Hacker News new | past | comments | ask | show | jobs | submit login
My Letter to the Editor of New York Times Magazine (sullysullenberger.com)
666 points by kaboro 29 days ago | hide | past | web | favorite | 201 comments



Blaming the user is a pernicious problem in UX engineering, especially when a feature is introduced not for the actual users, but the executives making the purchasing decisions.

MCAS was an economics driven decision by Boeing to be able to sell it as a "no cost" upgrade to existing 737 fleets. "You get all this and you don't need to retrain your people"

The entire concept of the 737 MAX was flawed, marketing an inherently unstable aircraft with a patched undocumented system to control that instability. Then, incredibly, making the safety indicators an optional extra was criminal.

The FAA is also liable for regulatory capture and handing over its responsibilities the actual organization it is supposed to be supervising.

Ultimately, it's an example of what happens when MBA execs, convinced that they can run "any business" take over from a rigourous engineering culture. The Harvard (and other) Business Schools have a lot to be blamed for.


> marketing an inherently unstable aircraft

The 737 Max is not an inherently unstable aircraft and to say so grossly misunderstands the term and what MCAS was doing.

MCAS existed to make an inherently stable aircraft handle in the same was as previous 737 generations. Design changes had forced the addition of this system in order to retain the same type rating because those design changes caused the aircraft to handle differently to previous generations.

MCAS was about keeping the same type rating and the same handling characteristics. It had absolutely nothing whatsoever to do with 'inherent instability' - the 737 Max is an inherently stable aircraft without MCAS.

Continuing to spread misinformation about what MCAS is and the 737 Max stability is detrimental to the discussion.

EDIT - There is clearly a lot of misunderstand about the terms 'stable' and 'unstable'. These has a defined meaning in aircraft handling. I encourage you to educate yourselves on the term, on what stability actually is in relation to this discussion.

https://www.boldmethod.com/learn-to-fly/aerodynamics/3-types...

The 737 Max is a stable aircraft. The 737 Max without MCAS activated is a stable aircraft. It is an inherently stable design.

The 737 Max can and was flown without MCAS activated (even by the same aircraft as crashed, the pilots of the previous flight pulled the stabiliser cut out switches and went to manual trim control).

It is a stable aircraft.


According to this article https://spectrum.ieee.org/aerospace/aviation/how-the-boeing-... the engines had become so big that they had to be moved in front of the wings instead of under them, which in turn causes the plane to pitch up when the engines apply power (which was not the case with previous 737s). Whether this can be called 'unstable' or not seems to be a matter of definition. Sure it's not unstable the same way that something that completely randomly pitches up or down is. But if you got to drive a car that veers to the left at high speeds and to the right at low speeds, and needs a computer to compensate (oh, and this computer compensates based on sensor readings that may be faulty, so you might need to disable the computer's compensation and compensate yourself), would you perhaps call that unstable compared to a normal car? Doesn't seem unreasonable to me. It's unstable in the sense that controls that are normally independent are not.


Exactly. This is what is not coming out in most of these discussions. 1. Boeing took a great design and by moving the engine forward towards the nose of the plane and on a different position of the wing than what all previous testing had been on, changed how that design worked. 2. Boeing then skipped necessary testing, claiming it was an incremental change, not something that effected the overall design. They did this to keep costs low.

Boeing cut corners for costs and the FAA allowed them, in large part because they don't have the people power to do a lot of this testing. People died and faith has been lost in the US's oversight of airlines. This is a clear problem.


All aircrafts with engines below the wings have the pitch up tendency at high angles of attack. The only problem with that is, that it is required that the stick force the pilot needs to apply need to increase with high angles of attack. Therefore, most airplanes have some way of augmenting the stick forces in those domains.


All airliners have a cylindrical body projecting forwards from the wing, which produces a pitch-up moment at high angles of attack: it is called the fuselage [1]. Normally, the effects of all such destabilizing aspects of the design are compensated for by the correct positioning and sizing of the wing and horizontal stabilizer.

Most airliners now flying do have additional augmentation of their handling for a variety of reasons. Earlier versions of the 737 already had the elevator feel and centering unit and mach trim, but they are much less aggressive than MCAS, and, most importantly, their presence and full scope of effect was not obscured in order to avoid the cost of training pilots for their failure modes. Furthermore, in other cases where handling and stability augmentation is powerful, adequate redundancy is provided (even the 737 feel and centering unit has more redundancy than MCAS.) The presence of handling augmentation devices on other airliners does not justify the way Boeing introduced MCAS.

[1] https://leehamnews.com/2018/11/30/bjorns-corner-pitch-stabil...


I really appreciate the increasing levels of technical accuracy the further this thread grows. Hacker News draws in subject matter experts like moths to a flame.

Reminds me of the old futurama quote- technically correct is the best kind of correct.


Using those Positive, Neutral, and Negative stability terms from PuffinBlue's comment, is the problem that we want positive stability, but the MAX without MCAS exhibits negative stability at a certain part of its flight envelope?

That is, if the pilot is holding the airplane with a constant amount of force and the airplane is climbing at a certain angle, some turbulence or other disturbance could cause the nose to pitch up, and then continue pitching up?


No. The Max exhibits positive pitch stability in all flight regimes. What it fails to do is have sufficiently linearly increasing stick forces (required by certification) at high pitch.

It’s still aerodynamically stable (not neutral or divergent).


Just trying to understand the nuances of terminology here, but does increasing thrust count as a 'disturbance' in defining the stability regime?

Meaning if the plane is under increased power and continues to pitch up to the point of stalling, is that an indicator of a negative stability regime?


If it would continually increase pitch without bound, that would be described as negatively stable (a ball sitting on top of an upside down capital U. If it "didn't care", that would be neutrally stable (a ball sitting on a horizontal plane). If it tended to reach stability (even if at a different pitch than originally), that's positive stability (a ball sitting in an upright U).

The 737-Max does pitch up with increased thrust (as does any jet airplane with a low center of thrust), but it still reaches a stable pitch.

The problem in hand flight is that the controls on the Max don't get "progressively stiffer" in a linear fashion with increasing pitch. They still require positive force, but the force required to pull 2.0 G is less than double the force required to pull 1.5 G (as an example; I don't know the particulars of the Max stick force gradient curve).

I have not read anything to suggest that a normally trimmed, MCAS-disabled Max would pitch itself into a stall from thrust application. That would be bad, but is also almost surely far from the actual situation.


I am fairly sure I recall reading somewhere that because the engines on the Max are mounted farther forward than previously, there is a region of high AoA and high thrust where the pitch-up force increases with AoA.

I can't vouch for this. It's possible I misunderstood it; it's possible the source was misinformed, though I seem to recall it was written by a pilot. But I have trouble imagining what lesser problem would have required such a heavy hand as MCAS to fix. If it were really just a matter of the controls going light, surely that could have been cured with motors that were not so powerful as to be almost impossible to overcome.


> I have not read anything to suggest that a normally trimmed, MCAS-disabled Max would pitch itself into a stall from thrust application. That would be bad, but is also almost surely far from the actual situation.

?? Most aircraft will do this. Even docile trainers.

https://www.youtube.com/watch?v=DZfOtvjJR-I [edit: watch this instead https://youtu.be/6RtVdmsx4qU?t=71 ]

There's been a couple 747 crashes due to this exact scenario. Or regarding the 737 in particular, to quote "Mike734" in 2007:

> In the B-737 too much nose up trim can make a go-around very exciting. The under wing engines create a very large pitch up when adding full power for a go-around. The pilot has to really push hard to stop the jet from pitching too far nose up.

and "Cac737":

> Now in the Boeings for example, B737 and bigger with underslung engines, this situation is aggravated even more because when you push the power levers forward for go-around thrust, due to where they are and their thrust lines, that act alone will cause the nose to rise very noticeably, and if you are light you can actually find yourself pushing forward on the control column on a go around. now trim "back" as you say and forgetting you did so, can find yourself in a very nosehigh attitude if not careful.

https://www.airlinepilotforums.com/hangar-talk/17446-trim-la...


> ?? Most aircraft will do this. Even docile trainers.

That might be, but the video doesn't demonstrate it - the pilot flying pulls the elevator back quite a bit to induce the stall after he puts in full power.


I agree it's a poor demonstration-- he helps it the last bit of the way to the stall. But look at how much it pitches first...

Unfortunately there's two videos I found of the trim stall demonstration on youtube-- this one which shows most of it with a full cockpit view, and one which I think is a bit better technically but has the camera shaking everywhere.

See FAA AFM 4-12 for official training materials. https://www.faa.gov/regulations_policies/handbooks_manuals/a...


Here is a better demonstration:

https://youtu.be/6RtVdmsx4qU?t=71

The plane goes way above the normal climb attitude. He doesn't take it to the full stall, but has to push heavily on the control column to arrest it-- he never pulls.

(Really, it's pretty astounding how hard you have to push, and how high the nose rises anyways-- even if you weren't fully trimmed for glide, and even in mild-handling airplanes... I tend to fully trim for whatever flight condition I'm in, --except glide-- and then am holding light backpressure just to control this).


Thanks for the clarification. Do you know if there are rules/regulations regarding the control inputs? I.e. is linear feedback necessary or just a preferred/expected feel? Without much knowledge of the system, wouldn't a non- linear input be the "expected" feel of a purely mechanical system because the drag increases proportionately to the square of air speed?


Yes, there are certification requirements spelled out in FAR 25.175.

https://www.law.cornell.edu/cfr/text/14/25.175

The requirements have the form of "In configuration <XYZ>, the stick force curve must have a stable slope at all speeds within a range which is the greater of <range definition> above and below the trim speed."

It is this linear stick force curve requirement that was failing that MCAS was implemented to address. The airplane is still aerodynamically stable.


The pitchup cause is aerodynamic because the fan shroud is so big.

