Briefly: It could be, but that would mean reclassifying the airplane.
Maybe think about it like anti-lock brakes. Cars without ABS can be driven safely in many/most circumstances, but most drivers are accustomed to ABS. (This is necessarily a limited analogy)
Also, there are government requirements per aircraft type, and removing this system would change the aircraft type, triggering a significant amount of required re-training.
---
Not directly related to your question, but I think [pure speculation/psychological theory] one thing that went badly wrong here was engineers thinking about this as a convenience system. Because it was thought of as a convenience system, they didn't fully consider the safety aspect of it.
No, it's still obvious fail-deadly insanity. Having to say that the pilots would need to quickly notice the issue is even worse (have you seen how you disable the system? It's not a button that you push).
The point of the plane variant was to not perform any additional training, too.
Anyone saying that to the engineers should be considered a criminal. There is probably a whole incentive structure that led to this and that should be upended completely.
That doesn’t make it a safety system. It wasn’t integrated as part of any kind of flight envelope protection and it wasn’t necessary to fly a plane of that design safely.
The issue was they decided to use automation to avoid training pilots on how the plane actually behaves. That kills people.
It makes you wonder why such a seemingly important alert is optional. Cars these days can't come without seat belts, brakes, ABS, traction control, ESC, and more, but apparently seemingly essential safety features on planes are optional??
That's true, but some aircraft are now equipped with TCAS and GCAS which will automatically seize partial control from the pilot and maneuver to avoid some types of crashes. So far I think those systems have been 100% reliable but the manufacturers would be liable if they caused a crash.
Yes, it's truly a case of inadequate engineering IMO. If an automated system designed to prevent crashes (stalls, as I understand it) merely changes the failure mode into something harder to detect and correct manually, it's a poorly designed system.
A sibling comment mentioned that the sensors fail constantly. Seems that it might be possible to operate such a system with a significant number of critical inputs in a degraded state which could lead to unknown effects IMO.
In many ways, automated driving is much more complex than successfully piloting an aircraft in regulated airspace.
I'm questioning whether a system such as the one I described can be abused to the point where redundancy is offloaded to the pilot flying the plane even when it shouldn't be?
It seems to me that aircraft with a lot of automation should have a single big red button to turn it all off.
In most situations, of course, the automation is good, preventing pilot errors like stalling or exceeding safe control inputs, but these are fundamentals that every pilot learns in the first few hours of flight training. Unlike some fighters that are inherently unstable, a 737 can be flown safely without the computer overriding the pilot's control inputs so long as the pilot flies reasonably.
I've had a similar experience in a car. Antilock brakes are designed to override an erroneous control input: braking too hard for the available traction. In the event of a wheel speed sensor malfunction, they can override a reasonable control input: moderate braking well within the limits of the available traction. This is terrifying, and there's no way to override it in the moment. It can, however, be overridden in most cars by pulling out the fuse for the ABS.
Disabling the system is a possibility, but then they have to train all pilots to fly the plane without that system. Of course there is no training program in place, it would only take a few months to design it, then a few more to get the program certified as enough, then a few more months to teach the trainers how to teach it, then teach the pilots... It is much faster to fix the system once and for all.
Aircraft anti-skid is more complicated than a car. There are a lot of hydraulics and sensors working with extremely high loads.
To simplify how things work, there are two sets of systems in the plane.
There are the computer controls that move all of the surfaces. They have no connection to the various other sensors, because they only move things as they are ordered to. These form the base fly-by-wire system.
On the top layer, you have the three flight computers handling all of the automation. A triply redundant system with all of the plane's sensors available to them, not just the sensors in the braking system.
So, the ABS is handled by the flight computers and the flight computers are their own backups. The automation will attempt to degrade gracefully into alternate law. If they all go, the plane reverts to direct law and the pilots interact with the base fly-by-wire system which has little to no automation.
Failures of the flight computers are rare. Every other part of the braking system is less reliable than the flight computers.
From another angle, if a failure caused the flight computers to crash, is there also a problem with the braking system? By having a clear, defined failure mode, a pilot only needs to be trained to land the plane with manual braking.
When the flight computers drop out, the fly-by-wire system becomes directly connected with the flight controls. This includes the anti-skid functionality.
With the above design, it doesn't make a lot of sense to add a layer of complexity between the flight computers and the fly-by-wire system. The redundant flight computers are the backup systems. They can run with partial functionality. If they all fail, the plane reverts to a known, extremely well tested, working system.
There are multiple overlapping failure modes already. Adding another failure mode is a bad idea.
I think the problem is that this whole automatic system is to prevent crashes because the engines change how the plane behaves compared to a normal 737, which is the training Boeing was trying to avoid in the first place.
So for them to turn off the automatic system, they really need to be training on how to fly this variant of the 737.
If it only were that simple. Airbus in particular has a lot of systems which PREVENT the human from doing things.
