Inside Larry Page’s Kitty Hawk: Returned Deposits, Battery Fires, Boeing Shakeup (forbes.com)
99 points by atlasunshrugged 12 days ago | 70 comments

The anti-safety culture is kind of surprising. When they made previous announcements I thought that safety was what they were bringing to the table. Autonomous drones, even large scale ones, are pretty ubiquitous at this point. People are building human-scale drones using off the shelf equipment in their back gardens. The thing they're all lacking is properly safety certified electronics. I would have thought the thing a project with deep pockets like Kitty Hawk would bring would be the huge effort required to build a certifiably safe drone.

Having worked in other hardware startups though, I'm guessing what actually happened was a few years of reinventing the wheel and learning on the job. Safe systems don't look any different to non safe systems to an outsider, so unless there's a real buy in from management it's very hard to build them.

Before talking about anti-safety culture, I observed that the real issue in a purely hardware/software-driven culture is that people focus on technology. For safety systems, this usually fails / overbudgets because there needs to be some systems thinking /before/ about why and how the proposed system can be declared safe. In the case of drones, I am afraid that the systems design to make these devices acceptably safe is yet to be formulated (Note: these are not planes, they fly close to the ground so they do not benefit from the safety of altitude to have time to react in case of failure)

Safety, very much like security, needs to be built in during the design phase - or you're trading off the development cost for an expensive retrofit while gambling with the risk of killing the project (or even setting back that entire class of transportation) by killing people.

Can't emphasize that enough. I read a book in 80's on safety critical design and that was the first rule. Safety has to be a primary design goal from the start or you are hosed.

Helicopters are certifiable for carrying passengers, and yet take offs and landings have no altitude nor speed benefits.

In what way do multirotors / drones differ?

Helicopters have a height-velocity diagram with some areas marked unsafe (low speed, low altitude); when operating in the forbidden areas a pilot cannot be reasonably expected to perform an emergency landing using autorotation following complete engine loss. In all other areas this should be possible. Coincidentally, that's why helicopters avoid taking off vertically (they only do that in video games...); they want to gain some speed before gaining significant altitude, because forward speed helps autorotation. If a helicopter just climbs straight up at zero speed and the engine goes out, it's going to fall pretty much like a rock.

Average multicopter designs would seem to be incapable of autorotation for aerodynamic and technical reasons. The technical reason being that the BLDC motors used are typically permanent magnet synchronous machines, which develop significant holding torque in most (driver) failure modes and there is no clutch to disconnect the motor from the propeller.

Notably - this is what killed the billionaire owner of the Leicester City football club. He liked to land his helicopter on the field after the game and depart from there (against many people's advice) which prevented any forward momentum on takeoff or landing. Last year, he was taking off after a game and had an engine issue which resulted in the helicopter crashing into the parking lot killing everyone on board.


There's also typically* no collective pitch control in small multicopters, so to autorotate the props have to have time to stop turning and reverse. Even assuming they could declutch from the motors they would usually crash first.

*There are some exceptions: https://www.droneguru.net/collective-pitch-drones/

If the engine fails in a helicopter, and you have enough altitude, you can autorotate the rotors for a soft landing. It's the helicopter equivalent of gliding in a fixed wing aircraft. The danger potential is similar to a fixed wing aircraft - landing and takeoff are the critical stages, but normal flight gives plenty of opportunity for a safe-ish forced landing.

A multirotor on the other hand doesn't have the ability to glide, like a fixed wing or a helicopter. Any safety will have to be engineered in by making sure that a single rotor failure (or even multiple) can be coped with correctly and reliably.

I suffered a battery lead failure on a large hexcopter this summer at ~27 ft. It was spectacularly destructive to the airframe. Had it been a motor/prop/ESC, it would have had enough thrust to land (awkwardly), but cutting power to all 6 motors at the same time (flight controller has a separate battery)... not recoverable.

