by starfox64_ 880 days ago
> 4.2 Safety measures taken by the manufacturer

I would have hoped for Boeing to add a warning system in the case of dual input, like in Airbus aircraft, but it seems they did the bare minimum here. Simple warnings were added to the pilot handbook that basically amount to "don't apply opposite inputs".


It's not so straight-forward.

Mechanically linked dual controls, like those on this aircraft, do give you indication that the other pilot is operating them (i.e. your controls physically move in tandem with their inputs). The problem is that if you both provide exactly opposite inputs at the same time both parties can interpret the physical resistance as jammed controls. An audible warning could be useful, but it could also fail if you're in a critical situation that has triggered other audible alerts (e.g. an audible stall warning). Audible warnings also carry the danger of not being comprehensive - if pilots come to rely on warnings of input conflicts instead of training to use explicit verbal communication, they may mistakenly assume that the absence of a conflicting input warning means there is no conflicting input (which may not be the case if the warning system is not absolutely comprehensive).

Another approach here is to have a mechanism that allows one pilot to lock the controls of the other pilot, coupled with some sort of visual/audible indication as to who is in control. This is sort of a different spin on the 'explicit communication' approach.

It seems a unique haptic feedback given to both pilots' controls would work well here.

How does a fly-by-wire system deal with dual inputs?

Warnings and the possibility to override

This thread is kinda funny because generally aviation threads on HN like to shit on airbus for their sidesticks and tout linked controls as obviously superior.

Rather than saying: "aviation threads on HN" have you considered using the usernames to identify the individuals with negative comments and positive comments and determine whether it's a small number of accounts saying the same thing repeatedly or a large proportion of the users?

Yeah, punting everything on "airlines should just establish procedures" is such a lazy copout.

Funnily they're doing the same thing with the 737 Maxes undergoing certification now (10 and 7), which have a small design defect in that if the engine de-icing is on and you leave it on after takeoff, it will overheat and melt the cowling... silently, without any warning or sensor or indicator. They plan on fixing this in like 2025 and want an exemption to allow them to certify the 7 and 10, same as the 8 and 9 that are already certified and flying with this defect, with the solution of "pilots should just not forget to turn it off".

Generally, yeah. Red tape bad, and anything that reduces a pilot's cognitive load is generally going to be a very good thing. In an emergency, there is a lot for them to process.

But this?

Expecting pilots to communicate to each other about which one of them is flying the aircraft (as opposed to like, just grabbing a yoke and YOLOing it?) does not seem like an overly onerous amount of red tape.

That seems like an absolutely fundamental aspect of flying. It's so fundamental I'm not even sure it would qualify as CRM (crew resource management)

> Expecting pilots to communicate to each other about which one of them is flying the aircraft (as opposed to like, just grabbing a yoke and YOLOing it?) does not seem like an overly onerous amount of red tape.

It already exists, but in an emergency under stress it's an easy thing to forget or even not hear at all (cf. the linked incident and many others).

Yeah, fair.

Sounds like my coworker telling a marketing campaign operator he has yet again let Excel interpret phone numbers as integers. And that he should learn to properly wield Excel. The downstream system is a call center made of humans. They lose a few seconds inputting the phone number manually though. No lead is lost. I don't want to speculate too much, but I think we might be in the clear. The client is not losing too much money. But if he complains once, we'll have to implement more checks to validate the Excel file. Then I'll have to buy my coworker breakfast, so that he doesn't bitch the whole implementation time. Such is life.

> add a warning system in the case of dual input

The trouble is that those warnings should not be necessary.

It is drummed into the skulls of all pilots that there is only ever one person at the controls.

When you are a student pilot with an instructor in the other seat, the "I have control", "You have control" mantra is drummed into you.

When you progress onto professional multi-crew operations, this is further reinforced through operational "Pilot Flying", "Pilot Not Flying" roles introduced during your MCC (Multi Crew Cooperation) training.

Also, from a purely practical perspective Boeing are yoke-based aircraft, not Airbus joysticks. So it should be pretty bloody obvious if dual control is going on.

> it should be pretty bloody obvious if dual control is going on.

Yet we have an example here where it wasn't obvious to a (presumably) fully competent crew who got to the point of missing an approach and declaring an emergency for a flight control anomaly that they couldn't diagnose as being the other human 4 feet away from them also being on the controls.

"Should be" obviously wasn't "is" in this case.

Edit to add: Also from the report:

  The following factors may have contributed to the simultaneous inputs on the controls:
  <snipped 5 other bullets> 
  • the conviction that simultaneous inputs on the controls would be quickly perceived by crews on this type of aeroplane.
> fully competent crew who got to the point of missing an approach and declaring an emergency

I think you need to re-read the PDF. My reading of it is that the missed-approach decision was made by the PF on the basis of the unstabilised approach, and that it is what happened after that decision that is under investigation in this report. Undertaking MAP due to unstable approach is pretty standard stuff that occurs all day, every day.

The report states there were zero force inputs by PM prior to the missed-approach, which correlates with the other note in the report that the PM ghosted the controls in the period following the missed-approach and that is when the apparent reflex action occurred.

