It’s becoming more evident that the 737 MAX Lion Air and Ethiopian Airlines crashes implicate airplane design, flight testing, and certification. And regardless of how crew performance in these events is eventually adjudged, there’s a growing consensus that airline pilot training is an important issue that needs addressing.
Questions yet to be answered are how the 737 MAX 8, with such different handling characteristics, got certified as just another 737 model and whether, during design, testing and certification, all failure modes were fully explored. Also, why, after more than two years in airline service, didn’t the MCAS draw deep scrutiny because of its unusual malfunction pitching characteristics? How often did pilots resort to runaway stabilizer procedures to address such conditions? Hard to believe that, after all this time, a multitude of similar events wasn’t written up as post-flight discrepancies and flagged back to Boeing for a remedy.
The latest information is that the 737 MAX 8’s MCAS malfunctions cause much more pronounced pitch disruptions than the standard flight simulator runaway stabilizer scenarios. Yet, according to media reports, pilots on the previous flight before the Lion Air crash experienced irregular stabilizer activity and, after switching the stabilizer trim system off, trimmed manually and continued to destination.
But if the stabilizer was allowed to get very far out of trim, which is what appears to have occurred in the Ethiopian crash when stabilizer trim switches were re-engaged, air loads on the stabilizer might have been enough to prevent manual trimming. Old timer 707 and 727 pilots knew that in runaway stabilizer situations, hand cranking the stabilizer would be impossible if too much opposite force was simultaneously applied to the control wheel. The wheel had to be relaxed to unjam the stabilizer jackscrew. Findings are still preliminary.
First, a discussion about pilot training, which transcends even the last two 737 MAX accidents, then we’ll discuss airplane design. With airlines expanding around the world, staffing airline cockpits is a mounting challenge particularly in less developed countries. Airbus forecasts the need for more than a half million new airline pilots to accommodate airline growth and pilot retirements in the next 20 years. In a recent Aviation Week & Space Technology article, Airbus’s head of training, Michel Bigarre, expressed concern that the level of training and standards around the world needs to be reckoned with. According to the article, Airbus safety experts see “strange things in poor countries where air transport is growing fast and there’s suspiciously quick pilot qualification and fraudulent flight hour accounting.”
According to press reports, the Lion Air captain had about 5000 hours and the copilot had 6000. The Ethiopian Airlines captain, according to the preliminary report, had 8122 and the copilot 361. That’s right, 361! But, hours in the seat are at best only a component of competence. Mastering flying basics academically and in the cockpit and building on that in more complex aircraft in a structured syllabus should be the minimum common denominator of every airline pilot. Hopefully, final accident reports will define how the crews performed and to what degree their experience weighed on events.
Airbus, to its credit, is the first major airliner manufacturer to acknowledge that new pilots coming to airlines, particularly in less developed areas of the world, do not necessarily have the basic competencies to operate their planes and that the burden to provide the training shouldn’t fall entirely on airlines. Accordingly, they’ve started affiliated ab-initio pilot training schools with about an 18-month ground school and flight syllabus focused on key pilot technical and behavioral skills. The first opened in Mexico last December; another is planned to open in May at the Airbus Flight Academy in France.
Military flight training programs use this approach, starting with a rigorous pre-admission exam and flight physical before entering the program. More than a half century ago when I went through naval flight training, the washout rate was about 30% for all reasons. It’s intense, compressed and demanding – and turns out young aviators with about 250 hours in 18 or so months who feel as comfortable flying upside down as right side up and can safely land a jet on an aircraft carrier.
As to how flight control design might have contributed to the two 737 MAX accidents, the conflicting philosophies of Boeing and Airbus are worth a discussion. Both manufacturers incorporate fly-by-wire (FBW) flight controls on their newest planes. The 737 MAX, a derivative of earlier 737s dating back more than 50 years, is the exception. It has the same basic analog direct control arrangement as earlier 737s except for the MCAS.
Boeing’s philosophy affords pilots full unrestricted control authority. There is a difference in control feel on Boeing FBW planes when limits are reached, but one has only to tug or push harder to go beyond those limits. Boeing acknowledges that pilots may not perform perfectly in those times when perfection is required. For example, on FBW planes like the 777, automation assists in engine failure emergencies with a thrust asymmetry compensation (TAC) system to automatically trim out yaw. Such a system would have prevented the 747SP high dive incident that will be discussed shortly.