I know exactly nothing about aircraft safety, but since this is HN, I want to throw out a guess: in case of landing, could it be that helicopters make the blades spin very fast prior to beginning the landing maneuver, compensating for extra lift with pitch control, and then keep them spinning fast throughout the entire landing process, and brake them only after touchdown? This would, in my mind, let them do a soft touchdown via autorotation in case of sudden engine failure at any point of the landing maneuver (at least if the pilot has fast enough reflexes).

In theory, yes. In practice the blades don't have enough angular momentum for this to work longer than a very short time, which is why the first step a pilot must take upon engine failure is to slam the collective down so the air flowing past the blades will keep them spinning in the same direction.

Some helicopters with very heavy blades with lots of angular momentum have been built, but it makes the blades heavy which requires a more powerful engine which makes the whole craft heavier which means you need even more angular momentum...you get the idea. It's an engineering nightmare so it's atypical.

I'm going to go on a limb here, you'd need to put enough energy into the rotors of: helicopter weight * recovery time (so distance * descent rate) * gravity². That is a big number to get rotor mass * rpm to equal.

Autorotation is already the standard emergency landing practice in case of loss of engine power mid-flight; I'm only guessing that landings could be performed in such a way as to maintain the capability for autorotation throughout the maneuver.

That's what I was trying to explain, that energy to maintain rotor speed in an autorotation is stored in the height. To replace that is a damn big number you're putting somewhere else. Maybe landing rockets like the Soyuz.

That does sound like a reasonable guess.

Can anyone with more knowledge chime in?

I’m off to bed, otherwise I’d try looking into it.

I know copters have autostability as their benefit - the big rotor has inertia on its side and keeps it aloft and even a loss of power would fall slower.

Multirotors I believe require active control of every individual rotor instead of straightforward big angular momentum. Which I believe is part of why they are seen on drones.

Riffing on this a little bit based on my experiences with multirotors but not having any kind of "autorotation" capability with them:

Most motors on multirotors are BLDC motors that require active control to make them spin. Voltage gets applied to the motor phases sequentially to make it spin. However, when they're completely open-circuit, they actually spin quite freely! I've seen the ones I had (26" prop) windmill quite well in a mild breeze. The trick, though, is that you're probably not going to get much descent-arrest out of open-circuit BLDCs. Another possibility is short-circuited BLDCs; in that condition, the rotors are quite tough to turn. My speculation is that the props wouldn't spin much at all in a short-circuit condition. Buuuuut... if ESCs were able to modulate the open/short-circuit condition (even without power to actively spin the motors), I suspect you might be able to get some kind of arrested descent situation.

I've been thinking of building an ESC from scratch this winter... this might be a useful feature to experiment with!

Modern soft/hardware development looks like this: idea -> money. There is no real engineering in between except hammering on things until they get to "money".

The home built experimental powered lift aircraft are lacking a lot more than properly safety-certified electronics. The big gaps are in power reserves and systems redundancy for fault tolerance.

The FAA generally requires certified helicopters to have a 30 minute fuel reserve in order to allow a safe diversion to an alternate landing site. With lithium battery power, once you subtract out the reserve time there's hardly any range left. (It might be possible to obtain some exemptions to the reserve regulations in limited circumstances.)

It’s 20 minutes for rotorcraft:


Experimentals don’t get to waive fuel reserve requirements (which are Part 91 flight requirements [pilot responsibility to comply], not Part 23/25 type design requirements [designer responsibility]).

The 20 minute reserve requirement is for VFR conditions only. The 30 minute reserve requirement that I cited is for IFR conditions. If Kitty Hawk wants to sell a certified aircraft that can be used for revenue passenger flights then I assume it will have to meet the IFR requirements, but perhaps the FAA will reach a different decision?


Many helo ops are VMC only. You could sell a helo that wasn’t IFR equipped.

The market for VMC only helicopters is tiny and already pretty well saturated. Robinson is the largest and they only sell a few hundred per year. This latest crop of start-ups building multi-rotor powered lift aircraft all seem to be targeting the air taxi and executive transport markets, which will need to fly in IFR conditions in order to be economically viable.

