Hacker News new | past | comments | ask | show | jobs | submit login
Plane Tests Must Use Average Pilots, NTSB Says After 737 Max Crashes (wsj.com)
339 points by tompic823 20 days ago | hide | past | web | favorite | 308 comments



This seems like a good thing, they should be testing with people who don’t know the answers. Though I can’t help but wonder if this is a very subtle re-framing of the Max accidents to shift blame back towards pilots. This approach of a regulatory agency recommending “average pilot” testing makes both the agency and Boeing look good, and tends to downplay the fact that Boeing intentionally avoided training the pilots, and that the system was only recoverable if you had some extremely specific knowledge. This wasn’t an issue of the quality of the pilots, this was an issue of the quality of the training, which we know was kept from all pilots to attempt to save time and money.


>Though I can’t help but wonder if this is a very subtle re-framing of the Max accidents to shift blame back towards pilots.

Blame is a loaded word. Boeing assumed that pilots could be relied upon to recover from a MCAS induced runaway trim. Practice has shown that they can't. Whether Boeing or the pilots is at fault is, from a safety perspective, irrelevant. The bottom line is that an assumption was made, it was wrong, and a couple planes crashed. Using average pilots instead of highly experienced test pilots is a sensible step to prevent a repeat.


I appreciate the attempt to be diplomatic, and I agree that using average pilots is sensible. But, with respect, I could not disagree more with the rest of that.

> Blame is a loaded word.

Boeing’s response to the accidents was to blame the pilots, there is precedent for this word in this situation.

https://www.cnn.com/2019/05/23/business/american-airlines-bo...

> Boeing assumed that pilots could be relied upon

No, Boeing intentionally hid information from pilots. This is well known.

https://www.wsj.com/articles/boeing-withheld-information-on-...

> Whether Boeing or the pilots is at fault is, from a safety perspective, irrelevant

No. If you want to fix the problem, you must know what the problem is. The cause may be irrelevant to the people who are dead, but it is absolutely relevant to solving the problem in the future especially from a safety perspective.


In aviation we tend to look at failure chains.

There are many, many things that went wrong:

1. The stuck AOA instrumentation on the plane.

2. MCAS not using redundant AOA information and being fooled by the stuck instrumentation.

3. Lack of clear indication of what MCAS was doing contributing to flight crew confusion.

4. Improper execution of the runaway trim procedure/checklist by flight crew.

5. Training shortcomings about MCAS in particular.

6. Operator / national regulator training shortcomings in dealing with runaway trim procedure.

If you remove any of these links in the chain, the crash is less likely to happen. Good risk management tries to improve all of them.

#5 that you mention is important. #4 / #6 are important, too -- jurisdictions that emphasized this training produced flight crews that did the right things and survived. #2 and #3 are most important, IMO, and even #1 deserves some thought (can the instrumentation be made better/more reliable?)

I say #2/#3 are most important because using training alone to fix a system that does tricky things at a difficult time is a band-aid, and is going to let some of the accident scenarios through.


Agreed! Your comment reminds me a lot of this 1998 article about the ValuJet crash in Flordia https://www.theatlantic.com/magazine/archive/1998/03/the-les...

Specifically it's the argument in the article that large disasters often have multiple causes. "Perrow says, Murphy's Law is wrong—what can go wrong usually goes right. But then one day a few of the bad little choices come together, and circumstances take an airplane down. Who, then, is really to blame?"

In large disasters, sometimes several not very likely simultaneous failures happen at the same time.

"The ValuJet accident is different. I would argue that it represents the third and most elusive kind of disaster, a "system accident," which may lie beyond the reach of conventional solution, and which a small group of thinkers, inspired by the Yale sociologist Charles Perrow, has been exploring elsewhere—for example, in power generation, chemical manufacturing, nuclear-weapons control, and space flight. Perrow has coined the more loaded term "normal accident" for such disasters, because he believes that they are normal for our time. His point is that these accidents are science's illegitimate children, bastards born of the confusion that lies within the complex organizations with which we manage our dangerous technologies. Perrow is not an expert on commercial flying, but his thinking applies to it nonetheless. In this case the organization includes not only ValuJet, the archetype of new-style airlines, but also the contractors that serve it and the government entities that, despite economic deregulation, are expected to oversee it."


Not just large disasters, every failure in engineering large or small. That's why we use tools like 5 Why's in a root cause analysis. Anyone who's thinking about safety is thinking about redundancies. So every observed failure is likely a confluence of many failures.


Specifically it's the argument in the article that large disasters often have multiple causes. "Perrow says, Murphy's Law is wrong—what can go wrong usually goes right. But then one day a few of the bad little choices come together, and circumstances take an airplane down. Who, then, is really to blame?"

But that's exactly what's disingenuous about the GP's claim. Many disasters do indeed involve a sequence of mistakes of different sorts but that's not really the case here. The situation with 737 max was one terribly system and the pilot's complete inability to stop this - inability that could have been anticipated and which was the product of the original bad design.

"His point is that these accidents are science's illegitimate children, bastards born of the confusion that lies within the complex organizations with which we manage our dangerous technologies."

This kind of disaster certainly can happen but the situation with the 737 Max was Boeing pushing an old design far beyond it's limits because of the threat of losing market share and regulators allowing this.


>But that's exactly what's disingenuous about the GP's claim. Many disasters do indeed involve a sequence of mistakes of different sorts but that's not really the case here. The situation with 737 max was one terribly system and the pilot's complete inability to stop this - inability that could have been anticipated and which was the product of the original bad design.

MCAS is a badly designed system, but many other stabiliser control failures could cause the aircraft to rapidly lose altitude. The solution is the same in all cases - flip the cutoff switches to disconnect automatic stab control and trim the stabiliser manually using the wheel on the center console.

The flight crews in both MCAS-related disasters showed serious failures in airmanship and a lack of understanding of the fundamentals of flight. They were taken by surprise by MCAS, but they should have been more than capable of swiftly handling that situation; their inability to do so is symptomatic of broader failings in the training and culture of pilots in many emerging markets.

https://www.nytimes.com/interactive/2018/11/16/world/asia/li...

https://www.nytimes.com/2019/09/18/magazine/boeing-737-max-c...


> MCAS is a badly designed system, but many other stabiliser control failures could cause the aircraft to rapidly lose altitude. The solution is the same in all cases - flip the cutoff switches to disconnect automatic stab control and trim the stabiliser manually using the wheel on the center console.

ET302 tried this-- maybe slightly late, but MCAS is weird/sneaky. Still, it's hard to fault their response at this point.

They were unable to budge the trim wheel because of overspeed. They were barely climbing at Vmo. This left them in a difficult position.

Ideal response would be to reduce power (prevent overspeed), keep climbing at Vmo. During this, try to turn trim wheel. If necessary, once they had sufficient altitude, they could aerodynamically unload and trim. Instead they, for some reason, decided to turn the stabilator trim system back on (whoops 1), and then used it an insufficient amount to get trim to a reasonable place (whoops 2), and then left it on for MCAS to trigger again (whoops 3).


> The situation with 737 max was one terribly system and the pilot's complete inability to stop this - inability that could have been anticipated and which was the product of the original bad design.

You accuse me of being disingenuous and immediately follow it with a false claim.

This is untrue. Stabilator trim can be turned off. Indeed, before Lion Air 610 the previous flight had experienced the problem and had dealt with it correctly.

Also, re-trimming using the trim switch disables MCAS for some number of seconds.

In the case of ET302, they turned the system off, but allowed the aircraft to overspeed and were, as a result, unable to retrim manually. Still, they had a positive rate of climb. It is only when they turned it back on in violation of training/checklist and inexplicably did not use it to retrim nose up that they were doomed.

> This kind of disaster certainly can happen but the situation with the 737 Max was Boeing pushing an old design far beyond it's limits because of the threat of losing market share and regulators allowing this.

I strongly disagree. I think it's a badly engineered system but things like this are part of the normal design refinement that happens when planes are stretched and iterated upon. The 737 has bad handling on pitch during departure; bigger, more powerful 737's have it worse, and it makes sense to fix this.


I believe my position is that of the strong consensus of the long debates that have gone on in detail here and in numerous mainstream and technical publications. I can't summarize all the arguments there and I won't try but the conclusion has been Boeing is to blame (period).

In this day and age, I'm suspicious and annoyed even small effort to improperly spread blame when that spreading serves powerful interests.


Basically all of aviation safety is about the spreading of blame and plugging up holes.

Either approach is wrong: just pointing to the pilot and saying "hah-hah error" without considering what led to the error is what aviation did for decades. "Crash less!" we said to pilots, and were surprised when things didn't improve much. But you can't ignore crew performance, either.

The crews that crashed did not do great. But if a system is regularly putting crews to the test in a way that requires high levels of personal performance to survive, that's a bigger problem.

And MCAS is more easily improved than the rest: we can more easily reduce the frequency and severity of that "testing" than we can improve all flight crews. But we shouldn't ignore the problems in crew decision-making, and the related training choices (e.g. not requiring crews to demonstrate handling of runaway trim in some jurisdictions).


>The crews that crashed did not do great.

Not necessarily fair since one didn't even know what they were up against, and the other was trusting a Boeing checklist that wasn't guaranteed to work, and only stood a realistic chance at working if the failure did not occur at a critical stage of the flight, where a currently undocumented maneuver could be performed. (The 'roller coaster' by which the pilot allows the plane to dive to unload the stabilizer so it can be trimmed)

>And MCAS is more easily improved than the rest: we can more easily reduce the frequency and severity of that "testing" than we can improve all flight crews. But we shouldn't ignore the problems in crew decision-making, and the related training choices (e.g. not requiring crews to demonstrate handling of runaway trim in some jurisdictions).

This is just poppycock, if you ask me.

MCAS was a desperate attempt to satisfy a prescriptive behavior requirement (FAR 25.173, demonstration of longitudinal stability) during which the plane should not experience slackening control forces all the way to the stall in a wind up turn, which non-compliance with would disqualify the airframe from certification under the grandfathered 737 type certificate and as a Civil Transport Airplane.

There would have been no need to consider the skill of the pilots if due diligence and proper redundancy concomitant to the actual hazards of the design had been done, which weren't due to management's pressure to get this damn plane flying on time at any cost.


> Not necessarily fair since one didn't even know what they were up against, and the other was trusting a Boeing checklist that wasn't guaranteed to work, and only stood a realistic chance at working if the failure did not occur at a critical stage of the flight

Well, it did get them back to positive rate climb, didn't it? :P Just, dubious subsequent actions gave that back.

> This is just poppycock, if not straight up, grade A bullshit; no personal disrespect intended to you, fine sir.

Well, it is absolutely personal disrespect, and adding qualifiers amplifies rather than undoes it. A decent person should do better.

> There would have been no need to consider the skill of the pilots if due diligence and proper redundancy concomitant to the actual hazards of the design had been done, which weren't due to management's pressure to get this damn plane flying on time at any cost.

I already said MCAS is awful, kthx? At the same time, it's exposed that many air crews in developing countries don't know how to deal with trim runaway. And trim runaway happens: switches get stuck. So the other links in the failure chain should be dealt with, so that they don't conspire to bring down aircraft under other conditions.


>This is untrue. Stabilator trim can be turned off. Indeed, before Lion Air 610 the previous flight had experienced the problem and had dealt with it correctly.