My read is that the approach was not unstable (it met stabilized approach criteria at all significant checkpoints) at the moment when the PF (co-pilot) became spatially disoriented and began giving improper control inputs.

This disorientation of the PF was the triggering event, which caused him to call the go-around [prior to stabilized approach criteria being violated], the approach to be terminated, and required the PM (the captain) to make corrective [and conflicting] control inputs. These conflicting inputs were not accompanied by the normal exchange of controls communications.

You are correct that the missed approach procedure was initiated before the controls conflict between humans began (but after the co-pilot's disorientation made him suspect a flight controls problem). I was wrong on that point.

Safety often comes via overwhelming redundancy and back up protections. The human should do X, but if they don't do X, another system will do Y to save the plane, and if that system fails, then another system will do Z...

Single points of failure should be avoided. Like in driving, things should work out if driver A or driver B does the right thing, or if the road is designed right, or if pedestrians are following reasonable rules, you just try to make all those things true, so if any of them are not, it isn't a disaster.

This even has a catchy name: the Swiss cheese model.

https://en.wikipedia.org/wiki/Swiss_cheese_model

> The trouble is that those warnings should not be necessary.

Of course they shouldn't be, but it's a protection against scenarios such as miscommunication, being distracted and forgetting you handed them over, etc.

> mantra is drummed into you.

The real danger to well-trained behavior is emergencies and task-saturation. That's when you're most likely to be distracted, act impulsively, etc.

Literally half of all warnings can be covered by "The humans should have been paying attention and noticed it".

The Air France 447 incident occurred in an Airbus aircraft with these warnings, and it ended in a crash (https://en.wikipedia.org/wiki/Air_France_Flight_447). The airplane in this incident had a flight system that gave tactile and visual feedback that the other pilot was giving inputs. I think it would indeed be better to have an additional auditory warning, but we should not underestimate the fact that pilots can and do make serious mistakes. Since this is the same company, it points to issues in training.
Pretty chilling reading. A disturbingly similar situation occurred in AirAsia Flight 8501 (Airbus A320): https://en.wikipedia.org/wiki/Indonesia_AirAsia_Flight_8501#.... Similar to the AF incident, the autopilot disengaged and the flight control switched to alternate Law. The aircraft began to roll and the first officer over-corrected back and forth while also pitching the nose up and causing the plane to stall. The pilot and the first officer were both providing opposite inputs (nose down and nose up respectively) which cancelled each other out, preventing recovery from the stall condition. The plane crashed into the ocean, killing everyone onboard.

I'm starting to wonder if there's something inherent in the design of the Airbus side-stick that makes this sequence of events (i.e. banking, overcorrecting, climbing) more likely if the aircraft suddenly switches from normal to alternate law.

> I'm starting to wonder if there's something inherent in the design of the Airbus side-stick that makes this sequence of events (i.e. banking, overcorrecting, climbing) more likely if the aircraft suddenly switches from normal to alternate law.

I think it’s less something specific to the Airbus sidestick implementation and more over-reliance on cockpit automation in general. Airbus alternate law flies more like (not exactly like) a non-FBW traditional airplane, and pilots who never train that skill (because they always fly normal law) become overloaded when thrown into that situation unexpectedly.

A primary problem is that your muscle-memory is all wrong. Holding the stick to the side no longer gives a constant-bank turn. You have to re-center the stick when you get to the desired bank angle. Pulling all the way back doesn’t give you a constant near-maximum rate of climb (You can stall the airplane), and need to apply a little less back pressure when you get to the desired pitch. You also need to manually adjust pitch trim for any speed or power changes. So a failure that induces alt law means that you took off in one airplane and are now flying a different airplane.

The event that precipitated alt law is nearly always an emergency or near-emergency on its own. So not only are you flying a different airplane than the one you’re used to, you’re also diagnosing system failures at the same time.

If there’s anything to blame with Airbus’s implementation, I would argue it’s that the normal law is too dissimilar to how airplanes actually fly.

Edited for clarity.

I wasn't aware of this accident, it does look very similar.

Airbus got some flak at the time for the AF 447 accident, both for this side stick issue and for the way the stall system unintuitively stopped when the plane was pointed up (because its speed decreased to a level that was below some threshold that allowed the warnings).

I find it surprising how these UI elements in aviation are so primitive, we should improve them.

If Boeing was a student, they would be the kind that does the bare minimum in every class just so they don't fail.

And if they were an SV startup, they'd be receiving abundant praise for rapidly disrupting their market...

I am not so sure I want an airplane manufacturer to disrupt much of anything, especially if it involves cutting corners…

Well... SpaceX did it with rockets :V

I’m not going to board a rocket anytime soon :)

But not while carrying passengers.

That's not a great comparison though. Commercial airlines are known for safety and reliability, startups are known for being tire fires.

Yeah I get that dunking on Boeing is the cool new thing but realistically the amount of caution they take with things almost certainly dwarfs whatever most of us software gardeners do.

Yeah but most software bugs aren’t life or death.

Indeed; it was intended as a joke about 'move fast and break things' culture but didn't pan out very well.