Moving the engines backwards or forward doesn't affect thrust related pitch moment.


Right: you have the underslung engine pitch effect from the engine thrust, and in the MAX an additional pitch force applied by airflow under the big-ass fan shroud. It was this latter force tbat would be unfamiliar to 737 pilots, and that MCAS was supposed to hide.

It didn't vary with engine thrust, but only with airspeed at a high attack angle.


That article is just an opinion piece by self proclaimed expert who is just a recreational pilot.


“Recreational pilot?” He has over 2000 hours of flight time and 30 years of flight experience including time in type for the 757. That’s 1700 more total hours than the copilot of the Ethiopian Airlines flight.

The author isn’t a recreational pilot: https://en.m.wikipedia.org/wiki/Pilot_certification_in_the_U...

It wouldn’t matter if Chuck Yeager wrote the article; people have their minds made up. It’s either “Boeing should die because ‘big US corporation’ or “The crash pilots were a victim of deficient, assembly-line third world airline training.”

The answer is more nuanced and in the middle of those extremes.


I'm assuming this is a typo, but I'll just mention it: Sullenberger has 20,000+ hours of flight experience, not 2,000 :)


I presume GP was referring to the other article linked above, not Sully's.

https://www.boldmethod.com/learn-to-fly/aerodynamics/3-types...


Agree with your point.

Both things can be true: 1) Many pilots are trained in assembly-ling training 2) Boing did not do adequate testing.

Often discorse seems to follow the lines of bracket tournaments: only one thing can be true.


This is misleading. Yes, the aircraft is most likely stable. But without MCAS, the 737 MAX would likely NOT meet certification requirements (at all, not just 737 type requirements) with regard to handling, specifically FAR 25.173 point C.

https://leehamnews.com/2019/02/15/bjorns-corner-pitch-stabil...

https://seekingalpha.com/article/4286602-boeing-737-max-misc...

> If test pilots from the OEM and subsequently from the FAA/EASA consider the feel in pitch for a part of the envelope above a certain rating, the aircraft will not pass Certification. It needs augmentation for this part of the flight envelope.

> The aircraft OEM is asked to propose fixes to the pitch characteristics of the aircraft so it can be judged acceptable for use by a minimum standard (Re. training and proficiency) pilot. This was the reason behind the MCAS pitch argumentation for the 737 MAX.


I addressed this in another comment more fully as the discussion evolved away from the use of the terms stable Vs unstable.


In a different comment, you wrote:

> The 737 can be flown just fine without MCAS turned on as it has absolutely nothing to do with making the aircraft stable.

which suggests that MCAS would not have been necessary for certification, if the MAX was being certified as a completely new aircraft type.


An aircraft might be stable and able to be flown just fine, yet not pass certification requirements.


As noted above, stable has a precise definition in this context, and in that context the Max is stable.


Yes, I acknowledge this in the second sentence of my comment.


You're confusing aerodynamicist's idea of stability with the regulatory idea of stability. I.e. You're in the wrong namespace.

To be said to be stable, and certifiable as a Civil Transport Aircraft, an airframe must pass all relevant prescriptive tests as specified in the FAR's.

FAR 25.173(c) is not demonstrated without MCAS, and therefore in regulatory parlance, not necessarily aerodynamic parlance, the aircraft is unstable by virtue of failing to demonstrate longitudinal stability as specifically prescribed in the FARs.

The fact that MCAS was added to minimize the risk of losing grandfathered type cert, and the terrible engineering that went into it is just icing on the cake.

The specific behavioral failure occurs during a wind-up turn. If you look up the procedure for the test, one of the independent variables is trim setting. That you have to adjust the trim (an input variable) during the maneuver in order to pass the test (preservation of control stick force response curve characteristics) kind of invalidates the entire endeavor. Never mind that the mechanism you leveraged to pass that corner case can doom the plane in case of false positive activation.

So yes. It may be aerodynamically stable in 98% of the operating envelope, but in order to eke out that last 2 percent, caution was thrown to the winds, and implemented a kludge that was never safely integrated.

Note I'm not arguing against the point you're trying to make. Just pointing out where the confusion in terms is likely arising in translation from technical to layman.

The layman only cares that the regulatory definition is hit, as the regulation is the compromise point between aviation and everyone else's interest in not having craters.


Frankly, that makes matter worse. A steering system that stabilizes and unstable aircraft would be needed and it would be a tragedy if it fails. An system that just changes the behavior from stable to stable in the same way as the previous generation so that there is no need to retrain pilots, is just a cost cutting measure.


Yes, I totally agree.

You have correctly identified the true source of much 'professional' outrage at what Boeing has done here. The MCAS system was, at its core, about saving money.

Boeing thought it could retain the same type rating with an automated system that would make the aircraft fly the same.

It is an almost unforgivable and detestable course of action.


Is a "cost cutting measure" really a bad thing? Most employers, consumers and the aviation industry would regard saving money as a good thing.

The way Boeing went about it is foolish, short-sighted, exceptionally dangerous, and very poor engineering.


There's cost-cutting, and there's risk-shifting.

Unfortunately, accounting methods and markets don't distinguish between these, especially where benefits (or profits) are immediately evident, but costs are occult and obfuscated. This is a situation which appears frequently, repeatedly, and notoriously in technological contexts. I'm seeing it increasingly as a fundamental conflict and paradox of market economics.

The issue can work in reverse as well: measures (practices, products, technologies, services) with immediately evident costs, but distant, obscure, or covert benefits, can be a very hard sell. Maintenance. Employee training. CO2 mitigation.


Exactly. MCAS was a "cost cutting measure" implemented without consideration for anything else--including safety.

SpaceX's (almost) entire existence is centered on a cost cutting measure: reusing rockets. But they didn't approach it in a way that killed a bunch of people.


Yet. SpaceX hasn't killed a bunch of people yet.

If you look at the history of flight, the biggest periods of progress killed people left and right. I'm not sure space can't go forward without doing the same.


From what I gather, you're half correct:

1. Yes, the 737 Max is stable in the conventional aerodynamic sense.

2. No, MCAS was not introduced only to make it handle like the previous 737 generation. Without MCAS, the 737 Max would not fulfil certification criteria related to stick forces at high angle of attack.

(I've never figured out whether the 737 Max stick force is sub linear, but monotonically increasing at high AoA, or decreasing.)


Didn't 737 MAX edge towards stalling when you increased the speed due to oversized engines? Isn't that violating one of most basic rules of aviation?


If an airplane, even one like a Cessna, is trimmed for straight and level, if you add full power without retrimming, you can definitely stall the airplane. Power-on stalls are a thing, in fact responding to them correctly is a fundamental training task taught in the earliest days of flight training.

If I take a Cessna Turbo 206 in the landing configuration and apply full power with no other input, you can stall or even spin the airplane. Critical factors include the position of the center of gravity.

The point is that you might be misunderstanding one of the critical rules of aviation — a stall is independent of speed or power, but entirely dependent on the exceeding the critical angle of attack. A stall can occur at any speed and any power setting.


> a stall is independent of speed or power, but entirely dependent on the exceeding the critical angle of attack.

Air France Flight 447 is a perfect example of this. They pulled back on the stick so much the AoA reached 40 degrees. The wings lost lift and the aircraft fell like a rock tail-first despite the engines running at full throttle. "But I've been at maximum nose-up for a while!"

https://en.wikipedia.org/wiki/Air_France_Flight_447


"violating one of most basic rules of aviation"

This really illustrated how poor the articles about this have been. the 737 MAX was not violating the "most basic rules of aviation". We keep hearing the design is unstable. But no one can tell us where in the flight envelope it is unstable.


> Design changes had forced the addition of this system in order to retain the same type rating because those design changes caused the aircraft to handle differently to previous generations.

It's not "just to retain the same type rating" that the MCAS worked as it worked.

The MCAS, as it was implemented in the planes which crashed had to be implemented for the plane to pass the certification requirements which exist because of the safety.

The plane is with its geometry inherently unsafe without some clever devices correcting the "inherent" behavior.

Anybody who claims it's not "unstable" does misdirection of clinging to the technicalities of wording of the specific claim (as the plane can be technically-speaking "stable", if nothing unexpected happens, while still being the death trap under non-average conditions, and that's what happened here), as there are more elephants in the room remaining, to be specific:

- The regulation exists to provide safety.

- Boeing 737 MAX is unsafe to fly without some additional hardware and software which does the compensation. Nobody can sell or certify the Boeing 737 MAX as it is designed without adding some hardware and software that would do something similar to MCAS. "Just turning off MCAS" permanently or "just removing it" makes the plane non certifiable safety-wise, not only losing its "type rating."

- MCAS design (its power) wasn't decided only once and implemented. The set of events was that only during the test flights the additional problems with the safety of the plane's response to the commands were detected, and the MCAS revisions added more power to MCAS (and less to the pilots) through the time. The result was that the MCAS which exists on all the planes sold (and the planes crashed) is not the MCAS from the initial specifications or claimed by Boeing after the crashes, as they still quoted the original characteristics.

- The goal of Boeing of "keeping the same type rating" is the motivation why they decided to lie about what they implemented and why they actively reduced the safety of the plane to the point of plane actively being the death trap.

- Specifically, Boeing misused the trust it had: through the years Boeing was allowed to do more and more of the certification work for their own planes.

- Not to mention disastrous public claims there's nothing wrong with their planes even after the two crashes, a lot of information already public and most of the world already having grounded the planes.

- Not only Boeing lied about what they did to the FAA and the rest of the world, even after the first crash happened, but while making the plane the engineering decisions have been made more than once just with the goal of preserving the false promises made by the Boeing managers as they have sold the planes: that's why there was the change in the behavior of the switches where there were separate switches before but they changed two switches to behave identically, only to actively hide what the new MCAS was doing. That's why the system was made glaringly non-redundant: adding redundancy would make it obvious that the system was (and it actually was) critical.

