by WalterBright 2367 days ago
> The problem with this standpoint is that procedural fixes are the least preferable way of managing a hazardous condition.

The way to make things safe is to address ALL points in the zipper that led to the accident. That includes the pilot error aspects.


> The way to make things safe is to address ALL points in the zipper that led to the accident. That includes the pilot error aspects.

So how do you propose training against an unfinished product? Boeing still hasn't given the FAA a completed software package to evaluate. At the time of the 737 MAX crashes there were, what? two? 737 MAX simulators, and none of them emulated MCAS or even the forces required to crank the stabilizer manually.

One Lion Air flight got lucky because they had a third set of eyes that could spend time going through reams of documentation.

To even begin discussing pilot "error" is disingenuous when the pilots weren't informed or trained on new 737 MAX behavior. MCAS activation is not, and was not, a runaway stabilizer situation.

> MCAS activation is not, and was not, a runaway stabilizer situation.

It presented as a runaway stab trim. Repeatedly coming on and driving the nose down is runaway trim. No two ways about it. And the usual, standard, runaway trim procedure would stop it.

> they had a third set of eyes that could spend time going through reams of documentation

From my reading of that incident, nothing of the sort happened. The 3rd pilot simply reached forward and flipped off the cutoff switches. The crew landed safely and went on with their day. Nobody bothered to inform the next crew flying that same airplane.

> It presented as a runaway stab trim. Repeatedly coming on and driving the nose down is runaway trim. No two ways about it.

No, it didn't. From the latest QRH:

Condition: Uncommanded stabilizer trim movement occurs continuously.

Well that's not met as MCAS doesn't run continuously. By design it stops periodically. Put it another way. You're arguing semantics while the 737 MAX remains a smoldering pile of aluminum and hubris.

2.) Control airplane pitch attitude manually with control column and main electric trim as required.

4.) If the runaway stops after the autopilot is disengaged ....

MCAS also stops after the trim switches are hit. So, again MCAS activation is not a runaway trim condition.

> From my reading of that incident, nothing of the sort happened. The 3rd pilot simply reached forward and flipped off the cutoff switches.

Reread the report. The third pilot went back into the cabin to fetch reading material.

> You're arguing semantics

Trying to argue that the trim system erratically coming on and driving the nose down is not "runaway trim" is arguing semantics. Runaway trim is when the trim is doing something dangerous without command from the pilot.

If the cockpit voice recorder reveals them discussing the definition of "runaway trim" and deciding that the instructions Boeing provided didn't apply, I'd be surprised and interested.

> MCAS also stops after the trim switches are hit.

Exactly, the trim switches override the MCAS. That's why you use the trim switches to set it back to normal, then hit the cutoff switches. That's what the Emergency Airworthiness Directive says to do.

> Reread the report.

I haven't read that anywhere. I don't know what report that is. Reference, please.

> Exactly, the trim switches override the MCAS. That's why you use the trim switches to set it back to normal, then hit the cutoff switches.

On the 737 Max there is no way to disable the MCAS without also disabling the electric trim.

Sigh. With the electric trim enabled, the trim switches will override any MCAS commands. This is why, again:

1. trim to normal with the electric trim switches

2. cut off the stabilizer trim

Do it in that order. Doing step 2 before step 1 won't work.

I don’t disagree but there are clear hierarchical criteria on how these hazards should be addressed. The reason behind engineering mitigation being favored is because they make the less reliable procedural mitigations moot (i.e., they improve the overall reliability by removing one of the points of failure, in this case the pilot). Forgoing engineering mitigations in favor of procedural fixes goes against good engineering practice at best and is a cheap, lazy fix at worst.

I can understand if the AD was intended as a short term fix but I would question the rationale if it were considered a long term solution

> I can understand if the AD was intended as a short term fix but I would question the rationale if it were considered a long term solution

It was not, Boeing at the time was working on a solution.

Regardless, however, the pilots MUST know how to deal with runaway trim. This was true before MCAS, and is true after. It was true on the 757 (I spent 3 years working on the design of the 757 stab trim system). The cutoff switches are prominently within easy reach on the center console for very good reason, 40 years before MCAS.

It is not acceptable that pilots were unaware of the cutoff switches. It is unacceptable that MAX pilots did not read, understand, and remember the Airworthiness Directive sent to all MAX crews.

