If the updated MCAS software needs two AOA sensors, doesn't that introduce a new single point of failure? The Next CEO of Stack OverflowHow many AOA sensors does the 737 MAX have?How is device control software checked for quality?
What was Carter Burke's job for "the company" in Aliens?
What's the commands of Cisco query bgp neighbor table, bgp table and router table?
Audio Conversion With ADS1243
Is it ok to trim down a tube patch?
What happened in Rome, when the western empire "fell"?
how one can write a nice vector parser, something that does pgfvecparseA=B-C; D=E x F;
Help understanding this unsettling image of Titan, Epimetheus, and Saturn's rings?
Can this note be analyzed as a non-chord tone?
Is it OK to decorate a log book cover?
The Ultimate Number Sequence Puzzle
IC has pull-down resistors on SMBus lines?
Players Circumventing the limitations of Wish
Traveling with my 5 year old daughter (as the father) without the mother from Germany to Mexico
Reshaping json / reparing json inside shell script (remove trailing comma)
Won the lottery - how do I keep the money?
Can I board the first leg of the flight without having final country's visa?
How can the PCs determine if an item is a phylactery?
Physiological effects of huge anime eyes
Can you teleport closer to a creature you are Frightened of?
Is it correct to say moon starry nights?
If Nick Fury and Coulson already knew about aliens (Kree and Skrull) why did they wait until Thor's appearance to start making weapons?
Which Pokemon have a special animation when running with them out of their pokeball?
"Eavesdropping" vs "Listen in on"
Is it okay to majorly distort historical facts while writing a fiction story?
If the updated MCAS software needs two AOA sensors, doesn't that introduce a new single point of failure?
The Next CEO of Stack OverflowHow many AOA sensors does the 737 MAX have?How is device control software checked for quality?
$begingroup$
Regarding the 737 MAX story, the New York Times writes:
"Boeing’s software update would require the system to rely on two
sensors, rather than just one, and would not be triggered if the
sensors disagreed by a certain amount, according to the three people.
Given that the 737 Max has had both sensors already, many pilots and
safety officials have questioned why the system was designed to rely
on a single sensor, creating, in effect, one point of failure [emphasis mine]"
Now I understand that this avoids a False Positive, when one erroneous sensor triggers the MCAS.
But, considering the opposite situation, doesn't this update introduce a new single point of failure, a False Negative, when a stall should be counteracted with MCAS but it isn't, because only one sensor detects it?
(Or if not, what am I missing here? Is it that a faulty sensor fails in a certain way and will not read normal AOA erroneously?)
boeing-737 mcas
asked yesterday
Daniel SparingDaniel Sparing
1786
$endgroup$
add a comment |
$begingroup$
Regarding the 737 MAX story, the New York Times writes:
"Boeing’s software update would require the system to rely on two
sensors, rather than just one, and would not be triggered if the
sensors disagreed by a certain amount, according to the three people.
Given that the 737 Max has had both sensors already, many pilots and
safety officials have questioned why the system was designed to rely
on a single sensor, creating, in effect, one point of failure [emphasis mine]"
Now I understand that this avoids a False Positive, when one erroneous sensor triggers the MCAS.
But, considering the opposite situation, doesn't this update introduce a new single point of failure, a False Negative, when a stall should be counteracted with MCAS but it isn't, because only one sensor detects it?
(Or if not, what am I missing here? Is it that a faulty sensor fails in a certain way and will not read normal AOA erroneously?)
boeing-737 mcas
asked yesterday
Daniel SparingDaniel Sparing
1786
$endgroup$
add a comment |
$begingroup$
Regarding the 737 MAX story, the New York Times writes:
"Boeing’s software update would require the system to rely on two
sensors, rather than just one, and would not be triggered if the
sensors disagreed by a certain amount, according to the three people.
Given that the 737 Max has had both sensors already, many pilots and
safety officials have questioned why the system was designed to rely
on a single sensor, creating, in effect, one point of failure [emphasis mine]"
Now I understand that this avoids a False Positive, when one erroneous sensor triggers the MCAS.
But, considering the opposite situation, doesn't this update introduce a new single point of failure, a False Negative, when a stall should be counteracted with MCAS but it isn't, because only one sensor detects it?
(Or if not, what am I missing here? Is it that a faulty sensor fails in a certain way and will not read normal AOA erroneously?)
boeing-737 mcas
asked yesterday
Daniel SparingDaniel Sparing
1786
$endgroup$
Regarding the 737 MAX story, the New York Times writes:
"Boeing’s software update would require the system to rely on two
sensors, rather than just one, and would not be triggered if the
sensors disagreed by a certain amount, according to the three people.
Given that the 737 Max has had both sensors already, many pilots and
safety officials have questioned why the system was designed to rely
on a single sensor, creating, in effect, one point of failure [emphasis mine]"
Now I understand that this avoids a False Positive, when one erroneous sensor triggers the MCAS.