In short, it's not misinformation that 737 MAX was a death trap made as such under the guidance of Boeing's managers.

There are many levels of evilness Boeing managed to achieve in designing the plane and responding to the existing crashes. Some managers should be prosecuted for what they did. If that doesn't happen, the laws should be changed to allow that kind of responsibility the next time, or there will be even more victims.


> The plane is with its geometry inherently unsafe without some clever devices correcting the "inherent" behavior.

No it isn't. It is a stable design. To claim otherwise misunderstands the term.

The 737 can be flown just fine without MCAS turned on as it has absolutely nothing to do with making the aircraft stable.

Many people seem to want to shit on Boeing for making an 'unstable' aircraft. They simply did not make an unstable aircraft. They made an inherently stable aircraft that handled a little bit differently and then to save money (in order to prevent the need for a new type rating and pilot retraining) they used MCAS to make it handle like previous generations.

To repeat, the 737 Max flies just fine without MCAS (indeed previous flights of one of the downed aircraft pulled the stabiliser cut out switches and flew just fine) and MCAS was about handling, keeping the same type rating and saving money.


The 737 Max would not pass certification requirements without MCAS. Agreed?



> the 737 Max flies just fine without MCAS

No. Without the MCAS (but implemented correctly with the redundance etc) it behaves dangerously wrong in some ranges of its flight envelope: it effectively amplifies the small changes in the pilots control to the catastrophic results.

Also see that the final MCAS was delivered non-redundant and also modified to turn itself on under more than one condition and also to exert much more power in overriding pilot than in the initial design.

What you're claiming is a retelling of an initial belief about the MCAS as it was introduced, not about the MCAS as it was actually sold and as it was present in all the planes.

The claim wasn't true then and isn't true now.

Edit: What I'm talking about is documented here:

https://www.seattletimes.com/seattle-news/times-watchdog/the...

"This original version of MCAS, according to two people familiar with the details, was activated only if two distinct sensors indicated such an extreme maneuver: a high angle of attack and a high G-force."

"About a third of the way through flight testing in 2016, as first reported by The Seattle Times in March, Boeing made substantial changes to MCAS.

The flight-test pilots had found another problem: The same lack of smooth stick forces was also occurring in certain low-speed flight conditions. To cover that issue too, engineers decided to expand the scope and power of MCAS.

Because at low speed a control surface must be deflected more to have the same effect, engineers increased the power of the system at low speed from 0.6 degrees of stabilizer nose-down deflection to 2.5 degrees each time it was activated.

On the stabilizer, maximum nose down is about 4.7 degrees away from level flight. So with the new increased authority to move the stabilizer, just a couple of iterations of the system could push it to that maximum.

Because there are no excessive G-forces at low speed, the engineers removed the G-force factor as a trigger. But that meant MCAS was now activated by a single angle-of-attack sensor."

"While the changes were dramatic, Boeing did not submit documentation of the revised system safety assessment to the FAA."

The "low-speed flight conditions" is effectively what was discovered only in 2016, what was changed in the implementation of the MCAS only then and what was not documented and what eventually caused the crash of both planes.

And they had to add it for safety, not for "type rating." And it seems PuffinBlue is either not aware of that part of the story or intentionally ignores these findings in the comments, sticking to the the first part of the story, the MCAS as it was initially planned, not as it was actually implemented.

The "type rating" motivation was why they lied about what they did. But the intention of the MCAS changes were to make it safer to fly, not to fit the type rating.


Can you cite sources for the factual claims you're making here, which contradict what's claimed by Wikipedia and many media sources I've read?


"No it isn't. It is a stable design. To claim otherwise misunderstands the term."

Well, then we just disagree on the term.

"Because the 737 Max had been outfitted with larger new engines that could cause its nose to pitch dangerously skyward" (Source: https://www.nytimes.com/2019/03/14/opinion/business-economic... )

I don't call this a stable design. You can crash every airplane (e.g. "stall") but the plane should not enter an unsafe flying mode during normal flying behavior. No good engineer would have chosen that design.

An airplane that can only be kept in the air with a computer must not be necessary unsafe. As far as I know the stealth bombers can only fly with massive computer help. But this must be a rational, conscious decision and the pilot must be aware of this. Not a quick fix to stick huge engines on a plane that was designed in the 60ies.

I can put a Ferrari engine in a Mercedes from the 20ies. And I am sure it will drive. But the car, the brakes, everything is not made for this combination.


> Well, then we just disagree on the term.

When you're talking aeronautics, you should use the definition used by aeronautical engineers.


The author in the NYT is a pilot.

"Unfortunately, in the case of the 737 Max, it seems that Boeing has built a plane with a fundamental aeronautical issue that it thought would be resolved by adding a new automated system. "


Mr. Wise is indeed a pilot, but not one for jetliners. Flying a high altitude jetliner is very different from flying a Cessna. Mr. Wise does not have a degree in aeronautical engineering, nor in engineering of any sort.

http://jeffwise.net/about-the-author/


Note that he doesn't use the term "stable" incorrectly. He points out an issue (that would indeed preclude the 737 Max from being certified without MCAS, as I understand it).


> that would indeed preclude the 737 Max from being certified without MCAS

It would not prevent certification. It would require pilots to be separately rated for the MAX.


That's not my understanding. I understand (and PuffinBlue concurs, if I'm not mistaken) that the 737 Max would not be certifiable without MCAS.


> Because the 737 Max had been outfitted with larger new engines that could cause its nose to pitch dangerously skyward

I'm stretching to the limit of my understanding of the matter here but I'll try outline why that statement is misleading.

To put it in basic terms, you want to avoid a situation where an aircraft can enter an 'accelerated stall'. I believe this to be the correct term.

In the original documents to the FAA I think the exact quote of the wording was:

> MCAS “was added to address potential nose-up pitching moment at high angles of attack at high airspeeds outside the normal flight envelope.”

Specifically this was in a banked downward spiral, known as a 'wind-up turn' where instead of maintaining constant resistance on the control column, at a certain point the resistance to pulling back would lessen and this could allow entering an accelerated stall situation.

NOTE - from there I think MCAS ballooned into other areas of control, but I believe that the original intent of MCAS.

The reason this possibility arose was because the engines were moved forward, altering their thrush relationship to the center of gravity of the aircraft and, as I understand it, by the design of the engine pods themselves (flat bottomed and can add lift).

Under normal flight conditions an airliner would never enter a wind up turn, but it is a test that must be passed as part of the certification process, as far as I understand it.

So yes, there are circumstances where the characteristics of the 737 Max can make it easier to enter a dangerous nose up pitch. Note only 'easier' i.e. less resistance on the control column so pulling back with the same force in the same circumstance through the duration of a wind-up turn could allow it to be easier to enter a stall state.

But in normal flight and under conditions an airliner would fly, the nose up pitching moment caused by the engines would be entirely 'normal' and in line with what many airliners do (i.e. control column resistance would remain linear) but would have caused the handling to be different is very specific circumstances and so would have needed a new type rating and pilot training to address.

MCAS sought to avoid the need for that type rating by automatically applying trim to prevent any situation arising, even outside the normal flight parameters, that would cause different handling characteristics.

Again, none of this relates to stability/instability as was my original point.

Sources:

I read about this level of detail here quite a long time ago:

https://www.seattletimes.com/seattle-news/times-watchdog/the...

In looking up this article I found this aviation.stackexchange.com answer that also comments on this:

https://aviation.stackexchange.com/questions/66799/what-is-m...


Read to the bottom of the answer on that page. Yes, the wind-up turn issue appears to have been the motivation for the initial introduction of MCAS, but (I have read elsewhere) the first version of MCAS did not yet have the motor torque required to override the pilot's force on the controls. But a second issue was found which occurred at low speeds — the article doesn't say what it was, but I'm fairly sure I've read somewhere that there was an actual instability — and in response to which Boeing expanded the allowable amount of stabilizer movement and removed the high-g sensor condition for MCAS to activate.

While I don't claim to know the truth of the matter, I think it's premature to assert forcefully and unconditionally, as you have been doing, that there was no actual instability anywhere in the flight envelope. What I recall having read is that during climb, if the pilots took the AoA to a certain point somewhat higher than the normal range, pitch-up forces would increase to an unacceptable degree. Now, I may have misunderstood, or the source (sorry, can't find it) may have been misinformed. But unless you can find me an authoritative, independent source specifically contradicting this possibility, I am not willing to dismiss it, and I don't think you should be waving it away either.


I've been very specific in what I was saying - and I have been clear on the definition of stability.

That said I accept your comment and would happily be corrected, but everything I have seen has stated that there is no inherent instability in the design of the 737 Max.

What I have seen (and is widely reported) is that low speed high AoA may have increased the possibility of stall compared to how previous gen 737's behaved, but we're again not talking about stability as I've been clear to define it. That increase in the possibility of stall appears to be the reason why MCAS became more powerful and operated at these critical phases of flight.

It would obviously make no sense for Boeing to design an aircraft that was unbalanced. That would increase drag and reduce fuel efficiency. It's also understandable that the large and more powerful engines, plus their slightly further forward positioning, would create a slightly higher nose up pitch when compared to the previous 737's under certain phases of flight/flight configurations. That's not to say it made the aircraft unstable or unflyable, but it would suggest a reason why MCAS might be shoved into action there, in another attempt to recreate the same handling characteristics as the previous generations.

That seems far more likely to be where the greater authority for MCAS came from (it would need greater authority under that flight configuration/phase of flight).

It's also far more likely that there was a simple screw-up and MCAS was given too much authority and too little breadth of input.

Every bit of evidence so far suggests a fight for compromise over retaining type certification and use of MCAS. Nothing suggests inherent instability.


