Recognizing a problem with the automatic trim, the pilots followed emergency procedures and turned off the system. Instead, the pilots tried to use the backup manual trim wheel to adjust the trim, but the airplane was traveling too fast and the manual trim wheel would have been physically impossible to operate.
Less than two minutes later, Ethiopian Airlines flight 302 crashed, killing all 157 passengers and crew.
The only available emergency procedure requires turning off the electrical trim motors which means you have just the manual crank wheels on the pedestal left. But, what is being reported here is that aerodynamic loads can make those wheels impossible to turn and it's also physically impossible to pull the yoke back with the trim jammed against you.
There is no software fix that resolves this. A runaway can happen for multiple reasons, and there has to be a way for that event to be recoverable even if the trim is driven all the way to the stop before you realize it and yank the power; if it happens and there is no such way, everyone on board dies.
Commercial aircraft are not allowed to have non-redundant critical fault paths such as this where the only available procedure in the event of a malfunction leaves you unable to control the airplane. Such an aircraft is not supposed to be able to be certified for commercial transport.
It took years of proof of reliability through hundreds of thousands of flight hours for manufacturers to get certification for two-engine, extended over-the-ocean flights, known as "ETOPS", which some people (myself included) have called only somewhat in jest "Engines Turn Or Passengers Swim." Critical flight control systems are supposed to be present in triplicate so that even if you lose (for example) both generators (one in each engine) you have one more "thing" available to you, either a RAT (ram-air turbine) or APU you can use to generate power.
The DC-10 that crashed in Sioux City had three hydraulic systems to provide primary flight control authority; the third engine in the tail suffered an uncontained failure (it "exploded") and the resulting pieces punctured lines that were part of all three hydraulic systems. It was the combination of two extremely unlikely events (the uncontained engine failure and then that all three hydraulic systems would be severed) that led to the incident. The pilots on board were unbelievably skilled and more than a little lucky in that they were able to somewhat control the crash-landing that followed and as a result there were plenty of survivors. Nonetheless that exposed the fact that it was possible for a triple hydraulic rupture to occur and the retrofit that came from that incident was the installation of "hydraulic fuses" that would prevent the loss of hydraulic pressure in all three systems even if lines on all three were severed in the same immediate vicinity.
Fixing the software does not resolve the base issue and thus, ultimately, the cause of both crashes. Irrespective of why, if you are forced to shut off the electric trim motors there has to be a means available to regain both trim and primary flight control authority, or everyone on board is dead.
There are two trim motor switches (presumably two separate motors and thus two electrical circuits) but if both are commanded to do the same wrong thing then you only have one system, not two. The requirement for triplicate control authority was never met by this design and in fact there were never even two independent systems because the mechanical backup is non-functional under some flight conditions!
No software mitigation can address this; the lack of a functional backup under some parts of the flight envelope and current trim position is a physical design issue and the lack of two completely independent electrical trim systems is a further design ****-up that should have never been able to be certified in the first place.
The provision of a manual (physical) backup is sufficient provided (1) there really are two completely independent electrical systems and (2) the manual backup is usable and capable of restoring control authority under any set of flight conditions and aircraft configuration -- but in this sort of failure situation it is not usable due to the aerodynamic loads on the stabilizer. Therefore, in the situation where the trim has been driven outside of the normal range by a malfunction, you can't shut off the system's capability to screw you further by yanking the power to the trim motors, because if you do there's no way to restore control authority. You also can't yank power to only one motor, because the computer provides drive signals to both!
Effectively, what this story asserts is that there is no backup system available in the event of a runaway trim drive signal, irrespective of the cause, and that is the root issue. The crew followed the published procedures for a runaway trim, correctly diagnosing what was going on (although not why; in that situation the "why" doesn't matter).
That didn't matter because the so-called backup was inoperative as it wasn't physically possible to manually crank the trim back and as a result everyone on board died anyway.
AGAIN: ASSUMING THE CNN REPORT IS ACCURATE THE ROOT CAUSE OF AT LEAST THE SECOND CRASH CANNOT BE FIXED IN SOFTWARE. THAT AERODYNAMIC LOADS PROHIBIT MANUAL TRIM OPERATION IN SOME AIRCRAFT CONFIGURATIONS AND PARTS OF THE FLIGHT ENVELOPE EITHER WAS KNOWN BY BOEING OR DAMN WELL SHOULD HAVE BEEN BEFORE THE PLANE WAS EVER CERTIFIED IN THE FIRST PLACE.
A MINIMUM FIX WOULD BE FOR THE COMPUTER TO ONLY DRIVE ONE OF THE TWO ELECTRICAL PATHS (WITH THE OTHER ALLOWED TO "FREEWHEEL" WHEN NOT DRIVEN) SO IF IT GOES INSANE YOU CAN SHUT IT OFF WHILE STILL HAVING ELECTRICAL AUTHORITY AND THE MANUAL SYSTEM HAS TO BE REDESIGNED TO BE PHYSICALLY OPERATIONAL UNDER ALL FLIGHT CONDITIONS. NOTHING LESS MEETS THE TRIPLICATE REQUIREMENT -- IT IS NOT POSSIBLE TO RESOLVE THE ISSUE IN SOFTWARE.
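The redundancy argument above can be checked mechanically with a single-fault enumeration. The following is an added illustration written for this page, not anything from Boeing or from any certification document: it encodes the post's assumptions about the trim system as a toy model (two electric motors both driven by automation; a manual wheel that is unusable under high aerodynamic load) and counts how many recovery paths survive under each combination of "runaway drive signal" and "high aerodynamic load". The path names and the `Architecture` layouts are constructed for the example. It goes slightly beyond the text by also evaluating the electrical-only half of the proposed fix, to show that both halves are needed to get more than one surviving path.

```python
"""Toy single-fault redundancy check for the trim-control argument in the post.

Every value here is an assumption taken from the post's description, not
manufacturer data. The point demonstrated: a 'backup' that shares a drive
signal with the primary, or that is inoperable under some flight conditions,
does not count as an independent path.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Path:
    name: str
    electric: bool            # moved by an electric motor behind a cutoff switch
    automation_driven: bool   # the flight computer can send it drive signals
    usable_under_load: bool   # manual path: can the crew physically turn it under high aero load


@dataclass(frozen=True)
class Architecture:
    name: str
    paths: tuple


def recovery_paths(arch, runaway, high_aero_load):
    """Names of paths that still give the crew trim authority.

    Rule 1 (published procedure, per the post): on a runaway the crew must cut
    power to every electric path the automation can drive, so those are lost.
    Rule 2: an electric path the automation cannot drive stays usable.
    Rule 3: a manual path is usable only if it works under the current load.
    """
    usable = []
    for p in arch.paths:
        if p.electric:
            if runaway and p.automation_driven:
                continue
            usable.append(p.name)
        elif high_aero_load and not p.usable_under_load:
            continue
        else:
            usable.append(p.name)
    return usable


def worst_case(arch):
    """Minimum number of surviving paths over all fault/load combinations."""
    return min(
        len(recovery_paths(arch, runaway, load))
        for runaway, load in product((False, True), repeat=2)
    )


# Constructed layouts reflecting the post's description and its proposed fix.
AS_DESCRIBED = Architecture("as described", (
    Path("motor A", electric=True, automation_driven=True, usable_under_load=True),
    Path("motor B", electric=True, automation_driven=True, usable_under_load=True),
    Path("manual wheel", electric=False, automation_driven=False, usable_under_load=False),
))

ELECTRICAL_FIX_ONLY = Architecture("automation drives one motor only", (
    Path("motor A", electric=True, automation_driven=True, usable_under_load=True),
    Path("motor B", electric=True, automation_driven=False, usable_under_load=True),
    Path("manual wheel", electric=False, automation_driven=False, usable_under_load=False),
))

PROPOSED_FIX = Architecture("one automated motor + usable manual wheel", (
    Path("motor A", electric=True, automation_driven=True, usable_under_load=True),
    Path("motor B", electric=True, automation_driven=False, usable_under_load=True),
    Path("manual wheel", electric=False, automation_driven=False, usable_under_load=True),
))


if __name__ == "__main__":
    for arch in (AS_DESCRIBED, ELECTRICAL_FIX_ONLY, PROPOSED_FIX):
        print(f"{arch.name}: worst-case surviving paths = {worst_case(arch)}")
        for runaway, load in product((False, True), repeat=2):
            print(f"  runaway={runaway!s:5} high_load={load!s:5} ->",
                  recovery_paths(arch, runaway, load))
```

Under the as-described layout the runaway plus high-load case leaves zero paths, which is the scenario the post describes. Fixing only the electrical interface leaves exactly one (the crew-only motor), and only with both changes does the worst case rise to two independent paths.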
Update: Here's the report -- it backs up the above, and CNN's reporting.
AGAIN: FROM THE REPORT THERE IS NO FUNCTIONAL REDUNDANCY ON THE 737MAX TRIM SYSTEM, AND THAT IS NOT A SOFTWARE PROBLEM NOR CAN IT BE FIXED WITH A SOFTWARE PATCH. REDESIGN OF THE ELECTRICAL INTERFACE SO AUTOMATION CAN ONLY DRIVE ONE OF THE TRIM MOTORS IS REQUIRED AND THE MECHANICAL BACKUP MUST BE RE-ENGINEERED SO THAT MECHANICAL OVERRIDE IS POSSIBLE ANYWHERE IN THE FLIGHT ENVELOPE. THIS PLANE MUST NOT RETURN TO SERVICE UNTIL BOTH CHANGES ARE MADE AND THOSE WHO FRAUDULENTLY CLAIMED REDUNDANCY EXISTED MUST GO TO PRISON AND FACE MANSLAUGHTER CHARGES.