By Scott Correa
Special to Leeham News
May 27, 2021, © Leeham News: Forty-two years ago this week, I puked at work.
On May 25, 1979, an American Airlines McDonnell Douglas DC-10 crashed on take off from Chicago’s O’Hare International Airport. Within minutes, it was known that the No. 1 engine separated from the airplane just after the airplane was committed.
The aircraft gained a few hundred feet before rolling over on its left wing, crashing into a trailer park. All 271 on board and two people on the ground were killed.
The Federal Aviation Administration immediately grounded all DC-10s in the US because of the engine separation. Regulators elsewhere in the world followed suit.
I was working at McDonnell Douglas Huntington Beach, in the DC-10 Pylon assembly line. I was doing heavy structures assembly drilling and fastening the firewall to the Spars and Pylon skins, the heart of the structure. Over the next few months, we got hammered.
So many fingers pointed at us for killing these people. It got real personal. There were about 30 of us and our world changed when our pylon came off the bird. As the engine separated, it went up and over the wing, as it was designed to do. But the pylon smashed the leading edge of the wing, severing hydraulic lines that held the leading edge slats in place. The slats retracted on the left wing. Those on the right wing remained extended, controlled by a different hydraulic system. The left wing stalled. The pilots followed the book explicitly in trying to fly through the emergency. They powered back, as trained. The book and training were wrong. The reduced airspeed allowed the left wing to stall, causing the plane to roll over and crash.
Ultimately, the National Transportation Safety Board ruled that the mechanics at American erred in a new, short-cut procedure for engine removal and installation. The process was designed as two-step: remove the engine, then the pylon. Install the pylon then attach the engine. American (with FAA approval) adopted a procedure to do this all in one step.
American’s reinstallation had to be absolutely precise. But it wasn’t. Mechanics did it wrong, cracked the pylon part holding the aft portion of the pylon to the wing. It eventually broke, allowing the engine at take-off power to thrust forward and up. The front part failed, and the sequence of events killed the airplane and everyone on board.
I have lost a number of aircraft in my career with stuff very close to my work, and you always wonder, was it me. This time it wasn’t thank God.
A lot of good people stood beside, behind and around us. We were sheltered. Weird things happened. Boeing engineers showed up and asked if they could help.
Years later, I was at Boeing and we lost a 747F when the pylon mid-spar fuse pins failed. The KLM aircraft crashed returning to Amsterdam for an emergency landing.
McDonnell Douglas engineers returned the favor and just showed up. The engineers from my old pylon shop led the group and it was so good to know they had our back.
Aircraft manufacturing is a small world where a community of dedicated professionals do miracles every day. It is a seriously personal business where your fiercest competitor is in many cases a respected friend. Airplane guys will go to war with our products, but when the issue is safety and people, the companies are there for each other behind the scenes. But by the Grace of God go I….
That was then
Today, I can completely empathize with the Boeing 737 MAX engineers and production crews and what they went through. As bad as the media was during the DC-10 crash and investigation, the media today is bigger faster and more voracious than anything we old guys experienced. But it looks like the story was the same. The industry again hit the pause button, and help arrives arrived from your competitors. I can’t prove it, but the suggestion of a synthetic instrumentation addition looks to have Airbus fingerprints all over it, especially when EASA looks to already have the skids greased, so to speak. That doesn’t just happen to materialize across the pond without someone championing it.
So today, we remember our industry in the darkest of times and at their best simultaneously. Competitors who can put aside everything to keep people safe, because without that, we have nothing.
Editor’s note: Airbus offered assistance to Boeing during the MAX crisis. Neither company confirmed whatever help was accepted.
Additional reporting by Scott Hamilton.
Scott Correa was a structures assembler at McDonnell Douglas when the DC-10 crashed. He was a senior manufacturing planner at Boeing upon his retirement.
Editor: “Years later, I was at Boeing and we lost a 747F when the pylon mid-spar fuse pins failed. The KLM aircraft crashed returning to Amsterdam for an emergency landing.”
I believe you may be referring to the crash of El Al 1862 — which is erroneously labeled as being a KLM incident.
Thanks for sharing first hand experiences and observations with younger generations, highly appreciated! Safety first needs to remain our primary driver.
The industry is competing fiercely, but meeting up with colleagues is always nice, you speak the same language, need half a word to understand what’s on and usually they have ideas, cats and gaming sons too.
