I found this to be a fascinating dive into a potentially serious safety concern. I was impressed how simple the mitigations could be based on the recommendations in the report. I find the evidence credible for an attempt to bury the issue, but honestly I don't understand the motivation. At this stage I feel Boeing and the FAA could really stand to gain some good press from being extra proactive about such issues. Especially when the proposed mitigations seem like they would be relatively easy to implement, and should not be expensive for airlines from what I can see. It seems like the source being the engine manufacturer and consequently having the potential of affecting other jets including potentially the Airbus A320 would only improve the incentives for Boeing to get out ahead of this, and demonstrate a safety culture. Does anyone understand the motivations that could lead to the response we have seen from the FAA and Boeing?
Why FAA and EASA didn't require any procedure changes in the interim to prevent the issue is a very good question.
MBCook 31 days ago [-]
Can they force an install? Or will it be a choice?
I like Mentor Pilot and Air Disasters, so I know I’ve heard of a few where the problem that caused an accident was already known and a fix was available but the airline just chose not to do it because they had that option. Or it was scheduled but hadn’t been performed yet because it wasn’t thought to be that critical.
Having the FAA mandate the fix seems like it would be a much better option.
V99 31 days ago [-]
Yes the FAA can issue what are called Airworthiness Directives and require an issue be resolved in the timeframe and manner they specify.
The timeframe could be anything, but common forms are like:
- Within the next X (flight) hours or Y calendar days
- You don't have to, but additional inspection needed every X hours or Y days until you do
- At next annual inspection
- Immediate/before flying again (usually called an Emergency AD)
MBCook 31 days ago [-]
I know the FAA can, I was referring to the manufacturer. If Boeing makes a software patch do they have any way of forcing everyone to install it other than asking the FAA to issue a directive?
AdamJacobMuller 31 days ago [-]
They might be able to, but, if they are effectively saying "our product is broken and you can't use it until you do X" they could be responsible for massive contractual liabilities.
MichaelZuo 31 days ago [-]
Based on what legal reasoning…?
I haven’t heard of any similar successful court cases in recent years in the US.
p_l 31 days ago [-]
Based on aviation law they can notify the certification authority of a mandatory fix, which aircraft operators will then be required to apply. If necessary with 0 deadline, i.e. "if the plane is on the ground it's not flying till the following change is applied"
MichaelZuo 31 days ago [-]
Can you cite which parts of “aviation law” could have a decent chance of leading to the aforementioned outcome?
p_l 31 days ago [-]
General worldwide: Chicago Convention aka ICAO convention (currently under auspices of UN), Annex 8 [2] and Annex 6 [3].
For USA [4], Title 14 of Code of Federal Regulations, Chapter I Subchapter C, Part 39
For EU [5] Article 76 (6) of the Basic Regulation (EU) 2018/1139
I read through the 787 Dreamliner manual for setting up the software for patch distribution to the planes, and there are checks and overrides at every step. The whole thing is physically controlled by the owning airline or maybe the leasing company, but not Boeing.
MBCook 31 days ago [-]
That sounds smart.
I wasn’t thinking a “we’re pushing an update too bad” kind of thing but more a “hey you have to do this to be allowed to fly, your choice” with the weight of law behind it.
jiggawatts 30 days ago [-]
That guide book was genuinely amazing, it was easily the best-written technical document of any kind that I had read.
The security is dialed up to 11 as well. It explicitly calls out the following scenario:
1) The plane is leased.
2) The maintenance is outsourced.
3) The plane is at an airport in an "unfriendly" country.
4) The plane is not allowed to take off until it is patched due to an emergency directive.
That scenario is handled, securely!
There is encryption between the plane and the airport WiFi.
The maintenance crew can also plug in to an Ethernet port near the front landing gear.
There is a VPN back to the patch server managed by the airline.
The VPN host certificate is explicitly whitelisted in the plane.
The plane won't accept a patch unless it has been digitally signed by Boeing, the FAA, the Airline, and potentially the manufacturer and the local equivalent of the FAA!
The pilot has to enter a 4-digit pin code in the plane.
Most of the associated wiring is only physically connected if there is weight on the front landing gear. You can't "hack" a plane in-flight and patch it with malware, the required cabling isn't connected.
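An added sketch of the acceptance logic the comment above describes (not part of the thread, and not Boeing's or any airline's code): a fail-closed gate that checks the ground interlock, the allowlisted VPN host and the crew PIN, then requires a valid signature from every required party. The role names, `GroundState` fields, check order and the use of Lamport one-time signatures (chosen only because they need nothing beyond the Python standard library) are assumptions.

```python
"""Fail-closed patch acceptance gate: physical interlocks plus N-of-N signatures.

Constructed illustration only. Role names, field names and the check order are
assumptions; this is not any aircraft's real loader.
"""
import hashlib
import secrets
from dataclasses import dataclass

# Hypothetical roles that must ALL sign a patch before it is accepted.
REQUIRED_SIGNERS = ("airframer", "regulator", "operator")


def _sha256(data):
    return hashlib.sha256(data).digest()


def _digest_bits(message):
    """256 message-digest bits, most significant bit of each byte first."""
    return [(byte >> (7 - i)) & 1 for byte in _sha256(message) for i in range(8)]


# --- Lamport one-time signatures (hash-based, standard library only) ---------
def lamport_keygen():
    """Return (secret_key, public_key). A key pair must sign ONE message only."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_sha256(a), _sha256(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, message):
    """Reveal one secret preimage per digest bit."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(message))]


def lamport_verify(pk, message, signature):
    """True only if every revealed preimage hashes to the matching public value."""
    if not isinstance(signature, list) or len(signature) != 256:
        return False
    return all(
        _sha256(signature[i]) == pk[i][bit]
        for i, bit in enumerate(_digest_bits(message))
    )


@dataclass
class GroundState:
    weight_on_wheels: bool      # stands in for the landing-gear wiring interlock
    vpn_host_fingerprint: str   # fingerprint of the VPN endpoint actually reached
    crew_pin_ok: bool           # flight-deck PIN, assumed to be checked elsewhere


def accept_patch(patch, signatures, trust_store, pinned_fingerprint, state):
    """Return (accepted, reason). Every failure path refuses the patch."""
    if not state.weight_on_wheels:
        return False, "refused: no weight on wheels"
    if state.vpn_host_fingerprint != pinned_fingerprint:
        return False, "refused: VPN host not on allowlist"
    if not state.crew_pin_ok:
        return False, "refused: crew PIN not confirmed"
    for role in REQUIRED_SIGNERS:
        public_key = trust_store.get(role)
        signature = signatures.get(role)
        if public_key is None or signature is None:
            return False, "refused: missing signature from " + role
        if not lamport_verify(public_key, patch, signature):
            return False, "refused: invalid signature from " + role
    return True, "accepted"


def run_scenarios():
    """Exercise the gate with constructed keys, patch bytes and fingerprints."""
    keys = {role: lamport_keygen() for role in REQUIRED_SIGNERS}
    trust_store = {role: pk for role, (_, pk) in keys.items()}
    patch = b"CONSTRUCTED-PATCH-IMAGE v2"
    sigs = {role: lamport_sign(sk, patch) for role, (sk, _) in keys.items()}
    pinned = "constructed-fingerprint-01"
    ok_state = GroundState(True, pinned, True)
    partial = {r: s for r, s in sigs.items() if r != "regulator"}
    return {
        "all_good": accept_patch(patch, sigs, trust_store, pinned, ok_state),
        "tampered": accept_patch(patch + b"!", sigs, trust_store, pinned, ok_state),
        "missing_regulator": accept_patch(patch, partial, trust_store, pinned, ok_state),
        "airborne": accept_patch(
            patch, sigs, trust_store, pinned, GroundState(False, pinned, True)),
        "wrong_vpn_host": accept_patch(
            patch, sigs, trust_store, pinned, GroundState(True, "other-host", True)),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_scenarios().items():
        print(f"{name:18} {ok!s:5} {reason}")
```

The point to take from it is that the signatures are conjunctive: one missing or invalid signer refuses the patch, and the verifier holds only public keys.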
TheRealPomax 31 days ago [-]
That is to say, they used to. Whether they still do is rather entirely up in the air (wahey).
p_l 31 days ago [-]
Sometimes the vendor will provide an optional fix in a safety information bulletin, sometimes they will be mandatory (Sometimes the optional ones become mandatory [1]).
They are coordinated with applicable certification bodies (civil aviation authorities) and distributed as airworthiness directives that can, in fact, force a specific action to be taken.
[1] (writing from memory unfortunately) an airflow modification for 737 NG (iirc, could be older 737, pre-MAX definitely) avionics bay was "optional", as in mandatory only for aircraft flying in hot enough regions. After a near miss in Poland when steadily overheating avionics essentially slowly lobotomized a plane after takeoff. Turned out Europe got hot enough for it.
After that incident, Boeing issued a change in safety information bulletin that the modification was now mandatory.
dz0ny 33 days ago [-]
This is an issue that may also affect Airbus aircraft, but so far, it has only caused problems on two Boeing planes. Like MCAS, it was not disclosed to pilots, prompting the FAA to recommend design changes and notify flight crews.
Unfortunately, it seems that the internal FAA recommendations were not allowed to make their way into any kind of airworthiness directive.
The recommendations include very basic procedure changes that mitigate the near term risks without any significant impact to operation, as well as recommendations for what probably amounts to a software change and upgrades to some of the pilot oxygen masks to effect a permanent fix.
The only reason that we even know about the internal recommendations is that they were leaked to the press.
Boeing released a pilot bulletin that basically says to go through the checklist quickly and to treat smoke in the cabin as a major failure, but stops short of recommending some very, very simple steps in aircraft configuration prior to takeoff that would completely mitigate the issue without negatively affecting flight performance.
The major recommendation in the internal FAA bulletin is to use the APU bleed instead of the main engine bleed air to power the air conditioning and cabin pressurisation during the takeoff phase of flight, below 3000 feet AGL. I can see no reason to drag feet on this recommendation, other than the uncomfortable suggestion that perhaps this issue should have been addressed during certification. (It is yet another difference from older 737 design, like the deadly MCAS system, that was not disclosed to pilots transitioning to the new aircraft)
db48x 31 days ago [-]
> […] stops short of recommending some very, very simple steps in aircraft configuration prior to takeoff that would completely mitigate the issue […]
Well, the configuration changes during takeoff mitigate the issue if it happens during takeoff. If it happens at any other time then they don’t do anything to help.
> I can see no reason to drag feet on this recommendation […]
I can. Perhaps the FAA believes that it is better to minimize change fatigue. Since the problem can apparently be fixed in software, and Boeing has decided to make that fix, they might want to write just one airworthiness directive requiring everyone to install it instead of two, one telling pilots to adopt some procedure followed by another telling them to abandon it.
> (It is yet another difference from older 737 design, like the deadly MCAS system, that was not disclosed to pilots transitioning to the new aircraft)
Keep in mind that for most aircraft the airline can pick and choose between different engines. The pilots don’t have to learn the myriad different engineering decisions that go into those engines; from the pilot’s perspective they are supposed to be interchangeable.
garaetjjte 31 days ago [-]
>Perhaps the FAA believes that it is better to minimize change fatigue.
> Well, the configuration changes during takeoff mitigate the issue if it happens during takeoff. If it happens at any other time then they don’t do anything to help.
There are no birds at higher altitudes
db48x 31 days ago [-]
Fewer perhaps, but not none. :)
K0balt 31 days ago [-]
Right? I remember there was a bird strike incident at 37,000 feet, a vulture iirc. Hard to imagine how they can get enough oxygen to fly up there.
himinlomax 30 days ago [-]
> Keep in mind that for most aircraft the airline can pick and choose between different engines.
737 Max can only have CFM Leap engines.
A320 can have either Leap or PW GTF.
berkut 31 days ago [-]
It's not clear that it does affect Airbus, does it?
It looks like only the LEAP-1b engines are affected by this, and I was under the impression that LEAP-1b was 737-MAX-only?
(A320 has LEAP-1a as far as I can see).
unsnap_biceps 31 days ago [-]
He covers this in the video, but both engines have the same LRD (Load reduction device), but it's more about how the bleed system is done on if it's an impact or not, and he doesn't know if the other planes have the same flaw or not.
fransje26 31 days ago [-]
From [1], it looks like the 737 flight deck ventilation bypasses the mix manifold.
This does not seem to be the case for the A320 family of jets. [2]
Of course MCAS was disclosed to pilots, the idea that it wasn’t is ridiculous to the point of absurdity.
Boeing has gone off the rails, but the general lack of nuance in the common narrative about their failures is really over the top.
MCAS is how a fundamentally different plane behaves (in most cases) like a normal 737. The fact that such a system exists is described, and disclosed, in minute detail to pilots when they get their mandatory training on the 737-MAX.
The specific name wasn’t used in the training, and that’s where this ridiculous narrative came from.
cameldrv 31 days ago [-]
The manual described Elevator Feel Shift, Speed Trim, and Stall Management Yaw Damper. It describes the scenarios in which each of these systems activate and what effect they have.
MCAS uses the same hardware but has different scenarios in which it activates and has a different effect. Not knowing of the existence of MCAS and not having a viable procedure to deactivate it if it went haywire was critical to the two accidents. I've looked into this a lot and to my knowledge this was never disclosed to pilots.
Can you provide a reference to MCAS being disclosed prior to the two accidents?
DrNosferatu 31 days ago [-]
Fascinating how many people had to actively shove this to the side so that it became potentially life threatening:
- CFM designed an engine that, in certain emergencies, dumps oil into the quite possible (actually traditional, if I understand correctly?) human-breathing stream of the aircraft, apparently, without the relevant human-breathing system shutdown mandate when said (or any) emergency system is triggered;
[truth be told, we never heard their complete story]
- Boeing integrating said new engines into their new 737MAX without appropriately checking for possible new emergency mode interactions with their life-support (in this case, breathing) systems.
- FAA dropped the ball upon accident investigation;
- FAA removed their employee that then picked up the ball;
- EASA swallowing what they were told by FAA without asking further questions;
Well...
I have worked in many no-harm potential software projects that employed more careful engineering than this.
All hardware projects I worked on employed more careful engineering than this.
Conclusion:
It becomes more and more difficult to falsify that Boeing, nowadays, simply abandoned engineering design reviews, and, relies solely on some blend of "agile" methods to design people-carrying airplanes.
tl;dw: when a particular engine design used by the 737 MAX (but also other Boeing and Airbus planes) ingests a bird, if there's enough damage, it starts burning oil before the cabin bleed air intake. The cockpit and cabin have air supplied from different engines. Since the cockpit is relatively small, if the cockpit engine was damaged, smoke would fill the cockpit quickly, reducing the pilots' visibility and requiring them to don air masks. Bird strikes only happen at takeoff and landing--times when pilots don't have time to be fiddling with masks and seeing through smoke and trying to shut off the damaged engine. Regulators in the US and EU don't seem especially concerned.
db48x 31 days ago [-]
It’s not actually burning the oil, just dumping it into the airstream in the form of tiny droplets. Some of that gets sucked up by the bleed air system, the rest continues on to the combustion chambers to be burned.
beAbU 31 days ago [-]
>Regulators in the US and EU don't seem especially concerned
Presumably because a bird strike at TO would prompt an immediate go-around and land. With landings the runway is right there.
Not an aviation expert at all, so I am talking out of my ass on this.
agsnu 31 days ago [-]
Doesn't help you if the pilot flying is incapacitated by the toxic air in less than a minute, or crash into mountains, as in the scenario posited in the video. Climbing out to an appropriate height to join the approach, reconfiguring the plane for landing etc, takes several minutes; an immediate forced 180 teardrop back to land is very challenging to execute successfully (see the tragedy at Jeju just before new year).
rounce 31 days ago [-]
They don’t have to be incapacitated, simply having to deal with reduced cockpit visibility and/or minor impairment during an emergency while in a critical phase of flight is a significant elevation of risk.
hypothesis 33 days ago [-]
I wonder what was the thought process there: hey we save an engine maybe, but everyone inside the plane gets cooked in 39 seconds. Ship it!
Comments on that YouTube video are filled with industry insiders and it’s just wild. They even think someone has died from a similar fuming event back in December…
K0balt 33 days ago [-]
It doesn’t save the engine, it keeps it from ripping the wing off. It’s a good system.
The part about filling the cabin with smoke because they couldn’t be bothered to make the software that detects the extreme vibration tell the AC units from that engine to shut down (which they already do if the rpm drops, indicating an engine failure-just not soon enough or reliable enough to prevent the smoke issue) - not so much.
The system for the ECU to detect the engine mount failure condition already exists. The function to shut down the air handlers in response to a different indicator of engine failure already exists in the ECU. It’s just literally “also shut down if the engine mounts fail”, but the guys that sit around and think about the what ifs were given early retirement to make room for more MBAs.
hypothesis 33 days ago [-]
> It doesn’t save the engine, it keeps it from ripping the wing off. It’s a good system.
Sure, I get that it was added to prevent plane from disintegrating, but like you said integration thinking is gone and now we have those individual components that sure look homicidal from outside.
The other issue is that regulators are missing in action or worse. It’s no way to run the industry by relying on concerned youtubers..
adgjlsfhk1 31 days ago [-]
I think a lot of the problem here is that all of the forward looking design is looking at the 787 dreamliner where the air conditioning is done electrically rather than with bleed air. It seems entirely plausible to me that this situation arose due to a descoping halfway through the project, where an initial version of the design wasn't going to use bleed air, they then decided that doing that much design work would be expensive, and put the bleed air system back in "because it's exactly the same as what we've been doing for the past 100 years" and no one realized that in the meantime, someone else on the engine team had designed a system that would dump a couple gallons of oil into the bleed air system if there was an engine failure.
chipsa 31 days ago [-]
The air handling is exactly the same between the various 737 versions. The difference is that the engines are different. The CFM Leap is designed to shear the bolts on the fan if it goes sufficiently unbalanced, and incidentally the shock of this causes an oil leak. The A320neo will have a very similar problem of filling the plane with smoke if the LRD shears the fan bolts. It just does the air handling slightly differently, so it fills with smoke slower, and the entire cabin, rather than the flight deck first (if it’s the left engine that fails).
ngcc_hk 31 days ago [-]
Guess if I have to choose killing the pilot last is better … I am not a pilot
aunty_helen 31 days ago [-]
Nah bleed air is a pretty major system. 787 was a ground up design, so benefitted from lots of new tech. 737 max was something that they hoped wouldn't need a recert.
So no this wasn’t the victim of a rescope.
dboreham 31 days ago [-]
But it was the victim of MBAs eating the world, since the 737-of-theseus concept wouldn't exist and we'd be flying in newer design planes.
K0balt 31 days ago [-]
“737 of Theseus” is my new favorite aviation phrase. Right up there with “unscheduled disassembly event”.
K0balt 33 days ago [-]
I’m with you on all of this. It’s like all of the grownups left the building and the inmates are running the asylum.
Frikken clown world hijinks.
aqueueaqueue 31 days ago [-]
I am with you but that is quite a mixed up metaphor!
K0balt 31 days ago [-]
Exactly.
DrNosferatu 31 days ago [-]
If engine detects malfunction -> close its breathing air pathway to humans.
How difficult is that?
K0balt 31 days ago [-]
That’s gonna cost tree fiddy.
Actually, I think this was less about cost and more about systemic creep of operational differentiation from earlier versions of the 737. A big selling point for the MBAs was that this was a 737 and pilot recertification was not necessary. So the MCAS system and its deadly potential was hidden from the pilot manual, as was the new failure mode introduced by this system. Acknowledgement that these systems required additional or different contingencies or checklists, or introducing an automatic shutdown of a pressurization would require recertification in type, or potentially even recertification of the aircraft if the changes were significant enough.
Significantly, for MCAS, the reason that the stability of the aircraft had to be patched in software, leading to hundreds of deaths, was that changing the empennage to reestablish aerodynamic stability might have been a big enough change to require recertification of the airframe. That would have been expensive, but it would have also opened the door to fixing all of these other issues that resulted from trying to pretend that the aircraft was not significantly different from earlier versions.
It's bean counters all the way down, and dead passengers is the price of that.
DrNosferatu 31 days ago [-]
Absolutely: I’m sure the engineers proposed a solution or mitigation - and then it was buried at management level to keep away any possible need of recertification.
sgtlaggy 31 days ago [-]
> everyone inside the plane gets cooked in 39 seconds
From the video, the 39 second figure is for the cockpit if the pilots don't get their masks on in time. The passenger cabin would be uncomfortable but wouldn't (or just didn't in that case) reach lethal levels given the volume.
schiffern 31 days ago [-]
> They even think someone has died from a similar fuming event back in December…
Interesting, I hadn't heard of this before. Looks like it's a different type of engine failure (not related to LRD), but the same basic problem.
I wonder if they just need formaldehyde sensors in the bleed air line...
cduzz 31 days ago [-]
Not cooked -- poisoned.
As far as I understand, the people in the cabin or the cockpit will breathe the oil that's now been aerosolized -- in the cockpit it's really hazardous because it's such a small air volume. The oil's full of all kinds of things you wouldn't ever want to breathe in, and in the cockpit it's enough to poison you really fast.
lukevp 31 days ago [-]
Yeah but there’s 2 people in there, and 180 people in the rest of the plane. Isn’t the volume of air relative to the amount of people breathing it relevant as well?
cjbprime 31 days ago [-]
Why do you think it would be? If 200 humans share enough air to dilute the relative concentration of poison in that air effectively, none of those humans will receive lethal doses of poison.
sureIy 31 days ago [-]
Only if the concentration reduces over time and the oil isn't enough to poison everyone in 69 seconds anyway.
The people can keep filtering a certain volume of oiled air, but at some point it's too much oil in their body.
cduzz 30 days ago [-]
I'm certainly worried about the health of those people in the bigger part of the airplane.
If the people in the cockpit are incapacitated, though, it's a problem for everyone on the plane. The oil has nasty stuff that kills the pilots, but it's also hard to see through.
Basically, at the very very least, let's not dump the oil into the cockpit. Ideally let's not dump the oil into the passenger compartment either, but sheesh, let's not kill or blind the pilots as table stakes..
Havoc 33 days ago [-]
Maybe they were thinking the Russian solution. If it crashes fast enough nobody finds out what happened
pxeger1 31 days ago [-]
This guy says he doesn’t understand why the issue isn’t taken more seriously, and that he’s tried to cover every possible hole in his logic. Here’s a possible reason:
None of the sources he references about the danger of the smoke itself appear to be very confident that it genuinely could kill you in 39 seconds, and they all seem to be from sites that likely have an incentive to sensationalise. Maybe he had better sources for that claim, but didn’t show them (or maybe I didn’t watch the video carefully enough), but I wasn’t convinced that it’s actually true.
But if not, it’s possible the FAA/Boeing have better data or other reasoning that makes them sure that the smoke is not that dangerous. In which case their inaction (but not necessarily their PR strategy...) seems more justifiable.
mrob 31 days ago [-]
Even if it doesn't kill them, thick smoke in the cockpit is obviously going to impair pilot performance, and that's a big problem when it's most likely to happen during the most dangerous phases of flight (takeoff and landing) when they already have a lot to deal with. It seems strange to ignore it when the risk could be mitigated with a simple change of procedures.
beAbU 31 days ago [-]
Or... Alternatively... This YouTube video is incentivised to sensationalise as well. It is on YouTube after all, and there is an algorithm to please.
lupusreal 31 days ago [-]
I haven't watched this channel recently, but from what I saw in the past he seems to have a bias of reassuring the public that air travel is safe and problems are uncommon and usually not as bad as they might seem to the uninitiated. E.g. airline mechanics on the wing applying "duct tape" is normal, not shoddy maintenance.
gus_massa 31 days ago [-]
I agree. I was going to write a similar comment. The guy is slightly in the "FAA is always right" camp, so I got surprised that he disagrees now. He must be really worried.
DrNosferatu 31 days ago [-]
One more reason not to fly Ryanair!
xeonmc 32 days ago [-]
Could this also have been activated in the Jeju air crash from the initial bird strike?
No, that aircraft was a 737-800 (NG), whereas the LRD is only on the LEAP engines of the 737 MAX...
alistairSH 31 days ago [-]
IIRC, that was a 737-800 not a 737 MAX 8.
exabrial 31 days ago [-]
[flagged]
nottorp 31 days ago [-]
No, it's because they blamed an undocumented system that killed two plane loads of people on pilot error...
Also because later they were caught forgetting to screw down things... see that lost door.
There's about zero trust in Boeing.
wobfan 31 days ago [-]
> No, it's because they blamed an undocumented system that killed two plane loads of people on pilot error...
And kept hiding and sabotaging the court process against them to hide that they and their pilots knew, even before the first crash, that this might happen. Like, I don't think Russia or anyone else did even have to do anything at all here, if they would've had any reason to. Boeing fucked up themselves.
greggsy 31 days ago [-]
Boeing has been in the media for a variety of corporate misconduct reasons, and the court cases were held in the US, which attracts the attention of the American media, which is a self-amplifying echo chamber with global consequences.
I don’t doubt there were similar Airbus cases, but to suggest that the redirected attention is wholly due to an interference campaign is a bit far fetched in my opinion.
sho_hn 31 days ago [-]
These are the most comparable times in the history of Airbus:
Unlike with Boeing they didn't feature intentional obfuscation and fraud, but very similar themes of the airplane's software model of what's going on diverging from the pilots' and resulting in disaster.
Along with stories like the Therac-25, this is one of my "favorite" engineering stories relevant to my profession.
Sakos 31 days ago [-]
From the article:
> Although it got off to a rocky start, the A320 went on to achieve a better safety record than most traditional aircraft types. And although there have been a couple of close calls, no Airbus has ever crashed because of the sort of computer failure that skeptics so deeply feared.
Airbus didn't just fight the need to improve their designs. They just kept improving on their designs and fixed what needed to be fixed.
I'm not sure why Boeing and Airbus are being treated equivalently by you and the other commenter. Especially since the two situations are nothing alike. Boeing hid MCAS to avoid a new type rating. The Airbus A320 just had new types of systems that would continue to be iterated on over time and were simply new.
sho_hn 31 days ago [-]
> I'm not sure why Boeing and Airbus are being treated equivalently by you and the other commenter.
I think you misunderstood my intention in posting these links. I'm actually not sure how, since I pointed out clearly in the original text how the cases are very different. I posted them with the intent of "this is arguably the most like that, which is still very different". Maybe to hammer it down more, I gauge the Boeing case to be criminal, the Airbus examples not, and it's worth comparing the manufacturer conduct in these cases.
The common theme is software assists increasing complexity and the likelihood of the operator's thinking to diverge from the machine. I find that interesting personally and professionally (I make safety-critical vehicles with high degrees of automation for a living). If you want some interesting reading, I still recommend them.
Sakos 31 days ago [-]
> very similar themes
implies that Airbus and Boeing should be treated similarly. When the issue isn't necessarily the automation or software, it's how each company behaves in situations where there are serious faults or deficiencies with their designs.
sho_hn 31 days ago [-]
> implies that Airbus and Boeing should be treated similarly.
Honestly, I think that's you misreading the language.
> how each company behaves in situations where there are serious faults or deficiencies with their designs
Which the comparison can illustrate. Rather than downvoting me and somehow trying to hide information, why don't you just double-down on what I did and extend the argument? I see exactly no reason for conflict here. What I originally wrote (this is misconduct, this is not) seems to exactly agree with you.
In any case, I suppose I have more of a creator's view and am more interested in what makes a good software assist vs. a bad one, and for me any assist implicated or involved in an incident are interesting data points in the spectrum.
MBCook 31 days ago [-]
Which is what Boeing used to do.
Wasn’t the original 737 the plane that had a number of early accidents and people literally didn’t want to fly on it? Maybe I’m thinking of a different model.
But they fixed it and treated it properly. And it became one of the most popular planes ever. Everyone trusts them.
Then they made the MAX version and made obviously stupid decisions like not having redundancy on the MCAS sensors. Things that the history of aviation tells you will go wrong. And they lied about it and covered it up, and lied about and covered up and obstructed the investigation into their plants not finishing planes correctly. And…
Boeing had a great reputation for a reason.
kevin_thibedeau 31 days ago [-]
Boeing has been fucking up continuously for 30 years. Airbus, not so much.
Sakos 31 days ago [-]
This is still being investigated. It also doesn't seem to be a widespread and common issue requiring the full brunt of internet outrage. I'm beginning to wonder if you're arguing in good faith.
You realize that the difference between this incident and the one in this HN post is that the FAA made a recommendation in a report (IN 2023) for how to resolve the smoke issue, and it still hasn't been implemented by Boeing? That couldn't be the issue, it must be a conspiracy.
[1] https://www.icao.int/publications/pages/doc7300.aspx
[2] https://ffac.ch/wp-content/uploads/2020/09/ICAO-Annex-8-Airw...
[3] https://ffac.ch/wp-content/uploads/2020/09/ICAO-Annex-6-Oper...
[4] https://www.ecfr.gov/current/title-14/chapter-I/subchapter-C...
[5] https://www.easa.europa.eu/en/document-library/regulations#b...
I read through the 787 Dreamliner manual for setting up the software for patch distribution to the planes, and there are checks and overrides at every step. The whole thing is physically controlled by the owning airline or maybe the leasing company, but not Boeing.
I wasn’t thinking a “we’re pushing an update too bad” kind of thing but more a “hey you have to do this to be allowed to fly, your choice” with the weight of law behind it.
The security is dialed up to 11 as well. It explicitly calls out the following scenario:
1) The plane is leased. 2) The maintenance is outsourced. 3) The plane is at an airport in an "unfriendly" country. 4) The plane is not allowed to take off until it is patched due to an emergency directive.
That scenario is handled, securely!
There is encryption between the plane and the airport WiFi.
The maintenance crew can also plug in to an Ethernet port near the front landing gear.
There is a VPN back to the patch server managed by the airline.
The VPN host certificate is explicitly whitelisted in the plane.
The plane won't accept a patch unless it has been digitally signed by Boeing, the FAA, the Airline, and potentially the manufacturer and the local equivalent of the FAA!
The pilot has to enter a 4-digit PIN code in the plane.
Most of the associated wiring is only physically connected if there is weight on the front landing gear. You can't "hack" a plane in-flight and patch it with malware, the required cabling isn't connected.
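The acceptance rule this comment describes (every required party must have signed the same patch, and nothing is accepted unless the aircraft is on the ground) can be modelled as below. This is an added example, not part of the original comment and not Boeing's implementation. The role names, the boolean `weight_on_wheels` input and the Lamport one-time signatures (a stand-in that needs only the standard library) are assumptions.

```python
import hashlib, secrets

# Stand-in scheme: Lamport one-time signatures over SHA-256 (stdlib only).
def keygen():
    sk = [[secrets.token_bytes(32) for _ in range(2)] for _ in range(256)]
    return sk, [[hashlib.sha256(s).digest() for s in pair] for pair in sk]

def _bits(msg):
    d = hashlib.sha256(msg).digest()
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        hashlib.sha256(s).digest() == pk[i][b]
        for i, (s, b) in enumerate(zip(sig, _bits(msg))))

# Hypothetical role names, based on the signers the comment lists.
REQUIRED = ("boeing", "faa", "airline")

def accept_patch(patch, signatures, trusted_keys, weight_on_wheels):
    """Return (ok, reason). Every required role must hold a valid signature
    over this exact patch, and the ground interlock must be closed."""
    if not weight_on_wheels:  # models the physically disconnected wiring
        return False, "interlock open: no weight on landing gear"
    for role in REQUIRED:
        sig = signatures.get(role)
        if sig is None:
            return False, f"missing signature: {role}"
        if not verify(trusted_keys[role], patch, sig):
            return False, f"bad signature: {role}"
    return True, "accepted"

def demo():
    keys = {r: keygen() for r in REQUIRED + ("untrusted",)}
    trusted = {r: keys[r][1] for r in REQUIRED}
    patch = b"constructed sample patch image"  # constructed input
    sigs = {r: sign(keys[r][0], patch) for r in REQUIRED}
    partial = {r: sigs[r] for r in ("boeing", "airline")}
    wrong_key = dict(sigs, faa=sign(keys["untrusted"][0], patch))
    return {
        "ok": accept_patch(patch, sigs, trusted, True),
        "airborne": accept_patch(patch, sigs, trusted, False),
        "missing": accept_patch(patch, partial, trusted, True),
        "wrong_key": accept_patch(patch, wrong_key, trusted, True),
        "tampered": accept_patch(patch + b"!", sigs, trusted, True),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The point of requiring all signers rather than any one is that compromising a single party's key, or altering the image after one party has signed, is not enough to get a patch accepted.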
They are coordinated with applicable certification bodies (civil aviation authorities) and distributed as airworthiness directives that can, in fact, force a specific action to be taken.
[1] (writing from memory unfortunately) an airflow modification for 737 NG (iirc, could be older 737, pre-MAX definitely) avionics bay was "optional", as in mandatory only for aircraft flying in hot enough regions. After a near miss in Poland when steadily overheating avionics essentially slowly lobotomized a plane after takeoff. Turned out Europe got hot enough for it.
After that incident, Boeing issued a change in safety information bulletin that the modification was now mandatory.
https://simpleflying.com/boeing-cfm-international-update-737...
The recommendations include very basic procedure changes that mitigate the near term risks without any significant impact to operation, as well as recommendations for what probably amounts to a software change and upgrades to some of the pilot oxygen masks to effect a permanent fix.
The only reason that we even know about the internal recommendations is that they were leaked to the press.
Boeing released a pilot bulletin that basically says to go through the checklist quickly and to treat smoke in the cabin as a major failure, but stops short of recommending some very, very simple steps in aircraft configuration prior to takeoff that would completely mitigate the issue without negatively affecting flight performance.
The major recommendation in the internal FAA bulletin is to use the APU bleed instead of the main engine bleed air to power the air conditioning and cabin pressurisation during the takeoff phase of flight, below 3000 feet AGL. I can see no reason to drag feet on this recommendation, other than the uncomfortable suggestion that perhaps this issue should have been addressed during certification. (It is yet another difference from older 737 design, like the deadly MCAS system, that was not disclosed to pilots transitioning to the new aircraft.)
Well, the configuration changes during takeoff mitigate the issue if it happens during takeoff. If it happens at any other time then they don’t do anything to help.
> I can see no reason to drag feet on this recommendation […]
I can. Perhaps the FAA believes that it is better to minimize change fatigue. Since the problem can apparently be fixed in software, and Boeing has decided to make that fix, they might want to write just one airworthiness directive requiring everyone to install it instead of two, one telling pilots to adopt some procedure followed by another telling them to abandon it.
> (It is yet another difference from older 737 design, like the deadly MCAS system, that was not disclosed to pilots transitioning to the new aircraft)
Keep in mind that for most aircraft the airline can pick and choose between different engines. The pilots don’t have to learn the myriad different engineering decisions that go into those engines; from the pilot’s perspective they are supposed to be interchangeable.
Additionally you might want to avoid the association that specific pack supplies air to the cockpit, as it varies across generations. https://en.wikipedia.org/wiki/Kegworth_air_disaster
There are no birds at higher altitudes
737 Max can only have CFM Leap engines.
A320 can have either Leap or PW GTF.
It looks like only the LEAP-1b engines are affected by this, and I was under the impression that LEAP-1b was 737-MAX-only?
(A320 has LEAP-1a as far as I can see).
This does not seem to be the case for the A320 family of jets. [2]
[1] https://www.youtube.com/watch?v=AAy_ch6sfOQ&t=1707s
[2] https://youtu.be/4Yf-0_UTbRs?feature=shared&t=311
Boeing has gone off the rails, but the general lack of nuance in the common narrative about their failures is really over the top.
MCAS is how a fundamentally different plane behaves (in most cases) like a normal 737. The fact that such a system exists is described, and disclosed, in minute detail to pilots when they get their mandatory training on the 737-MAX.
The specific name wasn’t used in the training, and that’s where this ridiculous narrative came from.
MCAS uses the same hardware but has different scenarios in which it activates and has a different effect. Not knowing of the existence of MCAS and not having a viable procedure to deactivate it if it went haywire was critical to the two accidents. I've looked into this a lot and to my knowledge this was never disclosed to pilots.
Can you provide a reference to MCAS being disclosed prior to the two accidents?
- CFM designed an engine that, in certain emergencies, dumps oil into the quite possible (actually traditional, if I understand correctly?) human-breathing stream of the aircraft, apparently, without the relevant human-breathing system shutdown mandate when said (or any) emergency system is triggered; [truth be told, we never heard their complete story]
- Boeing integrating said new engines into their new 737MAX without appropriately checking for possible new emergency mode interactions with their life-support (in this case, breathing) systems.
- FAA dropped the ball upon accident investigation;
- FAA removed their employee that then picked up the ball;
- EASA swallowing what they were told by FAA without asking further questions;
Well...
I have worked in many no-harm potential software projects that employed more careful engineering than this.
All hardware projects I worked on employed more careful engineering than this.
Conclusion: It becomes more and more difficult to falsify that Boeing, nowadays, simply abandoned engineering design reviews and relies solely on some blend of "agile" methods to design people-carrying airplanes.
https://www.airliners.net/forum/viewtopic.php?t=1497965
Presumably because a bird strike at TO would prompt an immediate go-around and land. With landings the runway is right there.
Not an aviation expert at all, so I am talking out of my ass on this.
Comments on that YouTube video are filled with industry insiders and it’s just wild. They even think someone has died from a similar fuming event back in December…
The part about filling the cabin with smoke because they couldn’t be bothered to make the software that detects the extreme vibration tell the AC units from that engine to shut down (which they already do if the rpm drops, indicating an engine failure-just not soon enough or reliable enough to prevent the smoke issue) - not so much.
The system for the ECU to detect the engine mount failure condition already exists. The function to shut down the air handlers in response to a different indicator of engine failure already exists in the ECU. It’s just literally “also shut down if the engine mounts fail”, but the guys that sit around and think about the what ifs were given early retirement to make room for more MBAs.
Sure, I get that it was added to prevent plane from disintegrating, but like you said integration thinking is gone and now we have those individual components that sure look homicidal from outside.
The other issue is that regulators are missing in action or worse. It’s no way to run the industry by relying on concerned YouTubers.
So no this wasn’t the victim of a rescope.
Frikken clown world hijinks.
How difficult is that?
Actually, I think this was less about cost and more about systemic creep of operational differentiation from earlier versions of the 737. A big selling point for the MBAs was that this was a 737 and pilot recertification was not necessary. So the MCAS system and its deadly potential was hidden from the pilot manual, as was the new failure mode introduced by this system. Acknowledgement that these systems required additional or different contingencies or checklists, or introducing an automatic shutdown of a pressurization would require recertification in type, or potentially even recertification of the aircraft if the changes were significant enough.
Significantly, for MCAS, the reason that the stability of the aircraft had to be patched in software, leading to hundreds of deaths, was that changing the empennage to reestablish aerodynamic stability might have been a big enough change to require recertification of the airframe. That would have been expensive, but it would have also opened the door to fixing all of these other issues that resulted from trying to pretend that the aircraft was not significantly different from earlier versions.
It's bean counters all the way down, and dead passengers is the price of that.
From the video, the 39 second figure is for the cockpit if the pilots don't get their masks on in time. The passenger cabin would be uncomfortable but wouldn't (or just didn't in that case) reach lethal levels given the volume.
https://en.wikipedia.org/wiki/Swiss_International_Air_Lines_...
I wonder if they just need formaldehyde sensors in the bleed air line...
As far as I understand, the people in the cabin or the cockpit will breathe the oil that's now been aerosolized -- in the cockpit it's really hazardous because it's such a small air volume. The oil's full of all kinds of things you wouldn't ever want to breathe in, and in the cockpit it's enough to poison you really fast.
The people can keep filtering a certain volume of oiled air, but at some point it's too much oil in their body.
If the people in the cockpit are incapacitated, though, it's a problem for everyone on the plane. The oil has nasty stuff that kills the pilots, but it's also hard to see through.
Basically, at the very very least, let's not dump the oil into the cockpit. Ideally let's not dump the oil into the passenger compartment either, but sheesh, let's not kill or blind the pilots as table stakes.
None of the sources he references about the danger of the smoke itself appear to be very confident that it genuinely could kill you in 39 seconds, and they all seem to be from sites that likely have an incentive to sensationalise. Maybe he had better sources for that claim, but didn’t show them (or maybe I didn’t watch the video carefully enough), but I wasn’t convinced that it’s actually true.
But if not, it’s possible the FAA/Boeing have better data or other reasoning that makes them sure that the smoke is not that dangerous. In which case their inaction (but not necessarily their PR strategy...) seems more justifiable.
Also because later they were caught forgetting to screw down things... see that lost door.
There's about zero trust in Boeing.
And kept hiding and sabotaging the court process against them to hide that they and their pilots knew, even before the first crash, that this might happen. Like, I don't think Russia or anyone else did even have to do anything at all here, if they would've had any reason to. Boeing fucked up themselves.
I don’t doubt there were similar Airbus cases, but to suggest that the redirected attention is wholly due to an interference campaign is a bit far-fetched in my opinion.
https://admiralcloudberg.medium.com/one-hundred-seconds-of-c...
https://admiralcloudberg.medium.com/thinking-like-a-computer...
Unlike with Boeing they didn't feature intentional obfuscation and fraud, but very similar themes of the airplane's software model of what's going on diverging from the pilots' and resulting in disaster.
Along with stories like the Therac-25, this is one of my "favorite" engineering stories relevant to my profession.
> Although it got off to a rocky start, the A320 went on to achieve a better safety record than most traditional aircraft types. And although there have been a couple of close calls, no Airbus has ever crashed because of the sort of computer failure that skeptics so deeply feared.
Airbus didn't just fight the need to improve their designs. They just kept improving on their designs and fixed what needed to be fixed.
I'm not sure why Boeing and Airbus are being treated equivalently by you and the other commenter. Especially since the two situations are nothing alike. Boeing hid MCAS to avoid a new type rating. The Airbus A320 just had new types of systems that would continue to be iterated on over time and were simply new.
I think you misunderstood my intention in posting these links. I'm actually not sure how, since I pointed out clearly in the original text how the cases are very different. I posted them with the intent of "this is arguably the most like that, which is still very different". Maybe to hammer it down more, I gauge the Boeing case to be criminal, the Airbus examples not, and it's worth comparing the manufacturer conduct in these cases.
The common theme is software assists increasing complexity and the likelihood of the operator's thinking to diverge from the machine. I find that interesting personally and professionally (I make safety-critical vehicles with high degrees of automation for a living). If you want some interesting reading, I still recommend them.
implies that Airbus and Boeing should be treated similarly. When the issue isn't necessarily the automation or software, it's how each company behaves in situations where there are serious faults or deficiencies with their designs.
Honestly, I think that's you misreading the language.
> how each company behaves in situations where there are serious faults or deficiencies with their designs
Which the comparison can illustrate. Rather than downvoting me and somehow trying to hide information, why don't you just double-down on what I did and extend the argument? I see exactly no reason for conflict here. What I originally wrote (this is misconduct, this is not) seems to exactly agree with you.
In any case, I suppose I have more of a creator's view and am more interested in what makes a good software assist vs. a bad one, and for me any assist implicated or involved in an incident are interesting data points in the spectrum.
Wasn’t the original 737 the plane that had a number of early accidents and people literally didn’t want to fly on it? Maybe I’m thinking of a different model.
But they fixed it and treated it properly. And it became one of the most popular planes ever. Everyone trusts them.
Then they made the MAX version and made obviously stupid decisions like not having redundancy on the MCAS sensors. Things that the history of aviation tells you will go wrong. And they lied about it and covered it up, and lied about and covered up and obstructed the investigation into their plants not finishing planes correctly. And…
Boeing had a great reputation for a reason.