[MENTION=14516]bocastephen[/MENTION]

My company works in software testing in Avionics. So, I have a nuanced view here.

I know that from a programming perspective, the folks at Honeywell, Rockwell and others (because, yeah, a lot of these systems are not actually created by Boeing, just like a lot of the software going in a car is not actually made by the OEMs) need to meet the toughest quality standard known to man. It is stringent yet well thought. And the reason why so much software goes inside vehicles now, whether they are plane or cars, is because it is advantageous - saves on gas, provides more safety, etc...

Until it doesn't. Because this is the flip side of software: it is relatively complex. A FMS can be 500K lines of code. Sure, it is often Ada (very well-defined, constrained language), it is arch-verified, but the system remains very complex. That's why any level A system has triple redundancy. The thought is, for the most critical systems, if one computer has a flaw, at least the two others will have it right, and the third one can be rebooted.

But in a case like this, could it be either that a faulty hardware provided the wrong information to the computer, which assumed command based on that faulty data? Or perhaps there is a use case when hitting just the right numbers the software came to the wrong conclusion and again took command? In both cases, and I am not an expert here, why wasn't the pilot, who is supposed to be the ultimate fail safe for all these computers, not be able to override the computer's decisions if it is obviously wrong? Shouldn't it be easy for a pilot to take command?

We don't know what happened, and there is plenty of bright experts working on this right now. So it is best to keep judgment for later. But if it turns out to be such a problem, then somewhere in the design there has been perhaps a wrong philosophy at work. Instead of seeing the pilot as a faulty decision maker that must be prevented from making mistakes (which may happen...), perhaps this should have been designed with the opposite philosophy: ultimately the pilot knows best. From a standard perspective I can see lively debates happening to ensure such problems are engineered out of the systems in the future.

This article implies something that, on the surface at least, is much different:

https://phys.org/news/2019-03-ethiop...oeing-max.html

I think one problem here is that when you turn off the MCAS (and/or the stabilizer auto trim in general), the flying characteristics of the MAX are very different from the older 737s in at least some aspects -- and pilots have *not* been trained on those differences and as extensively practiced flying the plane under those conditions (because that was the whole point, MCAS allowed it to keep the same type certification). Yes, some additional information and training was rushed out after Lion Air, but was it enough?

I'd think of it as if the power steering freeze in my car and I had to switch it off (if there were such a switch) while driving on a fast curvy narrow mountain road. Yes, I recognized the steering problem and turned off the system, and I've driven *different* cars without power steering in the past, but this car handles very differently and Honda said there was no need to train on those differences even though the power steering seems to freeze more than in other cars. I may or may not get the "feel" right on those first curves -- who wants to be in the passenger seat?

Not really. The article is clearly written by someone with a limited (or nonexistent) aviation background that is regurgitating content from different sources. It doesn't tell us anything new or suggest anything that we haven't thoroughly analyzed here.

That procedure is to complete the runaway stab checklist, which has been in place for generations. You'll see the very same stab cutout switches, in almost the same location, on the pedestal of the 737-200. Additionally, with respect to electric trim, Boeing designed MCAS to disengage with electric trim inputs from the control yoke, and the FCC will reevaluate the MCAS activation factors after 5 seconds. If the computer determines the airplane is still flying into a stall (whether in reality or the result of a faulty probe), the MCAS re-engages with nose-down pitch inputs. That's where the 'fighting' or 'battle' of the Lion Air flight comes in. The PF likely kept trying to trim out the nose-down input from the MCAS, but the MCAS continued to engage every few seconds, until eventually they ran out of trim and no longer had enough elevator to command a climb. It's worth noting that the Lion Air flight the night before the crash encountered the same issue, but the PF only went through three MCAS activation cycles before the auto stab trim was cut out and controlled flight (with manual trim) was re-established.

That's what Boeing is suggesting should happen, in the event of an unwanted MCAS activation. The truth is, considering human factors, it might be asking too much of pilots, especially if combined with a high workload, potential fatigue and possibly limited experience and/or inadequate training, to timely diagnose the issue and execute the proper corrective actions.

I haven't seen anything indicating a software defect. The Lion Air accident appears (so far) to have resulted from an improper pilot response to the MCAS activation due to faulty hardware (AoA sensor/sender). I presume that the software "fix" is to attempt to better identify bad data from a faulty sensor to reduce the probability of an MCAS activation due to faulty data. The bigger question regarding Lion Air, IMO, is why did they keep sending the airplane out for additional flights when the previous four flights had reported similar problems?

