Comment by Gibbon1

6 years ago

> Hardware engineers chose not to provide multiple sensors to validate AoA, hardware engineers did not provide a human-capable override. MCAS was designed to not be disabled by pilots, because doing so would make the plane a different aircraft according to the FAA.

I have two comments. One: replace hardware engineers with 'management'.

The second: when I've read people talk about validating the AoA readings, it makes me twitch a bit. Partly because my day job involves firmware that manages a self-organizing sensor network. Validation of sensor data sounds easy until you force yourself to conceptualize what the system can know based on the actual data it sees and not your perceptions.

Moreover, there is a strong tendency to over-focus on the ordinary case, and not on all the edge cases. Very often dealing with edge cases is the fundamental problem. Consider designing the front end of a car. The primary design goal is actually 'passengers don't die when you drive it into a tree'.

The problem with the MCAS system is that it needs to work under all the edge cases, not just when the plane is flying in smooth air while the pilot is pulling the nose up. Like during a hard turn into wind shear.

I don't mean validation == determine which one is correct, I mean "make sure they agree" and don't trust them otherwise, which, as far as I can tell, is how other Boeing systems work?

I mean there's also the space shuttle system where you have N redundant systems controlling N separate motors (or whatever), and assume that you'll never have >= N/2 producing incorrect output. That's a "no validation" approach that works by virtue of the correct instruments literally overpowering the incorrect ones.

  • Supposedly an Airbus plane had triple redundant sensors and two of them failed with the same reading and the good sensor was voted off the island.

    I'm walking away with the following explanation. Boeing made a breaking change to the aircraft and did such a good job hiding it from themselves, the FAA, and pilots that they made it impossible for experienced pilots to handle things when it failed.

    • [edit to clarify: I'm not disagreeing with Gibbon1, I'm literally just curious about these questions and would love to know the answers]

      oof, what makes AoA sensors so terrible? Also, it seems like if you have something that isn't particularly robust (pitot tubes apparently also being egregiously terrible in that regard), surely having a less accurate but more robust reference tool would be a good "oh bollocks" backup, e.g. additional redundancy based on a different technology.

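To make the two approaches discussed in the thread concrete (the "make sure they agree, otherwise don't trust them" check versus N-redundant majority voting, and the Airbus-style case where two failed sensors agree with each other and the good one is voted out), here is an added illustration that is not part of any commenter's post or of any real flight-control code. The sensor values and the agreement tolerance are constructed assumptions.

```python
"""Two ways of combining redundant angle-of-attack (AoA) readings.

agree_or_distrust(): accept the reading only if every sensor agrees.
majority_vote():     accept the largest group of mutually agreeing sensors.
The readings and the tolerance used below are constructed for illustration;
they are not figures from any aircraft.
"""
from typing import List, Optional, Sequence


def agree_or_distrust(readings: Sequence[float], tol: float) -> Optional[float]:
    """Return the mean reading only if every sensor is within `tol` of every other.

    Any disagreement returns None: the consumer must treat the AoA as unknown
    rather than pick a winner. With two sensors this is the only safe option,
    since a disagreement cannot tell you which one is wrong.
    """
    if any(abs(a - b) > tol for a in readings for b in readings):
        return None
    return sum(readings) / len(readings)


def majority_vote(readings: Sequence[float], tol: float) -> Optional[float]:
    """Return the mean of the largest group of mutually agreeing sensors.

    Requires a strict majority (> N/2) to agree, which is the "never more
    than N/2 wrong" assumption. This silently fails when the faulty sensors
    happen to agree with each other: their group wins and the single good
    sensor is voted off the island.
    """
    best: List[float] = []
    for pivot in readings:
        group = [r for r in readings if abs(r - pivot) <= tol]
        if len(group) > len(best):
            best = group
    if len(best) * 2 <= len(readings):
        return None  # no strict majority: fall back to distrust
    return sum(best) / len(best)
```

Running `majority_vote([14.8, 15.0, 2.1], 0.5)` returns 14.9: the two agreeing faulty sensors outvote the correct 2.1, while `agree_or_distrust` on the same input returns None.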