If the updated MCAS software needs two AOA sensors, doesn't that introduce a new single point of failure? The 2019 Stack Overflow Developer Survey Results Are InHow many AOA sensors does the 737 MAX have?How is device control software checked for quality?
The difference between dialogue marks
Falsification in Math vs Science
Deal with toxic manager when you can't quit
For what reasons would an animal species NOT cross a *horizontal* land bridge?
Can a flute soloist sit?
Can an undergraduate be advised by a professor who is very far away?
How to deal with speedster characters?
Are there any other methods to apply to solving simultaneous equations?
Mathematics of imaging the black hole
What is the grammatical structure of "Il est de formation classique"?
Command for nulifying spaces
Right tool to dig six foot holes?
Can we generate random numbers using irrational numbers like π and e?
Keeping a retro style to sci-fi spaceships?
What do I do when my TA workload is more than expected?
Why doesn't shell automatically fix "useless use of cat"?
How to type a long/em dash `—`
Using xargs with pdftk
"consumers choosing to rely" vs. "consumers to choose to rely"
Why is ParallelDo slower than Do?
Why is the Constellation's nose gear so long?
Dropping list elements from nested list after evaluation
How can I define good in a religion that claims no moral authority?
Vorinclex, does my opponents land untap if they were tapped before i summoned him?
If the updated MCAS software needs two AOA sensors, doesn't that introduce a new single point of failure?
The 2019 Stack Overflow Developer Survey Results Are InHow many AOA sensors does the 737 MAX have?How is device control software checked for quality?
$begingroup$
Regarding the 737 MAX story, the New York Times writes:
"Boeing’s software update would require the system to rely on two
sensors, rather than just one, and would not be triggered if the
sensors disagreed by a certain amount, according to the three people.
Given that the 737 Max has had both sensors already, many pilots and
safety officials have questioned why the system was designed to rely
on a single sensor, creating, in effect, one point of failure [emphasis mine]"
Now I understand that this avoids a False Positive, when one erroneous sensor triggers the MCAS.
But, considering the opposite situation, doesn't this update introduce a new single point of failure, a False Negative, when a stall should be counteracted with MCAS but it isn't, because only one sensor detects it?
(Or if not, what am I missing here? Is it that a faulty sensor fails in a certain way and will not read normal AOA erroneously?)
boeing-737 mcas
asked Mar 30 at 10:01
Daniel SparingDaniel Sparing
1856
$endgroup$
add a comment |
$begingroup$
Regarding the 737 MAX story, the New York Times writes:
"Boeing’s software update would require the system to rely on two
sensors, rather than just one, and would not be triggered if the
sensors disagreed by a certain amount, according to the three people.
Given that the 737 Max has had both sensors already, many pilots and
safety officials have questioned why the system was designed to rely
on a single sensor, creating, in effect, one point of failure [emphasis mine]"
Now I understand that this avoids a False Positive, when one erroneous sensor triggers the MCAS.
But, considering the opposite situation, doesn't this update introduce a new single point of failure, a False Negative, when a stall should be counteracted with MCAS but it isn't, because only one sensor detects it?
(Or if not, what am I missing here? Is it that a faulty sensor fails in a certain way and will not read normal AOA erroneously?)
boeing-737 mcas
asked Mar 30 at 10:01
Daniel SparingDaniel Sparing
1856
$endgroup$
add a comment |
$begingroup$
Regarding the 737 MAX story, the New York Times writes:
"Boeing’s software update would require the system to rely on two
sensors, rather than just one, and would not be triggered if the
sensors disagreed by a certain amount, according to the three people.
Given that the 737 Max has had both sensors already, many pilots and
safety officials have questioned why the system was designed to rely
on a single sensor, creating, in effect, one point of failure [emphasis mine]"
Now I understand that this avoids a False Positive, when one erroneous sensor triggers the MCAS.
But, considering the opposite situation, doesn't this update introduce a new single point of failure, a False Negative, when a stall should be counteracted with MCAS but it isn't, because only one sensor detects it?
(Or if not, what am I missing here? Is it that a faulty sensor fails in a certain way and will not read normal AOA erroneously?)
boeing-737 mcas
asked Mar 30 at 10:01
Daniel SparingDaniel Sparing
1856
$endgroup$
Regarding the 737 MAX story, the New York Times writes:
"Boeing’s software update would require the system to rely on two
sensors, rather than just one, and would not be triggered if the
sensors disagreed by a certain amount, according to the three people.
Given that the 737 Max has had both sensors already, many pilots and
safety officials have questioned why the system was designed to rely
on a single sensor, creating, in effect, one point of failure [emphasis mine]"
Now I understand that this avoids a False Positive, when one erroneous sensor triggers the MCAS.
But, considering the opposite situation, doesn't this update introduce a new single point of failure, a False Negative, when a stall should be counteracted with MCAS but it isn't, because only one sensor detects it?
(Or if not, what am I missing here? Is it that a faulty sensor fails in a certain way and will not read normal AOA erroneously?)
boeing-737 mcas
boeing-737 mcas
asked Mar 30 at 10:01
Daniel SparingDaniel Sparing
1856
asked Mar 30 at 10:01
Daniel SparingDaniel Sparing
1856
asked Mar 30 at 10:01
Daniel SparingDaniel Sparing
1856
asked Mar 30 at 10:01
Daniel SparingDaniel Sparing
1856
asked Mar 30 at 10:01
Daniel SparingDaniel Sparing
1856
1856
add a comment |
add a comment |
4 Answers
4
active
oldest
votes
$begingroup$
Noting that the details of the MCAS update are yet to be publicly confirmed by Boeing - no I don't believe you are missing anything.