But, considering the opposite situation, doesn't this update introduce a new single point of failure, a False Negative, when a stall should be counteracted with MCAS but it isn't, because only one sensor detects it?
(Or if not, what am I missing here? Is it that a faulty sensor fails in a certain way and will not read normal AOA erroneously?)
boeing-737 mcas
boeing-737 mcas
asked yesterday
Daniel SparingDaniel Sparing
1786
asked yesterday
Daniel SparingDaniel Sparing
1786
asked yesterday
Daniel SparingDaniel Sparing
1786
asked yesterday
Daniel SparingDaniel Sparing
1786
asked yesterday
Daniel SparingDaniel Sparing
1786
1786
add a comment |
add a comment |
3 Answers
3
active
oldest
votes
$begingroup$
Noting that the details of the MCAS update are yet to be publicly confirmed by Boeing - no I don't believe you are missing anything.
MCAS was meant to be a system that only kicked in when the pilots were letting the situation get out of hand. It was to aid in stall prevention, but does not do anything the pilots can't (as long as their situational awareness would allow). In a million flights MCAS would not be used once unless there were other serious difficulties at play.
In such a system it is much better to have a false negative than a false positive. A false negative means that the aircraft doesn't change anything, and continues to follow the pilot commands. A false positive means... well, it looks like there are 2 crashes that demonstrate what happens.
answered yesterday
BenBen
9,26032753
$endgroup$
4
$begingroup$
Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
$endgroup$
– supercat
yesterday
add a comment |
$begingroup$
Having two of the same type of sensor may not improve things as icing conditions could easily cause disagreement just when it was needed the most. A second system, such comparison of airspeed, pitch to the horizon, power setting, and vertical velocity (In addition to what the pilots are doing) may be much more useful.
Grossly changing the horizontal stabilizer pitch in an uncommanded manner only worsens the situation when the pilot needs to be in control. Breaking a stall is done by releasing the elevator. A properly designed air craft will almost immediately unstall, especially if it is caught early. Strict adherence to aft CG limits greatly improves safety as well.
A more pilot friendly MCAS may work as follows. Design the elevator such that, in conjunction with the horizontal stabilizer, it does not have enough pitch authority to stall the plane under normal flying conditions. An aircraft of this type, with a properly set CG, at full aft elevator, will lose airspeed, start to sink, and "mush" forward with the nose dropping.
Have amber and red stall warning lights.
If a stall warning occurs (real or not), pilot and computer check second system data.
If stall is real, pilot activates MCAS. (toggle switch)
The MCAS would ONLY increase the elevator throw rate and travel. Much like dual rates in
R/C planes, this would hugely increase pitch authority, but would always be under the control
of the pilot. Once stable flight is restored, the pilot turns off the MCAS.
Best luck to Boeing getting this fixed.
answered yesterday
Robert DiGiovanniRobert DiGiovanni
2,6211316
$endgroup$
$begingroup$
The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
$endgroup$
– StephenS
11 hours ago
$begingroup$
That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
$endgroup$
– Robert DiGiovanni
11 hours ago
$begingroup$
@StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
$endgroup$
– TomMcW
8 hours ago
$begingroup$
So, do they need to make the Hstab stronger? Another tidbit, when McDonnell Douglas merged, the MD90 and 737 filled similar roles. The MD80/90/95 lived on as the 717 before production ended. Their engines were rear mounted. A development was a flaps system mounted near the engines to assist pitch down in stalls. Could this be a precursor to a vectored thrust solution?
$endgroup$
– Robert DiGiovanni
7 hours ago
add a comment |
$begingroup$
Every automated system has a possibility of a false positive and a possibility of a false negative. In the system design you have to consider
( Probability of a false positive * consequence of false positive ) versus (probability of a false negative * consequence of false negative).
A team of engineers at Boeing certainly looked at the tradeoff above in the initial design. The probability of AoA sensor failure was most likely based on failure rates from historical aircraft such as original 737. The consequence of each failure was presumably a little harder to estimate, because no such MCAS system existed on previous aircraft, but they somehow they came up with an estimate of what would happen in each case. Based on that, they believed they had the right tradeoff.
Now, new information has come to light. Specifically, "consequence of false positive" is an absolutely unacceptable situation (two fatal crashes). Therefore the system needs to be redesigned. A increased probability of false negative may be acceptable, if it can significantly reduce the probability of false positive. Both errors are still possible, and both consequences still exist, but the tradeoff is shifted to favor one versus the other.
answered 19 hours ago
Daniel KiracofeDaniel Kiracofe
3,522623
$endgroup$
$begingroup$
A positive should not activate an uncommanded downtrim to the extent that the aircraft is unflyable, although whether or not it automatically activates could be discussed. Lack of override training was fatal. The MCAS itself wasn't, but could be improved.