In the Lion Air penultimate flight, the situation was handled thanks to a third pilot in the cockpit with no other responsibilities contributing extra attention and reasoning. This is not available on every flight, and should not be considered a proof of safe operability. The mental model of a pilot unconcerned with the immediacy of flying the plane is more accommodating to unconventional occurrences due to being removed from the majority of learned perspective.

>Also, re-trimming using the trim switch disables MCAS for some number of seconds.

It also resets the activation cycle, and increments the amount by which the trim is activated. Both these details were unknown to all pilots at the time.

>In the case of ET302, they turned the system off, but allowed the aircraft to overspeed

And did nothing wrong. Given the stage of flight the problem occurred, they left the throttle in exactly the position they should have. Addis Ababa is also a "hot & high" airport, meaning the engines were already in the uppermost range of their operating envelope anyway. Furthermore, when the AoA sensor went bonkers, that leads to an airspeed unreliable checklist due to bad AoA figures throwing off the airspeed indicators which are dependent on AoA being correct for calibration. The airspeed unreliable checklist requires advancing throttles to the appropriate setting for the current stage of the flight regime, which was climb out.

>...and were, as a result, unable to retrim manually. Still, they had a positive rate of climb. It is only when they turned it back on in violation of training/checklist and inexplicably did not use it to retrim nose up that they were doomed.

They turned it back on in the hopes that the electronic trim could overpower the aerodynamic load where they could not, they did not realize that closing the circuit would give at most five seconds before MCAS dove again. Also, by this point, they were out of checklist.

It is almost as if I've heard these arguments before. (I have. We discussed it long ago when most things were conjecture.)

Sibling poster is correct. We've worked through this, and the pilots really couldn't have done any better considering the amount of information there was out at the time.

Also, later on, Boeing also notified airlines that only the MAX 10 I believe should be used in hot and high airports. The MAX 8 could take off due to Addis Ababa's extra long runway, but it just goes to ram home how uncomfortable a margin the Engineering firm was with safety margins afterwards.


> The airspeed unreliable checklist requires advancing throttles to the appropriate setting for the current stage of the flight regime, which was climb out.

It's basic airmanship to know that if you are not in climb attitude, that high power is going to overspeed in anything slick. Combine that with "overspeed" alerts and you should maybe realize it's time to pull the power back.

> They turned it back on in the hopes that the electronic trim could overpower the aerodynamic load where they could not, they did not realize that closing the circuit would give at most five seconds before MCAS dove again. Also, by this point, they were out of checklist.

They turned it back on, clicked the trim switch briefly, and then left it alone, despite knowing they were way out of trim. Can you explain why this makes sense? Why turn it on and not get back to nominal trim?

Also, they were still climbing at Vmmo (or overspeed). It would have always been an option to climb a bit...


This is called the "Swiss cheese model of accident causation" and it is commonly used to discuss airplane accidents. https://en.wikipedia.org/wiki/Swiss_cheese_model


Nope, the excessive authority given to MCAS in combination with the hard to rewind trim (particularly at high speeds) were a mousetrap to be sprung. There are many ways to trigger this mousetrap. This is not a chain, this is a cluster with many chains hanging from it.


Correct. Many factors contributed, but there was one prevailing factor - the defective design of MCAS.


0. They added software hack (keeping their cert) to use engines on a aircraft not desinged for them.


I strongly disagree with this one being a real link in the chain.

OK, we put bigger engines on. The 737 is kinda already sporty and easy to get the nose too high on departure. Now it's a little worse with bigger engines.

This is part and parcel for what happens when you stretch planes, adapt new engines, etc; there are minor, associated design changes you need to make to improve handling, etc. Software is a reasonable way to do it.

The criticality of this was badly misunderstood and mis-characterized.


You seem quite knowledgeable.

You disagree with the statement that roughly the urge to avoid recertifying pilots caused Boeing to not mention MCAS even in manuals, leading directly to these deaths? Because from my pov, Boeing introduced a new failure mode (MCAS failure leading to intermittent forcing of the nose down) without any warning to the pilots.

Now maybe the pilots' standard training should have compensated, and there are obviously maintenance or training deficiencies, but Boeing also knew good and well they were selling planes to pilots with these existing training deficiencies. And should have designed a plane to be operated by real world pilots.

Very curious for your thoughts; thank you!


I disagree that deciding to stretch the 737 is fundamentally bad engineering. Yes, it realistically requires some control augmentation (and maybe earlier 737's should really have had something like MCAS, too). Yes, bigger engines and heavier 737's have the problem worse, but it isn't unreasonable to fix this with systems.

I think there were failures across the board. The fundamental analysis of MCAS was flawed: it was much less reliable than was thought, and failures of it provided a much more difficult situation for pilots than anticipated.

I suspect the analysis boiled down to "MCAS provides a little defense against getting the nose excessively high on departure; it shouldn't be necessary so no big deal if it fails. And the worst failure we can think of is like stabilator trim runaway, which everyone knows how to deal with."

This was compounded by the fact that many developing countries do not require pilots to demonstrate they can deal with runaway trim as part of a checkride and recurring training.

Not disclosing information about the system made the problem even worse-- and this is harder to attribute purely to being part of bad initial analysis.

I do not understand some of the aircrew actions, even in retrospect. If I am fighting pulling the yoke back-- I am going to have my finger on the trim switch to try and get rid of those control forces, even before I am thinking about the problem. This would have inhibited MCAS and retrimmed the plane. I think that Boeing assumed that this would happen. I am lazy and would rather not have to tug the yoke so I use trim a lot. :P


I don't have any technically knowledgeable comments to make, but I think if you don't fully understand what happened, there's no excuse for doggedly insisting one group of people involved should be given the benefit of the doubt and the other not. It's reasonable to assume we lack something when it comes to the crew's POV.

Actually, I have one thing to contribute, that I often think of whenever I read about an air disaster. Experts frequently say "why didn't the operators do logical thing X?", and I think there is a practically universal answer. Whenever something unusual goes wrong, it is likely to upset your existing logical model. You know either your logic is faulty or the inputs to your model are wrong, but which is it and how?

It's easy to say "just do A, B, and C as trained", but once jolted out of your mental context, you probably can't regain it in a few seconds or minutes before crashing. The impossible task is not to know the necessary actions according to the book, but regaining the trust that they are the right ones in the face of something unexpectedly violating your assumptions.

Developing a new logical model for reality is very difficult even for highly trained people, particularly under time constraints and life-or-death pressure. Or, even the meta-problem of knowing whether it is time to develop a new model of reality.


I really don't understand many of the responses to what I'm saying.

I have already stated that MCAS was a horrible screwup and failure in analysis and regulation. Any system that routinely puts people to the test requiring high performance to avoid death is bad.

That doesn't mean one should ignore the other weaknesses. Given that both the countries with crashes didn't require pilots to demonstrate coping with stab trim runaway as part of type training... and pilot understanding of the stab trim system under stress seems lacking... maybe that should be addressed too.


Just for clarity, I have no qualms about stretching the plane.

It's building in a new control system and not telling the pilots about it that seems crazy to me.

Thanks so much for your thoughts!


Yup, I agree completely. There's some people who say that because the longer 737 is less stable in pitch it should have never been built, and I think that's over the top.

Thank you for the discussion and questions!


> There's some people who say that because the longer 737 is less stable in pitch it should have never been built, and I think that's over the top.

I know that aerodynamic instability requiring continuous correction by fly-by-wire systems has become common on fighter jets because it's necessary to achieve some of the maneuvering characteristics necessary to make them competitive. These are, of course very different priorities from commercial passenger aircraft.

Has a jetliner been certified before the 737 MAX that is aerodynamically unstable in any of the tests that it's required to pass without control inputs made by the computer without direct input from the pilot, or in contravention of the pilot's input? I know Airbus is fond of its "do what I mean" system, but that in some circumstances, Airbus flight control systems revert to essentially emulating an analog airplane. Would their flight characteristics pass certification in that mode?


Concorde's Safety Flight System is in some ways similar to MCAS, in that it'll nudge elevons itself.

I don't know if Airbus would meet certification requirements in direct control law. I suspect not. Definitely not in mechanical control law.

Just like more conventional jetliners wouldn't meet certification guidelines without all of their control rigging, counterweights, and trim systems. It's just now tempting to make adjustments to those systems with software instead of fiddling with everything else.


I thought of a much better answer to your question:

Many airplanes require functional (electronic) yaw damping to be safe in various flight conditions, because of dutch roll. There are also e.g. electronic control feel systems in some aircraft that must be operational to exceed certain speeds and/or altitudes and not be excessively vulnerable to PIO, etc.


My understanding of dutch roll (from watching a few flying videos on youtube and reading the wikipedia article) makes it seem like dealing with it is basic flight control coordination that shouldn't give a pilot experienced in a given aircraft any trouble.

Is it harder than I'm imagining in big jets, or in specific aircraft due to peculiarities of their handling characteristics?


Dutch roll is an oscillatory mode resulting from delayed cross-axis coupling and different axis stability. There's not really much a pilot can do about it other than trying to avoid exciting it.

Aircraft with swept, low wings exhibit dutch roll worse than other types (e.g. airliners). It's also worse at high speeds and high altitudes.

Yaw dampers vary based on aircraft and flight regime to "attenuating somewhat that annoying-bouncing-back-and-forth-feeling in the back of an airliner during cruise (imagine how bad it would be without active damping!)" to "preventing an oscillation from building in 2-3 cycles to a point where it will cause structural failure".


I think some of my confusion here was related to some notable youtubers misusing the term to mean a roll-on-heading exercise. When I wrote my last question, I was thinking "there's too much, or an unpredictable amount of adverse yaw", but I now understand the problem as "the aircraft enters a self-reinforcing oscillation in response to certain poorly coordinated control inputs", which doesn't sound like a good thing at all.

Thanks for all your input in this discussion. I find both flight in general and the case of the 737 MAX fascinating. Previously the implementation of MCAS sounded absolutely insane to me, but I can mostly understand how they got there after reading your comments.


Regarding the engines, indeed none of them would have crashed without MCAS.


Sure, but 737's have crashed before from crews getting the nose too high on departure, so... arguably the entire 737 fleet would benefit from a "proper" MCAS.

The people who built MCAS thought they were taming a 737 handling weakness that was worsened by the new engines. Again-- a normal kind of thing to have to work on when stretching jets.


Not stalling on takeoff is pilot 101. If an aircraft is prone to it I personally do not want layers of software hiding the issue. It's practically a law of nature that software is full of bugs.


Better avoid Airbus, then, because there's a massive control law between the pilots and the actuators to create a "do what I mean" interface with envelope protection and all kinds of characteristics tamed.

https://www.skybrary.aero/index.php/Flight_Control_Laws#Norm...

Boeing has mostly avoided that. MCAS is kind of an unusual form of control augmentation as far as Boeing is concerned.


Thanks. I couldnt agree more. It would make sense if the bar was higher for adding control software than training pilots. To me it seems like the type cert problem was backwards.


In fairness, we've added a whole lot of automation since 1970, and most people think that increased automation has been a key factor in why aviation is so much safer overall. (Along with crew resource management).

Automation definitely has directly killed people, though, too.


> Not stalling on takeoff is pilot 101

So is trimming the stabilizer.

Boeing was proven wrong by the two crashes but it's not a priori obvious that pilots wouldn't know to manually trim the stabilizer and then pull the cutout after MCAS kept kicking in.