An accelerated stall is one of the most basic safety training exercises done. It's fundamentally familiarizing the pilot with the stall envelope of the aircraft.

The pilot should have to increasingly fight the stick to approach the stall. If the operating characteristics of the plane allow it to approach an accelerated stall with only an increase in thrust, then that is inherently not a stable behavior.


This doesn't have anything to do with inherent instability.

There's not enough information around that I can find to give a concrete answer as to what was found under high speed, high bank angle and high AoA as would be tested in a Wind-Up Turn. Some things I've seem mention it's a simple 'stick-force-per-g' test. Other things I've read suggest there was maybe flow separation under these conditions, which would point to accelerated stall.

What we can say is accelerated stalls are stalls that occur at higher airspeeds than the aircraft would otherwise normally stall due to increased g load.

In the specific example I mentioned above, I believe (I can find scant info on this) that additional handling augmentation was required because of the non-linear force on the control column when conducting the wind-up turn. To be certified I believe the 737 Max needed to return a linear force input requirement throughout the entire wind-up turn.

Another comment has pointed out that it is a basic requirement for all aircraft to have this linear feedback curve, so this wasn't just specifically to make the 737 Max handle like other 737 under this particular scenario (though apparently it did evolve to that under other conditions but I'd have to look into that further to be sure).

Again, this is not about inherent instability.

There are some comments out there on the web I've seen that point to there being some issues at slow speeds and high AoA. I'd love to get more info on both things if anyone has it.

But really, we have to use the correct language for the field we are talking about and that means understanding stability/instability are specifically defined and relate to a very specific thing.


>There are some comments out there on the web I've seen that point to there being some issues at slow speeds and high AoA.

1)This is precisely how you induce the accelerated stall I mentioned. Slow down, nose up till you get to the bottom of the energy curve, then accelerate while continuing to nose up. Hold this straight back, or bank to one side, and you stall. It's one of the most basic training procedures there is, although maybe not for 737s.

2) If accelerating causes nose up on it's own (without pulling on the stick) while near the bottom of the energy curve, you could have a run away condition.

So are you saying a run-away condition can still be "stable" in aeronautical engineering terms?

Because I'm pretty sure that's wrong. You might be studying the wrong books re: the technical language.


>Anybody who claims it's not "unstable" does misdirection of clinging to the technicalities of wording of the specific claim

In the context of aviation "stable" and "unstable" almost always refer to longitudinal static stability. Sure, it's a technicality but this is a term of art even beginner pilots should be quite familiar with.

>while still being the death trap under non-average conditions

Which has precisely nothing to do with stability, but with the plane deciding to fly into the ground.


That's exactly my point. Most of the readers aren't aware of these nuances in technical terminology, so when somebody pops up and claims something that is technically true (as "plane is not unstable") but practically irrelevant (because the plane is dangerous having its own geometry alone and without some additional correction like a correctly implemented MCAS as it should have been but wasn't as the the deceptions were a higher priority because profits) they get a wrong impression that the Boeing 737 MAX and the managers making it are "less dangerous" and "less guilty" than they really are.


> It's not "just to retain the same type rating" that the MCAS worked as it worked. > > The MCAS, as it was implemented in the planes which crashed had to be implemented for the plane to pass the certification requirements which exist because of the safety.

Citation needed. No indication of that at https://en.wikipedia.org/wiki/Maneuvering_Characteristics_Au... and a quick Google turns up no suggestion that it's true.


https://www.seattletimes.com/seattle-news/times-watchdog/the...

Note the section "In flight test, MCAS changes"

I've posted the link in my other comment too.

The initial introduction of MCAS was motivated by "type rating" issues. The later changes were the real safety issues. The later were activated during the crashes.

But the certification rules for type rating are also there to provide safety, and not some crazy bureaucracy decision. It was designed to prevent the pilots flying the planes for which they aren't trained. Boeing just lied about what MAX is as it was selling it and as it preformed the certification.

So the narration that implies the plane was "inherently" safe is just wrong. It could have been in completely useless purely technical terms "stable" (as ryanlol in the other comment writes that that apparently technically means only "longitudinal static stability") but that is just a red herring in the whole context.


> “It could have been in completely useless purely technical terms "stable"...”

Not for nothing, how is this dismissal of terms helping forward understanding? This is in part a technical discussion with intelligent individuals. If avionics takes ‘stable’ to have a special meaning, then denying the term’s special meaning undermines credibility of those who are working so hard to hold Boeing to account.


Nobody is denying the technical meaning. That is a strawman claim. If any intelligent individual remained after all this misinformation actions he/she will see at least that much.


> MCAS existed to make an inherently stable aircraft handle in the same was as previous 737 generations.

I understand this is the attempt, but my understanding is that this is fundamentally impossible and the aircrafts fundamentally handle differently. This is the basis of the allegations of fraud.


> the 737 Max is an inherently stable aircraft without MCAS.

Ok, but 737 MAX wihout MCAS is not the aircraft in question. 737 MAX is the aricraft and it comes with MCAS. And that is unstable, right?


No.

In no way is the aircraft unstable with or without MCAS activated.

Delete 'unstable' from the discussion. It's is a completely incorrect term to be using.

MCAS - Movement Characteristics Augmentation System is a system to give the 737 Max the same handling characteristics as previous generation 737.

The use of larger engines on the 737 Max and the short undercarriage meant that the engines had to sit further forward on the wing. This caused a vary very small difference in handling characteristics but was enough to cause the aircraft to need a new type rating as it didn't handle in the exact same way as previous generations.

MCAS was born to make adjustments to the horizontal stabiliser in order to make the aircraft feel the same as before so pilots wouldn't need retraining and the aircraft could keep the same type rating.

Absolutely no part of the 737 Max is unstable and no part of MCAS has anything to do with stability.

This information is widely verifiable for anyone taking the time to look.


I'm not having a go at you particularly but this is a typically 'faulty' post - you don't say what aircraft experience you have (captain? engineer? or PC Flight Sim?), and even more important you claim something and state "it's easy to find" but don't post it yourself.

If you say "This information is widely verifiable" then post links, please.


My father-in-law is the former chief test pilot for the RAF. And he was Head of Flight Test and Evaluation for large parts of the Eurofighter programme (now retired). He has decades of pilot, engineering and aircraft design experience.

We have had numerous discussions on this topic and any pilot with an understanding of the definition of the term will tell you that the 737 Max is inherently stable. My comments parrot his words.

Many here have to understand that learning about these things is not compatible with a 5 minute HackerNews comment. There is a good deal to educate yourselves about. One excellent series to do so comes from Juan Browne - a current 777 pilot:

https://www.youtube.com/watch?v=s3LrsvaCUoo&list=PL6SYmp3qb3...

Yes, that's a playlist, yes watching all of them is necessary to understanding the true nature of the problem. If understanding this was a simple 5 minute thing then you can expect pilots with years of direct training to be able to deal with it. The fact something has gone this catastrophically wrong should give sufficient indication that this is a complex and difficult subject.

There is also clearly a massive misunderstanding about what stability is. This site has a good overview:

https://www.boldmethod.com/learn-to-fly/aerodynamics/3-types...

To misunderstand this means one will misunderstand what went wrong with MCAS. MCAS is about trimming the aircraft (moving the horizontal stabniliser) in order to recreate the exact same handling characteristics as the previous generation 737's.

On the 737 Max (and most aircraft actually) there is a pitching moment that results in the engine nacelle producing lift. Most aircraft will do this to some extent - more power = increase in altitude for many aircraft. The 737 Max is not unusual or unstable in this regard. The important thing to know is that the pitching moment on the 737 Max was different enough due to design and engine changes that the aircraft handled slightly differently in certain phases of flight and in certain flight configurations - namely high angle of attack.

Because the aircraft handled differently to previous generation 737 it weould have needed a new type rating and that would have likely cost billions of dollars in certification and pilot retraining. Boeing saught to avoid this through the use of MCAS.

The important things to know are:

1) If an aircraft model retains the same type rating as previous generations then pilots don't need retraining, this saves money.

2) The 737 Max engines and mounting design produced a slightly higher pitching moment in certain phases of flight and under certain flight configurations than previous 737 designs. This was enough to make the handling different - not unstable, but different. In general terms, this would require slightly different trim level to 'balance' the aircraft under certain flight configurations (notably high angle of attack). Balance does not relate to stability/instability, it relates to balanced aerodynamic forces on flight control surfaces and ensures pilots don't have to continually input control stick movement to counteract an unbalanced setup. Trimming an aircraft is piloting 101 and noting to do with inherent stability.

3) To keep the same type rating, Boeing decided to create an automated system that adjusted the trim on the 737 Max automatically in order to cause the aircraft to handle in the exact same fashion as previous generations 737 under all phases of flight. This automated system allowed the 737 Max to retain the same type rating as pilots flew an aircraft with the exact same characteristic thanks to the automation provided by MCAS.

What went wrong:

MCAS had too much authority and took input of flight data from too few sources. This meant that when those inputs were erroneous, MCAS was able to apply greater nose down trim than could be overcome with other flight control surfaces. In order to recover from this pilots would have to pull the stabiliser trim cutout switches and manually trim the aircraft. Again, this is nothing to do with stability/instability and is piloting 101 stuff.

The problem was compounded further because the failure mode of this runaway trim condition was not clear to the pilots. It presented as a series air speed indication and other warnings with a the highly disconcerting addition of automatic nose down trim. This multi-failure presentation can quickly overwhelm a pilot and make identifying the correct course of action difficult.

Further, stabiliser trim cutout is a memory item, it's not contained in a checklist. So human factors, overwhelming error indications and the fact MCAS was not even explained fully in early manuals meant that pilots didn't immediately know what the issue was. When there is just a few seconds to identify the problem before crashing, these factors combine into a fatal outcome.