(fyi: AMS 747F : EL AL)
The photos of the time show the plane without airline name ( just says Cargo) and its a sort of KLM blue colours but the registration number is 4X… which is Israel. It was anonymous for security reasons.
An even earlier example of Industry ‘ brotherhood’. Look up the details of the Lockheed Electra 1959-1960 crashes due to a subtle issue with turboprop engines and engine mounts- now referred to as ‘ whirl mode ‘. Short version was that engine mount design allowed the engine- prop combination under certain conditions act like a gyroscope and set up a major vibration sufficient to excite the wing structure at its ‘ natural’ frequency ( flutter) with ever increasing amplitude until failure. As part of the hair raising airborne test program to ensure a fix, Boeing supplied engineers and some hydraulic ‘ vibrators’ attached to ‘ wingtips’ which could be actuated in flight.
A land based equivalent of the ‘ flutter’ issue is known locally as ‘ Galloping Gertie ‘ [ Tacoma Narrows bridge(S) ]
There are many books and reports about that. Electras later morphed into Navy antisub aircraft and also storm chasers after the fix which also found the wing was much stronger- stiffer than planned.
Aerospace workers l found, take their careers very seriously, like medical people, structural engineers, and so forth. When it happens that they don’t, it’s truly an anomaly. Of course there are the exception – case in point – the leadership at Boeing in the recent past decades who put profits over safety.
Not just the managers…there’s something wrong with the (senior) engineers there also.
Whoever conceived/approved MCAS 1.0 doesn’t deserve to be called an engineer.
Personally, I think the same applies to MCAS 2.0, with its even number of sensor inputs (a no-no in control theory)…also unpalatable to EASA.
Similarly, whoever conceived/approved the manufacturing process changes that caused the recently emerged electrical grounding problem…that person does not deserve to be labeled as an engineer.
We’re talking about very basic errors here, of a totally different magnitude to the issues highlighted in the article above.
Airbus has had it’s issues with it’s flight control laws and air data as well
“When the A330 reached an altitude at which this false angle-of-attack data exceeded a critical threshold, the aircraft’s stall-protection mechanism responded by automatically commanding nose-down.
Investigation of the incident revealed that not only could the flight-control laws command a nose-down pitch, but pilots might not be able to counter the attitude – even if they pulled fully back on the sidestick.”
Jamming of two or three sensors at the same angle could cause the stall-protection system to activate, investigators stated.
Sure, it is hard to design a system that can’t fault in any situation even if you put a dozen sensors. Still, designing a system that can push the nose down with no redundancy at all throws away 30 years of accepted good practice.
I don’t really understand how so basic design error could have been ignored by everybody at Boeing. It is not some obscure, overlooked corner case in a complicated algorithm – redundancy is the most basic rule of safety.
Imagine them deciding that a single hydraulic system is good enough (what could possibly go wrong?) and fire suppression system in cargo is just unnecessary expense.
Don’t forget how far the airframer went to hide MCAS from regulators and pilots; “jedi mind tricked” Lion Air from putting its pilots thru simulators ….
To blame foreign pilots for inadequate training/experience sounds like a hypocrite.
In addition to the A330 issues
“With two of the three angle-of-attack sensors jammed at a consistent, albeit wrong, position the A321’s air data reference system eliminated the apparently spurious readings from the third sensor. As a result the elevator aileron computer – which controls pitch through the elevators and horizontal stabiliser – took into account only the two incorrect sensors.”
The idea that 3 sensors means the issues from only 2 go away, is unfounded.
In my industry it’s called a common mode failure. The way around it is to include sensors of a different brand or better type. For instance instead of vanes pressure null seeking sensors could be used (often used in military fighters) ie two holes offset that generate pressure difference and are driven to balance by a servo. Synthetic air data using inertial navigation unit, gps, thrust and flap settings to provide a robust 3rd sensor that is reasonably accurate . Triplication is not enough to avoid common mode faults. In fact an accident waiting to happen and then there will be carrying on: blaming pilot error, blaming lack of training.
Giving infinite overriding authority in a safety-critical system with only one input from a sensor type that has a reputation for being unreliable — that’s absolutely inexcusable. It’s clear that no (meaningful) Failure Mode Analysis was done in this case.
Using two sensors is also unacceptable, because there’s no mechanism for dealing with sensor disagreement.