They were following Boeing's advice! Boeing said if MCAS misbehaves then pull the cutout. They did that but then they couldn't move the manual trim wheel because of the forces on the stabilizer. So they reenabled the electric trim, at which point MCAS jumped in again and everybody died.


They couldn't move the manual trim wheel because the plane had been allowed to overspeed.

It was climbing at Vmo; they could have pulled back the power to not let the plane overspeed, rather than exceeding Vmo.

Hopefully at Vmo they could move the trim wheel, but if not, they could wait until they had a few thousand feet more height, aerodynamically unloaded and trimmed.

> So they reenabled the electric trim, at which point MCAS jumped in again and everybody died.

They re-enabled the electric trim, and touched the electric trim switch a couple of times but left the plane far out of trim. I can't figure this out-- there's even an indicator that makes it obvious you're out of trim. Why re-enable electric trim and not really use it?

Then after a timeout after they pushed the trim switch, MCAS jumped in again and everyone died.


That's what you would do, you weren't there though, they were. Confronting a system whose implementation details were not well known, already two potential memory item checklists into the flight to the ground.

It's easy now to point the finger and say "Airmanship" when you know the innards of the damn thing. They had one airworthyness directive, and maybe a grand total of five paragraphs in the entire manual, plus a memory item checklist that didn't accurately reflect the detail of an MCAS failure. An MCAS failure is not continuous uncommanded trim. It's discrete pulses,

I appreciate the detail and effort, and you certainly speak as an experienced member of the industry; but pushing this off to the pilot's when there is so much that had to happen before the plane left the factory for them to be in that position is a bit much.

There is whistleblower testimony that the decision to not implement a multi-sensor MCAS was intentional to avoid the financial consequences of having to have pilots put in simulator time.

You can't sit here and say the pilots weren't good enough when the manufacturer went out of their way to make sure they could skulk a plane by regulators with the least amount of training humanly possible, safety be damned. To do so is not just mad, it's unconscionable. It's the very thing of insanity. A Catch-22 if I've ever heard one.


OK, so you're here to ad hom and mock (in your other post) and then not actually speak to the question asked here (when your plane is climbing, why would you re-enable electric trim, and then not even bother to significantly retrim the plane?)

This is not the behavior I expect from someone whom I'll voluntarily talk to.


Yah. If I'm holding massive backpressure on the yoke, my thumb is on the trim switch to ease that up.


What was improper about the execution of runaway trim by either LNI610 or ET302? Those two cases are different. LNI043 and LNI610 are also different but the similarity is 4 of 5 pilots didn't recognize it as runaway trim. And does it? Boeing says it does, but saying things doesn't make it true. It's much more aggressive than the kind of runaway trim pilots are trained for.

So again, what was improper? Especially ET302 where they absolutely did run the checklist rather immediately and by that time it was already in a mistrim situation.


ET302 ultimately turned the electric trim back on which was their death knell, in violation of procedures.

A contributing factor to ET302 is that mechanical trim wheel rotation can be very difficult in some flight regimes.

A further contributing factor is ET302 left an unreasonable amount of power in and got to an overspeed situation, which makes rotating the trim wheel yet more difficult. Being trimmed a bit nose down should not kill you. It should be the kind of thing you experience in training.

> It's much more aggressive than the kind of runaway trim pilots are trained for.

Bullshit. A stuck stabilizer trim switch will run away much faster than MCAS, and this is the primary thing they're trained for. The problem with MCAS is that it's an insidious, intermittent runaway-- an unlikely failure mode for a switch.

But sure, add to my list that "the trim wheel is often very hard to rotate manually", and "the flight crew left the thrust levers nearly full-forward creating an overspeed condition".


Now you're starting to make me angry.

>ET302 ultimately turned the electric trim back on which was their death knell, in violation of procedures.

No it wasn't, they'd run out of checklist, and were deep in "oh shit" territory.

>A contributing factor to ET302 is that mechanical trim wheel rotation can be very difficult in some flight regimes.

>A further contributing factor is ET302 left an unreasonable amount of power in and got to an overspeed situation, which makes rotating the trim wheel yet more difficult. Being trimmed a bit nose down should not kill you. It should be the kind of thing you experience in training.

It was absolutely not unreasonable given the environment and stage of the flight (initial climbout) and the fact that pulling power would have led to nose drop (the opposite of what the current desired tendency of the plane was). Also, the plane was suffering by definition airspeed unreliable which dictates advancing throttles to the appropriate throttle position for the desired state of flight and leaving them there.

And what training? Oh! You mean that training they should have had because MCAS was a two sensor system, and therefore required level D simulator time that never happened because the manufacturer decided to cut corners to make more sales of their "best selling plane of all time"? That training?

https://youtu.be/QytfYyHmxtc

Or the one hour glorified PowerPoint training that never mentioned a single detail of a flight control computer algorithm, or the disabling of a trim override switch built into the yoke, or the changing of the functionality of the STAB TRIM CUTOUT switches on the console to degrade the granularity of control with regards to which systems were electrically isolated from the trim motors because a hidden AoA dependent control routine had to be allowed to run uninterrupted because to do so would jeopardize their competitive advantage/ability to generate shareholder value by disqualifying their airframe outright or severely delaying its delivery because regulators started asking really inconvenient questions? That training?

http://www.seattletimes.com/business/boeing-aerospace/boeing...

The training unacceptable because Boeing would owe USD 1,000,000 per airframe to one of their largest customers if they implemented their safety system correctly in accordance to engineering best practices? That training?

https://www.seattletimes.com/seattle-news/times-watchdog/the...

The training that would have to happen anyway after their hacked together design had already killed 400 people, increasing scrutiny, causing them to finally do analysis they should have done in the first place, but didn't, because they were too busy trying to financially engineer the company after absorbing the management that drove McDonnell Douglas into the ground?

That training?

https://www.seattletimes.com/business/boeing-aerospace/newly...

https://www.mymoneyblog.com/boeing-engineer-dream-job-nightm...

https://www.bloomberg.com/news/features/2019-05-09/former-bo...

I get it. You sound like a knowledgeable dude, but you also sound like someone who has absolutely not sat front and center, day in, and day out, as companies try to go through the wildest mental gymnastics to avoid being held responsible for complying with regulations that have a damn good reason for being there.

You know what? Those pilots might have made mistakes. But the entire job of an Engineering firm is to ensure that the opportunity for those mistakes to occur are as rare and infrequent as practicable, with a dash of practicality thrown in; at least enough to keep the bean counters and management from sweating bullets. That means clearly communicating details of safety critical systems, being willing to admit a system is safety critical, and putting your bloody books behind in priority to getting the job done right as much as is reasonably necessary.

I'm a hobbyist. I do Quality Assurance as my day job. I could see plain as day the issues and risks they would be taking. I sat down and calculated the bloody forces that would have to be applied to the screw jack to actuate against the airstream at those velocities, and the torque numbers I got without even factoring in the extra pressure from the elevators was well into the output range of an automotive engine. I could also tell, just from the press releases over the development years the type of culture they had slipped into. That complacency by management kills, and did kill people.

Those pilots were the very last thing between those people and that crater, and did everything to the letter to the moment they had to improvise, and even then, they went into it insufficiently informed on the particulars of their aircraft.

I've bounced the details of this entire event passed maintenance people, passed crash investigators, passed anyone who'll care to listen. Boeing did things that are pretty much universally amongst them considered "things no one in their right mind should do."

If you want to buy in to "oh, they just sucked as pilots", fine. I'll give you Lion Air, but Ethiopian Airlines has a stellar safety record, and can fly in American airspace. So they obviously can't be that bad.

Oh, almost forgot!

>Bullshit. A stuck stabilizer trim switch will run away much faster than MCAS, and this is the primary thing they're trained for. The problem with MCAS is that it's an insidious, intermittent runaway-- an unlikely failure mode for a switch.

I call Bullshit right back, sir, seeing as, just as you mentioned, MCAS manifests differently from the classical stab trim runaway. Something which could be cause for pause for someone expecting a continuous runaway.

Just because they weren't you now does not mean primary fault can or should be attributed to them.

They walked onto that plane, cocksure, and as full of enthusiasm as you would have on any day. Up until the point Boeing's reckless design decisions came to light, no one had a clue just how different the MAX was from the 737's every airline pilot is familiar with.

You want to trade places with them? Ask God. He may oblige. Then mayhaps 150 or so may still be alive. That doesn't change the fact Boeing created an unsafe plane, hid the fact/didn't analyze hard enough to determine that fact at the pressuring of management, and to add insult to injury, tried to firmly pin the blame on the pilots, your comrades. It isn't even the first time they've done it if you recall the nastiness of the rudder reversals in the 90's, and some of their difficulties getting the 727 certified in Europe back in the 60's.

I'm frankly shocked you're so willing to jump to Boeing's defense in light of the mountain of evidence that has hitherto come to light, considering it's you they want to pin the blame on to avoid taking responsibility for what they decided to do.

Good day, sir. I only hope people take the time to do their own research.


> Now you're starting to make me angry.

After you've spouted invective and abuse at me? I see you've edited it out since.

> > ET302 ultimately turned the electric trim back on which was their death knell, in violation of procedures.

> No it wasn't

Wrong. Boeing OMB, dated November 6, 2018:

"In the event an uncommanded nose down stabilizer trim is experienced... do the Runway Stabilizer NNC ensuring that the STAB TRIM CUTOUT switches are set to CUTOUT and stay in the CUTOUT position for the remainder of the flight."

Followed by an airworthiness directive requiring the immediate revision of flight manuals and familiarity of pilots with this OMB.

ET302 was 10 March 2019.

It goes on to state that you should neutralize trim forces before going to STAB TRIM CUTOUT.

"Electric stabilizer trim can be used to neutralize control column pitch forces before moving the STAB TRIM CUTOUT switches to CUTOUT."

I told you before that MCAS was faulty. It's the most important link in the failure chain, but it sure is unwise to advocate ignoring the rest of the links.

As I said to you elsewhere: "The crews that crashed did not do great. But if a system is regularly putting crews to the test in a way that requires high levels of personal performance to survive, that's a bigger problem." This summarizes my thoughts on this topic. MCAS should get fixed; Boeing should be found liable for the accidents; Pilots should be better informed about the systems on their aircraft... AND we've proven that pilots that don't get recurrent training and evaluation on stab trim issues do badly with them.

> I sat down and calculated the bloody forces that would have to be applied to the screw jack to actuate against the airstream at those velocities, and the torque numbers I got without even factoring in the extra pressure from the elevators was well into the output range of an automotive engine.

OK, and humans can exert torques on trim wheels with a handle "well into the output range" of an automotive engine, too, so you've established nothing.

You've still declined to answer my simple question in the other posts, too-- which I suspect is because you don't have an answer.


>Boeing’s response to the accidents was to blame the pilots, there is precedent for this word in this situation.

Your cite says Boeing said:

>The actions of the pilots played a role in the chain of events that caused the crashes

Which isn't blaming them and is factually correct in both crashes. The Lion Air pilots didn't disable electric trim and the Ethiopian air ones turned it back on. Those actions played a role in the crashes. Whether that makes the pilots responsible and at fault for the crash is a separate question.

>If you want to fix the problem, you must know what the problem is.

And, again, the problem (among other problems) was that the designer of the aircraft made assumptions about pilots that were incorrect.