MCAS was meant to be a system that only kicked in when the pilots were letting the situation get out of hand. It was to aid in stall prevention, but does not do anything the pilots can't (as long as their situational awareness would allow). In a million flights MCAS would not be used once unless there were other serious difficulties at play.
In such a system it is much better to have a false negative than a false positive. A false negative means that the aircraft doesn't change anything, and continues to follow the pilot commands. A false positive means... well, it looks like there are 2 crashes that demonstrate what happens.
answered Mar 30 at 12:24
BenBen
9,34332753
$endgroup$
5
$begingroup$
Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
$endgroup$
– supercat
Mar 30 at 15:42
add a comment |
$begingroup$
Every automated system has a possibility of a false positive and a possibility of a false negative. In the system design you have to consider
( Probability of a false positive * consequence of false positive ) versus (probability of a false negative * consequence of false negative).
A team of engineers at Boeing certainly looked at the tradeoff above in the initial design. The probability of AoA sensor failure was most likely based on failure rates from historical aircraft such as original 737. The consequence of each failure was presumably a little harder to estimate, because no such MCAS system existed on previous aircraft, but they somehow they came up with an estimate of what would happen in each case. Based on that, they believed they had the right tradeoff.
Now, new information has come to light. Specifically, "consequence of false positive" is an absolutely unacceptable situation (two fatal crashes). Therefore the system needs to be redesigned. A increased probability of false negative may be acceptable, if it can significantly reduce the probability of false positive. Both errors are still possible, and both consequences still exist, but the tradeoff is shifted to favor one versus the other.
answered Mar 31 at 10:57
Daniel KiracofeDaniel Kiracofe
3,542623
$endgroup$
$begingroup$
A positive should not activate an uncommanded downtrim to the extent that the aircraft is unflyable, although whether or not it automatically activates could be discussed. Lack of override training was fatal. The MCAS itself wasn't, but could be improved.
$endgroup$
– Robert DiGiovanni
Mar 31 at 12:52
1
$begingroup$
@RobertDiGiovanni MCAS failure looks exactly like runaway trim, which B737 crews have supposedly been trained to handle for decades. Indeed, many MAX pilots in the US have reported handling it fine, so Boeing's decision seemed sound. However, they didn't account for foreign pilots not being as well trained nor how often the system would fail.
$endgroup$
– StephenS
Mar 31 at 18:32
$begingroup$
So more needs to be done. Good idea, bad execution. Yes, better training. And more input from the pilots. It could be better. If the 737 is at the end of its design life, this (and the placement of the oversized engines) may have been one step too far, but continued research and development of MCAS may help save more lives in the future.
$endgroup$
– Robert DiGiovanni
Mar 31 at 18:57
$begingroup$
@StephenS MCAS failure does not look like runaway trim. Runaway trim would be a constant movement in one direction or the other. The MCAS did not do this. It would trim nose down, but the pilot trim input would stop it and trim it back where they wanted it. Then there would be a few seconds before it activated again. Without knowledge of MCAS that behavior would be very confusing to the pilot.
$endgroup$
– TomMcW
Mar 31 at 21:35
1
$begingroup$
@DanielSparing, A single point of failure is not necessarily a dealbreaker in design if the overall system remains acceptable, and conversely a triply redundant system may not be any safer than a single one if not designed properly (look up Sioux City crash). Again, all comes back to weighing probabilities times consequences. Reducing single points of failure is certainly good, but sometimes there is no better alternative
$endgroup$
– Daniel Kiracofe
Apr 2 at 1:10
|
show 1 more comment
$begingroup$
Having two of the same type of sensor may not improve things as icing conditions could easily cause disagreement just when it was needed the most. A second system, such comparison of airspeed, pitch to the horizon, power setting, and vertical velocity (In addition to what the pilots are doing) may be much more useful.
Grossly changing the horizontal stabilizer pitch in an uncommanded manner only worsens the situation when the pilot needs to be in control. Breaking a stall is done by releasing the elevator. A properly designed air craft will almost immediately unstall, especially if it is caught early. Strict adherence to aft CG limits greatly improves safety as well.
A more pilot friendly MCAS may work as follows. Design the elevator such that, in conjunction with the horizontal stabilizer, it does not have enough pitch authority to stall the plane under normal flying conditions. An aircraft of this type, with a properly set CG, at full aft elevator, will lose airspeed, start to sink, and "mush" forward with the nose dropping.
Have amber and red stall warning lights.
If a stall warning occurs (real or not), pilot and computer check second system data.
If stall is real, pilot activates MCAS. (toggle switch)
The MCAS would ONLY increase the elevator throw rate and travel. Much like dual rates in
R/C planes, this would hugely increase pitch authority, but would always be under the control
of the pilot. Once stable flight is restored, the pilot turns off the MCAS.
Best luck to Boeing getting this fixed.
answered Mar 30 at 22:54
Robert DiGiovanniRobert DiGiovanni
2,8281316
$endgroup$
$begingroup$
The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
$endgroup$
– StephenS
Mar 31 at 18:35
$begingroup$
That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
$endgroup$
– Robert DiGiovanni
Mar 31 at 19:02
$begingroup$
@StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
$endgroup$
– TomMcW
Mar 31 at 21:42
$begingroup$
So, do they need to make the Hstab stronger? Another tidbit, when McDonnell Douglas merged, the MD90 and 737 filled similar roles. The MD80/90/95 lived on as the 717 before production ended. Their engines were rear mounted. A development was a flaps system mounted near the engines to assist pitch down in stalls. Could this be a precursor to a vectored thrust solution?
$endgroup$
– Robert DiGiovanni
Mar 31 at 22:58
1
$begingroup$
This does not seem to answer the actual question but seems like more of a general essay on how you feel the MCAS system should be designed.
$endgroup$
– Sanchises
Apr 3 at 10:03
|
show 1 more comment
$begingroup$
The new system will not be a single point of failure.
