Well another key part of software/system design in the context of transportation and vehicles is not to override the human driver or pilot. If the pilot is pulling back on the yoke as hard as he can, there's probably a reason for that. If a driver is trying to floor it despite getting all types of warnings then there's probably a reason for that too (like maybe the bridge is collapsing behind you, etc.). You don't ever override the human in control and you should always, always, always give the human the ability to turn off the automation in a simple way, like by hitting a stop button. That way, if my collision avoidance system keeps trying to kill me by slamming on the brakes in the middle of the freeway, I should always be able to disable it and drive the car back to the dealership.

The requirement for something that could result in a catastrophic failure is something like 1 in a billion, so even if analysis suggests it might be that low, it may be very difficult to verify, to the extent that it's more cost effective (though still expensive and time consuming) to fix it altogether.

Not having any insight into the FAA in particular, but based on experience with large aerospace systems, is that the FAA should be being extremely rigorous about Boeing getting through the complete test program without making configuration changes, which means that every time they do make even a small change, they should be going back and redoing tests that were already completed. This can add a huge amount of time to development for even minor changes, but it's a contributing factor to why the MCAS responded as fast and as hard as it did to the failed AOA sensor. I know of multiple systems in the $100M+ to $1B+ range that failed because things weren't retested after configuration changes, or where tests had very small differences from being identical to operation and allowed fatal design features through. So they're probably (or should be, at this point) looking for a complete clean test set, plus fully completed training program design, etc. You don't have to be making very big changes for that to still take a long time.

As far as this all being a software thing - that's actually kind of a misleading distraction. It's system thing. The software could have been implemented to perfectly meet its requirements, with no bugs, and performed flawlessly, and yet the aircraft system could still have major flaws. Everything I've seen suggests that the MCAS software did exactly what it was supposed to do, and that what it was supposed to do was the problem. That's not defined by software engineers, that's defined by the systems people who are responsible for integrating the control laws with the hardware and turning it into requirements for someone to implement, then ensuring that the tests include all the failure modes.

Because until the recent cross-connection that Boeing is applying to fix the MCAS issue (computers cross checking for disagree before applying trim), the basic Boeing redundancy architecture for the 737 was dual-string, fully independent computers that alternated which was running from flight to flight, with the pilots deciding when and whether to switch from one to the other. It sounds like part of the fix is to couple the two, at least as far as MCAS operation is concerned. From the press articles, it's not clear if the cross-checking is limited to MCAS related control or much broader. If it's much broader than just the MCAS, I'd be squeamish about it given how big an architecture change that would be to implement in a relatively short time.

I agree with you for the most part, but if you were physically unable to turn the steering wheel and/or weren't able rectify the problem yourself within 30 seconds, the manual override would be useless.

Sounds like something my manager and I told to some other team members who checked-in changes without testing them and broke the entire build process. If you change even one line of code, even something you think is inconsequential, that's not an excuse to not test the code before checking it in. Sometimes, people are wrong about what they think cannot possibly break things. It's even worse when the system is a critical part of safety and its failure can kill everyone on board.

It happens a lot in hardware systems where you can't just run tests against code, but where there might have been a lot of other things integrated and tested and there just plain might not be enough time or money (or even facilities, sometimes) to do retests. You generally try to go through thorough reviews of the impacts of the changes, and if you have to, you bite the bullet and back up in schedule and spend a lot of money redoing things to make sure. Nothing I work on has risk to people as part of its operation, but little things can break very, very expensive things, and test facilities can have risks to people that have to be mitigated.

Throughout this topic, several comments were made with regards to different training standards around the world, and how a 737 MAX crash would've never happened in the US because our pilots are much more experienced.

The NTSB opened the public docket for Atlas Air Flight 3951 yesterday. As has become the norm for North-American aviation incidents in the last two decades or so, we are again heading towards pilot error as the cause of the accident. Of course, we do need to wait for the final report, but what we do know based on the data in the docket is that on approach to Houston, the B767 FO got confused, likely due to lost situational awareness in poor weather, thought he was in a stall when he was not, and dived the plane into the ground while already flying a low altitude.

The GPWS kicked in almost immediately and screamed "PULL UP," only to be ignored by the FO. The captain tried to counteract, but it was too late. A few seconds later, the plane made impact with Trinity Bay. There are no survivors. We do not know yet if this was also the cause of the accident. But it does sound eerily similar to what the MCAS did, except that it was now just a human making the disastrous decision. However, unlike MCAS, humans cannot be fixed with a software update. Instead, we have to invest many hours in remediation training, and hope for the best.

The FO had 5,073 hours of experience.

There's training, and then there's experience. I do agree that our pilots are the best-trained pilots in the world. But experience is a red herring in air crash investigations. The value of experience, no matter how much, can diminish very rapidly by many factors, such as fatigue, financial worries, or familial issues at home. Factors that simply no human on this earth is immune from.

Mentour Pilot on 737 MAX/MCAS:


At 5:00, he starts discussing what the problem is, and at around 6:00, he says that the issue is that the plane "feels" different than the 737NG. But nowhere does he ever say that this behavior isn't actually allowed; he actually says if pilots could be trained properly, it doesn't need MCAS. I'm surprised he didn't mention the regulation that was mentioned upthread since he's actually a 737 pilot.

Perhaps not quite so simple. While the investigation is not yet complete, it is also thought that the Captain, when adjusting the flaps lever, may have inadvertently and unknowingly pressed the TOGA button. This caused the engines to spool up and the aircraft to pitch up -- actions that were completely unanticipated by either pilot -- and caused the FO to try to push the nose down to counteract these alien actions.

Now while one might have expected at least one of the pilots to understand that the source of the trouble was in the engines going to full throttle and to pull back on the thrust, neither of them did this. If this course of events turns out to be true, why the correct remediation was not applied will be the big human factors question.

I am still seeing MAX9s in the calendar for March flights into and out of IAD and IAH - was expecting to see those removed with the weekend schedule update ...

Book away - UA will let you switch free. They probably haven’t finalized all the swaps yet systemwide.

I wish UA would just turn in the 14 frames and grab more Airbii from foreign LCCs. More comfortable aircraft anyway.

There probably is more money to be made in compensation from Boeing that actually flying planes. Similar to the Chase card deals.

United announced their MAXs are out until summer at the earliest, whether they’re cleared to fly by then or not.

Right, if the TOGA button was indeed inadvertently pushed, and a pilot with 5,073 hours of experience failed to notice the flashing TO/GA indication before his eyes and decided that pushing the nose to the ground at a low altitude of 6000 feet would be the best course of action to counteract the lift, all while the throttles were apparently remaining at almost full power until the last few seconds, then it really does show that experience wouldn't have necessarily prevented an MCAS accident from happening in the US. We're just lucky that it happened elsewhere first and that the plane was grounded before it could happen here.

It's still possible that the NTSB uncovers evidence that shows that these Atlas Air pilots were victims of a structural defect and could've done nothing to prevent the accident. If not, this may very well go down as one of the worst pilot error accidents in aviation history, where a flight crew with a combined 15,000 hours of experience failed to recover from an unusual aircraft attitude, a skill that is supposed to be acquired before a pilot flies his first solo.

It takes experience plus a level of competence.

The Atlas F/O had failed upgrade at Mesa, failed initial training at Air Wisconsin, failed initial training at CommutAir, and had training failures at Atlas. He was able to hide the failures at Air Wisconsin and CommutAir from Atlas when he was hired; something that he PRIA procedures should not have allowed.

The Captain had also had training failures and had been in a special monitoring program at Atlas which required checks at more frequent intervals.

A lack of experience isn't the only way you can end up with a weak pilot.