Don’t forget the pilot of the previous LA607 flight was able to recover successfully. Other pilot crew had more flight time, thus more experience. Look at NTSB crash data, experienced crews have a higher chance of lower fatalities in an accident. Why? Because these pilots understand their vehicle like the back of their hand. A 5000+ hour pilot has deep knowledge, for instance, of the hydraulic system of the plane and will try to e.g drop flaps to squeak out extra fluid in an emergency. Is this a good thing? Maybe. Probably. Is it sustainable? Like managing a growing server farm manually, probably not.

Planes are going to get dumber, but there will be a lot more connected planes for remote troubleshooting/control


The pilot of LNI043 did NOT recover successfully. He failed, the first officer failed. It was a jump pilot who recognized the issue and the solution. Also the MCAS upset in LNI043 was no where near as aggressive as LNI610 or ET302.

Literally no one disputes the importance of experience. But you keep throwing it out as relevant to LNI610 and ET302 without any explanation or causal connection. In the case of Colgan Air 3407, the two pilots had 5500+ hours of experience between them, each well over the current ATP experience of 1500 hours total time requirement, and yet the captain inexplicably, likely due to startle factor, pulled back on the yoke contrary to his training, and made the stall worse and the airplane unrecoverable. Who cares if 5000+ hour pilots know to drop flaps in an emergency if they get startled in a stall and make the stall worse by pulling back on the yoke!


> Is it sustainable? Like managing a growing server farm manually, probably not.

Sustainable for what exactly? Being good enough to handle complex emergency procedures?

There will always be a more experience subset of pilots plus new ones coming in. They have the benefit of having two pilots (sometimes more) so they can even off the average experience in the cockpit.

Although newbie co-pilots have contributed to crashes in the past as well.


What type of process could be used to make sure that their experience and knowledge gets back into the mainline product?


How about Boeing stops taking cost saving measures that end up throwing unnecessary curve balls at otherwise well trained pilots?

At the end of the day, this is the foundation of the problem.


But airbus has had that design philosophy since inception. The joke is a Boeing will tell you it thinks an engine has failed and ask if you want to shutdown, an airbus will tell you it thinks an engine has failed and will shutdown the engine for you. Which approach is correct? Depends on the situation but pilots will debate this everyday like emacs and vi

I think MCAS represents a change for Boeing where it will start doing things without asking.


It sounds like you're advocating for blame-ful post mortems. Is that the case and what's your reasoning?


There is a nuance to his/her comments that may be being lost.

When an airliner goes down, the airline, the pilots union and the airline manufacturer all point fingers.

That is what happens. When Boeing says we should use "average pilots" there is subtly in the statement that assigns blame.

Boeing should have said, "we should use pilots who are trained through normal training procedures, rather than over trained test pilots."

That statement would not have assigned blame and OP is probably correct that the statement choice was intentionally designed to shift blame back to the pilots.


Not playing the blame game is what you do when you have a development team figuring out what went wrong when something went down for a couple hours.

This is a corporation putting a product on the market with a critical safety system that lacked redundancy and poor training given to pilots. Yes, there is blame to be placed here. Individuals who worked on the system aren’t the issue here, a greedy corporation is and I feel no sympathy for the company itself.


Yes, when 400 people die for a company to save money, you must assign blame and put people in jail.


I have downvoted your comment, because I believe it does more to obscure understanding than to enlighten.

> when 400 people die for a company to save money

Let me take a step back and ask: Why?

Is it because we're vindictive, and demand blood? Or is it because this actually does something to help keep people from dying in the future?

If the latter is more important than the former -- which I hope is the case -- how can we trust that we're pursuing a course that improves the future of society while also using rhetoric to the effect of "when 400 people die for a company to save money"?

Consider, for instance: Part of reason for the company "saving money" is that it results in lower costs for planes, and ultimately lower airfare for customers who pay airlines' capital expenses, potentially resulting in fewer miles driven and fewer accident. Is reducing this statistical danger more or less than the danger of the planes? Quite possibly, it's not -- but using this rhetoric certainly won't help us find out.

More broadly the "omg greed" narrative, which -- to me, at least -- just doesn't make too much sense. If the corner-cutting that led to 737 Max problems is to be understood as a "greed" move, it's a pretty incompetent one, because Boeing is almost certainly out billions over the mess. People who seek to maximize profits for their own self-interest also seek to mitigate risk, for the same reason. I would suggest that a "hubris" narrative, or something similar, is probably more appropriate here.

If this is so, the remedies are entirely different, and the assertion that we MUST jail people, because it fits our "greed" narrative and whatever cognitive bias we drag into the picture, ensures that we will not remedy the problem effectively. This means people may die.


> the assertion that we MUST jail people, because it fits our "greed" narrative and whatever cognitive bias we drag into the picture, ensures that we will not remedy the problem effectively. This means people may die.

You don't send people to jail because of "greed", broadly speaking you might divide it into two categories: A) this specific person is a threat to society; B) this person did something morally unconscionable, irresponsible, negligent etc. The reasoning for following through with B is not merely vindictive, it's societal value is in sending a message that this behaviour is not OK! that is a preventative measure - "you must be morally responsible".

This is entirely applicable to this scenario: greed is NOT the problem, trying to make cheaper planes is NOT the problem, trying to beat the competition is NOT the problem - The problem is attaining those goals by gambling with peoples lives by cutting corners that significantly compromise safety, that is gross negligence.

... So yes! send the people responsible to jail, please show the next in line that this behaviour is not tolerated.


> If the corner-cutting that led to 737 Max problems is to be understood as a "greed" move, it's a pretty incompetent one, because Boeing is almost certainly out billions over the mess.

Incompetence and greed aren’t mutually exclusive.

If you take the word of all of the good engineers who were pushed out or quit in frustration over the financialization of the company after the McDonnall Douglas merger, then “omg greed” really does explain everything.

Note that this could have been (and was) predicted by anyone with half a brain:

“On some level, though, he saw it all coming; he even demonstrated how the costs of a grounded plane would dwarf the short-term savings achieved from the latest outsourcing binge in one of his reports that no one read back in 2002.*“

https://newrepublic.com/article/154944/boeing-737-max-invest...


Just because it us an incompetent greed move, dors not mean it wasn't a greed move.

They lost big thus time, but they were winning big, with more orders than they could make.

When Boeing mgt declared that they 'no longer needed [to spend money on] senior engineers because these are mature products', and successfully pushed for the same type rating for a plane with deadly different handling characteristics (to save money on pilot training), both were explicit greed moves.

And yes, irresponsible managers who ignored the reality of physics and put their profits over the safety of passengers should go to jail for their criminally bad decisions.


There is a difference between what we in tech consider a post-mortem, and a more literal one.


This wasn't a web service that was unavailable for a couple hours; planes crashed and people died.


The essence of successful post mortems is getting the fact collection right, before discussing how to prevent the issue. The grandparent's summary omitted essential facts.


> Boeing assumed that pilots could be relied upon to recover from a MCAS induced runaway trim. Practice has shown that they can't. Whether Boeing or the pilots is at fault is, from a safety perspective, irrelevant.

From a practical perspective, however, Boeing making universal assumptions about pilot capabilities in life-or-death situations, utilizing new equipment that they were not trained on, is anything but irrelevant.


Their logic was that pilots are trained to deal with runaway trim, a MCAS failure is runaway trim, ergo pilots are trained to deal with a MCAS failure. Obviously that logic turned out to be faulty but it's not like Boeing made some outlandish leap here.


You're right. Boeing did not make an outlandish leap of logic, or any leap of logic at all in this context, because it was fully their intent to get away with no training. They worked their butts off to minimize the training, to minimize even the very idea that training was needed, and to prevent the Max from having to be re-certified by the FAA.


Of course, we can just as easily blame the FAA. If it's so hard to establish a differential training program then maybe the re-certification program the FAA requires (to certify a pilot to fly a slightly different aircraft) is too onerous. It's easy for the government to require too much work and seize up innovation, and I think we see that at work here. If the re-certification program wasn't so onerous, we could have seen Boeing put in some new warning conditions, or a better control layout that more clearly indicates the presence and activation of the MCAS, train pilots on that, and have a better, safer, airplane.


The FAA definitely bears some responsibility, but not because the regulation is too stringent, it’s because they looked the other way. Recertification is onerous for a reason; it’s safety we’re talking about, and the result of not being careful enough is exactly what happened, hundreds of deaths. The FAA’s process in this case is already a product of regulatory capture; Boeing is already practically certifying themselves. Lots of reporting on this already; it’s easy to find more info.


It seems to me that your statement has some assumptions that may not be true, that a MCAS failure caused runaway trim would be recognized as such by the pilots. The ultimate issue may be a runaway trim, but a MCAS failure may not produce the normal indicators that would lead the pilots to diagnose the failure correctly within the time available. Assuming that a MCAS failure is the same thing as a runaway trim failure and should have been handled by the pilots, while technically correct, might not be an appropriate conclusion.


Boeing did though - they decided unintentional trim was the same as a flight system that was deliberately hidden from the pilots was just a “trim” issue.

They needed to classify it as a ordinary trim problem because otherwise they would have needed to have testing for it, which would have meant acknowledging MCAS existed.

The evidence that it wasn’t just a normal trim issue is the second crash, which occurred when pilots already knew about the design fault. When it turned out that it wasn’t physically possible for a pilot to take the corrective actions.

Boeing is still trying to blame the pilots for their own decision to fraudulently sell an unsafe aircraft.


> it's not like Boeing made some outlandish leap here.

Your attempts to whitewash Boeing's negligence seems rather dishonest.


Do you really think that’s an appropriate level of analysis for the manufacturer of a brand new MCAS? “Any failure of this new thing we’re shipping is just a trim failure, pilots can handle it”?


With the benefit of hindsight it looks obviously wrong, but without that the reasoning looks sound to me. IMHO, the failure lies in validating the analysis with realistic test conditions. They should be testing their assumptions against the worst pilots, not the best.


The problem with their testing wasn't just that they tested against the best pilots. They simulated MCAS failure as just the stabilizer trim running away, which of course their test pilots caught. Real-world MCAS failures were accompanied by a bunch of warnings about loss of accurate airspeed and altitude (because those also used the angle-of-attack sensor), which meant that in reality pilots were occupied trying to sort through that and figure out if any of the conflicting airspeed and altitude readings could be trusted. That is, as I understand it, hard enough to deal with and demanding enough on its own that even well-trained Western pilots screw it up, occasionally with tragic results. Then whilst all that's happening they're meant to notice that the trim wheel is moving in an uncommanded and unwanted fashion, turn electric trim off, and manually wrestle the trim wheel back into the correct position (whatever that even is). Boeing didn't simulate any of those added complications according to the NTSB.


Doing X number of complicated routine things at once, in general, is infinitely easier than any situation where you are suddenly told "part of your system isn't reliable, now come up with a new model of what you can trust on the fly".

It boggles me how people can't put themselves in the place of someone in the latter situation. Like, even if you haven't crashed a plane, haven't you experienced something similar on a small scale? Haven't you observed other people with such problems?


I think they made a very outlandish leap and that resulted in hundreds of lives being lost. There is no room for assumptions when it comes to flight procedures.


> Using average pilots instead of highly experienced test pilots is a sensible step to prevent a repeat.

