
I feel like this is a strong argument for the Airbus alpha protection. And I think Boeing agrees with that given the way the 777 fly by wire system is designed.

There are plenty of people (on this site and on Reddit) who jump on to criticize Airbus for the way it puts the aircraft's computer systems ahead of the pilots and claim that the 737's flight controls are preferable to pilots because the pilots have full control. I don't want to spark any Airbus vs Boeing debate, but I want to point out these accidents seem to discredit that line of thinking.




Before we get excited about computer protections, let’s acknowledge that the MCAS system under debate on the 737 Max is itself a computerized system designed to protect pilots from themselves—in this case, from pitching too high and creating a stall.

In the Lion Air accident, a malfunctioning sensor caused this system to react incorrectly, surprising the pilots.

Let’s also remember that a malfunctioning sensor was a contributing factor in the crash of Air France 447... a problem which was exacerbated by human interface choices in Airbus’s fly by wire system. In particular, stick input is not physically synchronized and conflicting inputs were averaged; neither of which is true on a Boeing aircraft. Even on a 787 the yokes move together.

Human factors matter a lot if the computers hand control back to the humans unexpectedly. That can happen even in fly by wire systems on Airbus.

Edit: fixed 737 reference up top


Unclear why you're trying to conflate the MCAS issue with AF447. Or are even bringing up AF447 at all.

On the Max 8 a bad sensor is causing an automated system to misbehave, and may have resulted in crashes.

On AF447 ice blocking the pitot-static system caused automated systems to go offline (enter Alternative Law), and loss of situational awareness caused the pilots to crash their aircraft under manual control.

If you read the final report[0] you'll see that pilot error and loss of basic airmanship caused the accident. There are always improvements to the airframe to mitigate the human component, but acting like these two are somehow different sides of the same coin is disingenuous.

I'm not actually sure why you brought it up. Comes across as "look they're both just as bad" while ignoring key details about AF447.

[0] https://en.wikipedia.org/wiki/Air_France_Flight_447#Final_re...


> the system rejected the data as invalid and temporarily stopped the stall warnings. However, "this led to a perverse reversal that lasted nearly to the impact: each time Bonin happened to lower the nose, rendering the angle of attack marginally less severe, the stall warning sounded again—a negative reinforcement that may have locked him into his pattern of pitching up", which increased the angle of attack and thus prevented the aircraft from getting out of its stall

From your link. In my mind that is the critical piece. The pilot did the right thing, pushed the nose down, heard the stall warning again, and did the wrong thing, pulled the nose up, because that made the stall warning go away. Having been in a plane upside down at night pointed toward the ground I can imagine the stress on the crew. It’s easy to say dump the nose when the stall warning goes off, but what if they had been upside down, then he would have been doing the right thing by listening to the warning. The fact the stall warning cut off was the final critical link in the accident, not pilot error.


AF 447 and Lion Air 610 are related in a way that does not have anything to do with Airbus vs. Boeing. In both cases, the crew experienced a situation that differed in some way from those they had explicitly trained or been prepared for (in the first case, because it was considered implausible, and in the second, because Boeing had not told pilots about it.) Nevertheless, in both cases, it is somewhat surprising that they were unable to recover from it (the Southwest pilots' union was upset at Boeing for not disclosing MCAS, but the American pilots' union did not think it was a big deal, and neither group seemed to think an MCAS failure would present a serious problem for a prepared pilot.)

After Boeing has made MCAS triply-redundant (or whatever else they have to do to get these airplanes flying again), questions will remain about why nominally well-trained people sometimes perform disastrously below expectations when faced with something unusual, and what can be done about it. Is it possible, for example, that highly-prescribed training adversely affects flexibility and resilience in problem-solving?


This is exactly the type of crowd I was referring to earlier. There seems to be a tendency on this site, and on Reddit, for people to accuse Airbus of having an inferior philosophy when it comes to the sidestick not having any feedback. And while some of those criticisms can be fair, there is a tendency to bring this argument into any discussion about the differences in cockpit design philosophy between Boeing and Airbus. They always bring up AF447 and attribute that accident to the Airbus FBW system. Even with the Sully landing, questions were raised about how the aircraft limited Sully's ability to control the aircraft, completely missing the fact that on dual engine failure, the FBW system degrades to alternate law.

