
The article also states that 2 sensors is not enough as then you have two sensors that can disagree with no way to figure out the correct one.


Yes but at least you know the reading is faulty and avoid applying dangerous commands. Now I don't know if the stall it is meant to avoid is a greater risk than MCAS pushing the plane in the wrong direction.
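The two-versus-three sensor point above, as an added example that is not part of this thread: a small voter in which a pair of sensors can only detect a mismatch and fail safe by inhibiting the consumer, while three or more can also isolate the outlier by majority. The threshold and readings are constructed values, not figures from the article.

```python
import statistics

# Assumed tolerance between healthy readings (constructed, not from the article).
DISAGREE_THRESHOLD_DEG = 5.0


def vote(readings, threshold=DISAGREE_THRESHOLD_DEG):
    """Return (value, faulty_indices, reason).

    value is None when no trustworthy reading can be produced, which is the
    signal for downstream automation to inhibit itself rather than act.
    """
    n = len(readings)
    if n == 1:
        # A lone sensor gives no way to tell a bad reading from a good one.
        return readings[0], [], "single sensor: fault undetectable"
    if n == 2:
        a, b = readings
        if abs(a - b) <= threshold:
            return (a + b) / 2, [], "pair agrees"
        # Fault detected, but there is no third opinion to say which side is wrong.
        return None, [], "pair disagrees: detected but not isolated, inhibit"
    # n >= 3: a sensor's supporters are the others within the threshold of it.
    support = [
        [j for j in range(n) if j != i and abs(readings[i] - readings[j]) <= threshold]
        for i in range(n)
    ]
    best = max(range(n), key=lambda i: len(support[i]))
    cluster = [best] + support[best]
    if len(cluster) * 2 <= n:
        # No strict majority agrees, so majority voting cannot arbitrate either.
        return None, [], "no majority cluster, inhibit"
    faulty = [i for i in range(n) if i not in cluster]
    # Median of the agreeing cluster; tolerates one bad sensor out of three,
    # but two faulty sensors that happen to agree would still outvote a good one.
    value = statistics.median(readings[i] for i in cluster)
    return value, faulty, f"majority of {len(cluster)}/{n} agrees"


if __name__ == "__main__":
    for sample in ([12.0, 12.5], [12.0, 74.5], [12.0, 74.5, 12.5], [1.0, 50.0, 100.0]):
        print(sample, "->", vote(sample))
```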


Stalls can be extremely difficult to recover from as it means the wings have lost lift, and therefore the control surfaces (which you need to regain stability) have reduced or even complete loss of effect - a so-called 'deep stall'. As bad as MCAS is, it could theoretically (in practice, couldn't) be switched off in this scenario and the plane would be flyable. In the imagined scenario where the plane pitched up and began to stall, Boeing's logic is that without MCAS, the plane would be essentially doomed. Air France 447 crashed due to a (pilot-induced) deep stall; it was otherwise stable at cruising altitude.

The root cause is without doubt relying on a single sensor, and then downplaying the importance of the system so that nobody opted for the additional expense of the extra sensor. Boeing also have to answer for their lack of transparency; their flight control logic has always left the pilot fully in control of the plane, and can override any automatic system. This sets them apart from Airbus, which under almost all circumstances will defer to the computer.

In ways, the 737 MAX crashes are the antithesis of the 447 crash - the pilots thought they were in full command of the plane, whereas an automatic system designed to protect them malfunctioned, versus the pilots in the Air France plane believed the computer would protect them from exceeding the plane's capabilities, whereas the plane's computers could not get reliable data and passed full control to the pilots.


The analysis is not as simple as asking whether a stall is more or less dangerous than an MCAS failure. Firstly, MCAS does not prevent a stall; it is intended to make it harder to accidentally stall (and no sane pilot would deliberately stall an airliner in normal operations), in order to compensate for the design change that made it easier to do so. When considering alternatives such as whether to disable MCAS on a sensor discrepancy, one should ask both how likely each possible scenario in each alternative is, and how much risk it adds.

Where the risk analysis seems to have gone most wrong is that Boeing apparently grossly underestimated the difficulty of both figuring out what actions were needed to respond to the symptoms of MCAS failure, and of performing them. I don't know whether it was a significant factor in the former, but when the AofA sensor failed, it caused the stick shaker, as well as MCAS, to kick in.

The other mistake in analysis seems to be that when the power of MCAS was increased after initial flight testing, the additional risk it created was not properly taken into account. In particular, the ability of MCAS to drive the trim all the way forward appears to have been an unintended and overlooked side-effect of one design change.