(Even if the range and safety issues can be resolved it's not clear that the target market even exists, but that's a separate problem.)

but you could not (AFAIK) operate it as a scheduled passenger service as such

I don’t think there’s much scheduled pax service in helicopters to start with. Lots of sight-seeing, air ambulance, and on-demand charter ops (part 135) and of course private (part 91) flying. I think there’s a market for a small, VMC-only helo. (I’m not convinced that it’s going to be electric anytime soon.) I think most of the R22 and a significant fraction of the R44s sold today are not IFR-equipped. AFAIK, none of them are certified for IMC operation (even if IFR equipped) and Robinson has a healthy business going, obviously.

I recall when Tesla was starting out that they already had a safety story including compartmentalizations and monitoring. The impression given was that safety was a forethought.

This isn't a product yet. Not focusing on safety when it's ferrying people is one thing, but not focusing on safety when the craft doesn't even work yet is another. I read this as an order of operations thing. First work out the concept, then get it to work, and then get it to work reliably. As long as nobody is in danger putting reliability last seems natural by definition. Once it's reliable, it's done.

You can't add on safety. It has to be designed that way from the start. For example, on airplanes it's safer to have the wings below the cockpit because it gives the pilot more visibility. If you weren't thinking about that when you designed the plane you would be hard-pressed to make that change.

That simply doesn't work. If you want to build a reliable aircraft then you have to design around reliability from the beginning, starting with the basic product concept. Reliability isn't something you can add on at the end of the development cycle and achieve good results. Real aeronautical engineers have known this for decades.

That really doesn't match actual aircraft design history though. Like were the wright brothers in 1900 thinking about how to make their first flier safe?

This isn't 1900 though. Helicopters have been a thing for 70 years. Everyone knows you can make an unsafe multirotor. They're everywhere. Colin Furze made one in his shed. You can buy general aviation aircraft today with fully autonomous autopilots, including a completely hands-off "land at the nearest airport because the pilot's having a heart attack" button.

The absolute bottom line offering of any small aircraft has to be that it's safe (or at least, the failure rate is acceptable - which means at least comparable to modern helicopters). That's the innovation that anyone entering the market needs to bring.

No? Not safe + working is more useful than safe + not working. Besides, they are not building a helicopter, they are building a new kind of aircraft.

This isn't Skunkworks where they're developing experimental aircraft for extremely well trained pilots in the military. They're trying to make these for consumers who don't even want to get a pilot's license. They should be designed to be far safer than what is available today if that is their target audience.

Doesn't matter if it's military or end user. First you have to make it work, then make it safe. A not safe but working consumer multirotor plane is still much better than a safe but not working plane.

We have decades of experience to learn from in the aviation industry, that is what we should be iterating on and benchmarking against.

Making a new type of aircraft that is significantly more dangerous and requires significantly less training (so it is unrealistic to expect the consumer to understand the risk) is just valuing profits over human lives - full stop.

Are you still okay with unsafe flying machines when they start falling out of the sky and killing people on the ground? As mentioned previously, these aren't even supposed to require a pilot's license, so you can't expect the customer to be trained like a pilot.

The FAA rules are written in blood. If people want to experiment with new types of aircraft responsibly, that's fine! There is even a specific process for that, it's called an experimental certification.


But selling these things to untrained consumers is just completely, utterly, reprehensibly irresponsible. That's probably why Kitty Hawk returned deposits - they realized the machines just weren't safe enough to sell to people.

Not safe + 'working' means people will die. When people die due to negligent engineering, the company goes bankrupt at best.

Safe + not working eventually leads to bankruptcy too, but people don't die in that case.

Not to say that advancing aerospace engineering should be totally without risk. But these folks are not building space vehicles or fighter planes, they're building commercial aircraft. In that sector, tolerance for risk is far lower, as it should be.

Sure, there is always a risk of people dying. Safety is an iterative process.

I'm not sure that safety is a primary concern if you're just trying to see if you can make something fly _at all_.

I'm sure they've started from zero several times with entirely new designs. There's no point worrying overly much about safety if you only plan to fly something once.