The fact that Boeing themselves chose to implement flight envelope protections and FBW systems on their newer planes shows that the industry in general is in favour of them; pretty much the only difference now is that the Boeing yoke provides feedback.


I don't think Airbus has an inferior philosophy compared to Boeing, but I'm sure Airbus has a different philosophy from Boeing, and each philosophy comes with its own set of tradeoffs. And neither is a panacea. For me, that's the lesson of AF447.

Adding Airbus envelope protection to the 737 Max 8 would not have prevented the Lion Air crash because the root problem was bad sensor data. Sending bad sensor data into a flight computer will give you bad output, even in a FBW system.

Conversely, if the AOA sensors had been operating correctly, or triply redundant to mitigate failure, then MCAS would have worked correctly and safely, even without Airbus-style "normal law" FBW.

How to safely integrate imperfect automation with human control is a major developing issue, and not just in aviation. The same concerns are coming to light in cars and trucks with features like smart cruise control, lane-keeping assist, highway "autopilot," etc.

On the surface it seems like greater and better automation will make everything safer, and maybe it does in the aggregate, by covering a lot of low hanging fruit. Antilock braking and traction control certainly fit into this category in cars.

But as automation gets smarter, it means that the situations where humans are required to take over from the automation will become less frequent and more unusual. So systems need to be designed to not only protect humans with automation, but also to alert and orient humans as quickly and accurately as possible when they need to step in and take over. This is why I happen to think that physically synchronizing stick/yoke movement is a good idea; it's one less thing to have to talk about in an emergency.

I don't blame Airbus FBW for the AF447 crash, but I don't blame the pilots either. I think it was the complex interaction of the two that caused the crash. That's a very complex problem to solve, and it's one that we will have to keep addressing until automation is so good that it never hands off to a human for any reason.


Did you read the comment I’m replying to?

The common element between Lion Air and Air France crashes is bad sensor data: AOA and airspeed, respectively. A computerized system, no matter how sophisticated, cannot protect pilots from themselves in the absence of accurate sensor data.


> The common element between Lion Air and Air France crashes is bad sensor data

Agreed but the context is completely different. The Airbus flight computers rely on data from three sensors and thus are triply redundant. AF447 happened in severe icing conditions with water ingressing into the pitot tubes on the ground. All three pitot tubes froze, causing all three sensors to report bad data. The aircraft identified the discrepancy and degraded from normal law to alternate law as expected so it would not make any decisions based on the faulty data. The crash ultimately was caused by the pilots being disoriented because of the very low visibility. The sidestick issue is a different discussion, but it's not related to the 737 MAX accidents.

The MCAS system on the other hand is not triply redundant, and that's what people have issue with. Boeing itself has more redundant envelope protections on the newer models like the 777 and 787.


Although it is perfectly possible to fly an aircraft with the loss of certain instruments. And even if the plane is in a stall, there are established procedures for getting out of it that don't involve flying the plane into the ground. But the computer would need to be prepared to disregard some data in favour of other data.


For those of us non-experts, I am glad that it was brought up because that accident immediately came to mind for me as well, and I was curious about the differences between them. Thank you for the comparison!


No, the MCAS is fundamentally different from the envelope protection on the Airbus aircraft, and AFAIK the protections on the 777. The Airbus aircraft sensors have triple redundancy, and if even one of the sensors disagrees with the others, the FBW system degrades from Normal law to Direct law.

In the case of Air France 447, all three pitot tubes malfunctioned due to icing conditions well outside the expected range required for type certification for that aircraft. The aircraft also did degrade down from normal law as was expected.

Admittedly, the sidesticks on the Airbus do not provide feedback but both pilots ignored the aural "dual input" warning, as well as the warning indication on the panel.


Oops, did you mean 737?


Thanks!


Just another case of humans being unable to accept the fact that computers are better than them.



