If the updated MCAS software needs two AOA sensors, doesn't that introduce a new single point of failure?












6

Regarding the 737 MAX story, the New York Times writes:




"Boeing’s software update would require the system to rely on two
sensors, rather than just one, and would not be triggered if the
sensors disagreed by a certain amount, according to the three people.
Given that the 737 Max has had both sensors already, many pilots and
safety officials have questioned why the system was designed to rely
on a single sensor, creating, in effect, one point of failure [emphasis mine]"




Now I understand that this avoids a False Positive, when one erroneous sensor triggers the MCAS.



But, considering the opposite situation, doesn't this update introduce a new single point of failure, a False Negative, when a stall should be counteracted with MCAS but it isn't, because only one sensor detects it?



(Or if not, what am I missing here? Is it that a faulty sensor fails in a certain way and will not read normal AOA erroneously?)

















      boeing-737 mcas
















      asked Mar 30 at 10:01









      Daniel Sparing






















          4 Answers


















          9













          Noting that the details of the MCAS update are yet to be publicly confirmed by Boeing - no I don't believe you are missing anything.



          MCAS was meant to be a system that only kicked in when the pilots were letting the situation get out of hand. It was to aid in stall prevention, but does not do anything the pilots can't (as long as their situational awareness would allow). In a million flights MCAS would not be used once unless there were other serious difficulties at play.



          In such a system it is much better to have a false negative than a false positive. A false negative means that the aircraft doesn't change anything, and continues to follow the pilot commands. A false positive means... well, it looks like there are 2 crashes that demonstrate what happens.






          answered Mar 30 at 12:24

          Ben









          • 5
            Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and/or the controls operated thereby).
            – supercat
            Mar 30 at 15:42



















          2













          Every automated system has a possibility of a false positive and a possibility of a false negative. In the system design you have to consider



          ( Probability of a false positive * consequence of false positive ) versus (probability of a false negative * consequence of false negative).



          A team of engineers at Boeing certainly looked at the tradeoff above in the initial design. The probability of AoA sensor failure was most likely based on failure rates from historical aircraft such as the original 737. The consequence of each failure was presumably a little harder to estimate, because no such MCAS system existed on previous aircraft, but somehow they came up with an estimate of what would happen in each case. Based on that, they believed they had the right tradeoff.



          Now, new information has come to light. Specifically, "consequence of false positive" is an absolutely unacceptable situation (two fatal crashes). Therefore the system needs to be redesigned. An increased probability of false negative may be acceptable, if it can significantly reduce the probability of false positive. Both errors are still possible, and both consequences still exist, but the tradeoff is shifted to favor one versus the other.






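          The trade-off in the answer above, worked through as an added example (not part of the original answer and not Boeing's logic): it enumerates every combination of sensor states and computes exact false-positive and false-negative probabilities for single-sensor logic and for two-sensor-agreement logic. The three-state failure model, the thresholds, the probabilities and the costs are all constructed assumptions, and sensor failures are assumed independent.

```python
"""Added illustration: single-sensor vs. two-sensor-agreement activation.

Every number here (thresholds, readings, probabilities, costs) is
constructed for the example; none of them are Boeing's values.
"""
from fractions import Fraction
from itertools import product

ACTIVATE_DEG = 14.0   # assumed AoA above which the system would act
DISAGREE_DEG = 5.0    # assumed "certain amount" of allowed disagreement
NORMAL_AOA = 3.0      # constructed scenario: ordinary flight
HIGH_AOA = 16.0       # constructed scenario: approaching a stall

# Simplified failure model: a sensor is healthy, stuck high, or stuck low.
STUCK_READING = {"stuck_high": 40.0, "stuck_low": 0.0}


def reading(state, true_aoa):
    """Value a sensor reports for the true angle of attack."""
    return true_aoa if state == "ok" else STUCK_READING[state]


def single_sensor(a, b):
    """Single-sensor logic: act on sensor A alone; B is ignored."""
    return a >= ACTIVATE_DEG


def two_sensor_agree(a, b):
    """Two-sensor logic: act only if both agree and both read high."""
    return abs(a - b) <= DISAGREE_DEG and min(a, b) >= ACTIVATE_DEG


def error_rates(logic, p_high, p_low):
    """Exact (false_positive, false_negative) probabilities for a logic.

    false_positive: the logic activates in normal flight.
    false_negative: the logic stays silent at high AoA.
    Failures are assumed independent (no common cause such as icing).
    """
    p = {"ok": 1 - p_high - p_low, "stuck_high": p_high, "stuck_low": p_low}
    fp = fn = Fraction(0)
    for sa, sb in product(p, repeat=2):
        weight = p[sa] * p[sb]
        if logic(reading(sa, NORMAL_AOA), reading(sb, NORMAL_AOA)):
            fp += weight
        if not logic(reading(sa, HIGH_AOA), reading(sb, HIGH_AOA)):
            fn += weight
    return fp, fn


def weighted_risk(rates, cost_fp, cost_fn):
    """The answer's comparison: P(FP) * consequence vs. P(FN) * consequence."""
    fp, fn = rates
    return fp * cost_fp, fn * cost_fn


if __name__ == "__main__":
    p = Fraction(1, 10_000)        # constructed failure probability
    cost_fp, cost_fn = 1000, 1     # constructed relative consequences
    for logic in (single_sensor, two_sensor_agree):
        rates = error_rates(logic, p, p)
        risk_fp, risk_fn = weighted_risk(rates, cost_fp, cost_fn)
        print(f"{logic.__name__:17} FP={float(rates[0]):.2e} "
              f"FN={float(rates[1]):.2e} "
              f"risk_fp={float(risk_fp):.2e} risk_fn={float(risk_fn):.2e}")
```

          With a per-sensor failure probability p for each stuck state, the single-sensor logic gives FP = FN = p, while the agreement logic gives FP = p² and FN = 4p − 5p²: the false-negative rate rises roughly fourfold and the false-positive rate falls by a factor of 1/p.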













          • A positive should not activate an uncommanded downtrim to the extent that the aircraft is unflyable, although whether or not it automatically activates could be discussed. Lack of override training was fatal. The MCAS itself wasn't, but could be improved.
            – Robert DiGiovanni
            Mar 31 at 12:52

          • 1
            @RobertDiGiovanni MCAS failure looks exactly like runaway trim, which B737 crews have supposedly been trained to handle for decades. Indeed, many MAX pilots in the US have reported handling it fine, so Boeing's decision seemed sound. However, they didn't account for foreign pilots not being as well trained nor how often the system would fail.
            – StephenS
            Mar 31 at 18:32

          • So more needs to be done. Good idea, bad execution. Yes, better training. And more input from the pilots. It could be better. If the 737 is at the end of its design life, this (and the placement of the oversized engines) may have been one step too far, but continued research and development of MCAS may help save more lives in the future.
            – Robert DiGiovanni
            Mar 31 at 18:57

          • @StephenS MCAS failure does not look like runaway trim. Runaway trim would be a constant movement in one direction or the other. The MCAS did not do this. It would trim nose down, but the pilot trim input would stop it and trim it back where they wanted it. Then there would be a few seconds before it activated again. Without knowledge of MCAS that behavior would be very confusing to the pilot.
            – TomMcW
            Mar 31 at 21:35

          • 1
            @DanielSparing, A single point of failure is not necessarily a dealbreaker in design if the overall system remains acceptable, and conversely a triply redundant system may not be any safer than a single one if not designed properly (look up Sioux City crash). Again, all comes back to weighing probabilities times consequences. Reducing single points of failure is certainly good, but sometimes there is no better alternative
            – Daniel Kiracofe
            Apr 2 at 1:10



















          0













          Having two of the same type of sensor may not improve things as icing conditions could easily cause disagreement just when it was needed the most. A second system, such as comparison of airspeed, pitch to the horizon, power setting, and vertical velocity (in addition to what the pilots are doing) may be much more useful.



          Grossly changing the horizontal stabilizer pitch in an uncommanded manner only worsens the situation when the pilot needs to be in control. Breaking a stall is done by releasing the elevator. A properly designed aircraft will almost immediately unstall, especially if it is caught early. Strict adherence to aft CG limits greatly improves safety as well.



          A more pilot friendly MCAS may work as follows. Design the elevator such that, in conjunction with the horizontal stabilizer, it does not have enough pitch authority to stall the plane under normal flying conditions. An aircraft of this type, with a properly set CG, at full aft elevator, will lose airspeed, start to sink, and "mush" forward with the nose dropping.
          Have amber and red stall warning lights.



          If a stall warning occurs (real or not), pilot and computer check second system data.
          If stall is real, pilot activates MCAS. (toggle switch)



          The MCAS would ONLY increase the elevator throw rate and travel. Much like dual rates in
          R/C planes, this would hugely increase pitch authority, but would always be under the control
          of the pilot. Once stable flight is restored, the pilot turns off the MCAS.



          Best luck to Boeing getting this fixed.



















          • The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
            – StephenS
            Mar 31 at 18:35

          • That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
            – Robert DiGiovanni
            Mar 31 at 19:02

          • @StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
            – TomMcW
            Mar 31 at 21:42

          • So, do they need to make the Hstab stronger? Another tidbit, when McDonnell Douglas merged, the MD90 and 737 filled similar roles. The MD80/90/95 lived on as the 717 before production ended. Their engines were rear mounted. A development was a flaps system mounted near the engines to assist pitch down in stalls. Could this be a precursor to a vectored thrust solution?
            – Robert DiGiovanni
            Mar 31 at 22:58

          • 1
            This does not seem to answer the actual question but seems like more of a general essay on how you feel the MCAS system should be designed.
            – Sanchises
            Apr 3 at 10:03



















          0













          The new system will not be a single point of failure.



          Normally, the AOA sensors should not disagree. But then again, normally pilots should not be flying the aircraft near stall margins.



          However, if the sensors do disagree -- it will tell the pilots with a cockpit indication: effectively "MCAS will not rescue you today, watch your trim". It should also automatically log a report of the failure to the maintenance staff. This then becomes a maintenance item that must be fixed soon.



          You're right that either sensor failing will cause this, and you're right, that is a single point of failure of the MCAS system; but this would still require an unbroken string of pilot mistakes to cause a crash, and that string of mistakes isn't happening today on the thousands of 737 classic and NGs without any MCAS at all.




















            Your Answer








            StackExchange.ready(function() {
            var channelOptions = {
            tags: "".split(" "),
            id: "528"
            };
            initTagRenderer("".split(" "), "".split(" "), channelOptions);

            StackExchange.using("externalEditor", function() {
            // Have to fire editor after snippets, if snippets enabled
            if (StackExchange.settings.snippets.snippetsEnabled) {
            StackExchange.using("snippets", function() {
            createEditor();
            });
            }
            else {
            createEditor();
            }
            });

            function createEditor() {
            StackExchange.prepareEditor({
            heartbeatType: 'answer',
            autoActivateHeartbeat: false,
            convertImagesToLinks: false,
            noModals: true,
            showLowRepImageUploadWarning: true,
            reputationToPostImages: null,
            bindNavPrevention: true,
            postfix: "",
            imageUploader: {
            brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
            contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
            allowUrls: true
            },
            noCode: true, onDemand: true,
            discardSelector: ".discard-answer"
            ,immediatelyShowMarkdownHelp:true
            });


            }
            });














            draft saved

            draft discarded


















            StackExchange.ready(
            function () {
            StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faviation.stackexchange.com%2fquestions%2f61796%2fif-the-updated-mcas-software-needs-two-aoa-sensors-doesnt-that-introduce-a-new%23new-answer', 'question_page');
            }
            );

            Post as a guest















            Required, but never shown

























            4 Answers
            4






            active

            oldest

            votes








            4 Answers
            4






            active

            oldest

            votes









            active

            oldest

            votes






            active

            oldest

            votes









            9












            $begingroup$

            Noting that the details of the MCAS update are yet to be publicly confirmed by Boeing - no I don't believe you are missing anything.



            MCAS was meant to be a system that only kicked in when the pilots were letting the situation get out of hand. It was to aid in stall prevention, but does not do anything the pilots can't (as long as their situational awareness would allow). In a million flights MCAS would not be used once unless there were other serious difficulties at play.



            In such a system it is much better to have a false negative than a false positive. A false negative means that the aircraft doesn't change anything, and continues to follow the pilot commands. A false positive means... well, it looks like there are 2 crashes that demonstrate what happens.






            share|improve this answer









            $endgroup$









            • 5




              $begingroup$
              Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
              $endgroup$
              – supercat
              Mar 30 at 15:42
















            9












            $begingroup$

            Noting that the details of the MCAS update are yet to be publicly confirmed by Boeing - no I don't believe you are missing anything.



            MCAS was meant to be a system that only kicked in when the pilots were letting the situation get out of hand. It was to aid in stall prevention, but does not do anything the pilots can't (as long as their situational awareness would allow). In a million flights MCAS would not be used once unless there were other serious difficulties at play.



            In such a system it is much better to have a false negative than a false positive. A false negative means that the aircraft doesn't change anything, and continues to follow the pilot commands. A false positive means... well, it looks like there are 2 crashes that demonstrate what happens.






            share|improve this answer









            $endgroup$









            • 5




              $begingroup$
              Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
              $endgroup$
              – supercat
              Mar 30 at 15:42














            9












            9








            9





            $begingroup$

            Noting that the details of the MCAS update are yet to be publicly confirmed by Boeing - no I don't believe you are missing anything.



            MCAS was meant to be a system that only kicked in when the pilots were letting the situation get out of hand. It was to aid in stall prevention, but does not do anything the pilots can't (as long as their situational awareness would allow). In a million flights MCAS would not be used once unless there were other serious difficulties at play.



            In such a system it is much better to have a false negative than a false positive. A false negative means that the aircraft doesn't change anything, and continues to follow the pilot commands. A false positive means... well, it looks like there are 2 crashes that demonstrate what happens.






            share|improve this answer









            $endgroup$



            Noting that the details of the MCAS update are yet to be publicly confirmed by Boeing - no I don't believe you are missing anything.



            MCAS was meant to be a system that only kicked in when the pilots were letting the situation get out of hand. It was to aid in stall prevention, but does not do anything the pilots can't (as long as their situational awareness would allow). In a million flights MCAS would not be used once unless there were other serious difficulties at play.



            In such a system it is much better to have a false negative than a false positive. A false negative means that the aircraft doesn't change anything, and continues to follow the pilot commands. A false positive means... well, it looks like there are 2 crashes that demonstrate what happens.







            share|improve this answer












            share|improve this answer



            share|improve this answer










            answered Mar 30 at 12:24









            BenBen

            9,34332753




            9,34332753








            • 5




              $begingroup$
              Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
              $endgroup$
              – supercat
              Mar 30 at 15:42














            • 5




              $begingroup$
              Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
              $endgroup$
              – supercat
              Mar 30 at 15:42








            5




            5




            $begingroup$
            Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
            $endgroup$
            – supercat
            Mar 30 at 15:42




            $begingroup$
            Another way to look at things is to say that inaction by MCAS can never represent a single-point of failure, since the only time MCAS would need to do anything would be after there have already been two points of failure (typically one involving the captain and/or the controls operated thereby, and the other involving the first officer and and/or the controls operated thereby).
            $endgroup$
            – supercat
            Mar 30 at 15:42











            2












            $begingroup$

            Every automated system has a possibility of a false positive and a possibility of a false negative. In the system design you have to consider



            ( Probability of a false positive * consequence of false positive ) versus (probability of a false negative * consequence of false negative).



            A team of engineers at Boeing certainly looked at the tradeoff above in the initial design. The probability of AoA sensor failure was most likely based on failure rates from historical aircraft such as original 737. The consequence of each failure was presumably a little harder to estimate, because no such MCAS system existed on previous aircraft, but they somehow they came up with an estimate of what would happen in each case. Based on that, they believed they had the right tradeoff.



            Now, new information has come to light. Specifically, "consequence of false positive" is an absolutely unacceptable situation (two fatal crashes). Therefore the system needs to be redesigned. A increased probability of false negative may be acceptable, if it can significantly reduce the probability of false positive. Both errors are still possible, and both consequences still exist, but the tradeoff is shifted to favor one versus the other.






            share|improve this answer









            $endgroup$













            • $begingroup$
              A positive should not activate an uncommanded downtrim to the extent that the aircraft is unflyable, although whether or not it automatically activates could be discussed. Lack of override training was fatal. The MCAS itself wasn't, but could be improved.
              $endgroup$
              – Robert DiGiovanni
              Mar 31 at 12:52








            • 1




              $begingroup$
              @RobertDiGiovanni MCAS failure looks exactly like runaway trim, which B737 crews have supposedly been trained to handle for decades. Indeed, many MAX pilots in the US have reported handling it fine, so Boeing's decision seemed sound. However, they didn't account for foreign pilots not being as well trained nor how often the system would fail.
              $endgroup$
              – StephenS
              Mar 31 at 18:32










            • $begingroup$
              So more needs to be done. Good idea, bad execution. Yes, better training. And more input from the pilots. It could be better. If the 737 is at the end of its design life, this (and the placement of the oversized engines) may have been one step too far, but continued research and development of MCAS may help save more lives in the future.
              $endgroup$
              – Robert DiGiovanni
              Mar 31 at 18:57










            • $begingroup$
              @StephenS MCAS failure does not look like runaway trim. Runaway trim would be a constant movement in one direction or the other. The MCAS did not do this. It would trim nose down, but the pilot trim input would stop it and trim it back where they wanted it. Then there would be a few seconds before it activated again. Without knowledge of MCAS that behavior would be very confusing to the pilot.
              $endgroup$
              – TomMcW
              Mar 31 at 21:35






            • 1




              $begingroup$
              @DanielSparing, A single point of failure is not necessarily a dealbreaker in design if the overall system remains acceptable, and conversely a triply redundant system may not be any safer than a single one if not designed properly (look up Sioux City crash). Again, all comes back to weighing probabilities times consequences. Reducing single points of failure is certainly good, but sometimes there is no better alternative
              $endgroup$
              – Daniel Kiracofe
              Apr 2 at 1:10
















            2












            $begingroup$

            Every automated system has a possibility of a false positive and a possibility of a false negative. In the system design you have to consider



            ( Probability of a false positive * consequence of false positive ) versus (probability of a false negative * consequence of false negative).



            A team of engineers at Boeing certainly looked at the tradeoff above in the initial design. The probability of AoA sensor failure was most likely based on failure rates from historical aircraft such as original 737. The consequence of each failure was presumably a little harder to estimate, because no such MCAS system existed on previous aircraft, but they somehow they came up with an estimate of what would happen in each case. Based on that, they believed they had the right tradeoff.



            Now, new information has come to light. Specifically, "consequence of false positive" is an absolutely unacceptable situation (two fatal crashes). Therefore the system needs to be redesigned. A increased probability of false negative may be acceptable, if it can significantly reduce the probability of false positive. Both errors are still possible, and both consequences still exist, but the tradeoff is shifted to favor one versus the other.






            share|improve this answer









            $endgroup$













            • $begingroup$
              A positive should not activate an uncommanded downtrim to the extent that the aircraft is unflyable, although whether or not it automatically activates could be discussed. Lack of override training was fatal. The MCAS itself wasn't, but could be improved.
              $endgroup$
              – Robert DiGiovanni
              Mar 31 at 12:52








            • 1
              @RobertDiGiovanni MCAS failure looks exactly like runaway trim, which B737 crews have supposedly been trained to handle for decades. Indeed, many MAX pilots in the US have reported handling it fine, so Boeing's decision seemed sound. However, they didn't account for foreign pilots not being as well trained nor how often the system would fail.
              – StephenS
              Mar 31 at 18:32

            • So more needs to be done. Good idea, bad execution. Yes, better training. And more input from the pilots. It could be better. If the 737 is at the end of its design life, this (and the placement of the oversized engines) may have been one step too far, but continued research and development of MCAS may help save more lives in the future.
              – Robert DiGiovanni
              Mar 31 at 18:57

            • @StephenS MCAS failure does not look like runaway trim. Runaway trim would be a constant movement in one direction or the other. The MCAS did not do this. It would trim nose down, but the pilot trim input would stop it and trim it back where they wanted it. Then there would be a few seconds before it activated again. Without knowledge of MCAS that behavior would be very confusing to the pilot.
              – TomMcW
              Mar 31 at 21:35

            • 1
              @DanielSparing, A single point of failure is not necessarily a dealbreaker in design if the overall system remains acceptable, and conversely a triply redundant system may not be any safer than a single one if not designed properly (look up Sioux City crash). Again, it all comes back to weighing probabilities times consequences. Reducing single points of failure is certainly good, but sometimes there is no better alternative.
              – Daniel Kiracofe
              Apr 2 at 1:10














            2

















            Every automated system has a possibility of a false positive and a possibility of a false negative. In the system design you have to consider

            (probability of a false positive * consequence of false positive) versus (probability of a false negative * consequence of false negative).

            A team of engineers at Boeing certainly looked at the tradeoff above in the initial design. The probability of AoA sensor failure was most likely based on failure rates from historical aircraft such as the original 737. The consequence of each failure was presumably a little harder to estimate, because no such MCAS system existed on previous aircraft, but somehow they came up with an estimate of what would happen in each case. Based on that, they believed they had the right tradeoff.

            Now, new information has come to light. Specifically, "consequence of false positive" is an absolutely unacceptable situation (two fatal crashes). Therefore the system needs to be redesigned. An increased probability of false negative may be acceptable, if it can significantly reduce the probability of false positive. Both errors are still possible, and both consequences still exist, but the tradeoff is shifted to favor one versus the other.
















            answered Mar 31 at 10:57
            Daniel Kiracofe
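The trade-off in the answer above, worked through as an added example (not code from the answer or from Boeing). It models each sensor as a binary "high AoA / normal" reading with independent failures, generalizes from the single-sensor and two-sensor-agreement designs to 2-out-of-3 voting, and uses per-sensor probabilities and consequence weights that are constructed for illustration only.

```python
"""False-positive / false-negative trade-off for k-out-of-n sensor voting.

Assumptions (all constructed, none taken from real AoA-sensor data):
  * each sensor gives a binary reading: "high AoA" or "normal";
  * sensors fail independently (a common-cause event such as icing breaks this);
  * the system activates when at least k of n sensors read "high AoA".
"""
from math import comb
from typing import NamedTuple

# name -> (k, n): activation needs at least k of n sensors reading "high AoA"
ARCHITECTURES = {
    "1oo1": (1, 1),  # one sensor decides alone
    "2oo2": (2, 2),  # both sensors must agree; disagreement inhibits activation
    "2oo3": (2, 3),  # majority vote over three sensors
}


class Risk(NamedTuple):
    p_fp: float     # probability of a spurious activation
    p_fn: float     # probability of a missed activation
    fp_term: float  # p_fp * consequence of a false positive
    fn_term: float  # p_fn * consequence of a false negative

    @property
    def total(self) -> float:
        return self.fp_term + self.fn_term


def p_at_least(k: int, n: int, p: float) -> float:
    """Probability that at least k of n independent sensors read "high AoA"
    when each one does so with probability p (binomial tail)."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def false_positive(k: int, n: int, p_spurious_high: float) -> float:
    """AoA is normal, yet at least k sensors wrongly read high."""
    return p_at_least(k, n, p_spurious_high)


def false_negative(k: int, n: int, p_missed_high: float) -> float:
    """AoA really is high, yet fewer than k sensors report it."""
    return 1.0 - p_at_least(k, n, 1.0 - p_missed_high)


def compare(p_spurious_high: float, p_missed_high: float,
            cost_fp: float, cost_fn: float) -> dict:
    """Evaluate both products from the answer's formula for each architecture."""
    out = {}
    for name, (k, n) in ARCHITECTURES.items():
        p_fp = false_positive(k, n, p_spurious_high)
        p_fn = false_negative(k, n, p_missed_high)
        out[name] = Risk(p_fp, p_fn, p_fp * cost_fp, p_fn * cost_fn)
    return out


if __name__ == "__main__":
    # Constructed inputs: 1% spurious-high and 2% missed-high per sensor.
    for cost_fp, cost_fn in ((1000.0, 10.0), (10.0, 1000.0)):
        print(f"cost_fp={cost_fp}, cost_fn={cost_fn}")
        for name, r in compare(0.01, 0.02, cost_fp, cost_fn).items():
            print(f"  {name}: P(FP)={r.p_fp:.6f} P(FN)={r.p_fn:.6f} "
                  f"total={r.total:.5f}")
```

Requiring agreement cuts the false-positive probability sharply and roughly doubles the false-negative probability, so which design scores better depends entirely on the two consequence weights.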























            0












            Having two of the same type of sensor may not improve things, as icing conditions could easily cause disagreement just when it was needed the most. A second system, such as comparison of airspeed, pitch to the horizon, power setting, and vertical velocity (in addition to what the pilots are doing), may be much more useful.

            Grossly changing the horizontal stabilizer pitch in an uncommanded manner only worsens the situation when the pilot needs to be in control. Breaking a stall is done by releasing the elevator. A properly designed aircraft will almost immediately unstall, especially if it is caught early. Strict adherence to aft CG limits greatly improves safety as well.

            A more pilot-friendly MCAS may work as follows. Design the elevator such that, in conjunction with the horizontal stabilizer, it does not have enough pitch authority to stall the plane under normal flying conditions. An aircraft of this type, with a properly set CG, at full aft elevator, will lose airspeed, start to sink, and "mush" forward with the nose dropping.
            Have amber and red stall warning lights.

            If a stall warning occurs (real or not), pilot and computer check second system data.
            If stall is real, pilot activates MCAS (toggle switch).

            The MCAS would ONLY increase the elevator throw rate and travel. Much like dual rates in R/C planes, this would hugely increase pitch authority, but would always be under the control of the pilot. Once stable flight is restored, the pilot turns off the MCAS.

            Best luck to Boeing getting this fixed.






            answered Mar 30 at 22:54
            Robert DiGiovanni












            • The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
              – StephenS
              Mar 31 at 18:35

            • That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
              – Robert DiGiovanni
              Mar 31 at 19:02

            • @StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
              – TomMcW
              Mar 31 at 21:42

            • So, do they need to make the Hstab stronger? Another tidbit, when McDonnell Douglas merged, the MD90 and 737 filled similar roles. The MD80/90/95 lived on as the 717 before production ended. Their engines were rear mounted. A development was a flaps system mounted near the engines to assist pitch down in stalls. Could this be a precursor to a vectored thrust solution?
              – Robert DiGiovanni
              Mar 31 at 22:58

            • 1
              This does not seem to answer the actual question but seems like more of a general essay on how you feel the MCAS system should be designed.
              – Sanchises
              Apr 3 at 10:03


















            • $begingroup$
              The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
              $endgroup$
              – StephenS
              Mar 31 at 18:35










            • $begingroup$
              That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
              $endgroup$
              – Robert DiGiovanni
              Mar 31 at 19:02












            • $begingroup$
              @StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
              $endgroup$
              – TomMcW
              Mar 31 at 21:42










            • $begingroup$
              So, do they need to make the Hstab stronger? Another tidbit, when McDonnell Douglas merged, the MD90 and 737 filled similar roles. The MD80/90/95 lived on as the 717 before production ended. Their engines were rear mounted. A development was a flaps system mounted near the engines to assist pitch down in stalls. Could this be a precursor to a vectored thrust solution?
              $endgroup$
              – Robert DiGiovanni
              Mar 31 at 22:58






            • 1




              $begingroup$
              This does not seem to answer the actual question but seems like more of a general essay on how you feel the MCAS system should be designed.
              $endgroup$
              – Sanchises
              Apr 3 at 10:03
















            $begingroup$
            The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
            $endgroup$
            – StephenS
            Mar 31 at 18:35




            $begingroup$
            The compounding factor is that the B737 trim moves the entire stabilizer, so even full elevator deflection can't undo incorrect trim. One solution would be to auto reverse trim when fully deflected the other way.
            $endgroup$
            – StephenS
            Mar 31 at 18:35












            $begingroup$
            That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
            $endgroup$
            – Robert DiGiovanni
            Mar 31 at 19:02






            $begingroup$
            That scares me. With a dual rate elevator there would be no loss of control (although high rate would have to be handled very delicately). Stabilizer trim would be there as a backup. Traditional hierarchy is Hstab stronger than El, El is stronger than Trim. I imagine coarse trim for Hstab, and fine trim for trim tab (yet another potential backup).
            $endgroup$
            – Robert DiGiovanni
            Mar 31 at 19:02














            $begingroup$
            @StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
            $endgroup$
            – TomMcW
            Mar 31 at 21:42




            $begingroup$
            @StephenS Under normal circumstances there is enough elevator authority in the 737 to counter full nose down trim. The situation here is slightly more complex in that it appears the Lion Air pilots increased speed due to the incorrect stall warning. The increased speed may have limited elevator authority due to blowdown.
            $endgroup$
            – TomMcW
            Mar 31 at 21:42












            So, do they need to make the Hstab stronger? Another tidbit, when McDonnell Douglas merged, the MD90 and 737 filled similar roles. The MD80/90/95 lived on as the 717 before production ended. Their engines were rear mounted. A development was a flaps system mounted near the engines to assist pitch down in stalls. Could this be a precursor to a vectored thrust solution?
            – Robert DiGiovanni
            Mar 31 at 22:58




            1

            This does not seem to answer the actual question but seems like more of a general essay on how you feel the MCAS system should be designed.
            – Sanchises
            Apr 3 at 10:03











            0












            The new system will not be a single point of failure.

            Normally, the AOA sensors should not disagree. But then again, normally pilots should not be flying the aircraft near stall margins.

            However, if the sensors do disagree -- it will tell the pilots with a cockpit indication: effectively "MCAS will not rescue you today, watch your trim". It should also automatically log a report of the failure to the maintenance staff. This then becomes a maintenance item that must be fixed soon.

            You're right that either sensor failing will cause this, and you're right, that is a single point of failure of the MCAS system; but this would still require an unbroken string of pilot mistakes to cause a crash, and that string of mistakes isn't happening today on the thousands of 737 classic and NGs without any MCAS at all.




























                answered Apr 3 at 6:24









                Harper
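
The trade-off discussed in the question and in this answer, as an added Python sketch (not Boeing's logic and not part of the original post): it runs a single-sensor trigger and a two-sensor cross-check over the same fault cases and classifies each outcome. The thresholds, function names and sensor readings are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed values: the page gives no real thresholds.
ACTIVATION_AOA_DEG = 14.0  # hypothetical AOA above which the function should act
DISAGREE_LIMIT_DEG = 5.5   # hypothetical "certain amount" of sensor disagreement

@dataclass
class Decision:
    activate: bool         # command nose-down trim
    alert_crew: bool       # cockpit disagree indication
    log_maintenance: bool  # fault record for maintenance staff

def single_sensor(left: float, right: float) -> Decision:
    """Original design as described on the page: one sensor decides."""
    return Decision(left > ACTIVATION_AOA_DEG, False, False)

def dual_sensor(left: float, right: float) -> Decision:
    """Updated design as described: inhibit and annunciate on disagreement."""
    if abs(left - right) > DISAGREE_LIMIT_DEG:
        return Decision(False, True, True)
    # Assumption: when the sensors agree, both must exceed the threshold.
    return Decision(min(left, right) > ACTIVATION_AOA_DEG, False, False)

# Constructed scenarios: name -> (true AOA, left reading, right reading), degrees.
SCENARIOS = {
    "both healthy, normal flight": (3.0, 3.2, 2.9),
    "both healthy, high AOA": (16.0, 16.1, 15.8),
    "left stuck high, normal flight": (3.0, 22.0, 3.0),
    "left stuck low, high AOA": (16.0, 2.0, 16.0),
    "right stuck low, high AOA": (16.0, 16.0, 2.0),
}

def classify(d: Decision, true_aoa: float) -> str:
    needed = true_aoa > ACTIVATION_AOA_DEG
    if d.activate and not needed:
        return "false positive"
    if needed and not d.activate:
        return "annunciated loss" if d.alert_crew else "silent false negative"
    return "ok"

def evaluate(logic) -> dict:
    return {name: classify(logic(left, right), true_aoa)
            for name, (true_aoa, left, right) in SCENARIOS.items()}

if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:32} single={evaluate(single_sensor)[name]:22} "
              f"dual={evaluate(dual_sensor)[name]}")
```

In this model the cross-check never produces a false positive, and a failure of either sensor removes the function but always with a crew alert and a maintenance record, whereas the single-sensor logic fails silently in both directions.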






