But overall, Boeing’s logic is that engineers can’t anticipate all possible inflight irregularities and pilots need unrestricted ability to do what needs to be done, even if it exceeds basic transport certification design limits of -1g to +2.5g. A Boeing pilot could, if he or she wanted to, roll their plane 360 degrees. Done properly, it’s a perfectly safe 1g maneuver.
That’s exactly what happened at Seattle’s Boeing Field 64 years ago in front of Boeing’s chairman, Bill Allen, and a group of airline executives gathered to watch a flyby of the four-engine Dash 80 (precursor to the Boeing 707). To Allen’s horror, chief test pilot “Tex” Johnston came in low and fast pulling up into a shallow climb while gracefully rolling the Dash 80 360 degrees. Airline executives were impressed and awed at the Dash 80’s performance and maneuverability. The story passed down among airline executives is that Allen called Tex into his office and demanded to know: “What the hell were you doing up there?” Tex responded: “Selling planes!”
A more serious event occurred in 1985 which according to Boeing validates its design philosophy. A China Airlines 747SP en route from Taipei to Los Angeles cruising at FL410 had a number 4 engine failure accompanied by the autopilot disconnecting. The surprised crew failed to correct with left rudder and the plane rolled right, entering a steep dive. After descending over 30,000 feet in a steep rolling dive, the captain was able to recover control at 9500 feet.
During the high g recovery, horizontal stabilizer and elevator parts separated but enough of the stabilizer and elevators remained to permit the plane to divert and land safely at San Francisco Airport. Maximum vertical g’s were +4.8 at FL305 and +5.1 at FL190! The NTSB concluded that the captain’s over-reliance on the autopilot following loss of the number 4 engine, and failure to monitor flight instruments, caused the loss of control and subsequent dive. Had the controls been flight envelope g-restricted, recovery wouldn’t have been possible.
Airbus takes an opposite view on flight control design, constraining maneuverability to structural (g) limits and aerodynamic stall limits. Lots of redundant flight control computers (FCC) do all the thinking and protect the plane’s normal flight envelope. For example, A330s and A340s have three primary flight control computers and two secondary computers, all dual channel, making a total of 10. They limit pitch to +30 and -15 degrees and bank to 67 degrees (which equates to +2.5 g in level flight).
Single or multi computer failures are “voted out” by the remaining primary and secondary flight control computers. Computers control airplane response as a function of side stick direction, rate, g loading, and range of side stick movement. Airbus’s FBW FCC pitch and roll responses are uniform throughout the Airbus fleet from the A320 to the A380. There’s no need for something like the 737 MAX’s MCAS because flight control laws make pitch and roll response the same from model to model.
An A380 or A340 number 4 engine failure in cruise flight like the 1985 China Airlines 747SP event wouldn’t have progressed to a yaw-coupled rolling dive even if the pilots sat on their hands and watched. Thrust would have increased to maximum climb in an attempt to hold cruise speed while rudder trim automatically zeroed out yaw. If the plane was above its three-engine ceiling, speed would bleed off while the plane flew straight ahead in trim. If the pilots continued to sit on their hands rather than declaring an emergency and descending to a three-engine cruising level, speed would decrease to a minimum angle of attack value called Alpha Prot, at which point the autopilot would disconnect and the plane would descend at Alpha Prot angle of attack speed until reaching its three-engine service ceiling. Then, if pilots still didn’t react, it would level off and slowly climb as fuel burned off.
In an emergency requiring immediate and aggressive control response, such as avoiding a collision with an aircraft, or inadvertently flying toward rising terrain, maximum control deflection would yield a maximum airplane response up to the plane’s 2.5 g design maneuvering limit, without stalling. A pilot flying a non-envelope protected plane in similar circumstances would have to rely on experience to instantly decide how much control input was needed. Being unfamiliar with high g airliner maneuvering, he/she might not use all the plane’s available energy and control authority… or use too much and stall.
Just such an extreme event occurred December 20, 1995, when an American Airlines Boeing 757-200 en route from Miami to Cali, Colombia, struck a mountain while descending for landing. Multiple factors, from lack of ATC radar coverage to FMS navigational data irregularities, contributed to the plane being off course. Twelve seconds before impact, the plane’s ground proximity warning system activated. The crew responded immediately, pulling up steeply – intermittently activating the stick shaker – but forgot to retract the speed brakes. Impact occurred about 110 feet below the mountain top. Had the plane’s maximum energy been tapped and the speed brakes retracted, investigators believe the plane would have cleared the summit. With full back side stick, the Airbus FBW envelope protected system would have automatically retracted the speed brakes and pitched to maximum climb using the plane’s available energy.