Similarly, airplane engineers work hard to keep the airplane from catching fire. But pilots also MUST learn to properly use the airplane's fire suppression systems. Most of pilot training consists of learning emergency procedures.

It's why airplanes still have pilots, instead of using automation instead.

Boeing still deserves blame for the flawed MCAS implementation. But there were other contributing factors in the crashes that must be dealt with.

> It is not acceptable that pilots were unaware of the cutoff switches. It is unacceptable that MAX pilots did not read, understand, and remember the Airworthiness Directive sent to all MAX crews.

The Ethiopian crew tried the cutout switches and found they couldn't trim the airplane with the hand cranks because Boeing lied. How is that a pilot training issue?

> But there were other contributing factors in the crashes that must be dealt with.

A Boeing employee concern trolling over pilot training is pretty rich considering that Boeing knowingly hid crucial details from pilots.

> The Ethiopian crew tried the cutout switches and found they couldn't trim the airplane with the hand cranks because Boeing lied. How is that a pilot training issue?

The Emergency Airworthiness Directive to all MAX crews says:

"Initially, higher control forces may be needed to overcome any stabilizer nose down trim already applied. Electric stabilizer trim can be used to neutralize control column pitch forces before moving the STAB TRIM CUTOUT switches to CUTOUT. Manual stabilizer trim can be used before and after the STAB TRIM CUTOUT switches are moved to CUTOUT."

https://theaircurrent.com/wp-content/uploads/2018/11/B737-MA...

> A Boeing employee

I left Boeing about 40 years ago.

> Initially, higher control forces may be needed to overcome any stabilizer nose down trim already applied. Electric stabilizer trim can be used to neutralize control column pitch forces before moving the STAB TRIM CUTOUT switches to CUTOUT. Manual stabilizer trim can be used before and after the STAB TRIM CUTOUT switches are moved to CUTOUT.

If the graphs are to be believed neither the electric commands nor hand crank were able to move the stabilizer. Again, how is that a pilot training issue?

I don't know what graph you're looking at. The reports I saw were that the EA pilots did not follow the procedure:

1. trim to normal with the electric trim switches

2. cut off the stabilizer trim

What the EA pilots did was:

1. cut off the stabilizer trim

2. try to use the hand cranks to trim to normal

I don’t think we disagree on any of the above.

> But there were other contributing factors in the crashes that must be dealt with

I don’t necessarily disagree with this either, but it does come across as if we’re being distracted by proximate causes rather than focusing on the root cause. To someone on the outside, it sure seems like there are deeper engineering and cultural problems that deserve a greater priority at this point. Not to belabor the point, but simply issuing a procedural AD doesn’t appear to address the root causes and should just be a stopgap measure.

It wasn't a "procedural" AD, it was an "EMERGENCY" AD. It says so right at the top:

https://theaircurrent.com/wp-content/uploads/2018/11/B737-MA...

Put another way, would you want to board an airplane where the pilot did not take EMERGENCY instructions seriously? I wouldn't.

> distracted

Pretty much 100% of the popular media (and its repeated appearances on HN) has been on the MCAS design shortcomings. Which distract from dealing with the other causes of the accidents.

As I mentioned previously, the AD was issued as a stopgap measure while Boeing worked on an MCAS fix.

I think we're miscommunicating what is meant by "procedural" vs. "engineering" mitigation.

Procedural is meant as an administrative action as opposed to a designed engineering action.

Think of a hazardous system that has software involved with controlling a pressure hazard. A procedural mitigation may be to have an operator monitor system pressure and push a non-software shut-off emergency button if the system overpressurizes. Even though it's an emergency, it's still a procedural mitigation. An engineering mitigation, on the other hand, may have mechanical pressure relief devices in place to mitigate the hazard. Whether or not it's an "emergency" just relates to the severity and time criticality of the hazard, not the mechanism of mitigation.

In safety design the hierarchy of hazard control preference is generally engineering controls, followed by procedural controls, followed by PPE as the least desirable control scheme.

> Which distract from dealing with the other causes of the accidents.

One of the common flaws in mishap investigation is jumping to “solving” proximate causes at the expense of finding the root cause. This is applicable to MCAS as well if that isn’t the root cause (although my hunch is MCAS will be closer to the root issue than pilot actions). As long as people aren’t pointing to the AD as the “fix” I think there’s not a problem with it being an interim measure