Excellent reply, thank you.

Again, this is not aimed at you but the general posting without underpinnings that goes on far too much.

My problem is that when this plane is discussed there are some strange posts that I don't trust (they try to spread blame to the pilots, to question other countries' flight safety, smear things out). Also there are claims from people who may have just done some reading, and kudos to them but they aren't experts. Without more info a post like yours may fall into either of these camps, or you may be an actual expert, or quoting one. Clearly the latter here, so I can trust your info now.

> about these things is not compatible with a 5 minute HackerNews comment

Actually they are. If a verified expert they can present a lifetime of experience in a short sentence, then do. With any luck these threads will become a fraction the length and much more informative.


I upvoted your original comment. You raise a valid and important point that I should have taken time to address without prompt. As such you added critical value to the discussion.


Overall excellent posts on this thread.

> stabilizer trim cutout is a memory item, it's not contained in a checklist

All memory items are contained (in written form) above the dashed line on the checklists. Memory item means crews are expected, trained, and tested to execute those actions prior to referencing the written checklists. It does not mean they aren’t on the checklist.

Screenshot: https://i.stack.imgur.com/cRG4J.jpg


Ah, excellent addition thank you.


> If an aircraft model retains the same type rating as previous generations then pilots don't need retraining, this saves money.

It also makes the airplane safer if pilots can transfer their experience and training from one aircraft to another, as it reduces the likelihood they'll do something right for one airplane but wrong for another (there have been multiple crashes due to this sort of mistake, even when they were correctly trained for each type).


Yes, the commonality of pilot experience is an important safety consideration, and something that Boeing has been praised for in the past, but it is the the breaking of that principle (or, more precisely, the attempts to downplay the differences introduced by MCAS) that is the issue in this case.


"On the 737 Max (and most aircraft actually) there is a pitching moment that results in the engine nacelle producing lift. Most aircraft will do this to some extent - more power = increase in altitude for many aircraft."

Minor side note: More power is supposed to increase altitude. (An aircraft is trimmed for a given airspeed; adding power injects more energy into the system. Then, it doesn't go faster, it goes up. To go faster, lower the nose. To go faster without losing altitude, you lower the pitch and increase power.)

For aircraft with engines below the center of mass, thrust tries to rotate the aircraft upwards around the center of mass. In un-accelerated flight condition, this is counteracted by other forces. But adding thrust increases the force and causes the aircraft to pitch up to a new angle based on the new thrust. This is aside from the more power = more altitude effect.

A second-order effect is that the engine nacelles act aerodynamically. (They're wings, albeit poor ones.) When pitched up, they generate more lift. Because the 737 MAX's nacelles are in front of the wing, their increased lift causes another pitching up force.

None of these forces affect stability; the aircraft will arrive in another stable state shortly after you change the power. However, they can lead to other effects like the control force changes you clearly describe in other comments.

Edit: Source: I slept in a Hilton last night.


Yes: the distinction between pitching force from engine thrust, and pitching force from engine nacelle aerodynamic lift, is essential and, here, frequently elided.

MAX has more powerful engines with center of thrust lower than in NG, and they are both physically bigger and mounted such as to exaggerate an already increased aerodynamic pitching force.

The distinction is frequently neglected in discussion here. Both effects contribute to MAX's different handling characteristics, but differently in different flight regimes.

The result is that it is tricky to make a MAX fly like an NG, particularly while trying to conceal the system used to do it.


That's a really good summary of the issue. Does your father-in-law have an opinion on if the MAX should fly again and what it would take to make it safe?


No: The information you present is what was documented as the initial rationale for introducing the MCAS.

But even during the development and the test of the plane it turned out that it wasn't enough. MCAS was redesigned to correct for more than that initial flaw -- check the widely researched and published articles about that. There are different moments at which MCAS was modified to turn itself on, and the more power over the pilot was added, to the point of crashing two planes while the pilots fought against the wrongly implemented device (which was made non redundant "to preserve the type rating" -- i.e. to "not affect the sales").

737 MAX under any type rating can't be certified to fly without something doing something similar corrections to MCAS.

There are articles documenting that.



> Absolutely no part of the 737 Max is unstable and no part of MCAS has anything to do with stability.

Vs. how Boeing describes it:

> The Maneuvering Characteristics Augmentation System (MCAS) flight control law was designed and certified for the 737 MAX to enhance the pitch stability of the airplane – so that it feels and flies like other 737s.


Do you think MCAS worked well in the event of a failed angle of attack sensor? I mean ignore fucking "stability" semantics.

Also this: "The MCAS deflects the horizontal stabilizer four times farther than was stated in the initial safety analysis document..[19] Due to the amount of trim the system applies to the horizontal stabilizer, aerodynamic forces resist pilot control effort to raise the nose." Wikipedia


> No

In that case we just disagree on what unstable means. Where I come from it means something that suddenly stops working and that thing happens too often. The plane is grounded because it suddenly stopped working few times. I call that unstable. Like Windows Vista with old GPU drivers was unstable.


And in aircraft design, that is not what unstable means.


Well, this is hacker news.


Debian is totally unstable: when I throw the server out of the window and it experiences an upset around the pitch axis, it does not tend to revert to the original flight attitude without control input.


Was there a point in this message? I did not get it.


Yes, I should've been more explicit: It's evidently problematic to use jargon from one field in another field. "Stable" has a common sense definition, and has a meaning in IT that's fairly close to that common sense definition, but has a meaning in aerodynamics that's much more specific. A lot of confusion in this thread resulted from a mixing of those definitions. That's the point I tried to humorously make above.


We also claim to be software engineers, too.


So if it is stable. Then it crashed because of pilot error?

(No retraining required. These pilots never crashed a non MCAS plane, and MCAS was actively moving the plane towards the ground). <--- How do you conclude this plane is stable?


No it crashed because the MCAS malfunctioned.

That malfunction manifested as the plane pitching down consistently. No matter what the input of the stick, it'd point to the floor.

Now, if a big flashy light+warning buzzer had been sounding (like with a stall warning) then this would have never happened. But it didn't, and because the pilots were not trained for this specific feature (cause it had the same rating) They didn't know what to do.

Its nothing to do with stable. the MCAS silently pointed the plane at the floor regardless of user input.


“There’s a simple explanation. MCAS is not meant to control an unstable aircraft. It is meant to restrain the aircraft from entering the regime where it becomes unstable. This is the same strategy used by other mechanisms of stall prevention—intervening before the angle of attack reaches the critical point. However, if Brady is correct about the instability of the 737 MAX, the task is more urgent for MCAS. Instability implies a steep and slippery slope. MCAS is a guard rail that bounces you back onto the road when you’re about to drive over the cliff.”

http://bit-player.org/2019/737-the-max-mess


No, it crashed because MCAS malfunctioned and drove it into the ground.


AND it must always be said in the same, the pilots were not trained in what to do. (Because not training pilots is cheaper than training them.)


Boeing’s argument (and I’m inclined to agree on this specific point) is that the existing stab trim runaway checklist was an appropriate and sufficient pilot response here.

Lion Air crew did it the day before to save the aircraft. The Ethiopian Air crew almost saved their aircraft by executing that checklist. They then turned the trim back on and for whatever reason only initially commanded nose up electric trim and then stopped, leaving the system powered.

Boeing has significant fault here, but I don’t agree that pilots were not trained to deal with a stab trim runaway (obviously). The crux is whether existing stab trim runaway training was sufficient for the MCAS equipped Max. Evidence suggests it was not.


"The crux is whether existing stab trim runaway training was sufficient for the MCAS equipped Max. Evidence suggests it was not."

So, you agree with me? I'm confused.


I think the pilots were trained in what to do. Runaway stabilizer trim? Cutoff the stabilizer trim power, as you've been trained to do as one of the only 14 memory items on a 737.

They weren't trained specifically in what to do in the event of an MCAS failure, because the thinking at Boeing was that the presentation was one of stab trim runaway, something that is already trained for. I have a lot of sympathy for this point of view when looking forward from several years' ago. It turns out to have been proven wrong in the field.


Oh then I understand. I know too little, but I have a bias against megacorp.


No. 737 MAX behaves differently from 737 NG under certain conditions. MCAS makes it behave as 737 NG under those conditions. This makes it so that 737 NG pilots can fly 737 MAX without additional, and expensive, training. This is what they mean when they say MAX has the sam type rating. There is nothing inherently unstable about 737 MAX. It's not as if it does not fly without MCAS.

Problem with MCAS, as implemented on MAX, is that it has too much authority and can prevent pilots from maintaining controlled flight under certain conditions such as if feed wrong input from angle of attack sensor.

There are aircraft that are aerodynamically unstable and require flight control systems to maintain controlled flight but they are not used in civil air transport.


Yet four highly trained pilots plowed this "inherently stable aircraft" into the ground.

"keeping the same type rating" lead to creating an "inherently unstable aircraft". As shown by the fact that over 100,000 hours of accumulated training didn't help.

Saying the "737 Max is an inherently stable aircraft without MCAS" is like saying its stable if it never leaves the ground. It has (well had) MCAS by default.

Minimising the size of this mistake is what is detrimental to the discussion. Boeing should go out of business. They are responsible for hundreds of deaths. If this were a person, this wouldn't even be a discussion. But corporations some how get a free pass on man-slaughter.


PuffinBlue's problem seems to be one of terminology and I'd agree with them. "Unstable" is not a good term for what you're trying to describe.

It's like if I started to describe your app's database as "unstable" because your website's down due to cloudflare configuration.

(With that said it's all just petty semantics; we all understand what the post is trying to convey)


> With that said it's all just petty semantics

Ordinarily I would agree with you, but this issue of stability is clouding the truly detestable course of action Boeing took.