Normally, the AOA sensors should not disagree. But then again, normally pilots should not be flying the aircraft near stall margins.
However, if the sensors do disagree -- it will tell the pilots with a cockpit indication: effectively "MCAS will not rescue you today, watch your trim". It should also automatically log a report of the failure to the maintenance staff. This then becomes a maintenance item that must be fixed soon.
You're right that either sensor failing will cause this, and you're right, that is a single point of failure of the MCAS system; but this would still require an unbroken string of pilot mistakes to cause a crash, and that string of mistakes isn't happening today on the thousands of 737 classic and NGs without any MCAS at all.
answered Apr 3 at 6:24
HarperHarper
4,744926
$endgroup$
add a comment |
Your Answer
StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "528"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faviation.stackexchange.com%2fquestions%2f61796%2fif-the-updated-mcas-software-needs-two-aoa-sensors-doesnt-that-introduce-a-new%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
4 Answers
4
active
oldest
votes
4 Answers
4
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
Noting that the details of the MCAS update are yet to be publicly confirmed by Boeing - no I don't believe you are missing anything.
MCAS was meant to be a system that only kicked in when the pilots were letting the situation get out of hand. It was to aid in stall prevention, but does not do anything the pilots can't (as long as their situational awareness would allow). In a million flights MCAS would not be used once unless there were other serious difficulties at play.
In such a system it is much better to have a false negative than a false positive. A false negative means that the aircraft doesn't change anything, and continues to follow the pilot commands. A false positive means... well, it looks like there are 2 crashes that demonstrate what happens.
answered Mar 30 at 12:24
BenBen
9,34332753
$endgroup$
5
$begingroup$
Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
$endgroup$
– supercat
Mar 30 at 15:42
add a comment |
$begingroup$
Noting that the details of the MCAS update are yet to be publicly confirmed by Boeing - no I don't believe you are missing anything.
MCAS was meant to be a system that only kicked in when the pilots were letting the situation get out of hand. It was to aid in stall prevention, but does not do anything the pilots can't (as long as their situational awareness would allow). In a million flights MCAS would not be used once unless there were other serious difficulties at play.
In such a system it is much better to have a false negative than a false positive. A false negative means that the aircraft doesn't change anything, and continues to follow the pilot commands. A false positive means... well, it looks like there are 2 crashes that demonstrate what happens.
answered Mar 30 at 12:24
BenBen
9,34332753
$endgroup$
5
$begingroup$
Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
$endgroup$
– supercat
Mar 30 at 15:42
add a comment |
$begingroup$
Noting that the details of the MCAS update are yet to be publicly confirmed by Boeing - no I don't believe you are missing anything.
MCAS was meant to be a system that only kicked in when the pilots were letting the situation get out of hand. It was to aid in stall prevention, but does not do anything the pilots can't (as long as their situational awareness would allow). In a million flights MCAS would not be used once unless there were other serious difficulties at play.
In such a system it is much better to have a false negative than a false positive. A false negative means that the aircraft doesn't change anything, and continues to follow the pilot commands. A false positive means... well, it looks like there are 2 crashes that demonstrate what happens.
answered Mar 30 at 12:24
BenBen
9,34332753
$endgroup$
Noting that the details of the MCAS update are yet to be publicly confirmed by Boeing - no I don't believe you are missing anything.
MCAS was meant to be a system that only kicked in when the pilots were letting the situation get out of hand. It was to aid in stall prevention, but does not do anything the pilots can't (as long as their situational awareness would allow). In a million flights MCAS would not be used once unless there were other serious difficulties at play.
In such a system it is much better to have a false negative than a false positive. A false negative means that the aircraft doesn't change anything, and continues to follow the pilot commands. A false positive means... well, it looks like there are 2 crashes that demonstrate what happens.
answered Mar 30 at 12:24
BenBen
9,34332753
answered Mar 30 at 12:24
BenBen
9,34332753
answered Mar 30 at 12:24
BenBen
9,34332753
answered Mar 30 at 12:24
BenBen
9,34332753
9,34332753
5
$begingroup$
Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
$endgroup$
– supercat
Mar 30 at 15:42
add a comment |
5
$begingroup$
Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
$endgroup$
– supercat
Mar 30 at 15:42
5
5
$begingroup$
Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
$endgroup$
– supercat
Mar 30 at 15:42
$begingroup$
Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
$endgroup$
– supercat
Mar 30 at 15:42
add a comment |
$begingroup$
Every automated system has a possibility of a false positive and a possibility of a false negative. In the system design you have to consider
( Probability of a false positive * consequence of false positive ) versus (probability of a false negative * consequence of false negative).
A team of engineers at Boeing certainly looked at the tradeoff above in the initial design. The probability of AoA sensor failure was most likely based on failure rates from historical aircraft such as original 737. The consequence of each failure was presumably a little harder to estimate, because no such MCAS system existed on previous aircraft, but they somehow they came up with an estimate of what would happen in each case. Based on that, they believed they had the right tradeoff.
Now, new information has come to light. Specifically, "consequence of false positive" is an absolutely unacceptable situation (two fatal crashes). Therefore the system needs to be redesigned. A increased probability of false negative may be acceptable, if it can significantly reduce the probability of false positive. Both errors are still possible, and both consequences still exist, but the tradeoff is shifted to favor one versus the other.
answered Mar 31 at 10:57
Daniel KiracofeDaniel Kiracofe
3,542623
$endgroup$
$begingroup$
A positive should not activate an uncommanded downtrim to the extent that the aircraft is unflyable, although whether or not it automatically activates could be discussed. Lack of override training was fatal. The MCAS itself wasn't, but could be improved.
