
Monday, February 24, 2020

Divided Loyalties: The 737 Max Warning Light Glitch


In the sixth chapter of the Gospel of Matthew, Jesus is quoted as saying "No man can serve two masters; for either he will hate the one and love the other, or he will be devoted to one and despise the other."  The context is the impossibility of serving both God and mammon (money), but one does not have to be a Christian to recognize the shrewdness of Jesus' observation that divided loyalties sooner or later lead to trouble. 

A report from Bloomberg News this week makes this saying particularly relevant to the ongoing woes of Boeing Co., whose 737 MAX airliner is still grounded after two fatal crashes led to investigations revealing serious problems with the plane's flight-control software.  Now it appears that a warning light which could have helped mechanics catch the sensor fault that contributed to the crashes wasn't even working on most of the fleet, again because of a software problem.

As we have mentioned in this blog before, both the Indonesian Lion Air crash in October 2018 and the Ethiopian Airlines crash in March 2019 occurred when problems arose with the angle-of-attack sensors.  Specifically, one of the two sensors malfunctioned, and the flight-control software, which relied on that single sensor without cross-checking it against the other, responded by repeatedly trimming the nose down until the plane was flown into the ground despite the pilots' efforts to stay aloft.  The warning light in question would have illuminated if the two angle-of-attack sensor readings disagreed, showing that one of them had a problem.  An alert pilot might have gotten a mechanic to fix the bad sensor, which would have removed the trigger for the sequence that led to the two fatal crashes.

But due to a separate software glitch, the warning light turned out not to work unless the customer also asked for an optional display showing each angle-of-attack sensor reading independently.  And 80% of 737 MAXes sold did not have that option, and so also had a defective warning light.  It's a little like if you ordered a car and found out that unless you also asked for optional fog lights, your brake lights wouldn't work. 

By itself, the sensor disagreement warning light's malfunction was not a safety violation.  But in a letter written to Congress last July, the U. S. Federal Aviation Administration (FAA) acting head Daniel Elwell said, "A manufacturer cannot alter the airplane’s features after it has been certified."  The FAA is contemplating assessing fines against the company, and such fines can range up to the tens of millions of dollars.

That is a comparative drop in the bucket in relation to the estimated $18 billion that the firm has lost so far in the 737 MAX debacle since that fleet was grounded last year.  But the details of how Boeing discovered the warning-light glitch back in 2017 and decided not to fix it immediately reveal the glaring defects in a practice that the FAA decided to halt last November:  allowing Boeing-paid engineers to act as FAA inspectors for certain aspects of the certification and approval process.

Regardless of the details, the intended relationship between the FAA and private airplane manufacturers such as Boeing is inherently adversarial, to the extent that the point of having a regulatory agency is to ensure that the entity regulated doesn't get away with murder, or its corporate equivalent.  A simple example is the state of food manufacturing and sale in the U. S. prior to the establishment of the U. S. Food and Drug Administration, the history of which can be traced back to 1906.  Before then, it was perfectly legal to sell candy colored with arsenic-containing dyes to children, or fruit with traces of the arsenic-containing insecticide Paris green.  Once laws were passed against such abominations, the laws had to be enforced, which meant that chemists and inspectors paid by the government went out, collected samples, and tested them for harmful ingredients.  If found, the government used the evidence to levy fines and other penalties against the firms, and the U. S. food supply took a notable turn for the better.

But note that the inspectorate, those charged with checking the output of the private manufacturers, owed its livelihood not to the manufacturers directly but to the government.  This is a sound principle to ensure against corruption and divided loyalties, but one that was neglected when Boeing convinced the FAA to allow some of its employees to do inspections that the FAA would normally undertake.

According to the Bloomberg report, one such "inspector"—a Boeing employee authorized by the FAA to decide such matters—chose to let the warning-light glitch go until a future software update rather than issuing an immediate order to repair all the defective planes.  A clearer case of letting the fox watch over the henhouse would be hard to find. 

This lax procedure is probably not unrelated to the fact that Boeing is the only U. S. maker of large commercial aircraft.  Its only serious global competitor is the European combine Airbus.  If there were three or four viable U. S. airliner manufacturers, the FAA would be in a stronger position to levy serious and even firm-threatening penalties against Boeing, the reason being that the other hypothetical firms could take up any slack and still allow the U. S. airliner manufacturing business to function. 

But both Boeing and the FAA know that is not the case, and that whatever Boeing does, the FAA isn't going to do anything on its own that would threaten the company's existence and put the U. S. out of the international airliner business. 

There are many bad things about monopolies, and one of the worst is that they encourage laziness, both on the part of the monopoly itself and on any agency charged with keeping an eye on it.  In surrendering some of its authority to Boeing employees, the FAA preserved the appearance of vigilance while relinquishing the reality.  When it ended such cozy arrangements last November, it took a step in the right direction of putting a respectable distance between itself and the industry it is charged with regulating.

But cultures and perceptions do not change overnight, and both Boeing and the FAA have a long way to go before they recover some of the public trust that went down in flames in the 737 MAX crashes. 

Sources:  The Bloomberg report on the prospect of FAA fines for the warning-light glitch was carried on the Fortune website on Feb. 21, 2020 at https://fortune.com/2020/02/21/boeing-737-max-warning-light-new-faa-fines/.

Monday, December 30, 2019

Boeing Chief Fired Over 737 Max Controversy


On Sunday, Dec. 22, members of the board of directors of Boeing held a conference call and decided to fire Boeing CEO Dennis Muilenburg.  Since the grounding of the company's 737 Max jetliners last spring after two crashes that killed 346 people, Muilenburg has faced increasing criticism.  At issue is the jetliner's Maneuvering Characteristics Augmentation System (MCAS), a software function that was intended to make the 737 Max handle more like its predecessor airframes, a design lineage that dates back to the 1960s.  But in documents released last October, Boeing's former chief technical pilot for the 737 Max, Mark Forkner, was shown to have described the MCAS's behavior in flight-simulator tests as "egregious" in instant messages to a colleague as long ago as 2016.

Leaders in an engineering-intensive industry face constant conflicting pressures.  On the one hand, there is the need to make a profit so that your organization can continue its existence and benefit the public in some way with its products and services.  On the other hand, demands for resources to ensure safety and reliability of those products and services cost money, and the trick is to strike a balance between excessive engineering that runs profits into the ground, and skimping on due diligence that leads to shoddy products.  Not being qualified to run a lemonade stand myself, I have nothing but admiration for executives who manage this balancing act, and until recently, Dennis Muilenburg was apparently doing it well enough for the Boeing board of directors to keep him on.

But no longer.  After the fatal 737 Max crashes in Indonesia and Ethiopia were shown to be due to unexpected actions of the MCAS, both the U. S. Federal Aviation Administration (FAA) and eventually the U. S. Congress began investigations into the development of the aircraft and the reasons why MCAS was designed in the first place.  As we mentioned in an earlier blog, a series of physical design changes involving bigger engines mounted further forward gave the 737 MAX airframe a tendency to pitch up at high angles of attack that its predecessors did not have.  According to Gregory Travis, a software engineer and pilot who examined the issue, the right thing to do at this point was for Boeing to undertake a complete mechanical redesign of the aircraft, which would have been very costly in terms of both time and money.  Instead, Boeing chose to create a software function, MCAS, that sought to make the plane handle more like it used to handle.

The problem was that when an angle-of-attack sensor failed, MCAS drew the wrong conclusion about what was going on with the plane, and repeatedly trimmed the nose down in a way that was both startling and extremely difficult for the pilots to overcome.  The Indonesian and Ethiopian crews were not able to do this, and their planes crashed. 

At first, Boeing blamed inadequate pilot training for the crashes, but as the firm has released more internal documents in response to Congressional inquiries and FAA requests, it's beginning to look like at least some people inside Boeing had grave doubts about the viability of the MCAS for safe flying.  Although the public has not yet obtained access to most of these documents, some messages released in October reveal that back in 2016, Mark Forkner had doubts about the MCAS even when it was only incorporated into the controls of a flight simulator.  The U. S. House committee familiar with the documents says that "the records appear to point to a very disturbing picture of both concerns expressed by Boeing employees about the company’s commitment to safety and efforts by some employees to ensure Boeing’s production plans were not diverted by regulators or others."

An organization's culture is one of the hardest things to describe, but it can be one of its most important assets, or just as easily a liability.  In the quasi-military structure of most commercial firms, leadership sets the overall tone of a culture, but it's a constant struggle to maintain that tone throughout all parts of the organization. 

"Transparency" is a word that shows up a lot when a firm like Boeing appears to have been concealing information that might have made it look bad, or caused regulatory problems and delays in production.  Obviously, transparency is a relative goal.  No firm in a competitive market can afford to be completely transparent about its plans and specialized technologies.  At various times, engineering-intensive companies have tried this in the form of technical newsletters, in which their engineers bragged about their latest developments in enough detail to allow competitors to copy and improve upon them.  Needless to say, such newsletters are found today only in the dusty shelves of libraries that keep material from defunct companies, such as General Radio and the original incarnation of Hewlett-Packard. 

But transparency is a necessity when it comes to issues that affect safety.  On an individual level, the moment you feel a need to hide something you're doing, this can serve you as an alarm to lead you to question why you're hiding it.  But in an organization in which the immediate pressures tend to be in favor of shipping products and minimizing any issues that would stand in the way of that goal, it's easy to simply not say something you ought to say, or not deliver the bad news that will disrupt the schedule that marketing wants to keep. 

The buck stops at the CEO's office, and in firing Muilenburg, Boeing's board of directors has acknowledged that the company's culture has to change from the top down.  Whether a new leader can take the company back to a point where its 737 MAX jetliners can be flown safely again is still very much an open question, however.  Scrapping them or recalling them for a major mechanical redesign would probably spell an end to Boeing as a commercial-aircraft firm, leaving the field to Airbus.  But it's hard to see how anyone is going to have a great deal of confidence in a fix that is mainly software, which is how the 737 MAX got into this mess in the first place. 

Monday, October 07, 2019

Pilot Overload and the Boeing 737 Max Accidents


In the last couple of months, new information about the factors leading to crashes of two Boeing 737 Max aircraft and the loss of 346 lives has emerged.  All such aircraft were grounded indefinitely last March after investigators found that a flaw in the flight-control software, combined with faulty data from an angle-of-attack sensor, started a chain of events that led to the crashes.  Airline companies around the world have lost millions as their 737 Max fleets sit idle, and Boeing has been under tremendous pressure from both international regulatory bodies and the market to come up with a comprehensive fix for the problem.  But as long as both humans and computers have to work together to fly planes, the humans will need training to deal with unusual situations that the computers come up with.  And in the case of the Lion Air and Ethiopian Airlines crashes, it looks like whatever training the pilots received left them inadequately prepared to deal with at least one situation that led to tragedies.

Modern fly-by-wire aircraft are certainly among the most complex mobile systems in existence today.  It is literally impossible for engineers to think of every conceivable combination of failures that pilots would have to handle in an emergency, simply because there are so many subsystems that can interact in almost countless ways.  But so far, airliner manufacturers have done a pretty good job of identifying the major failure conditions that would be life-threatening, and instructing pilots about how to deal with those.  The fact that Capt. Chesley Sullenberger was able to land a fly-by-wire Airbus A320 plane in the Hudson in 2009 after experiencing failure of all engines shows that humans and computers can work together cooperatively to deal with unusual failures.

But the ending was not so happy with the 737 Max flights, and recent news from regulators indicates that a wild combination of alarms, stick-shakings, and other distractions may well have paralyzed the pilots of the two planes that crashed after faulty readings from angle-of-attack sensors set off the alarms. 

Flying a modern jetliner is a little bit like what I am told it was like being in the army during World War II.  For many soldiers, the experience was a combination of long stretches of incredible tedium interrupted by short but terrifying bursts of combat.  It's psychologically hard for a person to remain alert and ready for any eventuality when the norm is that pretty much nothing out of the routine ever happens the vast majority of the time.  So when the failure of a single angle-of-attack sensor, which the flight computer trusted without cross-checking it against the other one, led to a burst of alarms and the computer's repeated attempts to push the nose down, the pilots on the ill-fated flights apparently failed to cope with the confusion and could not sort through the distractions in order to do the correct thing.

A month after the Lion Air crash in 2018, the FAA issued an emergency order telling pilots what to do in this particular situation.  Read in retrospect, it resembles instructions on how to thread a needle in the middle of a tornado: 

            ". . . An analysis by Boeing found that the flight control computer, should it receive faulty readings from one of the angle-of-attack sensors, can cause 'repeated nose-down trim commands of the horizontal stabiliser'.  The aircraft might pitch down 'in increments lasting up to 10sec', says the order.  When that happens, the cockpit might erupt with warnings.  Those could include continuous control column shaking and low airspeed warnings – but only on one side of the aircraft, says the order.  The pilots might also receive alerts warning that the computer has detected conflicting airspeed, altitude and angle-of-attack readings. Also, the autopilot might disengage, the FAA says.  Meanwhile, pilots facing such circumstances might need to apply increasing force on the control column to overcome the nose-down trim. . . . They should disengage the autopilot and start controlling the aircraft's pitch using the control column and the 'main electric trim', the FAA say. Pilots should also flip the aircraft's stabiliser trim switches to 'cutout'. Failing that, pilots should attempt to arrest downward pitch by physically holding the stabilizer trim wheel, the FAA adds."

If I counted correctly, there are six separate actions a pilot is being told to take in the midst of a chaos of bells and whistles going off and his plane repeatedly trying to fly itself into the ground.  The very fact that the FAA issued such a warning with a straight face, so to speak, should have set off alarms of its own.  And after the second crash under similar circumstances, reason prevailed, but first with regulatory agencies outside the U. S.  Finally, the FAA complied with the growing global consensus and grounded the 737 Max planes until the problem could be cleared up.

When software acts on the output of a single sensor that conveys only one narrowly defined piece of information, with no cross-check against an independent source and no plausibility check on the value, and that sensor goes bad, the computer behaves like the broomstick in the Disney version of Goethe's 1797 poem, "The Sorcerer's Apprentice."  It goes into an out-of-control panic, and apparently the pilots found it was humanly impossible to ignore the panicking computer's equivalent of "YAAAAH!" and do the six or however many right things that were required to remedy the situation. 

It is here that an important difference between even the most advanced artificial-intelligence (AI) system and human beings comes to the fore.  It is the ability of a human being to maintain a global awareness of a situation, flexibly enlarging or narrowing the scope of attention as required.  The software, by contrast, kept acting on its one bad input as though nothing were wrong, and the design appears to have assumed that once the warnings reached the pilots, the rest was their responsibility.  But insufficient attention was paid to the fact that in the bedlam of alarms that a single failed sensor set off, some pilots, even though they were well trained by the prevailing standards, simply could not remember the complicated sequence of fixes required to keep their planes in the air.
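The two software points raised in these posts, the disagree alert that only worked when an unrelated optional display was installed (the Feb. 24, 2020 post above) and a control function that trusts one angle-of-attack sensor without cross-checking the other (this post), can be made concrete in a small model.  The following is an added illustration, not Boeing's code, and it does not claim to reproduce the real MCAS or alerting logic, whose details are not public in this form.  The thresholds (10 degrees for the alert, 5.5 degrees for the cross-check, 15 degrees for the nose-down trigger), the choice of which vane the single-sensor version trusts, and the sensor values in the scenario are all assumptions constructed for the example.

```python
"""Simplified model of (1) a disagree alert wrongly coupled to an optional feature
beside a version that depends only on the sensors it is about, and (2) a pitch
command that trusts a single vane beside one that cross-checks both vanes and
stands down when they disagree.  Added illustration only; not Boeing code.
All thresholds and readings are assumptions constructed for this example."""
from dataclasses import dataclass
from typing import Optional

DISAGREE_ALERT_DEG = 10.0     # assumed: vane split that should light the alert
CROSSCHECK_LIMIT_DEG = 5.5    # assumed: split beyond which automation must inhibit itself
STALL_WARNING_AOA_DEG = 15.0  # assumed: AoA above which nose-down trim would be commanded


@dataclass(frozen=True)
class AoaReadings:
    """Angle of attack in degrees from the left and right vanes."""
    left: float
    right: float

    def disagreement(self) -> float:
        return abs(self.left - self.right)


def disagree_alert_as_shipped(readings: AoaReadings, aoa_indicator_option: bool) -> bool:
    """Defective form: the alert is coupled to an optional display it has nothing
    to do with.  Without the option, a wildly split pair of vanes raises no alert,
    so a bad vane can fly for days without a mechanic ever hearing about it."""
    if not aoa_indicator_option:
        return False
    return readings.disagreement() >= DISAGREE_ALERT_DEG


def disagree_alert_fixed(readings: AoaReadings) -> bool:
    """Corrected form: the alert depends only on the sensor data."""
    return readings.disagreement() >= DISAGREE_ALERT_DEG


def nose_down_single_sensor(readings: AoaReadings) -> bool:
    """Trusts one vane (the left one, an assumption of this model).  A vane stuck
    at a high value commands nose-down trim although the other vane reads normal."""
    return readings.left > STALL_WARNING_AOA_DEG


def nose_down_crosschecked(readings: AoaReadings) -> Optional[bool]:
    """Acts only when both vanes agree.  Returns None when they disagree by more
    than CROSSCHECK_LIMIT_DEG, meaning 'inhibit and leave pitch to the crew':
    the function refuses to act on data it cannot trust rather than guessing."""
    if readings.disagreement() > CROSSCHECK_LIMIT_DEG:
        return None
    mean_aoa = (readings.left + readings.right) / 2.0
    return mean_aoa > STALL_WARNING_AOA_DEG


def evaluate(readings: AoaReadings, aoa_indicator_option: bool) -> dict:
    """Run one set of readings through all four functions and report the results."""
    return {
        "alert_as_shipped": disagree_alert_as_shipped(readings, aoa_indicator_option),
        "alert_fixed": disagree_alert_fixed(readings),
        "nose_down_single_sensor": nose_down_single_sensor(readings),
        "nose_down_crosschecked": nose_down_crosschecked(readings),
    }


if __name__ == "__main__":
    # Constructed scenario: left vane stuck high, right vane normal, and the
    # aircraft delivered without the optional AoA indicator display.
    stuck = AoaReadings(left=40.0, right=3.0)
    for key, value in evaluate(stuck, aoa_indicator_option=False).items():
        print(f"{key:24s} {value}")
```

Running the constructed scenario shows the two failure modes side by side: the shipped alert stays dark because the option is absent while the fixed alert lights, and the single-sensor command trims nose-down while the cross-checked version returns None and leaves pitch to the crew.  The design point is the last one: a safety function that cannot validate its input should inhibit itself rather than act, because an automation that acts on one unverified sensor turns one bad part into a hazard the crew must then fight.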

Early indications are that the 737 Max "fix," whatever software changes it involves, will also involve extensive pilot retraining.  We can only hope that the lessons learned from the fatal crashes have been applied, and that whenever such unusual sensor failures happen in the future, pilots will not have to perform superhuman feats of concentration to keep the plane from crashing itself.

Sources:  A news item about how Canadian regulators are looking at the pilot-overload problem appeared on the Global News Canada website on Oct. 5, 2019 at https://globalnews.ca/news/5995217/boeing-737-max-startle-factor/.  The November 2018 FAA directive to 737 Max pilots is summarized at https://www.flightglobal.com/news/articles/faa-order-tells-how-737-pilots-should-arrest-runawa-453443/.  I also referred to Wikipedia's articles on the Boeing 737 Max groundings, Chesley Sullenberger, and The Sorcerer's Apprentice. 

Monday, July 29, 2019

What Price Safety? The 737 Max 8 Saga Continues


In March and April, I blogged on the tragic and costly software problems plaguing Boeing's 737 Max 8 jetliner.  Briefly, after two crashes in Indonesia and Ethiopia in which a total of 346 people died, evidence pointed to a problem in the plane's flight-control software, and the U. S. Federal Aviation Administration (FAA) grounded the plane in March after numerous other nations had already done the same.  In May, Boeing claimed that it had fixed the software problem, and since then Boeing and the FAA have been running extensive tests to verify that the problem has in fact been solved.  On June 3, Boeing CEO Dennis Muilenburg said that he expected the FAA to declare the plane flightworthy by the end of the year, but declined to give a specific timeline. 

In the meantime, all 387 of the 737 MAX jets delivered to airlines are sitting on the ground instead of flying and generating revenue for the airlines that own them.  This has caused big headaches for both American Airlines and Southwest, which recently announced that it is terminating service to New Jersey's Newark Airport simply because it doesn't have enough planes owing to the MAX groundings.  And American's losses are running in the range of $400 million, largely due to the groundings.

Most of the time, when software fails to do what it should, the consequences are fairly minor.  If it's one feature on some software on your laptop that acts up, maybe you lose some work, or even get so turned off by the problem that you swear never to buy that software again. But you remain healthy and nobody dies.

Then there's the whole issue of software security, and making sure malevolent attacks don't disable or otherwise inconvenience users.  Software companies are used to dealing with such things by now, and generally stay up to date with patches that prevent hackers from doing major damage, as long as the users install the patches.

These kinds of environments are what most software developers are used to working in.  The bigger the organization and the more critical the software, the more bureaucracy is involved, but that's not necessarily a bad thing.  I spoke with a software engineer many years ago who worked for a regional telecommunications company.  She told me that she'd been spending most of the previous year on changing exactly one line of code.  The reason it took so long was that a bunch of other engineers had to take that change and try it out in all sorts of other situations and find out what its ramifications were, and whether it would cause problems down the road. 

Telecom companies are rather shielded from competition, and so taking a year to change one line of code may be fairly routine, I don't know.  So maybe we shouldn't be that surprised if it now takes six more months for the FAA to make sure that the changes Boeing has made in its 737 MAX 8s are really going to make things better and not otherwise. 

Thing is, the phone company didn't have to shut down and wait for my software engineer friend to finish her job.  But when software is intimately tied in with a multimillion-dollar piece of hardware that you can't use just a little of, and the software makes the whole thing unusable, it creates a spectacle that we haven't seen since the week or so after 9/11/2001 when all domestic U. S. flights were grounded.  And that period, plus the general fear of flying it engendered, hit the airlines with an economic punch that took them years to recover from.

Fortunately, the MAX 8 problem doesn't appear to have frightened people away from flying in general.  Because of the scarcity of seats, the airlines have been able to charge more, and so revenues at American and Southwest are actually up, despite the shortage of planes.  Nevertheless, Boeing has set aside nearly $5 billion in case it ends up having to pay its customers for loss of revenue, and lots of airlines around the world are going to think very hard before they place any more orders with Boeing.

Unlike mechanical failures, software failures are not simply a function of physics.  Software is so dynamic and dependent on the exact conditions and history of its environment that it is virtually impossible to "prove" it won't fail under any circumstances, except in rare and rather academic cases.  Formal verification of safety-critical code does exist and is used in avionics, but a proof only shows that the code meets its specification; by all accounts MCAS did what it was specified to do when handed one bad sensor reading, and a requirements failure of that kind is one no proof of the code would have caught.  Some day, I hope the whole history of this fiasco will come out, as it will be a fascinating study in how software engineering ethics failed in this instance, and it will harbor lessons for how safety-critical software should not be written. 

The problem with such a story may be that it could be too hard for anybody except specialized software engineers to understand.  But then again, it may boil down to management problems, as so many ethical issues do.  Already there has been speculation that the FAA was allowing Boeing to conduct too many of its own safety tests, and basically just taking Boeing's word for it that everything was okay.  Only when we have enough details about how the problems happened and how they were fixed, can we judge whether the FAA has been lax or negligent in this area.

In the meantime, software engineers everywhere except Boeing can be glad that their work is not going under the microscope of the FAA's inspection.  But there are plenty of other types of software that are life-critical:  for example, software for medical devices, automotive software, even the software that lets first responders communicate with each other.  A failure with any of these products can have life-threatening implications. 

So maybe the lesson here for software engineers is:  program as though your life depended on it.  If more programmers had that attitude, we'd all have much better software.  Maybe not so much of it, but that might not be a bad thing either.

Sources:  The report describing CEO Muilenburg's comments appeared on the CNBC website on June 3, 2019 at https://www.cnbc.com/2019/06/03/boeing-plans-to-fly-a-boeing-737-max-certification-flight-soon-ceo-says.html.  Reuters reported on Southwest leaving Newark at https://www.reuters.com/article/us-american-airline-results/boeing-737-max-groundings-plague-u-s-airlines-frustrated-southwest-exits-newark-idUSKCN1UK1N5.  I also referred to the Wikipedia articles "Boeing 737 MAX" and "Boeing 737 MAX groundings."

Monday, December 12, 2016

Hot-Air Ballooning Needs Down-to-Earth Regulation


On the morning of Saturday, July 30, 2016, a group of sixteen people gathered in a Wal-Mart parking lot in Central Texas before sunrise for what they hoped would be a thrilling and memorable experience.  Several of them were married couples or newlyweds.  Ross and Sandra Chalk were 60 and 55 but recently married, while John and Stacee Gore were both in their 20s and celebrating their third wedding anniversary that week.  Others showed up as a result of a birthday present given by a loving friend or relative.  All fifteen passengers were trusting balloon pilot Alfred Nichols to take them up in his hot-air balloon, give them a wonderful experience, and return them safely to earth.  But two out of three wasn't going to be good enough.

As often happens on summer mornings in this part of Texas, low clouds drifted through the sky.  But after a short delay, Nichols decided to fly anyway, and around 7 AM, shortly after sunrise, the balloon took off with fifteen passengers and the pilot.

Photos taken during the flight show patchy clouds and fog beneath the balloon.  Evidently Nichols decided to land near Maxwell, Texas, about forty miles southeast of Austin.  Utility-company records show that at 7:42 AM, something happened to trip a protective relay on a high-voltage transmission line crossing a cornfield.  First responders soon discovered that the balloon became entangled in the transmission line, caught fire, and crashed, killing all sixteen people aboard, including Nichols.  This was the worst balloon crash ever in the U. S., in terms of fatalities, and subsequent investigations have revealed some unsavory facts about Nichols and about the industry in general.

At a hearing held Friday, Dec. 9 in Washington, D. C., the National Transportation Safety Board (NTSB) presented documentation and evidence about the crash, which is still under investigation.  Toxicology reports show that Nichols had seven different prescription drugs at detectible levels in his body.  Prior to the crash, he had been convicted in Missouri of four charges of driving while intoxicated, and at the time of the crash was not allowed to drive a car in Texas.  Nevertheless, he held a valid commercial balloon pilot certificate.  Weather reports from the day of the crash show that the cloud ceiling had lowered to only 700 feet at the time of launch, and other balloon pilots present at the hearing agreed that they would not have flown under such conditions.  Nichols appears to have been a disaster waiting to happen.

We may be seeing a pattern that is all too familiar:  a new activity or business arises with no or minimal regulation, a tragedy results in headline-grabbing deaths, and only after the tragedy laws are amended to more properly regulate the activity or business.  Although hot-air balloons were the first form of human flight to be invented back in the 1700s, balloon rides were so infrequent, and the number of people involved so small, that a light-handed regulatory environment seemed to have sufficed for decades.  But this tragedy may mark the point at which regulations will catch up with the larger volume of customers taking rides in larger balloons that present a greater danger to more people than ever. 

The Federal Aviation Administration (FAA), recognizing these dangers, has established regulations for commercial hot-air balloon pilots, and makes them undergo rigorous tests, both on paper and practical ones in a working balloon.  But beyond that, pilots are largely left on their own to follow the elaborate advice in the 252-page Balloon Flying Handbook issued by the FAA.  Most commercial balloon operations are small, like the one-man show that Nichols ran, and lack the natural supervision that working for even a small charter-plane company would entail.  The solo nature of balloon flying, plus the fact that the same person piloting the balloon is probably the one who stands to profit the most if a full-capacity flight goes forward in hazardous conditions, means that there are built-in conflicts of interest in this type of flying that are not faced by pilots who work for major airlines, for example.  For this reason alone, one would hope that regulatory oversight would be at least as rigorous as it is for commercial charter-flight pilots of fixed-wing aircraft, not less.  As it is, however, there are not even any reliable statistics on how many flight hours are logged by commercial balloon pilots in the U. S., as some public-health experts researching the problem found in 2013. 

Part of the problem is that the regulatory question is caught in a turf war between the NTSB, which investigates transportation accidents of all kinds, and the FAA, which issues flight safety regulations and requirements for both flight equipment and pilots.  The NTSB has been pushing for tighter balloon-pilot regulations for years, but the FAA has so far refused to act, trusting to private balloon-pilot organizations to do self-enforcement.  In Nichols' case, at least, this kind of enforcement failed.

It's all very well to publish books of regulations and advice, but if enforcement is left solely up to the person who also stands to profit personally if the rules are flouted, the FAA is guilty of putting too much trust in fallible human nature.  Something along the lines of periodic background checks and even surprise drug tests should be implemented for commercial hot-air balloonists who take the lives of others into their hands.  Commercial balloons can carry as many as 32 passengers, and newspaper reports have pointed out that many charter and common-carrier fixed-wing aircraft don't carry that many passengers.  The bottom-line purpose of flight regulation is to protect the lives of passengers, and the FAA's creaky system for doing that for hot-air balloon riders crashed along with the sixteen people who lost their lives on that summer day.

Balloons tend to be associated in the public mind with fun, frivolity, and pleasant times.  The balloon Nichols was piloting had a big smiley face with sunglasses painted on it.  If people are going to continue to ride balloons for pleasure, we should make sure that they aren't putting their lives into the hands of someone who can't drive them to the takeoff point because of drunk-driving convictions.  I hope the FAA and the NTSB can work out their differences to revise hot-air ballooning regulations and policies so that the tragic crash last summer is the last one of that magnitude for a long, long time.

Sources:  I referred to reports of the NTSB hearing held Dec. 9, 2016 on the San Antonio Express-News website at http://www.mysanantonio.com/news/local/texas/article/NTSB-holds-hearing-on-balloon-crash-that-killed-10777463.php and KXAN-TV at http://kxan.com/2016/12/09/witnesses-recall-lockhart-hot-air-balloon-crash-that-killed-16/ and http://kxan.com/2016/10/07/hot-air-balloon-regulations-unchanged-despite-deadly-crash/.  The paper "Hot-Air Balloon Tours:  Crash Epidemiology in the United States, 2000-2011" by S.-B. Ballard, L. P. Beaty, and S. P. Baker, was published in Aviation, Space, and Environmental Medicine in 2013 in vol. 84, pp. 1172-1177, and is available online at
The FAA's "Balloon Flying Handbook" is available as a download at https://www.faa.gov/regulations_policies/handbooks_manuals/aircraft/media/FAA-H-8083-11.pdf.

Monday, March 28, 2016

Drone Delivers to Doorstep: What Next?


Last Friday, Mar. 25, the Nevada startup Flirtey announced that it had made the first successful package delivery to a residential area in the U. S. with an autonomous drone (not steered by a person on the ground).  The demonstration flight, which was completed Mar. 10, carried a package of emergency supplies half a mile through the air to the porch of a vacant house outside Reno, Nevada.  Although large corporations such as Amazon and Wal-Mart have been toying with the idea of drone deliveries, Flirtey attributed its first to experience it has gained with similar tests in Australia and New Zealand.  It turns out that several other countries are more welcoming to commercial drones than the U. S., where strict FAA rules are still in place that are limiting commercial drone operations involving deliveries to test flights such as this one.

What does this achievement mean for a number of groups that may be affected by it:  consumers, companies in the delivery business, and people who earn a living delivering packages?

First, the consumer.  Whenever I thought of drone delivery in the past, I couldn't help but imagine how things could go wrong:  inadvertent haircuts from the propeller blades, for example.  Flirtey plans to avoid this sort of thing by keeping the drone itself at an altitude of around 40 feet (12 meters) while the package itself is lowered to the ground on a retractable cord leading to some sort of grappling hook that releases when the package hits the ground.  So unless you're asleep on the porch and the drone happens to land your box of live Maine lobsters on your head, chances are small that the drone will run afoul of living creatures on the ground.  Birds are another matter, of course, but I'm sure the Flirtey engineers have ways of dealing with them too. 

Although an engineer was killed in an accident involving a large experimental drone in 2013, no injuries or fatalities have so far resulted from a civilian drone colliding with a standard aircraft.  The FAA would like to keep it that way, and news reports of the Flirtey flight also mention that NASA is working on air-traffic-control software for drones.  It's possible that the authorities will work out something like the present direction-altitude rules for large-scale aircraft, but on a smaller scale.  Commercial pilots follow the "odd north east" rule:  if your plane's heading is anywhere from north to east to south, your altitude must be an odd number of thousand feet plus 500 feet, and if your bearing is westerly, you have to be at an even number of thousand plus 500.  So it would be easy to make a similar rule for tens of feet instead of thousands for drones.  It wouldn't solve every potential collision problem, but it would help.
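The "odd north east" rule as a checker, with the step size as a parameter so the post's hypothetical tens-of-feet version for drones can be tried beside the thousands-of-feet version for aircraft.  This is an added example, not code from the post; the 10-foot drone variant is the post's suggestion, not an FAA rule, and the sample traffic is constructed.

```python
"""Hemispheric cruising-altitude rule: headings from north through east to
south (0-179 degrees) fly odd multiples of the step plus half a step; westerly
headings (180-359) fly even multiples plus half a step.  Added example; the
10-foot "drone" step is the post's hypothetical, not a regulation."""
import math


def required_parity(heading_deg):
    """1 (odd) for headings 0-179, 0 (even) for westerly headings 180-359."""
    return 1 if (heading_deg % 360) < 180 else 0


def is_compliant(heading_deg, altitude_ft, step_ft=1000):
    """True when altitude == n*step + step/2 and n has the parity the heading needs."""
    half = step_ft // 2
    n, rem = divmod(int(altitude_ft), step_ft)
    return rem == half and n % 2 == required_parity(heading_deg)


def nearest_legal_altitude(heading_deg, desired_ft, step_ft=1000):
    """Closest compliant altitude to desired_ft; ties go to the lower altitude."""
    parity = required_parity(heading_deg)
    half = step_ft // 2
    n0 = math.floor((desired_ft - half) / step_ft + 0.5)  # nearest n, parity ignored
    candidates = [n0] if n0 % 2 == parity else [n0 - 1, n0 + 1]
    candidates = [n for n in candidates if n >= parity]   # no negative multiples
    return min((n * step_ft + half for n in candidates),
               key=lambda alt: (abs(alt - desired_ft), alt))


def assign_altitudes(requests, step_ft=1000):
    """requests: iterable of (ident, heading_deg, desired_ft) -> {ident: altitude}."""
    return {ident: nearest_legal_altitude(hdg, alt, step_ft)
            for ident, hdg, alt in requests}


def opposing_traffic_conflicts(requests, step_ft=1000):
    """Pairs flying in opposite hemispheres that were given the same altitude.
    The rule guarantees this list is empty: opposite hemispheres get opposite
    parities, so their altitudes differ by at least one step."""
    assigned = assign_altitudes(requests, step_ft)
    heading = {ident: hdg for ident, hdg, _ in requests}
    idents = list(assigned)
    return [(a, b) for i, a in enumerate(idents) for b in idents[i + 1:]
            if required_parity(heading[a]) != required_parity(heading[b])
            and assigned[a] == assigned[b]]


# Constructed sample: four drones wanting about 40 ft, two eastbound, two westbound.
DRONE_REQUESTS = [("d1", 90, 40), ("d2", 270, 40), ("d3", 45, 42), ("d4", 200, 38)]

if __name__ == "__main__":
    print(assign_altitudes(DRONE_REQUESTS, step_ft=10))
    print(opposing_traffic_conflicts(DRONE_REQUESTS, step_ft=10))
```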

Large organizations whose business includes deliveries of small packages are eagerly awaiting the day when they can take advantage of drones.  While computerized scheduling and routing has improved the efficiency of manned delivery operations, the actual physical delivery process of packages to homes hasn't changed much since the invention of the automobile.  Currently, the FAA rules require that delivery drones always be within sight of the operator.  That's going to involve an operator for a while yet, but you can picture one delivery guy getting a lot more done with the help of two or three drones in a densely populated neighborhood.  Of course, a package on a string can't go into an apartment complex and take the elevator to the 14th floor, but you've got to start somewhere.  So the initial operations will probably be a hybrid thing, with the delivery driver going to a central location, loading drones, and sending them to do the last run of a few hundred feet to individual houses.

Inevitably, that will lead to layoffs among delivery personnel, although with the seasonal nature of the delivery business, at first it might just mean that UPS and similar services won't hire as many temps during the Christmas rush as they used to—they'll just add more drones.  But if the rules eventually allow more nearly autonomous operation of drones, the unattended parts of the flights will be longer, and fewer live drivers will be needed.  And one more type of job that is currently open to someone with only a high-school education will become history.

This is not unalloyed bad news.  The nation survived the demise of the milkman in most parts of the country, and before that the iceman.  But as the current election cycle is demonstrating, for some time now the U. S. economy has been doing a fairly poor job of employing people with less than a college education, and there are lots of people out there who feel that they have gotten the short end of the economic stick.  And a good many college-educated workers with degrees in non-professional areas are underemployed, doing jobs for which they are overqualified.  This is not the place to go into this complex and many-faceted problem, but we simply note that technology is often a destabilizing force.  If you are stably under the thumb of a dictatorship, destabilizing can be good.  But just making things less stable by itself is not always helpful. 

It doesn't look like we will be getting packages from Federal Express floating down from the sky any time soon.  For whatever reason, the FAA has decided to make haste slowly on commercial drones, while other countries speed ahead.  That may give time for the job market to readjust more gradually to the future realities of the delivery business, however it is affected by the advent of drones.  The fact that the first package delivered was emergency supplies reminds us that there are disaster scenarios for which delivery drones will be a Godsend.  And nobody should resent that.

Sources:  Numerous outlets carried the news of Flirtey's accomplishment. I referred to reports on the websites of the Christian Science Monitor at http://www.csmonitor.com/Business/2016/0326/Startup-Flirtey-drone-delivery-is-good-news-for-nacent-industry (by the way, the word meaning budding or fledgling is spelled "nascent," not "nacent"), and Fortune at http://fortune.com/2016/03/25/flirtey-drone-legal-delivery-urban/.  I also referred to the Lapeer Aviation website http://www.lapeeraviation.com/odd-north-east/ for information about the "odd-north-east" rule. 

Monday, March 09, 2015

ICAO To Airlines: Watch Where You're Going (Every 15 Minutes)


Once in a great while, I have the satisfaction of making a prediction or calling for a certain action in this blog, and then seeing the called-for event actually come to pass.  Last month, the International Civil Aviation Organization (ICAO) issued a new set of tracking requirements for airlines in participating countries, which means just about every airline that flies in more than one country.  While a formal vote on the requirements won't happen till later in the year, the slow-moving machinery of the United Nations—of which the ICAO is a part—has finally creaked into action.  So it may not be too much to hope that the kind of situation that has kept the destiny of Malaysia Flight 370 a mystery to this day can be avoided in the future, or at least that such incidents will produce data that will make the plane easier to find.

Flight 370, which disappeared a year ago March 8, was supposed to stay within range of ground-based tracking radars.  But when it veered way off course toward the open ocean for reasons that are still unknown, the limited-range ground radars lost contact with it, and an onboard satellite-tracking system was not working, possibly because it was intentionally disabled.  The upshot was that once the flight disappeared, investigators had to use some arcane technical tricks to estimate the flight's last known location, and the resulting poor accuracy and long gaps between known locations have left searchers stuck with many thousands of square miles of ocean to cover.  The plane may never be found.

Back in January, I blogged on this tragedy and noted that the U. S. National Transportation Safety Board (NTSB) was urging the Federal Aviation Administration (FAA) to adopt improved flight-location technology.  I also noted that while this move would help us to find international flights operated by US carriers, a truly international solution would have to await action by the ICAO, which has now begun to act.

As reported in a recent Associated Press article, the ICAO rules would require each airline to get location updates for all their flights every 15 minutes.  How they get the updates is up to the airlines.  Deep-pocketed operations such as Air France already have automatic satellite-location systems in place, and probably either already meet the requirements or can change their operations slightly to comply.  Less well-funded airlines can fall back on having their pilots look at their pocket GPS they mail-ordered from Walmart and use their shortwave radios to report their position.  Any way will do, says the ICAO, but you have to update your flight locations every 15 minutes.  If the rules are approved, this requirement will go into effect in 2016, which is by UN standards almost instantaneously. 

A second part of the ruling pertains to automatic flight-location technology, typically a satellite link.  By 2020, all new airplanes carrying more than 19 passengers will have to go into a minute-by-minute location transmission mode if an emergency occurs such as a steep dive or significant deviation from the flight plan.  The five-year delay from now would give airframe manufacturers and their customers time to ready the technology and the money to pay for it, respectively. 
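A simplified model of the two ICAO requirements just described: a routine 15-minute position report, an onboard switch to minute-by-minute reporting when a steep dive or a large deviation from the planned route is seen, and a ground-side check that flags flights whose reports are overdue.  This is an added example, not the post's or ICAO's own logic; the two intervals come from the post, while the descent-rate and cross-track thresholds, the route and the sample reports are constructed assumptions.

```python
"""Constructed model of 15-minute routine tracking plus 1-minute distress
reporting.  Intervals follow the post; thresholds and data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import math

EARTH_RADIUS_NM = 3440.065                 # mean Earth radius, nautical miles
NORMAL_INTERVAL = timedelta(minutes=15)    # routine airline position update
DISTRESS_INTERVAL = timedelta(minutes=1)   # minute-by-minute emergency mode
STEEP_DESCENT_FPM = 4000.0                 # assumed: faster descent counts as a dive
MAX_CROSS_TRACK_NM = 20.0                  # assumed: larger offset counts as off-plan


@dataclass
class Report:
    flight: str
    time: datetime
    lat: float      # degrees, north positive
    lon: float      # degrees, east positive
    alt_ft: float


def great_circle_nm(lat1, lon1, lat2, lon2):
    """Haversine distance in nautical miles."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_NM * math.asin(math.sqrt(a))


def initial_bearing_rad(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    y = math.sin(dlmb) * math.cos(p2)
    x = math.cos(p1) * math.sin(p2) - math.sin(p1) * math.cos(p2) * math.cos(dlmb)
    return math.atan2(y, x)


def cross_track_nm(lat, lon, start, end):
    """Signed distance from (lat, lon) to the great circle from start to end
    (positive = right of track); start and end are (lat, lon) tuples."""
    d13 = great_circle_nm(start[0], start[1], lat, lon) / EARTH_RADIUS_NM
    b13 = initial_bearing_rad(start[0], start[1], lat, lon)
    b12 = initial_bearing_rad(start[0], start[1], end[0], end[1])
    return math.asin(math.sin(d13) * math.sin(b13 - b12)) * EARTH_RADIUS_NM


def descent_rate_fpm(prev, cur):
    minutes = (cur.time - prev.time).total_seconds() / 60.0
    return (prev.alt_ft - cur.alt_ft) / minutes if minutes > 0 else 0.0


def next_report_interval(prev, cur, route_start, route_end):
    """Onboard logic: drop to the 1-minute interval on a steep dive or a large
    lateral deviation from the planned route, otherwise keep the 15-minute one."""
    if descent_rate_fpm(prev, cur) >= STEEP_DESCENT_FPM:
        return DISTRESS_INTERVAL
    if abs(cross_track_nm(cur.lat, cur.lon, route_start, route_end)) > MAX_CROSS_TRACK_NM:
        return DISTRESS_INTERVAL
    return NORMAL_INTERVAL


def overdue_flights(reports, now):
    """Ground-side check: flights whose latest report is older than the
    15-minute requirement, mapped to minutes overdue."""
    latest = {}
    for r in reports:
        if r.flight not in latest or r.time > latest[r.flight]:
            latest[r.flight] = r.time
    overdue = {}
    for flight, t in latest.items():
        late = now - t - NORMAL_INTERVAL
        if late > timedelta(0):
            overdue[flight] = late.total_seconds() / 60.0
    return overdue


# Constructed sample: a planned route due north along the 100 E meridian.
ROUTE = ((0.0, 100.0), (30.0, 100.0))
T0 = datetime(2015, 3, 1, 10, 0)
NOW = T0 + timedelta(minutes=30)
ON_TRACK = [Report("TST1", T0, 9.0, 100.0, 35000),
            Report("TST1", T0 + timedelta(minutes=15), 10.0, 100.0, 35000)]
DIVING = [Report("TST2", T0, 9.0, 100.0, 35000),
          Report("TST2", T0 + timedelta(minutes=1), 9.1, 100.0, 30000)]
OFF_TRACK = [Report("TST3", T0, 9.0, 100.0, 35000),
             Report("TST3", T0 + timedelta(minutes=15), 10.0, 101.0, 35000)]

if __name__ == "__main__":
    for pair in (ON_TRACK, DIVING, OFF_TRACK):
        print(pair[1].flight, next_report_interval(pair[0], pair[1], *ROUTE))
    print(overdue_flights(ON_TRACK + DIVING, NOW))
```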

By specifying in the 15-minute rule the desired outcome rather than the technology required to achieve it, the ICAO has done a clever thing.  Each airline can tailor its response to its own circumstances and adopt an approach that doesn't place an undue burden either on the flight crew or on the airline's budget for new equipment.  For reasons that are not clear, but may have to do with relationships between large avionics companies and the federal government, FAA rules tend to be much more prescriptive of exactly how certain goals are to be achieved technologically.  Historically, the FAA owned and operated much of the technology itself, so naturally the agency got in the habit of telling the airlines what matching equipment they needed.  But nowadays, the central-control model is pretty old-fashioned and is being superseded by distributed technologies that rely upon a combination of public, private, and open-source resources to work.  Safety-critical technologies are a breed apart, and a certain level of standardization and certification is reasonable.  But I wonder if things might move a little faster in domestic aviation technology if the FAA took a hint from the ICAO, and moved toward simply telling airlines what is to be achieved, and let the firms themselves figure out how to achieve it.

All this comes too late to help those on the ill-fated Flight 370, which is probably—but not for sure—somewhere at the bottom of the Indian Ocean.  The death of a loved one is always a tragedy, but there must be a special pain associated with not knowing anything about the person's final hours, and what mischance caused their demise.  Sooner or later, someone will probably find the wreckage, and if enough evidence can be recovered it may be possible to reconstruct what happened.  But in the meantime, I hope that the proposed new ICAO rules will make it much less likely that airlines will simply lose track of a plane while someone runs off with it, and can even prevent such incidents from occurring in the future.

Sources:  The article "Airlines move to better track their planes" by Scott Meyerowitz and David Koenig was carried by numerous newspapers, including the Deseret News on Mar. 3, 2015 at http://www.deseretnews.com/article/765669470/Airlines-move-to-better-track-planes-a-year-after-Flight-370.html.  My post "High Time for Satellite Tracking of All International Flights" appeared on Jan. 26, 2015.

Monday, January 26, 2015

High Time for Satellite Tracking of All International Flights


This coming March 8 will mark one year since Malaysia Airlines Flight 370 disappeared from radar en route from Kuala Lumpur to Beijing somewhere over the Indian Ocean.  The wreckage has never been found, although communications experts used some almost accidental satellite-transponder data to estimate the last known location of the plane.  At the time, I recall thinking that if I was an airline and owned a number of high-value mobile assets known as airliners, I would want some way of knowing where each one was every minute or so, anywhere in the world.   After all, the technology for tracking the much cheaper assets called semi-trailer trucks has been around for years.  The little white domes on truck cabs report minute-by-minute locations to a data center where operators can pay a monthly fee to any one of a number of firms to keep tabs on shipments, and truck drivers too, for that matter.  But there is no international requirement for airlines to do the same.

Last week, the U. S. National Transportation Safety Board (NTSB) waded in with a recommendation for all passenger airliners to be equipped with improved location technology.  The board admitted it was motivated partly by Flight 370's disappearance, and called both for improvements in in-flight tracking and in "black-box" technology. 

The in-flight tracking part seems to be pretty straightforward technologically.  It would operate more or less the same way as the truck-tracking system.  Every minute or so, a GPS receiver on the plane would send its location to a satellite in view, and the satellite would relay that information to a data center, where it would be logged and made available in the event of an incident of interest.  The only slightly tricky part would be identifying which satellite to use.  But there are already geostationary satellites in orbit such as Inmarsat which provide virtually world-wide coverage, and the missing bits of Earth near the poles could be made up for by linking to numerous low-earth-orbit satellites in polar orbits. 

The technology is not nearly so much a hurdle as the cost and the peculiar structure of international aviation regulations.  The NTSB's recommendations went to the U. S. Federal Aviation Administration, and if the FAA adopts them they will be obligatory for all U. S. airlines—but nobody else.  Because the U. S. operates only a fraction of international flights over large bodies of water where the technology would be most useful, the idea will not succeed without international cooperation, and that means the International Civil Aviation Organization, or ICAO.

The ICAO is a United Nations body in charge of international standards for, well, civil aviation, as you might expect.  As such, its rulings have no force of law in individual countries unless the countries' own aviation regulations require that its carriers follow ICAO rules as well, which most do.  It was a 2008 ICAO ruling, for example, that required all air traffic controllers and flight crew members involved in international flights to be proficient in English.  I'm rather surprised that it took until 2008, but after all, everything takes a while at the UN.

The question is whether and when the ICAO might follow the NTSB's lead if the NTSB prevails with the FAA to make international-flight GPS tracking mandatory.  Enough alphabet soup for you?  The whole process—from tragic accident to technical recommendations to changes in laws and regulations—is typical of how safety technology develops in coordination with regulations requiring its use.  And the regulatory part is particularly tricky when it involves spending money.  The requirement that pilots speak English can be met by changing hiring practices, but GPS tracking will involve both up-front and ongoing expenses for new hardware—which itself needs to be standardized somehow—and rental fees to the commercial firms that operate the satellite transponders used to convey the location data.  Fortunately, we are not talking about large bandwidths here—the equivalent of a single cellphone text message every minute or so would be sufficient.  But coordinating all this will take some doing, and coordination of any kind at the level of the ICAO is a challenging and slow-moving process at best.  If they took till only seven years ago to agree on a common language for radio communications from international flights, the ICAO isn't going to churn out new GPS-location rules overnight, you can be sure. 

The other part of the NTSB recommendations concerns the nature of the onboard flight data recorders.  Now that video cameras and recording equipment are so inexpensive, the NTSB says we should have cockpit video as well as audio recorders, and that controls for the entire system should be inaccessible from the cockpit.  (There is some suspicion that the radar-transponder system of Flight 370, which works only within range of ground-based tracking radars, was intentionally disabled by the pilot.)  Also, the NTSB floated the idea (so to speak) that the flight recorders should be housed in buoyant housings and ejected upon impact so that they can remain on the surface, where their radio signals could be more easily received than the limited-range and limited-time sonar emissions that the units currently send out underwater. 

All these are good ideas, and if the FAA adopts them they will make an already safe U. S. air-travel system even safer, or at least increase the likelihood of finding any flights that go down in deep water.  And the information from such accidents is always valuable in preventing the next one, whether it was caused by mechanical failure, human error, or evil intent.

Nevertheless, I am not going to be holding my breath until the ICAO follows suit.  You would think that the international carriers themselves would have adopted something similar to the truck-tracking systems years ago, but there may be a mentality in place that makes such a system seem unnecessary because of the vanishingly small number of incidents in which it would turn out to be useful.  But once GPS tracking for international flights is in place, I bet folks find other uses for it, for things like fuel-economy efforts and even weather tracking.  But first, the ICAO has to get in gear, so stay tuned.

Sources:  The article "NTSB:  Planes Should Have Technologies So They Can Be Found" by Joan Lowy of the Associated Press was carried by numerous outlets, including ABC News on Jan. 22 at http://abcnews.go.com/Politics/wireStory/ntsb-planes-technologies-found-28409934.  I also referred to Wikipedia articles on Malaysia Airlines Flight 370, Inmarsat, and the ICAO.

Addendum Feb. 1:  Edwin Doetzel wrote me on Jan. 31 as follows:

"Your analysis of MH370 contained a couple issues:
Airliners do often have SATCOM tracking 'like trucks'.  On MH370, this system was turned off along with the radio transponder.
ADS-B is the new satellite based air traffic control system that will replace the radio based air traffic control system and is already being implemented through efforts by NAVCanada and ICAO.
What is currently in discussion are new systems such as AFIRS that would stream amounts of data automatically or by trigger in an emergency as well as explosive jettisoned FDR/CVR units.  Knowing where an aircraft was is of course not enough without the detailed DAQ information that might explain why the emergency happened and what action was taken by the flight crew.  A truck's limited DAQ can be retrieved from the ditch.  Please be assured that an airliner is a much more sophisticated system than a truck.
It was somewhat troubling to see such an article on an 'engineering ethics' blog.  With respect, it would seem that you are speaking outside your professional scope.  A retraction would appear appropriate.
Regards,

Edwin Doetzel

Lay Person"


It was careless of me to imply that airliners had no such tracking systems, and I apologize for leaving that impression.  In the space I had, I meant to concentrate not so much on the technology as on the international coordination that would be needed to implement it uniformly so that flights such as MH370 would not slip through the cracks.  My thanks to Mr. Doetzel for the correction.

Monday, January 05, 2015

Will 2015 Be The Year Commercial Drones Take Off?


If you had been in Boulder City, Nevada last December 19, you would have found Governor Brian Sandoval, a U. S. senator, U. S. Federal Aviation Administration (FAA) officials, and representatives of a company that manufactures the Magpie, an unmanned aircraft, all gathered to watch the first official test flight at one of six new test facilities the FAA has established to explore how "unmanned aircraft systems" (UASs for short) can safely use the same airspace that is now occupied by manned aircraft.  A video of the test flight shows a man holding what looks like a large model plane.  At a signal, he heaves it into the air.  It flies about twenty feet and nose-dives into the gravel, bending its nose propeller and eliciting a groan from the crowd.

It wasn't exactly an auspicious start to a program that the FAA has undertaken to fast-track new regulations that will accommodate the increasing pressure on the agency to allow legal commercial use of UASs, commonly called drones, far beyond what present regulations permit.  But at least nobody was hurt, except maybe in the pride department.  As I noted in this space over a year ago, experimental drones can be deadly—a large one went amok in South Korea in 2013 and killed an engineer. 

What we are seeing in commercial drone development is a pattern that has played out repeatedly in one form or another whenever a potentially profitable technology outpaces the ability of a regulatory agency to adapt to it.  True to its generally good reputation among government agencies, the FAA is trying to catch up to the rapid advances in commercial drone technology.  But if history is any guide, we are in for some stirring times first.

Something similar happened when advances in radio technology during World War I led to the explosion of radio broadcasting stations in the early 1920s.  The creaky regulatory mechanism of the time stated that the Department of Commerce, which was charged with the task of regulating the new medium, could not deny licenses to any qualified applicant.  As a result, the airwaves got so crowded that in some locations radios were practically unusable.  Congress eventually acted, first by establishing the Federal Radio Commission in 1927, and then following it with the Federal Communications Commission in 1934, under whose ministrations we still operate today. 

Fortunately, the FAA is already up and running, so the situation is not as wild-westish as it could be.  The main issue facing the agency is not lack of regulatory authority—it has plenty of that—but the question of how to allow drones into the air in a way that both allows innovative commercial uses and preserves the exemplary safety record of U. S. air flights that has been achieved in recent years.  The experimental test sites the FAA has set up (besides Nevada, there are locations in Alaska, New York, North Dakota, Texas, and Virginia) can play a critical role in both uncovering unknown potential problems and in finding practical solutions to them.

Just as radio benefited from wartime technology advances, commercial drones benefit from the longer history and huge development effort that has gone into military drones.  In addition, advances in high-density batteries, software, and navigational aids such as GPS systems make it technically possible for drones to travel long distances autonomously.  However, the FAA is still uncomfortable with that.

The way things stand now, there are three classifications of drone regulations.  The only one that doesn't require the operator to obtain special permission is the hobby and recreational class, which has applied to operators of model aircraft for decades.  If you are a researcher, drone developer, or someone who has other good reasons to do not-for-pay work with drones, you can apply for a "civil UAS" permit.  Law enforcement agencies and other public organizations can obtain Certificates of Waiver or Authorization to conduct operations relating to their work.  But before the likes of Jeff Bezos can start delivering Amazon orders via drone, the rules—and maybe the technology too—will have to change. 

I'm going to go out on a limb here, but the start of a new year is a good time for making predictions, and if the following pans out, you heard it here first.  Let it be understood at the outset that I think the following would be a bad idea.  But that doesn't mean that somebody won't try it.  In 1982, a guy with more bravado than sense named Larry Walters tied a few dozen helium balloons to a lawn chair and floated over Long Beach until his balloons got tangled in a power line and he made it safely back to the ground.  I don't know what the payload capability of current small quadcopter-like drones is, but at some point, somebody will have the idea of ganging a bunch of them together to lift the weight of a small person.  This would be more of a stunt than a practical way of transporting people, but if the machines get cheap and powerful enough, it will happen. 

Of course, the FAA would disapprove of such a thing, and rightly so.  But if we do start seeing small packages being delivered by drones, it will happen only if the FAA and industrial interests figure out how to have all that air traffic moving safely and keeping out of the way of buildings, power lines, and giraffes, for that matter.  And if that infrastructure problem is solved, and battery technology advances to the point that you could safely build a helicopter-like backpack that was totally under software control, maybe we could see the day when people could literally fly to work.  Unless it rains, of course.

Sources:  The FAA's overall UAS website is https://www.faa.gov/uas/, and their site stating the rules for hobby and recreational model-airplane flying is http://www.faa.gov/uas/publications/model_aircraft_operators/.  I referred to a report on the Nevada test flight of Magpie carried by Gizmodo at http://gizmodo.com/first-drone-launches-at-faa-test-site-in-nevada-crashe-1673586255.  The six FAA UAS test locations are given at http://gizmodo.com/federal-drone-testing-is-coming-to-these-6-scenic-locat-1491708151.  Business Insider was the source of the commercial drone market estimate at http://www.businessinsider.com/the-market-for-commercial-drones-2014-2.  My blog "Drones, Air Safety, and the FAA" appeared on Nov. 4, 2013.