I'm not an aviation expert, but their reasoning seems to be "it's a tiny chance and we reaaaaaallllly want to use these planes".
We are talking about a known bug that could lead to deaths.
This isn't some critical military aircraft or a cargo plane without which food and goods can't be transported. The only "harm" will be to shareholders.
That's not absolutely true. People's lives have a value, around $10M for US transport. It means that if the cost of potentially saving one human life is more than $10M, it isn't worth it, as in, there are more important things to do with that money, including improving safety in other areas.
Now profits are important too. Companies need money. That's how they pay their employees, do R&D, stuff like that. If they don't make money, employees will get fired, and they won't be able to develop new, better and potentially safer planes. For airlines, they may be forced to make tickets more expensive or lower their standards to compensate for the costs of planes that don't fly. Talking about shareholders, you may be a shareholder too if your savings include Boeing stocks. Less profits has an avalanche of undesirable effects. Some of them affect the 1% but the majority of them make things slightly worse for the 99%.
> Now profits are important too. Companies need money. That's how they pay their employees, do R&D, stuff like that. If they don't make money, employees will get fired, and they won't be able to develop new, better and potentially safer planes.
Wow, I'd have a variety of responses to this remarkable post.
Obviously, safety regulations should allow for the profitable production of planes and they clearly do, the rest should be up to the plane manufacturer. Now, profits as such aren't what creates jobs as such. Rather it's the productive use of capital - a patent troll making a mint creates zero jobs for example. Now, if a particular form of investment doesn't create jobs one place, it should be able to create them elsewhere. Guaranteeing profits in one sector has many pernicious effects, often including a lack of job growth rather than the reverse.
Just as much, the profit/safety equation is more complex than "more profits, more safety spending" (to say the least). For example, if safety regulations can always be ignored for profits, plane manufacturers will build less safe planes over time.
Finally, a management which responds to not being able to produce a new, unsafe design by making their present line of planes unsafe by "lowering standard" should be looking at jail time.
Would you fly on an airplane that had a reputation for crashing? Me neither. Crashing airplanes is very, very bad for profits.
Would you bet your life that reputation alone was enough to keep an airliner from crashing? We know right now airlines shave every possible extra cost to achieve the lowest prices because passengers are very price sensitive.
Even more, right now a lot of people don't know they're flying on any number of regional airlines, some of which may have terrible reputations when they fly "United express" [1]. Consider that one of those airlines beating a passenger to get them off the plane didn't change the situation.
Of course, now we have safety standards rather than just reputation preventing crashes, which seems like the appropriate thing.
Quite right. Yet it's something of a taboo to speak of that reality.
Boeing people in particular know well just how thin-skinned a public in deep denial can be.
Back in the 2000s, a manager uttered the words "torture flights" in a private corporate meeting. Within days his words were leaked to the populist press by rivals within the bureaucracy.
Boeing higher-ups dealt with the ensuing firestorm by disposing of the truth-teller.
If it’s government money it makes sense to save $10m here to apply it there (in theory). But when it’s Boeing’s money it makes no sense at all. Boeing isn’t going to take the $10m they’re not spending and put guardrails on dangerous highways.
It's not really Boeing's money, they aren't a charity, any increase in the price of an aircraft gets passed on to airlines (and from the airlines to passengers)
If unlimited safety improvements are required without regard to cost, it could drive the cost of the aircraft so high that airlines can't afford to upgrade, so they keep their older fleet in service for longer. Which works for a while, but airframes do age and need to be retired.
That's only true if Boeing was the only manufacturer that builds this category of planes (they are not).
Boeing has an issue in their planes that the A350 doesn't have. So if the price of 787's goes up because it needs to go from unsafe to safe, then airlines can buy A350s instead.
Smaller increases in cost also result in some passengers choosing alternate modes of transportation (for example, driving) which are invariably less safe.
That only holds if accepting the higher risk actually comes with the savings and if you are aware of the higher risk you're accepting.
Mostly people don't do safety comparisons of different planes when booking trips overseas and, TBH, pushing that sort of investigation off on consumers creates huge inefficiencies in our economy. It's simply better for the government to hold all options to a certain safety level than try and rely on market forces to balance it out.