$endgroup$
– Robert DiGiovanni
Mar 31 at 12:52
1
$begingroup$
@RobertDiGiovanni MCAS failure looks exactly like runaway trim, which B737 crews have supposedly been trained to handle for decades. Indeed, many MAX pilots in the US have reported handling it fine, so Boeing's decision seemed sound. However, they didn't account for foreign pilots not being as well trained nor how often the system would fail.
$endgroup$
– StephenS
Mar 31 at 18:32
$begingroup$
So more needs to be done. Good idea, bad execution. Yes, better training. And more input from the pilots. It could be better. If the 737 is at the end of its design life, this (and the placement of the oversized engines) may have been one step too far, but continued research and development of MCAS may help save more lives in the future.
$endgroup$
– Robert DiGiovanni
Mar 31 at 18:57
$begingroup$
@StephenS MCAS failure does not look like runaway trim. Runaway trim would be a constant movement in one direction or the other. The MCAS did not do this. It would trim nose down, but the pilot trim input would stop it and trim it back where they wanted it. Then there would be a few seconds before it activated again. Without knowledge of MCAS that behavior would be very confusing to the pilot.
$endgroup$
– TomMcW
Mar 31 at 21:35
1
$begingroup$
@DanielSparing, A single point of failure is not necessarily a dealbreaker in design if the overall system remains acceptable, and conversely a triply redundant system may not be any safer than a single one if not designed properly (look up Sioux City crash). Again, all comes back to weighing probabilities times consequences. Reducing single points of failure is certainly good, but sometimes there is no better alternative
$endgroup$
– Daniel Kiracofe
Apr 2 at 1:10
|
show 1 more comment
$begingroup$
Every automated system has a possibility of a false positive and a possibility of a false negative. In the system design you have to consider
( Probability of a false positive * consequence of false positive ) versus (probability of a false negative * consequence of false negative).
A team of engineers at Boeing certainly looked at the tradeoff above in the initial design. The probability of AoA sensor failure was most likely based on failure rates from historical aircraft such as original 737. The consequence of each failure was presumably a little harder to estimate, because no such MCAS system existed on previous aircraft, but they somehow they came up with an estimate of what would happen in each case. Based on that, they believed they had the right tradeoff.
Now, new information has come to light. Specifically, "consequence of false positive" is an absolutely unacceptable situation (two fatal crashes). Therefore the system needs to be redesigned. A increased probability of false negative may be acceptable, if it can significantly reduce the probability of false positive. Both errors are still possible, and both consequences still exist, but the tradeoff is shifted to favor one versus the other.
answered Mar 31 at 10:57
Daniel KiracofeDaniel Kiracofe
3,542623
$endgroup$
$begingroup$
A positive should not activate an uncommanded downtrim to the extent that the aircraft is unflyable, although whether or not it automatically activates could be discussed. Lack of override training was fatal. The MCAS itself wasn't, but could be improved.
$endgroup$
– Robert DiGiovanni
Mar 31 at 12:52
1
$begingroup$
@RobertDiGiovanni MCAS failure looks exactly like runaway trim, which B737 crews have supposedly been trained to handle for decades. Indeed, many MAX pilots in the US have reported handling it fine, so Boeing's decision seemed sound. However, they didn't account for foreign pilots not being as well trained nor how often the system would fail.
$endgroup$
– StephenS
Mar 31 at 18:32
$begingroup$
So more needs to be done. Good idea, bad execution. Yes, better training. And more input from the pilots. It could be better. If the 737 is at the end of its design life, this (and the placement of the oversized engines) may have been one step too far, but continued research and development of MCAS may help save more lives in the future.
$endgroup$
– Robert DiGiovanni
Mar 31 at 18:57
$begingroup$
@StephenS MCAS failure does not look like runaway trim. Runaway trim would be a constant movement in one direction or the other. The MCAS did not do this. It would trim nose down, but the pilot trim input would stop it and trim it back where they wanted it. Then there would be a few seconds before it activated again. Without knowledge of MCAS that behavior would be very confusing to the pilot.
$endgroup$
– TomMcW
Mar 31 at 21:35
1
$begingroup$
@DanielSparing, A single point of failure is not necessarily a dealbreaker in design if the overall system remains acceptable, and conversely a triply redundant system may not be any safer than a single one if not designed properly (look up Sioux City crash). Again, all comes back to weighing probabilities times consequences. Reducing single points of failure is certainly good, but sometimes there is no better alternative
$endgroup$
– Daniel Kiracofe
Apr 2 at 1:10
|
show 1 more comment
$begingroup$
Every automated system has a possibility of a false positive and a possibility of a false negative. In the system design you have to consider
( Probability of a false positive * consequence of false positive ) versus (probability of a false negative * consequence of false negative).
A team of engineers at Boeing certainly looked at the tradeoff above in the initial design. The probability of AoA sensor failure was most likely based on failure rates from historical aircraft such as original 737. The consequence of each failure was presumably a little harder to estimate, because no such MCAS system existed on previous aircraft, but they somehow they came up with an estimate of what would happen in each case. Based on that, they believed they had the right tradeoff.
Now, new information has come to light. Specifically, "consequence of false positive" is an absolutely unacceptable situation (two fatal crashes). Therefore the system needs to be redesigned. A increased probability of false negative may be acceptable, if it can significantly reduce the probability of false positive. Both errors are still possible, and both consequences still exist, but the tradeoff is shifted to favor one versus the other.
answered Mar 31 at 10:57
Daniel KiracofeDaniel Kiracofe
3,542623
$endgroup$
Every automated system has a possibility of a false positive and a possibility of a false negative. In the system design you have to consider
( Probability of a false positive * consequence of false positive ) versus (probability of a false negative * consequence of false negative).
