Prosecutors, Transportation Department Scrutinize Development of Boeing 737 Max (wsj.com)
107 points by mehrdadn 39 days ago | 67 comments

Why is MCAS needed? If the MAX is so similar to old 737’s and no additional training is needed, then why the MCAS? The most relevant question is “is the MAX aerodynamically stable?” If it is, why do we need the MCAS? That needs to be investigated.

If plane at a low altitude at full power is stalling, just lower the nose. That is pilot training 101. Why need a system like MCAS to help. The pilot should be able to disengage the autopilot and take control of the airplane. This should be simple.

My suspicion is that there is an inherent, more fundamental problem with the MAX. Before Boeing rushes a software fix, independent entities (remember we can no longer assume the FAA is independent based on what transpired over the last few days) need to investigate and make sure the plane is safe.

I for one will not fly the MAX regardless of what the FAA and Boeing say. Their reputation for prudence and safety is gone.

The short answer to your first sentence is that MCAS was needed to give acceptable handling characteristics at high angles of attack. The MAX was deemed similar enough to the NG, such that additional training was not thought necessary, only because of the difference MCAS made.

More details here: https://leehamnews.com/2019/02/15/bjorns-corner-pitch-stabil...

Stability is a more complicated issue than it might seem, for reasons such as aerodynamic stability being insufficiently damped, and the interaction between roll and yaw. An airplane that is statically stable could still be dynamically unstable, and go into a divergent series of oscillations if not corrected. It is very common for an airplane to be statically stable around all three axes, yet be prone to falling into a spiral dive if not corrected (this is probably what happened to JFK jr.) If you try to increase the stability to fix that, you get an airplane that is susceptible to an oscillation called Dutch roll. Most swept-wing aircraft, including airliners, have gyroscopic yaw dampers that operate the rudder to counteract this.

Then there's helicopters... All I know about them is that it's complicated.

> The short answer to your first sentence is that MCAS was needed in order to make the MAX so similar to the NG versions that it could be claimed that no additional training was needed.

I think that places the emphasis in the wrong place in a tabloid headline kind of way. The reason for MCAS is so that the 737 Max passes the certification requirement that the pitch controls cannot get lighter on the approach to a stall. It's correct in that clearly the previous 737 were certified as meeting this standard, but it's wrong in that even if the previous 737 didn't exist this would still be a requirement of certification.

Yes, I had realized my mistake and corrected that, apparently while you were composing this reply. I think the current version covers your objection.

Bjorn's Corner in Leeham's has a lot of information on the topic.

It's probably splitting hairs at this point but I don't think that MCAS was necessary to avoid having different training requirements between the NG and the Max.

The Max may not have been certified without MCAS.

The existence of MCAS certainly seems to have been brushed under the carpet. It's probably fair to say the reason was to avoid creating additional training requirements.

Perhaps the way to put it is that MCAS was necessary for certification, to correct a handling change caused by the installation of larger engines. Separately, the 737 MAX, in its as-produced form (which included MCAS), was considered similar enough to the NG that additional training was not thought necessary. Once Boeing had ruled out design choices such as a longer undercarriage with the engines moved back, or a larger stabilizer (if the latter would, in fact, have helped), the MAX without MCAS was not an option.

I follow all of this, but something doesn't pass the smell test. Disclaimer, I'm a pilot, former CFII, but I don't have much knowledge about aircraft certification requirements.

I cannot comprehend feature XYZ that helps achieve aircraft certification, that can also be disabled by the pilot. Either feature XYZ is mandatory for certification or it isn't.

I can imagine a feature that provides better handling behavior or safeguarding. But if it can go crazy in a way that it's routine to disable such a feature, it must be mandatory the pilot know about the feature's operation, and they must demonstrate competency at handling the aircraft when the feature is enabled and disabled.

And all of that tells me I don't know the full story yet.

I don't think disabling MCAS (or electric stab trim) should be routine. Given most airliners have given up putting trim wheels in the cockpit I'm sure the reliability of electric trim is very high.

Reading between the lines this system was added as a bit of an afterthought. There are plenty of systems which have control of trim so I think they probably didn't give it the respect due to stabilizer trim.