$endgroup$
– Robert DiGiovanni
17 hours ago
$begingroup$
@RobertDiGiovanni MCAS failure looks exactly like runaway trim, which B737 crews have supposedly been trained to handle for decades. Indeed, many MAX pilots in the US have reported handling it fine, so Boeing's decision seemed sound. However, they didn't account for foreign pilots not being as well trained nor how often the system would fail.
$endgroup$
– StephenS
11 hours ago
$begingroup$
So more needs to be done. Good idea, bad execution. Yes, better training. And more input from the pilots. It could be better. If the 737 is at the end of its design life, this (and the placement of the oversized engines) may have been one step too far, but continued research and development of MCAS may help save more lives in the future.
$endgroup$
– Robert DiGiovanni
11 hours ago
$begingroup$
@StephenS MCAS failure does not look like runaway trim. Runaway trim would be a constant movement in one direction or the other. The MCAS did not do this. It would trim nose down, but the pilot trim input would stop it and trim it back where they wanted it. Then there would be a few seconds before it activated again. Without knowledge of MCAS that behavior would be very confusing to the pilot.
$endgroup$
– TomMcW
8 hours ago
$begingroup$
I understand the balance between FP / FN, my point was the concept of a single point of failure. Not every automated system has a single point of failure. Especially aircraft.
$endgroup$
– Daniel Sparing
2 hours ago
add a comment |
StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "528"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faviation.stackexchange.com%2fquestions%2f61796%2fif-the-updated-mcas-software-needs-two-aoa-sensors-doesnt-that-introduce-a-new%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
Noting that the details of the MCAS update are yet to be publicly confirmed by Boeing - no I don't believe you are missing anything.
MCAS was meant to be a system that only kicked in when the pilots were letting the situation get out of hand. It was to aid in stall prevention, but does not do anything the pilots can't (as long as their situational awareness would allow). In a million flights MCAS would not be used once unless there were other serious difficulties at play.
In such a system it is much better to have a false negative than a false positive. A false negative means that the aircraft doesn't change anything, and continues to follow the pilot commands. A false positive means... well, it looks like there are 2 crashes that demonstrate what happens.
answered yesterday
BenBen
9,26032753
$endgroup$
4
$begingroup$
Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
$endgroup$
– supercat
yesterday
add a comment |
$begingroup$
Noting that the details of the MCAS update are yet to be publicly confirmed by Boeing - no I don't believe you are missing anything.
MCAS was meant to be a system that only kicked in when the pilots were letting the situation get out of hand. It was to aid in stall prevention, but does not do anything the pilots can't (as long as their situational awareness would allow). In a million flights MCAS would not be used once unless there were other serious difficulties at play.
In such a system it is much better to have a false negative than a false positive. A false negative means that the aircraft doesn't change anything, and continues to follow the pilot commands. A false positive means... well, it looks like there are 2 crashes that demonstrate what happens.
answered yesterday
BenBen
9,26032753
$endgroup$
4
$begingroup$
Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
$endgroup$
– supercat
yesterday
add a comment |
$begingroup$
Noting that the details of the MCAS update are yet to be publicly confirmed by Boeing - no I don't believe you are missing anything.
MCAS was meant to be a system that only kicked in when the pilots were letting the situation get out of hand. It was to aid in stall prevention, but does not do anything the pilots can't (as long as their situational awareness would allow). In a million flights MCAS would not be used once unless there were other serious difficulties at play.
In such a system it is much better to have a false negative than a false positive. A false negative means that the aircraft doesn't change anything, and continues to follow the pilot commands. A false positive means... well, it looks like there are 2 crashes that demonstrate what happens.
answered yesterday
BenBen
9,26032753
$endgroup$
Noting that the details of the MCAS update are yet to be publicly confirmed by Boeing - no I don't believe you are missing anything.
MCAS was meant to be a system that only kicked in when the pilots were letting the situation get out of hand. It was to aid in stall prevention, but does not do anything the pilots can't (as long as their situational awareness would allow). In a million flights MCAS would not be used once unless there were other serious difficulties at play.
In such a system it is much better to have a false negative than a false positive. A false negative means that the aircraft doesn't change anything, and continues to follow the pilot commands. A false positive means... well, it looks like there are 2 crashes that demonstrate what happens.
answered yesterday
BenBen
9,26032753
answered yesterday
BenBen
9,26032753
answered yesterday
BenBen
9,26032753
answered yesterday
BenBen
9,26032753
9,26032753
4
$begingroup$
Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
$endgroup$
– supercat
yesterday
add a comment |
4
$begingroup$
Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
$endgroup$
– supercat
yesterday
4
4
$begingroup$
Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
$endgroup$
– supercat
yesterday
$begingroup$
Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
$endgroup$
– supercat
yesterday
add a comment |
$begingroup$
Having two of the same type of sensor may not improve things as icing conditions could easily cause disagreement just when it was needed the most. A second system, such comparison of airspeed, pitch to the horizon, power setting, and vertical velocity (In addition to what the pilots are doing) may be much more useful.