We are dual qualified. 329 NGs, 14 MAXs. Southwest had to retire their remaining 737-300s before introducing the MAX because the FAA would not let them maintain a single qualification on the Classic, NG, and MAX. They could do Classic+NG or NG+MAX but not all three simultaneously.

The biggest difference for me to adjust to is that the audio panel (controls what we're listening to and on which radio we're transmitting) has been moved from the outboard panels to the center console. The MAX has significantly better weather radar and an expanded vertical situation display which aids in situational awareness regarding the planned vertical profile. Both important safety advances, IMO.

I enjoy learning from the comments of people with the expertise in aviation and software. I also trust the pilot flying the plane and his/her primary concern is the safety of their passangers. I also believe the pilot is as concerned with getting safely to the destination as I am and does not have a death wish.(I cannot imagine the horror for the pilot and FO in either of the accidents with the 737MAX)
I understand there can be pilot error for a number of reasons.

The 737MAX was presented as a pig with lipstick whereas I actually think it was a hog (using an analogy that keeps coming to mind when reading about the 737MAX). You can call it a 737 with enhancements but those enhancements make it sound like it was actually a 740..

I hope the investigations also carefully consider the certification and training for the 737MAX and not blame the pilots if it truly were a new aircraft for which they were inadequately trained (through no fault of the pilots).

I agree that this has been an excellent discussion, one of the best in recently memory (IMO) on FlyerTalk.

Sadly, a rather macabre, unfortunate topic.

Have you reviewed the FDR and CVR to see if they followed it?

Until then your post/link has little to do with my post.

Exactly... the JT610, ET302 and every other type-rated 737 pilot since the 60s has as least been introduced to the runaway stab procedure. The widely-held misconception is that this is some all-new training program hastily developed by Boeing in response to Lion Air, when in reality, the Lion Air crew who brought PQ-LQP to CGK the night before (safely) got it right. The travesty is everything that happened in the following 12 hours...

I mean, there still isn't a real procedure for such a scenario. It just has to be approached case by case.

And I agree, I don't think social pressure or political influence should be a reason to ignore safety, however this case is the opposite and one could argue that the FAA was protecting Boeing's interests for too long and should have grounded the aircraft days earlier when the rest of the world did.

FYI, The Atlantic has some of the most responsible reporting I've seen on the 737MAX issues. A very recent piece is below, but the work in this instance (a few other articles by several writers, too) is sober, thoughtful journalism and deserves a plug, IMO.

https://www.theatlantic.com/notes/20...pilots/584941/

Outstanding article. I especially like the final words from the 2nd pilot "This is incredibly disturbing, as it strongly suggests a primary interest in body count and sensationalism, as opposed to genuine public interest."

Wouldn't the training requirement to be:

1) Train pilots on the MCAS system -- how to detect that it is malfunctioning and what steps to take to disable it, and quickly enough to prevent not just crashing but violating altitude restrictions, causing passenger injuries/discomfort, etc

2) Train pilots how to *safely* fly the plane with MCAS disabled. Do all of the airlines involved have access to the right simulators to do this, how much time is needed to become aware/proficient in the differences between the raw aerodynamics of the MAX and previous 737s to avoid stalls in all weather conditions, altitudes, airspaces etc?

I'm not saying that's not the right answer, but I think it's more than just turning off MCAS and flying what is now might be a different plane than you're certified to fly.

My car has an anti-aquaplaning system. The idea is if the car senses it is aquaplaning it will activate the wheels in a certain order in order to prevent lost of control.

One day, I am driving in a snowstorm. Suddenly, with people left and right on the freeway, the system activates... and suddenly it starts acting like I will lose control.

This may be something similar. Usually, the system helps. But then under certain conditions, it starts working against you.

I learned from my mistake on time. I keep the system on unless it is snowing heavily. Never had a problem.

What is happening here may be something similar. There is a lot of talk about NA airlines providing training for the MAX to their pilots. Maybe they are OK because they know exactly when and how to override that MCAS. Still, if it requires a "training patch", one may still wonder if the system is well designed. Usability bug? Design flaw?

Above engineering, there is also institutions and people. Was enough done after Lion Air? Could that other tragedy have been avoided?

I'm not a pilot but know one who flies 737s for UA very well. He continues to claim that MCAS was "new" on the MAX series and Boeing did not provide adequate flight crew documentation/training on MCAS when it came out. They did provide it after and, supposedly, in response to the Lion Air crash.