There is always the possibility we haven't got the full story. I'm going to check the full preliminary report from Lion Air but from what I've read there are some strange behaviours on the trim system that aren't fully explained yet, even by this half-baked fix.

I don't see how MCAS obviates a positive static stability requirement, because it can be disabled. But I admit I'm not familiar with FAA requirements in this area.

If the airplane has substantially different pitch behavior, that usually means there'd be a type rating requirement on the pilot, not a lack of airworthiness certification for the airplane. So I'm not really clear on what behavioral requirement MCAS is mitigating. And further I'm not clear how something that can be disabled can help with either aircraft certification or obviate a separate pilot type rating.

e.g. fly by wire airplanes have various layers of safeguards in place, and pilots type rated for a particular airplane (or models in that same type) are required to understand those safeguards and how the airplane behaves when they aren't in place.

In the 737 MAX case, it's very weird to me that MCAS is somehow a requirement on the one hand, but then it can be disabled without pilots understanding the alternate behavior on the other hand.

> prone to falling spiral dive if not corrected (this is probably what happened to JFK jr.)

Great post, however, my information was that JFK jr. most likely entered a Graveyard Spiral[1], which is a pilot issue, not a plane/aerodynamics issue.

In short, you think you are flying straight, but are in a turn (so banked). You notice you are losing altitude and gaining speed. In level flight, that means you are in a nose-down attitude, which you correct by pulling back on the yoke. This would fix both issues.

However, as you are in a bank, pulling back the yoke tightens the turn, meaning you lose altitude more quickly and gain more speed. Loop.

It's a situation that is now trained for in basic flight training.

[1] https://en.wikipedia.org/wiki/Graveyard_spiral

It is both a pilot and a plane/aerodynamics issue. Spatial disorientation and the tendency of the airplane to undergo spiral divergence combine to produce the graveyard spiral. If the airplane was unconditionally stable in roll and pitch, the actions you describe would not lead to the increasing bank and dropping nose of a spiral.

The point here is that spiral divergence is possible, without any contribution from the pilot (whether disoriented or not), even in airplanes having three-axis static stability.


> airplane to undergo spiral divergence

Hmm...I don't see the need for anything of the sort. The graveyard spiral can be achieved purely due to erroneous pilot inputs, the plane's behaviour is basic aerodynamics:

- you lose lift because the wings are at an angle. Nothing you can do about that relationship.

- the tightening of the spiral is also due to basic aerodynamics/geometry: once you are banked, the lift from the aerodynamic surfaces has a horizontal component in addition to a vertical component. You increase the lift from the surfaces by increasing the angle of attack, you get additional force in the horizontal component. Of course you also get vertical component, so in a normal turn this is fine.

Since there is continuous pilot input, even if the plane were stable in such a fashion as to automatically try to revert to straight and level (which most planes don't, you have to explicitly command exit from a turn), that wouldn't help you in a graveyard spiral.

Now the plane doing this by itself due to instability is an additional problem, sure, but it's not a necessary condition.

I don't think so. Firstly, in your scenario, and with an airplane that is unconditionally stable in roll, there is no tendency for the bank to increase. As the pilot pulls back, the airplane will slow down to the target speed, the pilot will adjust the elevator to maintain that speed, and the airplane will have entered a stable fixed-radius turn, albeit slowly descending because the power is set for straight-and-level flight at that speed. But there has been no aileron input, so the roll stability will bring the wings level. If the airplane was initially trimmed for straight and level flight, and the pilot gets it back to the target speed, it will resume straight and level flight, though not on its original heading.

It doesn't work out this way in practice precisely because the airplane is not unconditionally stable in roll, and exhibits spiral divergence.

Not the planes I've flown.

Well, were the planes you have flown immune to spiral divergence? - that's the point here.

No, that's not the point at all, because none of them were left alone long enough for that ever to matter.

Just as in the case of the Graveyard Spiral.

But that's not a point I seem to be able to get across, so we can just let it rest.

You have correctly described what happens to start a graveyard spiral, and when you say "the plane's behaviour is basic aerodynamics" you are correct - but it is the aerodynamics of an airplane undergoing the onset of spiral divergence, and it is that spiral divergence, together with the pilot's failure to notice what is happening and correct appropriately for it, that leads to the increasing bank and falling nose. The bank increases despite the fact that the airplane has some static roll stability and despite the fact that the pilot has taken no action to command it.