One plane actually crashed because the prevention system disabled itself and the pilots believed it was still there to protect them from bad actions on their part:
> caused the autopilot to disconnect, after which the crew reacted incorrectly and ultimately caused the aircraft to enter an aerodynamic stall, from which it did not recover
Training is extensive and regular re-certification is not optional. However, modern airliners are complex machines with many weird failure modes that rarely occur. Many of these scenarios are covered only occasionally during certifications since there is no chance to cover them all. Many of these scenarios never occur during a pilot's career but when they do they only may have seconds to take action. Instructors have to choose what to focus on. I'd say this is an example of something that slipped through as something worthy of focusing on.
IMHO the long term solution to improving safety is to make the pilots increasingly redundant. With the current generation of technology this is not yet feasible since they are depending on a wide range of technologies dating back decades. Also a lot of the planes flying are decades old designs. This makes them hard to automate and human-computer interaction has not evolved to the point where a computer can take over these tasks and deal with all the critical human interactions that are involved with operating a plane. In principle the problem is solvable, however. It's mostly just a matter of enough sensors and computation redundancy and improving communication technology to get humans out of the loop.
Mostly pilots these days take executive decisions that boil down to religiously following checklists for basically every scenario imaginable and programming the auto pilot to act accordingly. The auto pilot is activated right after take off and typically disabled on final moments before touch down; or in some cases after landing. Or as in this case, in an emergency.
That's not to marginalize their role. Flying an airliner is a two man operation and they tend to be extremely busy dealing with flying complex procedures, routing around weather, ad hoc queues from controllers, cross checking each other, etc. Most of that stuff requires pilots to have good situational awareness. Most of that awareness is created through reading their instruments, communicating on their radio, and looking outside (when weather permits).
All of that could be automated but it would require a complete rethink of how this business works. For example modern planes are basically equipped with multiple redundant computers and fly by wire control (i.e. a computer controls everything). Yet, critical information is passed to these computers via a non digital communications channel involving people trying to exchange crucial bits of information over a badly congested, low quality radio channel with limited range. This is a ridiculously convoluted, error prone, and hopelessly inefficient way of communicating. The only reason it exists is because agreeing and standardizing on something sensible is going to take decades and has taken decades already.
Most of the chatter on the radio is people cross verifying completely routine information. Worse, people on both sides tend to be very overloaded with information and yet lack the mechanisms to share information other than verbally. Controllers can be juggling communication with dozens of planes and pilots are bogged down in a barrage of instructions, complex procedures, and checklists. A lot of the training focuses on teaching both to stay on top of this (this is very hard). A lot of accidents result from their failure to do so. Emergencies are stressful and stress makes all this even harder.
So, a completely computer based system would do away with most of that to reduce task overload for pilots and controllers and ultimately reduce both of them to the role of remote managers that intervene by exception and very rarely. Ultimately such a system would run itself. Military drones are slightly ahead of the curve here.
I also wonder about the engineers involved, what they think about the system and whether it was created expressly for getting around retraining, realizing late into the project that the changes to the in-flight behavior of the plane may have been too much.
That's a set of goalposts that move automatically to render any argument against it invalid.
No matter how counter-intuitive, error-prone, or difficult the control interface of an automobile is made to be, you can always say: "Well, if you can't figure it out, don't drive!"
Would you fly on a plane designed with this attitude? "It'll drop out of the sky if you accidentally bump anything, without a noticeable warning, but pilots that can't handle flying shouldn't be in the cockpit anyway!"
But seriously: would you get on a 737 MAX without the MCAS fixed?
Would you get in a 737 MAX with an unfixed MCAS a decade after the MCAS incident, when people have forgotten? With a new pilot that had never heard of the two specific crashes?
Or would you insist in flying in a plane designed not to crash into the ground in ways that's counterintuitive for the pilots to deal with?
Similarly, would you let your relatives drive a 2014 model Jeep Grand Cherokee that hadn't been recalled and had the parking brake changed to be automatic? Would you trust your Grandmother to check the tiny little light every time that will stop her dying, or would you take it to the shop for her so that she doesn't have to?
The problem is, if they drill it in their heads too much, pilots will err on the side of caution and could ice the engine. The system is there for a reason.
I tend to agree after reading the bulletin. It seems to be a safety net for the plane/engines that maybe needs better input validation so that a pilot eager to hit the brakes can't do this again. In this context it's a UX bug.
So the plane is built with the assumption that the pilots are ready to jump in and override within 10 seconds, if out of the blue the auto-pilot decides to try to crash the plane. How about a no, and we re-build the system so a failure like that becomes extremely unlikely and not a regular occurrence?
Having optional safety features on an airplane (i.e. not standard equipment) strikes me as being significantly more egregious (Edit: more so than on vehicles like cars/trucks for the general population). Considering how complex these things are already, how does this not unnecessarily increase the cognitive load on pilots? "Oh, I guess I'm flying the basic trim level airplane today, I better be cognizant of the fact that it lacks features X, Y and Z"
Even if training would have prevented the crashes it's still bad design for a critical change in flight control.
Computers should never overrule manual controls. If the autopilot is on and the pilot makes a manual adjustment to the yoke, the autopilot shuts off.
They should have designed the MCAS system to recognize when the pilot was fighting it and to disable itself.
It's like the runaway Prius problem. Turning off the car might be considered an appropriate safety cutoff, but not everyone thinks of that in an emergent crisis.