A team of engineers at Boeing certainly looked at the tradeoff above in the initial design. The probability of AoA sensor failure was most likely based on failure rates from historical aircraft such as original 737. The consequence of each failure was presumably a little harder to estimate, because no such MCAS system existed on previous aircraft, but they somehow they came up with an estimate of what would happen in each case. Based on that, they believed they had the right tradeoff.
Now, new information has come to light. Specifically, "consequence of false positive" is an absolutely unacceptable situation (two fatal crashes). Therefore the system needs to be redesigned. A increased probability of false negative may be acceptable, if it can significantly reduce the probability of false positive. Both errors are still possible, and both consequences still exist, but the tradeoff is shifted to favor one versus the other.
answered Mar 31 at 10:57
Daniel KiracofeDaniel Kiracofe
3,542623
answered Mar 31 at 10:57
Daniel KiracofeDaniel Kiracofe
3,542623
answered Mar 31 at 10:57
Daniel KiracofeDaniel Kiracofe
3,542623
answered Mar 31 at 10:57
Daniel KiracofeDaniel Kiracofe
3,542623
3,542623
$begingroup$
A positive should not activate an uncommanded downtrim to the extent that the aircraft is unflyable, although whether or not it automatically activates could be discussed. Lack of override training was fatal. The MCAS itself wasn't, but could be improved.
$endgroup$
– Robert DiGiovanni
Mar 31 at 12:52
1
$begingroup$
@RobertDiGiovanni MCAS failure looks exactly like runaway trim, which B737 crews have supposedly been trained to handle for decades. Indeed, many MAX pilots in the US have reported handling it fine, so Boeing's decision seemed sound. However, they didn't account for foreign pilots not being as well trained nor how often the system would fail.
$endgroup$
– StephenS
Mar 31 at 18:32
$begingroup$
So more needs to be done. Good idea, bad execution. Yes, better training. And more input from the pilots. It could be better. If the 737 is at the end of its design life, this (and the placement of the oversized engines) may have been one step too far, but continued research and development of MCAS may help save more lives in the future.
$endgroup$
– Robert DiGiovanni
Mar 31 at 18:57
$begingroup$
@StephenS MCAS failure does not look like runaway trim. Runaway trim would be a constant movement in one direction or the other. The MCAS did not do this. It would trim nose down, but the pilot trim input would stop it and trim it back where they wanted it. Then there would be a few seconds before it activated again. Without knowledge of MCAS that behavior would be very confusing to the pilot.
$endgroup$
– TomMcW
Mar 31 at 21:35
1
$begingroup$
@DanielSparing, A single point of failure is not necessarily a dealbreaker in design if the overall system remains acceptable, and conversely a triply redundant system may not be any safer than a single one if not designed properly (look up Sioux City crash). Again, all comes back to weighing probabilities times consequences. Reducing single points of failure is certainly good, but sometimes there is no better alternative
$endgroup$
– Daniel Kiracofe
Apr 2 at 1:10
|
show 1 more comment
$begingroup$
A positive should not activate an uncommanded downtrim to the extent that the aircraft is unflyable, although whether or not it automatically activates could be discussed. Lack of override training was fatal. The MCAS itself wasn't, but could be improved.
$endgroup$
– Robert DiGiovanni
Mar 31 at 12:52
1
$begingroup$
@RobertDiGiovanni MCAS failure looks exactly like runaway trim, which B737 crews have supposedly been trained to handle for decades. Indeed, many MAX pilots in the US have reported handling it fine, so Boeing's decision seemed sound. However, they didn't account for foreign pilots not being as well trained nor how often the system would fail.
$endgroup$
– StephenS
Mar 31 at 18:32
$begingroup$
So more needs to be done. Good idea, bad execution. Yes, better training. And more input from the pilots. It could be better. If the 737 is at the end of its design life, this (and the placement of the oversized engines) may have been one step too far, but continued research and development of MCAS may help save more lives in the future.
$endgroup$
– Robert DiGiovanni
Mar 31 at 18:57
$begingroup$
@StephenS MCAS failure does not look like runaway trim. Runaway trim would be a constant movement in one direction or the other. The MCAS did not do this. It would trim nose down, but the pilot trim input would stop it and trim it back where they wanted it. Then there would be a few seconds before it activated again. Without knowledge of MCAS that behavior would be very confusing to the pilot.
$endgroup$
– TomMcW
Mar 31 at 21:35
1
$begingroup$
@DanielSparing, A single point of failure is not necessarily a dealbreaker in design if the overall system remains acceptable, and conversely a triply redundant system may not be any safer than a single one if not designed properly (look up Sioux City crash). Again, all comes back to weighing probabilities times consequences. Reducing single points of failure is certainly good, but sometimes there is no better alternative
$endgroup$
– Daniel Kiracofe
Apr 2 at 1:10
$begingroup$
A positive should not activate an uncommanded downtrim to the extent that the aircraft is unflyable, although whether or not it automatically activates could be discussed. Lack of override training was fatal. The MCAS itself wasn't, but could be improved.
$endgroup$
– Robert DiGiovanni
Mar 31 at 12:52
$begingroup$
A positive should not activate an uncommanded downtrim to the extent that the aircraft is unflyable, although whether or not it automatically activates could be discussed. Lack of override training was fatal. The MCAS itself wasn't, but could be improved.
$endgroup$
– Robert DiGiovanni
Mar 31 at 12:52
1
1
$begingroup$
@RobertDiGiovanni MCAS failure looks exactly like runaway trim, which B737 crews have supposedly been trained to handle for decades. Indeed, many MAX pilots in the US have reported handling it fine, so Boeing's decision seemed sound. However, they didn't account for foreign pilots not being as well trained nor how often the system would fail.
$endgroup$
– StephenS
Mar 31 at 18:32
$begingroup$
@RobertDiGiovanni MCAS failure looks exactly like runaway trim, which B737 crews have supposedly been trained to handle for decades. Indeed, many MAX pilots in the US have reported handling it fine, so Boeing's decision seemed sound. However, they didn't account for foreign pilots not being as well trained nor how often the system would fail.