It wouldn't have made a difference without the training for this specific MCAS issue. Highly experienced test pilots would have been equally unable to recover had they been flying the planes that crashed.

Normal runaway trim is easily handled, but the MCAS-induced runaway trip had the cockpit lighting up with all sorts of errors and warning lights and beeps. The only way to deal with this is to pick up checklists and start going through them... which you simply couldn't do because there was no time.

So using pilots selected at random from various airlines is a great idea and should be implemented, but it would not have prevented this situation. Only training might have.


>Boeing assumed that pilots could be relied upon to recover from a MCAS induced runaway trim.

The incidents of MCAS errors with US pilots who reported it to the FAA did result in recovery. But later cases did result in tragic accidents.

https://static.seattletimes.com/wp-content/uploads/2018/11/L...

But when you make that statement, I don't think you're really imagining what it would be like to be on a plane like that. The above infographic shows what it is like. The plane was operating in an erratic manner.

I don't design planes, but does Boeing at least have a system that detects whether or not pilots are resisting against the controls?


They did actually. Older 737 models have an "oh shit" trim override when the pilot pulls the yoke back.

This was specifically removed from the MAX to accommodate MCAS.


You cannot really assume such thing in a situation like flying when the consequences of your assumption is loss of life potentially.


> Using average pilots instead of highly experienced test pilots is a sensible step to prevent a repeat.

Or a good way to kill average pilots.

How about using highly skilled pilots, but failing a plane when anything unusual happens?


>Whether Boeing or the pilots is at fault is, from a safety perspective, irrelevant.

It's quite literally the most relevant talking point in this entire conversation.


To be more precise, Boeing assumed that all pilots flying their aircraft would be up to the standards of the United States as opposed to the different standards around the world.


My understanding is that the pilots had only about 40 seconds time to solve the problem and were trained for one hour with an iPad (not on the MCAS, but the whole 737 Max). I'm not sure whether this is a question of pilots' standards in the US vs around the world.


The general idea was that pilots would correctly recognize large amounts of undesired and uncommanded trim being runaway trim and perform the checklist to resolve that issue that they are expected to know by memory, since there is a need to execute it fast, without paging through the Quick Reference Handbook. This is not a checklist that was introduced with the 737 MAX, but one that has existed since the introduction of the 737 in 1969. I haven't gone and checked but IIRC a similar checklist exists for all Boeing jetliners and I would expect Airbus as well.

In any system failure there is a chain of events that leads up to the ultimate failure, concentrating solely on Boeing's mistakes in these crashes overlooks all the other points at which they could have been averted:

1. In the Lion Air crash, there were some significant maintenance issues that lead up to the replacement for a failing AoA sensor with a used part older than the aircraft failing as well.

2. There were some significant failings in Crew Resource Management in the accident flights.

3. There appear to be issues in the pilots abilities to deal with unexpected situations. This is why simulator training exists, so that pilots can encounter unexpected issues and deal with them correctly.

4. The failure that lead to MCAS being activated also caused a whole ton of warnings to be activated, which may have been a situation Boeing was not expecting, and therefore did not put into the minimum baseline training they create.

5. The flight computer system and MCAS was implemented problematically, relying on one input because the expected control authority was very low, and then when that was not changed the system was not re-architected.

6. Boeing's designs reflect a US-centric expectation of pilots. In the US we expect pilots flying airliners to have spent at least 1500 hours flying before they can even sit in the co-pilot seat. In other parts of the world I have heard numbers as low as 240 hours, so pilot testing will need to reflect this going forward.


> "Boeing's designs reflect a US-centric expectation of pilots"

So we are expected to believe that Boeing never connected the dots between:

1. We design planes for US pilots

2. We sell planes abroad

3. Incidents abroad can ground an entire aircraft series

This makes them seem more incompetent, not less. It's not like they have no say in what's considered standardized training for the series.


It's an appeal to "intelligence of operator" to coverup for poor design.


That's a tradeoff that will always exist, and cannot be eliminated. The question is where you set the tradeoff for various systems.


The tradeoff where the designer introduces an edge case where a plane crashes unless a pilot has specific additional information?

From my understanding of the issue, Boeing just needs to stop the cost saving measures that led to needing software to stabilize an otherwise unstable plane.


Yes, that tradeoff always exists. There are always edge cases. The pilot will always need specific 'additional' information about the plane to avoid crashing.

The choice to make is how difficult you will allow features to be, and how many difficult features you will add.

The answer has to be at least moderately high to get the plane off the ground. If it's too high then you have a bunch of deaths.

It's okay to say Boeing went too far on the scale, but to say they never should have been on the scale is misguided. Intelligence of the operator has to cover for certain aspects of the design.


3. Who had a simulator that simulated MCAS upset?

4. Which is not at all what happens with runaway trim. Also runaway trim that pilots are trained on is a consistent and relatively slow trim. The MCAS upset form is intermittant, and can be but isn't always, aggressive and comes with a ton of other data in the form of various instrumentation disagree warnings and possibly stick shaker going off which NEVER happens in a runaway trim situation.

6. Boeing's design and US-centric expectation of pilots didn't prevent US Air 427 from crashing. Literally everyone in the world expects pilots won't pull back on the yoke at stall. Yet these U.S. pilots did that. Colgan Air 3407, same thing, captain pulled back on the yoke during a stall making the stall worse, recovery impossible. Both accidents, each pilot had more than 1500 hours experience.

In US Air 427, the pilots aren't centrally blamed because the failure mode was a) caused by an airplane defect, a servo failure, b) the airplane's subsequent behavior was so abrupt and aggressive that the startle factor was pretty much not that surprising.

So why is it that the standard should be different for ET302 in particular? But also LNI043 and LNI610? Why would the blame not centrally be on Boeing even if the pilots made some mistakes, just like U.S. pilots have also made some mistakes yet weren't blamed as the proximate cause? And what mistakes did ET302 pilots make other than trusting electric trim being reenabled wouldn't immediately try to murder them?


> And what mistakes did ET302 pilots make other than trusting electric trim being reenabled wouldn't immediately try to murder them?

Like I told you before: overspeeding the plane, preventing them from restoring the trim condition with the trim wheel.

I get that if you're not climbing as much as you'd like, it's tempting to have a ton of power in. But the maximum airspeed of the plane is chosen because there are undesirable handling characteristics -- like not being able to manually retrim, or even worse things like aileron reversal-- above it. At some point you need to pull back power.

If you're out of trim because of electric trim misbehaving, turning electric trim back on may not be the smartest thing, too.

And then I can't even understand what happens next: if you touch the trim switch, MCAS can't do stuff for awhile. If they're going to re-enable electric trim, why didn't they then fully fix trim with the trim switch? How is MCAS able to actuate and worsen the existing out of trim condition?


Runaway trim checklist doesn't call for a power reduction. A power reduction for transport category airplanes always causes a nose drop, a requirement of certification . Attitude for ET 302 was already too low, further altitude loss isn't acceptable. Manual trim was jammed.

20+ degree down angle inside of three seconds. The negative G sent them to the roof. I'm a certified fight instructor, and I've never experienced negative G.

MCAS killed them.


> Runaway trim checklist doesn't call for a power reduction.

No, but overspeed does.

> A power reduction for transport category airplanes always causes a nose drop a requirement of certification

Please cite. If you point to 25.173/25.175, note that it refers to trim speeds and return to trim speed, not power. The plane was climbing before crossing Vmo / power could be reduced to maintain Vmo and the current climb rate.

> I'm a certified fight instructor, and I've never experienced negative G.

What? You've earned a spin endorsement, then. You've experienced the little negative G (in most planes) as you tip and enter the incipient spin. It's fun. The first time I did it I said "oh shit" and let go of the yoke to grab my seat. :P Also kinda alarms me that if you're an instructor you've never pushed a little negative.


> Boeing's design and US-centric expectation of pilots didn't prevent US Air 427 from crashing. Literally everyone in the world expects pilots won't pull back on the yoke at stall. Yet these U.S. pilots did that.

The reason that '427 pilots aren't blamed is that it's unclear that with perfect inputs that the plane was recoverable. We also excuse them a bit because the situation became unrecoverable in a matter of seconds since it manifested, instead of a longer time with the MCAS upsets.


It's long since been demonstrated the airplane was recoverable. With perfect information. Lacking stall, full opposite aileron successfully counteracts rudder.


This is untrue. There is a crossover airspeed above the stall speed where rudder wins.


Pilot training is critical. But having said that, the system shouldn't rely on there always being zero human and technical error.


I just want to say thank you for you great replies throughout this thread. There is too much simplification of this incident everywhere in the media, and even in technical circles to "Boeing put out a horrible design because of cost cutting that killed people". These are things I've tried to explain, but you put it much more eloquently.


Its really the most tedious thing I've ever done. Everyone here wants to pick apart my arguments because they want Boeing to be the only culpable party, or want MCAS to be the only reason why the planes crashed.

This is wrong, it is unethical to approach engineering a system like this. In investigating these crashes, all the failures that lead up to the accident must be identified, all of the possible solutions must be explored. Sometimes its an easy fix, sometimes like United 173 we have to change the whole culture inside the cockpit to fix the problem (Cockpit Resource Management). Sometimes the solution wont show up until years later, so accidents from decades prior are used to formulate solutions to problems that had not been solvable until the right technology, either hard mechanical technology like hydraulic fuses, or physiological technology like CRM, comes along.

I feel like this attitude that there's only one thing to fix every time something goes wrong is why we see colossal fuckups in the software and infosec industries and I think that needs to change. System failures require systematic solutions, not just some quick fix or patch.


> 5. 5. The flight computer system and MCAS was implemented problematically, relying on one input because the expected control authority was very low, and then when that was not changed the system was not re-architected.

I like your approach: Pilot's failures caused the crash, and Boeing made an honest mistake. And you seem to think it would have been fine flying in the US. You do realise plane crashes and industrial accidents do happen in the US?

A safe system assumes they are operated by humans who are not infallible, and should not go up in flames from minor issues. Otherwise we must conclude Chernobyl reactor was a perfectly fine design.


So... I said the design was bad and your saying I'm not harsh enough in that?

Are we trying to solve engineering problems by getting emotional about them or something?


This conversation isn’t really about solving engineering problems it’s about whether Boeing’s posture on the matter is in line with Engineering ethics. Many people believe there was one or more ethics breaches here.

Your position seems to be that it was a combination of innocent engineering mistakes and substandard behavior by the pilots.


Out of the six points you mentioned, you blamed everyone, blaming the pilots twice, and merely mentioned this against Boeing:

> The flight computer system and MCAS was implemented problematically, relying on one input because the expected control authority was very low, and then when that was not changed the system was not re-architected.

Do you have a personal stake in Boeing or something? Because you appear very biased indeed. There were several ethical breaches that resulted in these tragic catastrophes.


Every time we blame a crash on pilots, we are blaming it on training. Aside from some truly exceptional cases,* pilots who contribute to a crash are having issues because they have not been trained adequately in dealing with the situation. I believe that these two crashes indicate there is a need for reinforcement of the CRM training and also more training on unexpected situations.

We can try to blame Boeing for the lack of this training, but Boeing cant force airlines to do anything but the type specific training. They cant force airlines to do recurring training, they in-fact rely on the regulators to setup structures to make sure this all happens.

I don't have a personal stake in Boeing, I have a personal stake in not dying because someone decided breaking one link in the failure chain was adequate.