> “It was a pattern — if you talked about safety you were done, so you just didn’t,” said one former employee. “That’s just how it had to be if you wanted to keep getting a paycheck.”

Sounds like a problem with management, which isn't surprising. Sebastian Thrun is a brilliant researcher, but he has yet to turn any of his ideas into sustainable technologies or companies. Self-driving cars aren't real yet, and Udacity is going through some rough times. To the best of my knowledge Udacity has never been profitable (please correct me if I am wrong).


Maybe he'll turn around Udacity (I doubt it, although I really hope so). My point is this man chases after shiny things, and then leaves as soon as there's another shiny thing for him to pursue. He does the fun stuff with early development, and then loses interest when you get to the hard slog of making everything sustainable.

Similar to self-driving cars, he was able to get his flying machines working well enough for some really awesome demos - but he can't commercialize the technology because it's still demoware.

I want to compare this to Icarus because superficially it's so appealing, but in the end Sebastian is going to be incredibly wealthy and never having really lost anything. He will even likely continue to be heralded as a genius by many (and sometimes rightfully so).

That first quote is really a massive indictment for an aviation company - it's diametrically opposed to how it should be ("safety culture" and all).

I work at a company doing something very similar, owned by an aerospace giant as well.

We are led to believe that safety is the most important aspect of any part of our work. At least that’s what we’re told at group meetings and company-wide meetings. But when push comes to shove and the (arbitrary) schedule demands a test, hacky code is produced, checks fall off the list, and errors do happen.

Progress seems to be more important than safety. We are instructed to show some sort of significant return on investment within 6-12 months for the funding we’ve received. It’s pretty sad.

Telling managers that we need to take it low and slow at first makes them angry and ignore the engineers who do the good work in exchange for engineers who do it fast.

Scariest comment on HN in a long time.

Also, you probably think you're anonymous and safe in setting this comment out here but you and your employer are trivially identifiable from this comment and a couple of others made on HN so you may want to petition the mods to kill this comment on the off chance that your employer gets wind of this, it might be a career limiting thing.

The "checks fall off the list" issue has always been a thing. There is a term in electronics called "Muntzing". Named after Earl Muntz who, after the engineers created a thing (TV), would start pulling parts until it failed. Then call it good. This did two things. Made the product cheaper and caused service calls to fix (put back parts). He made money both ways. The "Anti Safety" issue is management's form of Muntzing the code.

I wouldn't have expected a Google related project to deathmarch like this. Energy density was always going to be the problem. The Lithium ion chemistries are just not there yet. These guys know what they are doing: https://skai.co/ Vid: https://www.youtube.com/watch?v=uhMP5237dGA

Minor nitpick: Energy density is energy per volume. What's crucial here is specific energy, ie energy per mass.


Some days I love hacker news.

The most impressive thing is he did it in a friendly manner! Sometimes I'm pretty bad at correcting people without sounding like an asshole.

It boggles my mind how many of these human transporter designs have the props low to the ground. How the hell is a passenger supposed to egress in case of emergency when the blades are running?

There are other reasons for rotors to be overhead, as well. Locating the center of mass below the center of thrust makes a more stable system. Viewing the ground, which is something that many passengers would desire, is much easier when there isn't a bunch of machinery in the way. The further rotors are from the ground, the less likely they are to strike debris when landing and taking off.

I'm trying to think of reasons it would be good to have low rotors... maybe something about noise experienced by the passengers?

> Locating the center of mass below the center of thrust makes a more stable system.

That’s a common fallacy, early rockets placed the nozzles on top based on this assumption but it’s not useful. Ex: https://en.m.wikipedia.org/wiki/Rocket#/media/File%3AGoddard... The issue is the thrust is in line with the angle of the craft so you get the same thrust vector from below or above the aircraft.

Edit: https://en.m.wikipedia.org/wiki/Pendulum_rocket_fallacy

The rocket situation is not clearly similar to this one. In the first place, these craft are controlled by varying the speeds of the different rotors. That means that the thrust is not "in line with the angle of the craft".

