
The Boeing 737 Max crashes through the eyes of a software developer

I present a translation of Greg Travis's article “How the Boeing 737 Max Disaster Looks to a Software Developer”. It is about how Boeing's desire to save money and cut corners for commercial gain, together with a culture of incompetence and unethical behaviour in the developer community, led to the deaths of 346 people. I do not fully share the author's position (in particular, I believe that the human factor is a much greater evil than software), but it is hard to disagree with his main arguments.

What follows is long. If you are too lazy to read it all but want to get acquainted with the topic, there is an earlier, shorter version of this article on Habr in a translation by Vyacheslav Golovanov; you can read it here.

The views expressed in this article are exclusively those of the author and do not represent the position of IEEE Spectrum or the IEEE (translator's note: nor of the translator :) ).
I have been a pilot for 30 years and a software developer for 40. I have written a lot about aviation and about software development. It is time to write about both at once.

Now the news is full of headlines about the crashes of the new Boeing 737 Max model, two of which happened one after the other with brand-new aircraft. For an industry whose very existence rests on customers' sense of complete control and safety, these two crashes represent a serious existential threat. And although the number of deaths in air crashes has fallen over the past decades, that achievement is no reason for complacency.
WestJet Boeing 737 MAX 8, acefitt , Creative Commons Attribution 2.0 Generic

The first model Boeing 737 first appeared in 1967, when I was 3 years old. It was a small aircraft with small engines and relatively simple control systems.

Airlines (especially the American Southwest) fell in love with it for its simplicity, reliability and flexibility. In addition, flying it required only two crew members in the cockpit instead of the three or four usual at the time, which let the airlines make significant savings. As the air transport market developed and new technologies arrived, the 737 grew rapidly in size, and the complexity of its electronics and mechanics grew with it. Of course, it was not only the 737 that grew. Airliners require gigantic investments both from the aviation industry and from the airlines that buy them, so both have also been consolidating constantly.

Most of these market and technological forces, however, acted in the economic interests of the companies, not in the interests of passenger safety. Engineers worked tirelessly to reduce what the industry calls the “cost per passenger-kilometer”, that is, the cost of moving one passenger from point A to point B.

A great deal of this optimization story has to do with engines. Carnot's theorem on the efficiency of heat engines says that the hotter you run an engine, the more efficient it becomes. This principle holds equally for a chainsaw engine and for a jet engine.

Elementary. The easiest and fastest way to make an engine more efficient in terms of fuel burned per unit of power is to make it bigger. That is why the Lycoming O-360 engine in my small Cessna has pistons the size of dinner plates. That is why ship diesels are built the size of a three-storey house. And for exactly the same reason, Boeing wanted to install the huge CFM International LEAP engines on the new 737 model.

There is just one small problem: the original 737 was fitted with engines that are very small by today's standards, which made it easy to hang them under the wings. But as the 737 grew in size, its engines grew too, and the clearance between them and the ground became smaller and smaller.

Many tricks (or “hacks”, as software developers would call them) were invented to get around this problem. The most visible one to the public, for example, is the change in the shape of the air intakes from round to oval in order to gain more space under the engine.

In the case of the 737 Max the situation became critical. The fan diameter of the engines installed on the original 737 was 100 cm (40 inches); on the new engines for the 737 Max the diameter grew to 176 cm. With a difference in the center line of more than 30 cm, you can no longer make the air intake oval enough to keep the engine from scraping the ground.

So it was decided to raise the engine and move it forward and upward relative to the wing. This in turn shifted the engine's thrust line. Now, when engine power is increased, the aircraft tends to pitch up, that is, to raise its nose.

For reference: an aircraft's angle of attack is the angle between the direction of the oncoming airflow and the plane of the wing. Imagine putting your hand out of the open window of a car moving along a highway. If you hold your palm almost parallel to the ground, that is a small angle of attack; as you rotate your palm relative to the ground, you increase the angle of attack. When the angle of attack becomes too large (supercritical), the airflow separates and an aerodynamic stall occurs. You can verify this yourself by putting your hand out of the window of a moving car: as you slowly rotate your palm you will feel an ever-increasing lift pushing your hand up, until the hand suddenly drops. That is flow separation followed by a stall.

So it turns out that the tendency to pitch up with increasing engine power means, in practice, a risk of the aircraft progressing into a stall if the pilots “hit the gas” (as my son likes to say). Such a development becomes especially likely at low airspeed.

Worse, because the engine nacelles are pushed so far forward and are so large, they themselves create lift, especially at high angles of attack. That is, the nacelles made an already bad situation worse.

I emphasize that on the 737 Max the engine nacelles themselves act like wings at high angles of attack and generate lift. Moreover, the point where this force acts is far forward of the point where the wing's lift acts, which in turn means that as the 737 Max's angle of attack increases, it tends to increase the angle of attack further. And that is the worst kind of incompetence in aerodynamics.

In itself, a change in pitch when engine power changes is a fairly common phenomenon in flying. Even my little Cessna raises her nose a little when power is added. Pilots are taught about such difficulties during training and learn to overcome them. There are, however, safe limits set by the regulators, and limits that the pilots themselves are willing to put up with.

It is quite another matter when pitch changes with increasing angle of attack. An aircraft that is already approaching the stall should under no circumstances have a tendency to take that effect further. This property is called “dynamic instability”, and the only class of aircraft in which it is tolerated, fighters, is equipped with ejection seats for the pilots.

Everyone in the aviation community dreams of an aircraft that is as natural and simple to fly as possible. For example, when engine power is changed, flaps are lowered or the landing gear is extended, the flight conditions should not change significantly, no roll should appear and the pitch should not change; the behavior should remain predictable.

The airframe itself (the “hardware”) should work as predictably as possible from the start, without requiring extra “bells and whistles”. This aviation canon was laid down during the Wright brothers' first flights at Kitty Hawk.

Obviously, the new Boeing 737 Max model pitches up too much when thrust is increased, especially at already high angles of attack. It violated the oldest law of aviation and, possibly, the certification criteria of the FAA (Federal Aviation Administration) in the USA. But instead of going back to the drawing board and fixing the airframe, Boeing decided to rely on something called the “Maneuvering Characteristics Augmentation System”, MCAS.

Boeing solved a hardware problem with software.

I will leave the discussion of how corporate language has crept into aviation's lexicon for another article (translator's note: apparently the author means that the name “Maneuvering Characteristics Augmentation System” says nothing at all about what the system does, which is unusual for aviation terms), but let us note that this system could have been called differently, for example “A Cheap Way To Prevent A Stall When The Pilots Punch It” (CWTPASWTPPI). However, it is probably worth sticking with MCAS.

Certainly, MCAS is a much cheaper alternative to a deep redesign of the airframe to accommodate the new, larger engines. Such a redesign might have required, for example, lengthening the nose landing gear (which might then no longer fit in the fuselage when retracted), bending the wings upward, or other similar changes. It would have been monstrously expensive.

All of the development and production of the 737 Max took place under the banner of the myth “this is still the same good old 737”. Had Boeing admitted that this is not the old model, recertification would have taken years and cost millions of dollars.

“In fact, pilots licensed to fly the Boeing 737 in 1967 can fly all subsequent versions of the 737.”
From a review of an earlier version of this article by a 737 pilot at one of the largest airlines.


Worse, such major changes could have required not just recertification by the FAA, but the development of an entirely new airframe by Boeing. Now we are talking about really big money, both for the aircraft manufacturers and for the airlines.

And all because the main selling point of Boeing's 737 Max was that it is still the same 737, and any pilot who has flown previous models can fly the Max too, without expensive retraining, a new certificate and a new type rating. Airlines, and Southwest is a prime example, usually prefer a fleet of a single “standard” aircraft type. They prefer one model that any of their pilots can fly, because then both pilots and aircraft become interchangeable, maximizing flexibility and minimizing costs.

One way or another it all comes down to money, and MCAS became another opportunity for Boeing and its customers to keep the money flowing in the right direction. The need to insist that the 737 Max's flight characteristics do not differ from those of previous 737 models was the key to keeping the 737 Max fleet interchangeable. That was probably the reason the very existence of MCAS was kept out of the documentation.

If this change had become too noticeable, for example if it had appeared in the aircraft manual or been given special attention during pilot training, then someone, probably one of the pilots, would have stood up and said: “Hey, this is not like the 737.” And the money would have flowed in the wrong direction.

As I have already explained, you can conduct an experiment with the angle of attack yourself simply by putting your hand out of the window of a moving car and rotating your palm. Well, a machine as complex as an aircraft also has a mechanical equivalent of the hand stuck out of the window: the angle of attack sensor.

You may notice it when boarding an aircraft. As a rule there are two of them, one on each side of the aircraft, usually right under the cockpit windows. Do not confuse them with pitot tubes (more about them below). The angle of attack sensor looks like a weather vane, and the pitot tube looks like... hmm, a tube. The angle of attack sensor looks like a weather vane precisely because it is a weather vane. Its mechanical vane moves in response to changes in the angle of attack.

Pitot tubes measure the force with which the airflow “pushes” against the aircraft, while the angle of attack sensor determines the direction that flow comes from. Since pitot tubes actually measure pressure, they are used to determine the aircraft's speed relative to the air. The angle of attack sensor determines the direction of the aircraft's motion relative to the flow.

There are two sets of angle of attack sensors and two sets of pitot tubes, one on each side of the fuselage. Typically, the instruments on the captain's side take their readings from the sensors on the same side of the aircraft; likewise, the first officer's instruments show values from the sensors on his side. This approach creates natural redundancy in the equipment and lets either pilot run a quick and easy cross-check. If the first officer thinks his airspeed indicator looks odd, he can compare it with the same instrument on the captain's side. If the readings diverge, the pilots work out which instrument is telling the truth and which is lying.

A long time ago there was a joke that when in the future aircraft could fly by themselves, a pilot and a dog would still have to sit in the cockpit. The pilot is needed so that the passengers are calmer with the realization that there is someone ahead. The dog must bite the pilot if he tries to touch anything.

In the 737, Boeing not only duplicated the instruments and sensors but also the flight computer, installing one computer on the captain's side and one on the first officer's side. The flight computer does a lot of useful things, but its main tasks are to fly the aircraft on autopilot when told to, and to check that the pilot makes no mistakes in manual flight. The latter is called “flight envelope protection”.

But let's call things by their names - this is the very “biting dog” from the joke.

What does MCAS do? This system is supposed to lower the aircraft's nose if it believes the aircraft is outside the permissible angles of attack, in order to avoid an aerodynamic stall. Boeing installed MCAS on the 737 Max because the larger engines and their new placement made a stall more likely than on previous generations of the model.

The moment MCAS notices that the angle of attack has become too large, it commands the aircraft's trim system (the system that pitches the aircraft up or down) to push the nose down. It also does one more thing: indirectly, using what Boeing calls the Elevator Feel Computer (EFC), it pushes the pilots' control columns (the yokes the pilots push or pull to lower or raise the nose) toward nose-down.

On the 737 Max, as on most other modern airliners and even cars, the computer observes all processes or even controls them directly. In many cases there is no longer a direct mechanical link (that is, cables, hydraulic lines and tubes) between the pilot's controls and the actual control surfaces, the tail, the fin and the other devices that make the aircraft fly. And where such a mechanical link does exist, the computer decides for itself what the pilot is allowed to do with it (that biting dog again).

However, it is important that the pilots get physical feedback about everything that happens. In the good old days, when cables connected the pilots' controls to the tail, they had to pull the yoke hard if the aircraft was diving, and push it hard if it was climbing. Under the supervision of a computer, these natural control sensations disappeared. On the 737 Max there is no longer a “natural feel”.

Yes, the 737 has backup hydraulic systems connecting the controls the pilot interacts with directly to the ailerons and other parts of the aircraft. But these hydraulic systems are so powerful that they do not pass on direct feedback from the aerodynamic forces acting on the ailerons. Pilots feel only what the computer lets them feel. And sometimes that feeling is not so pleasant.

When the flight computer pitches the aircraft down because MCAS has decided it is about to stall, a chain of small motors and trim mechanisms pushes the yokes in the cockpit forward. And it turned out that the computer can apply so much force to the yokes that pilots trying to pull them back, to show the computer that it is doing something completely wrong, quickly become exhausted.

In fact, the system not letting the pilot take control of the aircraft by pulling back on the yoke was a conscious decision by the 737 Max designers. Because if the pilots can pull the control column back and point the nose up again when MCAS says it should be pointed down, then what is the point of such a system?

Although MCAS is built into the flight computer, it intervenes even when the autopilot is off and the pilots are sure they are flying the aircraft themselves. In the struggle between the pilots and the flight computer over who is in charge, the latter exhausted the humans to death (literally).

Finally, the very existence of MCAS had to be hidden so that nobody would say “Hey, this is no longer the good old 737” and the relevant bank accounts would not suffer.

A flight computer is just a computer. That means there are no aluminum parts, cables, fuel lines or other attributes of aviation inside it. It is filled with lines of code. And this is where everything becomes dangerous.

These lines of code are, of course, written by people under the direction of bosses. Neither the programmers nor their bosses are as familiar with the particular culture and customs of the aviation world as the people working in the factories, riveting wings, designing control brackets and installing landing gear in the fuselage. Those people share an “industry” memory of what has worked in aviation in the past and what has gone wrong. Software developers do not.

On the 737 Max only one of the flight computers is active at any one time, either the captain's or the first officer's. The active computer receives data only from the sensors on its own side of the aircraft.

If a person flying the aircraft notices that the computer's data diverges, he scans the panel, weighs the readings of the other instruments, and works out what is wrong. On the system installed in the Boeing, the flight computer does not “scan the other instruments”. It trusts only the instruments on its own side. It does not do what the pilot does. It is ultra-modern. It is software.

This means that even if a particular angle of attack sensor fails, as always happens with instruments exposed to transitions from one extreme environment to another, constant vibration and shaking, the flight computer will simply believe it.

Worse. There are several other instruments that can determine the angle of attack directly or indirectly, for example the pitot tube, the artificial horizon and so on. A pilot would check all these instruments to quickly diagnose a faulty angle of attack sensor.

In an extreme case the pilot can always look out of the window and see for himself that no, the nose of the aircraft is not dangerously high. This is the final check, and it must remain the exclusive and absolute privilege of the pilot. Unfortunately, the current version of MCAS deprives him of that right. It takes away the pilots' ability to respond to what they see with their own eyes.

Like a person with narcissistic personality disorder, MCAS overrides the pilots' decisions. And in the end that turned out badly for everyone.

- HAL, raise the nose.
“Sorry, Dave, I'm afraid I can't do that for you.”


The MCAS-driven flight computer remains blind to any evidence that it is wrong, including what the pilot sees with his own eyes, and when he desperately tries to level the aircraft and pulls the robotic yoke back, the computer “bites” the pilot and his passengers to death.

In the old days, an army of aviation engineers worked at the FAA. They worked shoulder to shoulder with aircraft manufacturers to ensure that the aircraft was safe and ready for certification.

As aircraft became ever more complex, the gap between what the FAA and the aircraft manufacturers could pay their employees kept growing. More and more engineers moved from the public sector to the private sector. Soon the FAA no longer had the ability to work out how safe a particular aircraft model was, or whether it could be made safe.

Then the FAA proposed to the aircraft designers: “What if your people tell us themselves how safe the design is?” The manufacturers replied: “Sounds good.” And the FAA: “And say hi to Joe, we miss him.”

Thus the concept of the “Designated Engineering Representative” (DER) was born. These representatives are employees of the aircraft manufacturers, engine manufacturers and software developers who certify to the FAA that everything is safe and sound.

It looks like a blatant conflict of interest, but that is not entirely true, since nobody has an interest in aircraft falling out of the sky. The airline industry relies heavily on public confidence, and every crash poses an existential threat to the industry. No manufacturer hires a DER just to sign whatever papers are put in front of him. On the other hand, after a long day at work, someone might take the guys from the software department at their word that “yes, everything is fine there.”

Amazingly, it seems that none of the developers of the MCAS software for the 737 Max raised the question of using not one but several data sources, including the angle of attack sensor on the other side, to detect a developing stall. As a lifelong member of the software developers' fraternity, I cannot understand what explosive mixture of incompetence, arrogance and ignorance of aviation culture could have led to such a mistake.

From the translator: in the comments to the article, one of the users pointed out that MCAS, among other things, did not merely reduce the angle of attack by 0.8 degrees once it first detected a developing stall, as expected, but did so in a loop, all the way to the stop, with every new measurement.


But I know for certain that this is a sign of a much deeper problem in the industry. The people who wrote the code for the original MCAS system were obviously infinitely far from the level of professional maturity required of them, and did not even know it. How can they now be trusted to fix this software, and how can one trust the reliability and safety of the rest of the flight control software at all?

So, Boeing created an aerodynamically unstable airframe, the 737 Max. The first big mistake. Boeing then tried to mask the resulting dynamic instability of the new 737 with software. The second mistake. Finally, the software was based on readings from a system known for its tendency to fail (the angle of attack sensors), and did not even have primitive procedures for cross-checking, not only against other kinds of instruments, but even against the readings of the second set of sensors. Big mistake number three.

Not one of these problems would have passed a quality review. Any one of them would have been enough to fail to get an “OK”, not only from a DER, but from the most junior engineer.

This is not just a big problem. This is a political, social, economic and technical sin.

It so happened that, between the first and second 737 Max crashes, I was installing a new digital autopilot in my own aircraft. It is a 1979 Cessna 172, the most-produced aircraft in history. It received its type certificate almost a decade before the first Boeing 737 (1955 vs. 1967).

My new autopilot consists of several ultra-modern components, including a redundant flight computer (two Garmin G5s) and an intricate communication bus (CAN, Controller Area Network) that lets the different components of the system talk to each other regardless of where they sit in the airframe. The CAN bus was developed in the automotive industry for drive-by-wire technology (electronic digital vehicle control), but in purpose and implementation it is similar to the ARINC buses that connect the components in the 737 Max.

My autopilot also includes electric trim. Consequently, it can make the same kinds of corrections to my 172's flight configuration as the flight computers with MCAS make on the 737 Max. I remember that after the first 737 Max crash, while the autopilot was being installed, I remarked to a friend that I was probably adding a potential source of danger similar to the one that killed the Lion Air flight.

Finally, my new autopilot also has a “protective envelope” (the same flight envelope protection), where the “envelope” is the chart of the aircraft's maximum operating limits. Even while the autopilot is not flying my Cessna, the system continues to monitor the state of the aircraft to make sure I do not put it into a spin, overspeed the landing gear, or do a lot of other things. Yes, it too has a “biting dog” mode.

As you can see, the similarities between my $20,000 autopilot and the multi-million-dollar autopilot in every 737 are direct, tangible and relevant. What are the differences?

To begin with, installing the new autopilot required obtaining a new certificate (“Supplemental Type Certificate”, STC). That is, both the autopilot manufacturer and the FAA agree that my 1979 Cessna 172 with the built-in Garmin autopilot differs so significantly from the aircraft that once rolled off the assembly line that it is no longer the same Cessna 172. It is a completely different aircraft.

Apart from the fact that my aircraft now has a new (supplemental) type certificate (and went through a new certification process), we had to obtain, revise and supplement a pile of documentation on it, including the aircraft flight manual. As you might guess, most of these additions concern the autopilot.

It should be noted in particular that this documentation, which anyone who is going to fly this aircraft must become familiar with, explains in detail how the autopilot works and how it controls the trim, and also describes the flight envelope protection features.

It explains in detail how to recognize that the system is malfunctioning and how to turn it off quickly. What to pull to shut the autopilot system down is repeated again and again on almost every page of the new documentation. Any pilot who wants to fly my 172 immediately understands that it is different from any other 172.

This is the huge difference between what pilots are told when they are going to sit at the controls of my Cessna for the first time, and what those who sat in the 737 Max were told.



Another difference between my autopilot and the MCAS system on the 737 Max is that the devices connected via the CAN bus constantly talk to each other and cross-check, which MCAS does not seem to do. For example, the autopilot constantly polls both G5 flight computers to determine position. If the data diverge, the system notifies the pilot and disengages, handing over to manual control. It does not fly the aircraft into the ground if it suddenly starts to think the aircraft is about to fall out of the sky.

And probably the biggest difference is the force the pilot has to apply to overpower the autopilot's commands on my aircraft and on the 737 Max. My 172 still has cables connecting the controls directly to the aerodynamic surfaces. The computer has to push the same levers as I do, and it is much weaker than me. If the computer wrongly decides that the aircraft is starting to fall, I can easily overcome its resistance.

In my Cessna the human still always wins the fight with the autopilot. Boeing has always professed exactly the same philosophy in designing its aircraft, and even used it against its arch-rival Airbus, which did precisely the opposite. With the release of the 737 Max, however, Boeing, apparently without telling anyone, decided to change the strategy of the human-machine relationship, and just as quietly changed the manual.

This whole 737 Max saga should teach us not only that complexity brings additional risk and that technology has its limits, but also what our real priorities should be. Today the main thing is money, not safety. People think about safety only as far as it is needed to keep the money flowing in the right direction. The problem grows more acute every day as devices depend ever more on what is far too easy to change: software.

Defects in hardware, whether badly placed engines or O-rings that crumble in the cold, are certainly hard to fix. By “hard” I mean “expensive”. Software defects, on the other hand, can be fixed quickly and cheaply. All that is required is to push out an update and release a patch. Moreover, we have made sure that customers now regard all this as normal, both the updates to the operating system on their computer and the patches that install themselves on my Tesla while I sleep.

In the 1990s, I once wrote an article comparing the relative complexity of Intel Pentium processors, expressed in the number of transistors on a chip, with the complexity of the Microsoft Windows operating system, expressed in source code lines. It turned out that they were relatively equally complex.

At about the same time it turned out that early Pentium processors were subject to a bug called the FDIV error. Only a small number of Pentium users could have run into any problems because of it. Similar defects were found in Windows, and they too affected only a small fraction of the OS's users.

However, the consequences for Intel and Microsoft were radically different. Small software patches were issued for Windows on a regular basis, but Intel had to recall all the defective processors in 1994. It cost the company $475 million, more than 800 million in today's prices.

In my opinion, the relative ease and lack of significant material cost of software upgrades has led to a culture of laziness in the developer community. Moreover, because software increasingly controls “hardware”, this culture of laziness is starting to penetrate hardware development, for example aircraft construction. Less and less often do we pay due attention to developing a correct and simple hardware design, because a defect is so easy to fix with software.

Every time a new update is released for my Tesla, the Garmin flight computer in my Cessna, the Nest thermostat or the TV in my home, I understand once again that none of these things left the factory really finished. Because their creators have realized that this is not at all necessary. The work can be finished some time later, with the next update.
Currently, Boeing is installing a new update for the onboard computer and the MCAS 737 Max. I don’t know for sure, but I suppose that this update will mainly be focused on two things:

First, teach the software to cross-check instruments the way pilots do. That is, if one angle-of-attack sensor starts reporting that the plane is about to stall and the other sensor does not, then there is hope that the system will no longer immediately push the plane toward the ground, but will first notify the pilots of the disagreement between the sensor readings.

Second, abandon the "shoot first, ask questions later" strategy, that is, start consulting several independent sources instead of a single one.
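To make the two points above concrete, here is an added illustrative model of the difference between acting on a single sensor and cross-checking two independent ones. It is example code written for this translation, not Boeing's or MCAS's actual logic; the trigger threshold, the disagreement tolerance, the `Decision` type and the sensor samples are all constructed assumptions.

```python
# Added illustrative model, not Boeing's or MCAS's actual logic.
# Thresholds and sensor samples below are constructed assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

AOA_TRIGGER_DEG = 15.0    # assumed: reading above which the automation would intervene
AOA_DISAGREE_DEG = 5.5    # assumed: largest tolerated spread between the two vanes


@dataclass(frozen=True)
class Decision:
    activate: bool            # would the automation command a nose-down input?
    alert: Optional[str]      # message for the crew, if any


def single_source(aoa_primary: float) -> Decision:
    """'Shoot first, ask questions later': trust one sensor and never sanity-check it."""
    return Decision(activate=aoa_primary > AOA_TRIGGER_DEG, alert=None)


def cross_checked(aoa_left: float, aoa_right: float) -> Decision:
    """Cross-check two independent readings the way a pilot cross-checks instruments.

    If they disagree beyond the tolerance, the automation stands down and tells the
    crew; it only acts when both sensors independently confirm the condition.
    """
    if abs(aoa_left - aoa_right) > AOA_DISAGREE_DEG:
        return Decision(activate=False, alert="AOA DISAGREE")
    both_high = aoa_left > AOA_TRIGGER_DEG and aoa_right > AOA_TRIGGER_DEG
    return Decision(activate=both_high, alert=None)


def replay(samples: List[Tuple[float, float]]) -> dict:
    """Run both policies over a stream of (left, right) samples and count outcomes."""
    counts = {"single_activations": 0, "crosscheck_activations": 0, "disagree_alerts": 0}
    for left, right in samples:
        if single_source(left).activate:
            counts["single_activations"] += 1
        decision = cross_checked(left, right)
        if decision.activate:
            counts["crosscheck_activations"] += 1
        if decision.alert == "AOA DISAGREE":
            counts["disagree_alerts"] += 1
    return counts


# Constructed samples: a few normal readings, then the left vane fails and reports
# a far too high angle while the right vane keeps reporting a normal one.
SAMPLES = [
    (2.0, 2.3), (2.5, 2.1), (3.0, 3.4),
    (70.0, 2.2), (70.0, 2.4), (70.0, 2.1), (70.0, 2.3),
]

if __name__ == "__main__":
    print(replay(SAMPLES))
```

With the constructed failure above, the single-source policy would have intervened on every one of the four bad samples, while the cross-checked policy intervenes zero times and raises a disagreement alert instead, leaving the decision with the crew. The design choice worth noting is that on disagreement the automation does nothing: an automatic safety function whose input cannot be trusted should fail passive, not act on whichever sensor happens to be the loudest.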

For the life of me, I don't understand how these two basic principles of the aviation industry, foundations of thinking that have served the industry well until now, could have been forgotten during the development of MCAS. I do not know and do not understand what process in the DER's work is so broken that it allowed such a fundamental defect into the design.

I suspect that the reason lies in roughly the same place as Boeing's desire to install larger engines while avoiding the associated large costs: the desire for free cheese, which, as everyone knows, is found only in a mousetrap.

The importance of designing the simplest possible systems is well shown by Charles Perrow, a sociologist at Yale University and author of the book "Normal Accidents: Living With High-Risk Technologies" (1984). The whole essence of the book is already in its title. Perrow argues that system failure is the normal outcome of any complex system with tightly coupled components, where the behavior of one component directly affects the behavior of another. Even though, taken separately, such failures may appear to be caused by faulty equipment or a broken process, they should in fact be regarded as inherent features of the system itself. These are "expected" accidents.

Nowhere is this problem felt as acutely as in systems designed to increase safety. Each new change, each added complication, becomes less and less effective and ultimately produces outright negative results. Layering one patch on top of another in an attempt to increase safety ends up reducing it.

This is exactly what the old engineering design principle "the simpler the better" ("Keep it simple, stupid", KISS) and its aviation variant, "Simplify, then add lightness", tell us.

One of the main principles of FAA aircraft certification in the Eisenhower era was a simple rule: an airplane must not show significant changes in pitch when engine power changes. This requirement was written at a time when there was a direct mechanical connection between the pilot's controls in the cockpit and the aircraft's tail surfaces. When it was written, the requirement rightly imposed simplicity on the design of the airframe itself. Now a layer of software has appeared between the human and the machine, and no one really knows what is actually happening in there. Things have become too complicated to understand.

I can't help noticing the parallels between the 737 Max catastrophes and the space shuttle Challenger. The Challenger accident happened because people followed the rules, not the other way around; it is another illustration of a "normal" disaster. The rules said that a conference had to be held before launching the shuttle to confirm full readiness for flight. Nothing said that, in making the decision, one should not give too much weight to the possible political consequences of postponing the launch. All the inputs were carefully weighed according to the established process, the majority agreed to launch, and seven people died.

In the case of the 737 Max, everything was also done by the rules. The rules say that the pitch of the aircraft must not change too much when engine power changes, and that the designated engineering representative (DER) has the authority to sign off on any change intended to solve this problem. There is nothing in the rules saying that the DER must not be guided by business considerations when making that decision. And now 346 people are dead.

It is very likely that MCAS, a system designed to improve flight safety, has killed more people than it could ever have saved. There is no point trying to fix it with further complexity and more software. It simply needs to be removed.

About the author


Greg Travis is a writer, software engineer, pilot and airplane owner. In 1977, at the age of 13, he created Note, one of the first social media platforms. He has logged more than 2000 flight hours and has flown everything from gliders to a Boeing 757 (in a full-motion simulator).

Source: https://habr.com/ru/post/449564/