
> The media has covered the training (or lack of it) extensively.

I've never seen it in the media. Not knowing what the stab trim cutoff switch does is a massive failure either on the part of the pilot or the training. Not reading the Emergency Airworthiness Directive is a failure of the pilot.

> It seems like you want to point to a singular cause

Au contraire. It seems that everyone but me wants to blame a singular cause - Boeing. There was a cascade of failure here:

1. A defective AOA sensor was manufactured and installed

2. After the first LA incident landed safely, LA failed to correct the problem before sending the airplane aloft again

3. Single path MCAS inputs could not detect failure

4. Pilots failed to apply known emergency procedures

> require humans to act perfectly in accordance with their training, all the time.

Of course we try to design airplanes so they do not cause emergencies. But we still need pilots to train to react to emergencies. You don't put a person in the pilot seat who is not well-trained in emergency procedures.

Making airplane travel safe means identifying and correcting ALL causes in the cascade of failures. Most accidents are a combination of airplane failure and pilot failure.

Sometimes pilots make deadly mistakes. That's why we have copilots, they check each other. But in the MAX crashes, both pilot and copilot failed to follow known emergency procedures. Why they didn't, I have no idea.




"Boeing" is not a cause. Things like their safety culture can be a cause, or lack of good process control can be a cause. The reason why Boeing is catching a lot of flak is because they deviated substantially from best practices. This is related to your other comment so I'll just respond here.

There is a general hierarchy when it comes to controlling hazards (remember, Boeing already identified MCAS as hazardous): remove the hazard, engineering controls, administrative controls, and PPE. We can apply a little thought experiment to see the gaps in what you're advocating when it comes to the MCAS issue. (Admittedly, this is contrived to just illustrate the point within the confines of a forum reply).

1) Remove the hazard: They could have redesigned the airframe to adjust the center-of-gravity to remove the stall issue that MCAS was developed for in the first place. Why didn't Boeing do this? Because of cost and schedule pressure to have a new plane ready, after threats that American Airlines would take their business elsewhere.

2) Engineering controls: MCAS was an engineering control, but an incomplete one. Because MCAS was listed as "hazardous" in the hazard analysis it required redundant sensors. Why didn't they put on redundant sensors as the default? I can only speculate, but considering they were sold as optional, profit motive seems likely. (This also ignores the fact that MCAS should have been categorized as 'catastrophic' meaning they didn't fully understand the impacts of their system)

3) Administrative controls: this was the training piece that you're hanging your hat on. This has multiple problems. For one, even though MCAS changed the handling dynamics of the airframe, Boeing pushed hard to reuse the same certification to avoid additional pilot training. Again, this was a business decision to make the airframe more competitive. Secondly, administrative controls are inherently weak because of human factors. There's a lot that can go wrong if your plan is to have humans follow an administrative procedure. You claim "it's not hard". Sorry, this is just a bad mindset. Usually when I hear people say things like "it's not hard" or "all you've gotta do" when they're talking about complex systems, it indicates they have an overly simplified mental model. In this case, you may be ignoring the chaos in the cockpit, the fact that the plane has handling characteristics different from what the pilots were trained on, human factors related to stab trim force at speed, conflicting or confusing information (like why the MCAS comes on at changing timeframes), time criticality, etc. Having administrative controls as your main mitigation is bad practice, and setting the system up for failure.

4) PPE: this isn't particularly relevant to this case, but a silly example of PPE control is giving everyone parachutes and helmets in case things went south.

You can obviously see PPE is an absurd control. But your main point is that the main control should be administrative, which is the next worst option. Boeing ignored good safety practice to pursue profit. So they probably deserve some of the heat they are getting.


"redesigned the airframe" means designing an Entirely New Airplane. Boeing didn't do this because designing an entirely new airplane would have been:

1. an absolutely enormous cost, like a couple orders of magnitude more

2. several years of delay

3. pilots would have to be completely retrained

4. the airlines liked the 737 very much

5. mechanics would have to be retrained

6. the inherent risk of a new, untried airframe

There was nothing at all inherently wrong with the concept of the MCAS system, despite what ignorant journalists wrote. What was wrong with it was it was not dual path, had too much authority, and would not back off when the pilot countermanded it. These problems have been corrected.

Pilot training - there have been many, many airplane crashes because pilots trained to fly X and Y did the Y thing when flying X. The aviation industry is very well aware of this. Boeing has been working at least since 1980 (and likely much earlier) to make diverse airplane types fly the same way from the pilot's point of view. This is because it is safer. And yes, it does make pilot training cheaper. Win-win.

> You claim "it's not hard". Sorry, this is just a bad mindset.

Yet it's true. Read about the first MCAS incident, the one that didn't crash. There were 3 pilots in the cockpit, one of whom was deadheading. The airplane did some porpoising while the pilot/copilot would bring the trim back to normal, then the MCAS would turn on, putting it into a dive. Then, the deadheading pilot simply reached forward and turned off the stab trim.

And the day was saved.

I've seen your points many times. They are all congruent with what journalists write about the MAX. Next time you read one of those articles, I recommend you google the author to see what their background is. I have done so, and each time the journalist has no engineering degree, no aeronautical training, no pilot training, no experience with airline operations, and no business experience.

You can also google my experience. I have a degree in mechanical engineering with a minor in aeronautics from Caltech. I worked for Boeing for 3 years on the 757 stabilizer trim design. (It is not identical to the 737 stab trim design, but is close enough for me to understand it.) At one point I knew everything there was to know about the 757 trim system. A couple dozen feet away was the cockpit design group, and we had many very interesting discussions about cockpit user interface design.

I'm not a pilot myself, but other engineers at Boeing were, and they'd take me up flying for fun. Naturally, airplanes were all we talked about. My brother and cousin are pilots, my cousin was a lifer engineer at Boeing, my dad flew for the AF for decades in all kinds of aircraft, with an engineering degree from MIT. I inherited his aviation library of about a thousand books :-/ Naturally, airplanes were a constant topic in our family.

I've talked with two working 737 pilots about the MAX crashes.

I've read the official government documents on the MAX crashes, and the Emergency Airworthiness Directive.

That's what I "hang my hat" on. So go ahead, tell me I don't know what I'm talking about. But before you do, please look up the credentials of the journalists you're getting your information from.

P.S. "Aviation Week" magazine has done some decent reporting.

P.P.S. Amazingly, the "Aviation Disasters" TV documentary is fairly decent in its analysis of various accidents, lacking the histrionics of other treatments. But it's rather shallow, considering it's a 40 minute show.
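The three implementation flaws named a few paragraphs up (single-path input, too much authority, no back-off when the pilot countermands) are a standard fault-detection pattern that is easier to see in code than in prose. The block below is an added toy model written for this page; it is not Boeing's MCAS logic, not anything posted in this thread, and every threshold, unit and sensor reading in it is a constructed assumption.

```python
"""Toy model contrasting a single-path automatic trim function with a
cross-checked one. Added illustration only: thresholds, units and the
sample readings are assumptions, not the real MCAS design."""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

# All constants below are assumed for the illustration.
ACTIVATE_AOA_DEG = 12.0        # AOA above which the function commands nose-down trim
DISAGREE_LIMIT_DEG = 5.5       # max spread tolerated between the two AOA channels
INCREMENT_UNITS = 0.6          # nose-down trim added per activation
AUTHORITY_LIMIT_UNITS = 1.0    # most trim the function may command in one event


@dataclass
class TrimState:
    commanded_total: float = 0.0   # cumulative nose-down trim the function has applied
    inhibited: bool = False        # once set, the function stays off for this event
    log: List[str] = field(default_factory=list)


# A reading is (left_vane_deg, right_vane_deg, pilot_trim_input); pilot_trim_input
# is -1/+1 while the pilot holds the yoke trim switch, 0 otherwise.
Reading = Tuple[float, float, int]
StepFn = Callable[[Reading, TrimState], TrimState]


def single_path_step(reading: Reading, state: TrimState) -> TrimState:
    """One vane feeds the function; no cross-check, no authority cap, no back-off.
    A vane stuck high therefore re-triggers nose-down trim on every step."""
    left, _right, _pilot = reading
    if left > ACTIVATE_AOA_DEG:
        state.commanded_total += INCREMENT_UNITS
        state.log.append("activated")
    else:
        state.log.append("idle")
    return state


def dual_path_step(reading: Reading, state: TrimState) -> TrimState:
    """Both vanes are compared before any command is issued, total authority
    is capped, and pilot trim input latches the function off."""
    left, right, pilot = reading
    if state.inhibited:
        state.log.append("inhibited")
        return state
    if abs(left - right) > DISAGREE_LIMIT_DEG:
        # Channels disagree: the input cannot be trusted, so do nothing and latch off.
        state.inhibited = True
        state.log.append("AOA disagree")
        return state
    if pilot != 0:
        # Pilot countermanded: stop and do not re-arm automatically.
        state.inhibited = True
        state.log.append("pilot override")
        return state
    if (left + right) / 2 > ACTIVATE_AOA_DEG:
        state.commanded_total = min(state.commanded_total + INCREMENT_UNITS,
                                    AUTHORITY_LIMIT_UNITS)
        state.log.append("activated" if state.commanded_total < AUTHORITY_LIMIT_UNITS
                         else "authority limit")
    else:
        state.log.append("idle")
    return state


def run(readings: List[Reading], step: StepFn) -> TrimState:
    state = TrimState()
    for reading in readings:
        state = step(reading, state)
    return state


# Constructed sample inputs (not flight data).
STUCK_VANE = [(20.0, 3.0, 0)] * 10   # left vane stuck high, right vane normal, pilot silent
GENUINE_HIGH_AOA = [(14.0, 13.5, 0), (14.0, 13.5, 0), (14.0, 13.5, -1), (14.0, 13.5, 0)]


def demo_single_path_stuck_vane() -> TrimState:
    return run(STUCK_VANE, single_path_step)


def demo_dual_path_stuck_vane() -> TrimState:
    return run(STUCK_VANE, dual_path_step)


def demo_dual_path_genuine() -> TrimState:
    return run(GENUINE_HIGH_AOA, dual_path_step)


if __name__ == "__main__":
    for name, demo in [("single-path, stuck vane", demo_single_path_stuck_vane),
                       ("dual-path, stuck vane", demo_dual_path_stuck_vane),
                       ("dual-path, genuine high AOA", demo_dual_path_genuine)]:
        s = demo()
        print(f"{name}: total={s.commanded_total:.1f} inhibited={s.inhibited} log={s.log}")
```

With the stuck-vane input the single-path variant keeps adding nose-down trim on every step because nothing in it can tell a stuck sensor from a real high angle of attack; the dual-path variant sees the two channels disagree on the first step and never issues a command. On a genuine high-AOA input the dual-path variant stops at its authority cap and latches off as soon as the pilot trims against it. The point is the pattern, not the numbers: disagreement detection needs a second independent input, and an authority cap plus a pilot-override latch are the engineering controls that bound how much harm a wrong input can do.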


>designing an entirely new airplane would have been:

1. an absolutely enormous cost, like a couple orders of magnitude more

2. several years of delay

3. pilots would have to be completely retrained

Yes, this is the same case I was making. They took a higher (or unknown) risk for business (profit) motives. That's why they deserve a large chunk (but certainly not all) of the blame.

>There was nothing at all inherently wrong with the concept of the MCAS system

My claim isn't that the concept was inherently wrong, it's that the execution was wrong. Their own process documents say so and they also belie the fact that they didn't understand their airframe. The damning part of it is that they were likely wrong for the reason of increasing profit. (Still, even if MCAS isn't inherently bad, we still have to acknowledge it's not the best solution...see the discussion above about hierarchies of controls).

>You claim "it's not hard"...Yet it's true.

This is exactly the wrong way to think about this. Just because a mitigation works some of the time doesn't mean it's the best mitigation. Can I still design a car with a coal-fired steam engine and cat-gut brake lines and drive it safely? Sure. But by modern standards, it's still a sub-par design and the likelihood of safe operation is lower because of it. That likelihood is the entire reason there is a hierarchy of controls. You are advocating against well-established best practices in safety and reliability.

>You can also google my experience. I have a degree in mechanical engineering with a minor in aeronautics from Caltech. I worked for Boeing for 3 years

Please don't do this next time and argue the points rather than appealing to (relatively weak) authority. I'm familiar with your points and can usually set a clock by the time it takes you to either bring up your experience at Boeing or some story about your daddy in these discussions. But you aren't the only one with aerospace experience. I've been an airframe mechanic. I also have an ME and additional engineering degrees to include a PhD and published aerospace-related research. I've worked in NASA for many more years than you worked for Boeing. I filled roles in aerospace, quality/safety, reliability, and software engineering related to both software and hardware design. I've worked alongside Boeing on crew-rated space systems. I've also piloted aircraft (although my ratings are no longer current). I've had dinners and discussed similar issues with pilots and astronauts with thousands and thousands of hours of flight time. But parading out your credentials doesn't make your points any stronger and tends to be the bastion of those without much else to rely upon. This isn't a pissing contest, so please make an argument based on its own merits rather than relying on credentials.


> The damning part of it is that they were likely wrong for the reason of increasing profit.

Are you still advocating designing a whole new airframe instead?

> we still have to acknowledge it's not the best solution

We don't have to agree on that at all. It's an inherently simple solution, although Boeing made mistakes in its implementation.

> Just because a mitigation works some of the time

It's turning off a switch. The purpose of that switch is supposed to be a "memory item", meaning the crew should not need to consult a checklist. The switch is for dealing with runaway stab trim. Reading the step-by-step of the crisis, it is impossible for me to believe that the pilots did not know they had a runaway trim problem. There are two wheels on the side of the console, painted black and white, that spin when the trim runs, making a loud clack-clack sound. They are physically connected to the stab trim jackscrew with a cable. If the trim motor fails, the crew can manually turn the jackscrew via those wheels.

> You are advocating against well-established best practices in safety and reliability

Turning off a system that is adversely working is well-established in aviation. It's quite effective.

> and argue the points rather than appealing to (relatively weak) authority

Appeal to authority is not a fallacy when one has some authority :-) And so it is fair to list what makes one an authority.

> This isn't a pissing contest

You might want to review the condescending and quite rude post you wrote that I replied to. Your reply here is also rather rude. I don't think I've been rude to you.

Thank you for listing your credentials.


>Are you still advocating designing a whole new airframe instead?

That would be the ideal solution for that hazard. But I can’t say if it’s the best risk profile overall. I would settle for a properly implemented engineered mitigation of MCAS.

>It’s an inherently simple solution

The fact that the engineers who built the thing mischaracterized it would seemingly be evidence to the contrary. I have experienced this flawed thinking often, where software is treated as a quick simple solution without considering the effects on the overall system.

>Appeal to authority is not a fallacy when one has some authority

It actually is. As Carl Sagan said, “mistrust arguments from authority.” But regardless, we seem to have different ideas on what makes someone an “authority”. You may be an aerospace authority when you’re in a room of CRUD software developers, but this forum has a much wider net than that. “Technical authority” is an actual assigned title at NASA, and you probably wouldn’t get it with 3 years of experience from decades prior.

“Turning off a switch” is the easy solution when you’re dealing with the benefit of hindsight. The pilots were operating in a completely different environment. That’s why administrative mitigations are not a favored approach. Boeing simulator results demonstrate that it was a confusing scenario to identify the correct root cause in a time-critical situation.

As to the tone of the post, I’ve witnessed you in many aero circumstances state your credentials in a “I know what I’m talking about so that’s the end of it” puffery tone. It in itself comes across as condescending and, worse, adds little to the conversation. I generally try to be respectful on these forums until someone shows they aren’t reciprocating. Normally I just roll my eyes and move on. I’ll give you the benefit of the doubt and assume you don’t even realize the condescending tone some of your posts take. I debated even responding but thought it might make you realize how off-putting your style can be. In your case, it comes across as very arrogant rather than curious which is contrary to the HN guidelines. If it offended you, I apologize.


I admit to being arrogant, perhaps that's an inevitable side effect of being confident. When proven wrong, however, which has happened on HN (!), I try to admit it. I don't like making mistakes.

I'm not offended, as that's to be expected when I write things that are unpopular.

But I still accept your apology, and no worries. Perhaps we can engage again in the future!

P.S. I know about the simulator issues, but the information came filtered through a journalist and I am skeptical. What I cannot reconcile is the first incident where the deadhead pilot simply turned off the switch, compared with the simulator pilot. It didn't matter whether the runaway trim was the root cause. It did matter that runaway trim will kill you and it must be stopped. All three crews knew that, which is why they fought it.

In my work on the stab trim system, it was accepted that the first resort for trim failure was turning the thing off. Overhead in the 757 is a matrix of circuit breakers, the purpose of each is to turn off a malfunctioning system. The stab trim one, being critical, isn't located overhead but right there on the console.

I work with machinery all the time. When it fails, my first reflex is to always turn it off. For example, one day I smelled smoke. Looking around, smoke was coming out of my computer box. I could see fire through the grille. The very first thing I did was yank the plug out of the wall, the second was to take the box outside. The flames went out when the current was removed.

I simply do not understand failing to turn off a runaway trim system. Especially when it kept coming back on after normal trim was restored.

For another example, an engine fire. I don't know what the fire checklist says, but I bet right at the top it says to activate the fire extinguishers and cut off the fuel and electric power to the engine. I've done the same for an engine fire in my car :-)