Three (or even five) — of different types / makes / models — should be regarded as a minimum acceptable approach. In that regard, it’s unfathomable that the FAA gave a green light to a two-sensor system…and it’s criminally negligent that the original one-sensor system was approved.
The two alpha vanes on the 737-MAX-8 that crashed each had two transmitters (synchros or RVDT) to transmit data. That’s 4 sensors total. In theory they should have been able to detect an electrical fault and some mechanical faults and impeach the sensors. Unfortunately sensor disagree alert was not annunciated due to a claimed software bug except in the case that AOA display had been ordered as an option. Not that it mattered as MCAS was not mentioned in the manuals for the pilots to understand that sensor disagree might cause MCAS to dive the aircraft. The worse flaw was that MCAS did not monitor sensor disagree, in fact it acted on only 1 sensor (alternated with landing cycles). I agree with you that triple redundancy should be the minimum but had MCAS simply deactivated (it didn’t add much to flight worthiness or handling) upon sensor disagree the crashes may never have happened in the life time of the MAX.
Nobody said that 3 sensors means that “the issues from 2 go away”.
But using only 2 sensors is inadequate because there’s still no reliable input when one is defective — after all, there’s no “tie-breaker” present.
And using only 1 sensor is an accident waiting to happen.
3 sensors is the current minimum norm — 5 would be even better.
Preferably of different types / makes.
That of course is prudent design. But senior engineers and management have to work under budget constraints. The MAX people appear from the start to be trying to put square pegs in round holes.
“— after all, there’s no “tie-breaker” present.”
What happened in the Airbus situation of the 2 erroneous sensors agreed and the one good one disagreed, the system followed the majority even though it was wrong.
The final decider , which was the situation in Boeing too, was the PILOT.
The advice from Airbus and regulators ?
“Pilots were issued with new emergency procedures which instructed them to turn off two of the three air data reference units, forcing the reversion to alternate flight law, if they observed symptoms of jammed angle-of-attack sensors.”
So how come having one operative sensor is ‘inexcusable’
There were a lot of things with the 737Max that were inexcusable, but techno-babble about one specific item isnt useful.
Having one inoperative sensor is a severe problem when it’s the only input to a safety-critical system with infinite overriding authority — particularly when the PILOT didn’t know of the existence of that system. That was the whole crux of the MCAS fiasco.
As regards multiple sensors: having bad sensors in the majority is always going to be a *possibility*…but the *probability* of that decreases with every additional sensor added. This failure probability has its highest value when there’s only one sensor present.
Could GPS determine AOA? If that being so, that could be the fall back when all else fails; the pilot could reference it and take over all flight commands…
sam 1 said later ” Could GPS determine AOA?”
Puuuhhhhleese-GPS locates your x, y, and z coordinates relative to earth.
But INS ( inertial navigation systems ) are usually part of the GPS system.
Properly adjusted and referenced , the INS system can determine reasonably close AOA
Matter of fact, 787 systems do use part of the INS to provide a ‘ backup’ AOA
Introducing the 787 Tom Dodt
Chief Engineer –Air Safety Investigation
ISASI September, 2011
•Calculated from angle of attack and inertial data
-AOA –voted dual sensors plus inertial data
-Accurate Coefficient of Lift (CL)
-Airplane Mass from FMC -Validated after Takeoff
Smith, 7-April-2011, ESASI-Lisbon | 41
COPYRIGHT ©2010 THE BOEING COMPANY
My Father was an Aerospace Engineer. He worked for a time at Boeing and later on at subcontractors to Boeing. He mostly worked on the military side of the business, but, did some work on the 747 when military contracts were in a lull. Boeing used to have auditorium size, design review meetings, where you may only present your piece of the project, for a few minutes, but, it was listened to by all groups, with attention to how any changes affected their component or system. It was a good method
to discover problems and suggest alternative solutions early, before various parts were assembled and then tested. He’d fly into Seattle for these design review meetings.