But deficiencies in basic airmanship, over-reliance on automation, and just plain forgetting can flummox even the most creative FBW envelope protection systems. The June 1, 2009, Air France A330 crash into the Atlantic is an example. The Rio to Paris flight was cruising at FL370 when it encountered icing in clouds that caused pitot tube icing which in turn resulted in erroneous airspeed indications and automatic disconnection of the autopilot. The captain was out of the cockpit, leaving two copilots in control.
With the autopilot off, flight control computers reverted to what Airbus calls “alternate law” with pitch control computers providing neutral stability and the plane trimmed for 1 g level flight. Roll control is direct, meaning it’s just like an analog plane responding to side stick commands. In alternate law, the plane can be stalled.
Had the pilots been familiar with the plane’s cruise pitch attitude and thrust settings correlated with the plane flying level, they likely would have let well enough alone and pressed on flying manually. Instead, seeing high airspeed from the erroneous pitot system, the pilot pulled back hard on the side stick, pitching the plane up at 1.7 g until it stalled. It then descended quickly at about 15000 ft/min at low airspeed with engines spooled up at 100% until impact.
In another case, on June 26, 1988, at Mulhouse-Habsheim Airport, France, a then-brand new A320 with an Air France captain at the controls crashed on a low level publicity flight demonstration. The plane had just been introduced to the public about a month earlier and this was a chance to show the plane to thousands of onlookers gathered at the airport. It came in low over the runway with thrust at idle and airspeed decreasing with the plane’s FBW system keeping the plane just above a stall.
What the captain apparently forgot was that the plane’s FBW low speed thrust protection cut out below 100 feet radio altitude in order to allow the plane to flare and make a normal idle thrust landing. As the end of the runway approached, the captain attempted to spool up the engines but they couldn’t accelerate fast enough. The plane continued ahead with engines accelerating through the 70% range and the FBW system keeping the A320 just above a stall, when, as a former test pilot put it, “The first bird strike occurred… but the bird was in its nest.” The A320 plowed straight ahead, wings level through the trees and crashed in flames.
Airbus’s FBW arrangement, artful as it is, has its quirks. For example, Airbus pilots can “help out” with “subtle assistance” on the side stick controls by giving a little nudge while the other pilot is flying but side sticks are not coupled! They move independently and if moved simultaneously their motions are algebraically summed. In such circumstances, a cockpit speaker loudly asserts “DUAL INPUT” accompanied by illumination of glare shield lights. Such an action would be like differing parents simultaneously disciplining a child with the result that neither approach succeeds exactly as desired. Of course, it’s contrary to the way airliners are flown with strict protocols requiring pilots to announce who has the controls. But, on an Airbus, it’s important to know because a nudge on the controls by another pilot can be counter-productive.
Whether one control philosophy is better than the other is pretty much a wash in normal operations because cockpits are so highly automated and pilots do so little hand flying. My impression is that Boeing is moving more in the direction of Airbus to intervene with automation in emergencies, and that’s a good thing. It’s an ironic tragedy that the company advocating most for pilots being in ultimate control should have two loss-of-control accidents because an add-on automatic stall prevention system caused pilots to lose control.
The reality is that less experienced pilots are staffing cockpits today, especially in less developed countries, and well-designed automation to ameliorate inadequate or inconsistent pilot performance should make flying safer for everyone. The challenge for airline pilots is to keep hands-on flying skills sharp and not be dulled by automation. For airlines, it’s providing the ground school and simulator training so that pilots have the skills and a full understanding of their aircraft to safely fly the line. For manufacturers, it’s doing what needs to be done at every step of design, testing, and manufacturing so that passengers don’t have to anxiously ask what kind of plane they’re on. And also not nickel and diming airlines on cockpit warning systems.
Updated 4/10/19 to clarify the 747 incident.
> The latest information is that the 737 MAX 8’s MCAS malfunctions cause much more pronounced pitch disruptions than the standard flight simulator runaway stabilizer scenarios.
