired of these 
 hit pieces from people who only partially know what they're 
 talking about. I'll fly in a 737Max any day.
I'm sure you wouldn't fly in one until the fix has been published and the pilots have been trained.
Apr 21
parent reply Walter Bright <newshound2 digitalmars.com> writes:
On 4/21/2019 10:54 PM, Uknown wrote:
 I'm sure you wouldn't fly in one until the fix has been published and the pilots 
 have been trained.
Actually, I would even in an unmodified 737MAX. The reason is that the way to deal with it, even if pilots don't know about it, is to follow their training for runaway stab trim. This is what the pilots did in the first Lion Air incident, and they landed without incident. In the second LA incident, and in the Ethiopian one, they did not and crashed.

It's simple:

1. The electric trim switches on the control column override the MCAS commands.
2. When trimmed, shut off the stab trim with the cutoff switches on the console.

Both pilots in the crashes were performing (1). The mystery to me is why they did not continue to do it, then perform (2). We'll have to wait for the NTSB report which hopefully can explain that. I would expect with all this publicity even an incompetent pilot would be able to accomplish this.

BTW, I only saw one article publish (1) and (2). (The wording is from memory, I don't recall the exact words in the Boeing instructions.) All the other articles leave it out and prefer to publish hysterical clickbait articles.

Boeing still needs to fix the MCAS system, because how airplanes are made robust is to fix every point in the string of failures that led to a crash.

BTW, I was a nervous flyer before I worked at Boeing on flight control systems. Knowing how things actually worked and how things were built changed it all for me. An awful lot about what is written in newspapers about technical airplane issues is complete trash. Journalists don't know **** about airplanes, and they garble it all up. If you want the straight dope, read the NTSB incident reports.

The pilot's article linked to sounds authoritative, until one notices he's not an airline pilot, and (for instance) does not realize that all swept wing airplanes are fundamentally unstable, and that Rosie the Riveter knows nothing about stability issues.

You don't need to believe anything I say - so I recommend withholding judgement until the NTSB report(s) come out. You'll learn a lot reading them. The NTSB does a good job thoroughly stating the facts and leaving off the hysteria.
Apr 22
next sibling parent Uknown <sireeshkodali1 gmail.com> writes:
On Monday, 22 April 2019 at 20:35:31 UTC, Walter Bright wrote:
 On 4/21/2019 10:54 PM, Uknown wrote:
 [snip]
Actually, I would even in an unmodified 737MAX. The reason is that the way to deal with it, even if pilots don't know about it, is to follow their training for runaway stab trim. This is what the pilots did in the first Lion Air incident, and they landed without incident. In the second LA incident, and in the Ethiopian one, they did not and crashed. It's simple: 1. The electric trim switches on the control column override the MCAS commands. 2. When trimmed, shut off the stab trim with the cutoff switches on the console.
Yes, and what you said is in line with what Boeing said after the Ethiopian airline crash:
 In the event an uncommanded nose down stabilizer trim is 
 experienced on the 737 - 8 / - 9, in conjunction with one or 
 more of the above indications or effects, do the Runaway 
 Stabilizer NNC ensuring that the STAB TRIM CUTOUT switches are 
 set to CUTOUT and stay in the CUTOUT position for the remainder 
 of the flight.
 Both pilots in the crashes were performing (1). The mystery to 
 me is why they did not continue to do it, then perform (2). 
 We'll have to wait for the NTSB report which hopefully can 
 explain that.
I read an ars technica piece that said that they performed (1), however the MCAS they did something else that brought back the MCAS system and at this point it was too late to recover. However I would rather wait for some official report in this one.
 I would expect with all this publicity even an incompetent 
 pilot would be able to accomplish this.

 BTW, I only saw one article publish (1) and (2). (The wording 
 is from memory, I don't recall the exact words in the Boeing 
 instructions.) All the other articles leave it out and prefer 
 to publish hysterical clickbait articles.
https://arstechnica.com/information-technology/2018/11/indonesia-737-crash-caused-by-safety-feature-change-pilots-werent-told-of/?comments=1 This one does mention it, as a press bulletin at the end. Yes, media is trash and will publish clickbait about everything that is remotely technical. They trash every new military project without any knowledge of it (LCA Tejas was late, F-35 is a waste of money, etc.). No point listening to them. However many pilots have complained that they really weren't even aware of the MCAS system, with no prior training being given. That's definitely not a good sign.
 Boeing still needs to fix the MCAS system, because how 
 airplanes are made robust is to fix every point in the string 
 of failures that led to a crash.
Yes, however the question is how did such a poorly designed system get approved in the first place?
 BTW, I was a nervous flyer before I worked at Boeing on flight 
 control systems. Knowing how things actually worked and how 
 things were built changed it all for me. An awful lot about 
 what is written in newspapers about technical airplane issues 
 is complete trash. Journalists don't know **** about airplanes, 
 and they garble it all up. If you want the straight dope, read 
 the NTSB incident reports.
How long do they usually take? 4-6 months? I've never been interested in an air crash investigation as much as this one.
 The pilot's article linked to sounds authoritative, until one 
 notices he's not an airline pilot, and (for instance) does not 
 realize that all swept wing airplanes are fundamentally 
 unstable, and that Rosie the Riveter knows nothing about 
 stability issues.
I agree this article is nonsense. The idea that code is somehow "less safe" or just not good enough for aviation is nonsense. I presumed that the rest of the article was true, however you claim otherwise. The only true part seems to be:
1. The MCAS was poorly designed
2. The plane pitches up (more than an acceptable degree) when thrust is provided, which is why the MCAS is necessary
 You don't need to believe anything I say - so I recommend 
 withholding judgement until the NTSB report(s) come out. You'll 
 learn a lot reading them. The NTSB does a good job thoroughly 
 stating the facts and leaving off the hysteria.
Apr 23
prev sibling next sibling parent reply Paolo Invernizzi <paolo.invernizzi gmail.com> writes:
On Monday, 22 April 2019 at 20:35:31 UTC, Walter Bright wrote:
 On 4/21/2019 10:54 PM, Uknown wrote:
 I'm sure you wouldn't fly in one until the fix has been 
 published and the pilots have been trained.
Actually, I would even in an unmodified 737MAX. The reason is that the way to deal with it, even if pilots don't know about it, is to follow their training for runaway stab trim. This is what the pilots did in the first Lion Air incident, and they landed without incident. In the second LA incident, and in the Ethiopian one, they did not and crashed.

It's simple:

1. The electric trim switches on the control column override the MCAS commands.
2. When trimmed, shut off the stab trim with the cutoff switches on the console.

Both pilots in the crashes were performing (1). The mystery to me is why they did not continue to do it, then perform (2). We'll have to wait for the NTSB report which hopefully can explain that. I would expect with all this publicity even an incompetent pilot would be able to accomplish this.

BTW, I only saw one article publish (1) and (2). (The wording is from memory, I don't recall the exact words in the Boeing instructions.) All the other articles leave it out and prefer to publish hysterical clickbait articles.
Here are the details, right from Boeing... http://www.b737.org.uk/mcas.htm
 Boeing still needs to fix the MCAS system, because how 
 airplanes are made robust is to fix every point in the string 
 of failures that led to a crash.

 BTW, I was a nervous flyer before I worked at Boeing on flight 
 control systems. Knowing how things actually worked and how 
 things were built changed it all for me. An awful lot about 
 what is written in newspapers about technical airplane issues 
 is complete trash. Journalists don't know **** about airplanes, 
 and they garble it all up. If you want the straight dope, read 
 the NTSB incident reports.
That's what I usually do, but the point is another... see below...
 The pilot's article linked to sounds authoritative, until one 
 notices he's not an airline pilot, and (for instance) does not 
 realize that all swept wing airplanes are fundamentally 
 unstable, and that Rosie the Riveter knows nothing about 
 stability issues.

 You don't need to believe anything I say - so I recommend 
 withholding judgement until the NTSB report(s) come out. You'll 
 learn a lot reading them. The NTSB does a good job thoroughly 
 stating the facts and leaving off the hysteria.
And that's fine. What I want to discuss is the last part in the link that I've included in this post, I quote it for convenience:

"""
The Proposed Fix

Boeing have been working on a software modification to MCAS since the Lion Air accident. Unfortunately although originally due for release in January it was not released due to both engineering challenges and differences of opinion among some federal and company safety experts over how extensive the changes should be.
"""

Please note the "engineering challenges" and "differences of opinion". Moreover:

"""
Note that as MCAS is an FCC function, the modifications to MCAS are made in the FCC software. The revision will be known as FCC P12.1

There are three significant changes to MCAS software being worked on by Boeing:

1) To give the system input from both angle-of-attack sensors. Currently MCAS only uses data from the angle of attack sensor on the side of the active FCC, (see AoA source). The system will have split vane monitor and Mid Value Select (MVS) input. This will both enhance detection of erroneous AoA vane behaviour and the MVS signal selection will pick the average of ADIRU L & R and the previous MVS output. If the output of the two AoA vanes differ by more than 5.5 degrees MCAS will be disabled.
"""

So, only one sensor was used: no redundancy, no cross check, no taking into account other inputs to find out anomalies. Taking differences into account, it reminds me of something like not having "asserts", or better, throwing 'error' in the codebase ("hey, we CAN'T reconcile that AoA with the current increase of speed and decrease of altitude! Assert, abort! throw 'error', abort!). Moreover:

"""
2) To limit how much MCAS can move the horizontal stab to guarantee sufficient handling capability using elevator alone. In its original report, Boeing said that MCAS could move the horizontal stabilizer a maximum of 0.6 degrees. However, after the Lion Air crash, it told airlines that MCAS could actually move it 2.5 degrees, or half the physical maximum. Boeing reportedly increased the limit because flight tests showed that a more powerful movement was needed at high AoA rather than at high Mach.
"""

Half of the physical maximum! Moreover:

"""
3) A modification to the activation and resynchronisation schedule. MCAS will be limited to operate only for one cycle per high AoA event, rather than multiple. At present it will operate for 10s, pause for 5s and repeat for as often as it senses the high AoA condition is present. Furthermore the logic for MCAS to command a nose up stab trim to return to trim following pilot electric trim intervention or exceeding the forward column cutout switch, will also now be improved.
"""

What to say? In my humble opinion, that's the result of "pressure" to have a "solution" for some "not disclosed goal" (hint, the MCAS should be "transparent to pilot", as "that's simply a 737!"). Pressure on engineers coming from management, I mean (again, personal opinions).

So, here we are back to us: what's the current state of affairs in having sloppily designed systems (or sloppily implemented systems!) caused by time pressure, management pressure, cost pressure? I mean, D pushing hard to be a memory safe language, for example, but it seems that safety and good design are falling down in the list of priorities... no?
Apr 23
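The three quoted changes, worked through as an added example written for this thread (not Boeing's software, and not code from the b737.org.uk page): a toy flight-control cycle that cross-checks both AoA vanes and latches MCAS off when they disagree by more than 5.5 degrees, takes the mid value of the two vanes and the previous output, fires once per high-AoA event, caps the total stab movement, and yields to pilot electric trim. Only the 5.5 degree figure comes from the quote; the activation threshold, the per-activation step, the authority cap and every name in the code are assumed placeholders.

```c
/* Added example for this thread (not Boeing's software, not code from the
 * b737.org.uk page): a toy model of the three quoted MCAS changes. The 5.5
 * degree disagreement limit is from the quoted text; the other thresholds
 * are assumed placeholders chosen for illustration. */
#include <stdbool.h>
#include <stdio.h>

#define AOA_DISAGREE_LIMIT_DEG 5.5   /* from the quoted text */
#define HIGH_AOA_DEG           12.0  /* assumed activation threshold */
#define MAX_AUTHORITY_DEG       2.5  /* assumed cap on stab movement per event */
#define STEP_DEG                0.6  /* assumed stab movement per activation */

typedef struct {
    double prev_mvs_deg;   /* previous Mid Value Select output */
    double stab_moved_deg; /* cumulative MCAS stab movement in this event */
    bool   fired;          /* already activated once for this high-AoA event */
    bool   faulted;        /* AoA disagreement detected; latched off */
} mcas_state;

/* Mid Value Select: the median of the two vanes and the previous output,
 * so a single wild reading cannot drive the command on its own. */
double mid_value_select(double a, double b, double c)
{
    if ((a >= b && a <= c) || (a <= b && a >= c)) return a;
    if ((b >= a && b <= c) || (b <= a && b >= c)) return b;
    return c;
}

/* One FCC cycle. Returns the nose-down stab trim command in degrees, or 0.0
 * when MCAS is inhibited. Updates *s in place. */
double mcas_step(mcas_state *s, double aoa_left, double aoa_right,
                 bool pilot_trim_active)
{
    /* Change 1: cross-check both vanes; on disagreement the function is
     * disabled for the rest of the flight instead of trusting either one. */
    double diff = aoa_left - aoa_right;
    if (diff < 0.0) diff = -diff;
    if (diff > AOA_DISAGREE_LIMIT_DEG) s->faulted = true;
    if (s->faulted) return 0.0;

    double aoa = mid_value_select(aoa_left, aoa_right, s->prev_mvs_deg);
    s->prev_mvs_deg = aoa;

    /* Below the threshold the event is over: re-arm for the next one. */
    if (aoa < HIGH_AOA_DEG) {
        s->fired = false;
        s->stab_moved_deg = 0.0;
        return 0.0;
    }
    /* Pilot electric trim overrides MCAS (point 1 in Walter's list). */
    if (pilot_trim_active) return 0.0;
    /* Change 3: one activation per high-AoA event, not a 10s/5s repeat. */
    if (s->fired) return 0.0;
    /* Change 2: bounded total authority so elevator alone can still counter it. */
    double remaining = MAX_AUTHORITY_DEG - s->stab_moved_deg;
    double cmd = STEP_DEG < remaining ? STEP_DEG : remaining;
    if (cmd <= 0.0) return 0.0;
    s->stab_moved_deg += cmd;
    s->fired = true;
    return cmd;
}

int main(void)
{
    /* Constructed sample cycles: agreeing vanes at high AoA, then a frozen
     * left vane that disagrees with the right one. */
    mcas_state s = {0.0, 0.0, false, false};
    printf("agreeing, high AoA : %.1f deg\n", mcas_step(&s, 15.0, 15.5, false));
    printf("same event again   : %.1f deg\n", mcas_step(&s, 15.0, 15.5, false));
    double cmd = mcas_step(&s, 15.0, 4.0, false);
    printf("vanes disagree     : %.1f deg (faulted=%d)\n", cmd, s.faulted);
    return 0;
}
```

The cross-check is the same point Paolo makes about asserts: when two inputs cannot be reconciled, the safe action is to stop acting on them rather than pick one, and the latch means a disagreement that clears for a cycle does not quietly re-enable the function.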
next sibling parent Tony <tonytdominguez aol.com> writes:
On Tuesday, 23 April 2019 at 08:06:14 UTC, Paolo Invernizzi wrote:
 The Proposed Fix

 Boeing have been working on a software modification to MCAS 
 since the Lion Air accident. Unfortunately although originally 
 due for release in January it was not released due to both 
 engineering challenges and differences of opinion among some 
 federal and company safety experts over how extensive the 
 changes should be.
To me this is incredible. A plane crashes. The manufacturer begins working on a "software modification" as a result of the crash (if they weren't actually working on it all along knowing the design they got approved was bogus), which is actually a bug fix/design fix. Yet the plane is still allowed to fly before the fix is tested and installed and there is also no warning issued to all the airlines letting them know there is a problem that resulted in fatalities and a fix is not yet available - so get thorough training on how to handle an MCAS system failure. And then - knowing they haven't installed their fix - after a second plane crashes and with "don't have the full details yet to know if there is any relationship" as a rationale, the recommendation of the FAA and Boeing is "keep flying 737 MAX 8s".
Apr 23
prev sibling parent Walter Bright <newshound2 digitalmars.com> writes:
On 4/23/2019 1:06 AM, Paolo Invernizzi wrote:
 Pressure on engineers coming from management, I mean (again, 
 personal opinions).
I'm very curious what led to the software specification errors, but we don't have any facts, and there's been enough uninformed speculation. We'll just have to wait for the NTSB report.
Apr 23
prev sibling next sibling parent reply Russel Winder <russel winder.org.uk> writes:
On Mon, 2019-04-22 at 13:35 -0700, Walter Bright via Digitalmars-d wrote:
[…]

 Boeing still needs to fix the MCAS system, because how airplanes are made
 robust 
 is to fix every point in the string of failures that led to a crash.
[…]

Surely, Boeing need to remove the MCAS system by reverting the 737 design to be stable rather than unstable.

The 737 MAX is, as far as I know, the first commercial airplane to be unstable. All military fighter airplanes are unstable but that is a military fighter. To date, again as far as I know, the strategy had been that all commercial aircraft were stable. Boeing broke ranks on this strategy with the 737MAX simply because they were trying to put an engine that was too big for the space available and so moved the engine forward and upward creating an aerodynamically unstable configuration.

-- 
Russel.
=============================================
Dr Russel Winder      t: +44 20 7585 2200
41 Buckmaster Road    m: +44 7770 465 077
London SW11 1EN, UK   w: www.russel.org.uk
Apr 23
next sibling parent reply Uknown <sireeshkodali1 gmail.com> writes:
On Tuesday, 23 April 2019 at 08:09:58 UTC, Russel Winder wrote:
 On Mon, 2019-04-22 at 13:35 -0700, Walter Bright via 
 Digitalmars-d wrote: […]
 [snip]
Surely, Boeing need to remove the MCAS system by reverting the 737 design to be stable rather than unstable. The 737 MAX is, as far as I know, the first commercial airplane to be unstable.
The McDonnell Douglas MD-11 was also unstable and was used for freight transport. Wiki link: https://en.wikipedia.org/wiki/McDonnell_Douglas_MD-11 It was designed to have a smaller stabiliser, to reduce drag and thus improve fuel efficiency.
 All military fighter airplanes are unstable but that is a 
 military fighter. To date, again as far as I know, the strategy 
 had been that all commercial aircraft were stable. Boeing broke 
 ranks on this strategy with the 737MAX simply because they were 
 trying to put an engine that was too big for the space 
 available and so moved the engine forward and upward creating 
 an aerodynamically unstable configuration.
Not all are, the ones that are unstable are generally designed in that way so that they are more manoeuvrable. They use digital fly by wire to make sure that the plane is seemingly stable. This decision by Boeing would have been fine if they had designed their software properly.
Apr 23
parent reply sclytrack <fake hotmail.com> writes:
On Tuesday, 23 April 2019 at 08:54:30 UTC, Uknown wrote:
 On Tuesday, 23 April 2019 at 08:09:58 UTC, Russel Winder wrote:
 On Mon, 2019-04-22 at 13:35 -0700, Walter Bright via 
 Digitalmars-d wrote: […]
 [snip]
Surely, Boeing need to remove the MCAS system by reverting the 737 design to be stable rather than unstable. The 737 MAX is, as far as I know, the first commercial airplane to be unstable.
The McDonnell Douglas MD-11 was also unstable and was used for freight transport. Wiki link: https://en.wikipedia.org/wiki/McDonnell_Douglas_MD-11 It was designed to have a smaller stabiliser, to reduce drag and thus improve fuel efficiency.
 All military fighter airplanes are unstable but that is a 
 military fighter. To date, again as far as I know, the 
 strategy had been that all commercial aircraft were stable. 
 Boeing broke ranks on this strategy with the 737MAX simply 
 because they were trying to put an engine that was too big for 
 the space available and so moved the engine forward and upward 
 creating an aerodynamically unstable configuration.
Not all are, the ones that are unstable are generally designed in that way so that they are more manoeuvrable. They use digital fly by wire to make sure that the plane is seemingly stable. This decision by Boeing would have been fine if they had designed their software properly.
You need a stable design for a passenger plane. It happens every now and then that the sensor fails and the plane needs to be able to fly without them. The Dutch roll effects should go away if you just fly straight, without active dampening, otherwise it is a bad design.

Airbus planes have 3 angle of attack sensors as standard, all connected to the flight computer, and you don't have to purchase any additional safety measures like Boeing is doing with their angle of attack sensors. It is one complete package. So with a single angle of attack sensor failing an Airbus plane keeps flying. In case of an emergency you can switch to other "flight control modes".

Lufthansa A321
FL310 Two of the angle of attack sensors frozen in the same position. Nose dive.
FL270 Plane recovery.
You need time to recover.

In the Dreamliner Boeing places its angle of attack sensor nicely close to the door so when a jet bridge is attached then they have to be extremely careful. Just weird design decisions Boeing.
Apr 23
parent sclytrack <fake hotmail.com> writes:
On Tuesday, 23 April 2019 at 12:28:21 UTC, sclytrack wrote:
 In the Dreamliner Boeing places its angle of attack sensor 
 nicely close
 to the door so when a jet bridge is attached then they have to 
 be
 extremely careful. Just weird design decisions Boeing.
https://www.cbsnews.com/news/boeing-787-dreamliner-prompted-nearly-a-dozen-complaints-from-whistleblowers-to-faa/
Apr 23
prev sibling parent Walter Bright <newshound2 digitalmars.com> writes:
On 4/23/2019 1:09 AM, Russel Winder wrote:
 The 737 MAX is, as far as I know, the first commercial airplane to be
 unstable.
They are all unstable in certain parts of the flight envelope. All swept wing airplanes are unstable.

https://en.wikipedia.org/wiki/Dutch_roll

All jetliners are augmented with a yaw damper.

There are other automatic systems in a jetliner to prevent the pilot from doing something stupid. For example, the faster the jet goes, the less authority the pilot has over the elevators. This is to prevent the pilot from literally ripping off the elevators. I'm not sure, but I think this device is controlled electronically.

The airplane will also become uncontrollable if you fly it too fast, like in a dive. Yes, this has happened, sometimes due to other factors, sometimes because the pilot wasn't paying attention.

All airplanes have a "flight envelope" that pilots had better stay inside of or they're gonna crash. The MCAS system was put in to prevent one bad part of the envelope from being accidentally entered. It is not near part of the normal flight envelope, likely why pilots had never encountered MCAS activation before.
Apr 23
prev sibling parent Uknown <sireeshkodali1 gmail.com> writes:
On Monday, 22 April 2019 at 20:35:31 UTC, Walter Bright wrote:
 On 4/21/2019 10:54 PM, Uknown wrote:
 [snip]
Actually, I would even in an unmodified 737MAX. The reason is that the way to deal with it, even if pilots don't know about it, is to follow their training for runaway stab trim. This is what the pilots did in the first Lion Air incident, and they landed without incident. In the second LA incident, and in the Ethiopian one, they did not and crashed. It's simple: 1. The electric trim switches on the control column override the MCAS commands. 2. When trimmed, shut off the stab trim with the cutoff switches on the console.
Yes, and what you said is in line with what Boeing said after the Ethiopian airline crash:
 In the event an uncommanded nose down stabilizer trim is 
 experienced on the 737 - 8 / - 9, in conjunction with one or 
 more of the above indications or effects, do the Runaway 
 Stabilizer NNC ensuring that the STAB TRIM CUTOUT switches are 
 set to CUTOUT and stay in the CUTOUT position for the remainder 
 of the flight.
 Both pilots in the crashes were performing (1). The mystery to 
 me is why they did not continue to do it, then perform (2). 
 We'll have to wait for the NTSB report which hopefully can 
 explain that.
I read an ars technica piece that said that they performed (1), however the MCAS they did something else that brought back the MCAS system and at this point it was too late to recover. However I would rather wait for some official report in this one.
 I would expect with all this publicity even an incompetent 
 pilot would be able to accomplish this.

 BTW, I only saw one article publish (1) and (2). (The wording 
 is from memory, I don't recall the exact words in the Boeing 
 instructions.) All the other articles leave it out and prefer 
 to publish hysterical clickbait articles.
https://arstechnica.com/information-technology/2018/11/indonesia-737-crash-caused-by-safety-feature-change-pilots-werent-told-of/?comments=1 This one does mention it, as a press bulletin at the end. Yes, media is trash and will publish clickbait about everything that is remotely technical. They trash every new military project without any knowledge of it (LCA Tejas was late, F-35 is a waste of money, etc.). No point listening to them. However many pilots have complained that they really weren't even aware of the MCAS system, with no prior training being given. That's definitely not a good sign. And everything points to the fact that the MCAS is poorly designed.
 Boeing still needs to fix the MCAS system, because how 
 airplanes are made robust is to fix every point in the string 
 of failures that led to a crash.
Yes, however the question is: how did such a poorly designed system get approved in the first place?
 [snip] Journalists don't know **** about airplanes,
Journalists generally don't know anything about anything technical, and will report it in a way to increase views/clicks. See also science reporting in general.
 and they garble it all up. If you want the straight dope, read 
 the NTSB incident reports.
How long do they usually take? 4-6 months? I've never been interested in an air crash investigation as much as this one. I'd love to read the official report.
 The pilot's article linked to sounds authoritative, until one 
 notices he's not an airline pilot, and (for instance) does not 
 realize that all swept wing airplanes are fundamentally 
 unstable, and that Rosie the Riveter knows nothing about 
 stability issues.
I agree this article is nonsense. The idea that code is somehow "less safe" or just not good enough for aviation is nonsense. I presumed that the rest of the article was true, however you claim otherwise. The only true part seems to be:
1. The MCAS was poorly designed
2. The plane pitches up (more than an acceptable degree) when thrust is provided, which is why the MCAS is necessary.
 You don't need to believe anything I say - so I recommend 
 withholding judgement until the NTSB report(s) come out. You'll 
 learn a lot reading them. The NTSB does a good job thoroughly 
 stating the facts and leaving off the hysteria.
I think most of the stuff wrt relaxed stability in a commercial plane is gibberish. It's OK for a plane to have relaxed stability, as long as it has a properly designed flight system that can keep the plane stable and flying in a controlled manner. I suspect that the report will confirm this, but blast Boeing for doing a poor job designing the MCAS. From what I understand the MD-11 also has some degree of relaxed stability.
Apr 23