The MAX’s safety record when it was grounded, after two years in service, roughly amounted to two catastrophic accidents for every one million flights, according to estimates by industry officials relying on unofficial data. By contrast, the model of 737 that came before the MAX has suffered one fatal crash for every 10 million flights, according to data from Boeing.
Put another way, the 737 Max has a statistic of 1 catastrophe per 500k flights, whilst the 737 was 1 per 10 million, basically 20 times as much.
This is criminal behaviour, and people need to go to jail. The MAX should never be allowed to fly again.
On the other hand, generalizing from two incidents to a rate isn't great statistics. The list of accidents and incidents with the previous generation [1] shows some 9 fatal problems spread over more than a decade, which is closer to a rate. But saying that the 737 Max is known to be 20 times worse when the real value might be anywhere between 2 and 200 if it had been allowed to continue flying is a little imprecise.
Put people in jail for negligence, sure. But we should be criminalizing based on that negligence and not on its results.
They would have looked at the failure rate of the AoA sensor and the failure rate of the recovery procedure and the fact that there had been one fatal crash. That gave them a reasonable estimate of the risk. Based on that analysis they should have grounded the plane, but Boeing apparently convinced them that with pilot awareness of the problem that the recovery procedure would be more effective. Unfortunately that was overly optimistic.
No, it was fraudulent. Boeing didn't make even the slightest attempt to identify all the potential failure modes, and it's still unclear if the plane is even safe to fly with MCAS disabled.
The plane cannot be certified without MCAS or some other stability augmentation. This is not unusual in itself, almost every jet aircraft has some kind of instability. The problem was that MCAS is not reliable and doesn’t fail safe. The fix they’re testing actually makes it less reliable, but when it fails it will disable itself instead of making a smoking hole in the ground.
Agree overall, one thing to note is that 737 Max already capitalizes on all errors corrected from 737.
Max is 20 worse with all off the old system being already excluded from possibilities of malfunction (as long they are not affected by mcas or other new additions).
> Put people in jail for negligence
The higher ups new this was a tragedy waiting to happened they just hope its going to be their successors that will have to pay. Negligence is definitely too light or a term for this. This is knowingly putting people lives in jeopardy in the name of extra % in profits.
The fault doesn't lie with the engineers who built the system...not to mention I would be very surprised if they were professionally certified.
It lies with the managers who wrote the specification that
said that for business reasons the new plane must not require any additional training or type certifications, and cut costs by implementing the required systems with a non-redundant sensor.
In other words, if all new plane models were as safe as the 737 (1 catastrophe per 10 million flights), about 5% of those new plane models would have at least one catastrophe within the first 500k flights.
I could see justification for clawback on any stock awarded or exercised for the executives responsible for 737 Max problems, but I don’t see any evidence that the 737 Max is unredeemable.
There likely appears to be only 1 way the Max can be redeemed, and that is for Boeing to accept it's a different enough plane that 737 pilots need new training for it.
As a consumer there is no way I will never book a flight on a 737 Max (even if those planes are allowed to fly again), and if I have the choice between flying a Boeing and an Airbus, I will buy the flight on an Airbus. Boeing clearly needs to get back the flyers trust.
Yes, this is negligent behavior, yes, Boeing and the FAA should have their come-to-Jesus moment. But the odds of a crash on a MAX for you are one in five hundred thousand. Put another way you have a 0.0002% chance of being involved in a crash.
You have an 0.01% chance of dying each year being involved in a car accident in the United States. That's 50X higher risk. [1] On a per-trip basis it's pretty much the same.
Normally, of course, driving is much more dangerous than flying. On a MAX8 it's ball-park (based on an incredibly limited sample size).
Right but plane is not the only thing that matters. For instance Allegiant has no 737s (only Airbus equipment) but one of America’s worst safety records. Take care you’re not cutting off your nose to spite your face. Policy, training, hub locations, safety culture all matter too.