Now a days, it seems that companies have what I refer to as Spreadsheet Management. It’s affected a large part of businesses. Instead of “walk around” management, Managers in Chicago, or wherever, ask for weekly spreadsheets of a projects status. They can label them Green, Yellow and Red and other reporting Managers, spend their time filling them out, rather than walking around daily, touching base with line supervisors, to hunt out issues before they become major problems. You can’t reduce some seemingly small bugs, that may, over time, risk blowing up into a very large headache into a simple Red/Yellow/Green spreadsheet cell. Sharp “Walk around” Management can spot these issues, but, “spreadsheet reporting” Managers will never see, hear or report these bugs. I’ve seen it time and again. They try and make a “one size fits all”, spreadsheet reporting system feeding some sort of dashboard with the goal of showing that all things are fine, and we are on schedule, rather than a reporting of problems to be addressed. Imagine if this was done in the military? You’d end up with ‘things are fine here, very quiet before the Tet holiday celebrations’. You need tight, cohesive communications between
working groups to have a plan come together. This can’t be achieved by separating units and sending fixed Red/Yellow/Green template spreadsheets back and forth. Outsourcing
a design across different companies can lead to large issues, if good communications aren’t used.
Which brings up RONA (Return on Net Assets). Income to Net Assets (over what time period?) A good quick read is here, in 3 parts
(excellent link to Dr. John Hart-Smith’s infamous paper on Boeing’s RONA within the first article)
Boeing has outsourced a large part of their manufacturing, and in-sourced a large part of the FAA inspection process.
And broken the important communication/management aspect in both.
I totally share this feeling of fraternity in adversity at the level of production jobs “on the tarmac” which goes beyond commercial competition and transcends individuals beyond their basic nature. Nevertheless, I have some doubts about the effective mutual aid – beyond various signs of compassion in moments of great doubt such as an aeronautical accident – between white-collar workers of opposite blocks, as organizations are made to compartmentalize the transfer of information, even at the level of structures that should favor the sharing of data to address critical cases. If it happens , it should likely be made in secret like you tell us. Wonderful message . Thanks
“But the pylon smashed the leading edge of the wing, severing hydraulic lines that held the leading edge slats in place”
I’ve often wished some kind of automation had of detected the asymmetric hydraulic pressure loss and retracted the slat.
Ive never liked pure hydraulic systems, too many times even tripple redundant systems have bled out. Many of the worst wide body disasters are associated with multiple hydraulic failure. Electro hydraulic is much more robust because it doesn’t bleed out and can be isolated. It’s a puzzle that these primitive system have been tolerated in regulations decades longer than needed.
Check valves in the right location or a lock pin might be a couple of the right solutions.
Pure hydraulic systems are completely hopeless in cases of airframe damage. They can’t be improved. We saw that with Japan Airlines 123 and United Airlines 232. With a tertiary electro hydraulic systems crews certainly would have had control of ailerons and wing controls on both aircraft and very likely could have had some tail control. Hydraulics only is a half measure even with “hydraulic fuses”. More Fault tolerance and redundancy is essential. There are plenty of times in my career I’ve wondered whether I’ve done enough. Some folks in management don’t want to know.
Most of us who worked around life and safety critial equipment take it seriously.
I was always grateful I never had a failure that threatened anyone life.
I did find a terrible mess up due to gross stupidity by an installing contractor on a Hot Water Boiler. I figured out what he did and fixed it before it could manifest into a disaster (he wired around the Operating control and it was shutting down on the high temp safety which is the last line of defense and you NEVER use a safety as an operating control which is what he had done).
We had one of those 747 Pylons let go on an Evergreen 747 freighter over Anchorage.
The crew saved the aircraft, the engine hit in an Apartment parking lot 1/4 of a mile from where we lived (my wife was outside and saw the whole thing).
Magnificat flying to keep it in the air from a full loaded takeoff in nasty turbulence.
They had not done the maint on the pin.
I have to stand corrected. While the pylon did separate the cause seems to have been a crack in the structure. The immediate response at the time was the pins.
We were flying from Europe to JFK with DC-10s that time. After the accident and grounding had to muster a fleet of DC-9s to fly transatlantic with a stop in Iceland. Crazy times.
‘Boeing to pay $17 million to settle 737 jet production issues’:
“Federal officials say Boeing will pay at least $17 million and take steps to fix production problems on its 737 jets including the Max.
The Federal Aviation Administration said Thursday that the settlement covers the installation of unapproved sensors and other parts on some Boeing 737 NG and 737 Max planes built between 2015 and 2019.
The settlement, while not a large sum for Boeing – the company had $15 billion in revenue in 2020, a down year — is the latest black eye for the iconic American manufacturer. Boeing is still struggling to recover from two deadly crashes that led to a long grounding of Max jets worldwide and other problems that have plagued the Max and other aircraft models..”
