
Ethiopian Airlines Boeing 737 pilots 'could not stop nosedive' - jfk13
https://www.bbc.co.uk/news/business-47812225
======
matt4077
I’d love to see those people who accused the airline and crew of being
incompetent to apologize in the light of these reports.

It was shameful to see Boeing actively encouraging that narrative behind the
scenes. Especially considering it plays on racist stereotypes equating
„Africa“ with bad training/bad safety record/…. The idea of „dingy third world
airline“ was ridiculous on its face, considering how bad a fit flying the most
modern airliner is with it.

And it was also contradicted by the factual record of Ethopian being a
competent airline on par with any in Europe or North America. Their safety
rating is better than easyjet, Ryanair, Spirit, WOW, and Southwest:
[https://www.airlineratings.com/safety-rating-
tool/](https://www.airlineratings.com/safety-rating-tool/)

~~~
CaptainZapp
Totally agree.

Some of the sentiments expressed here was borderline racist. (badly trained,
overworked cluelless third world pilots not even capable to follow a
checklist).

One of the worst smear jobs was actually by the New York Times accusing the
captain of the Ethiopian plane not having trained in a 787-MAX simulator.

Hello? Wasn't that the whole sales pitch that the plane requires no training
at all for certified 787 pilots? In addition the MCAS crash scenario was
neither part of the manuals nor of simulator training.

Great smear job, NYT! I'm sure Boeing will thank you with a ton of ads.

This[1] fascinating piece outlines what happened to a US pilot who felt
uncomfortable with the minimal training provided and wanted additional
simulator training or at least an instructor on his first flight. Spoiler: It
was not a great carreer move.

If I sound angry as hell, I am. That Boeing didn't ground the plane after the
Lion Air crash (they were busy smearing the airline an the pilots instead) is
nothing short of criminal.

What a disgusting company!

[1] [https://qz.com/1584233/boeing-737-max-what-happened-when-
one...](https://qz.com/1584233/boeing-737-max-what-happened-when-one-us-pilot-
asked-for-more-training/)

~~~
Yetanfou
Please stop looking for racism in each and every aspect of public discourse,
it does way more harm than it has the potential to do good. The harm lies in
the ever larger focus on things which have the potential to divide people, be
they race or sex or gender or religion or any other section. In this case
there may have been a suggestion of the pilots having undergone less rigorous
training and the aircraft being maintained at a lower standard than would be
the case for 1st world airlines. These things may be true or they may not be,
the airline safety records are among the potential ways to ascertain the
veracity of such statements. This has nothing whatsoever to do with race so it
does not make sense to try to draw this in as a factor unless someone made
explicit claims in that direction. I have not seen any such claims, if you can
point at them - and I do mean explicit claims, not so-called 'dog whistles' as
those are subjective - please do so, otherwise keep race out of this
discussion.

~~~
CaptainZapp
Fine. Not racism then.

Can we agree on xenophobic and bigoted?

The discussions here provide ample evidence for that.

------
mhandley
Will be interesting to see the details when the report is actually public. It
does sound like the scenario that Mentourpilot explored in the simulator is
close to what happened, namely:

Bad AoA probe causes MCAS to trim down, and also to indicate IAS disagree.
Pilots increase throttle as per non-normal checklist to reduce the risk of
stalling due to unreliable airspeed. Pilots disable electric stabilizer trim,
as per Boeing's advice, without trimming back to neutral trim. Plane is now
low, accelerating, and trimmed nose down. Pilots likely started to trim up
with the manual trim wheels, but that's very slow, and gets harder as airspeed
increases. And you don't want to reduce power, because that will cause a
pitch-down, and you're close to the ground. At this point you've run out of
options that are recommended by Boeing. The only remaining option is to re-
enable electric stabilizer trim, and use that to trim nose-up.

Now, from what I understand, appying nose-up electric trim should override
MCAS, and so this course of action should be possible. However, at this point,
you're basically a test pilot - this is not on any of Boeing's checklists or
training. Why didn't it work? We'll have to wait for the full report for that
I think.

~~~
alkonaut
I'm an armchair non-expert at best: but shouldn't planes always be
controllable by the column so long as the plane is mechanically OK? I.e. max
power + pull stick should always just take the plane up, regardless of _any_
amount of misconfiguration such as being out-of-trim etc?