"Three types of airplane motion can result from the interaction of yaw and roll:

1. Spiral divergence results when the static directional stability is great in comparison to the static lateral stability (dihedral effect). If a wing is lowered, the directional stability is greater than the roll stability and the aircraft will not sideslip readily. Thus, the dihedral effect is weak and the wing will not rise to the level position. The airplane tends to enter an ever-tightening spiral dive commonly called a graveyard spiral."

Flight Theory and Aerodynamics: A Practical Guide for Operational Safety (Charles E. Dole & James E. Lewis), page 274.


> Why is MCAS needed? If the MAX is so similar to old 737’s and no additional training is needed, then why the MCAS? The most relevant question is “is the MAX aerodynamically stable?” If it is, why do we need the MCAS? That needs to be investigated.

This isn't even a question. The 737 Max is completely aerodynamically stable. It does however exhibit control behaviours which are undesirable.

A fair analogy for this is probably a car which oversteers, in general a normal family car is designed to understeer, because for your average driver that is safer. In the 737 Max the controls get lighter close to the stall because of lift generated by the engine nacelle. The certification requirements require that the controls don't get lighter. Boeing applied what now appears to be a poorly thought out fix.

What might surprise you is that there are plenty of certified aircraft which are actually aerodynamically unstable, at least along the longitudinal axis. For example the 757 has dual yaw dampers and at least one of them needs to be serviceable before flight. The consensus is that at cruise altitude it would depart controlled flight without one of them working.

I think a fairer car comparison would be this: a new power train is fitted to the car, but it sometimes causes torque steer to the right. To overcome that, the steering wheel gets trimmed to the left when torque steer is detected until torque steer is neutralized.

The system detecting the torque steer sometimes has false positives.

> The certification requirements require

Eh, let's not spin it as "the requirements made them do it", they chose to make the new model stick with the existing 737 certification because building a substantially different new plane would require pilots to be retrained, and they didn't want that as Airbus was ahead of them in the development of the A320neo and they needed that commercial advantage to remain competitive.

I'm not sure where you draw the line though? None of this is new, making modifications to existing designs is the aviation equivalent of developing a new feature. Hanging new engines from an existing fuselage, replacing the avionics and lengthening a fuselage have all been done before with reasonable results. Conversely, clean sheet designs have had terrible safety records initially.

Asking a manufacturer to make a clean sheet design every time they make a change is probably going to result in more accidents than it fixes (see the bathtub curve).

> The certification requirements

The 737 is self certified by Boeing, which is really a joke. Basically a Boeing engineer can sign off and say LGTM with no oversight or independent audit as I understand.

> Their reputation for prudence and safety is gone.

A lot of people felt this went a while ago, see the rudder issues that plagued them during the 1990's and the way they subsequently tried to deny responsibility: https://news.ycombinator.com/item?id=19389983

> If the MAX is so similar to old 737’s and no additional training is needed, then why the MCAS?

That's the problem. The MAX isn't similar enough to older 737s, so MCAS is necessary to change the handling characteristics to be more like older 737s. It's a fix to cover up a lie.

> If plane at a low altitude at full power is stalling, just lower the nose. That is pilot training 101. Why need a system like MCAS to help.

They know this, but different planes still do that in a different way. MCAS was supposed to cover up the fact that the MAX did this differently.

> The pilot should be able to disengage the autopilot and take control of the airplane.

But MCAS is not the autopilot, it's something that tried to make the plane behave like a regular 737 during manual control. So turning off the autopilot does nothing; it's already off.

The problem is clearly that Boeing wanted to pretend the MAX flies just like an older 737. It doesn't. If they'd just admitted that and given pilots extra training, all this mess wouldn't be necessary.

> If they'd just admitted that and given pilots extra training, all this mess wouldn't be necessary.

But if they'd done that they probably wouldn't have been able to sell very many of them. Airlines don't want to have to retrain pilots.

And that greed is ultimately what caused this situation. Had they been more honest, these crashes wouldn't have happened, but they would also have sold less planes.

The Max has more powerful engines, mounted further forward on the wings (out of geometric necessity), and as a result has an aerodynamic center of lift further forward.

From the addition of MCAS, I gather (but don’t know with certainty) that they couldn’t make some certification requirement without MCAS.

"If plane at a low altitude at full power is stalling, just lower the nose."

Except as can be seen time and again basic instinct can kick in "damn, plane is falling, I need to be higher" and pilots have been known to pull back on the stick to get height.

A pilot that deals with a stall by pulling up has failed their training.

As I recall, we practiced low speed flight and recovering from a low speed stall either the 2nd or 3rd time I ever went up in a Cessna. Power on stalls were a few days later, they are quite different.

I never did get my license, mainly because I experienced moderate nausea / motion sickness which I thought would abate after a dozen flights or so, but never really got over it.

The problem isn’t that pilots can’t or shouldn’t be relied upon to detect and recover from stalls or near-stalls by increasing throttle and decreasing pitch.

The problem appears to be that a new system, added for the purpose of making a new plane with different handling / characteristics behave the same as an older one for training purposes, is malfunctioning.

The plane could be perfectly safe without MCAS but pilots would have had to be recertified.

> The plane could be perfectly safe without MCAS

It depends on what you mean by "perfectly safe". Many people believe that having the yoke effort decrease at higher angles of attack instead of increase is not very safe. That's why the FAA certification requirements force manufacturers to do whatever is necessary to make sure the yoke force increases with increasing angle of attack, so the pilot has to exert more effort to pull up at higher angles of attack. Without MCAS, the 737 MAX as designed would not meet this requirement.

I agree! After Lion Air I would have been quite hesitant to fly on a Max. Now with all I'm reading - no way would I.

The article didn't seem to mention this crucial detail [1]: The original approval was based on Boeing's claim the MCAS had a max control of 0.6 degrees of the 5 degrees possible. This later became 2.5 degrees applied repeatedly, so 5 degrees.

The 0.6 claim meant that the MCAS system qualified for a max risk of hazardous (people injured), not catastrophic (i.e. plane loss).

FAA officials claim that: (1) the MCAS shouldn't even have qualified as a hazardous risk, and (2) they were unaware that it could fully control tail deflection.

There are at least three decision makers that are probably in trouble: whoever let the MCAS have a max rating of hazardous, whoever allowed the MCAS more control, and whoever didn't notify the FAA. Hopefully management rather than line-level engineers though, because this seems like a company failure.

[1] https://www.seattletimes.com/business/boeing-aerospace/faile...

> The 0.6 claim meant that the MCAS system qualified for a max risk of hazardous (people injured), not catastrophic (i.e. plane loss).

My god. So that is why they only used one AOA sensor rather than comparing both -- and offlining MCAS if they disagree -- they thought it was DAL C (maybe because 0.6 degrees of stab trim likely can be countered with elevator deflection) and not DAL A.

And since there was no annunciator on the flight deck to indicate that MCAS was kicking in, the flight crew on the incident aircraft weren't able to diagnose the problem (since it didn't act like a traditional trim runaway) and do the appropriate actions to disable the electric trim control before it was too late.


For anyone else curious about what DAL means:

Design Assurance Levels (DAL)

DAL A describes flight electronics hardware whose failure or malfunction could cause a catastrophic, hazardous, or severe condition that would result in the deaths of everyone aboard the aircraft.

DAL B describes flight electronics hardware whose failure or malfunction could cause a severe or hazardous condition that could involve some loss of life.

DAL C, meanwhile, describes hardware whose failure or malfunction would result in a major flight condition that likely will involve serious injuries.

DAL D describes hardware whose failure or malfunction would result in a condition that causes only a minor non-life-threatening flight condition.

DAL E, finally, describes hardware whose failure or malfunction would have no effect on the aircraft's operational capability or pilot workload.


For a long time I've used a saying I originally got from a pilot (iirc), "It's not the first problem that gets you, it's the 2nd and 3rd".

In this case it's looking more like a sequence of survivable problems in short order leads to aircraft loss, as you said, horrific.

> And since there was no annunciator on the flight deck to indicate that MCAS was kicking in

It is fairly clear when it's trimming, there's a noisy wheel spinning on the pedestal between the pilots.

