What I fail to understand is why Boeing didn’t install two angle of attack sensors on EVERY airplane and why a warning light saying “MCAS ON” wasn’t installed. It also sounded to me as if there was a problem WITH the sensor … has that ever been determined? In the F-16 fly-by-wire airplane, four flight control computers are in the loop plus a polling computer that’ll turn off errant commands pronto. I don’t know if that’s still true of the current versions of that airplane but … it was in the beginning. How a single point failure mode could have been allowed into the design is Boeing’s fault. But there’s fault to spread all around.
This sort of blog is superb! I learn much from it all.
My comment had more to do with redundancy and the reliability of multiple channels for critical systems. I was using the F-16 as an example of same. That Boeing didn’t just install two AOA sensors befuddles me. Also, there’s a system that’s recently been NORSEE approved to determine rough AOA from pitot and static pressures without an AOA vane. Why couldn’t they have used such a design as a backup or cross-check? Finally, I question why motorized stab trim required MCAS to be on; that is likewise nutty. Why couldn’t MCAS be turned off but electric trim remain on to overpower the thing? Lotsa questions.
If Boeing is to be believed, MCAS was created to provide pilots with a pitch control feel that mimicked that of earlier models of the 737. Consequently, pilots who were 737-rated would NOT require (costly) MAX-specific training - up to and potentially including a MAX type rating.
Unfortunately, the combination of (IMWO) very poor design and two incompetent flight crews proved deadly.
The 737 HAS two AOA vanes, but the MCAS design made use of only one of them per flight. To your point, redundancy can be a false surrogate for reliability - two is better than one; three is better than two, etc.
Redundancy is just one means of attempting to achieve reliability - which is the actual objective. But redundancy of like apparatus (multiple instances of the same sensor) leaves a system vulnerable to common-mode failures.
Example:
A four-engine aircraft is loaded with contaminated fuel.
Example:
A four-AOA-vane aircraft ices up all of them in treacherous weather.
YARS-ism: “A properly-designed control system employs multiple TYPES of sensors, to DERIVE reliable information.”
Example:
An AOA vane MEASURES angle-of-attack.
But the COMBINATION of pitch attitude information (from the attitude-sensors) PLUS 3-D flight-path information (from GPS and/or inertial sources) permits a computer to DERIVE angle-of-attack information - which then can be compared with measured AOA from the vanes.
But Boeing wasn’t interested in re-inventing a wheel. IMWO, they still aren’t. They seek the simplest effective solution to a narrowly-defined problem.
But engineers need to be always vigilant of the peril that attends conflating the simple with the simplistic. Danger, Will Robinson.
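The cross-check described in the comment above, sketched as an added example (not code from any commenter or from Boeing). It assumes wings-level flight in still air, where angle of attack is approximately pitch attitude minus flight-path angle; the function names, the 5-degree threshold and the sample readings are constructed for illustration.

```python
import math
from statistics import median

DISAGREE_DEG = 5.0  # assumed disagreement threshold, illustration only


def derived_aoa(pitch_deg, vertical_speed, ground_speed):
    """Estimate AOA from dissimilar sources: pitch attitude (attitude sensors)
    minus flight-path angle (GPS/inertial velocity). Wings level, still air."""
    flight_path_deg = math.degrees(math.atan2(vertical_speed, ground_speed))
    return pitch_deg - flight_path_deg


def assess_aoa(vanes_deg, pitch_deg, vertical_speed, ground_speed):
    """Classify the measured AOA using both like-sensor and dissimilar checks."""
    voted = median(vanes_deg)
    spread = max(vanes_deg) - min(vanes_deg)
    derived = derived_aoa(pitch_deg, vertical_speed, ground_speed)

    if spread > DISAGREE_DEG:
        # Like-sensor redundancy catches a single bad vane.
        status = "vane_disagree"
    elif abs(voted - derived) > DISAGREE_DEG:
        # Vanes agree with each other but not with the derived value:
        # the common-mode case that more vanes alone cannot reveal.
        status = "common_mode_suspect"
    else:
        status = "valid"
    return {"status": status, "voted": voted, "derived": derived}


# Constructed samples: level flight at 120 m/s, 3 degrees nose up.
LEVEL = dict(pitch_deg=3.0, vertical_speed=0.0, ground_speed=120.0)

if __name__ == "__main__":
    for label, vanes in [("healthy", [3.1, 2.9]),
                         ("one vane failed high", [22.0, 3.0]),
                         ("both vanes stuck high", [22.0, 21.8])]:
        print(label, assess_aoa(vanes, **LEVEL))
```
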
>>I have another old dear aviation friend who passed on at age 104 last year who made 221 crossings of the Pacific in the Boeing 314 Clipper. HIS expertise was celestial navigation … hence why they flew at night.
Sort of. The real reason they flew at night was because they were crossing big oceans in an airplane that couldn’t do much more than 130MPH. They flew day and night to get to a destination.
Celestial navigation does not require night-only operation. There is still one really good “star” sighting available to a celestial navigator during the day.
Gotta side with Kirk here. Can’t run around at full T/O thrust. They ran the correct checklist, but never pulled the power back, so the aerodynamic load was too great to manually trim against.
That was my exact point, Yars. I thought about it this AM before I got vertical. When the trim system went crazy on those two airplanes, the very first thing the crews did was activate the yoke-mounted trim switch. It got them relief until they let go of it whereupon the MCAS took over again. Had there been training ON the MCAS system – starting with its existence and purpose – the crews would have at least known about it. It could have been said the system is there to make it feel like all the rest of the 737s. If – additionally – an “MCAS Activated” warning light would have come on with the capability to deactivate MCAS but leave electric trim ops normal, both flights would have ended safely … albeit with an underwear change for the crew.
Here we all sit opining how simple it would have been to do a better job. Meanwhile, in Seattle, the big B is doing damage control, their lawyers are trying to minimize damage, the FAA is working overtime to make it right (because of ODA) and tens of thousands of hours are being wasted … for what? And – as Eric W said – this is a life AND death situation. I sure hope someone from Boeing is reading all of this?
On a major weapon system I worked on, every other Tuesday we had to go before the engineering VP and “confess” issues. Had we done something like this … we’da been swimming with da fishes.
I remember reading recently that the design and purpose of the MCAS system evolved over time. Originally, its purpose was to prevent excessive pitch-up at high airspeed and low AoA. The AoA data from a single sensor was cross-checked with G forces on the airframe - exactly the two independent data points Yars is talking about. Then they added the stall protection requirement. Problem is there’s no increase in G load as you approach stall, so the G force cross-check was removed, making MCAS input dependent on just the single AoA sensor.
It’s a classic case of all the engineers sitting in their office cubes, each looking at their square inch of the system. No one was looking at the big picture on an ongoing basis.
I also fault Boeing for their decision to completely omit MCAS from the MAX’s documentation and training. It’s not possible to provide scenario-based training for every possible failure, but flight crews need to be aware of the systems on the aircraft and how they can behave. A well-understood technique for stopping runaway trim on the older 737s is a firm yank or shove on the yoke (in the direction opposite to the runaway). This technique, however, did not work for a runaway MCAS event on the MAX. The Ethiopian pilots tried this technique repeatedly, indicating that they hadn’t gotten the memo. Calling the Malaysian and Ethiopian flight crews incompetent is unfair. Inadequately trained is a much better characterization.
Apart from sorry design, Boeing apparently presumed (?) that aircrews would be able to deal with “uncommanded” trim issues, regardless of their origins.
Mac McClellan wrote a truly great piece titled “can Boeing trust pilots.” You still can access it at:
airfactsjournal dot com /2019/03/can-boeing-trust-pilots/
“Boeing apparently presumed that aircrews would be able to deal with “uncommanded” trim issues…” This presumption, combined with the failure to document the behavior of MCAS, amounts to cognitive dissonance.