Grossly changing the horizontal stabilizer pitch in an uncommanded manner only worsens the situation when the pilot needs to be in control. Breaking a stall is done by releasing the elevator. A properly designed air craft will almost immediately unstall, especially if it is caught early. Strict adherence to aft CG limits greatly improves safety as well.
A more pilot friendly MCAS may work as follows. Design the elevator such that, in conjunction with the horizontal stabilizer, it does not have enough pitch authority to stall the plane under normal flying conditions. An aircraft of this type, with a properly set CG, at full aft elevator, will lose airspeed, start to sink, and "mush" forward with the nose dropping.
Have amber and red stall warning lights.
If a stall warning occurs (real or not), pilot and computer check second system data.
If stall is real, pilot activates MCAS. (toggle switch)
The MCAS would ONLY increase the elevator throw rate and travel. Much like dual rates in
R/C planes, this would hugely increase pitch authority, but would always be under the control
of the pilot. Once stable flight is restored, the pilot turns off the MCAS.
Best luck to Boeing getting this fixed.
answered yesterday
Robert DiGiovanniRobert DiGiovanni
2,6211316
$endgroup$
$begingroup$
The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
$endgroup$
– StephenS
11 hours ago
$begingroup$
That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
$endgroup$
– Robert DiGiovanni
11 hours ago
$begingroup$
@StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
$endgroup$
– TomMcW
8 hours ago
$begingroup$
So, do they need to make the Hstab stronger? Another tidbit, when McDonnell Douglas merged, the MD90 and 737 filled similar roles. The MD80/90/95 lived on as the 717 before production ended. Their engines were rear mounted. A development was a flaps system mounted near the engines to assist pitch down in stalls. Could this be a precursor to a vectored thrust solution?
$endgroup$
– Robert DiGiovanni
7 hours ago
add a comment |
$begingroup$
Having two of the same type of sensor may not improve things as icing conditions could easily cause disagreement just when it was needed the most. A second system, such comparison of airspeed, pitch to the horizon, power setting, and vertical velocity (In addition to what the pilots are doing) may be much more useful.
Grossly changing the horizontal stabilizer pitch in an uncommanded manner only worsens the situation when the pilot needs to be in control. Breaking a stall is done by releasing the elevator. A properly designed air craft will almost immediately unstall, especially if it is caught early. Strict adherence to aft CG limits greatly improves safety as well.
A more pilot friendly MCAS may work as follows. Design the elevator such that, in conjunction with the horizontal stabilizer, it does not have enough pitch authority to stall the plane under normal flying conditions. An aircraft of this type, with a properly set CG, at full aft elevator, will lose airspeed, start to sink, and "mush" forward with the nose dropping.
Have amber and red stall warning lights.
If a stall warning occurs (real or not), pilot and computer check second system data.
If stall is real, pilot activates MCAS. (toggle switch)
The MCAS would ONLY increase the elevator throw rate and travel. Much like dual rates in
R/C planes, this would hugely increase pitch authority, but would always be under the control
of the pilot. Once stable flight is restored, the pilot turns off the MCAS.
Best luck to Boeing getting this fixed.
answered yesterday
Robert DiGiovanniRobert DiGiovanni
2,6211316
$endgroup$
$begingroup$
The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
$endgroup$
– StephenS
11 hours ago
$begingroup$
That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
$endgroup$
– Robert DiGiovanni
11 hours ago
$begingroup$
@StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
$endgroup$
– TomMcW
8 hours ago
$begingroup$
So, do they need to make the Hstab stronger? Another tidbit, when McDonnell Douglas merged, the MD90 and 737 filled similar roles. The MD80/90/95 lived on as the 717 before production ended. Their engines were rear mounted. A development was a flaps system mounted near the engines to assist pitch down in stalls. Could this be a precursor to a vectored thrust solution?
$endgroup$
– Robert DiGiovanni
7 hours ago
add a comment |
$begingroup$
Having two of the same type of sensor may not improve things as icing conditions could easily cause disagreement just when it was needed the most. A second system, such comparison of airspeed, pitch to the horizon, power setting, and vertical velocity (In addition to what the pilots are doing) may be much more useful.
Grossly changing the horizontal stabilizer pitch in an uncommanded manner only worsens the situation when the pilot needs to be in control. Breaking a stall is done by releasing the elevator. A properly designed air craft will almost immediately unstall, especially if it is caught early. Strict adherence to aft CG limits greatly improves safety as well.
