> One possibility is incompetence. But Boeing engineers are smart people, so I'm not convinced by this.

That's still a possibility. Stupid decisions can emerge out of smart people.

Boeing is huge, and what they develop is incredibly complex. There are a lot of people with differing level of competence, ethics, and goals.

For example (I am not saying that happened), the engineers designing MCAS didn't expect incorrect AoA data, thinking the checks were done elsewhere. At the same time, the "sensors" team thought that raw, unchecked data was expected. The integration guy didn't read the specs correctly (sometimes, it comes down to a single word), didn't catch that, and checked the OK box. His manager, focused on a more pressing issue took that as granted and it went to production.

It is possible that the engineers did an excellent work, but didn't question the specs they had. The integration guy is normally super reliable but he just had a bad day. And his manager handled the other problem beautifully and overlooked the MCAS/AoA because, normally, the integration guy is reliable. A series of small mistakes that ended up in a catastrophe.

There are a lot of safeguards but the complexity is so high that sometimes, something goes through. Especially if the company is under pressure.

I agree with you that this was ALL about keeping type rating. I wish the government would offer a whistleblower award to anyone inside Boeing who could prove that this was indeed true especially since it seem that that is how the software originally operated. Companies will do whatever it takes to drive sales and revenue and stock price. Employees don't want to raise their hand and get fired as they have families to support. A true whistleblower program with WITSEC level provisions for protection and monetary support would help cut this down. Once it happens once or twice companies are very disincentivized to continue down this road.

As I understand a simple software fix is not possible according to regulation.

The problem is as follows, as you described it partly: 2 sensors are not enough. If the MCAS is an important part for the flight safety, a simple redundant safety system is not enough. Because an airplane is not about functional safety but mission critical safety. In functional safety, if there is an error the safety function is triggered and the system is transferred into a safe state. But there is no safe state here. If the system is mission critical, then it is not safe to assume to switch it off in case of an error. That means for mission critical system we need at least 3 readings and with a vote can decide on which reading is most likely the correct reading.

If the MCAS would not be part of the mission critical path, then we could ask why is there in the first place? There must be reason why it was introduced.

I assume, it is not done by a simple software update, if there are only 2 sensors. It will be partly redesigned to fit the requirements and regulations. But of course, this will not be publicly announced. Think about the share price. They will maintain a communication that assumes that this is an easy (and cheap) fix, a software update.

> The problem Boeing face is that with MCAS disabled when this occurs, the plane no longer flies like an older 737.

The other problem Boeing faces is that with MCAS enabled the plane no longer necessarily flies like an older 737 - it can try to force its nose down unexpectedly.

God am I blessed to be building webapps and not be responsible for autopilot systems flying fellow humans 11Km above ground.

> Suppose they did originally do what the fixed software does now, and disable MCAS if the AoA sensors disagree. The problem Boeing face is that with MCAS disabled when this occurs, the plane no longer flies like an older 737....

But it’s been reported that this was an option you could buy when you bought the planes. And the crashed planes didn’t have this option.

So if that’s correct, then any plane shipped with this optional package would require the recertification. But it appears they don’t either.

If they did it would show up as very suspicious and I’m surprised nobody has reported on it:

Here buy this plane without this optional package and you don’t need new training.

Or buy it with the optional package and you need to learn about these new components we’ve added that may be disabled and undergo new training.

It seems too obvious.

Yes it all comes back to the requirement from on high to not require any retraining or recertification even though they were delivering essentially a different airplane. Trying to simulate the feel of a different plane via software is adding a huge new layer of complexity and failure risk.

> If they'd done this, they'd have needed to provide additional training, and this must have concerned Boeing management that it might jeopardize the common type rating.

Yes. There were no simulators to train pilots (only 4 delivered up to now, vs. 376 planes delivered! -- by the way, the value of all MAX orders, including these still not delivered, is around 600 billion with a b dollars!) and if I'd guess the simulators can't simulate the plane behavior when MCAS is off. Because the selling point is "MAX behaves the same as the old one." Which is just not true.

> The problem Boeing face is that with MCAS disabled when this occurs, the plane no longer flies like an older 737.

The bigger problem is the MCAS was only added to fix a major design fault, where by the aircraft would automatically pitch up when accelerating.

So with the MCAS disabled, the aircraft then runs the risk of stalling when accelerating.

I don't understand how design engineers would ever think a software workaround would be a suitable fix for what appears to be a major aerodynamic design flaw.

According to Blancolirio on YT (a wholehearted thumbs up for his journalism, e.g. the video on atlas prime air is worth a watch, he currently flies as FO on the 777 I believe), there exists an angle of attack disagree light already in the 737max options sheet. There's also an option to purchase an AoA indicator dial, and he said one of the major us carriers did buy that option on their aircraft.

When politics and egos come into play, even teams of very smart software engineers can end up making silly, seemingly incompetent decisions.

Agreed. I think what this may mean going forward is that the CAAs are going to have to consider demanding that the training specifications be designed around a scenario where some (as-yet-to-be-defined) subset of the smart systems are disabled, and if the airframe behaves differently in that configuration, it demands re-training.

I'm somewhat surprised acceptance criteria weren't already there. You don't plan for the common case when lives are on the line.

> If they did require a separate type rating, this would likely kill 737 sales

Would it, though? I'm genuinely asking because I don't know how much all this costs. Certainly certifying pilots for a new aircraft isn't free, and probably isn't cheap, but the MAX line promises significant savings in fuel cost. In the long run, would the latter outweigh the former?

This is pretty much it in a nutshell as far as I can tell. If the sensors don't agree, and MCAS switches off, then the pilots have to be ready to deal with the plane trying to pitch up and stall on their own.

When would that happen? Take off and go-arounds.

Pilot is coming in for a landing, something goes wrong (too much cross wind, plane on the taxiway, Etc.) what they do is they pull back on the stick and push the throttles up to max to get into a climb. If MCAS is disabled and the pilot hasn't trained to fly the plane without it, there is a risk it will pitch up and stall onto its tail. Not a good place to be.

"Boeing's software fix, announced today, is to compare readings from both angle-of-attack sensors and disable MCAS if they disagree significantly. The obvious question is why they didn't do this in the first place?"

Because you had to pay for the second sensor and the disagree light.

https://www.nytimes.com/2019/03/21/business/boeing-safety-fe...

> this would likely kill 737 sales, regardless of whether the plane is now safe.

I suspect a 737 Max is now as saleable as a Samsung Note 7 phone.

IIRC the two planes that crashed only had a single AOA sensor (the 2nd redundant one being only present in a premium add-on that those airlines didn't purchase), so this software fix would have not changed anything.

EDIT: alright thanks for the replies.

I was under the impression the "base model" only came with a single AoA sensor. Adding a second sensor and the warning light if they disagreed was an expensive upgrade that neither of the planes that crashed were equipped with.

Are the angle-of-attack sensors so unreliable to have caused two crashes?