Boeing was trying to save money. They wanted to keep the same type rating, so they added MCAS to an inherently stable and flyable aircraft for purposes of retaining the same type rating.

The system they added included optional safety measures that airlines had to pay more to install [0]. Boeing new that MCAS would be safer with these features and charged more for them!

The true outrage here should be directed at this underlying cause and the erroneous discussion over stability should be put by the wayside.

[0] https://www.theguardian.com/business/2019/mar/21/doomed-boei...


Sorry to say but you’re the one doing what you accuse others of doing.


"With that said it's all just petty semantics..."

Semantics is what words mean.


No amount of "stability" is going to correct for a system constantly adjusting your nose to point into the floor.

All mcas does is adjust the offset on the elevator.

it is a failure of UX and oversight. Pilots weren't trained, Alarms weren't installed. Its as simple as that.


Yet four highly trained pilots plowed this "inherently stable aircraft" into the ground.

This had nothing to do with the aircraft being unstable, but that MCAS had introduced a huge downwards trim as consequence of the sensor malfunction. Had MCAS not been active, none of the accidents had happened.


This is not what inherently stable means

Any aircraft will make a hole in the ground if its nose is pushed down, which is what mcas was doing.

But the airframe is not mcas. The pitch up movement happens in the NG as well, to a lesser degree.


    > ...  it's an example of what happens when MBA execs, convinced that they can run "any business" take over from a rigourous engineering culture. The Harvard (and other) Business Schools have a lot to be blamed for.
Sadly, the culture problems brought by bean-counters are the very last thing that will see the light of day. They're really the "long story" root cause problem here. It's the same kind of mentality that lead to the Challenger disaster, new building collapses in China and countless other less dramatic failures of big projects and systems.

Don't hold your breath for anyone to held accountable, don't expect that business will learn a lesson from this.


This article covers the culture problem exhaustively https://www.perell.com/blog/boeing-737-max


> The Harvard (and other) Business Schools have a lot to be blamed for

Is this documented? Did MBAs from HBS flood the FAA? And how would that lead to a plane falling out of the sky?

I'm with you on the general gist of your comment with regards to HBS - but I'd be careful about starting a witch hunt.


This went unnoticed but, do we know whether the executives or those who made the decisions here were all MBA graduates? I am an MBA student and we do case studies on exactly these kinds of issues and how the correct course of action, but ethically and financially is to do the right thing. Maybe others disagree but this comment definitely stood out to me.


I'm not sure why we're even having this discussion, even a non-technical layperson reading a description of how MCAS was supposed to work can immediately realize it's a horribly flawed and unsafe design. You don't need any experience with aviation or engineering, that's how awful the design is.


> such a pernicious and deadly design

Yes, MCAS is a pernicious and deadly design.

Equally, Boeing's corporate governance and FAA's regulation and oversight are also "pernicious and deadly".

All must be fixed before this aircraft flies again.


You can't fix a culture developed over 20 years (at least not fast). Especially if its a culture seen as good and beneficial by everything that surrounds you. Let's face it: the culture problems at Boeing are only a sign of the same problem everywhere.

If fixing culture is a prerequisite the MAX will never fly again.


I'm not sure why you get so worked up?

From what I can tell flying is far too safe for its own good. Seriously:

Flying is regulated to ridiculous level of safety. At current levels, each marginal dollar spent on flight safety would do much better being spent on driving safety or more radically, preventing deaths from malaria.

If we apply unequal dollar amounts to how much we are willing to pay for each life saved in different areas of life, we are saving fewer lives than we could.


That's an I tereting point of view, and I don't want to dismiss it out of hand. Do you have any links re:that subject?


Which part?

I tried to find some numbers about how much the marginal life saved in aviation costs vs other areas. https://en.m.wikipedia.org/wiki/Value_of_life is a good start, but doesn't have the numbers I was looking for.

The argument about paying two different prices for the same good buying you less than settling on a uniform price is basic economics. But it seems like something the LessWrong people or SlateStarCodex might have a write-up for.

The topic is difficult to discuss because huam life is a 'sacred good' and money is a 'profane good', and it is not socially acceptable to admit that we are making finite trade-offs between the two.

And I do have some sympathy for safety regulations of the aircraft themselves, as they are mostly based on actual engineering, as opposed to the safety theater when you board the plane.

But honestly, people aren't just trading off lives for money, they are trading off lives for minor inconveniences: you could make airplanes safer at no extra cost by mounting the seats backwards and removing the windows.

Windows are the essentially holes, they weakest points on the airframe. Removing them from the design would even save money.

Of course, you'd have a hard time finding enough passengers to pay to fly in you windowless plan.

(The military doesn't have a problem with that. Their passengers don't have much of a choice.)


> Blaming the user is a pernicious problem in UX engineering

I've been around computers since well before it was called UX, and since UX? trust me, I never blame users, I definitely blame UX.

we need to bring back UI.


All jetliners are unstable, which is why they have a yaw damper as required equipment since the 707.

https://en.wikipedia.org/wiki/Yaw_damper


“Dutch roll stability can be artificially increased by the installation of a yaw damper.”

Less stable is not the same as unstable.


There have been crashes as the result of the yaw damper being disconnected. That's why they're required equipment.

https://en.wikipedia.org/wiki/Dutch_roll#Accidents


In software, "stable" often means that, given certain assumptions (OS interfaces, working hardware, etc), the code will not crash even if given bad inputs.

Based on my reading of this thread, in aviation, "stable" means that, given certain assumptions (fuel supply, etc), the plane will tend to return to equilibrium after pretensions along one particular axis, if you give it no inputs. Pilots in the thread, please correct me if I'm wrong.

You may think to yourself "that's stupid, stable means it doesn't crash!" But if you want to communicate with people in the field, you have to learn their language. If an astrophysicist said "what do you mean that program is stable?? It doesn't have enough hydrogen to roast a marshmallow, much less initiate and sustain fusion!" you would roll your eyes. Sure it's all the same English word, and there is even a common semantic root, but they all mean very different things in their contexts.


Planes are stable by design. Instabilities have causes:

>a rudder power control unit malfunction led to a Dutch roll oscillatory instability

>a Dutch roll incident following structural failure of the rudder

>a trainee pilot's actions violently exacerbated the Dutch roll motion and caused three of the four engines to be torn from the wings


Stability, in a technical sense, means if you push something off of equilibrium, it will return to equilibrium after some time has passed. It is unstable if it does not return to equilibrium. Less stable means it takes longer to return to equilibrium, more unstable means it diverges quicker from equilibrium.

My understanding of dutch roll is it takes only a small perturbation to push it off of equilibrium and into oscillation, the oscillation is sickening to people, and it doesn't return to equilibrium without active correction (by the pilot or an active system). A small perturbation means it happens more or less continuously. Correcting the oscillation rather than making it catastrophically worse is something only a well trained pilot can do successfully.

The stable point is not straight and level, it's lurching around sickeningly. I mean that literally, at Boeing I was told about a 707 crossing the Atlantic when the yaw damper failed. The pilot didn't crash it, but the airplane was full of vomit by the time it arrived.

To be technical, it is not stable flying straight and level. The stability point is dutch roll, like a carbureted car does when the engine rpm "hunts" at idle.


If you haven't seen it you should check out John Oliver's bit on Harvard's MBA ethics pledge from when he was on The Daily Show. Here's a link that isnt region locked - http://dailybail.com/home/the-daily-show-enlists-a-prison-co...


Langewiesche is a terrific writer, but it does seem like the overwhelming majority of people in the business consider his take on the 737MAX to be misguided.

Reading his article, I got the impression that he has a certain idealised image of what a pilot should be like. One that I have also noticed quite a few people here on HN seem to be rather fond of.

Namely: that being a pilot should not just be someone's job, but their calling. To use a weird phrase I once saw here, they are supposed to be "fixed-wing enthusiasts".

There also seems to be a certain, somewhat outdated, concept of masculinity at play here. And, of course, combining these expectations with stereotypes of African and Asian companies (and people) initially led many to the conclusion that these pilots were either incompetent ("because of a lack of calories in early childhood" to quote one line of reasoning I saw (luckily not here)) or incapable of independent thinking. Never mind that at least one of the captains was trained in the US.

These ideas couldn't be farther from how the system is actually evolving, and how it should be: Flying needs to be boring. If your pilot has a chance to become a hero, the system has already failed. The goal must be a system of technology, institutions, curricula, etc. that makes it perfectly safe to trust any decent high school student to become a competent(-enough) pilot. Candidates with a sense for adventure should be screened out, because flying an airliner is dreadfully boring, and a volatile personality will soon find a way to make it more exciting (drinking, usually).

And planes should become more and more automated. Software and design errors tend to occur just once. Humans tend to make mistakes, even repeatedly, even with the best training. The 737MAX disaster is a terrible outlier that shouldn't obfuscate the fact that in the last 50 years or so, airline fatalities have dropped by an order of magnitude, even thought miles traveled have increased by a similar magnitude.

Combining the two: air travel today is 50 to 100x safer than it was in the golden age of piloting so many seem to glorify.


Exactly this.

The Langewiesche legacy goes back to his father Wolfgang Langewiesche, who is also a terrific writer, incidentally about probably still the best book about flying fixed wings, Stick and Rudder (1936).

But flying has moved on a lot since then. Although I also appreciate "The story of Mel", computing has moved on so far from moving some bits and bytes on a drum memory, that I absolutely prefer someone writing readable code today to someone who produces unreadable, but performant code (spare a few niches of inner loop optimization).

The same goes for flying back now and then. When there's not just "Stick and Rudder" in a modern airplane, but caring for massively diverse aspects such as ATC, passenger air quality, airspace control or fuel optimization, I don't need specialists. I need competent generalists.

Of course it makes for a nice hero story if a pilot just makes it to the runway because they took an airliner into a forward slip like the Gimli Glider, but the point is that they absolutely should not have to.