Safe and unsafe is not a binary. Any plane is unsafe for certain values of unsafe. Any plane is safe for certain values of safe. There is always a tradeoff, and there is always an acceptable risk, whether you are Boeing or a normal person deciding whether to drive, bike, or take the bus to work.
You could make it a reasonable binary if you define unsafe as "has known bugs that could lead to deaths", which is what the top comment was doing. Not sure if any already-in-use planes satisfy that criterion though.
There are a vast number of “known bugs that could lead to deaths” in these devices.
But when the bug is known to be hit only in astronomically slim scenarios, they don’t rework the entire stack to eliminate it because, well perhaps it is more likely to cause more harm than good?
Maybe it depends on what you'd call a "bug". Even a flip-flop always has a nonzero probability of failure via metastability, but I wouldn't classify every system that uses a flip-flop as "buggy". Though to be honest now I'm not really sure what a consistent and useful definition of a "bug" is, if it's even clear and noncircular. (Maybe the best definition is "has a failure mode unaccepted by the users"? Not sure.)
The state of "Bug" vs. "not a bug" is similarly non-binary.
"unaccepted by users" is circular in this particular discussion, because it started with trying to tease out whether a rare* safety* risk was "acceptable."
* All these debatable words tell me GuB-42's comment is taking the right approach.
You would be incentivizing them to not look very hard as finding a bug would ground the fleet and be extremely expensive. The same way a lawyer will tell you never to see if you're violating a patent lest you pay treble damages for "knowing".
That sounds terrible. This would push toward non-redundant “perfect” designs which are more likely to kill you when they fail. I’d rather have two imperfect engines than one engine with zero known bugs.
Wait what? With your reasoning we could leave those Thai schoolchildren in that cave.
We are not arguing that money spent on wars are wasted and that same money should be better spent on lowering heart disease, we are talking purely about increasing profit.
Well, the meme isn’t that far off. This community is starting to sound like the Soviet Union. Did everyone read that thread this morning and take it as a challenge or something? It’s not a goal to which to aspire.
These are lives you’re talking about here, kids, kids that happen to be currently sharing the same planet as you. Human beings are not figures on a balance sheet, and I lament anyone’s soul that would dispute me on that point. The pillars of this community sit on billions and get hospitals named after them, but some brown kids in a cave are a theoretical exercise to think about economics? They have memories. Families. Hopes. Should we debate your worth? What’s the figure where you are no longer considered worthwhile?
If I can’t meet you on something as fundamental as every life is worth saving, we simply aren’t having the same conversation, and I’ll be honest, your side gives me pause. And I see it far too often among people here who simply consider themselves pragmatic. Many throughout history have convinced themselves of their pragmatism, and we have all paid for it for centuries.
What unfortunate times to live in where the scions of high tech debate the value of individual lives in a far flung part of the world. This thread should disgust.
You are misreading me and the poster above. I was simply explaining what he meant and why it could be seen as rational.
The issue is really not as simple as you describe. Of course every life is worth saving, especially the lives of children. However, given a finite set of resources, would you rather save more or fewer children? The amount of money that goes into a long shot at saving a child with terminal cancer in the US would provide clean water and mosquito nets for many children in sub-Saharan Africa.
Am I saying that we should enforce this reallocation of resources? No. But I am saying that it is complicated.
Seriously, how many kids have died from thirst, starvation, or disease curable with under $10 of medication worldwide in the time it’s taken to try to rescue the kids from that cave?
But people love a spectacle. And heroics. So we just have to figure out how to make mosquito netting seem spectacularly heroic...
Sure, but was money diverted from mosquito netting programs to pay for this rescue? It certainly doesn't seem that way. Rather the resources seem to have mostly come from the Thai military.
Why weren't you asking the Thai military to divert its resources to mosquito netting programs last week?
Surely that can't be true either or we'd be spending all our time saving people.
No the truth is more grim, we will save people until it costs more than we are willing to spend. Over time that threshold has increased with our wealth - but it remains in place as it must. Most people don't consciously think about it and it's upsetting to many.
It would because there are people we don't know how to save yet. The only way to save a cancer victim is to spend all of our time on cancer research. I think what most people mean is that they are willing to go to first order efforts to save people where immediately possible. But that is really just a form of triage and cost saving measure. Practicality still rules in the end.