Isn't that a reasonable expectation? That is: a pilot in panic at low altitude
should never be required to do anything more than he basically can with hands
on throttle and stick, to avoid disaster?

~~~
Shank
> but shouldn't planes always be controllable by the column so long as the
> plane is mechanically OK?

The problem is that you can easily exceed the aircraft flight specifications
if you enable unlimited control. If you pull the stick back at max power you
can seriously risk the creation of a stall, which is why MCAS exists in the
first place. The whole goal Boeing had was to create a safe plane by letting
software ensure it was always flying within the safe envelope for mechanical
stress.

> That is: a pilot in panic at low altitude should never be required to do
> anything more than he basically can with hands on throttle and stick, to
> avoid disaster?

You would hope this, but what makes the determination that the pilot is at a
low altitude? The altimeter tells you where you are in relation to sea level,
not the nearest distance to terrain. You could be 10,000 feet above sea level
but only 1,000 above a mountain. There's a lot of sensor data you'd have to
take into account if you were to try to enable a higher degree of control
based on how safe/dangerous it is to give that control.

~~~
CaptainZapp
_The problem is that you can easily exceed the aircraft flight specifications
if you enable unlimited control. If you pull the stick back at max power you
can seriously risk the creation of a stall, which is why MCAS exists in the
first place._

That's manifestly wrong.

MCAS was introduced because of the design decision to place the larger and
more powerfull power plants further in front and higher up.

The reason for this was that Boeing wanted to grandfather the 737
certification into this model and wanted to avoid pilot retraining in the
simulator, which was an important sales argument.

The problem with this redesign was that the airframe tended to point the nose
up, since its aerodynamical characteristics changed due to the redesign.

MCAS was introduced in order to simulate the same behavioral characteristics
of the older 737s.

This is proven by the fact that the system was neither documented nor was it
part of the scenarios in the 737 MAX simulator. The idea was that the
functionality is completely transparent to the pilots so that the could fly
the new plane after a minimal presentation on an iPad, which was less thank
one hour if they were already 737 certified.

The problem was not pilots pulling the nose too high. The problem, which MCAS
tried to correct was the tendency of the plane to pull the nose high and
correct for it.

Boeing tried to cram a 50 year old airframe into a new plane with engines too
big to fit that airframe and wanted to avoid recertification and retraining.

That's the whole issue we're discussing here.

edit: clarification

~~~
cmurf
>MCAS was introduced in order to simulate the same behavioral characteristics
of the older 737s.

Sounds plausible, but something with the story is still super screwy because a
nose down "push" every 15 seconds is nothing like older 737 approach to stall
behavior. If the idea is you want the same stick forces at approach to stall
as 737NG, then you need some kind of motor or brake in the yoke mechanics to
simulate it on a MAX.

If it were really simulating the 737NG stick forces, and this were erroneously
triggered in an appropriate angle of attack state, the pilot would simply be
getting weird/unexpected control stick forces - rather than a fight to the
death, possibly at low altitude.

And if that simulation were to fail when needed (real high angle of attack),
well yeah you're fucked if it's a necessary simulation to help the pilot avoid
a developed stall. But at least in that case I would expect even slightly
delayed recovery from stall is a better scenario than forcing the nose down.

I just don't like this feature pretty much as designed when working, when it's
disabled, and when it's confused. It all smells like bullshit. Now I could
easily be wrong and it's actually duck farts. But something stinks. I don't
see how it gets around either FAR 25 airworthiness certification requirements,
because it can be disabled. Or around FAR 61.31 type rating requirement,
because it can be disabled. Disable it, and now your airplane is not airworthy
and your pilot possibly not suitably type rated? Come on.

~~~
CaptainZapp
_But something stinks. I don 't see how it gets around either FAR 25
airworthiness certification requirements, because it can be disabled._

That's easy. When the manufacturer rubberstamps his own ariworthyness
certification this is not really a problem.

 _Disable it, and now your airplane is not airworthy and your pilot possibly
not suitably type rated?_

That's the exact crux of the issue. Boeing panically wanted to avoid
recertification of the plane and the pilots in order to be competitive with
Airbus' A320 NEO.

------
segmondy
I thought this was a software failure initially, but upon following the case,
I have come to realize it's not. I still see plenty of people saying this is a
software failure in this thread. This is not a software failure. This is a
system/process failure on many level.

