Why FAA and EASA didn't require any procedure changes in the interim to prevent the issue is a very good question.
I like Mentor Pilot and Air Disasters, so I know I’ve heard of a few where the problem that caused an accident was already known and a fix was available but the airline just chose not to do it because they had that option. Or it was scheduled but hadn’t been performed yet because it wasn’t thought to be that critical.
Having the FAA mandate the fix seems like it would be a much better option.
The timeframe could be anything, but common forms are like:
- Within the next X (flight) hours or Y calendar days
- You don't have to, but additional inspection needed every X hours or Y days until you do
- At next annual inspection
- Immediate/before flying again (usually called an Emergency AD)
I haven’t heard of any similar successful court cases in recent years in the US.
For USA [4], Title 14 of Code of Federal Regulations, Chapter I Subchapter C, Part 39
For EU [5] Article 76 (6) of the Basic Regulation (EU) 2018/1139
[1] https://www.icao.int/publications/pages/doc7300.aspx
[2] https://ffac.ch/wp-content/uploads/2020/09/ICAO-Annex-8-Airw...
[3] https://ffac.ch/wp-content/uploads/2020/09/ICAO-Annex-6-Oper...
[4] https://www.ecfr.gov/current/title-14/chapter-I/subchapter-C...
[5] https://www.easa.europa.eu/en/document-library/regulations#b...
I read through the 787 Dreamliner manual for setting up the software for patch distribution to the planes, and there are checks and overrides at every step. The whole thing is physically controlled by the owning airline or maybe the leasing company, but not Boeing.
I wasn’t thinking a “we’re pushing an update too bad” kind of thing but more a “hey you have to do this to be allowed to fly, your choice” with the weight of law behind it.
The security is dialed up to 11 as well. It explicitly calls out the following scenario:
1) The plane is leased.
2) The maintenance is outsourced.
3) The plane is at an airport in an "unfriendly" country.
4) The plane is not allowed to take off until it is patched due to an emergency directive.
That scenario is handled, securely!
There is encryption between the plane and the airport WiFi.
The maintenance crew can also plug in to an Ethernet port near the front landing gear.
There is a VPN back to the patch server managed by the airline.
The VPN host certificate is explicitly whitelisted in the plane.
The plane won't accept a patch unless it has been digitally signed by Boeing, the FAA, the Airline, and potentially the manufacturer and the local equivalent of the FAA!
The pilot has to enter a 4-digit pin code in the plane.
Most of the associated wiring is only physically connected if there is weight on the front landing gear. You can't "hack" a plane in-flight and patch it with malware, the required cabling isn't connected.
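The acceptance rule described in the comment above (every required party must sign, and nothing is accepted without weight on wheels), as an added sketch that is not part of the thread and not Boeing's implementation. The role names, the types and the choice of Ed25519 are assumptions; keys and patch image are constructed.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Aircraft holds the acceptance policy (hypothetical names, not Boeing's).
type Aircraft struct {
	Trusted        map[string]ed25519.PublicKey // role -> pinned public key
	Required       []string                     // every listed role must sign
	WeightOnWheels bool                         // stands in for the wiring interlock
}

type Patch struct {
	Image []byte
	Sigs  map[string][]byte // role -> detached signature over Image
}

// Accept returns nil only when on the ground and every required role verifies.
func (a *Aircraft) Accept(p Patch) error {
	if !a.WeightOnWheels {
		return fmt.Errorf("refused: no weight on wheels")
	}
	for _, role := range a.Required {
		pub, pinned := a.Trusted[role]
		// A missing signature is nil, which Verify rejects on length.
		if !pinned || !ed25519.Verify(pub, p.Image, p.Sigs[role]) {
			return fmt.Errorf("refused: missing or invalid signature for %s", role)
		}
	}
	return nil
}

// Fixture builds constructed keys and a fully signed constructed patch.
func Fixture() (*Aircraft, Patch) {
	a := &Aircraft{Trusted: map[string]ed25519.PublicKey{}, WeightOnWheels: true,
		Required: []string{"manufacturer", "regulator", "airline"}}
	p := Patch{Image: []byte("constructed patch image"), Sigs: map[string][]byte{}}
	for _, role := range a.Required {
		pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
		a.Trusted[role] = pub
		p.Sigs[role] = ed25519.Sign(priv, p.Image)
	}
	return a, p
}

func main() {
	a, p := Fixture()
	fmt.Println("fully signed patch:", a.Accept(p))
}
```

The check is all-of rather than any-of: a single missing, swapped or stale signature fails the whole patch, and the interlock is tested before any cryptography runs.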
They are coordinated with applicable certification bodies (civil aviation authorities) and distributed as airworthiness directives that can, in fact, force a specific action to be taken.
[1] (writing from memory unfortunately) an airflow modification for 737 NG (iirc, could be older 737, pre-MAX definitely) avionics bay was "optional", as in mandatory only for aircraft flying in hot enough regions. After a near miss in Poland when steadily overheating avionics essentially slowly lobotomized a plane after takeoff. Turned out Europe got hot enough for it.
After that incident, Boeing issued a change in safety information bulletin that the modification was now mandatory.
https://simpleflying.com/boeing-cfm-international-update-737...
The recommendations include very basic procedure changes that mitigate the near term risks without any significant impact to operation, as well as recommendations for what probably amounts to a software change and upgrades to some of the pilot oxygen masks to effect a permanent fix.
The only reason that we even know about the internal recommendations is that they were leaked to the press.
Boeing released a pilot bulletin that basically says to go through the checklist quickly and to treat smoke in the cabin as a major failure, but stops short of recommending some very, very simple steps in aircraft configuration prior to takeoff that would completely mitigate the issue without negatively affecting flight performance.
The major recommendation in the internal FAA bulletin is to use the APU bleed instead of the main engine bleed air to power the air conditioning and cabin pressurisation during the takeoff phase of flight, below 3000 feet AGL. I can see no reason to drag feet on this recommendation, other than the uncomfortable suggestion that perhaps this issue should have been addressed during certification. (It is yet another difference from older 737 design, like the deadly MCAS system, that was not disclosed to pilots transitioning to the new aircraft)
Well, the configuration changes during takeoff mitigate the issue if it happens during takeoff. If it happens at any other time then they don’t do anything to help.
> I can see no reason to drag feet on this recommendation […]
I can. Perhaps the FAA believes that it is better to minimize change fatigue. Since the problem can apparently be fixed in software, and Boeing has decided to make that fix, they might want to write just one airworthiness directive requiring everyone to install it instead of two, one telling pilots to adopt some procedure followed by another telling them to abandon it.
> (It is yet another difference from older 737 design, like the deadly MCAS system, that was not disclosed to pilots transitioning to the new aircraft)
Keep in mind that for most aircraft the airline can pick and choose between different engines. The pilots don’t have to learn the myriad different engineering decisions that go into those engines; from the pilot’s perspective they are supposed to be interchangeable.
Additionally you might want to avoid the association that specific pack supplies air to the cockpit, as it varies across generations. https://en.wikipedia.org/wiki/Kegworth_air_disaster
There are no birds at higher altitudes
737 Max can only have CFM Leap engines.
A320 can have either Leap or PW GTF.
It looks like only the LEAP-1b engines are affected by this, and I was under the impression that LEAP-1b was 737-MAX-only?
(A320 has LEAP-1a as far as I can see).
This does not seem to be the case for the A320 family of jets. [2]
[1] https://www.youtube.com/watch?v=AAy_ch6sfOQ&t=1707s
Boeing has gone off the rails, but the general lack of nuance in the common narrative about their failures is really over the top.
MCAS is how a fundamentally different plane behaves (in most cases) like a normal 737. The fact that such a system exists is described, and disclosed, in minute detail to pilots when they get their mandatory training on the 737-MAX.
The specific name wasn’t used in the training, and that’s where this ridiculous narrative came from.
MCAS uses the same hardware but has different scenarios in which it activates and has a different effect. Not knowing of the existence of MCAS and not having a viable procedure to deactivate it if it went haywire was critical to the two accidents. I've looked into this a lot and to my knowledge this was never disclosed to pilots.
Can you provide a reference to MCAS being disclosed prior to the two accidents?
- CFM designed an engine that, in certain emergencies, dumps oil into the quite possible (actually traditional, if I understand correctly?) human-breathing stream of the aircraft, apparently, without the relevant human-breathing system shutdown mandate when said (or any) emergency system is triggered; [truth be told, we never heard their complete story]
- Boeing integrating said new engines into their new 737MAX without appropriately checking for possible new emergency mode interactions with their life-support (in this case, breathing) systems.
- FAA dropped the ball upon accident investigation;
- FAA removed their employee that then picked up the ball;
- EASA swallowing what they were told by FAA without asking further questions;
Well...
I have worked in many no-harm potential software projects that employed more careful engineering than this.
All hardware projects I worked on employed more careful engineering than this.
Conclusion: It becomes more and more difficult to falsify that Boeing, nowadays, simply abandoned engineering design reviews and relies solely on some blend of "agile" methods to design people-carrying airplanes.
Presumably because a bird strike at TO would prompt an immediate go-around and land. With landings the runway is right there.
Not an aviation expert at all, so I am talking out of my ass on this.
Comments on that YouTube video are filled with industry insiders and it’s just wild. They even think someone has died from a similar fuming event back in December…
The part about filling the cabin with smoke because they couldn’t be bothered to make the software that detects the extreme vibration tell the AC units from that engine to shut down (which they already do if the rpm drops, indicating an engine failure - just not soon enough or reliable enough to prevent the smoke issue) - not so much.
The system for the ECU to detect the engine mount failure condition already exists. The function to shut down the air handlers in response to a different indicator of engine failure already exists in the ECU. It’s just literally “also shut down if the engine mounts fail”, but the guys that sit around and think about the what ifs were given early retirement to make room for more MBAs.
Sure, I get that it was added to prevent plane from disintegrating, but like you said integration thinking is gone and now we have those individual components that sure look homicidal from outside.
The other issue is that regulators are missing in action or worse. It’s no way to run the industry by relying on concerned YouTubers.
So no this wasn’t the victim of a rescope.
Frikken clown world hijinks.
How difficult is that?
Actually, I think this was less about cost and more about systemic creep of operational differentiation from earlier versions of the 737. A big selling point for the MBAs was that this was a 737 and pilot recertification was not necessary. So the MCAS system and its deadly potential was hidden from the pilot manual, as was the new failure mode introduced by this system. Acknowledgement that these systems required additional or different contingencies or checklists, or introducing an automatic shutdown of a pressurization would require recertification in type, or potentially even recertification of the aircraft if the changes were significant enough.
Significantly, for MCAS, the reason that the stability of the aircraft had to be patched in software, leading to hundreds of deaths, was that changing the empennage to reestablish aerodynamic stability might have been a big enough change to require recertification of the airframe. That would have been expensive, but it would have also opened the door to fixing all of these other issues that resulted from trying to pretend that the aircraft was not significantly different from earlier versions.
It's bean counters all the way down, and dead passengers is the price of that.
From the video, the 39 second figure is for the cockpit if the pilots don't get their masks on in time. The passenger cabin would be uncomfortable but wouldn't (or just didn't in that case) reach lethal levels given the volume.
> They even think someone has died from a similar fuming event back in December…
Interesting, I hadn't heard of this before. Looks like it's a different type of engine failure (not related to LRD), but the same basic problem. https://en.wikipedia.org/wiki/Swiss_International_Air_Lines_...
I wonder if they just need formaldehyde sensors in the bleed air line...
As far as I understand, the people in the cabin or the cockpit will breathe the oil that's now been aerosolized -- in the cockpit it's really hazardous because it's such a small air volume. The oil's full of all kinds of things you wouldn't ever want to breathe in, and in the cockpit it's enough to poison you really fast.
The people can keep filtering a certain volume of oiled air, but at some point it's too much oil in their body.
If the people in the cockpit are incapacitated, though, it's a problem for everyone on the plane. The oil has nasty stuff that kills the pilots, but it's also hard to see through.
Basically, at the very very least, let's not dump the oil into the cockpit. Ideally let's not dump the oil into the passenger compartment either, but sheesh, let's not kill or blind the pilots as table stakes.
None of the sources he references about the danger of the smoke itself appear to be very confident that it genuinely could kill you in 39 seconds, and they all seem to be from sites that likely have an incentive to sensationalise. Maybe he had better sources for that claim, but didn’t show them (or maybe I didn’t watch the video carefully enough), but I wasn’t convinced that it’s actually true.
But if not, it’s possible the FAA/Boeing have better data or other reasoning that makes them sure that the smoke is not that dangerous. In which case their inaction (but not necessarily their PR strategy...) seems more justifiable.