The hits keep coming!
More from the Seattle Times:
“[…] that’s the largest fine imposed in some years, it’s a relatively small amount for Boeing. Federal law limits the maximum fine the FAA can impose to about $30,000 per defective airplane delivered.”
“Between June 2015 and April 2019, Boeing installed defective head-up guidance systems made by supplier Rockwell Collins on 618 Boeing 737 NGs and 173 Boeing 737 MAXs.”
“737 Wing Slats
The slate track assemblies guide the controllable ssurfacs on the leading edge of an airplane’s wings.
The FAA said a batch of up to 148 parts, produced by a Boeing supplier, was manufactured improperly and could crack or fail prematurely.”
“SUI notified Kencoa Aerospace, a supplier to Boeing of machined aerostructures in Eastman, Georgia, on July 6, 2018, that a batch of slat tracks had failed a quality test indicating the presence of hydrogen embrittlement.
A month earlier, the defective parts had shipped to Boeing’s major 737 supplier, Spirit AeroSystems in Wichita, Kansas, and were then delivered to Boeing’s final assembly line in Renton.
Kencoa informed Spirit of the problem on Aug. 3, 2018, and Spirit told Boeing on Sept. 11, 2018. Yet through early March 2019, when the MAX was grounded worldwide after the second deadly crash, Boeing certified the planes as airworthy and delivered them to airlines.”
Management valued delivery and thus FCF higher than safety.
Question: what happened to those 737 since then? Were they all repaired properly??
Wonderful personal account of how invested some people are in the industry. If only there were more of this ilk (on the earth, at large) I think the world would be a better place.
I think there are a lot of people that care deeply.
But you run into management that sweeps things under the rug and or flat out lies.
At times I had to decide if I kept my job when over age 55, or do the right thing.
I threaded some needles and people lucked out but that is a terrible place to be.
One was a post quake confirmation the natural gas systems (hundreds of feet of runs) was ok. I was told NOT to come into work
Then when I did I found out that they had only inspected the visible portion and large parts were hidden in ceiling they never looked at.
And the managers are patting themselves on the back as to how fantastically they had responded.
Heroes in their own minds. I am glad I don’t have to deal with that.
I could control what I did but you could throw yourselves into the breach, get fired and it would still go on.
There is an open door between OEMs on safety issues (having dealt with Airbus, Boeing and even Lockheed). Boeing training courses used to show Rule-making as being a 3-legged stool process: the OEM, the regulator and the operator. It’s a simple and accurate description (since the stool needs all 3 legs to stand), plus a great approach.
A real challenge – and potential barrier to improving safety – can be getting operators to tell the regulators and OEMs what they’re finding in-service and from maintenance. Some of this may come from some regulators having a punitive rather than inquisitive response to reports. Often known as “Blame the pilot”; easier if they’ve perished.
In 1990 I was at a Boeing Ageing Aircraft meeting and reported 20% of the findings for the world fleet of 747s – we only had 5 of them.
It is in the interest of OE’s to blame operators, pilots for not sticking to the procedures, requirements, training courses. Even if upgrades, workload changes, grandfathering made those procedures, requirements and training courses substandard/ undoable.
If it’s not the aircraft, you can clean up safety track records (TK1953) and boast high reliability, opening the door for further cost efficient grandfathered certification of design and requirements. We have seen that in combination with political forced streamlining of authorities and self certification. A road map for disaster.
I think a team of the best, deeply independent (~retirement age), certification experts from all over the world taking a fresh look at certification processes of OE’s and reporting their findings might be a good thing for the future flight safety. (ref. JATR).
In my opinion congress tackled international credibility of the FAA, since the 2012 Federal Aviation Administration reauthorization legislation, the following re-authorizations, streamlining demands and delegations. It will take years to recover & no accountability from congress. Cantwell’s and Larsen’s 180s were after the sh.t hit the fan and after they were seen dancing around the fire with Boeing as late as the 2018 FAA re-authorization act (a testimony of arrogance that everybody wants to forget ASAP).
Great comment, keesje. About the only way I see substantive and
positive change as you outline coming is if yet another 737MAX
crashes (no, I do *not* wish for this to happen, but will not be surprised if it does).
Where there’s smoke, et c.
Or if a 787 were to crash, because of some faulty design or manufacturing mistake, who does the NTSB point their recommendations at? The FAA or Boeing’s Designated Examiners for letting the fault go unnoticed? Who’s got the ultimate responsibility?