* These would be the cases where the pilot crashes the plane on purpose, for which some airlines have dealt with systematically and with associated training on prevention.


Who is "we"? People are blaming Boeing for trying to pass an airplane that's significantly different from a 737 as a 737. Pilots are rightly pissed off. MCAS is a completely new invention that's exclusive to 737 Max. Boeing was ethically in the wrong for passing the plane off as any old 737, because they wanted to save money due to re-certification costs. The flying characteristics of the 737 Max are different from 737, due to the bigger engines (another cost cutting measure as the engine efficiency is proportional to the size). They introduced dynamic instability, in that the airplane has a tendency to pitch up at an increasing rate when increasing power at take off. Boeing, rather than addressing this issue early on, created MCAS as a bandaid, another cost saving measure. The AoA sensor sampling wasn't redundant, a neglectful cost saving measure and oversight. The sensor disagreement light, a critical safety feature, was sold as an optional package.

My point is, there are a lot of technical and ethical oversights you are glossing over. There is a reason why all the 737 Max are grounded and have been grounded for months. These crashes weren't simply due to lack of pilot training. There were multiple ethical and technical oversights and negligence by Boeing that resulted in these tragedies.


Or perhaps assumed that the pilots even knew that the MCAS existed and how to override it.

Part of the debate is that Boeing told the FAA and everybody else that 'no special training' for the Max series was needed; just watch a couple-hour video or somesuch.


Has there been a documented occurrence of a US pilot encountering an MCAS failure in the US and correctly dealing with it?


As far as anyone could tell, MCAS was not encountered before in the US.


Yes, there are many reported incidents from US pilots of stability trim incidents in the FAA's database which, in hindsight, were due to MCAS. The pilots couldn't identify them as such at the time because, of course, they didn't know MCAS existed. But they were able to figure out the corrective action in time to maintain safe flight. (The reports also criticize the flight manual for being inadequate.)

https://www.google.com/search?client=ubuntu&channel=fs&q=us+...


Also all of the US-based MAXs had the optional AoA Sensor Disagree indicator, which would instantly show the source of the issue. The international pilots were in the dark because Boeing turned a critical safety feature into a revenue stream.


AoA Disagree was supposed to be turned on on all 737 MAXs, but it depended on AoA indication, which was an option. This was a mistake Boeing admitted to and has since corrected.

Options are not all tied to fees, the process of ordering an airplane is quite complicated because of the immense amount of customization each airline does before they even pay for the aircraft. Its unclear how much this option cost, if it cost anything.

The reason why AoA indication is an option is that it requires more advanced training for the pilots, some airlines provide this training and some do not. The airlines are the ultimate decider on how much training pilots will get, Boeing and the FAA can only set minimums.


Do you have any official sources to support anything you're saying? It seems unbelievable to me that Boeing would introduce MCAS, a complete flight characteristics "augmentation" system and pass it off as a standard 737 without any special training, but would only offer AoA indication as an option due to training.


Most of those reports involved the autopilot or were while flaps were extended, which disables MCAS. The ones that did not were complaining about not being informed about MCAS and not about it actuating. There were even incidents reported as being MCAS that did not involve stabilizer trim or a 737 MAX.


Reports like the one where the plane started descending when autopilot was engaged are still relevant because they indicate issues with the angle of attack sensor, which is also what MCAS relies on.


AoA sensors are notoriously unreliable and Boeing should not have depended on just one.


Yes, definitely.


From what I read, I'd assume that the US just got lucky.


> Though I can’t help but wonder if this is a very subtle re-framing of the Max accidents to shift blame back towards pilots.

How so? The assertion that average pilots must be use implies that average pilots were not being used and that because of this the testing is flawed.

I think the point is that an average pilot would have failed tests and exposed a flaw in their training but because they used above average pilots any flaws in their systems were mitigated or avoided by the pilots.

I think we'd all agree that if a pilot landed a fully functional plane, that they were certified to fly, without first deploying the landing gear then we'd question that pilot's abilities. The rationale for testing using average pilots is along the same lines. An average pilot can reasonably be expected to have a certain level of knowledge and ability, therefore all testing should be to expose the gaps between what they know and what's needed to pilot a new aircraft. Using a more experienced pilot closes or narrows those gaps.


> and that the system was only recoverable if you had some extremely specific knowledge.

This isn't true. If you follow the runaway trim procedure, you recover. Pilots in the US are required to demonstrate the runaway trim procedure as part of a type rating checkride.

Aggravating factors are, IMO:

1) Even well-trained aircrews getting a runaway trim condition on takeoff are not guaranteed to show the same performance as on their checkride day.

2) Not all jurisdictions require this demonstration.

3) The MCAS could fail in a way that could be surprising and not seem exactly like normal runaway trim (intermittency).

4) This test of "can you handle runaway trim?" was much more frequent than the normal causes of a stuck switch or actuator.

I think #3-4 is the big issue. While better trained crews could address the others, MCAS has the ability to fail in a way that it only does stuff when the crew isn't looking. There's nothing that can address this but system redundancy.


> If you follow the runaway trim procedure, you recover.

In the Ethiopian crash the crew followed the runaway trim check list but didn't recover. The issue seems have been that the aircraft was going to fast so they couldn't turn the manual trim adjuster. But that isn't mentioned on the runaway checklist (http://www.b737.org.uk/runawaystab.htm)

OK a different crew might have figured that and slowed down but not crashing should not be that tricky really.


As already discussed, the runaway trim procedure got them to a positive rate climb.

Then they did A) re-enabled electric trim (and MCAS) B) while still low, C) touched the trim button for a second, and didn't adjust anywhere close to proper trim, and D) left electric trim/MCAS on.

Not to mention, from your source, the FCTM says:

> Excessive airloads on the stabilizer may require effort by both pilots to correct the mis-trim. In extreme cases it may be necessary to aerodynamically relieve the airloads to allow manual trimming. Accelerate or decelerate towards the in-trim speed while attempting to trim manually.


What is average? Is the average of one countries pilots the same as another's - maybe, maybe not.

Whilst I tend to agree, this does seem a bit of a blame-shift/deflection, it does raise the area of pilot plane certification. Maybe, that is the area that needs to be addressed so pilots are more knowledgeable about the plane they are flying at a level beyond what is allowed now.

However this plays out, I'd say those who certify planes for use by pilots also need to do so on the basis of the "average" pilot and perhaps need to raise their standards more than pilots do.

I would of assumed that had plane had difficulty - that they had a hotline to somebody who was very knowledgeable beyond forcing pilots in a panic situation to RTFM. Which is kinda what the situation is now.


> the system was only recoverable if you had some extremely specific knowledge

I don't think this is a fair characterization.

The runaway trim condition is not arcane knowledge. It's a standard part of pilot training and easily something the vast majority of pilots are well prepared to handle.

The issue with MCAS was that, while it was ultimately a runaway trim issue, it didn't look like it from the pilot's seat. The MCAS trim inputs were intermittent and came with no indication that the MCAS system was providing them. You also had throttle inputs and a whole slew of cabin warnings. The fact that the AoA disagree indicator was not standard shows just how little consideration was made to communicate to pilots.

Even with improved pilot training, I think a major crash was inevitable due to the nature of how the malfunction presents itself. More training doesn't make up for the obscure operation of MCAS or the fact that this failure occurs with very little time to react.

I'm in strong agreement that blaming the pilots is unconscionable. The pilots' action disabling the trim with the cutout switch, and then re-enabling it in a desperate bid to regain control of a badly-out-of-trim and overspeed aircraft speaks volumes. They were quickly put into a nearly-impossible situation and behaved reasonably, if ultimately incorrectly.


I see it as every certificated Airline Transport Pilot is a pilot who passed the certification requirements, and any of them should be able to recover from recoverable scenarios, rather than fragmenting this certification into elite or specialist test pilots. The notion that a specialized test pilot or airplane certification pilot can recover from a unusual scenario cannot be used to justify impunging the qualification of any qualified pilot.

And that's basically the early Boeing rhetoric, and also from others like Langewiesche, talking about airmanship, the notion that some certified pilots really actually are incompetent they just so happen to be foreign pilots, etc. To whatever degree the average pilot is not getting the proper training, it's a call that the entire industry has an obligation to bring up the average pilot to the actual real world expected minimum level of competency, and stop this b.s. blaming of pilots as if there are different kinds of competencies for the same level of certification.

I further note, upon MCAS existence becoming public, U.S. based pilots got rather distinctly pissed off about being kept in the dark. That is not a reaction consistent with, yeah it'll be just like runaway trim, we can handle that, no big deal.


I am thinking of another question:

The boeing model, apart from MCAS, has traditionally been "the pilot decides"

Would this shift towards the airbus model (the plane decides)?


It's not the NTSBs job to lay blame. They aren't litigators.


Why would NTSB try to shift blame away from Boeing?



I love those articles, and the lesson learned from them. But there is no automatic parallel in this situation, in fact the opposite here. The NTSB isn’t suggesting that Boeing model a single “average” pilot. They’re suggesting that Boeing test using many pilots who are not highly trained in test procedures. The “flaw of averages” problem is one of combining averages in multiple dimensions and assuming the result is still average. That flaw is absent when you test with multiple average people and categorize the results for each dimension separately.

Also, the outcome of the flaw of averages was to make various parts of the plane adjustable. In the case of an air emergency, your response time is not adjustable, you either solve it or you die. The NTSB’s suggestion is to understand how normal people react to ensure both ergonomics and training are adequate.

In any case, recommending that testing be done with people less knowledgeable than the experts, who don’t instantly know the right answers, can likely only result in better outcomes, not worse.


I like the idea that they pick pilots at random:

- Either it’s Boeing’s fault for improper UX,

- Either it’s Boeing’s fault for pilot certifications not being stringent enough.

In either case, the aircraft manufacturer must improve. I think of it as an “integration test”, “let’s see how the pilot+plane integrate together”.

Not necessarily Boeing, btw. It could be Airbus. It could even be a move from the US regulator which advantages Boeing compared to Airbus depending on whether Airbus planes were tested with skilled pilots.


It's always fun to look at the performance figures in aircraft manuals.

Somewhere, a skilled test pilot got those numbers in a pristine plane.

But mere humans in a real-world plane will typically not obtain them.


Average does not have the same meaning in the context of this link and yours. We are not talking about physical measurements here.


Why doesn’t the same principle apply? One pilot is very good at one skill, another very good at some other skill. There exists no mean pilot that is fairly good at both, so designing or testing for that is a bad idea. Replace body dimensions with skill sets and it’s the same issue.


Really, they shouldn't be trying to test for an "average" pilot, they should be testing for a "bad" pilot - one who can only meet the minimum requirements for a pilot's license.


You can train a skill and improve on it. You can't train your head shape or arm length nearly as much. The brain is more malleable than some of the other body parts.


I'm not sure what you're suggesting then - we should train all pilots to be uniformly brilliant at everything so there's no variation and we can use any pilot to test, before we test any more aircraft?


No, it would be about making things safe/usable for the merely competent and not relying on "brilliance".


Right, but my point is there may not actually be any pilots who are merely competent at all skills. The distribution of skills may be more complex than that. You may be making things safe for someone who does not exist, which is pointless, and you'd be better off making things safe for something other than a simple mean average.


You're going off on a tangent based on semantics and speculation. Pilots who are competent at every basic skill, but don't have years of combat or test pilot experience or extensive experience on the plane in question absolutely exist and that's what we're talking about.