I’m not sure I understand this. Does the stab trim motor run faster when MCAS activates it? Everything I’ve read says approx 2.5 degrees nose-down movement over 9.5 seconds. That seems the same as commanded stab trim movement. I believe the stab trim motor speed changes with airspeed, so perhaps what is meant is that MCAS-commanded stab trim movement speed does not change with airspeed. 2.5 degrees over 9.5 seconds has a great deal more impact on pitch control when the aircraft is flying at Vmo, which is apparently the speed the Ethiopian Air 737 was flying before the final MCAS activation. There is speculation that the excessive speed is ultimately what sealed this crew’s fate; the hydraulic actuators that move the elevator cannot overcome the air load at those speeds. The preliminary report says the throttles were never moved following takeoff, and the aircraft was 40 degrees nose down for the final 30 seconds of flight.
That aside, the Ethiopian aviation authority claims the Ethiopian Air pilots failed to retain control of the aircraft despite following Boeing’s procedure. I believe this is not supported by the evidence in the preliminary report. According to the report, the pilots allowed MCAS to move the stab trim for its full 9.5 second/2.5 degree cycle every time it activated. According to Boeing, MCAS is deactivated for five seconds if either pilot moves the stab trim switch on the control yoke to the nose up position while MCAS is moving the stab trim. The report says the aircraft trim was 4.6 degrees prior to the first MCAS activation, and around 2.1 degrees after. A few seconds after that the pilot trimmed nose up to 2.3 degrees. Five seconds later MCAS activated and over nine seconds moved the trim to .4 degrees. A few seconds later the pilot asked the first officer to trim with him, and they trimmed nose up to 2.3 degrees, which is still more than two degrees nose down from what I assume was the trimmed condition of 4.6 degrees prior to the initial MCAS activation. It was at that point the crew moved the stab trim cutout switches to the cutout position. So not only did the crew allow MCAS to run nose-down trim for nearly 10 seconds, they didn’t re-trim the aircraft using the trim switches before cutting out electric stab trim.
The FAA Emergency AD issued prior to the Ethiopian Air crash (which was made available to the crew according to the airlines) tells pilots in the event of unwanted MCAS-commanded stab trim movement to use the control column AND the electric trim controls to control pitch. It also warns the crew to trim the aircraft using electric trim BEFORE moving the stab trim cutout switches to cutout. The preliminary report does not make clear whether the crew attempted to manually trim using the trim switches DURING MCAS-commanded stab trim movement (which Boeing says should deactivate MCAS). That seems truly remarkable to me. Take a moment and count out loud to yourself, “One one thousand, two one thousand…” for 10 seconds. What was a crew supposedly aware of a potential malfunction that could result in uncommanded nose-down trim doing for nearly 10 seconds while that trim wheel was spinning away and control column forces were building?
At any rate, the crew failed to re-trim the aircraft before cutting out the stab trim motor, and they ultimately chose to put the stab trim cutout switches back to the normal position, thus giving MCAS control of the stab trim motor. Both of these are directly contrary to the emergency AD.
Something doesn’t smell right to me on this. Either the report is purposefully vague about the crew response, or Boeing is not correct that actuation of the yoke-mounted trim switch in the nose-up direction deactivates MCAS. The only reason I can think of for the pilot to move the stab trim cutout back to normal was so he could attempt to re-trim the aircraft using the yoke-mounted trim switch (the first officer had already unsuccessfully attempted to move it by hand). That tells me the pilot should have been on that trim switch IMMEDIATELY. Yet somehow MCAS was able to trim nose down for another 10 seconds.
If I were a crash investigator on this I would want to know if MCAS was able to override the pilots’ trim switches. The publicly available information is not clear on this, and it seems key to understanding what happened on these two aircraft.
Seems to me that the entire concept of “artificial feel” and “artificial buffet” (AKA stickshaker) was envisioned many decades ago assuming pilots had stick and rudder skills ingrained and whose muscle instincts would guide them to do the right thing if their hands were provided with the correct aerodynamic, albeit artificial clues.
Today, the artificial manual feedback stuff is degrading the primary flight control ergonomics, and distracting and stressing the crew. Instead of providing clues, it may even make pilots lose the trim switch with their thumb as a result of a hydraulically shaken column with massive artificial pull on top.
MCAS could then be seen as the ultimate perversion of that concept. Abuse a secondary flight control to create artificial stick force, give it a delay of 5 s so the pilot will not intuitively get the message, and give it so much authority, that it effectively overrides the primary control.
MCAS is not interrupted by the control column cutout switches, while all other runaway stabilizer movements are. The first step of the runaway stabilizer procedure is Control Column – Hold Firmly. This is intended to cause the column cutout switches to momentarily depower the trim motor, giving the crew time to shut off the master trim cutout switches. This will not stop the MCAS; hence a more severe stabilizer movement when the MCAS actuates erroneously.