Is there no shame at all at that company?
Thanks for that link, RD.
Almost wishing that one commenter were still around to explain it all [away] to us.. almost.
The “theory” that India’s refusal to un-ground the MAX has something to do with the CoViD situation in the country, can be assigned to the trash can: Indian airlines are taking delivery of A320 neos, despite CoViD…
On the subject of pilot training and professionalism, pilots in the US are SO much more professional than their counterparts in developing countries…
BBC: “Ex-US airline pilot admits lewd act in cockpit mid-flight”
“A former US airline pilot has admitted committing a “lewd, indecent, or obscene act” during a flight last year.
Michael Haak, 60, exposed himself to the female first officer in the cockpit and watched pornography on a laptop, prosecutors said.
As the Southwest Airlines flight continued, Haak engaged in further “inappropriate conduct” in the cockpit.
A judge in Maryland sentenced him to one year’s probation and ordered him to pay a $5,000 (£3,500) fine.
The incident happened during a flight from Philadelphia International Airport to Orlando International Airport on 10 August 2020, the court heard.
When the flight reached cruising altitude, Haak got out of the pilot’s seat, “intentionally disrobed” and watched pornographic media on a laptop.”
I’m not sure how pilot training came into this discussion, but I wouldn’t judge the pilot community of any country on the actions of one individual pilot. How the airline and judiciary responded might be a more appropriate topic.
Pilot training is a common topic here with regard to automation and regulatory issues, and pilot blaming is a regular indulgence by some commenters to try and detract attention from the MAX’s shortcomings. The common narrative is that pilots in the US are a “gold standard”, and that pilots in other countries are somehow inferior. No harm in showing that the US also has its share of cowboys in the cockpit.
With regard to your statement “I wouldn’t judge the pilot community of any country on the actions of one individual pilot” — I totally agree. Others, however, have no problem ignoring this credo when it comes to “foreign” pilots.
May 20, 2021
‘ It’s a difficult day for Envoy Air (MQ), American Airlines’ (AA) largest regional carrier.
Several news outlets, including CNN and The Hill, report that the FAA has issued a warning to MQ and is investigating the carrier over multiple instances of pilot error.
The CNN story says that it obtained a document from January that cites “consistent evidence showing potential lack of airmanship, and unsafe and poor piloting by multiple Envoy Air flight crews over the past two years.” ‘
Well, well, well…isn’t that something!
Of course there’s absolutely no doubt that, if these crews had been on MAXs two years ago, they’d have performed flawlessly during an MCAS emergency…right?
BA fallen behind on every measure on every issue every day in day out
Pilot blaming revealed as their fantasy porn
787 FAA recent action an illustration of how not to co operate with the regulator
No news on their upcoming chip shortage, which effects every industry worldwide
No news on their 5G manufacture plans – un surprising since few in the US have heard of 5G or are planning to hear, whereas another country is already well advanced
“Ericsson is set to light up a private network in Toulouse, France for Airbus, the world’s second-largest aircraft manufacturer. The network will launch on LTE, but Ericsson and Airbus will test mmWave throughout 2021 in preparation for the launch of 5G on the network.
The network will operate in the 700 MHz and 2600 MHz TDD spectrum bands. The French government made frequencies in the 2600 MHz TDD band available for private companies to use starting in 2019. Part of the 700 MHz spectrum band was allocated to public safety in 2016, and the French government said at the time that it wanted the spectrum to also accommodate critical infrastructure operators and the French defense ministry. (Airbus makes Tetra radios and base stations for public safety and is a defense contractor.)”
“Chinese manufacturers have installed about 5,000 private 5G networks and will add tens of thousands more this year as 5G broadband enables Fourth Industrial Revolution applications, according to mainland industry leaders.
China already has 70% of the world’s installed 5G base stations and 80% of the world’s 5G smartphone users.”
> Giving infinite overriding authority in a safety-critical system with only one input from a sensor type that has a reputation for being unreliable — that’s absolutely inexcusable. It’s clear that no (meaningful) Failure Mode Analysis was done in this case. <
How that could have "happened", caused two crashes costing 346 lives, and no one goes to jail as a result (oopsie!) is a severe indictment of several systems here in the US, and a prime example of corporatist impunity, impunity, impunity.
"should be fine.."