Your approach also fails to take into account the non-uniform distribution of accidents at take off and landing vs at cruise, so if you take a 3 stop itinerary on an Airbus-only airline with a worse safety track record, you may be at more risk than a nonstop on an even unpatched MAX.
Yes, although my question remains: is it worth putting yourself at more risk than flying a MAX just to protest the risk of flying the MAX? I understand these things are irrational, however humans are notoriously bad at managing the incredibly low risk of something very bad happening. There's practically no chance of anything happening to you one way or the other and I think it's easy to forget that.
Each passenger has a 0.0002% chance independently as the risk was measured per flight and not per person. Each person on a flight has an independent chance but the effect is to all passengers.
You can divide that way to yield the risk per passenger, but multiply back out to obtain the per flight amount which is what’s relevant given the group impact.
> This is criminal behaviour, and people need to go to jail.
Yes.
> The MAX should never be allowed to fly again.
No. Even at 20x the failure rate, flying in a Max -- even with an unmodified MCAS -- is still vastly safer than driving on a per-distance-travelled basis. Part of the problem is that commercial aviation has gotten so ridiculously safe that we've lost all perspective on risk assessment. The Max is actually fundamentally a safe plane. What made it unsafe was the totally fucked up attempt to make its flight characteristic the same as the old 737 so it and its pilots would not have to be re-certified. The right answer is to re-certify. That's expensive, but a lot cheaper than scrapping an entire fleet of brand new planes. Grounding the entire fleet forever is throwing out the baby with the bathwater.
Well, given that other models exist that accomplish the same job (albeit perhaps not from Boeing), it's going to be a steep climb to get European authorities to agree to certify it, I expect.
So, the correct comparison would not be to driving, but to flying in other planes with similar range that are already available. I am no expert, but I do not get the impression that it is looking good in this respect.
By "re-certify", do you just mean the pilots? Or do you include the plane itself?
The original problem was that the FAA requirement for how the stick force has to vary with angle of attack could not be met, because of the new engines having to be so far forward: instead of the stick force continuing to increase with higher AoA, it started to decrease at some point because of the pitch up moment due to the engines.
The simplest way to fix that would have been to increase the ground clearance so the engines could be moved back to where they were on previous 737s. That, of course, would have had to be done in the design stage, before planes started being built. I'm not sure if it would be possible to retrofit existing 737 MAX planes to do this.
If the physical airframe stays the same, then there has to be something in the flight controls that compensates for the pitch up moment of the engines at higher AoA in order to meet the stick force requirement. MCAS was an attempt to do that while keeping everything "close enough" to previous 737s. If that constraint is dropped, there might be a way to keep within the FAA stick force requirement without having the same failure modes as the MAX does, but that would still require a new type certification for the plane.
> By "re-certify", do you just mean the pilots? Or do you include the plane itself?
Both.
> the FAA requirement for how the stick force has to vary with angle of attack could not be met
No, that's a myth. There is no such requirement for aircraft in general. Many aircraft do not have this characteristic. But it happened to be true for the old 737, and so it had to be true for the Max in order for it to operate under the old 737's type certificate.
The Max could easily be certified as-is without MCAS as a new aircraft type (assuming no further nasty surprises turn up of course). That will be neither cheap nor easy. If it were, Boeing would have just done that in the first place. But it will be a hell of a lot cheaper than scrapping the fleet.
> that's a myth. There is no such requirement for aircraft in general.
14 CFR Part 25 Subpart B contains a number of requirements for stick force and gradient of stick force. In particular, section 25.255(b) says the stick force vs. g curve must have a positive slope and that the direction of the primary longitudinal control force must not reverse. IIRC that's the one that bit the MAX, but, as below, I'll have to go dig up references to see.
It's true that this is not the same as stick force vs. AoA, but under the conditions for which MCAS was intended, stick force vs. g works out to be basically the same thing.
It's been a while since I looked up references for all this, so I'll have to go back and see if I can dig up where I got the info that because of the pitch up moment of the engine the MAX could not meet one of the stick force gradient requirements without some kind of modification.