I don't think I understand your comment. There are people we don't know how to save, but there are also people we do know how to save. The Against Malaria Foundation, for instance, claims that every ~$3k donated results in the prevention of the death of a child under the age of 5 (https://www.givewell.org/charities/amf#Cost_per_death_averte...).
I'm arguing against the idea that people truly believe "every life is worth saving" even by effective altruism advocates. Effective altruism is only arguing how we should ration the resources we've already allocated to helping people. It doesn't address the fact there is a quota at all.
For people who deal with this professionally the quota is defined monetarily. For the average person it's an unconscious decision. But in all cases the amount of resources allocated to helping is not defined directly by the demand.
> Effective altruism is only arguing how we should ration the resources we've already allocated to helping people.
I'm not sure how to determine what "effective altruism" is arguing, but prominent EA advocates like Will MacAskill and Peter Singer are absolutely concerned with increasing the amount of money allocated to helping people. The conclusion of Singer's most famous argument is that we have a moral imperative to donate most of our money to saving the most lives. Even personally, both live modestly and donate most of their income.
If they believe the 787 is, on whole, safer than the planes they're replacing, arguably the case could be made the variance is requested for the best safety for consumers.
Not that I'm qualified to answer whether or not that's the case here, but it's arguably something the FAA would need to consider.
That's statistical. A close approximation of how we value our own life would be the value of a micromort (1 in a million chance of death).
According to Wikipedia people value one micromort of their own life at around $50 (inferred by how much they want to pay for safety features). So if I am average, I would probably value my life at around $50M, so yeah, you are right, though maybe not in the way you intended.
Still, it is difficult to make sense of comparisons between our own perception of the value of life and how much we actually value it based on our actions. The expenses on safety when chances of death are low is only one aspect.
This is a misapplication of a morally bankrupt argument.
That money cannot be spent elsewhere to save lives by Boeing in an area that is regulated by the FAA at the FAA's instruction.
So, yes, $10 million could be spent on education to prevent people making the argument that $10 million could be better spent on letting people be killed, thereby saving countless lives. But that's not what the question is here, and to pretend that it is represents a deeply bogus rhetorical move.
Of course Boeing want to deliver the planes, otherwise they get hit by significant late delivery penalties.
However, thanks to how the industry is regulated, Boeing don't take chances if there is a risk to passenger safety. In this case, the likelihood of a single engine shutdown due to this elusive bug + the failure of the automatic restart system + the failure of the manual restart procedures, _combined with the fact that all commercial aircraft needs to be able to operate with only one of the engines_, makes Boeing ask for the exemption.
The FAA, on their part, is 100% right in demanding that Boeing show their work and is unlikely to grant such an exemption unless the risk is calculated to be negligible.
The bigger issue for the FAA is culture. Flight is so safe because all of those safety measures are taken seriously. Whenever exceptions are made, there is a risk of normalizing deviance, and standards will slowly erode until a disaster shakes us back (and even a disaster is no guarantee to a return to anything near our current level of standards.) Building a safety culture as strong as aviation is hard, and the FAA doesn't like risking it.
The problem sounds to me like it's triggered by environmental conditions, not random chance: "during a step climb to a higher altitude in ice crystal icing conditions". In that case, does having two identical engines really constitute redundancy?
As the probability of a condition triggering failure increases, there is a decreasing probability that redundancy helps.
e.g. volcanic ash is also an environmental trigger. But it is likely to certain to cause engine failure. No amount of ash is acceptable, but there is a density at which engine failure will happen quickly, and it's going to affect all engines at pretty much the same time. So in this extreme case, certain probability of engine failure in the triggering conditions means you have no redundancy with additional engines.
Whereas the problem sounds more variable and complex. Probability is low, therefore additional engines do provide redundancy, just not as much redundancy as being in non-triggering conditions. Decent chance there's enough time to find another altitude to avoid additional failures.
> In this case, the likelihood of a single engine shutdown due to this elusive bug ... _combined with the fact that all commercial aircraft needs to be able to operate with only one of the engines_, makes Boeing ask for the exemption.
