I see in a sibling comment that you do not think the MCAS system on the MAX was well designed, and the reliance on a single AoA sensor was not a good decision. I agree.
The aircraft should have never been declared airworthy. There should have been no need for an EAD in the first place. There is no excuse for putting a control system that flies the craft into the ground when there is a failure in a nonredundant sensor on a commercial aircraft.
The high standards required for pilots, like Amelia Earhart, do not obviate the even higher standards for quality and safety from manufacturers.
I suspect that Boeing didn't think it would be a problem because the runaway stab trim procedure is enough to stop it and recover. Who would have thought that trained pilots would not remember this procedure? It's supposed to be a "memory item", meaning consulting the checklist was not required.
The stab trim cutoff switch is in a prominent position on the central console (not overhead or behind the crew).
In the first Lion Air crash, the airplane dipped and recovered (via the thumb switches) 25 times over a period of 11 minutes. They never thought to turn off the stab trim system. It boggles the mind. Would you want to fly with a crew that didn't know what the switches on the console were for? Not me.
Both Boeing and the crew are at fault. Some percentage also for whoever made the faulty sensor and the failure to see that it worked correctly after it was installed.
Do we also blame the drivers of the Toyotas that got stuck accelerators, because any driver should know to take the car out of gear or turn the key to the off position. Right? While the car is accelerating at or near WOT?
I've been in a car when the throttle got stuck open, we crashed, I hit the windshield. It happened in about 5 seconds, and the driver spent most of those giving steering inputs to avoid hitting people and furiously working the brake and kicking the gas pedal. It happened because enough engine mounts were broken or broke because of a hard throttle push.
Also my dad died in a single seat plane crash because the engine died several times in flight, according to a witness interviewed by a local paper; there was no investigation at all so I'll never know what really happened. At least the company that made the plane changed their name!
I do not work in aero or auto, but I have a much higher expectation of training and retention of a commercial airline pilot than I do of a random Toyota driver.
I had a stuck accelerator on an old Ford F-150. The throttle inside the carb got stuck. I was lucky to have the Toyota case in my memory, so I just shifted into neutral.
It was an automatic, which I think is another factor -- the more direct control you remove from the driver, the less intuitive it becomes to compensate for a single system failure. Obviously a standard transmission driver would just hit the clutch.
(And I've had a similar failure on an unfamiliar motorcycle that just came out of storage. Pulling the clutch bail was the instinctive response, after manually untwisting the throttle did not work. I learned my lesson about old vehicles eventually. Trust nothing, verify everything.)
I had the throttle stick on my car once. I immediately turned the ignition off. I was a teenager at the time (and my car was a POS).
The brakes are much stronger than the engine (proof: you can brake in a much shorter distance than you can accelerate).
On my current car, I have inadvertently hit the edge of the gas pedal while I stepped on the brake a couple times, as those pedals are too close together and I have wide feet. My reaction was to instantly move my foot.
A number of those "surging" incidents are suspected of being the driver had their foot on the gas rather than the brake.
Glad to hear you're all right after the crash. I nearly died in a car crash.
Sorry to hear about your dad. It must be very frustrating to not know the cause. I thought all GA accidents were officially investigated.
My car has a pushbutton "ignition switch" and I have not tried pushing it while travelling; however, my Lexus also has floormat retention to stop the floormat from going onto the gas pedal. It wasn't "accidental" - there was a recall. The Toyotas and Lexus affected don't have a floating accelerator pedal, where it hangs from above and there's space underneath. The gas pedal is hinged on the floor, and swings free at the top. So you could shove something forward and it will push the gas pedal down.
If memory serves there was an instance in Southern California where the driver called 911 or some other recorded line (they died); but it may have just been a witness statement I remember.
1. The Maneuvering Characteristics Augmentation System (MCAS) system existed because the plane was unstable at high angles of attack.
2. The 737 MAX was unstable because Boeing wanted to milk the 737 airframe further than it should have been for financial reasons and oversized engines were mounted forward on the wings.
3. Since the plane was unstable in this way, it would pitch up when climbing. MCAS would detect this through the angle of attack (AoA sensors) and automatically engage, forcing the nose down.
4. When the single, nonredundant AoA sensor failed, MCAS would misinterpret this and try to continuously force the nose down in normal operations. Or more plainly, it would fly the plane into the ground for no reason.
5. This happened at least 3 times. In two cases, it caused crashes, killing everyone - almost 350 men, women, and children - aboard.