Well, I could be wrong. I remember reading in what I considered an authoritative source that MCAS was needed to preserve the type cert, not to comply with the FARs. But I can't find the reference right now.
If it's true that the Max can't be certified at all without MCAS that would be a whole nuther kettle of fish.
The specific issue seems to be the sentence: "No abnormal nose-up pitching may occur." The 737 MAX engines cause abnormal nose-up pitching at high enough AoA, if their pitch up moment is not compensated somehow.
Here is the page that first led me to that section:
I haven't read that there is an abnormal pitch up, which would directly contradict (a).
Nevertheless, I have a very serious problem about any kind of computer compensating for the lack of either static or dynamic stability as required in FAR 25. Those stability requirements are there to ensure an intrinsic aerodynamic behavior of the airplane. The instant your augmentation fails for any reason, including electrical failure, now your airplane is legally not airworthy and your pilots are legally not certified to fly it, because their training is predicated on that augmentation always being available.
That is why I think the central issue is not a violation of airworthiness standards regulations. If that were true, it seems like that would be known already, and there'd be hell to pay. Clear cut and dried.
Whereas it's a more complicated matter when it comes to type certifications. There are many nuances including the little detail that the FAA gets to decide the conditions under which a (new) aircraft type certificate is required (or not), and what kind of mitigations are required (or not). Only if the aircraft gets a new type certificate, is a pilot required to have a type rating and the commensurate training and currency requirements that go with it. I still think that's what all of this (being the problem with the airplane and the on-going delays) is about, and negotiating this with all the other civil air authorities.
I bet Brazil and EU regulators have resisted a sweep it under the carpet approach. And I also bet that somewhat recently the regulators, even at FAA, got to a point where they decided they needed to see the NTSB report. Otherwise, they could plausibly roll out a "fix" that doesn't adequately fix the problem per NTSB. And if that happened, while I could see FAA paper over it these days, I'd expect other civil aircraft authorities say no. And plausibly reground the airplane until it does get a proper fix.
> That is why I think the central issue is not a violation of airworthiness standards regulations. If that were true, it seems like that would be known already, and there'd be hell to pay. Clear cut and dried.
The airworthiness regulations are tested in flight, so if Boeing flight tested a 737 MAX with MCAS active and it passed, there would be no violation. The regulations do not say the airplane has to pass the flight test with no automated compensation systems active.
> it's a more complicated matter when it comes to type certifications
Yes, the judgment of when a new variant is different enough that it requires a new type certification is not cut and dried. That might come into play if the FAA's judgment of whether the 737 MAX with MCAS should have required a new type certification were the question; but it isn't. The question is what it would take to make the 737 MAX without MCAS qualify to fly. At this point I don't think anyone believes that will happen without a new type certification for the 737 MAX; the question is whether even with a new type certification it will be possible to convince the FAA that the plane qualifies to fly.
I don't know if the per-distance-traveled basis is really that meaningful. If air travel didn't exist, people would simply not undertake these trips under the same "cheap" circumstances they do now, and our attitude toward long distance travel would be very different as a result. It's not like, if I want to go to Europe for a week, I'm choosing between flying and driving. I'm flying or I'm not going at all.
> Even at 20x the failure rate, flying in a Max -- even with an unmodified MCAS -- is still vastly safer than driving on a per-distance-travelled basis.
I don't think people are making the comparison of Max vs driving. They are making the comparison of Max vs other air planes.
We finally know fuller details* about the as proposed MCAS fix not-a-fix >
There are four main changes to the B737 MAX flight control system software that have been developed to prevent future accidents like the ones that happened with the Lion Air and Ethiopian Air flights. They include the following:
1. Angle of Attack (AoA) comparison – an addition to MCAS that will now compare readings from both angle of attack sensors on the aircraft. If there is a difference of more than 5.5 degrees the speed trim system will be disabled. Also included in this change is something known as a “midvalue select” which uses data from both sensors together to create a third input that will help to filter out any AOA signal oscillatory failures or spurious sensor failures. This modification will prevent MCAS from commanding nose down trim when a single AoA sensor reports a false AoA as it happened in the two accident flights.