Humans are not meant for sensing to fly. The average VFR pilot loses not just orientation, but control over the airplane an average of around 178 seconds (!) after going into a cloud.

We need less heroes and more engineers who can build reliable automated safety systems.


(Explanation for anybody who isn't a pilot or up to their nose in this stuff:)

VFR is Visual Flight Rules, meaning the pilot's training and the paperwork qualifying them to fly is only for when you can see where you're going. The other case is IFR Instrument Flight Rules, which means you need to learn to ignore your brain's guess as to where it is and how it's moving and trust the (redundant but not necessarily infallible) instruments to tell you what's happening. You still look outside the plane, because there might be something important to see (e.g. geese!) but you mostly are scanning your instruments, seeking confirmation that everything continues to be good, the instruments don't disagree with each other or with the pilot's understanding of what's supposed to be happening.

VFR qualified pilots are not supposed to go near clouds at all. The exact distances vary depending on where the plane is exactly (low, slow flying planes get to be closer than higher, fast moving planes) but the general principle is that you need to stay so far from all clouds that you can easily see anything coming out of a cloud and avoid it entirely, since under VFR you are relying primarily on what you can see. Unfortunately they sometimes stray into clouds, and 178 seconds isn't very long.

Obviously the people flying a Max will all be IFR qualified (the commercial pilot licensing doesn't have a VFR option) but the parent's point is true anyway - we are already training pilots not to try to fly by instinct because humans do not have appropriate instincts for flying, we are earthbound.


The commercial pilot rating does not require an instrument rating, but the ATP does. All airline pilots will have an ATP; the commercial rating is an earlier step along the pilot certification path.


Good point.


If flying becomes boring, it becomes a tedious job that requires a lot of mental fortitude to slog through. Boring jobs are dangerous, because human beings don’t do boring very well.

And I think we’ve already reached that point in aviation, as much of the work has been offloaded to automated systems, making it easy for attention to doze elsewhere, and making transitions to where manual intervention is unexpectedly required even more difficult. It’s the same with self driving cars: the only safe options seem to be no automation and all automation since humans simply don’t do boring very well.


This is a very strange perspective to me. Clearly making flying boring has tremendously reduced the number of incidents. Certainly it's true that making something boring will increase the incident rate...but what's overwhelmingly clear from the data is that the reduction in incidents from all that automation dwarfs that effect.


The problem is that both statements are true.

Yes, we want flying to be as boring as possible, and yes making flying this boring has been the result of the amazing success of making flying safe.

Yes, with flying so boring, when something exciting does happen it's in many senses more of a problem.

This is a, maybe the fundamental dilemma in aviation safety today. Part of the solution is lots and lots of simulator training. Which of course is a problem when the manufacturer claims that there is no need for simulator training, because everything is exactly the same.


Boring for the passenger doesn’t mean boring for the pilot. A bus driver has to drive the bus, it’s routine yet never the same thing, their day goes by pretty fast. Compare to someone watching over an automated train...it’s just time they spend twiddling their thumbs, time crawls, they get really bored.

Flying is becoming less like flying a bus and more like supervising an automated train, and that is what is dangerous. When something unusual happens, the pilots are surprised and unable to adjust quickly, because unusual isn’t usual.

Of course, if unusual happens all the time, or is too out of the norm, you are pretty screwed, exciting is more dangerous than boring, but it doesn’t make boring less dangerous.


Pilots still have a lot to do, they must monitor the radios, the weather, fuel, etc. Since plenty of accidents have been caused by not paying attention to these things, I don't think you can say that having more time to do them is a bad thing.

If there is a lack of manual flying ability it is entirely due to culture and not the aircraft. Pilots can and do turn off the autopilot if they want to practice, and most landings are done manually because it is softer.


Langewiesche himself wrote about exactly this paradox in this (excellent) piece on the Air France 447 crash:

https://www.vanityfair.com/news/business/2014/10/air-france-...


Old saw, true enough: "Anesthesiology is 99% boredom and 1% panic."


Corollary: We had a senior anesthesiology resident who, a few months before completing his 3 years of training and going out into the great world to make his fortune, STILL came back to the ready room at the end of every day and said, "Something really interesting happened today." Us attendings hated working with this guy. Why? Because by the end of your residency, interesting events in the OR should be the exception rather than the rule.


Exactly this.

Statistically the most common cause of car crashes is driver fatigue.

Forcing undivided attention toward a boring subject for prolonged periods always results in cognitive fatigue.

I guarantee fatigue would be a similarly common occurrence in plane crashes caused by pilot error.

Either our planes should be flying themselves, or our pilots should be given cocaine before takeoff


You know which planes crash the most? Tiny planes with less than 6 passengers. Almost no automation, and by god are the pilots excited while they plow into the ground through their own error.


Unfair. A single propeller engine vs redundant jets.


What's unfair about it? GA pilots manage to kill themselves in twin engine planes too, fewer of them because most of them only own single engine planes in the first place, but plenty.

They make mistakes, and in particular some of these are mistakes that are more likely when you're flying for your own reasons (usually leisure) rather than because it's a job. "Get-there-itis" is an example, an airline pilot sees the weather at Nashville looks too dodgy, they confer with their colleague, then divert. "Sorry ladies and gentlemen, looks like Nashville's having some attrociously bad weather this evening, we're going to get you on the ground at... Charlotte and make alternative arrangements". But a private pilot father who promised to attend his daughter's performance this evening is damned if he'll divert and miss it, he's going to land at his intended destination. When he realises he might miss the performance by being dead, it's too late.


Yet how many crashes are due to engine failure? I have a friend who is a flight instructor on small planes, and he describes most general aviation crashes as being due to insufficient/improper preparation: not being aware of weather conditions, skipping safety checks, etc. Pressure (from passengers or the pilot themselves) to arrive at a destination by a specified deadline also play a role: a flight should always be delayed if there are concerns about weather, equipment, etc. Commercial aviation has an advantage, here: the layers of bureaucracy prevent passengers from interacting with the people deciding whether to delay or cancel a flight (I'm not even sure who makes that call: is it the pilots, or someone in a central office somewhere?).

Of course unexpected catastrophic failures do occur, but I've not seen any statistics that claim that they are a prevalent cause of general aviation crashes.

All that being said, in the case of the MAX, I find it unfathomable to blame pilot error, given the lack of training on the MCAS system.


wrt flight cancelations, etc.

> I'm not even sure who makes that call: is it the pilots, or someone in a central office somewhere?

The relevant regulation is here,

https://www.law.cornell.edu/cfr/text/14/121.533

The "operational control" is jointly shared between the pilot in command and the aircraft dispatcher. In theory, either one can cancel the flight. In practice the dispatcher does it or a shift duty manager (who may not be actually performing dispatch duties) who is the "man behind the curtain" and oversees all flight operations during their dirty duty shift. Big carriers may have several managers, assigned per region (CONUS, Asia Pacific, Europe-Trans Atlantic, etc.) but the theory is the same.

[me: licensed dispatcher & former flight ops duty manager]


>If your pilot has a chance to become a hero, the system has already failed.

Very well said.


Isn’t that question also true for any large Corporation?


Flying is boring when everything works well. I remember a story from a friend, a pilot of an airline that was going to sell all its aircraft of a model. 6 month before the sell, the preventive maintenance was reduced to only the legal minimum. In each flight during this 6 month, my friend has encountered technical issues (sometimes as severe as a broken reactor). IMHO, the role of a pilot is to keep a cool head to analyze faults with sometimes slight symptoms and find the right answers occasionally in opposition to the manual. That's also why I want the pilot to be in the same aircraft as me (no remote piloting).


> Never mind that at least one of the captains was trained in the US.

Point of fact, that captain did initial private pilot training in San Carlos in Cessnas — his airline training was at the airline. “US trained” in this context is similar to a doctor being “US trained” because he did an undergraduate degree in the US but his medical degree somewhere else.


This is completely wrong. If you watch air crash investigation, the majority of pilots who saved planes under extreme circumstances were fixed wing enthusiasts, often flew small planes or gliders for fun.

Especially in situations like the MAX crashes you need a feeling for the aircraft.

I'm astonished what this has to do with masculinity, which is of course not outdated (watch who women date ...).


"Namely: that being a pilot should not just be someone's job, but their calling. To use a weird phrase I once saw here, they are supposed to be "fixed-wing enthusiasts"."

Rotary-wing enthusiasts are just crazy. Everybody knows that.


My takeaway from the letter is that pilots should be at the top of there game at all times, and one shouldn't be cheap when building an airplane. Blaming pilots for a shoddy aircraft is weak sauce, and Sulli wantd us to know that.


Wow he didn't miss. It's a good example of an interesting change in our information dissemination dynamic. 30 years ago he would have been waving his arms trying to get other news organisations to run a counter-story and then be subject to having quotes taken out of context and having his thoughts filtered through the story the journalist was trying to write or that the editor thought was more compelling. Giving everyone the best possible motives, which was frequently reasonable, it had serious issues.

Now he writes the letter. Publishes it himself very cheaply. Then allows it to be read by a very large number of people directly, un-edited. There are many of examples of this kind of thing nowadays (and it's easy to see it doesn't always work too). When it does work the world is just a little bit better.


The NYT had a Letters to the Editor section 30 years ago, just like the one that published today's letter.


The letter wouldn't necessarily be published, and it would likely still be edited. By having his own place to publish, we do know exactly what his words are.


Aviation accidents are typically about defense-in-depth being undermined (the "swiss cheese model"). The object of an investigation should be to find multiple vulnerabilities that could be fixed, at all levels. Focusing exclusively on one of them to the exclusion of others would be a problem.

Sullenberger says the same: "we need to fix all the flaws in the current system — corporate governance, regulatory oversight, aircraft maintenance, and yes, pilot training and experience."