6. Boeing strenuously blamed the crew in the first crash, and did not ground the planes.
7. Boeing did not ground the 737 MAXes after the second crash, either. The FAA only grounded the aircraft after much of the rest of the world already had.
As you noted previously, MCAS existed to make the 737 MAX fly like prior versions of the plane. Boeing, in fact, lobbied for this outcome so it would not affect certification or require separate pilot training, which would have cost time and money. So while MCAS was documented, pilots were not required to be trained on the system, because of Boeing's efforts.
One cannot put a "don't crash the plane button" on a plane, even if it is well documented. It is particularly disgraceful if the "don't crash the plane" button only exists because the plane's manufacturer added the button to increase their own profits.
I have to admit, you have made me lose my composure here a bit. I thought anyone this knowledgeable about flying would not blame pilot error in the 737 MAX crashes. The plane was grounded for almost 2 years, this was arguably the greatest scandal in the production and regulation of commercial aircraft in history. Boeing paid $20 billion in fines and restitution, and pled guilty to criminal charges.
For the benefit of anyone else curious about this, good starting points are
"hours after the approval for MCAS's redesign was granted, Boeing sought, and the FAA approved, the removal of references to MCAS from Boeing's flight crew operations manual (FCOM)"
"Boeing wanted the FAA to certify the airplane as another version of the long-established 737; this would limit the need for additional training of pilots, a major cost saving for airline customers. During flight tests, however, Boeing discovered that the position and larger size of the engines tended to push up the airplane nose during certain maneuvers. To counter that tendency and ensure fleet commonality with the 737 family, Boeing added MCAS so the MAX would handle similar to earlier 737 versions."
"The MAX was exempted from certain newer safety requirements, saving Boeing billions of dollars in development costs."
All the media reports about the MAX cannot be trusted. All the ones I've seen contained false information.
The first error was the claim that the MAX was "unstable". It just behaved differently due to the engine placement. I see this error all the time. And so on.
The errors in the MCAS design were not to save money. They were just sloppy engineering. There was nothing wrong with the MCAS concept. The proof is MCAS is still there, it just had its flaws corrected.
As for knowledgeable, I've talked with two 737 pilots. One told me it was pilot error and never would have happened to him. The other told me that his pilot buddies agreed with me but were afraid to speak up against the tidal wave of bad press. I also spent 3 years working on the 757 stab trim system, at one point I knew more about it than about anyone else. The 737 system is more primitive, but is easily understandable. (The 757 uses dual hydraulic motors driving a differential gearbox, the 737 has a single electric motor with manual drive for the backup. Both have a console mounted cutoff switch. Both have column thumb switches.)
> Boeing added MCAS so the MAX would handle similar to earlier 737 versions.
Which improves safety. This is never mentioned. (The 757 and 767, very different airplanes, were designed to fly similarly and have the same cockpits. It did save money on training because of that, saved money on production, and improved safety.)
With respect to "unstable", I will quote the findings
"Observation O3.4-B: Extension of MCAS to the low-speed and 1g environment during the flight program was due to unacceptable stall characteristics with STS only. The possibility of a pitch-up tendency during approach to stall was identified for the flaps-up configuration prior to the implementation of MCAS"
Regarding flight crew expectations, this is dry, but I will quote it in its entirety, anyway,
"Recommendation R6.1: The FAA should ensure applicants improve adherence to failsafe design concept principles when designing or modifying systems. The FAA should encourage applicants not to design only for compliance, but also to follow basic principles to design for safety when developing or changing system functions. This should include elimination of hazards and use of design features, warnings, and procedures.
- Observation O6.1-A: Proper flight crew action was considered an adequate mitigation to risks such as erroneous activation of MCAS.
- Finding F6.1-A: The JATR team identified that the design process was not sufficient to identify all the potential MCAS hazards. As part of the single-channel speed trim system, the MCAS function did not include fault tolerant features, such as sensors voting or limits of authority, to limit failure effects consistent with the hazard classification.
- Finding F6.1-B: The use of pilot action as a primary mitigation means for MCAS hazards, before considering eliminating such hazards or providing design features or warnings to mitigate them, is not in accordance with Boeing’s process instructions for safe design in the conception of MCAS for the B737 MAX.