Eh. If you're trained to look at it as a source of problem and primed by the flight log that it might be acting up, otherwise it's easy to overlook.

Well there's an option for dual AOA but neither Lion or Ethiopian took it. In the case of AOA disagreement a light illuminates. Source https://twitter.com/trevorsumner/status/1106934415610073091 and https://theaircurrent.com/aviation-safety/southwest-airlines...

That's not quite accurate. The plane has dual AoA in either case. The option is for AoA indicators and disagreement light.

So, the US airlines who bought the option will have a disagree light, but it's still the case that their MCAS is only being fed by one sensor, so they could experience the same control problems.

That is true, here's a source https://qz.com/1574441/a-warning-signal-that-could-have-prev...

A pet peeve is people not sourcing corrections

Maybe it's because we're looking at the design with hindsight, but it seems strange to me that the AOA disagreement light would be an optional feature.

If annunciators are eventually mandated, I wonder if we'll ever see a situation where MCAS legitimately intervenes, and a pilot in a panic turns it off while approaching stall.

Sounds far-fetched, but this whole situation and how it's been handled seriously undermines confidence in safety systems you shouldn't be worrying about in an emergency; and the right combination of issues certainly takes down planes, as seen with Lion Air.

I completely agree for the LionAir crew. For Ethiopia, I can’t imagine any 737-Max crew could step into a cockpit not having the NNC for stab trim runaway, whether MCAS or not, reviewed and top of mind and have the idea of killing electric trim at the first hint of a trim issue.

As I understand it the copilot on Ethiopia had around 200 hours of flying total, in any plane. The copilot usually manages checklists. At 200 hours it was probably their first emergency.

Still, the Runaway Stabilizer memory item [1] has the pilot switch the stab trim cutout switches before moving on to the printed checklist.

[1] "I. Runaway Stabilizer" on https://www.theairlinepilots.com/forumarchive/b737/b737memor...

> max risk of hazardous (people injured)

Still, relying on a single sensor when failure could cause multiple injury is grossly negligent. I don't know what failure rates are mandated for this risk level but a single sensor probably doesn't meet that. When you compound that with the fact that they sold a "premium" redundant version of that system with proper alarms in case of disagreement between sensors, then it's not hard to conclude that they put their commercial interests first, and people's safety second.

It already looked bad for the FAA that they dragged their feet to ground the plane. That a criminal investigation was launched a full day before they finally grounded the Max raises even more questions. You have the whole world grounding the plane, two highly unusual, strikingly similar tragedies within a short span of time, and a federal investigation into the plane's development, and it still takes a whole day to ground the plane?

I agree with the questions. It's a what's going on here? And that may be the main goal of the prosecutor for all we know at this point.

Grand juries are a bit archaic, it does allow the prosecutor to basically suggest "hey I'm not the only one who thinks this is fishy, I've convinced a grand jury it's fishy" - however there are no defense lawyers allowed to make contra arguments before grand juries so it's not an adversarial system. Yet.

IIRC FAA didn't ground the plane. Trump issued an order and FAA were forced to do it.

> Boeing was toying with a new plane to replace the 737, launched in 1967, and had engineers working on the new plane concept. While many airlines liked the idea, existing 737 customers didn’t want to retrain their pilots at huge cost and so lobbied for an updated, more-efficient 737

> Then in 2011 Boeing learned that American Airlines, one of its best customers, had struck a tentative deal with Airbus for potentially hundreds of A320neo planes to renew its short-haul fleet.

American has 304 737s not including the Max.[0] So Boeing considered building a whole new plane, reconsidered when 737 customers wanted to avoid retraining, then did the Max when one of them started moving to a whole new plane anyway. Something somewhere seems not quite thought through.

[0] https://en.wikipedia.org/wiki/American_Airlines_fleet#Curren...

> Something somewhere seems not quite thought through.

Maybe timing was also an issue, the A320 reengine was (supposed to be) a fairly quick program. A whole new airplane for Boeing presumably would’ve taken a lot longer. For a lot of customers looking to replace 737s in the near future maybe too long to wait. So

* A320neo sooner beats $NewBoeing later

* 737MAX same time beats A320neo for existing 737 operators

* 737MAX and A320neo a toss up for other scenarios

Edit: and if you’re a 737 operator waiting for a new plane is a very risky proposition with delays, etc. It would be less risky if you’re going to have to retrain your pilots to buy the 320.