A more pilot friendly MCAS may work as follows. Design the elevator such that, in conjunction with the horizontal stabilizer, it does not have enough pitch authority to stall the plane under normal flying conditions. An aircraft of this type, with a properly set CG, at full aft elevator, will lose airspeed, start to sink, and "mush" forward with the nose dropping.
Have amber and red stall warning lights.
If a stall warning occurs (real or not), pilot and computer check second system data.
If stall is real, pilot activates MCAS. (toggle switch)
The MCAS would ONLY increase the elevator throw rate and travel. Much like dual rates in
R/C planes, this would hugely increase pitch authority, but would always be under the control
of the pilot. Once stable flight is restored, the pilot turns off the MCAS.
Best luck to Boeing getting this fixed.
answered yesterday
Robert DiGiovanniRobert DiGiovanni
2,6211316
$endgroup$
Having two of the same type of sensor may not improve things as icing conditions could easily cause disagreement just when it was needed the most. A second system, such comparison of airspeed, pitch to the horizon, power setting, and vertical velocity (In addition to what the pilots are doing) may be much more useful.
Grossly changing the horizontal stabilizer pitch in an uncommanded manner only worsens the situation when the pilot needs to be in control. Breaking a stall is done by releasing the elevator. A properly designed air craft will almost immediately unstall, especially if it is caught early. Strict adherence to aft CG limits greatly improves safety as well.
A more pilot friendly MCAS may work as follows. Design the elevator such that, in conjunction with the horizontal stabilizer, it does not have enough pitch authority to stall the plane under normal flying conditions. An aircraft of this type, with a properly set CG, at full aft elevator, will lose airspeed, start to sink, and "mush" forward with the nose dropping.
Have amber and red stall warning lights.
If a stall warning occurs (real or not), pilot and computer check second system data.
If stall is real, pilot activates MCAS. (toggle switch)
The MCAS would ONLY increase the elevator throw rate and travel. Much like dual rates in
R/C planes, this would hugely increase pitch authority, but would always be under the control
of the pilot. Once stable flight is restored, the pilot turns off the MCAS.
Best luck to Boeing getting this fixed.
answered yesterday
Robert DiGiovanniRobert DiGiovanni
2,6211316
answered yesterday
Robert DiGiovanniRobert DiGiovanni
2,6211316
answered yesterday
Robert DiGiovanniRobert DiGiovanni
2,6211316
answered yesterday
Robert DiGiovanniRobert DiGiovanni
2,6211316
2,6211316
$begingroup$
The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
$endgroup$
– StephenS
11 hours ago
$begingroup$
That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
$endgroup$
– Robert DiGiovanni
11 hours ago
$begingroup$
@StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
$endgroup$
– TomMcW
8 hours ago
$begingroup$
So, do they need to make the Hstab stronger? Another tidbit, when McDonnell Douglas merged, the MD90 and 737 filled similar roles. The MD80/90/95 lived on as the 717 before production ended. Their engines were rear mounted. A development was a flaps system mounted near the engines to assist pitch down in stalls. Could this be a precursor to a vectored thrust solution?
$endgroup$
– Robert DiGiovanni
7 hours ago
add a comment |
$begingroup$
The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
$endgroup$
– StephenS
11 hours ago
$begingroup$
That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
$endgroup$
– Robert DiGiovanni
11 hours ago
$begingroup$
@StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
$endgroup$
– TomMcW
8 hours ago
$begingroup$
So, do they need to make the Hstab stronger? Another tidbit, when McDonnell Douglas merged, the MD90 and 737 filled similar roles. The MD80/90/95 lived on as the 717 before production ended. Their engines were rear mounted. A development was a flaps system mounted near the engines to assist pitch down in stalls. Could this be a precursor to a vectored thrust solution?
$endgroup$
– Robert DiGiovanni
7 hours ago
$begingroup$
The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
$endgroup$
– StephenS
11 hours ago
$begingroup$
The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
$endgroup$
– StephenS
11 hours ago
$begingroup$
That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
$endgroup$
– Robert DiGiovanni
11 hours ago
$begingroup$
That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
$endgroup$
– Robert DiGiovanni
11 hours ago
$begingroup$
@StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
$endgroup$
– TomMcW
8 hours ago
$begingroup$
@StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
$endgroup$
– TomMcW
8 hours ago
$begingroup$
So, do they need to make the Hstab stronger? Another tidbit, when McDonnell Douglas merged, the MD90 and 737 filled similar roles. The MD80/90/95 lived on as the 717 before production ended. Their engines were rear mounted. A development was a flaps system mounted near the engines to assist pitch down in stalls. Could this be a precursor to a vectored thrust solution?