You're getting hung up on this, like looking for the individual in a population who exactly matches an average, while ignoring the normal distribution that surrounds it. Don't obsess over the point, just center your window function around it.


You understand a Venn diagram just fine though. It's the same sort of problem, just generalize to n dimensions and use a clustering algorithm, or decompose an overly complex problem into multiple clusters.


A friend of mine was once told to make his product idiot-proof. He said "sure, as soon as you give me the spec for the standard idiot."


That's a really old joke and its purpose is to deflect rather than to illuminate. Your friend was trying to sound smart to distract from his unwillingness or inability to come to grips with the underlying design issues.


>Your friend was trying to sound smart to distract from his unwillingness or inability to come to grips with the underlying design issues.

Stout claim.

So I presume that you've witnessed any design or engineering firm that was able to deal with every 'idiot' within their problem domain?

I think OPs interpretation of the saying is more correct. The saying is bringing up the impossibility of designing something for everyone , not the deflecting of labor in some snarky way.


Maybe it was an old joke, but it was new to me at the time - only time I had heard it, and I haven't heard it again in the many years since.

And I think it says something useful about the impossibility of the task. The domains we work in are all about the expected inputs and expected outputs, and it takes a special kind of imagination to come up with parameters outside of those.


I'm pretty sure they mean "active duty pilots" va "dedicated test pilots", and I also assume they mean in addition to the test pilot tests they already do.


> Once these and other design solutions were put into place, pilot performance soared, and the U.S. air force became the most dominant air force on the planet.

Some of that trend miiight be correlation and not causation.


I imagine they could use total flight hours and total 737 flight hours...or some other metric that roughly correlates to experience and skills.


Sport pilot here: total flight hours on an airliner is an almost useless metric, the difference between 2000 hours and 5000 hours is negligible. I know pilots with over 10,000 hours that died in stupid accidents, I know instructors that never performed maneuvers that are almost routine to other pilots that don't even have 500 hours. I know dozens of pilots and there is no average one, some are very good and some are barely flying, with no middle ground. It is an area where you are either good or pretty bad.


Is there any data that would show that? Like crashes with pilot error as a contributing cause mapped to hours, and weighted by bands of hours.


For airliners, there is less room for error caused by the pilots (but it still happens). In General Aviation, the accident rate is more than an order of magnitude higher per mile (FAA has the data on their site) and by far in most cases it is pilot error, even if GA planes are less reliable. The official statistics are not very accurate because the GA accidents are investigated with less rigor, there are no black boxes to record what really happened and the pilots lie about the real cause (in more than 50% of the accidents I personally know). It is hard to prove all these, but some data exists on the FAA site, the inside info will never be public anywhere to consult. By inside info I am talking about the real story told by the pilots that had the accidents, in small communities people talk very openly about it. LE. I mentioned General Aviation because I know pilots with over 10,000 on B737 that died flying smaller planes or not able to fly at all smaller planes.


Sorry, trying to clarify but there is too much to tell for a full picture. In a B737 you are not allowed to do most maneuvers you do when flying a small plane or a fighter; not necessarily acrobatics, but even more basic things like stalls, spins, side slips or flying without engines, which is something I regularly do to maintain my proficiency. That means 10,000 hours of limited, routine flying does not make a lot of difference, especially when you get into an incident that is outside of the routine. Good pilots vs bad pilots: some pilots that I know can fly visual without any instruments, knowing the plane and feeling the plane. Many others are barely flying straight if you mask their artificial horizon and VSI.


Aren't those maneuvers done in simulators?


A simulator is to flying what porn is to sex: a simulation pretty far from reality. I had a lot of simulator time when I first flew a plane, it still took me 8 hours to be able to fly it in real life and that was a very simple 2-seater trainer.


Actually they must use the worst pilots. If they use average pilots that means 50% of the pilots might be out of their depth flying that plane. What kind of insanity is this?


This assumes the skill variance among pilots is pretty low. Average not in skill (I don’t think there’s a way to rate or rank pilots) but in specialised Boeing plane specific training. The problem with Boeing’s assumption was that pilots would have specialised training on that model, and the regulators seem to be trying to remediate that.


If the skill variance is pretty low then you might as well use test pilots. Their skill will hardly be better then the worst of the worst.

I don't think there is actual data on skill variance among professional airline pilots so I rather they just force testing on groups which are statistically more significant to get into crashes.


But aren’t test pilots specially clued on to the plane, the features they’re testing and how to react in problem situations? That’s like testing car airbags with stuntmen who know how to crash without getting hurt anyway.


Keep in mind that even with test pilots briefed on the behavior, one of the three ended up losing the plane during testing of single event upsets of the Flight Computer.

https://www.seattletimes.com/business/boeing-aerospace/newly...


That absolutely does not follow. Test pilots are prepared and trained for the extremes of control. It's a totally different skillset.

The point of the test flight is to push the plane as far as it will go. Practically all drivers, regardless of skill level, will lose control if you have them hydroplane a car. Race drivers will not. With a couple advanced driving classes suddenly most people will be able to handle a slide much better. There's a gap in experience, not talent. There is no such gap between any two normal drivers.


I don't believe the wording means arithmetic average.

It's more akin to the reasonable person test in law. Meaning, a reasonably well trained pilot that is not considered significantly more expert than those around him or her.


Just a side note from a law nerd. 'Reasonable person' doesn't mean 'typical' or 'ordinary' person, it means 'person who is amenable to reasoned argument.'

Suppose you make a proposition to a person and they reject it based on some fallacious argument. You, an intellectual, kindly point out the fallacy in their objection. A reasonable person is one who takes this in and reconsiders your proposition. An unreasonable person is someone who doubles down and either offers different but equally fallacious arguments (if they just hate your proposition and are looking for an excuse to reject it, but wish to conceal that) or refuses to acknowledge their original fallacy (due to embarrassment, stupidity, or perversity).


So, like, an NPR listener vs a Fox News viewer?


I agree. Though I would also feel pretty disheartened if I got a call from them after that decision was made -

"Hey, we need someone of your skill level to come in and fly some test planes"

"...okay"


Call it training not testing and the morale problem probably goes away.


Naw, you have everyone try to recover the plane in the simulator.

The Max needs to ensure that 80% ("average" is too low a standard) of tested pilots recover the plane.

The other 20% take remedial classes.


Imagine the job postings for such positions ...


You would word it differently, such as "Max 2 years of experience".


You could just select all applicants whose name is Max or Maxine, to get statistically average pilots.


While I don't disagree, at least moving from test pilots to average pilots would be a big improvement. And, in practice, might mean that you have to simplify and streamline the UI just as much as for the minimum viable pilots. But, even if not, at least average would be way better than test pilots only.


"Simplify and streamline" is exactly not the solution here, in fact the issue was that the relevant information was invisible and hidden from pilots, not that there was too much. Not everything in good design needs to end up looking like a Fischer-Price toy.

The main problems from my limited understanding were: pilots didn't know the subsystem existed; they didn't know it had activated; they didn't know what it was doing; they didn't know how to turn it off.

Additional instrumentation could have addressed all these issues but would have been more expensive than what they actually did.


True, but too much instrumentation is also a problem.

I'm into synthesizers, which run the gamut from bleep-bloop toys to movie-soundtrack in a box.

Mostly, synths are marketed like 'Not only can the Omnicron Neutron Wrangler produce any sound imaginable, it can produce more of them more loudly than the competition and audiences will surely be impressed by your mastery of its mind-bogglingly vast control surface.'

But the synths which end up being well-loved classics are not the ones with the biggest range or the most controls, they're ones with a decent range which is designed and calibrated well enough that it's hard to get a bad sound out of it - meaning they don't have too many abrupt phase transitions or nonlinear feedback loops that could cause you to suddenly lose control and turn an interesting complex tone into noisy garbage.


That's true, but the design constraints are very different. If your synth had a system in it that could fail, and another system responsible for monitoring that first system, and potentially overriding it, and if that system failure required you to take immediate and very specific action to prevent your synth from turning into a fireball, you'd want probably want a more or less one-to-one mapping between those subsystems and the instrumentation that you're looking at.

The well-loved classics you describe sound more like making a plane that's aerodynamically hard to lose control of... which is kind of a holy grail, but the MCAS design came after all of that was fixed by earlier design decisions.


I suspect the test pilots represent the <1% of pilots who are 10x skillful as a typical pilot.


Depends on the distribution


You're technically correct, but for the metric "human pilot skill" I think the median and average probably align fairly well.


I would guess that the skill distribution of licensed pilots is asymmetrical, if only because the tail end of bad pilots are not allowed to fly.


The primary design objective of the 737 max was to avoid pilot retraining. Until that stops being a major economic driver in aviation no problem was solved here.

Changing MCAS another dozen times and updating the manuals does nothing to prevent this from happening in new future system design.


There’s a tension between progress (some of which offers fuel [and ecological] savings) and cost.

If you can make a plane that saves an airline $1MM/year/copy but costs them $4MM extra and $500K/yr in training costs, you won’t sell as many as if it costs them $3MM extra and requires no retraining (or even $5MM/$0). Sometimes that difference is enough to make the project not viable economically.

Certification is incredibly expensive. The airplane I fly the most was built in 1997 on a type certificate (the basis of certification) originally approved in 1958. That’s incredibly common.

Passengers complain about terrible seats, terrible service, jam packed flights and then search for tickets on price as the overwhelming factor. It’s little surprise that airlines are competing mostly on price.

I’m not sure what you’re suggesting here as the solution to make it [pilot re-training?] “not a major economic driver”. It could be “reduce training costs for everyone” or “increase training costs for everyone” or something else.


This problem would be resolved if type certifications expired.

Eg. A newly certified plane type can be produced for 15 years before requiring recertification to new standards.

In effect, this forces Boeing to come up with new designs, since the chances of old designs meeting new standards are low. It'll give them a big incentive to find ways to get the cost of certifications down.

Up to them if they choose to evolve the plane with the standards, or do a ground-up redesign every 15 years.


> It'll give them a big incentive to find ways to get the cost of certifications down.

That is exactly what went wrong in the 737 MAX process -- the goal was achived by using political pressure to weaken the oversight.

With proper oversight, type-certificate extension is a sound process. Without it, no form of certification is effective.


That's an interesting proposal. Thanks for bringing it forward.

It would certainly increase costs in the industry and might introduce discontinuities in the pilot supply, particularly during irregular ops (weather delays causing crew timeouts causing crew substitutions) when pilots of 2015-era narrowbody jet #7 can't fly the 2014-era narrowbody jet #7 because the type rating is different or we have to stuff into their brains the qualifications for both the pre- and post- and have them alternate recurrent training between the two types, which brings its own safety concerns as compared to sending the crew to only one type of recurrent every required period.

Alternatively, we might address that by giving a common type rating to the aircraft (such as with the 757 and 767, which share a common type rating [the pilot qualification basis] today despite being built on different type certificates [the aircraft certification basis]), which would allow for common recurrent training with just differences training across models/series.


New designs tend to have new issues.

The pre-MAX 737s tend to be remarkably safe because the inherent mechanical issues have been detected and fixed over billions of flight hours.


Airline flights, and international travel generally, is _incredibly cheap_ compared to basically all human history. Adding in just a little more cost for a measurable, significant safety benefit seems like an obvious choice.


