
If you get a reading of 20 on one and 34 on the other, you disregard both and disable the system.

There’s a big difference between a system which must work and a system which must not go wrong. For example, the fly by wire system in an Airbus must work. A failed sensor must not disable the system. Thus, you need at least triple redundancy to keep functioning in the event of a failure.

Boeing’s MCAS system, on the other hand, doesn’t need to work. The plane flies just fine without it. It merely needs to not go crazy. Two sensors is sufficient.
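The two policies the comment above contrasts (two sensors that must agree or the augmentation is disabled, versus three sensors voted so one bad vane is tolerated) can be written out as a small simulation. This is an added illustration, not code from any Boeing or Airbus system; the 5.5 degree disagreement threshold, the sample readings and the "stuck vane" flight trace are all constructed for the example, and only the 20/34 pair comes from the thread.

```python
from statistics import median

# Constructed disagreement threshold in degrees of angle of attack. The real
# certified value is not given in the thread; this is an assumption for the demo.
MAX_DISAGREE_DEG = 5.5


def fail_safe_aoa(sensor_a, sensor_b, max_disagree=MAX_DISAGREE_DEG):
    """Fail-safe policy for a system that must not go wrong but need not work.

    With only two vanes there is no way to tell which one is lying, so any
    disagreement beyond the threshold disregards both and returns None,
    meaning "disable the augmentation".
    """
    if abs(sensor_a - sensor_b) > max_disagree:
        return None
    return (sensor_a + sensor_b) / 2.0


def fail_operational_aoa(readings, max_disagree=MAX_DISAGREE_DEG):
    """Fail-operational policy for a system that must keep working.

    With three or more vanes the median is a robust reference: readings within
    the threshold of the median form the majority and are averaged; a single
    outlier is simply dropped. If fewer than two readings agree there is no
    majority and the function falls back to None (fail safe).
    """
    if len(readings) < 3:
        raise ValueError("fail-operational voting needs at least three readings")
    mid = median(readings)
    agreeing = [r for r in readings if abs(r - mid) <= max_disagree]
    if len(agreeing) < 2:
        return None
    return sum(agreeing) / len(agreeing)


# Constructed flight trace: (vane A, vane B, vane C) in degrees. From the
# fourth sample on, vane B is stuck at 34 while the true AoA stays near 20.
STUCK_VANE_TRACE = [
    (19.8, 20.1, 20.0),
    (20.2, 20.0, 19.9),
    (20.5, 20.4, 20.6),
    (20.3, 34.0, 20.2),
    (20.1, 34.0, 20.0),
    (19.9, 34.0, 20.1),
]


def run_trace(trace):
    """Feed the trace through both policies and count usable outputs.

    Returns (two_sensor_outputs, three_sensor_outputs): how many samples each
    policy produced a value for. The two-sensor policy is expected to disable
    itself as soon as vane B sticks; the voted policy keeps producing an AoA.
    """
    two_ok = 0
    three_ok = 0
    for a, b, c in trace:
        if fail_safe_aoa(a, b) is not None:
            two_ok += 1
        if fail_operational_aoa([a, b, c]) is not None:
            three_ok += 1
    return two_ok, three_ok


if __name__ == "__main__":
    print("two-sensor 20 vs 34 ->", fail_safe_aoa(20, 34))          # None: disabled
    print("three-sensor 20/34/21 ->", fail_operational_aoa([20, 34, 21]))  # 20.5
    print("usable outputs (2-sensor, 3-sensor):", run_trace(STUCK_VANE_TRACE))
```

The point the simulation makes is the one the comment makes: the two-vane design is only acceptable because returning None is a safe outcome for that system, whereas a system that must keep working has to pay for the third vane so that a single outlier can be outvoted rather than forcing a shutdown.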



Yup, the difference between Fail Safe and Fail Operational.


I've read several of these articles about the MAX and I'm not seeing the explanation for how allowing MCAS to fly the plane only on input from AOA sensors (1, 2 or 5) is different from asking pilots to fly the plane with a fogged-up windscreen. Why not cross-check against the true horizon, for example? Doesn't seem safer to unnecessarily disregard context.


MCAS only exists to paper over a small handling deficiency. Apparently nobody (at least nobody with the power to force a change) thought that it could pose a safety problem. It’s not safety critical, so who cares if it fails? Except that it can fail in a way that crashes the plane.


MCAS only exists to paper over a small handling deficiency.

Per the article MCAS was originally intended to handle uncommon edge cases but was extended to cover additional (low speed) deficiencies. This expanded scope is what made MCAS as problematic as it is because it did away with the second input (accelerometer) and expanded the authority dramatically (from something like 0.6 degrees to 2.4 degrees of stabilizer movement).


The problem occurred in that that sensor had a privileged (unoverridable) pipeline to the horizontal stabilizer.

The pilots knew something was going wrong. That wasn't the issue. The issue was that the bloody thing could mistrim the plane to the point of nigh irrecoverability, and no one knew enough about it until two planes full of people plunged out of the sky.

The plane may be able to fly just fine; but the way this thing was developed and brought into mainstream use had critical problems in terms of essential information being communicated.

All the decisions and motivations behind this lack of communication have to some point been traced back to trying to circumvent regulations in order to prop up share price by scoring sales of a new airframe of comparable efficiency to the a320neo.


True horizon has nothing to do with angle of attack. Angle of attack is the direction the wind is coming from relative to the aircraft. It's possible to have a nose up attitude relative to the horizon, and have the actual aircraft motion be downwards at 10,000 feet per minute.


There’s a big difference between a system which must work and a system which must not go wrong. For example, the fly by wire system in an Airbus must work. A failed sensor must not disable the system. Thus, you need at least triple redundancy to keep functioning in the event of a failure.

Fly-by-wire Boeings still only have two alpha vanes. Go ahead, take a look at the next 777 or 787 you come across.


Presumably the AoA sensors are not required for that system to function.


AoA sensors are not required for Airbus FBW systems to function either. But they are required for the flight envelope protection system to function.


> and disable the system

When you do that you now have an aircraft the pilots aren't certified to fly.


> When you do that you now have an aircraft the pilots aren't certified to fly.

It would increase risk. But for that increased risk to materialize into harm, the plane would also need to experience an unlikely, near-edge-of-flight-envelope situation that the working MCAS was intended to handle.

This would be comparable to a plane with any other mechanical defect that is discovered in-flight. If the above situation is expected to be too-risky to continue the flight and repair on the ground, then it would give cause for an emergency landing.


> the plane would also need to experience an unlikely, near-edge-of-flight-envelope situation that the working MCAS was intended to handle.

Failure of the AOA sensor and edge-of-the-flight-envelope events can't be assumed to be uncorrelated.