$endgroup$
– Robert DiGiovanni
7 hours ago
$begingroup$
So, do they need to make the Hstab stronger? Another tidbit, when McDonnell Douglas merged, the MD90 and 737 filled similar roles. The MD80/90/95 lived on as the 717 before production ended. Their engines were rear mounted. A development was a flaps system mounted near the engines to assist pitch down in stalls. Could this be a precursor to a vectored thrust solution?
$endgroup$
– Robert DiGiovanni
7 hours ago
add a comment |
$begingroup$
Every automated system has a possibility of a false positive and a possibility of a false negative. In the system design you have to consider
( Probability of a false positive * consequence of false positive ) versus (probability of a false negative * consequence of false negative).
A team of engineers at Boeing certainly looked at the tradeoff above in the initial design. The probability of AoA sensor failure was most likely based on failure rates from historical aircraft such as original 737. The consequence of each failure was presumably a little harder to estimate, because no such MCAS system existed on previous aircraft, but they somehow they came up with an estimate of what would happen in each case. Based on that, they believed they had the right tradeoff.
Now, new information has come to light. Specifically, "consequence of false positive" is an absolutely unacceptable situation (two fatal crashes). Therefore the system needs to be redesigned. A increased probability of false negative may be acceptable, if it can significantly reduce the probability of false positive. Both errors are still possible, and both consequences still exist, but the tradeoff is shifted to favor one versus the other.
answered 19 hours ago
Daniel KiracofeDaniel Kiracofe
3,522623
$endgroup$
$begingroup$
A positive should not activate an uncommanded downtrim to the extent that the aircraft is unflyable, although whether or not it automatically activates could be discussed. Lack of override training was fatal. The MCAS itself wasn't, but could be improved.
$endgroup$
– Robert DiGiovanni
17 hours ago
$begingroup$
@RobertDiGiovanni MCAS failure looks exactly like runaway trim, which B737 crews have supposedly been trained to handle for decades. Indeed, many MAX pilots in the US have reported handling it fine, so Boeing's decision seemed sound. However, they didn't account for foreign pilots not being as well trained nor how often the system would fail.
$endgroup$
– StephenS
11 hours ago
$begingroup$
So more needs to be done. Good idea, bad execution. Yes, better training. And more input from the pilots. It could be better. If the 737 is at the end of its design life, this (and the placement of the oversized engines) may have been one step too far, but continued research and development of MCAS may help save more lives in the future.
$endgroup$
– Robert DiGiovanni
11 hours ago
$begingroup$
@StephenS MCAS failure does not look like runaway trim. Runaway trim would be a constant movement in one direction or the other. The MCAS did not do this. It would trim nose down, but the pilot trim input would stop it and trim it back where they wanted it. Then there would be a few seconds before it activated again. Without knowledge of MCAS that behavior would be very confusing to the pilot.
$endgroup$
– TomMcW
8 hours ago
$begingroup$
I understand the balance between FP / FN, my point was the concept of a single point of failure. Not every automated system has a single point of failure. Especially aircraft.
$endgroup$
– Daniel Sparing
2 hours ago
add a comment |
$begingroup$
Every automated system has a possibility of a false positive and a possibility of a false negative. In the system design you have to consider
( Probability of a false positive * consequence of false positive ) versus (probability of a false negative * consequence of false negative).
A team of engineers at Boeing certainly looked at the tradeoff above in the initial design. The probability of AoA sensor failure was most likely based on failure rates from historical aircraft such as original 737. The consequence of each failure was presumably a little harder to estimate, because no such MCAS system existed on previous aircraft, but they somehow they came up with an estimate of what would happen in each case. Based on that, they believed they had the right tradeoff.
Now, new information has come to light. Specifically, "consequence of false positive" is an absolutely unacceptable situation (two fatal crashes). Therefore the system needs to be redesigned. A increased probability of false negative may be acceptable, if it can significantly reduce the probability of false positive. Both errors are still possible, and both consequences still exist, but the tradeoff is shifted to favor one versus the other.
answered 19 hours ago
Daniel KiracofeDaniel Kiracofe
3,522623
$endgroup$
$begingroup$
A positive should not activate an uncommanded downtrim to the extent that the aircraft is unflyable, although whether or not it automatically activates could be discussed. Lack of override training was fatal. The MCAS itself wasn't, but could be improved.
$endgroup$
– Robert DiGiovanni
17 hours ago
$begingroup$
@RobertDiGiovanni MCAS failure looks exactly like runaway trim, which B737 crews have supposedly been trained to handle for decades. Indeed, many MAX pilots in the US have reported handling it fine, so Boeing's decision seemed sound. However, they didn't account for foreign pilots not being as well trained nor how often the system would fail.
$endgroup$
– StephenS
11 hours ago
$begingroup$
So more needs to be done. Good idea, bad execution. Yes, better training. And more input from the pilots. It could be better. If the 737 is at the end of its design life, this (and the placement of the oversized engines) may have been one step too far, but continued research and development of MCAS may help save more lives in the future.
