4

This article states that the original version of MCAS was supposed to rely on two sensors:

One sensor will detect a high angle of attack, therefore activating MCAS

The other sensor will detect a high G force and therefore activate MCAS.

But what I don’t understand is why people use this as an argument against Boeing, as if they should have gone with that idea? If the high g force sensor was faulty, wouldn’t it technically need a second sensor looking at a high g force, in order to compare the two?

So basically if they had stuck with that idea, we’d still be here today?

  • 1
    The combined “2 input” AOA and G load design was only used in testing and never used in the production aircraft. The final MCAS design uses only 1 of 2 AOA indications available. The system automatically switches from the left to the right AOA for each flight. – Mike Sowsun Feb 14 '20 at 13:26
  • No, the Seattle Times article says "two factors," not "two sensors." The reporter doesn't know the difference between a parameter and a sensor and thinks that the two parameters originally used to trigger MCAS (AOA and g-loading) were replaced by one AoA sensor, when in fact the new triggering parameters were: AOA, Flaps retracted, Autopilot off. The system used one AOA sensor per FCC before, and STILL used one per FCC when the MAX entered service. Just another example of the utter rubbish that the news media put out while doing a crash investigation although utterly incompetent in aviation. – Pete P. Aug 04 '22 at 20:42

2 Answers

10

The problem is that there is no redundancy in the sensor input. The quote from the article is:

This original version of MCAS, according to two people familiar with the details, was activated only if two distinct sensors indicated such an extreme maneuver: a high angle of attack and a high G-force.

So on the original design, MCAS activation required two sensors detecting an input over a certain threshold, and in itself this creates protection against false positives.

There are two major failure modes for sub-systems:

  • Zero output, where the sub-system simply stops outputting a signal.
  • Hard-Over failure, where the sub-system outputs a false positive. This is what happened with the AoA sensor in the two MCAS disasters.

With the original design, if one sensor would go hard-over, MCAS would not activate and the system would be protected against a single failure. But in the certified config, the activating input was not checked against any signal and MCAS repeatedly activated.

Further notes on the AoA sensors, from the final accident report page 45:

  • There are two AoA indicators on the B737Max, and only one was used for MCAS input.
  • There was an AOA disagree detection installed - as an option which Lion Air had not selected at the time of the accident:

    Accordingly, the software activated the AOA DISAGREE alert only if an airline opted for the AOA indicator. At the time of the accident, Boeing advised that the AOA indicator has been selected by approximately 20% of airlines.

    When the discrepancy between the AOA display requirements and the software was identified, Boeing determined that the absence of the AOA DISAGREE alert did not adversely impact aircraft safety or operation. Accordingly, Boeing concluded that the existing functionality was acceptable until the originally intended functionality could be implemented in a display system software upgrade, scheduled for the third quarter of 2020.

    Lion Air did not select the optional AOA indicator feature on the PFD of their 737-8 (MAX) aircraft. As a result, the AOA DISAGREE did not appear on PK-LQP aircraft, even though the necessary conditions were met.

The safety analysis of the certified system has proven to be fatally incorrect, and this is what is so baffling. A single mode of failure was allowed to activate a flight critical system, by the most experienced aerospace company on earth. Plus: the incorrect safety analysis was accepted by the aviation authority whose function it is to protect us, the passengers.

Koyovis
  • 1
    I think you can also add that Boeing and the FAA also decided that the pilots didn't need to be trained on this system. – Robin Bennett Jan 17 '20 at 13:58
  • But even if they use one sensor, how can it not reject just based off the sensors differing? I know they work simultaneously, but couldn’t they have been an easy change? – George Clooney In a Mooney Jan 21 '20 at 21:34
  • @Firefighter1 Very, very good point! – Koyovis Jan 28 '20 at 00:08
  • The answer is seriously flawed. One of the conditions that must be satisfied for the system to activate cannot serve as "protection against false positives" of the other condition because the parameters are independent and unrelated, and completely unaware as to the validity of each other. The author of the article had no understanding of basic engineering yet attempted to conduct an accident investigation and perform engineering analysis. Also, the parameters are used as analog variables that trigger MCAS and modulate its duty cycle, not as binary discretes that merely flip MCAS on or off. – Pete P. Jul 19 '22 at 23:29
  • @Robin Bennett "Boeing and the FAA also decided that the pilots didn't need to be trained on this system." Actually, Boeing and the FAA decided that there was no training for this system, i.e. no training was possible. That is why the airplane has returned to service and there is STILL no flight simulator training for MCAS. But since you think there should be—btw, you're not the only one to think so—please enlighten us with some details on what that training should consist of. – Pete P. Aug 04 '22 at 20:57
  • 1
    @PeteP. I'd have thought that was obvious. Pilots should know that the system is there, that it's vulnerable to a failure of the AoA sensor, how to recognise a failure and how to disable the system and regain control. – Robin Bennett Aug 05 '22 at 07:58
  • 1
    @Robin Bennett The pilots can't detect normal MCAS operation, can't control/adjust it, can't turn it ON or OFF, there is no mention of it in system fault messages, checklists or procedures. Nonnormal operation manifests as a runaway stabilizer trim, which has multiple causes and is handled without fault isolation, by the same NNC regardless of cause, and for which initial and recurrent simulator training is standard.

    The system is transparent to the flight crew, so no MCAS-specific flight-sim training is necessary or even possible and there is no need for its inclusion in the FCOM.

    – Pete P. Aug 08 '22 at 20:56
  • @PeteP. Evidently, there was a need for including the existence of MCAS in the FCOM. It caused a repeating stab trim runaway, and trim did not run away all the way. – Koyovis Aug 09 '22 at 02:53
  • @Koyovis The Runaway Stab Trim NNC was already in the FCOM and none of the possible causes were listed. The definition of RST: The stab moves—un-commanded—to a position it should not be. About 2–3 seconds into a RST the pilot will notice the pitch attitude deviating and will instinctively restore it using the elevator. At 4–5 seconds s/he senses that the elevator force needed to maintain pitch attitude is abnormally high and getting worse. By 6–8 seconds s/he is reaching for the electric trim to assist with the elevator force and notices that the stab is being trimmed—excessively… – Pete P. Aug 11 '22 at 10:51
  • …There is no use for discerning whether the runaway is intermittent or continuous or what is causing it. Not only is the system not designed for quick and more in-depth fault isolation by the pilots beyond "autopilot" and "other", but the recovery procedure doesn't care; regardless of cause it is essentially: shut down autopilot… if that doesn't do it, shut down electric trim… – Pete P. Aug 11 '22 at 10:52
  • The question to all those experts who insisted that the pilot needs to know if the runaway is continuous or intermittent… How would you determine that? By watching and waiting— i.e. doing absolutely nothing while the nose slews towards Heaven and a stall, or towards Hades and your ad hoc gravesite—until the stabilizer either reaches the physical travel limit or stops short of it?! And then, for what do you use that little nugget of information? (while your fellow pilot stares at you with growing alarm, unsure whether you are paralyzed by shock, or you are suicidal). – Pete P. Aug 11 '22 at 10:55
  • It is mind-boggling that all the experts who declared that the pilots were lacking training for the new and unexpected type of runaway because Boeing "hid" the system, never bothered to run through the scenario in their head to validate it… and discover its absurdity. – Pete P. Aug 11 '22 at 10:56
  • @PeteP. There is validity in your argument. However, the pilots of the 2 crashed planes were trained for stab runaway, and did not recognise the MCAS behaviour as such. So something in the MCAS behaviour did not match their simulator training. – Koyovis Aug 11 '22 at 23:27
3

That's a completely incorrect understanding of the article. The summary should be:

MCAS activates if: a) Sensor detects a high angle of attack and b) Sensor detects a high normal G load

If one sensor is erroneous and the other one isn't, then MCAS would not erroneously activate.

JZYL
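The single-failure argument made in both answers above can be checked by fault injection. This is an added example, not part of either answer and not Boeing's logic: a simplified binary model in which all thresholds, readings and the `aoa_cross_checked` variant are constructed assumptions.

```python
# Constructed thresholds and readings for illustration; not values from the aircraft.
AOA_LIMIT, G_LIMIT, AOA_DISAGREE = 12.0, 1.3, 5.0
HARD_OVER = {"aoa_l": 40.0, "aoa_r": 40.0, "g": 4.0}  # stuck-high reading per channel

# True flight states: (name, readings, should the function activate?)
STATES = [
    ("level", {"aoa_l": 3.0, "aoa_r": 3.0, "g": 1.0}, False),
    ("extreme", {"aoa_l": 15.0, "aoa_r": 15.0, "g": 1.6}, True),
]

def single_aoa(r):
    """One AoA vane alone, unchecked (certified configuration as the answer describes it)."""
    return r["aoa_l"] > AOA_LIMIT

def aoa_and_g(r):
    """High AoA AND high G-load (original design as quoted from the article)."""
    return r["aoa_l"] > AOA_LIMIT and r["g"] > G_LIMIT

def aoa_cross_checked(r):
    """Hypothetical variant: act on AoA only while both vanes agree."""
    return abs(r["aoa_l"] - r["aoa_r"]) <= AOA_DISAGREE and r["aoa_l"] > AOA_LIMIT

def single_fault_errors(logic):
    """Inject every single-channel fault in every state; return the wrong outcomes."""
    errors = set()
    for _, truth, expected in STATES:
        for channel in truth:
            for fault, value in (("zero_output", 0.0), ("hard_over", HARD_OVER[channel])):
                readings = dict(truth, **{channel: value})  # exactly one channel faulted
                if logic(readings) != expected:
                    kind = "missed_activation" if expected else "false_activation"
                    errors.add((channel, fault, kind))
    return errors

if __name__ == "__main__":
    for logic in (single_aoa, aoa_and_g, aoa_cross_checked):
        print(logic.__name__)
        for err in sorted(single_fault_errors(logic)):
            print("   ", *err)
```

Under these assumptions, only the unchecked single-vane trigger produces a false activation from one hard-over sensor; the AND-gated and cross-checked triggers instead fail toward missed activations.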
  • And what happens if the high g force sensor is faulty and not reading correctly, but the plane is experiencing a high g force and high angle of attack? – George Clooney In a Mooney Jan 16 '20 at 22:23
  • @Firefighter1 Then MCAS would not kick in. You may encounter a stick force reversal and a pitch up as a result. You will still have the stick shaker activated in this flight regime. – JZYL Jan 16 '20 at 22:34
  • Actually, the article itself is nonsensical. The author lacks basic competence in engineering and has confused the various conditions that must be satisfied for the system to activate as being "multiple points of failure," not realizing that they are independent and unrelated parameters. He also doesn't realize that the modified system required Flaps_Up and Autopilot_Off in addition to AOA_High in order to trigger MCAS, which blows his "single point of failure" conspiracy to bits. – Pete P. Jul 19 '22 at 23:41
  • @JZYL True, MCAS would not kick in, but there would not be any stick force reversal, that is not a characteristic of the airplane. There would also not be any pitch up, whether due to stick forces or anything else (other than pilot induced); that is also not a characteristic of the airplane. And whether the stick shaker goes off or not depends solely on the angle of attack: if it is high enough to trigger the stall warning, it will activate; doesn't have anything to do with MCAS. For clarity—MCAS is NOT an anti-stall system or stall-recovery system, regardless of what a news reporter says. – Pete P. Aug 04 '22 at 21:10
  • @PeteP. I never claimed MCAS was originally designed for anti-stall. As far as I understand based on publicly available sources, it's required for certification and to adhere to the requirements of Part 25 related to stall characteristics and maneuver stability. – JZYL Aug 05 '22 at 15:54
  • @JZYL Understood, it was the reporter who mischaracterized the system.

    Although you correctly stated AOA and G-load sensor values as the conditions a) and b) that must both be satisfied for MCAS activation, your next sentence impugns the first by implying that activation depends on the validity of those sensor values! How does the system know if a sensor value is erroneous or valid?

    Whether MCAS activates or not simply depends on whether the sensor values are in the range to satisfy conditions a) and b) or not, regardless of their validity.

    – Pete P. Aug 08 '22 at 22:28