2. MCAS resynchronization – this change will account for manual electric trim inputs made by the pilot while MCAS is activating. It will track whatever input the pilot makes and return the pitch trim to that setting when MCAS retrims back to normal.
3. Stab trim command limit – is an addition that will limit the maximum nose down trim that the
automatic flight control system can command to prevent the pitch trim from reaching an
uncontrollable situation.
4. FCC monitors – software monitors have been added to the flight control computers that will
cross check pitch trim commands against each other. If a difference is detected by these
monitors the automatic trim functions are disabled. This protection helps prevent erroneous
trim commands from a myriad of causes that could occur in the automatic flight control system.
These design changes in the software that controls the automatic pitch trim features including MCAS
should prevent angle of attack sensor failures from causing the pitch trim to operate when it should not.
Further, they should prevent the trim from activating erroneously for other reasons as well.
Unfortunately, we don't know if flying the plane without MCAS is even safe. MCAS was required for a reason, and disabling it at an inopportune time might be disastrous.
MCAS was required to keep a linear relationship between the force applied to the flight stick and the pitch-up control moment.
There is nothing magical about this linear relationship; it is an intuitive configuration for pilots, but many other aircraft do not follow it. The requirement makes sense for single-certification, but we must be clear in understanding what is actually happening with this system.
The system counters the hazard of pilots experienced in 'regular' 737s getting close to stalling without realizing, due to lighter stick inputs not having the intended effect. Any MCAS malfunction would direct their attention to this issue.
Actual anti-stall systems (MCAS is not anti-stall, nevermind some shoddy reporting) would still function if a pilot were to approach this flight envelope. This includes cabin alerts, stick shakers, etc.
The scenario where MCAS cuts out, and it's in the envelope of conditions where it actually functions, and the pilots fail to notice this, and the MCAS inputs were needed to avoid approaching a stall, and the pilots fail to correct and avoid the stall .. it's a contrived hypothetical.
MCAS is not a system that activates on a normal flight. Only in relatively extreme circumstances does it even function, and then it only seeks to make intuitive pilot behavior less likely to approach stall conditions. A good pilot monitoring airspeed, trim angle, AoA, etc. will be able to avoid a stall just as well without the system.
>The scenario where MCAS cuts out, and it's in the envelope of conditions where it actually functions, and the pilots fail to notice this, and the MCAS inputs were needed to avoid approaching a stall, and the pilots fail to correct and avoid the stall .. it's a contrived hypothetical.
On a 737 they are retracted early in the climb, typically between 1000 and 1250 feet. If the slight stick movement the pilot is accustomed to to bring the elevation down 2-3* fails to do so cause MCAS does not engage, there's not a whole lot of distance to recover from a stall then.
> If the slight stick movement the pilot is accustomed to to bring the elevation down 2-3* fails to do so
This is completely unrelated to MCAS, though? Since the goal of MCAS wasn't "bring the nose down" but instead "increase the pressure on the stick required to maintain a certain nose-up attitude", I'd be really flabbergasted if it was supposed to operate in a normal takeoff environment.
MCAS was required because without it the control stick feedback is incorrect in some high-power, high-AOA scenarios - scenarios not within the normal flight envelope. That's all it was for - stick feel. And that's important! But not something that'll knock a plane out of the sky.
Its pretty clear reading the article that the public now has a much higher safety standard than the FAA did internally.
Flying has become so safe that the public no longer considers it risky, but the FAA never updated its targets. So when Boeing wanted to trade safety for market share there was no basis to stop them.
To illustrate the change in attitude it used to be common for airports to sell life insurance for the flight directly at the gate. This continued as late as the 1980s.
I feel your example just illustrates that the public has always thought flying is more dangerous than it actually is. No one would be selling life insurance if flying was as dangerous as the people buying the insurance thought it was.
The FAA set a standard that makes flying way safer than driving, a risk people happily undertake all the time, but people still overestimate the risk of flying and demand more safety improvements.