That's not very reassuring to me. The article is light on details, but this bug is apparently triggered "during a step climb to a higher altitude in ice crystal icing conditions." The fact that the plane can operate on one engine doesn't do much good if both engines fail due to the same bug because they're experiencing the same conditions at the same time.
Maybe GE has offered to pay them a huge amount if Boeing can avoid hitting GE with the SLA penalties. From Boeing's POV, the lost profit of not getting paid off by GE would be as bad as the loss from not having an SLA in place with GE.
Looks like the bug is known but they plan to deploy a fix to the airliner after it enters production, for reasons unknown to me (likely having to restart some certifications?)
"The root cause of this event is the fact that ICI [ice crystal icing] accommodation logic, as it’s currently certified, is suspended with the application of climb power"
They have a mitigation in the form of an automatic engine restart system. I suspect part of their risk analysis is going to call out reliability of that function.
If the RR engine is failing prematurely then there's also an argument to be made for switching to the GE engine because the maintenance costs are going to be passed on to the passengers in the form of higher prices.
Really? Do you drive? Over 50,000 people die every year due to driving. If you are part of this culture, like most people, you are choosing convenience over lives.
The FAA does a great job with general plane safety. Boeing does a great job with Safety. It's great to see this in public, so we can understand the system that leads to aviation being an unbelievably safe form of transportation, while still being responsive to the market.
All of that said, the modern generation of engines are so complex to hit their efficiency windows, it's majorly impacting airlines. The A320-NEO engines by Pratt & Whitney have huge problems that have significantly impacted airlines and carriers, while GE is struggling with this problem.
All of these are engineering problems, with a complex trade-off between efficiency (fuel), safety and cost.
I worked on engines like these about 5 years ago and they are incredibly finicky and easily require up to 8x the amount of time and attention just to process through one step than a 'standard' engine part.
I don't envy whoever is responsible for shipping these on time.
Basically, the compressor is not lasting near as long as expected, and, since it's a safety-critical part, airplanes are spending a lot of time on the ground awaiting expensive inspections and repairs that weren't in anyone's maintenance schedule.
Also everyone is futzing with business models. There are maintenance facilities from many companies all over the world that can work on airframes, engines etc. The airframe and engine manufacturers are seeing all this post-sale income go to those companies, and not back to the manufacturer. So they are "fixing" that.
For example Rolls Royce does "power by the hour" where the airline is essentially paying rent on the engine while it is in use. That means Rolls takes care of the maintenance etc (all rolled into the per hour price). There are far fewer Rolls locations that can do that work. Then suddenly a lot of maintenance work needs to be done, and planes have to wait.
For those interested in aviation, I recommend following leehamnews[1]. The industry is very similar to what is faced in the software industry but over far larger timescales. eg airframe manufacturers have constant streams of improvements, but have to work out if and how to charge for them, how to deal with existing aircraft of the same model without them ("backwards compatibility"), and the constant spending money to make money. You even see second system effects (arguably the birth of the 787 was just that financially, manufacturing and technically).
And Rolls wants their suppliers to be doing JIT delivery of all their parts--no one in the supply chain wants to be stuck holding the bag on inventory so Rolls expects to whistle at Pratt-Whitney for parts, and Pratt expects to be able to whistle at their suppliers (and down and down the supply chain) and still be able to get parts within an incredibly short window. Oh and they don't want to pay for anything they order until 6 months after receiving delivery. It's an incredibly tough squeeze on the supply chain.
You can tell some of my customers are in aircraft engine manufacturing.
The problem with JIT is the same as the problem everywhere else: When the wrong type of bean counters look at a cost too nearsightedly, they typically address the "static" costs and miss the hidden costs that are much harder to both understand and measure - typically "dynamic" costs that are both under-reported and hard to measure, and also to understand since there are a lot of moving parts.
The whole point of JIT is to take control of the dynamic effects so it's a bit ironic.
There was a lot of coverage of the 787s problems in Polish media recently and it brought to light one thing regarding these engines that really frightens me. Quoting the (leaked?) memo:
>The experience with General Electric Engines, which had experienced perhaps two shut downs on the Boeing 767s in over 20 years, had given the airline a sense of security so that the shut down of one engine did not cause any pressure, the probability of the failure of the second engine was rated minimal.