> if they were an SV startup, they'd be receiving abundant praise for rapidly disrupting their market

If Boeing were developing radical new designs, I’d be with you. I might even be with them. But they’re not. The 737 Max 9 isn’t revolutionary in any capacity; the newness is practically all in the engines.

> And if they were an SV startup, they'd be receiving abundant praise for rapidly disrupting their market...

I don't think that's a valid comparison.

For a startup to disrupt a market, it should have some semblance of a win.

Boeing is doing all this to avoid a major loss.

Fighting to stay afloat is not the same as disrupting a market.

You're right - it was a lazy swipe at 'move fast and break things' culture but it didn't really land (pardon the pun).
They really are building the airplane while it's flying.

This seems to be the core reason why pure capitalism is a failed concept. There must be regulatory oversight to ensure that what is done is MOST RIGHT and not CHEAPEST.

Thinking that "fuck it, we'll risk loss of human life and possibly having to shut down the company" isn't due to capitalism, it's psychopathy and I'm fairly sure that never happened.

Anything that goes wrong is due to dysfunctional management, not greed.

Ford literally did a cost/benefit analysis for fixing the Pinto versus societal costs of injuries and deaths, and went with the cheaper option. They actually put it to paper and sent that to the NHTSA to argue against fuel system regulations.

“Dysfunctional management” is a direct function of managerial incentives, which is generally capitalistic greed (aka “obligation to maximize shareholder value”)

They thought they went with the cheaper option, but in fact they only considered the value of a life as estimated by the NHTSA ($0.2M). In reality, the damages that juries tended to assign for each needless loss of life turned out to be more like $100M.

If Ford had accounted for those punitive costs in their calculation, then the outcome of the cost/benefit calculation would have overwhelmingly favoured a fix. The real business problem was not the empathy-free approach, but poor mathematical modelling.

I think that deciding to go with the cheapest is an empathy-free approach, regardless of whether the maths were off.

> They thought they went with the cheaper option, but in fact they only considered the value of a life as estimated by the NHTSA ($0.2M). In reality, the damages that juries tended to assign for each needless loss of life turned out to be more like $100M.

That was in large part due to the disgust over the report they had penned.

> If Ford had accounted for those punitive costs in their calculation, then the outcome of the cost/benefit calculation

Would still have been a cost/benefit calculation rather than a moral or ethical one, aka capitalistic greed.

Every auto manufacturer does the same thing. The Ford Pinto case was particularly poorly handled. But for any given car design, it's always possible to further improve safety by making it more expensive. A Mercedes-Benz S-Class is far safer than a Nissan Sentra by any objective standard. Should we tighten safety requirements so that every car is as safe as the S-Class, and costs about as much? Where do we draw the line on safety regulations?
If we tightened safety regulations so that every car was as safe as the S-Class then cars as safe as the S-Class would dramatically drop in price, simply by virtue of there being more of them.

As for where you draw the line on safety regulations, the optimum answer is always “considerably past the point that business owners start complaining about excessive regulation”.

Don’t make excuses. Putting psychopaths in the driver's seat is a precipitation of capitalism. Capitalism decides the ultimate KPI, and eventually things shake out this way. We don’t just get to say, yes, there goes another psychopathic executive, and wash our hands of the whole thing. Christ. We all make systems for a living. Look at indirect consequences.

Even psychopaths don't want to end up disgraced or in jail. So maybe it's the lack of punishment we dole out to these kinds of people.

Nowadays companies can seriously suffer by mishandling their "attitudes" over social justice issues, so my gut reaction was that if that's true, how could they get away with a plane falling out of the sky. Still a bigger deal than a dozen people dying in cars with faulty fuel systems, perhaps just because of the optics.

> Even psychopaths don't want to end up disgraced or in jail. So maybe it's the lack of punishment we dole out to these kinds of people.

You're describing effective regulatory oversight. That is a manual control on capitalism, and something capitalism inevitably fights against. Psychopaths exist and look for ways to exploit capitalism, including "fuck it, we'll risk loss of human life and possibly having to shut down the company", which you said isn't due to capitalism. But it is: it's due to the combination of capitalism and human nature, but we can only control the former. The solution is regulatory oversight, as you just pointed out.

Also: realize that psychopaths will absolutely risk shutting down the company if they think they can exit with a personal profit before that happens. CEOs routinely fuck over the longevity of the companies they lead, knowing they won't be around for the fallout. In fact it's hard to find situations where this doesn't happen -- it's almost always private companies or companies where the CEO is completely entrenched.

> Don’t make excuses. Putting psychopaths in the drivers seat is a precipitation of capitalism.

That's a disingenuous take. There are plenty of examples where psycho apparatchiks of anti-capitalist regimes made decisions "for the common good" that resulted in loss of life and even genocide and still they hailed those results as a win.

GP said "System A doesn't work without controls" and you replied "that's disingenuous: System B also doesn't work without controls". Okay? That has nothing to do with it.
And then complain all the way up to the provost when they do fail.

Crazy how many titles there are in academia. What is the distinction between provost/dean/chancellor/president/etc.?

Profit > Safety is the American way.