$endgroup$
– Robert DiGiovanni
11 hours ago
$begingroup$
@StephenS MCAS failure does not look like runaway trim. Runaway trim would be a constant movement in one direction or the other. The MCAS did not do this. It would trim nose down, but the pilot trim input would stop it and trim it back where they wanted it. Then there would be a few seconds before it activated again. Without knowledge of MCAS that behavior would be very confusing to the pilot.
$endgroup$
– TomMcW
8 hours ago
$begingroup$
I understand the balance between FP / FN, my point was the concept of a single point of failure. Not every automated system has a single point of failure. Especially aircraft.
$endgroup$
– Daniel Sparing
2 hours ago
add a comment |
$begingroup$
Every automated system has a possibility of a false positive and a possibility of a false negative. In the system design you have to consider
( Probability of a false positive * consequence of false positive ) versus (probability of a false negative * consequence of false negative).
A team of engineers at Boeing certainly looked at the tradeoff above in the initial design. The probability of AoA sensor failure was most likely based on failure rates from historical aircraft such as original 737. The consequence of each failure was presumably a little harder to estimate, because no such MCAS system existed on previous aircraft, but they somehow they came up with an estimate of what would happen in each case. Based on that, they believed they had the right tradeoff.
Now, new information has come to light. Specifically, "consequence of false positive" is an absolutely unacceptable situation (two fatal crashes). Therefore the system needs to be redesigned. A increased probability of false negative may be acceptable, if it can significantly reduce the probability of false positive. Both errors are still possible, and both consequences still exist, but the tradeoff is shifted to favor one versus the other.
answered 19 hours ago
Daniel KiracofeDaniel Kiracofe
3,522623
$endgroup$
Every automated system has a possibility of a false positive and a possibility of a false negative. In the system design you have to consider
( Probability of a false positive * consequence of false positive ) versus (probability of a false negative * consequence of false negative).
A team of engineers at Boeing certainly looked at the tradeoff above in the initial design. The probability of AoA sensor failure was most likely based on failure rates from historical aircraft such as original 737. The consequence of each failure was presumably a little harder to estimate, because no such MCAS system existed on previous aircraft, but they somehow they came up with an estimate of what would happen in each case. Based on that, they believed they had the right tradeoff.
Now, new information has come to light. Specifically, "consequence of false positive" is an absolutely unacceptable situation (two fatal crashes). Therefore the system needs to be redesigned. A increased probability of false negative may be acceptable, if it can significantly reduce the probability of false positive. Both errors are still possible, and both consequences still exist, but the tradeoff is shifted to favor one versus the other.
answered 19 hours ago
Daniel KiracofeDaniel Kiracofe
3,522623
answered 19 hours ago
Daniel KiracofeDaniel Kiracofe
3,522623
answered 19 hours ago
Daniel KiracofeDaniel Kiracofe
3,522623
answered 19 hours ago
Daniel KiracofeDaniel Kiracofe
3,522623
3,522623
$begingroup$
A positive should not activate an uncommanded downtrim to the extent that the aircraft is unflyable, although whether or not it automatically activates could be discussed. Lack of override training was fatal. The MCAS itself wasn't, but could be improved.
$endgroup$
– Robert DiGiovanni
17 hours ago
$begingroup$
@RobertDiGiovanni MCAS failure looks exactly like runaway trim, which B737 crews have supposedly been trained to handle for decades. Indeed, many MAX pilots in the US have reported handling it fine, so Boeing's decision seemed sound. However, they didn't account for foreign pilots not being as well trained nor how often the system would fail.
$endgroup$
– StephenS
11 hours ago
$begingroup$
So more needs to be done. Good idea, bad execution. Yes, better training. And more input from the pilots. It could be better. If the 737 is at the end of its design life, this (and the placement of the oversized engines) may have been one step too far, but continued research and development of MCAS may help save more lives in the future.
$endgroup$
– Robert DiGiovanni
11 hours ago
$begingroup$
@StephenS MCAS failure does not look like runaway trim. Runaway trim would be a constant movement in one direction or the other. The MCAS did not do this. It would trim nose down, but the pilot trim input would stop it and trim it back where they wanted it. Then there would be a few seconds before it activated again. Without knowledge of MCAS that behavior would be very confusing to the pilot.
$endgroup$
– TomMcW
8 hours ago
$begingroup$
I understand the balance between FP / FN, my point was the concept of a single point of failure. Not every automated system has a single point of failure. Especially aircraft.
$endgroup$
– Daniel Sparing
2 hours ago
add a comment |
$begingroup$
A positive should not activate an uncommanded downtrim to the extent that the aircraft is unflyable, although whether or not it automatically activates could be discussed. Lack of override training was fatal. The MCAS itself wasn't, but could be improved.