>Rolls Royce on the other hand had taught the airline however, that this was not true. From RR bulletins it is clear that the shut down of one engine dramatically increases the likelihood of the other engine failing. This forces us to revise our approach to ETOPS.
Similarly, the Leap CFM56 engine (used on the 737 max) has failed (ie, boom) several times now, once fatally un-contained. I think they have quality issues with blades fatiguing and letting go.
The CFM56 (that failed on the Southwest flight recently) is actually a fairly old engine design - it ran for the first time in the 1970s, and has been in service on the 737 for decades. Based on total run time, it's actually one of the more reliable jet engines ever created.
The equivalent product for the A320NEO/737 Max is called the Leap 1A/1B. It's doing better than many of the new generation of jet engines, but it also has a flaw that requires a certain part to be replaced on all ~500 or so in-service engines.
Hey! This is regulation at work when it's working. That's awesome. I gotta say, I'm a pretty big fan of the FAA in terms of their approach to safety and regulation.
This seems kinda weird though to authorize for a commercial passenger craft? I'm curious, why would they authorize such a thing?
Indeed, the FAA have no real reason to authorize that; I would also not expect them to want to grant any exemptions on a blanket basis: usually aviation authorities make rulings on specific aircraft, based on the flight and maintenance data.
It's entirely possible that no one at Boeing believes the FAA will grant this exemption. However, if they don't make the attempt, then when Boeing gets dinged with contract penalties or loses deals because of this problem the responsible person needs to be able to prove that they did everything possible.
> The GEnx-1B engine has a software bug that in one instance prompted the computer to shut down the engine during a step climb to a higher altitude in ice crystal icing conditions.
> Boeing said on 4 March that GE’s fix for the shutdown problem is included in a broad software update called “B200”, and it’s not scheduled for delivery until December 2019. But GE has told FlightGlobal and the FAA that the B200 software update will be ready by the first quarter of 2019.
Safety critical software has longer lead times than other software. There are often code coverage requirements, code review requirements, and extensive automated and human testing cycles.
Edit: I gave you an upvote since this is an area that people should try to learn more about.
While working at NASA on code related to the Space Shuttle I once found a piece of Fortran that jumped into assembler. The assembler bit used a parameter to decide where to re-enter the Fortran code. Over time every exit but one was commented out. I asked "Can we just patch the software to jump from here to there instead?" and the answer was "Your six month project is to replace Fortran with 'C' and that's about how long it'll take to get a code change through the committee." People take flight safety very seriously.
This isn't a matter of just tweaking some code, running your test suite and having someone buddy your check-in. Once they've identified the bug and come up with a solution they probably have to fly an airliner around for a while, deliberately trying to break it, to confirm that it worked.
> 6 months to a year and a half before Boeing thinks they'll have a software patch... That seems silly long
IIRC, SQLite is flight certified...which means that they have to show that every machine code branch is tested by their test suite [1]. This stuff is not developed with the same lax processes as "move fast and break things" web apps.
[1] From some Youtube talk by one of the lead SQLite developers.
That seems extremely quick in this sort of space. This isn’t fixing a bug in a shopping cart or some “silly” web app. This is code upon which millions of lives will ultimately depend.
Agreed. I would have expected 3m. I have a feeling they are also busy with a ton of other issues. The Q is whether this is top priority or not in light of all those other issues and its chance of occurring.
They may have privately requested an extension to the deadline, or they may have submitted the response and the FAA are reviewing the evidence. I don't expect to see any official response until at least end of July.
With safety critical software, the devil you know may sometimes be the better choice. Changing the code to fix a known problem with a known workaround may make things worse by introducing unknown bugs. So which chance do you take? Sometimes not fixing a bug is the right thing to do.
I think a simpler solution would be to require them to post an enormous bond that would tank the company if it came due in the result of a failure in the field.
They can ask for engineering data, but that can be fudged. Asking them to bet the company on it is a much surer bet, imho.
We are talking about a known bug that could lead to deaths.
This isn't some critical military aircraft or a cargo plane without which food and goods can't be transported. The only "harm" will be to shareholders.
People are more important than profits.