$endgroup$
– StephenS
Mar 31 at 18:32
$begingroup$
So more needs to be done. Good idea, bad execution. Yes, better training. And more input from the pilots. It could be better. If the 737 is at the end of its design life, this (and the placement of the oversized engines) may have been one step too far, but continued research and development of MCAS may help save more lives in the future.
$endgroup$
– Robert DiGiovanni
Mar 31 at 18:57
$begingroup$
So more needs to be done. Good idea, bad execution. Yes, better training. And more input from the pilots. It could be better. If the 737 is at the end of its design life, this (and the placement of the oversized engines) may have been one step too far, but continued research and development of MCAS may help save more lives in the future.
$endgroup$
– Robert DiGiovanni
Mar 31 at 18:57
$begingroup$
@StephenS MCAS failure does not look like runaway trim. Runaway trim would be a constant movement in one direction or the other. The MCAS did not do this. It would trim nose down, but the pilot trim input would stop it and trim it back where they wanted it. Then there would be a few seconds before it activated again. Without knowledge of MCAS that behavior would be very confusing to the pilot.
$endgroup$
– TomMcW
Mar 31 at 21:35
$begingroup$
@StephenS MCAS failure does not look like runaway trim. Runaway trim would be a constant movement in one direction or the other. The MCAS did not do this. It would trim nose down, but the pilot trim input would stop it and trim it back where they wanted it. Then there would be a few seconds before it activated again. Without knowledge of MCAS that behavior would be very confusing to the pilot.
$endgroup$
– TomMcW
Mar 31 at 21:35
1
1
$begingroup$
@DanielSparing, A single point of failure is not necessarily a dealbreaker in design if the overall system remains acceptable, and conversely a triply redundant system may not be any safer than a single one if not designed properly (look up Sioux City crash). Again, all comes back to weighing probabilities times consequences. Reducing single points of failure is certainly good, but sometimes there is no better alternative
$endgroup$
– Daniel Kiracofe
Apr 2 at 1:10
$begingroup$
@DanielSparing, A single point of failure is not necessarily a dealbreaker in design if the overall system remains acceptable, and conversely a triply redundant system may not be any safer than a single one if not designed properly (look up Sioux City crash). Again, all comes back to weighing probabilities times consequences. Reducing single points of failure is certainly good, but sometimes there is no better alternative
$endgroup$
– Daniel Kiracofe
Apr 2 at 1:10
|
show 1 more comment
$begingroup$
Having two of the same type of sensor may not improve things as icing conditions could easily cause disagreement just when it was needed the most. A second system, such comparison of airspeed, pitch to the horizon, power setting, and vertical velocity (In addition to what the pilots are doing) may be much more useful.
Grossly changing the horizontal stabilizer pitch in an uncommanded manner only worsens the situation when the pilot needs to be in control. Breaking a stall is done by releasing the elevator. A properly designed air craft will almost immediately unstall, especially if it is caught early. Strict adherence to aft CG limits greatly improves safety as well.
A more pilot friendly MCAS may work as follows. Design the elevator such that, in conjunction with the horizontal stabilizer, it does not have enough pitch authority to stall the plane under normal flying conditions. An aircraft of this type, with a properly set CG, at full aft elevator, will lose airspeed, start to sink, and "mush" forward with the nose dropping.
Have amber and red stall warning lights.
If a stall warning occurs (real or not), pilot and computer check second system data.
If stall is real, pilot activates MCAS. (toggle switch)
The MCAS would ONLY increase the elevator throw rate and travel. Much like dual rates in
R/C planes, this would hugely increase pitch authority, but would always be under the control
of the pilot. Once stable flight is restored, the pilot turns off the MCAS.
Best luck to Boeing getting this fixed.
answered Mar 30 at 22:54
Robert DiGiovanniRobert DiGiovanni
2,8281316
$endgroup$
$begingroup$
The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
$endgroup$
– StephenS
Mar 31 at 18:35
$begingroup$
That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
$endgroup$
– Robert DiGiovanni
Mar 31 at 19:02
$begingroup$
@StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
$endgroup$
– TomMcW
Mar 31 at 21:42
$begingroup$
So, do they need to make the Hstab stronger? Another tidbit, when McDonnell Douglas merged, the MD90 and 737 filled similar roles. The MD80/90/95 lived on as the 717 before production ended. Their engines were rear mounted. A development was a flaps system mounted near the engines to assist pitch down in stalls. Could this be a precursor to a vectored thrust solution?
$endgroup$
– Robert DiGiovanni
Mar 31 at 22:58
1
$begingroup$
This does not seem to answer the actual question but seems like more of a general essay on how you feel the MCAS system should be designed.
$endgroup$
– Sanchises
Apr 3 at 10:03
|
show 1 more comment
$begingroup$
Having two of the same type of sensor may not improve things as icing conditions could easily cause disagreement just when it was needed the most. A second system, such comparison of airspeed, pitch to the horizon, power setting, and vertical velocity (In addition to what the pilots are doing) may be much more useful.
Grossly changing the horizontal stabilizer pitch in an uncommanded manner only worsens the situation when the pilot needs to be in control. Breaking a stall is done by releasing the elevator. A properly designed air craft will almost immediately unstall, especially if it is caught early. Strict adherence to aft CG limits greatly improves safety as well.
A more pilot friendly MCAS may work as follows. Design the elevator such that, in conjunction with the horizontal stabilizer, it does not have enough pitch authority to stall the plane under normal flying conditions. An aircraft of this type, with a properly set CG, at full aft elevator, will lose airspeed, start to sink, and "mush" forward with the nose dropping.
Have amber and red stall warning lights.