They are still attached to the aircraft so net vector rotates with the aircraft.

Take a modern twin engine aircraft and they can turn by changing the thrust from each engine, but when the engines are outputting identical thrust they don’t add stability. In both cases rotating the aircraft also rotates the net thrust in an identical fashion. Which means there is zero restoring force from the engines to return them to the original orientation.

PS: Fixed wing aircraft get stability from their airframes not their engines. https://en.m.wikipedia.org/wiki/Longitudinal_static_stabilit... Though in fighter jets this may be aided by active control.

Getting them high enough up would require a larger superstructure supporting them and would look pretty goofy to get them high enough up that a standing person wouldn't risk hitting them. These can also be stopped pretty quickly just by shorting all the motor leads together so stopping them in an emergency isn't very hard.

I think there are extremely good reasons to keep the rotors on top, not below, with people around the craft or entering and exiting. One prop in front of single engine plane is enough of a safety hassle that one makes a big deal out of it in safety briefings, and yet people run into them again and again [1][2].

At any rate, the Volocopter [3] has the rotors on top, and while it might not look as sporty as the Kitty Hawk, I don't find it annoyingly goofy.

[1] https://www.huffpost.com/entry/lauren-scruggs-model-plane-pr...

[2] http://www.rightthisminute.com/video/graphic-man-hit-plane-p...

[3] https://www.volocopter.com/en/

I'll go with goofy looking and keep my legs. :)

The other thing is these are meant for operation over water so if you have crashed it will be into water and the blades will stop very quickly due to the drag.

“No person has ever been harmed or exposed due to undue risk in over 26,000 test flights with over 100 prototype vehicles,”

Well that isn’t exactly difficult to achieve if no one was on it. I’d like to know the data if it was carrying a crash dummy.

Also that is such a contrived way of saying “no person has ever been harmed in over 26,000 test flights”. There must be something the “due to undue risk” clarification hides.

I read that as there were injuries, but they were due to risks that had to be taken, not risks that were carelessly taken.

Good point. One could say that nobody has ever been injured or died in civil aviation due to undue risk (except maybe where the captain let his kid fly the jet for a bit, that might be considered "undue"...)


What risks 'had to' be taken in this context?

Steve Jobs was famous for his "reality distortion zone" - simply not believing that something could not be done.

Early on in a project you need vision and innovation, "fake it 'till you make it".

Get a demo working, even if it only works 20% of the time or covers one use case poorly.

But at some point, along comes actual reality.

Faking it is really a bad model - the number of Steve Jobs "prepared to use sleight of hand to hide loading times" is vastly outnumbered by expensive failed replacements.

The most defensible practices are at least inherently modular and could be stitched together - really the deception would be highly unnecessary.

Sounds exactly like the path Theranos took.

> required to report safety-related issues to their managers, or through a confidential digital channel directly to the general counsel and human resources

What. How is it appropriate for HR to be involved in reports of safety issues? This reads like there was a confidential channel to self-selection layoffs.

EHang is making short flights with people aboard.[1] The EHang 216, a one-person drone-like craft, has 16 props on 8 booms, so there's some redundancy. But not enough battery life to go very far.

[1] https://youtu.be/7RjstNDRuCQ

Volocopter has been making manned flights since 2016 (see links below). It has 18 rotors (at least 3 can fail while leaving it completely controllable) and 9 independent battery packs.

And, in particular, it doesn't have the people-decapitating and knee-cap-smashing rotors below the passenger capsule, but above (like a conventional helicopter).



The flyer has a lot of anti-intuitive designs, for example 6 massive fans whirring around the pilot.

What if there is a bird strike or the blades somehow dismantle from the fan and fly towards the pilot?

Also, this being made for non-professional pilots/passengers, what if a passenger tries to board/de-board while the fans are still spinning?

At this point, I assume the aircraft keeps morphing into whatever the next iteration of managers/designers deem highest priority to keep the company afloat

I hate Forbes.com articles with a burning hate in my heart. The ads. Oh my god - stop it!