The Lion Air captain overrode the MCAS with the yoke thumb switches 21 times. The Ethiopian captain overrode the MCAS 5 times before they shut it off. I am not sure whether the captain knew the trim was re-powered; it appears that he did actuate the thumb switches twice afterward, but only very briefly.
The Boeing procedure calls for autopilot off and autothrottle off. It does not appear that the autothrottles were ever disengaged; in any event, the power remained at the N1 climb limit, which is why they were moving so fast…which in turn may have created a high load on the stabilizer.
Only 8 seconds elapsed between the captain’s instruction to try the manual trim and the FO’s response that it was not working. It isn’t particularly easy to move in normal flight, but can be done without any trouble using the crank handle. I really don’t know whether the FO had ever used the manual trim before; my guess is probably not, so he may not have understood how hard he was going to have to crank it…and how many times (a lot). Without more detail from the cockpit voice recorder, we can’t know. However, Boeing does state in their Flight Crew Training Manual that it may take both pilots’ effort and/or the stabilizer may have to be unloaded (in extreme cases…their language).
> MCAS is not interrupted by the control column cutout switches, while all other runaway stabilizer movements are.
And the Ethiopian Air crew should have been aware of this if they had been briefed on the FAA’s emergency AD, right?
> The Lion Air captain overrode the MCAS with the yoke thumb switches 21 times.
This highlights a point and raises two questions. The point is that MCAS can be overridden (at least on that aircraft) using the trim switches. The questions are: 1) Why did the Lion Air crew allow MCAS to move the trim 21 times? And two, why didn’t the Ethiopian Air crew override MCAS using the trim switches, especially given that they were aware of the potential for MCAS-commanded trim movement and the FAA’s emergency AD which informed them to maintain pitch control (in part) using the trim switches?
Guy Norris has an article up over at Aviation Week which suggests vane detachment of the AOA sensor (likely due to a bird strike) is the primary cause of the erroneous AOA indications. He also cites “sources close to the [accident] probe” who say that contrary to airline statements the FDR data shows the crew did not follow Boeing’s recommended procedure for runaway stabilizer.
https://aviationweek.com/commercial-aviation/ethiopian-crash-data-analysis-points-vane-detachment
Thank you Steve, can you or anyone else inform us whether similar MCAS events have occurred and been handled appropriately in first world countries? We’re talking a relatively mature airframe operated in some number and I feel the dead hand of politics leading the fight for action. I appreciate that it is a sensitive question but I cannot believe the major players have not seen the problem or have their SOPs and Training kept them from trouble.
Boeing should have simply used the same system as I believe they used on their Boeing 767 a yoke pusher? What do you think? Used the elevator instead of the stabilizer? Hum…..?
In my limited knowledge of big iron, that would seem to make sense…
Very informative. Martha Lunken did a column on the woeful lack of training required of foreign captains.
I was in Everett at the Boeing plant in the 90’s taking the tour. They kept talking about how they were trying to make the planes easier to fly. As a Lear pilot at the time I finally said “hey what’s the big deal, we’re talking airline pilots here”.
The response was to the effect “oh no, we have some foreign customers with very inexperienced flight crews”. I pictured the sultan’s 25 year old nephew in a gaudy captain’s uniform.
Thanks, Mr. Reiner, for the best analysis of the situation I’ve come across. Here is a question for you and everyone who’s commented. Given the concerns about decaying airline pilot stick-and-rudder skills, do you think there would be value in having all airline pilots to be trained in GA aircraft and particularly in unusual attitudes and upset recovery? And to fly light aircraft periodically as part of staying current? I know airline pilots who love airplanes and fly all kinds of them when not at work, while others apparently see flying the line as “just a job.” I’d certainly rather fly behind one of the former rather than the latter.
Aerobatic training tends to stay with a pilot. It would be beneficial in initial training.
But pilots need to understand that some recovery procedures such as high pitch-low air speed recovery procedures appropriate for straight wing light planes would not be appropriate for a large swept wing jet because of the likelihood of precipitating a spin.
I’d love to fly GA more often… and although it is a totally different animal, I think it might be helpful. What airlines are doing is to bring these maneuvers to their simulator training syllabus more often. And this looks great to address the issue. But the whole change that would maybe bring back “stick and rudder” is both in culture, SOPs, policies. Something that would not only allow, but encourage airline pilots to fly more manually. Honestly, I am not sure if this is even plausible in the nowadays industry, both from the safety and commercial perspective.
GREAT article Arnold. As a pilot, having flown for ~60 years…Piper cub, T-28, T-bird in Air Force pilot training, B-47’s, F-84 & F-86H in Mass. ANG, and finally owned and flew Cessna 182. Born on Staten Island, and got interested in aviation at the ‘tender’ age of 9; worked at the one remaining airport on Staten Island washing, etc airplanes, and received my first ride in an airplane; that got me ‘hooked’ on becoming an Aeronautical Engineer…. and becoming a pilot. Finally, I would like to have a ~5 minute conversation with Arnold to ‘chat’ about aviation ‘stuff’, etc…. PLEASE help me do that? M
Hello, Arnie,
Been a long time. Very good, perceptive piece on the MAX, one that cuts through a great deal of the so-called “expert” speculation. The third-world issue here is one that I think should not be ignored, and one that I think probably had something to do with the fact that the thrust levers were never moved out of the takeoff detent. At Vmo and above, there isn’t a pilot alive that could have moved the stabilizer.
John Marshall
Pan Am, Ret.
Best summary that I’ve seen. Only one thing left out. The Lion Air a/c had been griped on two previous flights for the same issue. It was flown with maintenance check only. No flight test. I’d fly a Max 8 tomorrow but not a third world airline.
Semper fi Mac
This accident demonstrates a basic lack of understanding of the flight crew of the concept of pitch, power and airspeed equals performance and the concept of first fly the aircraft in an emergency. Apparently they experienced stick shaker shortly after leaving the ground, indicating a low speed stall situation. However, with a normal takeoff pitch attitude, takeoff power and airspeed increasing, the aircraft clearly was not in a stalled condition. In fact as the speed continued to increase towards the flap limit speed, the crew raised the flaps thereby activating the MCAS system. Had they recognized that the aircraft was not stalling, given the pitch attitude, take off power and airspeed, the more logical reaction would have been to level off at a safe altitude, pull the power back to the power it normally takes for level flight with that flap setting and troubleshoot the problem. Additionally they would have had normal use of the electric stab trim to keep the aircraft flying normally.
Unfortunately, the action of raising the flaps activated the MCAS system, increasing their difficulties. The fact that they never thought to pull the power back from takeoff power is an indication that they were not trained or aware of the concept of first fly the aircraft in an emergency. With the MCAS system activated, the ever increasing speed added more force being applied by the stab trim, which was being moved by the MCAS system. While they eventually turned the stab trim switches to cutoff, they never tried to use the manual trim before turning the stab trim switches back on. Eventually, with the speed continuing to increase, the forces were too much to overcome.
I believe this indicates a shortcoming in the training of pilots in countries that do not have a vibrant general aviation infrastructure and/or a significant military air force, where pilots can learn and practice the concepts of pitch, power and airspeed equals performance and the concept of first fly the aircraft in an emergency situation.
I recently asked a newly qualified PPL holder if he knew the difference between a spin and a spiral dive and what to do to recover. His answer was no – what’s the difference. It appears that spin training is no longer covered as it might be dangerous????
Gives me great cause for concern!!!
Basic flying skills training is neglected in differences training, resulting in over-reliance on automatic devices.
Bazza, spins haven’t been taught for years and years now.
Thanks Arnold. One aspect that designers of complex, software-intensive systems (like the MAX, for example) confront is that the large number of possible states (I mean really large … it’s software) makes it theoretically impossible to test them all. You try to test all the important states as best you can; even that is not really possible, you’re going to miss some. Moreover, our physical intuition about the world utterly fails us when software is involved. Software containing defects just does not follow physical laws, and let me assure you, there is no such thing as defect-free software associated with nontrivial systems. I do believe these two basic issues are at play, if not here then certainly in other aviation accidents. For example the F-22 which accidentally tested a new software mode for the first time while airborne. Sign error. Oops, controls suddenly work opposite. Test pilot left the airplane and no one could blame him for doing so.
Thoughtful article, thank you Arnold.
A note to the editor: I believe the photo caption saying “Plenty of blame to go around…” is highly inappropriate in an aviation setting where Just Culture is key to maintaining high levels of safety. There will be plenty of blame made by lawyers and authorities and politicians. No need for us to be making judgments amongst ourselves. Aviators should be concerned with finding and fixing causes, not assigning blame.