If a stall warning occurs (real or not), pilot and computer check second system data.
If stall is real, pilot activates MCAS. (toggle switch)
The MCAS would ONLY increase the elevator throw rate and travel. Much like dual rates in
R/C planes, this would hugely increase pitch authority, but would always be under the control
of the pilot. Once stable flight is restored, the pilot turns off the MCAS.
Best luck to Boeing getting this fixed.
answered Mar 30 at 22:54
Robert DiGiovanniRobert DiGiovanni
2,8281316
$endgroup$
$begingroup$
The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
$endgroup$
– StephenS
Mar 31 at 18:35
$begingroup$
That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
$endgroup$
– Robert DiGiovanni
Mar 31 at 19:02
$begingroup$
@StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
$endgroup$
– TomMcW
Mar 31 at 21:42
$begingroup$
So, do they need to make the Hstab stronger? Another tidbit, when McDonnell Douglas merged, the MD90 and 737 filled similar roles. The MD80/90/95 lived on as the 717 before production ended. Their engines were rear mounted. A development was a flaps system mounted near the engines to assist pitch down in stalls. Could this be a precursor to a vectored thrust solution?
$endgroup$
– Robert DiGiovanni
Mar 31 at 22:58
1
$begingroup$
This does not seem to answer the actual question but seems like more of a general essay on how you feel the MCAS system should be designed.
$endgroup$
– Sanchises
Apr 3 at 10:03
|
show 1 more comment
$begingroup$
Having two of the same type of sensor may not improve things as icing conditions could easily cause disagreement just when it was needed the most. A second system, such comparison of airspeed, pitch to the horizon, power setting, and vertical velocity (In addition to what the pilots are doing) may be much more useful.
Grossly changing the horizontal stabilizer pitch in an uncommanded manner only worsens the situation when the pilot needs to be in control. Breaking a stall is done by releasing the elevator. A properly designed air craft will almost immediately unstall, especially if it is caught early. Strict adherence to aft CG limits greatly improves safety as well.
A more pilot friendly MCAS may work as follows. Design the elevator such that, in conjunction with the horizontal stabilizer, it does not have enough pitch authority to stall the plane under normal flying conditions. An aircraft of this type, with a properly set CG, at full aft elevator, will lose airspeed, start to sink, and "mush" forward with the nose dropping.
Have amber and red stall warning lights.
If a stall warning occurs (real or not), pilot and computer check second system data.
If stall is real, pilot activates MCAS. (toggle switch)
The MCAS would ONLY increase the elevator throw rate and travel. Much like dual rates in
R/C planes, this would hugely increase pitch authority, but would always be under the control
of the pilot. Once stable flight is restored, the pilot turns off the MCAS.
Best luck to Boeing getting this fixed.
answered Mar 30 at 22:54
Robert DiGiovanniRobert DiGiovanni
2,8281316
$endgroup$
Having two of the same type of sensor may not improve things as icing conditions could easily cause disagreement just when it was needed the most. A second system, such comparison of airspeed, pitch to the horizon, power setting, and vertical velocity (In addition to what the pilots are doing) may be much more useful.
Grossly changing the horizontal stabilizer pitch in an uncommanded manner only worsens the situation when the pilot needs to be in control. Breaking a stall is done by releasing the elevator. A properly designed air craft will almost immediately unstall, especially if it is caught early. Strict adherence to aft CG limits greatly improves safety as well.
A more pilot friendly MCAS may work as follows. Design the elevator such that, in conjunction with the horizontal stabilizer, it does not have enough pitch authority to stall the plane under normal flying conditions. An aircraft of this type, with a properly set CG, at full aft elevator, will lose airspeed, start to sink, and "mush" forward with the nose dropping.
Have amber and red stall warning lights.
If a stall warning occurs (real or not), pilot and computer check second system data.
If stall is real, pilot activates MCAS. (toggle switch)
The MCAS would ONLY increase the elevator throw rate and travel. Much like dual rates in
R/C planes, this would hugely increase pitch authority, but would always be under the control
of the pilot. Once stable flight is restored, the pilot turns off the MCAS.
Best luck to Boeing getting this fixed.
answered Mar 30 at 22:54
Robert DiGiovanniRobert DiGiovanni
2,8281316
answered Mar 30 at 22:54
Robert DiGiovanniRobert DiGiovanni
2,8281316
answered Mar 30 at 22:54
Robert DiGiovanniRobert DiGiovanni
2,8281316
answered Mar 30 at 22:54
Robert DiGiovanniRobert DiGiovanni
2,8281316
2,8281316
$begingroup$
The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
$endgroup$
– StephenS
Mar 31 at 18:35
$begingroup$
That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
$endgroup$
– Robert DiGiovanni
Mar 31 at 19:02
$begingroup$
@StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
$endgroup$
– TomMcW
Mar 31 at 21:42
$begingroup$
So, do they need to make the Hstab stronger? Another tidbit, when McDonnell Douglas merged, the MD90 and 737 filled similar roles. The MD80/90/95 lived on as the 717 before production ended. Their engines were rear mounted. A development was a flaps system mounted near the engines to assist pitch down in stalls. Could this be a precursor to a vectored thrust solution?
$endgroup$
– Robert DiGiovanni
Mar 31 at 22:58
1
$begingroup$
This does not seem to answer the actual question but seems like more of a general essay on how you feel the MCAS system should be designed.
$endgroup$
– Sanchises
Apr 3 at 10:03
|
show 1 more comment
$begingroup$
The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
$endgroup$
– StephenS
Mar 31 at 18:35
$begingroup$
That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
$endgroup$
– Robert DiGiovanni
Mar 31 at 19:02
$begingroup$
@StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
$endgroup$
– TomMcW
Mar 31 at 21:42
$begingroup$
So, do they need to make the Hstab stronger? Another tidbit, when McDonnell Douglas merged, the MD90 and 737 filled similar roles. The MD80/90/95 lived on as the 717 before production ended. Their engines were rear mounted. A development was a flaps system mounted near the engines to assist pitch down in stalls. Could this be a precursor to a vectored thrust solution?