Yea, but the parent commenter was discussing the _public's_ risk tolerance for flying.
The fact that life insurance was being sold, meant the flying public _thought_ they were taking significant risks (even if they weren't).
Now, such life insurance would be laughable, which means the public _does not_ think it's taking any risks. The general public's risk tolerance for flying has dropped dramatically.
So, based on that, it seems the example perfectly demonstrates the point. The public thinks flying is much less of a risk now than it used to.
Though, presumably the FAA's tolerance for risk has also dropped tremendously over the past several decades, so I feel like the more relevant comparison is the perceived risk to the actual risk.
Although the public thinks the risk it's taking is much smaller, it still vastly overestimates the danger of flying.
I agree completely that the public thinks flying is a lot safer than they used to, which is a change, but I think they also still really overestimate the danger, which is not a change, and which I believe is borne out by the same evidence provided by the parent, people buying life insurance when it was a bad deal and people continuing to demand that the FAA make flying so much safer than activities like driving that they engage in without a second thought.
I'm also not so sure that a lot of people wouldn't still buy life insurance at the gate if it was available.
This was a massive shot in the foot by the FAA. Not only they neglected red flags after the first crash, remember that the idiots were also hesitating after the second one, allowing other regulators to ground the Max before them.
FAA's credibility is in the dumps, along with the Boeing's.
edit: I found more. In particular Pierson's attachment included emails and ends with a listing of 15 emergencies over 13 months and the Summary of Subject Matter includes a quick run-down of various Boeing happening beyond the MCAS.
They'd be a lot more useful with some hint about what's being linked to. A bare link, with an opaque URL, and with no comment, is basically saying "trust me, this points to something relevant, but I won't tell you what". If I disagree with the poster's definition of "relevant", I've wasted my time.
How about telling me what you're linking to, not just giving me a raw, opaque link?
I can't find the report itself but the submitted testimony and hearing is here* In particular Collins' submission has this:
>787 Lithium-Ion Battery Containment:
>Before the AIR Safety Review Process was implemented in mid-2015, there were other examples of FAA management accepting applicant’s positions over the concerns of FAA technical specialists, the FAA’s aerospace safety engineers. For example, during initial certification review of the new technology 787 lithium battery system design the certification of the 787, an FAA technical specialist determined the lack of a fireproof enclosure could result in catastrophic failure due to uncontrolled fire from the battery. He proposed to FAA management that the special conditions design of for the airplane system lithium-ion battery should include a requirement for a steel containment structure that would be vented overboard. FAA management overruled the specialist. The specialist worked to modify a new special condition that was applied to the battery installation so a containment system would be required. Unfortunately, FAA managers pushed to delegate 95 percent of the certification to the applicant, including the high risk, new technology, battery installation. Without FAA safety engineer oversight, the ODA found the design without an enclosure to be compliant. Sadly, after certification, the airplane system lithium-ion battery experienced two extremely dangerous fire events and the FAA mandated the 787 fleet to be grounded. The design changes the FAA mandated to allow the 787 to fly again included a steel battery containment box that was vented overboard; as originally proposed by the FAA aerospace engineer.
I saw the pictures of the 787 lithium-ion battery fire aftermath ... the entire equipment rack was a charred mess. In other words, a raging fire happened in the hold.
The only initial San Jose Terminal 3 ($1.2+ billion) international airline was JAL, and they had to stop flying for about a year. This was a terrible blow to the airport.
The engineer who advocated a battery box was not just correct, but following basic principles - even the Cessna 172 has a metal battery box:
Heck, I even tell IT departments to use a stainless-steel "bathtub" under water-cooled computer systems. Each time I'm called a Cassandra, until it starts leaking, then it's like, "Well of course. Anybody would do it that way."
Put another way, the 737 Max has a statistic of 1 catastrophe per 500k flights, whilst the 737 was 1 per 10 million, basically 20 times as much.
This is criminal behaviour, and people need to go to jail. The MAX should never be allowed to fly again.