The plane was rushed to beat a competitor.

A mismatch between the plane & engine happened which can cause it to be off
balance.

A system was added in place to correct it, but this system only used one
sensor instead of 2.

The display could have displayed angle of attack which is a safety gauge, but
it's optional and was charged for. $80k on a $120 million plane. It's now
standard.

The display could also display a disagree light if the 2 sensors disagree, but
that is also an optional feature, which will now be made standard.

The MCSA was only suppose to adjust for .5 degrees and when Boeing & FAA
worked together, this was the agreed parameter, but Boeing changed it after
the fact to I believe 2.5 and never informed the FAA. FAA only discovered this
after the Lion crash.

This new system was not documented. It was not in the flight manual or
training.

Boeing lied to pilots when they asked if there's any new system they should
know about.

FAA wasn't through in certification process and allowed Boeing to sign off
some things themselves.

The failure was on so many levels it's ridiculous. It's a whole collapse of a
system.

Boeing, FAA, certification, QA, hardware design, etc.

If anything I won't even blame the software team much, software has no choice
but to rely on the signal it's reading from the sensor if invalid. My concern
is that the plane wasn't tested with faulty sensor. A happy path was followed.
Testing with faulty sensor data might have shown the tug of war that would
have happened between the pilot & plane. All in all, failure is across so many
levels, it's terrible.

~~~
salawat
This has been just about my exact conclusion. I've just been checking things
off as the evidence rolls in.

------
raverbashing
Funny how people were saying that it was just a matter of pilots shutting off
the system...

Looks like 1) Ethiopian pilots were up to date in training (good for them) 2)
MCAS should have never been shipped

------
dis-sys
With such new evidence, how FAA which refused to ground the 737 Max should be
allowed to walk away from all these for nothing?

~~~
jki275
The FAA did ground the 737 Max.

~~~
dis-sys
FAA defended 737 Max to the very last minute, FAA is nothing else but a cheap
tool for big corporations like Boeing.

~~~
jki275
The last minute when they grounded them?

I don't recall them "defending" anything, anyway, they simply held off
grounding them until they got a little bit of data to back it up.

~~~
dis-sys
> they simply held off grounding them until they got a little bit of data to
> back it up

In my dictionary I have the following term which FAA and Boeing both actively
ignored/violated.

pre·cau·tion /prəˈkôSH(ə)n/ noun a measure taken in advance to prevent
something dangerous, unpleasant, or inconvenient from happening.

~~~
jki275
You have to balance "precaution" with "knee-jerk".

------
prmph
Maybe this is a naive question, but why can't the automated controls on plane
be designed such that: 1\. They can be independently disabled? 2\. For MCAS in
particular, disabling it will automatically revert to the previous trim level
before it shuts off? 3\. They can rely on sensors that are kept in enclosed
storage (thus much less likely to fail due to freezing, etc) and immediately
deployed when there is a problem with the usual sensors? Like the RAM air
turbine? Most auto-pilot malfunctions seem to be due to sensors going bad.

Edit: Sorry I wasn't clearer the first time, but I meant the enclosed
redundant sensors would be brought outside when needed, and retracted when not
in use. Even the pitot tube could benefit from such a scheme

~~~
crocal
Implementor of similar systems here.

1\. It's possible, but you have to understand that a pilot, however bright he
may be, cannot be overloaded with too many modes of operations. You can't
always have Neil Armstrong driving...

2\. We have to wait for the conclusions of the investigation. There is
obviously still a lot of question marks about what /should/ occur and what
/did/ occur, so it's difficult to speculate (at least for me) on what a
correct implementation of the system should have been.

3\. Each sensor has pros and cons. For an AOA, I am not an expert, but well,
it's supposed to measure the lift under the wing, so I don't see how you can
avoid being outdoor to get a direct measure of this quantity. I believe
someone on HN more expert could give more insight here, but my experience when
you try to use indirect sensors is that it générâtes the need for /more/
computational complexity to deduce the intended measure from indirect sources.

For your last comment, I would complement that auto pilots malfunction due to
sensors going bad /unnoticed/.

We should take "going bad" very broadly: either the sensor is broken, or it is
not picking up something that it should because, well, the designer just did
not think about it.

------
WheelsAtLarge
This is a software screwup. It's buggy software due to rush to market. I hope
they do an analysis of the whole project. We can all learn from it.

~~~
bobcostas55
The software did what it was supposed to, the issue was the specification
necessitated by the design change.

~~~
sundvor
Yep, the issues started way earlier than the software. In fact the software is
at the very end of the chain here, unless you also want to insert "no
training". It all started when they wanted those big engines crammed into an
airframe not designed to hold them, so as to try to quickly catch up to
shifting market demands being met by Airbus.

~~~
cdolan
How can you say “no training” caused this second crash after reading the
article? Did you read the article?

~~~
Tor3
(Edited) They had training (and sundvor didn't say otherwise), but still,
remember Boeing's decision that little or no re-training for the Max was
needed for pilots already having 737 training.

See e.g.
[https://edition.cnn.com/2019/03/22/politics/boeing-737-manua...](https://edition.cnn.com/2019/03/22/politics/boeing-737-manual/index.html)

~~~
sundvor
Thanks, that was what I was referring to. Cheers.

------
vfinn
Every time I read about these plane accidents, I wonder why planes don't have
any emergency features to save these people. Couldn't you build a plane that
would eject the cabin as a parachute module or something. Yes, I'm sure this
is naive, but why?

Edit: My point is that almost anything is better than crashing down with the
plane.

~~~
jakecopp
Hard engineering problem - where do you open up the fuselage to get the people
out? It's a tube so you can't weaken it.

You also can't open a hole at the back and let them slide out backwards, you'd
need a cylindrical tube in a tube which can then slide out. That's a HUGE
amount of extra weight and complexity.

Planes are so so much safer than cars. Before we parachute people out of
passenger planes we should be ejecting people out of the roofs of cars if an
imminent collision is detected :)

~~~
skrebbel
> Before we parachute people out of passenger planes we should be ejecting
> people out of the roofs of cars if an imminent collision is detected :)

I'd be "accidentally" driving into a lot of trees if cars had that. Sounds
like major fun!

~~~
leroy_masochist
Have fun! Me personally, I'm going to pass on the concussion and 1/2 inch of
permanent spinal compression that comes with pulling 20 G's

------
deepstream
pilots should not have to fight the system. can there not be a simple button,
"switch to manual"?

~~~
pjc50
Naive question, but is the plane actually possible to fly in "manual"?

~~~
mhandley
The 737 is still mostly 1960s technology, despite all the tweaks over the
years. With autopilot off, autothrottle off, and electric trim disabled, which
is the situation the Ethopian pilots would have ended up in from following the
checklists, all the main flight controls are entirely manual. Only the engine
FADECs can't be turned off, and you wouldn't want to because modern engines
rely on computised controls.

------
rutthenut
Some other info aggregated here
[https://www.theverge.com/2019/4/4/18294317/boeing-737-max-
et...](https://www.theverge.com/2019/4/4/18294317/boeing-737-max-ethiopian-
airlines-crash-report)

Clear to most that the software has/had an appalling design for error-
handling, with tragic results, and blame from Boeing to deflect that

------
DanielBMarkham
There you have it, folks, programmers killing people. No, it wasn't on-
purpose, but that doesn't mean it didn't happen.

This, of course, has been happening for a long time, it's just getting more
and more obvious now. I feel strongly that AF 447 was an example.

It's important to understand that this is the natural result of two trends.
One, software/hardware systems continue to become more and more complex, many
times leading to unforeseen interactions. Two, programmers and programming
management teams love to bunch up the work by things not related to the end-
users: hardware component, new modules, architectural tier, underlying
technology involved.

It doesn't take very much of that at all before you have a whole bunch of
people all doing work of various quality in small enough isolated silos such
that everybody can do a wonderful job -- and the system still kill people.

There's a lot more to add here. It's nothing new, and there are a ton of ways
we've tried to fix this. My belief is that we've failed because we don't
understand exactly what goes into making successful software at scale. I am
quite concerned about it and I have been writing on this topic for several
years. If you're interested in more, see my profile.

~~~
Slartie
I am pretty sure the software here did exactly what it was supposed to do.
There was no buffer overrun, no NullPointerException, not any other kind of
bug. There was just software that reacted exactly as specified.

The problem is: those specifications were bad. It's a bad idea to just rely on
one single sensor when you actually have two, it's a bad idea to write
software that disengages on manual input counteracting its decisions, then
resume overriding pilot decisions out of the blue with a delay of a few
seconds again. And it's an absurdly bad idea to do all of this while not
telling the humans that will have to operate the machinery in the end ANYTHING
about how all of this works.

I totally get why Boeing thought all of those obviously bad ideas were "good"
\- because they helped their bottom line. It wouldn't be possible to
completely hide the existence of the MCAS if there was a potential for a
sensor disagreement that has to be solved manually by pilots, and if it hadn't
been possible to completely hide the existence of MCAS, it wouldn't have been
possible to get the new plane out on the market without requiring expensive
re-training. And that would have made a very convenient marketing claim of
Boeing impossible to make: "this new plane can be flown by all those pilots
familiar with the old plane, no re-training necessary, just read these few
pages on an iPad and you're good!".

But this clearly makes this disaster not a "programmers killing people"
incident. If any "xxx killing people" classification is to be made here, it's
"managers killing people".

~~~
kharms
Bad programming was not the sole or root cause but it was a cause, and people
died. You can't punt on that unless you want software engineer to actually
mean code monkey. The same way a building architect has to sign off on the
design demands of a a client, a software engineer on safety-critical systems
must evaluate the spec and consider the effects of edge cases.

~~~
peteradio
What do you suppose the spec was here and how did the Engineer neglect to
fulfill it? These specs are very compartmentalized, you think the Engineer is
responsible for the big picture understanding and gets to take it up with the
VP? No.

~~~
delfinom
Yea, at a company like Boeing. They compartmentalize the fuck out of the
engineering perhaps a bit too far.

------
hckr123
Old news
[https://www.bloomberg.com/news/articles/2018-03-08/american-...](https://www.bloomberg.com/news/articles/2018-03-08/american-
airlines-to-retire-45-boeing-737s-over-next-two-years)

Just retire the whole plane

------
aschwabe
Has anyone checked if there is MCAS on the 787?

~~~
raverbashing
No there isn't

~~~
dingaling
But there is on the KC-46 tanker for the USAF, but unlike the MAX it cuts-out
upon pilot control input:

[http://www.airforcemag.com/Features/Pages/2019/March%202019/...](http://www.airforcemag.com/Features/Pages/2019/March%202019/USAF-
Reviewing-Training-After-MAX-8-Crashes-KC-46-Uses-Similar-MCAS-System.aspx)

Again it derives from trying to push an older non-FBW design to new limits; a
767 wasn't designed for the large shifts in CoG which occur when offloading
fuel in flight. A FBW type like the A330 that was its rival for the USAF
contract can just subtly command constant minir trim changes.

~~~
raverbashing
Interesting, I didn't know this. Maybe the KC-46 was the prototype (though it
might be checking other inputs) to the MAX system?

> The KC-46 has a two-sensor MCAS system, which “compares the two readings,”
> the Air Force said.

> Moreover, while the MAX 8 MCAS will reset and come back on automatically,
> the KC-46’s system is “disengaged if the pilot makes a stick input,”
> according to the Air Force

So it seems someone did their homework in this case (well hadn't they done, it
would have gotten very ugly as well)

------
guylepage3
I’m a social capitalist. IMO, it seldom happens that the free market does not
punish companies who make serious errors. For those times, logic, common sense
& societal regulation should step in, punish the company with fines ratcheting
up until free market clearly loses confidence.

~~~
golergka
With this kind of publicity I don't see how can Boeing can possibly not
punished by the market itself. Even before 737 Max fleet was grounded, I
already started hearing, from a lot of different people, that they wouldn't
fly on that plane.

~~~
Dirlewanger
Can one even accurately know what plane they will be on until mere hours
before? Does flightradar help with this?

------
rocqua
If this was indeed MCAS, it is my understanding they 'could have' stopped this
by turning off power to the electronic stabilizer trim.

~~~
jpatokal
Per the friendly article, _" Pilots "repeatedly" followed procedures
recommended by Boeing before the crash, according to the first official report
into the disaster."_

~~~
lorenzobr
Exactly.

I find it embarrassing for the society as whole how many people these days
comment on articles or posts by just reading the title.

~~~
rocqua
I read the article, hence my reaction. Because to me, the claims of the
article do not match my understanding of the procedures defined for dealing
with a failing MCAS.