$endgroup$
– Robert DiGiovanni
Mar 31 at 22:58
1
$begingroup$
This does not seem to answer the actual question but seems like more of a general essay on how you feel the MCAS system should be designed.
$endgroup$
– Sanchises
Apr 3 at 10:03
$begingroup$
The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
$endgroup$
– StephenS
Mar 31 at 18:35
$begingroup$
The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
$endgroup$
– StephenS
Mar 31 at 18:35
$begingroup$
That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
$endgroup$
– Robert DiGiovanni
Mar 31 at 19:02
$begingroup$
That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
$endgroup$
– Robert DiGiovanni
Mar 31 at 19:02
$begingroup$
@StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
$endgroup$
– TomMcW
Mar 31 at 21:42
$begingroup$
@StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
$endgroup$
– TomMcW
Mar 31 at 21:42
$begingroup$
So, do they need to make the Hstab stronger? Another tidbit, when McDonnell Douglas merged, the MD90 and 737 filled similar roles. The MD80/90/95 lived on as the 717 before production ended. Their engines were rear mounted. A development was a flaps system mounted near the engines to assist pitch down in stalls. Could this be a precursor to a vectored thrust solution?
$endgroup$
– Robert DiGiovanni
Mar 31 at 22:58
$begingroup$
So, do they need to make the Hstab stronger? Another tidbit, when McDonnell Douglas merged, the MD90 and 737 filled similar roles. The MD80/90/95 lived on as the 717 before production ended. Their engines were rear mounted. A development was a flaps system mounted near the engines to assist pitch down in stalls. Could this be a precursor to a vectored thrust solution?
$endgroup$
– Robert DiGiovanni
Mar 31 at 22:58
1
1
$begingroup$
This does not seem to answer the actual question but seems like more of a general essay on how you feel the MCAS system should be designed.
$endgroup$
– Sanchises
Apr 3 at 10:03
$begingroup$
This does not seem to answer the actual question but seems like more of a general essay on how you feel the MCAS system should be designed.
$endgroup$
– Sanchises
Apr 3 at 10:03
|
show 1 more comment
$begingroup$
The new system will not be a single point of failure.
Normally, the AOA sensors should not disagree. But then again, normally pilots should not be flying the aircraft near stall margins.
However, if the sensors do disagree -- it will tell the pilots with a cockpit indication: effectively "MCAS will not rescue you today, watch your trim". It should also automatically log a report of the failure to the maintenance staff. This then becomes a maintenance item that must be fixed soon.
You're right that either sensor failing will cause this, and you're right, that is a single point of failure of the MCAS system; but this would still require an unbroken string of pilot mistakes to cause a crash, and that string of mistakes isn't happening today on the thousands of 737 classic and NGs without any MCAS at all.
answered Apr 3 at 6:24
HarperHarper
4,744926
$endgroup$
add a comment |
$begingroup$
The new system will not be a single point of failure.
Normally, the AOA sensors should not disagree. But then again, normally pilots should not be flying the aircraft near stall margins.
However, if the sensors do disagree -- it will tell the pilots with a cockpit indication: effectively "MCAS will not rescue you today, watch your trim". It should also automatically log a report of the failure to the maintenance staff. This then becomes a maintenance item that must be fixed soon.
You're right that either sensor failing will cause this, and you're right, that is a single point of failure of the MCAS system; but this would still require an unbroken string of pilot mistakes to cause a crash, and that string of mistakes isn't happening today on the thousands of 737 classic and NGs without any MCAS at all.
answered Apr 3 at 6:24
HarperHarper
4,744926
$endgroup$
add a comment |
$begingroup$
The new system will not be a single point of failure.
Normally, the AOA sensors should not disagree. But then again, normally pilots should not be flying the aircraft near stall margins.
However, if the sensors do disagree -- it will tell the pilots with a cockpit indication: effectively "MCAS will not rescue you today, watch your trim". It should also automatically log a report of the failure to the maintenance staff. This then becomes a maintenance item that must be fixed soon.
You're right that either sensor failing will cause this, and you're right, that is a single point of failure of the MCAS system; but this would still require an unbroken string of pilot mistakes to cause a crash, and that string of mistakes isn't happening today on the thousands of 737 classic and NGs without any MCAS at all.
answered Apr 3 at 6:24
HarperHarper
4,744926
$endgroup$
The new system will not be a single point of failure.
Normally, the AOA sensors should not disagree. But then again, normally pilots should not be flying the aircraft near stall margins.
However, if the sensors do disagree -- it will tell the pilots with a cockpit indication: effectively "MCAS will not rescue you today, watch your trim". It should also automatically log a report of the failure to the maintenance staff. This then becomes a maintenance item that must be fixed soon.
You're right that either sensor failing will cause this, and you're right, that is a single point of failure of the MCAS system; but this would still require an unbroken string of pilot mistakes to cause a crash, and that string of mistakes isn't happening today on the thousands of 737 classic and NGs without any MCAS at all.
answered Apr 3 at 6:24
HarperHarper
4,744926
answered Apr 3 at 6:24
HarperHarper
4,744926
answered Apr 3 at 6:24
HarperHarper
4,744926
answered Apr 3 at 6:24
HarperHarper
4,744926
4,744926
add a comment |
add a comment |
Thanks for contributing an answer to Aviation Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faviation.stackexchange.com%2fquestions%2f61796%2fif-the-updated-mcas-software-needs-two-aoa-sensors-doesnt-that-introduce-a-new%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