- Finding F6.1-C: The JATR team found that there was a missed opportunity to further improve the system design through the use of available fail-safe design principles and techniques presented in AC 25.1309-1A and in EASA AMC 25.1309 in the MCAS design"
and further, on flight crew expectations
"Finding F6.4-A: When all flight deck effects are considered, the introduction of the MCAS function invalidated aircraft-level assumptions for flight crew responses related to erroneous AOA failures under certain conditions. A complete workload assessment was not performed for validation of the erroneous AOA effects with the added MCAS functionality. The same assumptions for flight crew responses to erroneous AOA were carried over from previous programs without formal validation."
The discussion around AOA DISAGREE conditions is educational regarding MCAS for others who might not be familiar with the technical root cause. But I would specifically encourage you to read the Flight Controls and Flight Deck Interface Assessment and Training Evaluations. They don't avoid the issue of flight crew training and trim system awareness, but they illustrate how workload created by the erroneous MCAS activation was contributing.
As for your pilot conversations, I will make two short points. First, pilots don't always suffer for a lack of self-confidence. Maybe it would have never happened to them, maybe not, and thankfully we will not get to find out. Second, passengers are owed a safe aircraft based on the full range of quality flight crews, with a wide margin for error. I do care if a highly skilled qualified crew would have avoided the accident, I care if the least-skilled qualified crew would have. And 610's captain had 5,176 hours on the 737 and 302's captain had 4,120 hours.
A tendency to nose up is not "instability". Recall that additional pilot training to anticipate and correct for it was the original solution to the characteristic. A pilot unaware of it may react incorrectly.
I have no disagreement with the shortcomings of the MCAS design, but the concept of it was sound.
As for pilot skill, recall there were 3 MCAS incidents. The first one porpoised a couple times, with the pilots recovering each time, and then another crew member in the jump seat turned off the stab trim.
In the second incident, the crew restored trim 25 times and never thought to turn off the trim system, over a period of 11 minutes. This is plenty of time to remember what the runaway trim cutoff switch is for. There's no excuse here.
In the third incident, the crew apparently did not read, understand and remember the Boeing Emergency Airworthiness directive sent to all MAX pilots after the first crash, with a simple 2 step procedure to save the airplane. There's no excuse for that. I just find it baffling that a pilot would not be keenly interested in the only crash of the airplane type he is flying, to ensure he wouldn't crash.
The stab trim switch is a memory item, meaning it is supposed to be memorized by the crew. It's their job to remember it.
As for the two pilots I talked to, one contacted me as a result of these HN discussions. The other I buttonholed at the airport during layover. The latter was quite confident in his flying skills, the former related that he and his colleagues all agreed on the pilot error aspect.
There are pilots in my family, I have friends who are pilots, I worked at Boeing where my colleagues were pilots. None of them had any patience for pilots who could not follow emergency procedures properly. I don't either. A careless pilot has no business in a cockpit.
> In the second incident, the crew restored trim 25 times and never thought to turn off the trim system, over a period of 11 minutes. This is plenty of time to remember what the runaway trim cutoff switch is for. There's no excuse here.
> ...
> The stab trim switch is a memory item, meaning it is supposed to be memorized by the crew. It's their job to remember it.
The runaway trim memory item was written in a way that was inconsistent with how MCAS runaway behaved.
The steps were:
> Firmly hold control column. Disengage autopilot if engaged. Disengage autothrottle if engaged. Use the control column and thrust levers to control airplane pitch attitude and airspeed. Use main electric stabilizer trim to reduce control column forces.
> If the runaway stops after autopilot is disengaged, do not re-engage autopilot or autothrottle; end of procedure.
> If the runaway continues after autopilot is disengaged, place both STAB TRIM cutout switches to CUTOUT.
> If the runaway continues, grasp and hold stabilizer trim wheel.
Historic runaway stab was generally consistent running, not a cycle like MCAS, so following the check list, you turn off the auto pilot, trim stops, you consider you completed the checklist. When it fires off again, it's not completely unreasonable to believe that it's not a runaway trim, as you completed the checklist as instructed.
As for the third incident, the Boeing Emergency Airworthiness directive specifically said that this issue only happened under manual control. The crew kept engaging the autopilot and when it continued to happen on the autopilot, it's not unreasonable for them to believe it wasn't the same issue per the Boeing Emergency Airworthiness directive.
Could they have done better? Sure. Could they have saved the aircraft if they followed a different train of thought? Yes. Was their train of thought unreasonable? According to the investigation, no, it was not. To many many other people who study this stuff, no one that I'm aware of places any blame on the crew and it feels wrong to continue to shit on their skills when from all indications, they did follow procedures as written and it wasn't enough.