There's a lot of safety value in not having to be retrained, too.


It's sort of key when taking that approach to actually succeed in not requiring the retraining.


Of course. That’s pretty common though, and you don’t hear about when that is successful. As an example, the 757 and 767 share a common type rating.


The safety value proposition of the max is kind of hard to sell after two planes crashed. It was already the most successful plane ever in terms of avoiding retraining right?

All that unlocked safety value didn't count for much.


It's not just limited to pilot retraining. It's also about the rating on the air-frame, and grandfathering in saftey features/systems etc that wouldn't cut it on modern reviews, like the doors.


I'd say that's a clickbait title. The actual report is at: https://www.ntsb.gov/investigations/AccidentReports/Reports/..., and framing it as a recommendation to change the test procedure to use 'average' pilots seems like a big liberty.

To me, the thrust of the article is on making sure human factors are incorporated into flight certification process. As they highlight, although uncommanded MCAS input was part of the certification tests, it was only marked as a 'major' risk rather than more severe classifiers. This wasn't because of any phenomenal test pilots, but just because the FAA (rather than Boeing) guidelines behind the certification assume immediate assessment and diagnosis of the issue.

The report goes into a lot of depth about other human factors, for example, how transport-category planes should have straightforward highlighting of the primary issue since often the primary cause bubbles through various interconnected systems, and the main pilot response tends to be to identify the root cause under stress and then having to fix it.

To the extent I could re-summarize the report, I'd say "Plane Certification Processes Must Consider Real-World Scenarios And Factor Human Response to In-Flight Failures in Plane Design"


The irony here is that when I wrote "The Tyranny of the Minimum Viable User" I'd specifically excluded cases such as commercial aviation, where a minimum qualifying standard can be used.

By that logic, aircraft certification should be based on the minimum qualifying pilot.

https://old.reddit.com/r/dredmorbius/comments/69wk8y/the_tyr...


Wouldn't you need the worse pilot you can get? Average doesn't account for the fact that 50% of the sample are WORSE.


Robert Sheckley has a short story called The Minimum Man, which is about precisely this. An unlucky, clumsy, error-prone schlub who gets hired by basically-NASA for testing purposes.

Turns out, when he's placed in a life-or-death situation, he finds some focus and skill, and is no longer the minimum man. So they have some ways to counter that tendency....


In times of crisis, we rarely rise to the occasion, but rather sink to the level of our training.


That correlates with something interesting I learnt about leadership a while back - evidence shows that it's very hard to predict ahead of time whether someone will be a good leader from one context to another, with predicted good leaders often underperforming, and vice versa (might be a little out of date now).


Wartime general vs. peacetime general is the classic example.


> So they have some ways to counter that tendency....

Alcohol?


I think a better term should be "minimally proficient pilot". One that passes all the requirements, but not by very much. That's the lowest common denominator you should be targeting for certification.


But that's median not average...


Given set: 1 2 2 2 2 2 4 10

What's the average? 3.125

What's the median? 2


Mean is 3.125, median is 2, and mode is 2. All of those are averages.


I don’t know what you think ‘average’ means. Median is an average.


Most commonly it is used for the mean though...


Less than you might think. Mean is easier to calculate and tends to be close enough, but when there are are significant outliers people tend to revert to the median.

Life expectancy for example is calculated via median. Median income is generally used over average etc.


Mean wouldn’t make any sense in this context. Does a mean pilot even exist? Median pilots exist by definition.



If you can order pilots by some quantifiable measure, you can also take the mean of that and select pilots that are exactly the mean or closests to the mean.


Imagine the day you're hired to be a test pilot, and _officially_ graduate as the worst pilot there is!


imagine being the second to worst pilot, and not being hired at all.


I have 15 hours in a Cessna 172, I’d be happy to give it a go!

But in all seriousness, in no way shape or form should the testing be informed by the skill assessment of the test operator.

The analysis should be looking at the tasks that had to be performed during the test, whether they were properly identified by easily selected checklists, and quantitative measurements of the complexity and physical difficulty of the tasks.

If it comes anywhere close to a question of the skill or strength of the specific test-taker then something has gone terribly horribly wrong.

In old school UI testing you would do GOMS analysis which allowed calculating the difficulty of specific tasks based on the actual manipulations required to perform them. The skill of the particular operator is not generally a factor in these types of analysis.

The subtitle of TFA states;

> Safety board says FAA should embrace data-driven approach to assumptions about pilot responses

This is a much more reasonable statement. For instance, the maximum physical force required to perform the task must be an industry standard that pilots are all certified to be able to perform.


You could take a probabilistic approach...

In this 1 in a million situation, 90% of tested pilots managed to follow the procedures to recover. Therefore the chance of a fatal crash is 1 in 10 million.

Let the manufacturer decide if they want to make the situation rarer or the training better to reduce the overall crash risk.


How about if that info was available to the public? I don't want to put my health and safety on a scale against someone's profitability.


It won't be someone's profitability, it'll be the ticket price that you pay.


Because there is no relationship there at all, nope none, zero.


The aviation market consistently has margins that are just slightly above zero. Change the costs and ticket prices change in response; the profits stay constant.


It would be interesting if all of the airlines' own recurrent simulator sessions (every 6 months, IIRC) resulted in data being fed back to the FAA. You've got a huge sample size right there, and they try out all of these unexpected scenarios.


This makes a lot of sense. They need similar requirements for evacuation testing. Regulations say all passengers in a plane need to be able to evacuate within 90 seconds. As Americans get bigger and airplane seats get smaller the airlines "comply" with the 90 second requirement by conducting an evacuation test in completely unrealistic circumstances.[1] The test participants are all handpicked, fit, airline employees who prepare and practice for the drill. The test "starts" with everyone in their seat (seat backs & try tables up) and with their life jacket already on.

And in recent years the FAA hasn't required these tests as frequently. Why? Because even with all the preparation that goes into it, the mad-rush to the exits in a staged emergency, tends to be quite dangerous for the participants.

[1] https://www.youtube.com/watch?v=XIaovi1JWyY


I wonder if a bigger factor would be the test pilots knowing in advance what the test was.

Eg. being told, "next we are testing what happens when MACS fails", whereas in a real life situation the pilot has to diagnose what has happened, recall the correct remedial action, then act on it.


Also this test pilots may know the inner working of the plane where the real pilots were not told that MCAS was added behind their backs and some buttons/switches changed behavior.

Also were this test pilots had accessed to extra diagnose data where regular pilots were not provided even with a sensor disagree message


There wouldn't be a sensor disagree message because there was only one AOA sensor, prone to failure, with no redundancy.


MCAS was only using data from one of the AOA sensors (picked during restart), but two were still present, so sensor disagree light/message (when available) would show disagreement between the sensors.


And Boeing decided to make it an optional paid feature, though I am not sure if it was added later by request from airlines or they designed it like this.


Of course it should be. But the precedent was set in the early days of aviation when test pilots were flying experimental aircraft from alpha to v1. You don't want to kill rookies who freak out in a flat spin, so you put your coldest mfer in the seat.

And then they do barrel rolls during the first public flight of your 707.

But now that we've got such accurate virtual cockpits, we don't have to worry about killing pilots as much.


If you test for average pilots, then you've still got approx 50% of pilots who aren't capable. Whatever happened to testing for the lowest common denominator - especially in life and death situations?


How about we take below-average pilots, have them run the test right after their normal full shift ends without any rest in between, and give them a glass of whisky for encouragement?


Welcome to the Aperture Laboratories Aircraft Enrichment Centre!


In all seriousness (but with less fun), a similar effect can be produced simply by asking them to be reciting the alphabet constantly, solving addition problems constantly being fed to them, etc. -- anything that is constantly distracting half their brain.

In fact, this is a similar technique some actors use to make sure they know their lines cold -- no matter how well they can recite them with full concentration, can they still recite them while playing an intense video game? Because things will be so different on stage/set, it will be equivalently distracting.


Love this.


Don't they mean they must recruit pilots at something close to random, so they should indeed get all skill levels? I couldn't read the article so I can't verify but that's what I would think, because how do the otherwise find 'average' pilots? By a survey?


What about just picking 10 random airline pilots from around the world to test it out a few times and get feedback?


Good idea - any shit pilots want to volunteer? ;)


I don't think it'd be any kind of a challenge to find shitty volunteer pilots, you just restrict your search to PPLs.


Testing a large enough random sampling of people will include the lowest common denominator as well.


Yes, we need to round up our dumbest pilots for these tests.


Those can be found in the spherical cow aisle.

I'm sure the intentions are good but shouldn't the goal here be to use the least qualified, but still qualified pilots for testing? After all if the average pilots are passing the test but the least qualified, but still qualified pilots do not then it is a matter of time before the next crash. Boeing sells their planes all over the globe and I suspect that the average and the mean could be quite a ways apart and that the least good but still qualified pilot still sits comfortably below either.


Perhaps a portion of testing could be performed in the simulator using a random sample of line pilots?

The current advanced qualification program in use at the airlines kinda is set up to test operational policies. All pilots of a fleet (essentially a random sample of abilities) go into the sim once a year and perform a check on what’s considered a ‘normal’ flight in the sim where anomalies are presented without being pre-briefed and the crew must over come them just as if they were out flying the line. The data is aggregated and problematic trends are identified and corrected.

Translate the same to new aircraft certification. Get the airplane basically ready and train some pilots in the sim. Just regular line pilots who will be flying the aircraft for their airline. Then spend an appropriate amount of time giving them realistic scenarios (without pre-briefing the anomalies) that test the boundaries of the aircraft performance and see how the human/machine interaction occurs and if there are problems that need to be addressed. In the case of the MAX, MCAS was a new system so scenarios to test pilot interaction with it would’ve been a requirement and I’m sure these issues could’ve been identified.

This already happens to some degree when airlines take delivery of a new aircraft. They make proving runs to hammer out any small bugs and get good real world data on fuel usage, performance, etc. My proposal is simply to expand the scope of proving runs in the sim with a good dose of abnormal operations using normal every day line pilots.


Sounds like FAA & Boeing are trying to place blame on pilot error for the MAX crashes, to deflect attention from the MCAS issue and the FAA's failure to notice it. I agree with the conclusions as the majority of aircraft accidents are pilot error, but in the case of MAX there is nothing the pilots could have done to save those aircraft.


Half of pilots are going to be below average - why not test against their ability?


You’re thinking of median, not average, but your question stands.


"Average" is a blanket term which includes median: https://en.wikipedia.org/wiki/Average


Median and mean are both averages, and there are other types of averages. Average by itself doesn’t imply mean. And of course it’s median - how can you have a mean of something discrete like group of people?


The arithmetic mean (I.e. the average) is the 50th-percentile (I.e. the median) in a normal distribution. The question absolutely stands - unless pilot ability is not a normal-distribution.


In anything with a lower bound (passing to become a pilot) the distribution can be heavily skewed (ie cutting off the bottom 20% of a normal distribution)

Which means that more than half would be below average!


Since there is a long training/weeding-out process I would expect the distribution would be truncated normal, with some cutoff to graduate plane school. If this bar is low then the distribution will still be roughly normal, but if it's near or about the mean (does anyone have the fail rates?) then the distribution can look a lot different, e.g. one-sided normal, or power-law.


Why would a competitive, high skilled role with aggressive disqualification requirements be anywhere close to a normal-distribution?


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: