As of this writing, the ill-fated Boeing 737 Max series of
jetliners is still grounded after two fatal crashes in which the pilots lost a
battle with the plane's Maneuvering Characteristics Augmentation System (MCAS). The U.S. Federal Aviation Administration
(FAA) grounded the planes last March, and current estimates are that the planes
will not be flying again until at least 2020.
This is a huge blow to Boeing and its customers who bought the planes,
as billions of dollars of assets are sitting idly on the runway instead of
making money.
Only a month after the planes were grounded, a software
engineer named Gregory Travis, who is also a pilot, wrote his thoughts on what
happened with the Max 8 and why he thinks the problem may be intractable. A version of his article appeared on the
website of IEEE Spectrum recently, and to my mind it is the most
comprehensive and damning examination yet of a situation that put thousands of
lives at risk and ended up killing 346 people.
Travis points out that the 737 series was introduced all the
way back in 1967. Designing an airframe
from the bottom up is a costly enterprise, so Boeing understandably would like
to make incremental changes to an existing design rather than coming up with a
whole new airplane every few years. As
fuel economy became more important for airlines, Boeing decided to go with more
efficient engines, which for fundamental physical reasons have to be
larger. But eventually, the newer
engines got so big that the ground clearance in their original positions was
too small—the front fans were going to hit the ground if they didn't move the
engines. So they did move them upward
and back. But that caused another
problem.
Travis drew on his experience as a pilot to note that you
start playing with the fundamental handling characteristics of an aircraft when
you move the engines around. Stable
flight is a complex interplay between the engine thrust vector and the center
of gravity, the drag on the wings and other surfaces, and many other
factors. When the engines were moved, it
made the plane tend to pitch upward with increased power, and this is not a
good thing. Upward pitch in an airplane
is the equivalent of tilting your head back.
If an aircraft's pitch exceeds a certain angle, depending on
the angle of attack (the angle between the plane's fuselage and the air moving
past it), it can stall, which basically makes it fall out of the air. The modified 737 was edging dangerously close
to a dynamically unstable condition, which is not something a commercial
airliner should do. Travis said that the
right thing to do at this point would have been to redesign the whole airframe
to deal with the changed position of the engines. In his words, "The airframe, the
hardware, should get it right the first time and not need a lot of added bells
and whistles to fly predictably. This has been an aviation canon from the
day the Wright brothers first flew at Kitty Hawk."
But instead of doing that, Boeing chose to develop a software
patch that included the MCAS—a complicated system of interacting compensation fixes,
pilot warnings, and poorly considered feedback loops that were vulnerable to
faulty inputs from angle-of-attack sensors, which can easily be fooled by
surface winds or other transient phenomena.
Most modern airliners are
"fly-by-wire" systems in which there is no direct mechanical
connection between the pilot's stick and pedals, and the airplane's control
surfaces. Instead, a computer both takes
in the pilot's commands and feeds back to the pilot something approximating the
"feel" of manually operated controls, so that the pilot senses he or
she is flying a plane and not a video game.
But the MCAS was apparently designed so that when it sensed a situation
in which the nose needed to be pointed down, it would in effect grab the
controls away from the pilot and do what it knew was right—even if it was
wrong. And the feedback motors that
would do this were simply too powerful for the pilots to overcome. In a reference to the famous HAL 9000
computer in the film 2001: A Space Odyssey, in which the computer tries
to kill everyone on board for its own rather obscure purposes, Travis writes "MCAS
gaslights the pilots. And it turns out badly for everyone. 'Raise the nose,
HAL.' 'I’m sorry, Dave, I’m afraid I can’t do that.'"
We are well down the road
that leads to 100% control of airplanes by robotic systems. Nevertheless, we are far from arriving, and
in the meantime there has to be effective and safe cooperation, not competition,
between the human pilots and the software that runs the plane. But in trying to cut corners by fixing an
airframe problem with software, and poorly designed software at that, Boeing
may have painted itself, and all its customers who bought 737 Max 8s, into a
corner that it can't get out of. Every
month that goes by without an FAA-approved plan to fix or retrofit Max 8s so
they can fly safely again is an indication that the problem revealed by the
MCAS-related crashes may be deeper and more far-reaching than most people
thought at first. The fact that an
engineer with deep expertise in both software and flying saw what was evidently
going on within a month of the groundings tells me that he's probably on to
something.
The historian of technology
Henry Petroski says that engineers often learn more from failures than from
successes. We should learn a lot from the
737 saga, but it may prove to be an expensive lesson. The 737 Max began commercial flights only in
2017, and I'm sure Boeing and its customers were counting on many years of
revenue from their purchases. If the
design ends up being scrapped, it will amount to the largest recall in aviation
history. But if even just most of what
Travis says is true, that is well within the realm of possibility. Regardless of what patches Boeing may come up
with, I'm never going to feel entirely comfortable flying in a 737 Max again.
Sources: Readers are urged
to see Travis's complete article, which goes into greater depth than I have
been able to here. It is on the website
of IEEE Spectrum at https://spectrum.ieee.org/aerospace/aviation/how-the-boeing-737-max-disaster-looks-to-a-software-developer.