But this doesn't mean any particular article can't focus on one problem more than others, so long as they don't claim it's the only problem.

Looking at the original article, the clickbait headline (typically not written by the author) pretends we can find a single cause ("What Really Brought Down the Boeing 737 Max?") but the subhead takes it back ("equally guilty"). The article focuses on problems at some airlines, Lion Air in particular, and alleged differences internationally in how airlines approach safety. Apparently that's what the author wanted to focus on?

So I guess it comes down to a difference in emphasis?


But...the whole concept of the 737 MAX was, "you don't need extensive retraining of your pilots, it's still a 737, and if they can fly a 737 they can fly this with minimal retraining." Otherwise, there was no purpose in designing a plane with this design; if you started from scratch you would put the wings higher up so that the engines would fit in the normal position, and the MCAS wouldn't be necessary.

So, "equally guilty"...is equally wrong. If this pilot thinks it's not reasonable to expect a typical 737 pilot to be able to react to an MCAS failure in time, then (given two crashes in the first year of use), he's probably correct.


I would suggest changing the title of this HN post. Maybe "The MCAS design should never have been approved" or something to that effect. IMO, the current "My Letter to the Editor of New York Times Magazine" is far too ambiguous.


The title is no good, but maybe a compromise would be "Capt. “Sully” Sullenberger on the 737 MAX". Picking a just a sentence without the context seems to be against the spirit of the no clickbait rules.


Central point of Sully's letter:

These emergencies did not present as a classic runaway stabilizer problem, ...

Which flatly contradicts Langewiesche's claim that that is what they presented themself as and therefore should have been handled by any competent pilot.

I have to admit I also found the Langewiesche article extremely tendentious and...not sure "racist" is quite the right term, but it certainly felt close to it.

Ethopian for example had an excellent reputation and safety record up until the MAX accident, something never mentioned in the article. Instead we learn a lot about Adam air, an airline that went belly up before the 737 MAX program was even started. How that is supposed to be relevant except for a "well, those Indonesiens ..." dismissal is beyond me, and of course there is no connection to Ethopian except, well, darker skinned foreigners.

Not a good look, New York Times.


I'm glad Mr. Sullenberger spoke up about this. As some people have pointed out in this thread, Langewiesche is indeed a terrific writer, but the tone of the piece in question was off-putting.

For those who're interested, Patrick Smith (aka Ask the Pilot) also wrote a critical piece about the article last month: https://www.askthepilot.com/plane-and-pilot/


The article to which this letter is in response: https://archive.is/Rf4Yj


That article in New York Times Magazine (https://www.nytimes.com/2019/09/18/magazine/boeing-737-max-c...) seems like a part of the Boeing's PR action to win back the public confidence in 737 MAX...


> The MCAS design should never have been approved, not by Boeing, and not by the Federal Aviation Administration (FAA).

This is the line that stuck out to me. Basically, it never occurred to me that the FAA has to approve aircraft designs. And if that assumption is correct, who exactly would the approvers be, and are or can they even be qualified? It feels like they'd just be mostly trusting Boeing's judgment as not to upset the Juggernaut, which seems like a rather useless process.


The FAA actually does keep engineers on staff, and the aircraft manufacturer will have to explain and demonstrate how their aircraft complies with thousands of different requirements. This is actually one of the larger sub-controversies of the whole MCAS issue; the FAA has been progressively delegating more and more of airworthiness compliance to Boeing's engineers and trusting their results instead of verifying it themselves.

With regards to the regulations, they're excruciatingly detailed. I encourage you to read 14 CFR 23, Airworthiness Standards: Normal Category Airplanes, and 14 CFR 25, Airworthiness Standards, Transport Category Airplanes.


Sully's the man. His description of the experience of piloting in a crisis and analysis of the design and regulatory issues reminds me of Sidney Dekker and 'Safety Differently': http://sidneydekker.com/


Interesting story: Sully actually lost a copy of one of Sidney Dekker's books in the forced water landing that he'd borrowed form the library.


The worst thing about these accidents is the pilots never encountered the situation in simulators.

For non-lethal failures, tech companies do extensive game day testing to practice failure conditions and engineers responses. The fact that it wasn't done in this case because the failure was too expensive, unlikely to occur and the new plane wasn’t different enough was a huge failure on Boeing’s and the FAA.


Worth noting that Langewiesche wrote a book about Sullenberger’s infamous flight on the Hudson. Not a critical one, but they do have a previous relationship at least of some sort.


Calling it "infamous" is a bit critical, isn't it? "Famous" would make more sense.


Definitely famous. He became an instant hero. The plane's role was less positive, but at least it didn't sink.

The performance of the ferry crews who did the rescue should never be neglected. Union-mandated emergency training was carried out perfectly.


Not in my opinion. But entirely up to you how you take it.


Well, I like to follow the rules of English, so that's how I take it. https://www.merriam-webster.com/words-at-play/infamous-vs-fa...


Whatever blows your hair back, bud.


This letter is something the modern internet and media are sorely missing - a real expert opinion instead of a flood of "armchair expert" opinions. I would always prefer one opinion of someone who does, over a hundred opinions of those who think.


OTOH, there's plenty of experts in every field who can and do say "I've been doing this for 30 years, and I know that ..." and then mention something they do which statisticians have since shown isn't effective.

Sully is worth listening to here because the facts are on his side, in terms of blaming the victim versus analyzing the system as a whole. Sully is getting a lot of airtime in the media because he's a famous public figure, but a new pilot 6 months out of flight school would be just as correct with the same facts.

He's a smart guy who is obviously familiar with the safety research done in his field. His own decades of experience do not constitute research on their own, though.


Even if the pilots are partly to blame it indicates a bad design philosophy. The hierarchy of mitigation in safety critical systems is

1. Engineer the hazard out so it no longer becomes possible

2. Use other systems to detect and safe the system (ideally, if it's a software hazard, use non-software mitigation)

3. Procedural or administrative mitigation

#3 is by far the least desirable, meaning you only use it as a primary mitigation if the other two are infeasible. If Boeing uses this defense I would want to know why they were not willing to implement the other, better methods, because it would seemingly point to managerial or technical deficiencies


The risk wasn't identified in the first place. Remember that the updated MCAS was itself a mitigation.


The risk of MCAS was identified in the system safety analysis (SSA), but they didn't appear to do a thorough job (in hindsight, at least). The biggest mistake to me seems to be the erroneous severity attribute:

> Assessed a failure of the system as one level below “catastrophic.” But even that “hazardous” danger level should have precluded activation of the system based on input from a single sensor — and yet that’s how it was designed.[0]

[0] https://www.seattletimes.com/business/boeing-aerospace/faile...


Am I the only one surprised by the whole professional personal brand management of Sully? Do they also sell mugs with his face?

It's not like he is the only person to ever glide with an airliner to a safe landing

https://en.wikipedia.org/wiki/List_of_airline_flights_that_r...


He is an author who does speaking and consulting on the basis of his experience. I don’t believe his branding is anything abnormal or differing much from that of prominent software development authors, speakers, and consultants.


It might be unique among professional pilots, though.


He is one of very few to glide into a water landing with zero fatalities, and the only one in the middle of one of the world's largest cities.


There was a HN discussion of the Langewiesche article that this letter makes a reply to: https://news.ycombinator.com/item?id=21004683

It made some similar arguments, but also quite a bit of Boeing PR bashing. It got flagged.



Sullenberger's testimony to the House Committee on Aviation: http://www.sullysullenberger.com/my-testimony-today-before-t...

And ironically, William Langewiesche (whose reputation for aviation is based, aside from being a pilot himself, on his father, Wolfgang Langewiesche) wrote a book on US Airways 1549: https://en.wikipedia.org/wiki/Fly_by_Wire


Not relevant to the content of this letter, but "this age-old aviation canard" in a note about MCAS has got to be the best word choice I've seen all year.


> These emergencies did not present as a classic runaway stabilizer problem

I find this baffling. The stabilizer was clearly running and dangerously pitching the nose down.

The pilots could have safely resolved the situation by:

1. using the electric trim switches to override the runaway trim, which they did

2. then cutting off the stabilizer trim with the cutoff switches, which they did not

(1) and (2) are true. See Aviation Week Aug 19.


August 19 is 4 months after March. That's a lot of time for details to have finally been worked out about how MCAS actually worked.

Also, they did cutoff the electric trim, but had to reenable it in order to try to neutralize already present mistrim.

If the switches had been left alone from the NG, where the flight computer could be isolated while maintaining the electric trim controls, they could have been fine.

...Of course, if Boeing had actually mentioned MCAS in training materials, then things may have been different too.


Knowledge of MCAS was not required for (1) and (2) to work and be effective. Note that the pilots were already doing (1). And the Stab Trim Cutoff switches are there to cut off the stab trim.

Besides, at the time of the Ethiopian crash, the existence of MCAS was well known:

https://theaircurrent.com/aviation-safety/boeing-nearing-737...

Note that the bulletin, sent to all operators of MAX aircraft, is a longer version of (1) and (2) that I mentioned, giving more detail.


No. The switches worked differently in the MAX than in the NG. Doing what would work in the NG would not work in the MAX.


Read Boeing's bulletin on the matter in the link I posted. It works as I said.


Another reason to steongly consider the Gell-Mann amnesia effect when reading anything from the NYT.


I think a flaw in his letter is that it is printed in all italics. ugh.


Pilots do cause a lot of issues: https://en.wikipedia.org/wiki/Pilot-induced_oscillation

It's the aeronautical engineer's version of PEBKAC.


If a model of car occasionally drives itself into oncoming traffic, "Drivers also cause some accidents" would be a pretty ridiculous response.


Amusingly, that is exactly the response in every Tesla thread on HN.


That’s not in dispute, nor the point of this letter.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: