Boeing Withheld Information on 737 Model, According to Safety Experts and Others (wsj.com)
398 points by SREinSF 5 months ago | 209 comments



Before this incident, at least 3 to 4 accidents occurred where the pilot was at fault. Like: they were pulling the sticks too high. The autopilot was screaming "Stall" "Stall". But the pilots were too busy or incompetent to notice. And ultimately crashed the plane.

I remember here on HN, there were cries about why the autopilot didn't take over at that time and save lives. "Pilots should never be allowed to stall the plane."

Well, Boeing's new software did exactly that. Correct the situation when the pilot wasn't. And that crashed the plane.

Interesting indeed. Lesson: There's a lot to look beyond before taking a decision, even when the obvious decision is just in front of everyone.


That analogy doesn’t hold up. All Airbus and most Boeing aircraft have systems to push the nose down in event of a stall.

The problem here is: in the transition from the -NG to the -MAX, Boeing added this protection and didn’t tell anyone.

Imagine someone added Adaptive Cruise Control to your existing car without telling you - the first time the car braked on its own, you’d freak out. The car is suddenly behaving in a way it should be able to.

If you know the system exists, you can recognise what’s happening and deal with it. If you don’t know it exists, the behaviour is going to be absolutely baffling, and no in-flight diagnostic procedure has a step for “did the manufacturer add an important safety device and not tell me?”


Something similar happened in the past: Scandinavian Air 751 (MD-81 with twin aft-mounted engines) had both engines surge due to ice ingestion shortly after takeoff. Pilots were not aware of the auto throttle control, which reverted the pilots' action of reducing throttle (to fix the engine surging). Both engines ultimately failed and the aircraft crash landed. Luckily all survived.

https://en.m.wikipedia.org/wiki/Scandinavian_Airlines_Flight...


For those interested in a video breaking down SA 751: https://www.youtube.com/watch?v=a6oJUt4WWdQ


Well, the throttle control was one issue, but it is far from certain that it would have saved the engines. The main issue was still the ice that went into the engines to begin with. The full report is available here:

https://www.havkom.se/assets/reports/English/C1993_57e_Gottr...


I agree. Improper de-icing + aft-mounted engine is the main cause of this disaster (although ice on wing itself is already a problem as it reduces lift and could cause stalls). My (rather subtle) point is that Boeing can’t really go “oh this has never happened before”.

In fact, as a general rule of thumb, I believe pilots should be well educated on any safety feature that would automatically change the state of the aircraft.


I understand how the term 'ingestion' got to be used but given how turbines react to foreign objects, 'indigestion' seems more accurate.


You have to ingest something to get indigestion, resulting in sentences like "ice ingestion gave the turbines indigestion". At that point it's long-winded and would be shortened to "ice ingestion", making the point somewhat moot.


> The problem here is: in the transition from the -NG to the -MAX, Boeing added this protection and didn’t tell anyone

Totally out of my depth here, but how is it possible that they "didn't tell anyone" about a feature so crucial? How could pilots not know how the plane's computer will behave in such a fundamental, non-edge-case scenario?


Boeing specifically marketed this as not requiring new training. So they did everything they could to hide it in order to satisfy marketing’s desire.

The FAA signed off. I guess the lawyers will argue if it was legal or not.


But it's right there in the Terms of Service box! The pilot probably just clicked right through it without reading.


Wow. Your statement is so true on so many levels and applicable to so many industries that it seems unfair that I can only upvote you once.


That's what I'm wondering about. How did Boeing get away without disclosing it? Or if they disclosed it, how did the FAA agree that this is not something that pilots need to know and train for? If they signed off on Boeing not letting pilots know, the FAA should be on the hook for this too.


A stick pusher is not a new feature. If you're right, and the FAA signed off that operators of the NG did not need any supplementary training, and that caused the accident, that will be very ugly for Boeing.


MCAS is not a stick pusher -- and that's the crux of the problem. A stick pusher would essentially adjust the elevator to pitch the plane down. MCAS trims the stabilizer. At full stabilizer travel you may not have sufficient elevator authority to overcome the downward pitch. Put another way, you can counteract the stick pusher by pulling back (although this may take a strong pilot). If you don't catch MCAS doing something stupid and the plane ends up fully trimmed down you cannot counteract this by pulling back.

Here are some other examples of what happens when the stabilizer is trimmed without the pilot knowing. Sadly Capt. VanderBurgh died a couple of years ago. Had he not, it would have been fascinating to see his take on the Lion Air wreck.

https://www.youtube.com/watch?v=WfNBmZy1Yuc

And here's a quick overview of how the stabilizer functions in a 737:

https://www.youtube.com/watch?v=l62NvkRWa5E


The first video is fantastic (and terrifying). Thanks for sharing.


> At full stabilizer travel you may not have sufficient elevator authority to overcome the downward pitch.

Do the stabilizer trim tabs really have more authority than the elevator? That seems odd.


They aren’t “trim tabs” — it moves the entire stabilizer.


This article from 2013 outlines the differences quite nicely. It's a subtle point (that I hadn't appreciated before reading the article), but trim on a Cessna (on which many pilots learn) and on a modern jet work quite differently, though you rarely ever notice the difference in normal ops (because you never go massively out of trim). The author speculates that several accidents might be attributable to this.

Do you really understand how your trim works? Many do not, and why it matters. Alex Fisher - GAPAN

https://www.skybrary.aero/bookshelf/books/2627.pdf


I only really appreciated this while reading about https://en.wikipedia.org/wiki/Alaska_Airlines_Flight_261

It's quite an interesting one if you are into that kind of thing.


Well an MD-80 does use trim tabs.


Not really. It trims via a moving stabiliser. You are confused because it has flying elevators and the pilot only directly controls the servo tabs which look a lot like trim tabs.


Ah yes, brain fart. Tabs for the elevator, jackscrew for the stabilizer.


Ah ok, that makes sense.


Yes (but it's not tabs)


> Totally out of my depth here, but how is it possible that they "didn't tell anyone" about a feature so crucial, how could pilots not know how the plane's computer will behave in such a fundamental, non-edge-case scenario?

I couldn't even hazard a guess. Boeing told the Brazilian authorities about it. See the table on Page 18 under MCAS.

http://www.anac.gov.br/assuntos/setor-regulado/profissionais...

For comparison here's the FAA equivalent:

http://fsims.faa.gov/wdocs/fsb/b-737_rev%2014.pdf

Note that MCAS is distinctly absent from the difference tables (also) on page 18.

The FAA signed off on the NG to MAX training as "B" level differences. This means no sim time necessary[1] (although apparently American Airlines doesn't have a MAX sim in the first place). The Brazilians were made aware of MCAS and thought that also qualified as a "B" level difference. The question then is: did the FAA think MCAS constituted a C or D level difference?

1: See the table on page 14 for a list of the FAA definition of different categories of differences


Boeing can self certify[0]. I'm not sure where this enhancement/feature would fall but they seem to have at least some latitude.

[0] https://www.seattletimes.com/business/boeing-aerospace/faa-e...


> Imagine someone added Adaptive Cruise Control to your existing car without telling you - the first time the car braked on its own, you’d freak out. The car is suddenly behaving in a way it should be able to.

I recently got a hell of a shock in my father's BMW: I was driving with cruise control engaged, depressed the clutch, and when I released it, found the car re-accelerating to match its previous speed. Every other car I've driven has disengaged cruise when the clutch is pressed, so this took me quite by surprise and could have put me in danger.


Another oddity in using adaptive cruise control that happened to me and scared me a bit: imagine you are in a congested area and eventually enter a lower-speed uncongested area; the car is going to speed up. If you don't notice the speed-up and intervene immediately, you might easily end up at a speed that is unsafe, not allowed, or both.


Does that mean that if you shift down, the car will still accelerate / maintain speed and that "braking on the engine" (slowing the car down by increasing the revs and not accelerating) doesn't work?

What gave me a scare was lowering the cruise speed on the steering wheel by clicking the button a few times, which in fact caused the car to actively brake quite hard instead of naturally lowering its speed.

EDIT Now that I think about it, my BMW does not disengage the cruise when you shift up and ... I'm not sure if it does when you shift down.


> EDIT Now that I think about it, my BMW does not disengage the cruise when you shift up and ... I'm not sure if it does when you shift down.

My BMWs (E46, E39) all have two clutch switch outputs: one for the starter and one for cruise control.


The cars I've driven only disengage cruise control if you tap the brake.


My '97 Mazda, '02 BMW, and '15 Ford all disengage cruise when you clutch. What do you have that doesn't, and are you sure its clutch safety switch is actually working?


>are you sure its clutch safety switch is actually working?

If the clutch switch was inoperative and the cruise control was engaged, the cruise would not know the engine is disengaged from the transmission and would rev the engine up to redline.


Yeah. Another example: the terrorist-proof cockpit doors, which enabled suicidal co-pilot Lubitz to fly Germanwings Flight 9525 straight into the French Alps.

I guess a good thing to note about this is that aviation is so close to optimum safety level that it's hard to find unambiguous ("pareto") improvements; you can just find a different tradeoff. The gradient is pretty close to zero.


One might argue the problem was not the attempt to make systems resilient, but rather the attack model was too narrow:

What if a malicious pilot had been part of the threat model? instead of terrorist-proof cockpit doors, attacker-proof cockpit doors: split the cockpit in half (strong plexiglass), each has their own combination code for their own door. As soon as one pilot starts disobeying ATC, they can choose which pilot gets control of the airplane...

True, the pilots can no longer circle j* during their boring flights...


Those are terrible ideas. No one can foresee all possible threats, or reliably predict which ones will come to pass. It's not possible to split cockpits down the middle because some critical controls such as circuit breakers exist only on one side or the other, but are reachable by both pilots. Adding duplicate circuit breakers on both sides isn't practical for space reasons, and would introduce additional failure points. And allowing ATC to block out a pilot from flight controls would itself be a failure point. What if ATC is compromised?


>Those are terrible ideas.

To the extent the ideas from the peanut gallery are terrible, it is because intellectual property does not allow the peanut gallery to inspect the full airplane designs, schematics etc... I feel confident the community at large (or the relatives and acquaintances of the deceased and their lawyers and or engineers they appoint) could provide better criticisms. But if my aunt had balls she would have been my uncle: intellectual property kills. What is the statistical value of a human life? What is the statistical value of intellectual property?

>No one can foresee all possible threats, or reliably predict which ones will come to pass.

I think that is an open question. But let's pretend you are right for the sake of argument. Improvement does not necessitate foreseeing all problems, excluding failure modes as they are discovered is still improvement, even if they aren't absolute panaceas.

>It's not possible to split cockpits down the middle because some critical controls such as circuit breakers exist only one one side or the other, but are reachable by both pilots. Adding duplicate circuit breakers on both sides isn't practical for space reasons, and would introduce additional failure points.

Space reasons? I'm sure the passengers appreciated their extra millimeter of legroom while crashing into the alps... why not each their own breaker and the circuit only breaks when their breakers agree on breaking? i.e. logical AND. Yes any additional complexity would make the problem space more complex, and should be dealt with using formal verification etc...

>And allowing ATC to block out a pilot from flight controls would itself be a failure point. What if ATC is compromised?

Obviously, the plane only listens to ATC pilot selection when one pilot disagrees (visualize a big red disagree button if you will). As long as none of the pilots has the disagree button engaged, the plane ignores ATC. ATC cannot initiate selection of a pilot. Yes, there are situations that still admit malicious pilots, like: collusion between 2 pilots, collusion between a pilot and an ATC controller. Use things like sortition, and reward ratting out proposals of collusion...

Edit: spelling


I think "someone sitting in the pilot's seat will always be able to crash the plane" is a pretty reasonable assumption. (How do you prevent an intentional cartwheel on takeoff or landing? There are regions of the flight envelope where 2-3 seconds of pessimal input are unrecoverable. ATC override won't help you there) So given that, we aren't trying to prevent the pilot/copilot from intentionally crashing the plane, we're trying to prevent two things:

1. Prevent any passenger on the flight from crashing the plane

2. Prevent anyone from crashing the plane into a location of their choice

Locking cockpit doors prevent the first one. Locking cockpit doors plus 2-in-cockpit rules (as mandated by the FAA, and not implemented by GermanWings) do a good job of preventing the second.


> someone sitting in the pilot's seat will always be able to crash the plane

yeah, in the Airbus A300 just kick the rudders a few times fully left to right (see American Airlines Flight 587) [1]

> 2-in-cockpit rules (as mandated by the FAA, and not implemented by GermanWings)

Just to clarify, GermanWings was not under FAA jurisdiction, so the 2-in-cockpit rule did not apply.

Also, EASA implemented the 2-in-cockpit rule in 2015 after the GermanWings accident [2], but withdrew it in 2016 and replaced it with a more flexible rule [3] after consultation with stakeholders, as "the rule to have 2 persons in the cockpit at all times introduces additional safety and security risks." [4]

As I said somewhere above, there's rarely scope for a pareto improvement in aviation.

[1] https://en.wikipedia.org/wiki/American_Airlines_Flight_587

[2] https://www.easa.europa.eu/newsroom-and-events/news/easa-rec...

[3] https://www.easa.europa.eu/newsroom-and-events/news/minimum-...

[4] https://www.eurocockpit.be/news/end-2-persons-cockpit-rule-s...


>yeah, in the Airbus A300 just kick the rudders a few times fully left to right

Kicking the rudder fully left to right a few times would most likely put any modern airliner outside of its structural limits (and would probably injure lots of passengers even if it didn't). I believe the A300 had very sensitive rudder controls, which made it possible to create extreme loads on the rudder via a sequence of relatively small back-and-forth movements.


>I think "someone sitting in the pilot's seat will always be able to crash the plane" is a pretty reasonable assumption.

The English language is a bit poor on existential and universal quantifiers, which renders the above sentence a bit ambiguous: it could be interpreted as 1) "For every flight and prevention method there will always exist some opportunities for a pilot to crash the plane" (with which I tend to agree) or 2) "For every flight and prevention method, the pilot will at all times be able to crash the plane" (with which I don't agree)

>(How do you prevent an intentional cartwheel on takeoff or landing? There are regions of the flight envelope where 2-3 seconds of pessimal input are unrecoverable. ATC override won't help you there)

I tend to agree.

>So given that, we aren't trying to prevent the pilot/copilot from intentionally crashing the plane

This doesn't follow. We can still limit the attack scenarios to, say, situations like landing and taking off. It doesn't need to be binary; a reduction in threats is still desirable. For example, if Lubitz had been even more antisocial in his destruction by suicide, he could easily have crashed the plane into the surface storage for nuclear waste next to a nuclear power plant. The reactor itself does not house that much nuclear material, while the typical surface storage next to it tends to contain a lot of nuclear waste. He might still kill the passengers on landing and take off, but as crude as it sounds, it's still better than losing the very same passengers and having a nuclear contamination on our hands!

The 2-in-cockpit rule sounds rather weak in my opinion, as it becomes a matter of who is stronger or who strikes first, the element of surprise etc...


The reason that professionals don't want to hear suggestions from the peanut gallery is mostly that the peanut gallery usually comes up with the same silly, impractical ideas over and over again. This distracts the professionals from working on real solutions. Intellectual property has little to do with it. But if IP is your concern, well you can cheaply purchase complete plans for dozens of different light aircraft designs and build them yourself with basic tools. Feel free to do that and use your own airplane as a test platform for your proposals. No one is stopping you; it's totally legal as long as you follow the regulations for experimental aircraft. Let us know when you're done and have something proven to work over thousands of flight hours.

From a systems engineering standpoint, everything you have described would add complexity and would likely be a net negative for safety.


I'm not suggesting professionals want to hear suggestions from the peanut gallery. I don't believe in enforcing desires. I merely postulate that the relatives of the deceased, insurance companies, lawyers and engineers appointed by these family members and possibly judges may want to hear suggestions, or even be forced to hear suggestions during due process...


the terrorist-proof cockpit doors, which enabled suicidal co-pilot Lubitz to fly Germanwings Flight 9525 straight into the French Alps

I believe FAA of US specifically alerted German government's air travel agency (?) about the need to have another crew member (like flight attendant) to be in the cockpit if one of the two had to leave cockpit to use restroom etc, exactly to avoid this kind of scenario.

But the Germany govt agency apparently thought it was unlikely to happen and ignored the recommendation.

I could be wrong, but pretty sure about reading that bit while reading about the incident...


They did just that, but they approached the problem badly.

The article suggests that the pilots didn't know about the new system nor how to disable it. In case of a faulty sensor (Boeing can't be stupid enough not to have a quorum of sensors, can it?) the crew should be able to disable a possibly deadly autopilot.

1. YES - for automation

2. YES - for sensible and safe handling of sensor failure

3. YES - for allowing humans to override the autopilot


Rookie pilot here. Large airplanes have drive by wire systems where the plane pretty much flies itself. But when certain instruments like the Pitot tube don't work then the control is handed over to pilots and they operate in alternate law, where they are responsible for the actions.

If instruments cannot measure key environmental indicators such as velocity, temperature etc - no amount of automation will save the plane.

Instrument meteorological conditions (IMC) / Instrument Flight Rating (IFR) flights are when the plane is flying through darkness, or through conditions that do not allow for a judgement of the visual elements and therefore pilots can easily make incorrect judgement calls on the position of the plane, leading to a crash.

The pitot tube is a primitive equipment to measure wind velocity and easily can be jammed by ice, insects etc. I think it was the Pitot tube malfunction in this plane that caused the incident.


What's being called into question here is the alpha vane (which measures the angle of attack) and AoA disagree warning -- of which the 737 has two and none respectively. This means that there's no quorum (need 3+ vanes for that) and no way for the pilots to know if there's a problem with the AoA data being fed into the computers.

I believe the issue is that this hidden system (MCAS) relies on AoA data which can, per the above, not be validated by the pilots or the computers. Thus the fear is that the plane will go full nose down for no obvious reason. Granted the emergency AD indicates some secondary indicators that your AoA vanes have gone wonky.

Per the AA email:

> The MCAS function becomes active when the airplane Angle of Attack exceeds a threshold based on airspeed and altitude. Stabilizer incremental commands are limited to 2.5 degrees and are provided at a rate of 0.27 degrees per second. The magnitude of the stabilizer input is lower at high Mach number and greater at low Mach numbers. The function is reset once angle of attack falls below the Angle of Attack threshold or if manual stabilizer commands are provided by the flight crew. If the original elevated AOA condition persists, the MCAS function commands another incremental stabilizer nose down command according to current aircraft Mach number at actuation.

IOW: hey, the plane might try to kill you, and while you're busy trying not to die at 5,000 ft please disable the electronic aids and grab the trim wheels by hand. Noting, of course, that it takes the computer ~30 seconds to move the stabilizer from one end of its travel to the other. It'll take a person longer if you're cranking it by hand. This is, of course, all after the pilots have realized what the problem actually is. All of this at five thousand feet where you might not have 30 seconds to respond. I'd suggest that if this scenario is at all close to what transpired those pilots didn't have a chance.


> no way for the pilots to know if there's a problem with the AoA data

Just to clarify, with two AoA sensors, you can know that there is a problem (if they disagree), but you don't know which one is erroneous.

What I find surprising about this crash is that even if there's an indication of unreliable readings, the automation proceeds to actively do stuff - I thought Boeing philosophy was to hand everything to the pilots in such a case.

> I'd suggest that if this scenario is at all close to what transpired those pilots didn't have a chance.

Yeah, absolutely devastating. In the time they had, how were they supposed to diagnose that error condition (automatic down trim), given that a) it sneakily recurs every now and then, and b) it was not prepared/trained for?
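The two comments above (the one quoting the AA email on MCAS behaviour, and the reply pointing out that two AoA sensors can detect a disagreement but not arbitrate it) describe a control loop well enough to simulate. The following is an added toy model written for this thread; it is not Boeing code and not part of the original discussion. The only figures it takes from the thread are the quoted MCAS parameters (2.5 degree increments at 0.27 degrees per second, reset by manual trim, re-firing while AoA still reads above the threshold). The AoA threshold, the stabiliser travel limit, the cross-check tolerance and the pilot's counter-trim per cycle are assumed parameters, chosen only to make the arithmetic visible. It shows three things: a single trusted vane stuck high walks the stabiliser to full travel no matter how often the pilot trims back; with two vanes the disagreement is detectable, so the safe design is to inhibit the automation rather than act on either value; with three vanes a median vote masks the single faulty vane and the loop never fires.

```python
"""Toy stabiliser-trim loop driven by angle-of-attack (AoA) vane readings.

Added illustration for the discussion above; this is not Boeing's MCAS code.
The only figures taken from the thread are the quoted MCAS parameters
(2.5 degree increments at 0.27 degrees per second, reset by manual trim,
re-firing while AoA stays above threshold).  The threshold, the stabiliser
travel limit, the cross-check tolerance and the pilot's counter-trim are
assumed parameters of the toy.
"""
from dataclasses import dataclass
from statistics import median
from typing import Sequence, Tuple

AOA_THRESHOLD_DEG = 12.0   # assumed; the real threshold varies with airspeed/altitude
STAB_LIMIT_DEG = 8.0       # assumed nose-down travel limit of the toy stabiliser
MCAS_STEP_DEG = 2.5        # per-activation increment quoted in the thread
MCAS_RATE_DEG_S = 0.27     # actuation rate quoted in the thread
DISAGREE_TOL_DEG = 5.0     # assumed vane cross-check tolerance


def select_aoa(readings: Sequence[float], tol: float = DISAGREE_TOL_DEG) -> Tuple[float, bool]:
    """Return (aoa_to_use, valid).

    One vane: nothing to compare against, so the reading is trusted blindly.
    Two vanes: a disagreement is detectable but not arbitrable (you know one is
    wrong, not which), so 'valid' is False when they differ by more than tol.
    Three or more: take the median and require a majority to agree with it,
    which masks a single faulty vane.
    """
    if len(readings) == 1:
        return readings[0], True
    if len(readings) == 2:
        return readings[0], abs(readings[0] - readings[1]) <= tol
    m = median(readings)
    agreeing = sum(1 for r in readings if abs(r - m) <= tol)
    return m, agreeing * 2 > len(readings)


@dataclass
class TrimResult:
    stab_deg: float        # nose-down trim remaining after the last cycle
    activations: int       # number of MCAS-style increments commanded
    actuation_s: float     # seconds the trim motor ran under automation
    hit_limit: bool        # stabiliser reached full travel at some point
    inhibited: bool        # automation stood down because the AoA data was invalid


def run_trim_loop(cycles: Sequence[Sequence[float]], gate_on_invalid: bool,
                  pilot_counter_deg: float = 1.0) -> TrimResult:
    """Simulate one cycle per entry of `cycles` (each entry is that cycle's vane readings).

    Per cycle: the automation reads AoA; if it is above threshold it trims
    MCAS_STEP_DEG nose-down at MCAS_RATE_DEG_S; the pilot then trims back
    pilot_counter_deg by hand (which resets the function); if AoA still reads
    high on the next cycle, it fires again.  With gate_on_invalid the automation
    inhibits itself instead of acting on data that failed the cross-check.
    """
    stab = 0.0
    activations = 0
    actuation_s = 0.0
    hit_limit = False
    for readings in cycles:
        aoa, valid = select_aoa(readings)
        if gate_on_invalid and not valid:
            return TrimResult(stab, activations, actuation_s, hit_limit, inhibited=True)
        if aoa > AOA_THRESHOLD_DEG and stab < STAB_LIMIT_DEG:
            step = min(MCAS_STEP_DEG, STAB_LIMIT_DEG - stab)
            stab += step
            actuation_s += step / MCAS_RATE_DEG_S
            activations += 1
            if stab >= STAB_LIMIT_DEG:
                hit_limit = True
        # pilot's manual counter-trim; reaching full travel is already recorded above
        stab = max(0.0, stab - pilot_counter_deg)
    return TrimResult(stab, activations, actuation_s, hit_limit, inhibited=False)


# Constructed inputs: one vane stuck at 20 degrees while the aircraft is really at ~4.
STUCK_ONE_VANE = [(20.0,)] * 8
STUCK_OF_TWO = [(20.0, 4.0)] * 8
STUCK_OF_THREE = [(20.0, 4.0, 4.5)] * 8
# Constructed genuine high-AoA event that subsides after a single correction.
GENUINE_EVENT = [(14.0, 13.8), (9.0, 9.2), (8.5, 8.6)]

if __name__ == "__main__":
    print("single vane, no gating   :", run_trim_loop(STUCK_ONE_VANE, gate_on_invalid=False))
    print("two vanes, act anyway    :", run_trim_loop(STUCK_OF_TWO, gate_on_invalid=False))
    print("two vanes, gate on fault :", run_trim_loop(STUCK_OF_TWO, gate_on_invalid=True))
    print("three vanes, median vote :", run_trim_loop(STUCK_OF_THREE, gate_on_invalid=True))
    print("genuine event, two vanes :", run_trim_loop(GENUINE_EVENT, gate_on_invalid=True))
```

With the assumed numbers, the stuck single vane reaches full travel on the fifth activation after about 44 s of motor time, and keeps re-firing every cycle after the pilot trims back; the two-vane case with gating never commands a single increment; the three-vane case votes the bad vane out. The design point is the middle case: a 2-of-2 comparison cannot tell you which reading to trust, so the only safe response is to stop acting on either, and that response is only possible if the disagreement is actually checked rather than sold as an optional indicator.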


> Just to clarify, with two AoA sensors, you can know that there is a problem (if they disagree), but you don't know which one is erroneous.

The AoA disagree alert is an optional feature on the 737[1]. My understanding is that the AoA display is optional as well[2] but does not break down the info per vane. I don't know if the gauge and alert are bundled together or available separately. So maybe you can know, maybe not.

1: https://ad.easa.europa.eu/blob/2018-23-51_Emergency.pdf/EAD_...

2: https://cimg2.ibsrv.net/gimg/pprune.org-vbulletin/432x481/e7...


That a feature that notifies you that two flight critical sensors are disagreeing is optional is mind blowing to me. It’s like discovering that brakes are optional on the new Mercedes C Class.


Interesting. What I meant to say is that even if the pilots had no way of knowing, the computer should notice and drop into a failure mode (that does not involve trimming down again and again, until the pilot sticks an umbrella in the trim wheel).


I'd be surprised if this was the case. Typically redundancy like this is handled by having A and B systems on commercial aircraft. In the case of flight instruments this is usually divided by pilot and co-pilot systems. They have a separate AHRS (Attitude and Heading system) and their flight instruments show data from each system independently.

If you watch a cockpit video of an airliner taking off you will usually hear the co-pilot announce "80 knots" and the pilot reply "cross-checked". What they are doing is checking that their air-sensor data agrees (within a reasonable margin) for the most critical information at that stage of flight (since takeoff speed is very important with the modern wing shape on an airliner).

Similarly they have A and B autopilot systems which are driven independently by two AHRS units (except in special cases like during auto-land where both systems are operational).

Which is all to say that I think they likely have two separate AoA sensors. Although, perhaps being an optional element, the failure of one doesn't automatically trigger an AHRS disagree message.


> Which is all to say that I think they likely have two separate AoA sensors.

Correct, the 737 NG has two separate alpha vanes[1] and I believe the MAX does as well. However the "alpha vanes disagree" alert is a paid option per the emergency AD. Likewise the AoA indicator is a paid option. There is redundancy, but the plane may be configured such that the pilot cannot determine if there is a failure.

Failure of one or both alpha vanes on an NG isn't a good thing, but failure of an alpha vane on a MAX could cause MCAS to essentially try to kill you and without that AoA disagree alert you may not know why because you've never been informed about this system, and at low altitude you likely wouldn't have time to figure out what's going on.

Edit: if that all sounds fucking insane, it is. That's why American and Southwest pilot unions are livid[2].

1: https://www.faa.gov/air_traffic/separation_standards/ase/201...

2: https://www.seattletimes.com/business/boeing-aerospace/u-s-p...


Okay, so Boeing added an electronic safety feature (with a deadly failure mode) necessitated by physical changes and regulation. They didn't mention it for marketing reasons. They made an indicator of the deadly failure mode of the feature a paid option. Got it.


Reading a little between the lines this is probably related to the pitch - power coupling present on all modern airliners. This is due to the thrust line being below the centre of lift meaning that increasing power causes a pitch up moment.

In the 737 Max this probably got exacerbated to the point that it was possible to fly the plane into a stall by sharply increasing power in a high AoA situation (typically in a go-around). This was probably different enough to the 737NG that they felt it necessary to add the MCAS system to prevent having to do, what they considered, excessive differences training in that phase of flight.


Could well be; I read somewhere that it was related to the ever bigger engines (for more efficient (higher) bypass ratio), which presumably have a lower centre of thrust.


They lengthened the nose gear 20cm to fit the new engines with the same ground clearance. Must have dropped the thrust centre line nearly half of that.


Well the Seattle Times quoted an ex-Boeing employee thusly:

> A former Boeing executive, speaking on condition of anonymity because discussion of accident investigations is supposed to be closely held, said that Boeing engineers didn’t introduce the change to the flight-control system arbitrarily.

> He said it was done primarily because the much bigger engines on the MAX changed the aerodynamics of the jet and shifted the conditions under which a stall could happen. That required further stall protection be implemented to certify the jet as safe.


It is too bloody bad these people aren't being charged. They should go to jail, preferably in Indonesia.


> That's why American and Southwest pilot unions are livid[2]

Wow, the information in that Seattle Times article is really damning! Differences training from the 737 NG to the MAX consisted of a one hour iPad session (plus crosswind training because the permissible roll is reduced due to vertical wing tips). Livid indeed.


That’s actually incredibly common in the airline world. The issue isn’t so much the delivery method but more that information was withheld entirely. A brief description of this system allowing enough operational knowledge to be safe would only add a few minutes to the same iPad training.


I can't believe that the AoA disagree warning is a PAID option. And I've worked in aerospace.


There's actually some precedent for this happening: AA flight 191, a DC-10 that crashed in 1979, wasn't equipped with two stick shakers (a stall warning device) - a paid option at the time.

The series of events that caused the accident are a long story, but power was knocked out to the pilot's controls (where the one stick shaker was installed), but not the copilot's controls (which didn't have a stick shaker due to the selected options). TBH, it's doubtful that the pilots could have recovered in that specific situation, but the chances of success dropped to basically zero when they didn't have a device capable of communicating what was happening to them in time.

Of course, this is obviously different than having no warning system for the type of failure whatsoever (as appears to be the case on the MAX), but it was still a little surprising for me.


Good info thanks. But yeah, with a stick shaker there are many other ways for the pilots to get the same info, so I can sort of understand that as being optional for the copilot. Obviously not ideal, but at the end of the day engineering is nothing but compromise management :)


A minor correction as it pertains to US readers:

>Instrument meteorological conditions (IMC) / Instrument Flight Rating (IFR) flights are when the plane is flying through darkness

In the US, flight in darkness is not flight in IMC. Neither does darkness impose instrument flight rules. Recall that IMC is governed by ceiling, proximity to visible moisture, and visibility: fail one of those criteria and you're in IMC, governed by IFR.

A pilot lacking an instrument rating may fly in pitch black, no moon, (high) overcast over an ocean and still be VFR compliant. Whether it's wise or not is a different issue...


Pilots SHOULD be trained to deal with situations like this - getting trained in simulators replicating the conditions that caused previous accidents.

But, that's theoretical. I'm hearing pilots get massively underpaid for the responsibility they have, unless they gain a certain number of flight hours and years of experience so they can do big intercontinental flights (= more flight hours, = more income). It's up to the industry to fix this problem, and also to fix their own shortage of pilots. Pay pilots a decent wage when they're starting out on their career. Give them the opportunities to gain the flight hours.


Training is extensive and regular re-certification is not optional. However, modern airliners are complex machines with many weird failure modes that rarely occur. Many of these scenarios are covered only occasionally during certifications since there is no chance to cover them all. Many of these scenarios never occur during a pilot's career, but when they do they may only have seconds to take action. Instructors have to choose what to focus on. I'd say this is an example of something that slipped through as something worthy of focusing on.

IMHO the long term solution to improving safety is to make the pilots increasingly redundant. With the current generation of technology this is not yet feasible since they are depending on a wide range of technologies dating back decades. Also a lot of the planes flying are decades old designs. This makes them hard to automate and human-computer interaction has not evolved to the point where a computer can take over these tasks and deal with all the critical human interactions that are involved with operating a plane. In principle the problem is solvable, however. It's mostly just a matter of enough sensors and computation redundancy and improving communication technology to get humans out of the loop.

Mostly pilots these days take executive decisions that boil down to religiously following checklists for basically every scenario imaginable and programming the auto pilot to act accordingly. The auto pilot is activated right after take off and typically disabled on final moments before touch down; or in some cases after landing. Or as in this case, in an emergency.

That's not to marginalize their role. Flying an airliner is a two man operation and they tend to be extremely busy dealing with flying complex procedures, routing around weather, ad hoc cues from controllers, cross checking each other, etc. Most of that stuff requires pilots to have good situational awareness. Most of that awareness is created through reading their instruments, communicating on their radio, and looking outside (when weather permits).

All of that could be automated but it would require a complete rethink of how this business works. For example modern planes are basically equipped with multiple redundant computers and fly by wire control (i.e. a computer controls everything). Yet, critical information is passed to these computers via a non digital communications channel involving people trying to exchange crucial bits of information over a badly congested, low quality radio channel with limited range. This is a ridiculously convoluted, error prone, and hopelessly inefficient way of communicating. The only reason it exists is because agreeing and standardizing on something sensible is going to take decades and has taken decades already.

Most of the chatter on the radio is people cross verifying completely routine information. Worse, people on both sides tend to be very overloaded with information and yet lack the mechanisms to share information other than verbally. Controllers can be juggling communication with dozens of planes and pilots are bogged down in a barrage of instructions, complex procedures, and checklists. A lot of the training focuses on teaching both to stay on top of this (this is very hard). A lot of accidents result from their failure to do so. Emergencies are stressful and stress makes all this even harder.

So, a completely computer based system would do away with most of that to reduce task overload for pilots and controllers and ultimately reduce both of them to the role of remote managers that intervene by exception and very rarely. Ultimately such a system would run itself. Military drones are slightly ahead of the curve here.


> Yet, critical information is passed to these computers via a non digital communications channel involving people trying to exchange crucial bits of information over a badly congested, low quality radio channel with limited range.

This is really arguable.

People always go on about how voice radio communication on a shared channel is from the Stone Age, but what’s better, and why, and can you prove it?

I feel like people drastically underestimate the degree to which the current radio system succeeds in providing situational awareness. We are wired to process and respond to input from human voices extremely quickly and intuitively with lots of nuance, and our visual and tactile systems are pretty well saturated with information while flying.

What’s your superior suggestion? Saying “computers” or “automation” is going to have to address the fact that those things have some issues as well.


I watch quite a lot of youtube pilot footage; just a strange hobby of mine. Watch any youtube pilot doing IFR flights and note how they struggle to stay on top of the radios (depending on their currency and experience). Most pilots know from hard experience that this is a skill that goes within weeks/months if they stop practicing. They know they will start mangling their radio work and make other mistakes. That's because it is freaking hard. It's by far the hardest part of flying a plane. Actually flying them is easy. You'll be flying solo in no time at all. From there to instrument rating, takes years typically. Being an instrument rated pilot means a life of practice and training.

Much of the pilot training for an instrument rating is about staying on top of the radios, dealing with the enormous task load, and planning ahead as to what is going to be required next. As soon as you lose the plot there, you are in trouble: you lose situational awareness, controllers get pissed, things get very stressful, mistakes get made, etc. Many private pilots chicken out from ever getting their instrument rating since it is so enormously challenging and intimidating and since maintaining it is such a big commitment as well.

Most of this is for the perfectly valid reason that this extremely limited and unreliable medium of shouting out letters as words over congested and distorted radio channels is literally the only way to communicate with controllers.

The fix is obvious: send messages over authenticated digital channels with some integrity/sanity checks using some well defined protocol. Start requiring this for all commercial aviation and ban planes from critical air space that are not able to communicate that way. Important messages should require acknowledgement from pilots. There should be zero doubt for pilots about the current status of controller provided altimeter settings, weather report, most recent instructions, etc. Likewise controllers should be able to pick up planes the second their radios and transponders are turned on. This should not be optional. There should be no need for transponder codes. There should be zero doubt about which plane is where for the controller, the entire history of that plane, its current journey, its pilot, all previous communications, etc. None of that should need to be communicated or verified by voice, ever.

Voice channels should be reserved for emergencies. Controllers should be able to talk to any plane without delay. These channels should have stuff like caller id and other fancy stuff any decent mobile phone has been capable of for decades. There should be no need to ever yell out call signs and hope that the other side got it jotted down correctly. Etc.

This is not particularly hard to design technically and hasn't been for a long time. Sure you'd want a sane design and lots of built in checks and balances and back up systems, etc.

But agreeing that it needs to be designed, and then agreeing on a particular design, is what the problem is here. If you doubt there is a problem, consider that essentially every major plane crash gets blamed on "pilot error" and translate that as "they accidentally crashed the plane because they got confused about what to do under the enormous task-load". When shit goes wrong, having a lot of confusion about who said what, who did what, what was the pilot/plane doing, etc. seems standard. There's no need for that, at all. E.g. most of the stuff on a black box should be stored remotely long before the plane hits the ground.
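The comment above sketches what an "authenticated digital channel with integrity checks and required acknowledgement" would have to do. The following is an added illustration of that sketch, not code from any aviation system or from the commenter: each message carries a sender, recipient, per-sender sequence number and an HMAC-SHA256 tag over the canonical payload; the receiver rejects a message whose tag does not verify or whose sequence number is not newer than the last one accepted from that sender, and sends an acknowledgement that the original sender can match against its list of outstanding instructions. The shared key, the callsign "ABC123", the station name "TWR" and the altimeter message are all constructed for the demo.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key: a real deployment would provision per-aircraft keys.
SHARED_KEY = b"constructed-demo-key-not-for-real-use"


def _canonical(payload):
    """Serialize the payload deterministically so both sides tag the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def make_message(sender, recipient, seq, body, key=SHARED_KEY):
    payload = {"from": sender, "to": recipient, "seq": seq, "body": body}
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class Endpoint:
    """One party on the link (a controller station or an aircraft)."""

    def __init__(self, name, key=SHARED_KEY):
        self.name = name
        self.key = key
        self.next_send_seq = 1
        self.last_seen = {}   # peer name -> highest sequence number accepted from it
        self.unacked = {}     # our seq -> instruction still awaiting acknowledgement
        self.inbox = []       # accepted instruction bodies

    def send(self, to, body):
        seq = self.next_send_seq
        self.next_send_seq += 1
        if body.get("type") != "ack":          # acks themselves are not acknowledged
            self.unacked[seq] = body
        return make_message(self.name, to, seq, body, self.key)

    def receive(self, msg):
        payload = msg["payload"]
        expected = hmac.new(self.key, _canonical(payload), hashlib.sha256).hexdigest()
        # Integrity/authenticity check first: anything modified in transit is dropped.
        if not hmac.compare_digest(expected, msg["tag"]):
            return ("REJECT", "bad tag")
        if payload["to"] != self.name:
            return ("REJECT", "not addressed to me")
        # Freshness check: a re-delivered or stale message is never acted on twice.
        if payload["seq"] <= self.last_seen.get(payload["from"], 0):
            return ("REJECT", "replay or out of order")
        self.last_seen[payload["from"]] = payload["seq"]
        body = payload["body"]
        if body.get("type") == "ack":
            self.unacked.pop(body["ack_seq"], None)
            return ("ACK_RECEIVED", body["ack_seq"])
        self.inbox.append(body)
        # Every accepted instruction is acknowledged back to its sender.
        return ("ACCEPT", self.send(payload["from"], {"type": "ack", "ack_seq": payload["seq"]}))


def run_exchange():
    """Constructed exchange: one altimeter setting, its ack, a replay and a forgery."""
    atc = Endpoint("TWR")
    acft = Endpoint("ABC123")
    instr = atc.send("ABC123", {"type": "altimeter", "qnh_hpa": 1013})
    status, ack = acft.receive(instr)          # aircraft accepts and emits an ack
    ack_status = atc.receive(ack)              # controller clears the outstanding item
    replay = acft.receive(instr)               # same message delivered again
    forged = copy.deepcopy(instr)              # altered value with a new seq, old tag
    forged["payload"]["body"]["qnh_hpa"] = 1003
    forged["payload"]["seq"] = 2
    forged_status = acft.receive(forged)
    return {
        "delivered": status,
        "ack": ack_status,
        "outstanding": dict(atc.unacked),
        "replay": replay,
        "forged": forged_status,
        "inbox": list(acft.inbox),
    }


if __name__ == "__main__":
    for k, v in run_exchange().items():
        print(k, v)
```

The order of checks matters: the tag is verified before anything in the payload is trusted, so a forged message cannot even influence the sequence-number state. What the example does not cover is key distribution and clock or session handling, which are where most of the real design effort in such a protocol goes.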


I’m a licensed pilot. I remain skeptical of your argument.

There’s no question that staying on top of a complex flight has a heavy mental load. But I’m not convinced radio is the problem.

The information has to be conveyed somehow. Having humans at every step is a clear sanity check.

Either you cut humans out of the job of decision making and have computers make decisions, which introduces all sorts of new issues, or you have to give humans information and context.

And as long as humans are in charge, humans talking to other humans is underrated as a means of getting a lot of information across quickly and effectively.


I'd argue the current style of communication is effective (by design) but neither quick nor easy out of necessity.

Basically, aviation has a long history of increasing safety by taking tedious complicated tasks away from humans (e.g. dedicated navigators, radio operators, and engineers used to be a thing). This is just the next obvious thing to tackle. I'd also argue pilot stress and task load is the biggest killer in the aviation industry and the single biggest root cause of every crash ever.

Also, I'd argue this is an extra tool. Of course talking to controllers and other pilots in the area should always be an option. Especially, at uncontrolled fields. Wouldn't it be nice if you can skip the formalities of telling over and over again who you are, where you are, etc. because the other side already knows this?


As an instrument-rated pilot, I reject your brazen assertion that radio work is "by far the hardest part of flying a plane." Are you speaking from personal experience, or do you have some data to back up this claim?

From an instrument proficiency point of view, I'm much more worried about efficiently understanding the information on the approach plate, maintaining situational awareness with respect to the approach path, adhering to minimums, and so on. Missed something that a controller said? "Say again." There's a reason it's aviate, navigate, and communicate--in that order.


I can bounce that right back. Do you have solid data proving beyond reasonable doubt that task saturation is not a major factor in airline crashes (considering pilot error is cited frequently as a root cause)? And would you reject tools that reduce task load because of that?

You bring up a fine point: aviate, navigate, and communicate - in that order. Very sensible when everything is manual and you are task saturated to drop tasks in that priority; which is what this is about. If you automate communication and remove most of the task load related to that and navigation, it frees you up to let the auto pilot do the aviation bit.


But as soon as any or all of that fails, you have to fall back to voice communication. And if the pilots aren't used to doing that, and well practiced in the standard phraseology, it will be very prone to error or misunderstanding.


I'm skeptical whether automation of handling failures will be feasible. For example, Chesley "Sully" Sullenberger of US Airways Flight 1549 "Miracle on the Hudson" fame intentionally skipped steps on the checklist for handling engine failure because he didn't have time to go through everything, and the checklist itself didn't quite fit the actual situation which obtained at the time. In the end that proved to be the correct decision.


Maybe in the US, here in the EU even the newest Ryanair pilot makes 100k.

https://careers.ryanair.com/pilots/pilotpayincreases/


In the US, new commercial pilots (with ATP license) earn somewhere in the $20k-$40k range.[1] And many take on massive debt for the privilege - college degree and flight training together can cost upwards of $200k.[2]

1 - http://fortune.com/2014/03/03/why-airlines-are-running-out-o...

2 - https://daytonabeach.erau.edu/admissions/estimated-costs/


Yeah, that's not true. The chart you link to says new first officers based in Dublin make 78.400 EUR (with "Productivity" which might not be guaranteed). And since Stansted Captain salary is lower, I would suggest that Stansted FO salaries would be lower too. Additionally, other bases in southern Europe might be even worse.


You are right, the figures are misleading and do not represent EU pilot salaries. Apologies for the error.


>I'm hearing pilots get massively underpaid for the responsibility they have,

I think this is outdated from the post-2008 crisis time, when airlines cut back on flights. Currently there is a massive shortage of pilots, some make 150k ~ 300k in the Middle East or China.


According to this [0], there are quite some caveats for airline pilots in China.

I was going to quote parts of it, but it's all quite insightful that making 150k-300k is not quite how it goes. Take a read.

[0] https://onemileatatime.com/expat-pilots-in-asia/


There are a bunch of situations where the autopilot in fact turns itself off. For instance, when the sensors are providing faulty readings. And, coincidentally or not, the plane had had one of its sensors replaced a day or two before the crash. So, a priori, I wouldn't be so sure that the pilots should just have let the embedded software free to do its job. It may have been the case, of course, but only the investigation could tell.


But apparently it was still possible to put the plane into a mode where it crashed. A lot of previous conversations about this topic were related to Airbus flight control laws.


Pilots have a license to fly specific airplane models only. They are trained for each new model.


From what I gather, they have a license for a specific category (airplane) and class (multi engine land), and then (above some threshold) require type ratings for specific types.


Ok, well perhaps that's a problem right there.


This is part of an unsettling trend where companies prefer to keep users in the dark about the underlying tech of their products. For normal consumer tech, I can kind of understand, but what astonishes me is that this mindset has extended to aircraft, where the "users" are pilots of commercial aircraft!

The article's quote from a high-ranking Boeing official sums it up: the company had decided against disclosing more details to cockpit crews due to concerns about inundating average pilots with too much information—and significantly more technical data—than they needed or could digest.


Telling pilots that when they fly a Boeing, they are always in control and have the last say has been part of Boeing's narrative against Airbus for as long as I can remember.

This might have contributed to their reluctance to talk about adding flight envelope protection features and hiding that even when pilots are "manually" flying, the flight control computers can kick in.

Seems like a reminder that "reality must take precedence over public relations".


As crass as it is, s/must/should/. Because clearly it doesn't.


That is a quote of Richard Feynman's conclusion to his report on the shuttle Challenger accident: "For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled."


I agree with you here, though I cannot understand this in "normal consumer tech" either. Most people may not need to know, but a subset of customers does need to know. People also have an incredibly good mental capacity to filter out information not relevant to their needs (as evidenced by the continued existence of advertising online).

RE that Boeing quote, I'd really love to know what research on human mental capacity they based this decision on. This is not snark, I understand that a lot of decisions that go into airplanes are based on solid reasons. This particular one doesn't seem to be, though I'd love to know if I'm wrong about this.


One of Boeing's selling points for this model was that pilots would not need "simulator training beyond that already required for older versions". Disclosing the extra technical information may have invalidated this "no extra training needed!" selling point. In this context, the whole "inundating average pilots with too much information" argument looks more like an excuse.


That is worrying. Part of the reason the roads are so dangerous relative to the skies and railways is that the people operating those cars are not professional drivers but merely normal people who are barely trained. Has it got to the point where pilots of commercial aircraft are just normal people who can't handle actually knowing how a plane works?


No. Just compare the difficulty of getting a regular driver's license to that of a license to fly commercial airliners. It's safe to say that _almost_ every pilot can control a plane without incident when sensors / automated systems fail, so long as they are given full manual control. Automation overriding pilot inputs during sensor failure is a recipe for disaster.


> Automation overriding pilot inputs during sensor failure is a recipe for disaster.

In 2009 an Airbus A330-200 crashed into the Atlantic ocean killing more than 200 people because a confused pilot kept pulling the plane up, despite loud stall warnings from automatic safety systems [1]. In the discussions of that event, one commenter asked, "Why did [the plane] not override the pilots' inputs and force a pitch-down?" [2]

Designing safety critical systems is difficult. If the automated system fails, the pilot needs to be able to take over manual control. But at the same time, if the pilot does something stupid, the automatic system should prevent that.

I'm not sure how to square that.

[1]: https://www.telegraph.co.uk/technology/9231855/Air-France-Fl...

[2]: https://news.ycombinator.com/item?id=8452080


One of the confounding elements of that particular crash was the fact that when the angle of attack increased above a certain (crazy) amount, the stall warnings went away, due to the inability of the system to cope with an angle of attack that high. This confused the pilots into thinking they were going "crazy fast", when actually they were going "crazy slow".


Yes, I point out AF447 as a perfect and horrific example of a problem which is really HCI (human computer interaction) / UX.

The lack of stall warning meant two different things: "not stalling", and "stalling so extremely it can't be sure, so don't report it"; as you say. I wondered if there should be a different sounding alarm for "can't determine". Or, the pitch of the stall alarm could rise, such that pilots could tell "which side of the stall" the plane is on, so that entering stall from one side would start with a very high pitch or very low pitch. (I'd guess there's a better way..)

So, in this case, it's more subtly tragic than you describe, because the pilot did correct the AoA, and nose down, but when he did that, the stall warning resumed (albeit from the extreme other "side" of the interval), confusing him: no alarm, alarm resumes, so he thought he "re-stalled" it and he pulled up again. This kept him mentally "stuck" in the extreme stall. They needed to "pass right through" the stall warning window, and come out the other side. They had sufficient altitude for this to succeed.


This is equivalent to a confused deputy variant of a Byzantine failure.

Since you already have allegedly redundant pilots and alarm systems and hopefully sensors, the remaining part is figuring out which failure detector has ultimately failed to work and why. Also if redundant pilots are failing, it's a systematic failure in training, fatal to airlines and whoever designs training simulators.

The most potentially fatal to Boeing scenario is a systematic failure or negligence in terms of redundancy. Hampering pilot training is bad enough. Another potential failure point is a software issue which means negligence in safety critical software engineering.


I disagree. Flying a plane is pretty much a simple state machine with very well defined states. We have hundreds of thousands of flight hours available and we can also build a very realistic simulator which is used extensively to train pilots. It should not be a challenging task to build a reliable auto-pilot, and in fact we already have one that covers most of the aspects of flying. On top of this, most of the flight related incidents are human errors.


You have been misled concerning the accuracy of simulators. "All models are wrong, some are useful" is a helpful quote to remember here. Certified sims are typically very accurate when it comes to avionics and systems. They are often much less representative where vehicle dynamics are concerned.

Even the most heavily analyzed aircraft can produce surprises once they actually take to the air. Look up "Super Hornet uncommanded wing drop". Or look at dynamic scaling tests (https://www.nasa.gov/pdf/483000main_ModelingFlight.pdf) which uncovered two spin modes in the F-15 that were previously entirely uncharacterized. (Not sure if the linked doc covers that instance specifically -- I learned this from speaking with the study PI. And no, most aircraft programs don't get to do dynamic scaling tests.)

All this is to say that a variety of potential non-linear behavior is lurking inside any given airframe, and all the wind tunnels and CFD in the world will merely allow you to model most of the useful operating conditions, but certainly not all of them.

Simulators, just like autopilots, are useful for finite input ranges. If you leave those input ranges, your simulator will precisely and repeatably model a fantasy, and your autopilot will disconnect.

Source: Short career as an aerospace engineer.


And how do you train pilots for these unexpected non-linear events? What stops you from training the auto-pilot the same way?


The point of my post was to say that these unexpected events will not come up in your simulated environment, so you simply will not have the data needed to train the autopilot.

The human, by and large, figures it out. We generally accept that risk. But how will the autopilot react to the unexpected event for which you haven't trained it? Who knows?


It doesn't sound that plausible that we can account for all the various things that can happen to a plane in something as complex as the earth's atmosphere with a "simple state machine". Weather can do really wacky things.


You are saying that it is impossible to implement auto-pilot? How does a human pilot fly planes? You think that the human mind can deal with infinite states?


Yes the human mind can deal with an effectively infinite number of states (and let's not get into a pointless pedantic discussion about the true meaning of "infinite"). Until we figure out how to build a true AGI then no autopilot will be able to do that.


No it can't. Flying an airplane on Earth is a very limited exercise in every possible dimension and it can be easily automated without AGIs.


You're simply wrong and have no idea how flight control actually works. In particular failure modes aren't simple at all; real machines can break in a huge number of ways and no one could possibly predict them all. Recommend you take some actual graduate level aeronautical engineering courses and then reconsider the issue.


I am not arguing about how machines can fail, I am arguing that computers can do the things that humans can. Usually with higher precision and much more reliably.


Machines can do some things with higher precision and reliability than humans. Coping with unexpected aircraft failures isn't currently among those things.


noselasd ain't wrong. Autopilots can and do disconnect when the weather conditions exceed their ability. Happens all the time, though probably not often in large airliners because the big carriers have people dedicated to watching the weather and keeping their pilots out of trouble. Your state machine will have to do that, too.


[flagged]


I know, this is why we do not have auto-pilot.


The system needs to realize that there is a sensor failure. If the Lion Air crash is due to a faulty sensor Boeing needs to answer some serious questions:

1. Why did they not inform operators about changed system behavior?

2. Why wasn't the system capable of detecting sensor failure and/or acting accordingly? In the automation industry one goes to great lengths to be able to tell good sensors apart from bad ones. Why was that not the case here? If it is not possible to tell bad sensors from good ones, why wasn't there (sufficient) redundancy (=multiple sensors) which at least deactivates the system on conflicting input?


Re 2:

There are two AoA sensors. However, good question - why aren't there 3 (so you can have majority quorum in case of one failure), and why wasn't automation disabled once a discrepancy between the 2 existing ones was detected?


I've seen a similar failure in a van. The van was equipped with antilock brakes, which override the driver's control input and reduce braking force when the speed sensors on one or more wheels detect that the wheel has stopped too suddenly, as if skidding. One of the sensors had malfunctioned, resulting in an "ABS" warning light, and a fault code readable with a tool indicating which sensor was malfunctioning.

Did it disable the ABS? No. Instead, it continued to rely on the faulty sensor information, activating ABS under moderate deceleration on dry pavement, greatly reducing the available braking force and creating a severe danger.

I think there may be a bias among people designing safety equipment to always try to provide the intended safety benefit, even when part of the system isn't working. The problem is it's easy to lose sight of how the safety feature fits into the overall picture. A pilot can almost always safely fly a plane that doesn't use automation to recover from a stall, but not necessarily one that uses the trim to point the nose at the ground in spite of control inputs to the contrary.
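Two comments above ask the same engineering question from different angles: why automation should stand down when two sensors disagree, why three sensors allow a majority vote, and why a sensor that has already raised a fault code (the ABS case) should be excluded rather than trusted. The block below is an added illustration of that reasoning, not Boeing's, Airbus's or any vehicle manufacturer's logic: readings carry a fault flag from self-test, a median-with-tolerance voter excludes flagged and outlying sources, automation is only allowed to act when at least two sources agree and they form a majority of all installed sources, and everything else results in the protection being inhibited (fail passive). The sensor names, angle-of-attack values, the 2 degree agreement tolerance and the 15 degree action threshold are constructed for the demo.

```python
from dataclasses import dataclass
from statistics import median


@dataclass
class Reading:
    name: str
    value: float            # angle of attack in degrees (constructed values)
    fault_flag: bool = False  # built-in test of this sensor reported a fault


def vote(readings, tolerance_deg=2.0):
    """Return (state, value): state is VALID, DEGRADED or INHIBIT.

    VALID    - every installed source is healthy and agrees
    DEGRADED - a majority agrees, but at least one source was excluded
    INHIBIT  - no trustworthy majority; automation must not act on the value
    """
    healthy = [r for r in readings if not r.fault_flag]
    if len(healthy) < 2:
        return ("INHIBIT", None)          # a single source cannot be cross-checked
    vals = [r.value for r in healthy]
    m = median(vals)
    agreeing = [v for v in vals if abs(v - m) <= tolerance_deg]
    # Need at least two agreeing sources, and they must outnumber all other
    # installed sources (flagged or disagreeing), i.e. form a strict majority.
    if len(agreeing) < 2 or 2 * len(agreeing) <= len(readings):
        return ("INHIBIT", None)
    state = "VALID" if len(agreeing) == len(readings) else "DEGRADED"
    return (state, median(agreeing))


def protection_command(result, limit_deg=15.0):
    """Map a vote result to what the stall protection may do."""
    state, aoa = result
    if state == "INHIBIT":
        return "PROTECTION_OFF"   # fail passive: leave the pilot's inputs alone
    return "NOSE_DOWN" if aoa > limit_deg else "NO_ACTION"


def scenarios():
    """Constructed readings covering each outcome of the voter."""
    return {
        "two_agree": vote([Reading("L", 5.0), Reading("R", 5.5)]),
        "two_disagree": vote([Reading("L", 5.0), Reading("R", 20.0)]),
        "two_one_flagged": vote([Reading("L", 5.0), Reading("R", 20.0, fault_flag=True)]),
        "three_agree": vote([Reading("A", 5.0), Reading("B", 5.5), Reading("C", 6.0)]),
        "three_one_outlier": vote([Reading("A", 5.0), Reading("B", 5.5), Reading("C", 20.0)]),
        "three_one_flagged": vote([Reading("A", 5.0), Reading("B", 5.5),
                                   Reading("C", 20.0, fault_flag=True)]),
        "three_all_differ": vote([Reading("A", 5.0), Reading("B", 15.0), Reading("C", 25.0)]),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20s} {result} -> {protection_command(result)}")
```

The two-sensor disagreement and the flagged-sensor cases both end in INHIBIT, which is the behaviour the ABS comment wanted and did not get. The three-sensor cases show what the extra unit buys: a single outlier or a single fault still leaves a usable majority, while three mutually inconsistent values do not, since the voter requires agreement rather than just picking the middle number.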


Cost.


Trains and planes are different transport systems and relative safety records have little to do with the skills of human drivers and more with the nature of the systems.

This 'roads are so dangerous' is part of the self driving crowd scaremongering program. That 'humans can't be trusted' but their tech can obviously.

But when looking at the global picture and the sheer number of cars in all sorts of traffic conditions on roads everyday without incident this narrative falls apart.

We need far more facts, data and critically 'contextualization' than sweeping disingenuous statements by parts of the tech community motivated by self interest and greed.


> This is part of an unsettling trend where companies prefer to keep users in the dark about the underlying tech of their products

I think for a variety of reasons you cannot equate Boeing with, dunno, tech startups and IoT makers. The history, culture, and regulatory environment in commercial aviation is very different from "normal consumer tech". (In other words, even if there were a superficial similarity here, it would not constitute part of or evidence for some sort of overarching trend affecting both normal consumer tech and commercial aviation.)


How long until Tesla releases an over the air update that changes the behavior of familiar systems and causes an accident?


How long until Tesla releases another over the air update that changes the behavior of familiar systems and causes an accident?

FTFY.


Now I'm happier than before about the direction of Google's exploit hunting program, and their willingness to report vulnerabilities.


> Boeing is working on a software fix, according to industry and government officials, that would likely mitigate risks. On Saturday, the company went further than before in spelling out dangers pilots can face if they misinterpret or respond too slowly to counter automated commands.

So the issue seems to be that Boeing didn't even tell pilots and airlines that the auto-stall-prevention system has been added to new variants. So I wonder if this software mitigation is something as simple as a warning screen or dialog box. If they're writing software, at this point, to fix/patch how the system actually functions, that seems to imply they released a flawed system/heuristic, if such a patchable flaw was found out so soon after the Lion Air crash.


It probably worked just fine in perfect maintenance / test conditions, but degrades badly (very badly) when poor users, poor maintenance, and flying well past 'sane' response to errant sensors happens; as in this case.

Testing new variations of software for a product that works when used as designed/tested already may have been (I'll speculate probably was, and at a low back-burner update priority baked in to some other larger change) in progress; but that's still re-testing and validating a complex system that must fulfill the other test cases (probably with real flight time and conditions).

Particularly when a well trained operator (pilot) is supposed to be able to safely work around the existing defect, and seems to have done so in prior flights of that plane as well.


Brand new planes shouldn't have these sorts of issues.


In highly regulated environments like software for planes, you don't push new versions without full testing and validation.


Perhaps all those test hours flown in simulators and in the air were by Boeing test pilots who actually had full knowledge of how the new MCAS system operated.


Did I understand correctly that basically air speed sensor was faulty and because of that the autopilot decided that we need more speed to avoid stall and put the nose down all the way to the ground/sea?


The essential bit is that the autopilot made that decision even if it was switched ‘off’, and Boeing never told anybody the autopilot couldn’t really be switched off.

It seems they added a second autopilot that prevents pilots from doing truly stupid things without telling anybody. Problem? Failure modes of that autopilot can easily be lethal.

I think they may have been right in saying pilots don’t need additional training for this new feature. If the plane flew itself into the ground, and there’s nothing the pilots could have done to prevent that, they don’t need additional training.

Chances are they didn’t tell buyers of the plane because, for years, they have marketed their planes as “if the software fails, pilots can take control, unlike in Airbus planes” (counter-acting Airbus’ message that their planes were more modern)


Airbus planes have four modes: Normal Law, Alternate Law, Abnormal Alternate Law and Direct Law. In Normal Law the computer will basically override anything that would put the plane out of its flight envelope. In Direct Law there are no protections provided (but there are still warnings). (Abnormal) Alternate Law are in between, with some protections active. There's even a mechanical backup in case of complete electric power loss... I don't know if it's available on all models though.

So no: in Airbus planes pilots can and do absolutely control everything. If needed the pilot can always go into Direct Law. When sensors fail (like the pitot tubes in AF447) Airbus planes step down to Alternate Law. "If the software fails, pilots can take control, unlike in Airbus planes" has never been true.

There is however a difference in that Boeing pilots are supposed to always have the last word without needing to deactivate protections or anything. The plane would for instance apply physical resistance on the yoke to alert the pilot that something is wrong, but pulling/pushing hard enough is enough to override the protection. Well, that was my understanding until this accident (investigation pending, of course).


I can't read the article due to the pay wall but if what you said is accurate then I don't believe it's an accurate reflection of the real complexity of a modern airliner.

See http://www.b737.org.uk/flightcontrols.htm

The pitch trim can be controlled by a number of different systems for different reasons; see the section on mach trim for an interesting one. I would be shocked if the inputs here weren't disabled by switching the stab trim - autopilot switch to the off position.

As I've mentioned in previous comments, this sounds like a trim runaway incident. The mechanism may be new but the underlying fault and the symptoms would have been the same.


Yes, and in particular it seems likely that the pilots could have stopped the automatic down trim by either invoking two trim cutout switches, and/or manually holding/turning back the trim wheel. But it appears they a) had many other things to deal with, and b) did not expect this particular failure mode, so did not recognise it. Terrible.


You seem to be right:

http://rgl.faa.gov/Regulatory_and_Guidance_Library/rgad.nsf/...

> Runaway Stabilizer

> Disengage autopilot and control airplane pitch attitude with control column and main electric trim as required. If relaxing the column causes the trim to move, set stabilizer trim switches to CUTOUT. If runaway continues, hold the stabilizer trim wheel against rotation and trim the airplane manually.


This is incorrect. There are two systems here: autopilot and stall/overspeed protection. These are both automated systems, but they are controlled separately.

When autopilot is off, you'll still have stall/overspeed protection that will pitch down/up in the corresponding condition. This protection can also be disabled by switching off some flight computer control. This is the case for both Airbus and Boeing, and the specific controls required depend on the particular plane model.

The issue at hand is ensuring that training for these situations and knowledge of the flight control computers is adequate.


It is hard for me to believe that the stall avoidance system is out of bounds. If somebody asked me to implement such a system, the first thing I would do would be to gather the scenarios in which such invasive action would be potentially fatal, starting with how far the ground is from the plane, followed by the condition of whether we are taking off at the moment. If Boeing has a system that does not have bounds and is always on, then I am going to stop flying with airlines that have these planes in their fleets today.


No. This is not the autopilot, it is a separate independent system that operates only when AP is off. The issues are a- that MCAS depends on having valid AOA data when there are only two AOA sensors and therefore no way to get a consensus “vote” in the event of a failure but far more importantly b- Boeing did not provide 737 MAX pilots with any information whatsoever about this MCAS system and what to do in the event of an AOA failure triggering invalid MCAS behavior.
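As an added illustration of the two-sensor point made above (this is not code from the thread or from any aircraft system; the channel tolerance, the high-AOA trigger and every reading are constructed values), the following shows why two channels can only detect disagreement while three can out-vote a single faulty one, and why invalid data should inhibit the automatic action rather than trust one channel:

```python
"""Sensor redundancy illustration: two angle-of-attack (AOA) channels
versus three. All thresholds and readings are constructed for this
example and are not taken from any real aircraft system."""
from dataclasses import dataclass
from typing import Optional, Sequence

DISAGREE_THRESHOLD_DEG = 5.0   # constructed tolerance between channels
HIGH_AOA_TRIGGER_DEG = 15.0    # constructed "high AOA" trigger


@dataclass
class Decision:
    valid: bool           # whether the voter trusts its AOA estimate
    aoa: Optional[float]  # the estimate, or None if untrustworthy
    reason: str


def two_sensor_vote(a: float, b: float) -> Decision:
    """Two channels: agreement is verifiable, but a disagreement cannot
    be resolved (neither channel can be identified as the bad one), so
    the only safe outcome is to declare the data invalid."""
    if abs(a - b) <= DISAGREE_THRESHOLD_DEG:
        return Decision(True, (a + b) / 2.0, "channels agree")
    return Decision(False, None, "channels disagree: cannot pick the good one")


def three_sensor_vote(readings: Sequence[float]) -> Decision:
    """Three channels: mid-value selection discards the outlier, so one
    failed sensor is out-voted instead of trusted."""
    if len(readings) != 3:
        raise ValueError("expects exactly three readings")
    mid = sorted(readings)[1]
    # The median must be backed by at least one other channel; otherwise
    # more than one channel is suspect and the data is declared invalid.
    agreeing = sum(1 for r in readings if abs(r - mid) <= DISAGREE_THRESHOLD_DEG)
    if agreeing >= 2:
        return Decision(True, mid, "mid-value selected")
    return Decision(False, None, "multiple channels disagree")


def should_command_nose_down(decision: Decision) -> bool:
    """Fail-safe policy: act only on data the voter marked valid.
    Invalid data inhibits the automatic pitch-down command."""
    return decision.valid and decision.aoa is not None and decision.aoa > HIGH_AOA_TRIGGER_DEG


def unsafe_single_channel(primary: float) -> bool:
    """Contrast: trusting one channel means a single stuck-high sensor is
    enough to trigger the command."""
    return primary > HIGH_AOA_TRIGGER_DEG


if __name__ == "__main__":
    # Constructed scenario: one channel stuck high, the other(s) sane.
    print(should_command_nose_down(two_sensor_vote(3.0, 40.0)))        # False
    print(unsafe_single_channel(40.0))                                  # True
    print(should_command_nose_down(three_sensor_vote([3.0, 40.0, 4.0])))  # False
```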


Not only that, but it does so even when the autopilot isn't engaged and the pilots believe they have manual control.


The book "Aviation Psychology: Practice and Research" by Klaus-Martin Goeters explains exactly this kind of situation, when the flight control system and the pilot are not in sync and don't know each other's intentions.



If true, situations like this clearly should result in substantial jail time for various Boeing execs involved. But it won’t, so no one will care.


I fly out of Renton, where these aircraft are made, and the lot is overflowing. The faulty software could only be an indicator of the quality going into the newer aircraft to roll out fast enough to please the stakeholders. I hope that is not the case. It's not ok that Boeing didn't disclose the feature, but it's even more concerning that it wasn't captured during testing as a potential flaw.

https://www.seattletimes.com/business/boeing-aerospace/737-p...


I remember seeing a documentary about some Boeing employees who were whistleblowing about safety issues with the upcoming 737MAX. I can't find it now. Any connection?

I don't see how Boeing will remain immune to the race to the bottom culture plaguing American business.


You may be thinking of “The Boeing 787: Broken Dreams - Al Jazeera Investigates”.


Nice headline to see as I'm about to board a 737 :\


Did you drive to the airport? Without even giving it a second thought?

Don't sweat it.


Actually, it's not that easy. Airplanes are safer per mile.

Per trip, it looks different (for two reasons: a) planes are faster than cars, b) plane trips are generally longer than car trips).

You're probably around 10x more likely to die on your next plane trip than on your next car trip, from what I can tell.


For those questioning these numbers, 10x might be a little high, but I think it's at least in the right direction. Consider how many car trips the average person takes per year, versus the number of times they travel by plane. Travel by commercial airline is 100's of times safer per mile than travel by private vehicle, but the average plane trip is well over 100 times the distance of the average car trip.

Here are Wikipedia's numbers for a 1990-2000 in the UK (because that's what they happen to have easily available):

  Deaths per Billion
           Journeys  Hours  Kilometers
  Car:         40     130       3.10
  Air:        117      30       0.05

https://en.wikipedia.org/wiki/Aviation_safety#Transport_comp...

So for an average journey by each a couple decades ago, this says that travelling (a long journey) by plane is about 3x the risk of death as travelling (a short journey) by car. Does anyone have more recent numbers for the world as a whole?


Come to think of it, I probably misspoke, because I was looking at fatalities per vehicle journey instead of per passenger journey (and a plane carries more pax than a car).

Best as I can estimate now, the risk of dying on your next (scheduled air carrier, part 121) plane journey is maybe a third as on your next car journey (in the US, thanks to the amazing safety record there).

The aviation industry likes to quote fatalities per passenger mile, which is very favourable to air travel, and of course also relevant if you decide which mode of transport to take for a given journey from A to B.

However, if we want to look at how twitchy you feel for taking a typical car journey vs a typical plane journey, we need to look at fatalities per passenger journey, and they bring the numbers closer together by a factor of around 100.

Numbers for general aviation are much worse: you're about 200 times as likely to die on the next GA trip than car trip.

There are just many more cars around than planes. Also, note that 2% of all B737, 4% of all B747, and 5% of all A300 ever built have been hull losses (including non-fatal incidents). But yeah, aviation has gotten amazingly safe in the last decades.

Would be interesting to look at corresponding numbers for Europe or the world.

See the Uber Elevate report, page 17, for some numbers.

https://www.uber.com/elevate.pdf


Some stats on Wikipedia may fuel this discussion [1] and conclude that planes are safer by km and by time, not by journey, though this is an anecdotal thing (not relevant to compare a 10 min trip to work to an 8 hour flight).

Besides this is based on old data and as others have pointed out flying has become even safer in the last years.

[1] - https://en.wikipedia.org/wiki/Aviation_safety#Transport_comp...


> as others have pointed out flying has become even safer in the last years

Modern cars have also become much safer. Which has become safer faster, and thus in which way has the ratio changed? (Real question, I don't know the answer but would be interested in the updated numbers)


I don't really care all that much about how safe a given mode of transportation is on average. I care about how safe it is on my particular trip.

With both flying and driving you can take steps to get better than average odds.

With flying, you can pick airlines that have a better safety record. You can schedule your trips to avoid flying in bad weather. Flying nonstop, or minimizing layovers if you cannot get nonstop, should help, too.

With driving, you can pick a car that has good crash protection. You can keep your car well maintained. You can travel at times when accident rates are lower. You can pick routes with low accident rates. You can drive like you are a 35+ year old female. You can drive at a time when you are sober, not on drugs, well rested, and healthy.

There's so much variation on the driving side, I doubt it is possible to actually figure out the risk if someone takes most or all of those steps.


yeah that doesn't sound right at all. There hasn't been a fatal plane crash in the US in many years now, and there's something like 75K flights a day. And there's about 100 deaths a day from car crashes.


You'd have to break your numbers out a bit, but it sounds to me like you're lumping in GA with commercial flights.


How do you come up with that? It completely flies in the face of conventional wisdom.


If it's not a MAX, you're... probably okay?


737-800, I guess I'll be okay


Pilots are expensive to train, expensive to maintain in terms of salary and cost a lot afterwards with regards to pensions. I am sure airlines are doing everything they can to reduce these costs and as a result competence is suffering. It used to be the case that air force pilots retired to become commercial pilots. Now commercial pilots are trained straight out of high school. (I'm not sure this is entirely true but bear with me as it supports the point I want to make).

Airlines are the final customers of Boeing, Airbus, etc. I am sure they want as much automation on a plane as is possible to reduce the training requirements and so decrease the cost of having pilots on the balance sheet.

The problem I think is that the abstraction that is the modern flight deck is not quite up to the job of dealing with poorly trained pilots or pilots with little experience of unusual situations. That gap was nicely addressed by having military trained people in the cockpits where unusual situations are somewhat more "routine".

So what we are seeing is the mismatch of cost-constrained customers and the failings of technology in a situation where failures are less forgiving. It's the same story with automation that is being played out everywhere. The only difference, if you exclude x-ray machines, is that the impact is higher.


Are you sure? According to https://aviation.stackexchange.com/questions/654/whats-the-t..., flight deck salary costs are about 1~2% of total flight costs


> and cost a lot afterwards with regards to pensions

I'm going to jump on this in particular; please don't go full late stage capitalism and make people feel guilty for a retirement plan they've invested part of their lifetime salaries into.


You misunderstand. I am not making a value judgement on the cost of pilots. I absolutely want somebody who is highly trained flying the plane. However, whenever strikes hit airlines it's because of poorly paid flight crews, so clearly the airlines are wringing costs out of their operations and safety is being compromised as a result - from scanning the comments here that point is not being made. Instead Boeing are being blamed for not delivering systems that can deal with incompetent pilots. Nobody is stopping to think why the problem is occurring in the first place.


> Instead Boeing are being blamed for not delivering systems that can deal with incompetent pilots.

That's not the impression I'm taking out of this discussion. It sounds like they're being blamed for not giving competent pilots the information they need to fly safely.


So what happens? Is the model grounded until people are trained to fly it or until the new “feature” is disabled?


The feature is part of the airplane’s certification (probably added to make the handling characteristics more similar to previous 737 generations), it won’t be disabled. An FAA AD might be coming to fully document it in the FCOM, and pilots/operators will raise hell that it wasn’t documented already.


They can't possibly keep flying this model that is crashed by a single sensor (angle-of-attack sensor) failure? Can they?


They've barely begun the investigation. It'll be a long time before we know why and how this crash happened.


So, would this be negligent homicide?


I'm going to get a little meta here.

After the crash, reading the online comments about it (and the things said about Lion Air and the pilots) was pretty interesting given how things have turned out. It is also interesting how much play the initial discussion received relative to the follow up stories about the safety bulletin and now criticism from within the industry.

And when we finally do get an article on the safety issue, the top comment is focused on the pilot's supposed issues instead:

https://news.ycombinator.com/item?id=18409041

Or trying to continue to blame Lion Air:

https://news.ycombinator.com/item?id=18408540

I guess what I am saying is; there seems to be a deep unwillingness to criticize Boeing. This isn't recent or specific to this accident, Boeing is a very challenging topic to discuss without people getting tribal. Why is that?


I think there's plenty of will to criticize Boeing itself on this board - just mention things like ULA, or weapons manufacturing (erm, Boeing Defense). Just in this case, the default position is to look for a fault in the airline with a known bad record - passenger planes, be it Boeing or Airbus, and 737 in particular, are incredibly well-tested and used without incidents all around the world. If it was Airbus A320 that crashed, I think people would still first ask if the issue really wasn't caused by Lion mishandling maintenance.


> I guess what I am saying is; there seems to be a deep unwillingness to criticize Boeing. This isn't recent or specific to this accident, Boeing is a very challenging topic to discuss without people getting tribal. Why is that?

Boeing is a large employer in the United States, people will get defensive when it threatens their livelihood. That said, as evidenced by the internal AA email Boeing fucked up. Rational or not I'm not planning on setting foot on a MAX anytime soon (and was fully prepared to get a refund if Southwest were to sub a MAX on my last flight).

But... you've also got the Indonesian aviation industry to contend with. Indonesian air travel is notoriously unsafe and in fact all Indonesian airlines were banned from EU airspace for a while. Lion Air, as well, stands out as being less safe than the Indonesian average.

Here's an example:

https://www.youtube.com/watch?v=-alq0iuujOE

Watch the second landing. I'm not a pilot but I'm pretty sure that the pilot not flying is NOT supposed to adjust the control surfaces in an unannounced manner. Likewise I'm pretty sure you're supposed to arm the speed brakes BEFORE you touch down. Shit like that is why people pile onto Lion Air (and Indonesian airlines).


I think non-engineering issues were a focus in the Lion Air crash because of how poor Lion Air’s safety history has been, which included the egregious decision to allow its plane to continue flying despite sensor errors in its previous flights.


> egregious decision to allow its plane to continue flying despite sensor errors in its previous flights.

They fixed the previous issue[0]. Why is flying a fixed aircraft after following Boeing's own procedures to fix it an "egregious decision"?

[0] https://www.financialexpress.com/world-news/indonesia-plane-...


> They fixed the previous issue[0]. Why is flying a fixed aircraft after following Boeing's own procedures to fix it an "egregious decision"?

The New York Times accused Lion Air of falsifying maintenance records.

https://www.nytimes.com/2018/11/08/world/asia/indonesia-plan...

> Pilots and former safety regulators said that Lion Air flight and maintenance crews regularly filled out two log books, one real and one fake, to hide malfeasance.


There may be some semantics here. They "resolved" the issue, which I think can involve merely documenting that it is known.


The story you posted is from Oct. 29. Since then, it has been reported that the airspeed indicator was malfunctioning in its final 4 flights:

https://www.nytimes.com/2018/11/06/world/asia/lion-air-crash...


How can it be fixed when the plane crashed?


We are speaking about a brand new plane delivered in August that crashed after two months. Even if you really wanted to blame Lion Air, do you think it is acceptable for a new plane to self destruct after two months because of a bug? I think it is not acceptable and I will never fly a 737 MAX. These airplanes should all be grounded now until a fix is in place.


Good point. Aviation in Indonesia operates in a particularly challenging environment (many islands, short hops, inclement weather, problematic infrastructure, institutional culture with massive corruption and shortcuts, pervasive poverty). Given that background, I think commercial aviation there is amazingly successful and safe, by and large.

On the other hand, Lion Air does have a bad reputation even in Indonesia, and I suspect not without reason. So some speculation in that regard was to be expected. What's a shame is that some commentators pinned it on Lion Air without waiting for the full picture to emerge, and it seems Boeing screwed up, here.

But I don't think Boeing specifically is sacrosanct here; the discussion would have been much the same if it had been an Airbus.

FWIW, I've suggested to my Indonesian friend (who's just been to the funeral of one of the victims) to avoid both Lion Air and Boeing 737-8, -9 MAX for now.


I know little about aviation or this incident, but the pilot never once radioed panpan, let alone mayday, despite having the time to do so.

This is very unusual.

For anyone interested, the best sources of knowledgeable commentary are PPRuNe and AvHerald. Every other site is armchair speculation.


It's a little unusual, but not extremely. There's both the instruction to "aviate, navigate, communicate" -- in that order -- and the fact that when you are "task-saturated" you often straight up fail to hear people talking to you.

If you believed your airplane was at imminent risk of a stall, it would be deeply negligent to spend mental cycles talking to ATC instead of fixing it. ATC exists to sequence traffic; they can't fly your plane for you.


The pilot negotiated turning around and returning to the airport with ATC, which takes more effort than a distress call.

The previous flight which suffered the same problems called in a PanPan before resolving the faulty sensor issue.

Reports are also saying that this fault was noted on the last 4 flights.


> but the pilot never once radioed panpan let alone mayday despite having the time to do so.

Probably because he was too busy trying to keep the plane flying. Also, apparently Boeing hadn't notified the airlines and their pilots about this most recent "feature" that could see the airplane "pushing it down unexpectedly and so strongly that flight crews can’t pull it back up", which certainly must have added to the pilots' confusion in this case.

> That warning came as a surprise to many pilots who fly the latest models for U.S carriers. Safety experts involved in and tracking the investigation said that at U.S. carriers, neither airline managers nor pilots had been told such a system had been added to the latest 737 variant—and therefore aviators typically weren’t prepared to cope with the possible risks.


Aviate, Navigate, Communicate in that order

If you can't Aviate you don't do the other 2


I have a feeling you don’t understand what angle of attack is, or how quickly you die when the sensors + autopilot conspire against you on this metric.


Sensors fail all the time, everything can be turned off. There's a half dozen ways to determine AoA and apparently the previous flight did exactly that, turn off the faulty sensor.


AvHerald and Pprune have more industry input than most sites but aren't neutral by any stretch.

As with any story, don't slavishly follow one source. In fact with aircraft accidents my general advice is to ignore all 'coverage' for a year.


FWIW, they did radio their intent to return to the departure airport (CGK, AFAIK). They might not have formally declared an urgency or emergency, but you don't abort a flight just for fun.


Boeing is a company with a 100 year history and an impeccable safety record. Lion air is a budget airline of budget airlines that skimps on maintenance and was once banned by the EU from operating. Just look at their incident list: https://en.wikipedia.org/wiki/Lion_Air#Incidents_and_acciden...

Accident after accident.

That is not to excuse anything Boeing has done, but it's easy to see why most had that reaction.


Boeing as a company does have an excellent safety record but it has had its safety issues:

https://en.wikipedia.org/wiki/Boeing_737_rudder_issues


I don't know about "impeccable," but Lion reportedly kept this particular aircraft in service after previous flights experienced serious difficulties with the same subsystem. That takes a lot of the potential blame away from the manufacturer in my book.


So LionAir is definitely at some fault here. But in general it doesn't lessen Boeing's fault in my eyes. This could have happened on the first flight where the sensor had an issue. I have no idea how common it is to have a sensor fail on a few months old plane, but Boeing is damn lucky that the accident didn't happen on the first flight with the sensor issue, so they can at least point to LionAir's negligence. Imagine this happening on a first-rate airline and what the reaction would have been.


The manufacturer gives airlines training, SOPs, manuals, etc. All the failures that occurred on previous flights were fixed according to the requirements set forth by Boeing.

This happens every single day on thousands of aircraft worldwide. Problems show up, the engineers fix them, and the aircraft are returned to service.

I'm not sure what you're suggesting should happen... if you want Boeing to sign-off every pitot-tube cleaning or AoA sensor replacement, most planes would be grounded waiting for Boeing to show up.



> The automated stall-prevention system on Boeing 737 MAX 8 and MAX 9 models ... can push it down unexpectedly and so strongly that flight crews can’t pull it back up.

I'm surprised that Boeing designed a system that could override the strength of the pilot. I don't know how strong the normal autopilot controls are on a B-737-800 but on lighter aircraft it's a normal part of the preflight to make sure that you can overpower the autopilot with muscle if it fails.


These are all fly by wire airplanes, muscle has exactly zero to do with simply ignoring the input. You have to know what system is confused, and possibly why, in order to know what component or system needs to be reset or disabled.

And these are the kinds of scenarios that continue to make me think autonomous cars in a hybrid environment (i.e. with human drivers) is just absurd. Flying planes is a standardized environment, and we can't even automate it end to end with available technology in idealized conditions, let alone in emergencies. And car driving is way more complicated (and I say that as a pilot).

Having one inch precision for every bit of concrete, light bulb, paint on every airport in the world, is less data than what you'd see in one town, let alone a city, let alone all of them. The infrastructure standardization within a city is poor let alone across the country, and it evolves daily perhaps even by the hour.


> Flying planes is a standardized environment, and we can't even automate it end to end with available technology in idealized conditions, let alone in emergencies.

Well, it's not that we can't, it's that we haven't yet. Both Boeing and Airbus have treaded lightly into this territory. Hard to blame them, since most polling indicates an overwhelming majority of the public wouldn't get on an unmanned airplane.

Furthermore, there's a few misconceptions here. Weather at 30,000 feet is nothing like weather on the surface of the earth. That said, the tech is pretty close to a reality, but when you have to drag the public along it slows the process down.


This doesn't sound right. Boeing planes are much less fly-by-wire than Airbus, and this is especially true for the older models such as the 757 in this crash.


This crash involves a 737 MAX - a very modern fully fly-by-wire aeroplane. I think the 777 was the last Boeing jet with mechanical backup flight controls.

The difference you're probably thinking of is the Boeing philosophy of ultimate pilot control vs the Airbus one of software restrictions. A pilot can fly a Boeing aircraft outside of its designed envelope, but an Airbus will restrict the inputs.


> This doesn't sound right. Boeing planes are much less fly-by-wire than Airbus, and this is especially true for the older models such as the 757 in this crash.

The plane that crashed was not a 757 it was a 737 MAX.

> This crash involves a 737 MAX - a very modern fully fly-by-wire aeroplane.

The 737 MAX is NOT a fully FBW airplane. The MAX does have a FBW spoiler which the previous 737s (Jurassic, Classic, NG) lack.

> The difference you're probably thinking of is the Boeing philosophy of ultimate pilot control vs the Airbus one of software restrictions. A pilot can fly a Boeing aircraft outside of its designed envelope, but an Airbus will restrict the inputs.

That's not entirely true, all 737s will put additional pressure on the yoke when a stall is detected. You can fly a 737 into a stall, but with quite a bit of effort. Similarly you can fly a modern Airbus into a stall provided you're in one of the degraded "laws". Air France pilots did just that with an A330.

Where the MAX differs from other 737s is that when a stall is detected it will trim the stabilizer -- even worse when the computer predicts a stall the 737 may end up trimming the stabilizer to the point that you cannot overcome it with the elevator.

On a 737 the elevators respond quickly while the trim adjustments are much, much slower. If you're 5,000 ft in the air and Boeing decides to trim the stabilizer full down you may already crash by the time you can re-trim the plane and regain control. Previous 737s did NOT do this. I believe that LOT specifically emphasizes this in their MAX training, unsure if Lion Air did/does.


inferiorhuman appears to know what he is talking about; you can safely ignore the comments preceding his (except the useful alternative link).


737MAX is not fully FBW. Trim is one example...



Thanks. Strongly worded stuff:

> “We’re pissed that Boeing didn’t tell the companies and the pilots didn’t get notice obviously, as well,” said Capt. Jon Weaks, president of Southwest Airlines Co.’s pilot union. “But what we need now is...to make sure there is nothing else Boeing has not told the companies or the pilots.”


I would have thought Scandinavian Airlines Flight 751 would be well known enough to make manufacturers think twice about sneaking in features and not telling pilots about them and CAAs about certifying them.


.... "According to Safety Experts and Others"

Very convincing. If "others" say so - it must be true.


Some of the "others" include pilots, FAA managers, and ex-crash investigators. The article is worth paying for.


Here, how about a leaked American Airlines email:

https://www.pprune.org/rumours-news/614857-indonesian-aircra...


Did you read the article?


I couldn't. Because paywall.