$endgroup$
– Robert DiGiovanni
17 hours ago
$begingroup$
@RobertDiGiovanni MCAS failure looks exactly like runaway trim, which B737 crews have supposedly been trained to handle for decades. Indeed, many MAX pilots in the US have reported handling it fine, so Boeing's decision seemed sound. However, they didn't account for foreign pilots not being as well trained nor how often the system would fail.
$endgroup$
– StephenS
11 hours ago
$begingroup$
So more needs to be done. Good idea, bad execution. Yes, better training. And more input from the pilots. It could be better. If the 737 is at the end of its design life, this (and the placement of the oversized engines) may have been one step too far, but continued research and development of MCAS may help save more lives in the future.
$endgroup$
– Robert DiGiovanni
11 hours ago
$begingroup$
@StephenS MCAS failure does not look like runaway trim. Runaway trim would be a constant movement in one direction or the other. The MCAS did not do this. It would trim nose down, but the pilot trim input would stop it and trim it back where they wanted it. Then there would be a few seconds before it activated again. Without knowledge of MCAS that behavior would be very confusing to the pilot.
$endgroup$
– TomMcW
8 hours ago
$begingroup$
I understand the balance between FP / FN, my point was the concept of a single point of failure. Not every automated system has a single point of failure. Especially aircraft.
$endgroup$
– Daniel Sparing
2 hours ago
$begingroup$
A positive should not activate an uncommanded downtrim to the extent that the aircraft is unflyable, although whether or not it automatically activates could be discussed. Lack of override training was fatal. The MCAS itself wasn't, but could be improved.
$endgroup$
– Robert DiGiovanni
17 hours ago
$begingroup$
A positive should not activate an uncommanded downtrim to the extent that the aircraft is unflyable, although whether or not it automatically activates could be discussed. Lack of override training was fatal. The MCAS itself wasn't, but could be improved.
$endgroup$
– Robert DiGiovanni
17 hours ago
$begingroup$
@RobertDiGiovanni MCAS failure looks exactly like runaway trim, which B737 crews have supposedly been trained to handle for decades. Indeed, many MAX pilots in the US have reported handling it fine, so Boeing's decision seemed sound. However, they didn't account for foreign pilots not being as well trained nor how often the system would fail.
$endgroup$
– StephenS
11 hours ago
$begingroup$
@RobertDiGiovanni MCAS failure looks exactly like runaway trim, which B737 crews have supposedly been trained to handle for decades. Indeed, many MAX pilots in the US have reported handling it fine, so Boeing's decision seemed sound. However, they didn't account for foreign pilots not being as well trained nor how often the system would fail.
$endgroup$
– StephenS
11 hours ago
$begingroup$
So more needs to be done. Good idea, bad execution. Yes, better training. And more input from the pilots. It could be better. If the 737 is at the end of its design life, this (and the placement of the oversized engines) may have been one step too far, but continued research and development of MCAS may help save more lives in the future.
$endgroup$
– Robert DiGiovanni
11 hours ago
$begingroup$
So more needs to be done. Good idea, bad execution. Yes, better training. And more input from the pilots. It could be better. If the 737 is at the end of its design life, this (and the placement of the oversized engines) may have been one step too far, but continued research and development of MCAS may help save more lives in the future.
$endgroup$
– Robert DiGiovanni
11 hours ago
$begingroup$
@StephenS MCAS failure does not look like runaway trim. Runaway trim would be a constant movement in one direction or the other. The MCAS did not do this. It would trim nose down, but the pilot trim input would stop it and trim it back where they wanted it. Then there would be a few seconds before it activated again. Without knowledge of MCAS that behavior would be very confusing to the pilot.
$endgroup$
– TomMcW
8 hours ago
$begingroup$
@StephenS MCAS failure does not look like runaway trim. Runaway trim would be a constant movement in one direction or the other. The MCAS did not do this. It would trim nose down, but the pilot trim input would stop it and trim it back where they wanted it. Then there would be a few seconds before it activated again. Without knowledge of MCAS that behavior would be very confusing to the pilot.
$endgroup$
– TomMcW
8 hours ago
$begingroup$
I understand the balance between FP / FN, my point was the concept of a single point of failure. Not every automated system has a single point of failure. Especially aircraft.
$endgroup$
– Daniel Sparing
2 hours ago
$begingroup$
I understand the balance between FP / FN, my point was the concept of a single point of failure. Not every automated system has a single point of failure. Especially aircraft.
$endgroup$
– Daniel Sparing
2 hours ago
add a comment |
Thanks for contributing an answer to Aviation Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faviation.stackexchange.com%2fquestions%2f61796%2fif-the-updated-mcas-software-needs-two-aoa-sensors-doesnt-that-introduce-a-new%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