Southwest has 750+ 737's. Giving them a reason to look at Airbus could have been risky.

“A grand jury in Washington, D.C., issued a broad subpoena dated March 11 to at least one person involved in the 737 MAX’s development...”

Given how cozy Boeing is with the US government, I fear that it will be the engineers and lower managers who are nailed to the wall, not Boeing’s leadership

It's not like software development.

In fields like aviation and medical software, when engineers say something is done, there are usually documents to be signed.

Right now, I don't think I'd like to be the guys who signed off on anything at all to do with MCAS or AoA indicators. I suspect very strongly that we won't find the CEO's signature on those documents. I always implore engineers in FDA regulated medical software and any engineers in aviation to please, please, PLEASE think more like engineers who build bridges and skyscrapers. When you're signing those documents, please understand that it's legally binding. Never let a higher up pressure you into signing such a document if you have any reservations at all.

> In fields like aviation and medical software, when engineers say something is done, there are usually documents to be signed

Yes. In aviation, an engineer may have a formal role as a design authority or as a signatory on a safety case. They will typically have to themselves sign a letter, from an engineering director, that signals acceptance of this delegated responsibility. Most companies will have some way of matching the magnitude of the responsibility to the experience level of the engineer. And enlightened companies will have a no-fault 'stop-work' mechanism that pushes sign-off responsibility upward if engineers cannot in all conscience sign off something that they consider to be poorly designed or high risk.

One area where the heavy unionization of this industry helps a bit. If it looks like the wrong people are being held accountable, there are several unions that can use their voice. Pilots, flight attendants, aerospace engineers, mechanics, etc.

> Given how cozy Boeing is with the US government, I fear that it will be the engineers and lower managers who are nailed to the wall, not Boeing’s leadership

Tricky, unless the management specifically told them to ignore safety. Otherwise, "I'm the CEO and that's why I have xx thousand engineers"

c.f. o-rings

If there’s any truth at all to the idea that Boeing applied inappropriate pressure, at any point, via any means, I’d like to see the rest of the world push back very heavily on Boeing imports

Indeed, this is the type of thing US regulators love to hammer non-US companies with.

Sadly, even if foul play is found at Boeing, I doubt anyone will be held accountable. The Government is full of ex-Boeing people; even the Secretary of Defense is a 30-year Boeing vet.

> A Boeing spokesman didn’t respond to a request for comment about the inspector general’s probe. Earlier, a Boeing spokesman said: “The 737 MAX was certified in accordance with the identical FAA requirements and processes that have governed certification of all previous new airplanes and derivatives. The FAA considered the final configuration and operating parameters of MCAS during MAX certification, and concluded that it met all certification and regulatory requirements.”

But Bloomberg has an article[0] where the FAA basically handed over much of the process to Boeing. So, of course it was certified in accordance with FAA requirements!

[0] https://www.bloomberg.com/news/articles/2019-03-18/boeing-dr...

The simple fact is that if either of these were true -

- a US airline was involved in the accident, esp on US soil

- a non-US company was the manufacturer

then the FAA would've grounded the plane almost immediately instead of publicly declaring it was safe, which was obvious nonsense. In addition, US media made fun of other countries for grounding the plane.

The whole thing just shows how biased FAA/US govt has been.

I’m trying to recall some of the more recent air accidents and the resultant investigations. I don’t remember getting blow by blow updates to the ongoing investigation. Is this new?

The scenarios are a bit different, but MH370 dominated the news cycle for what seemed like an eternity...

I think the FAA already has a healthy culture of failure analysis that makes it _actually safe_, not just a feel good safe. I don't want to see a bunch of malicious prosecutors and lawyers get involved.

In fairness to the Administration here, that "healthy culture of failure analysis" always included the threat of "malicious prosecutors and lawyers". Places like the FAA and the FDA just never put the threat of prison out front and center.

Unless they have to.

I'm not certain this is one of those times, we need more information. But throwing people in prison is very much the appropriate thing to do in certain circumstances.
