[OT] “Raise the nose, HAL.” “I’m sorry, Dave, I’m afraid I can’t do that.”
Apr 21, 2019
Paolo Invernizzi
April 21, 2019
I'm finding this article [1] amazing, looking at all the anecdotal stories that Walter has told us during all these 15 years regarding engineering in the avionics industry.

Without specifically discussing the Boeing case, but looking at the industry in general...
Really, will things go horribly wrong before starting to get better again?

Happy Easter to everybody!

[1] https://spectrum.ieee.org/aerospace/aviation/how-the-boeing-737-max-disaster-looks-to-a-software-developer


April 21, 2019
On 4/21/2019 10:18 AM, Paolo Invernizzi wrote:
> I'm finding this article [1] amazing, looking at all the anecdotal stories that Walter has told us during all these 15 years regarding engineering in the avionics industry.
> 
> Without specifically discussing the Boeing case, but looking at the industry in general...
> Really, will things go horribly wrong before starting to get better again?
> 
> Happy Easter to everybody!
> 
> [1] https://spectrum.ieee.org/aerospace/aviation/how-the-boeing-737-max-disaster-looks-to-a-software-developer 

I have my beefs with the article.

For example,

"They want to have one airplane that all their pilots can fly because that makes both pilots and airplanes fungible, maximizing flexibility and minimizing costs."

Safety is a factor in having different airplanes fly the same. Many accidents have occurred because the pilot, in a moment of stress, applied a solution that would have been correct on the aircraft type he had more experience on.


He argues that airplanes are stable without augmentation. This isn't true for any jetliners, they have an active yaw damper:

  https://en.wikipedia.org/wiki/Dutch_roll

In particular:

  https://en.wikipedia.org/wiki/Dutch_roll#Accidents


He argues that it would be safer to develop a whole new airframe. Any new airframe, by definition, will be an unproven design, and everything in it would need to be re-proven, which has its limits.


"Neither such coders nor their managers are as in touch with the particular culture and mores of the aviation world as much as the people who are down on the factory floor, riveting wings on, designing control yokes, and fitting landing gears. Those people have decades of institutional memory about what has worked in the past and what has not worked. Software people do not."

This is sheer nonsense. People on the shop floor assembling airplanes do indeed have institutional knowledge about what works in manufacturing. They have no idea what works when flying or various failure modes. They have zero experience with stability issues. They do not do design work. Even more ignorant, the 757 I worked on back in 1980 had many computer systems that controlled the airplane, such as the autopilot. Last I checked that was 4 decades ago, and software programmers and managers implemented it.


Boeing did indeed make mistakes with the MCAS software design. I won't defend that, I don't understand the causes of those mistakes. But it wasn't about cost saving, another scurrilous charge by the author. The fact that the fix is a software update is evidence enough that it was a mistake, not some blind greed.

Absent from his article is anything about Airbus. Airbus has had crashes due to avionics software problems, too.

The author is a pilot, but has never flown airliners and has no experience with them.

There's more, but I should stop here. I'm just tired of these hit pieces from people who only partially know what they're talking about. I'll fly in a 737Max any day.
April 21, 2019
Since I griped about the qualifications of the author, I suppose I should say what mine are:

1. My degree is in Mechanical Engineering, with a minor in Aero and Astronautics.

2. I'm not a pilot. I've "flown" flight simulators. That doesn't mean squat.

3. I spent 3 years working on the 757 stabilizer trim system design. I also did verification work on the stability of the elevator system. I had many long and enjoyable conversations with the "old salts" there who were passing on their institutional knowledge to me. It was probably the best part of my experience there.

4. I've been writing software professionally for 40 years. None of it was flight control software.

5. My father was a career military pilot. I grew up hearing all about flying all the time. I'm interested in it, and have read extensively on aviation, mostly about design. None of this is quantifiable.

Many facets of this have crept into D's design :-) You'd think there'd be nothing in common, but that is incorrect. The software industry and best practices could learn a lot from aviation experience.
April 21, 2019
On Sunday, 21 April 2019 at 19:52:58 UTC, Walter Bright wrote:
> On 4/21/2019 10:18 AM, Paolo Invernizzi wrote:
>> I'm finding this article [1] amazing, looking at all the anecdotal stories that Walter has told us during all these 15 years regarding engineering in the avionics industry.
>> 
>> Without specifically discussing the Boeing case, but looking at the industry in general...
>> Really, will things go horribly wrong before starting to get better again?
>> 
>> Happy Easter to everybody!
>> 
>> [1] https://spectrum.ieee.org/aerospace/aviation/how-the-boeing-737-max-disaster-looks-to-a-software-developer
>
> I have my beefs with the article.
>
> For example,
>
> "They want to have one airplane that all their pilots can fly because that makes both pilots and airplanes fungible, maximizing flexibility and minimizing costs."
>
> Safety is a factor in having different airplanes fly the same. Many accidents have occurred because the pilot, in a moment of stress, applied a solution that would have been correct on the aircraft type he had more experience on.
>
>
> He argues that airplanes are stable without augmentation. This isn't true for any jetliners, they have an active yaw damper:
>
>   https://en.wikipedia.org/wiki/Dutch_roll
>
> In particular:
>
>   https://en.wikipedia.org/wiki/Dutch_roll#Accidents
>
>
> He argues that it would be safer to develop a whole new airframe. Any new airframe, by definition, will be an unproven design, and everything in it would need to be re-proven, which has its limits.
>
>
> "Neither such coders nor their managers are as in touch with the particular culture and mores of the aviation world as much as the people who are down on the factory floor, riveting wings on, designing control yokes, and fitting landing gears. Those people have decades of institutional memory about what has worked in the past and what has not worked. Software people do not."
>
> This is sheer nonsense. People on the shop floor assembling airplanes do indeed have institutional knowledge about what works in manufacturing. They have no idea what works when flying or various failure modes. They have zero experience with stability issues. They do not do design work. Even more ignorant, the 757 I worked on back in 1980 had many computer systems that controlled the airplane, such as the autopilot. Last I checked that was 4 decades ago, and software programmers and managers implemented it.
>
>
> Boeing did indeed make mistakes with the MCAS software design. I won't defend that, I don't understand the causes of those mistakes. But it wasn't about cost saving, another scurrilous charge by the author. The fact that the fix is a software update is evidence enough that it was a mistake, not some blind greed.
>
> Absent from his article is anything about Airbus. Airbus has had crashes due to avionics software problems, too.
>
> The author is a pilot, but has never flown airliners and has no experience with them.
>
> There's more, but I should stop here. I'm just tired of these hit pieces from people who only partially know what they're talking about. I'll fly in a 737Max any day.

It wasn't my intention to touch a nerve, nor was it my intention to turn this into a derby between Boeing and Airbus (frankly speaking, who cares?). To be honest, I'll fly any day only on something with NASA code running on it :-P

We will see the reports of the investigation process, but it seems really probable that it was the MCAS that crashed the planes, and it seems plausible that:
- there's no check against the redundant input coming from the left sensor
- there's no check against other inputs either
- there's no second "unit" running to check for output differences.

Walter, you are an engineer, but I'm a manager, so I believe that cost saving _could_ be a cause, and a major one.

For example, the quote you made about "one airplane that all their pilots can fly" is related to airlines, not the airplane builder, and that's a basic rule in organisations to be more efficient.

I'm not interested in the specific case. What I'm wondering is whether software is still not as much under the lens of regulation as hardware or mechanical engineering in general, so there's a "trend" of shifting "weight" from traditional engineering to software engineering, and that's starting to be a problem.

- Paolo


April 21, 2019
On 4/21/2019 1:45 PM, Paolo Invernizzi wrote:
> We will see the reports of the investigation process, but it seems really probable that it was the MCAS that crashed the planes, and it seems plausible that:
> - there's no check against the redundant input coming from the left sensor
> - there's no check against other inputs either
> - there's no second "unit" running to check for output differences.

Yes, and all that is correctable with software changes.


> Walter, you are an engineer, but I'm a manager, so I believe that cost saving _could_ be a cause, and a major one.
> 
> For example, the quote you made about "one airplane that all their pilots can fly" is related to airlines, not the airplane builder, and that's a basic rule in organisations to be more efficient.

It's both a cost saving and a safety improvement. There's a very good reason why cars have the brake on the left and the gas on the right and this is standardized.


> I'm not interested in the specific case. What I'm wondering is whether software is still not as much under the lens of regulation as hardware or mechanical engineering in general, so there's a "trend" of shifting "weight" from traditional engineering to software engineering, and that's starting to be a problem.

There's been constant upheaval in aircraft systems since the very beginning. There's not really any such thing as "traditional". For example, the switch from cable operated surfaces to hydraulic boost to fully powered surfaces. The pilot moving the surfaces directly was abandoned with the 747, for obvious reasons.

It's important to realize that the MCAS problems were not due to bugs in the software implementation. It was bugs in the design specification. The spec seems to contradict principles of aircraft design which Boeing holds dear, and I cannot explain how such a design got approved. Cost savings do not explain it at all.
April 21, 2019
On Sunday, 21 April 2019 at 21:05:43 UTC, Walter Bright wrote:
> On 4/21/2019 1:45 PM, Paolo Invernizzi wrote:

>> I'm not interested in the specific case. What I'm wondering is whether software is still not as much under the lens of regulation as hardware or mechanical engineering in general, so there's a "trend" of shifting "weight" from traditional engineering to software engineering, and that's starting to be a problem.
>
> There's been constant upheaval in aircraft systems since the very beginning. There's not really any such thing as "traditional". For example, the switch from cable operated surfaces to hydraulic boost to fully powered surfaces. The pilot moving the surfaces directly was abandoned with the 747, for obvious reasons.

That's my point, that's not software engineering... and the evolution worked well!

> It's important to realize that the MCAS problems were not due to bugs in the software implementation. It was bugs in the design specification. The spec seems to contradict principles of aircraft design which Boeing holds dear, and I cannot explain how such a design got approved.

Again, that's the point! Doesn't it remind you of all the discussion in the forum around the meaning of "assert", recovering from UB, catching errors, and so on? I'm fully on your boat!

So the question: are there so many people leaving that boat? And I'm talking about design and implementation. I think mechanical engineering is still "sane" in that respect...

> Cost savings do not explain it at all.

Au contraire, costs are flooding inside a company from holes that nobody knows about, if they don't have the proper information... don't exclude that...


April 22, 2019
Very interesting take, thanks!

I'm glad that I have ignored this article until now.
April 21, 2019
On 4/21/2019 5:24 PM, rikki cattermole wrote:
> Very interesting take thanks!
> 
> I'm glad that I have ignored this article until now.

Thanks for the kind words! Some more I wrote about it:

https://news.ycombinator.com/item?id=19695091
April 21, 2019
Just to be clear, I don't speak for Boeing, my opinions are mine alone, and I have no direct knowledge of what went on with the design of MCAS, just what I read in the media.
April 22, 2019
On Sunday, 21 April 2019 at 19:52:58 UTC, Walter Bright wrote:
> But it wasn't about cost saving, another scurrilous charge by the author. The fact that a fix is a software update is evidence enough that it was a mistake, not some blind greed.

Which software system is cheaper to design and test, one that uses ONE sensor for input, or one that uses TWO sensors (one of which is part of the "other side of the cockpit" system) and makes sure they both agree, then notifies the pilots that something is wrong and automatically takes MCAS out of the equation?

Which software system is cheaper to design and test, one that keeps track of whether the pilot is fighting its attempts to move the nose down or one that just ignores what the pilot is doing and keeps on blindly moving the nose down?

Which software system is cheaper to design and test, one that keeps track of previous movements of the "nose-down" system to see if further movement would be indicated or makes sense, or one that just keeps going "more nose-down" with no care about what has already transpired?

The fact that a software fix is "part of the fix" does not demonstrate that "no cost savings took place in software development".

In addition to changing the software, they are going to not charge $80,000 for an indicator light that notifies the pilots when the angle-of-attack sensors disagree. Boeing actually charged $80,000 for them to let you know their system was destined for failure. Boeing is also now stating that they will give extra training for the 737 MAX 8, something they avoided previously due to the cost.

>
> There's more, but I should stop here. I'm just tired of these hit pieces from people who only partially know what they're talking about. I'll fly in a 737Max any day.

Boeing management's reaction to two similar fatal crashes of the 737 MAX 8 was "let us keep flying them". There should be people in jail after this fiasco and once let out they should be forbidden from working in the aviation industry (includes FAA personnel). But, as we saw in the Space Shuttle Challenger disaster, no one will do jail time or be punished with fines or being forbidden to work in the industry for "business decisions" that ultimately killed people.
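The three checks Tony asks about above, which are also the missing checks Paolo listed earlier in the thread (redundant-sensor agreement, noticing pilot counter-input, and remembering what has already been commanded), written out as a simplified command gate. This is an added example, not code from the thread or from Boeing, and every threshold, function name and scenario in it is constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed thresholds for illustration, not real MCAS parameters.
AOA_DISAGREE_DEG = 5.5   # max tolerated left/right angle-of-attack difference
STALL_AOA_DEG = 12.0     # AoA above which a nose-down trim is requested
STEP_DEG = 0.6           # nose-down trim applied per activation
MAX_TRIM_DEG = 2.5       # cap on cumulative nose-down trim the system may add

@dataclass
class TrimState:
    applied_deg: float = 0.0          # cumulative nose-down trim so far
    disabled: bool = False            # latched once a fault is detected
    warnings: list = field(default_factory=list)  # messages for the crew

def nose_down_command(aoa_left, aoa_right, pilot_nose_up, st):
    """Nose-down trim increment (deg) for this cycle; 0.0 means do nothing.
    Any fault latches st.disabled and records a crew warning."""
    if st.disabled:
        return 0.0
    # 1. Cross-check the redundant sensor instead of trusting one side.
    if abs(aoa_left - aoa_right) > AOA_DISAGREE_DEG:
        st.disabled = True
        st.warnings.append(f"AOA DISAGREE L={aoa_left:.1f} R={aoa_right:.1f}")
        return 0.0
    if max(aoa_left, aoa_right) < STALL_AOA_DEG:
        return 0.0                    # no high-AoA condition: stay passive
    # 2. Do not fight the pilot: a nose-up input disengages the system.
    if pilot_nose_up:
        st.disabled = True
        st.warnings.append("PILOT OVERRIDE: nose-up input, trim disengaged")
        return 0.0
    # 3. Remember what was already commanded; never exceed total authority.
    remaining = MAX_TRIM_DEG - st.applied_deg
    if remaining <= 1e-9:
        st.warnings.append("TRIM LIMIT: cumulative authority exhausted")
        return 0.0
    step = min(STEP_DEG, remaining)
    st.applied_deg += step
    return step

def run(samples):
    """Drive the gate over (aoa_left, aoa_right, pilot_nose_up) tuples."""
    st = TrimState()
    steps = [nose_down_command(l, r, p, st) for l, r, p in samples]
    return steps, st
```

With a single stuck vane (for example `run([(20.0, 3.0, False)] * 3)`) the gate disengages on the first cycle and records the disagreement for the crew instead of commanding any trim.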
