Thursday, March 28, 2019

AoA Vane must have Failed, the Boeing Fix is In, Senate Grills FAA

New information confirms that the MAX is similar to the NG: the AoA analog interface is connected to two different computers, the Stall Management Yaw Damper (SMYD) and the Air Data Inertial Reference Unit (ADIRU), which supplies the Flight Control Computer (FCC). The SMYD uses AoA for Stall Warning, which is evident from activation of the Stick Shaker. The FCC hosts MCAS, and if the AoA from the ADIRU is too high it can trigger MCAS. The significance is that both SMYD and FCC responded to the large AoA bias on JT043/JT610, and therefore the AoA sensor must have been producing that erroneous output. The AoA sensor is what failed.

Boeing has confirmed that AoA disagree Alert will become basic, that AoA disagree will inhibit MCAS from triggering, and that MCAS cannot issue more than one trim command without AoA recovery. 

The Senate grilled FAA acting Administrator Dan Elwell over excessive delegations and allowing Boeing to sell "safety critical items". Elwell stumbled on some key points, notably describing the 737 MAX as Fly-By-Wire and that the aft column cutout switch can stop MCAS trim commands.

Both Boeing and the FAA continue to insist that MCAS "runaway" is easy to detect and simple to respond to, but neither of these claims aligns with observations.

In 2006, a 747-400 experienced an AoA sensor with a large positive bias. The AoA sensor had not been assembled correctly, and a set screw allowed the Vane input shaft to rotate relative to the resolver, introducing an offset or bias.  In this case, the bias was somewhat random.

When the unit was placed on test, it failed the part of the test schedule where the vane, positioned at discrete points throughout its operating range, should result in specified electrical outputs supplied to the ADCs. These were somewhat random in nature and subsequent disassembly revealed the main drive gear to be loose, being able to rotate freely 360° around the main shaft. The counter-weight was also found to be loose and had a free play of about +/‐ 2 ° rotation. Examination of the main gear revealed that the set screw that secured it to the shaft was not fully tightened: the overhaul manual specifies an assembly torque of 4.0 ‐ 4.5 inch‐pounds for this item. This was established as the reason for the random readings of the resolver outputs with respect to vane displacement, which thus resulted in the right ADC receiving erroneous angle of attack data. 


The "random" offset described in the 747 case does not match what was observed in JT043 and JT610, where the large bias remained fixed.

Reliability of the AoA sensor was evaluated over a 4-6 year period; the mean time between unscheduled removals was 93,000 hours. A typical airframe is modeled at about 100,000 hours, so the AoA vane typically lasts nearly the lifetime of the airplane.



Related to the 747 report is the lack of any correlation from AoA large bias to Airspeed and Altitude Disagree. There should be a clear relationship from AoA disagree to causing Airspeed and Altitude Disagree (due to incorrect static port compensation). This is true for flight crew benefit (if AoA disagree, expect Airspeed and Altitude Disagree) and for maintenance, to not service Air Data and instead service AoA. It was apparent in this instance, and yet it shows up again in Lion Air 13 years later (no correlation of Airspeed/Altitude Disagree to an AoA malfunction).  One stick shaker on and the other off is AoA disagree, even if you don't have a dedicated alert.

In prior posts I have postulated whether SMYD had become a function in the FCC on the MAX. I was wrong. The SMYD appears on the 737 MAX pretty much as the 737 NG. This is a significant realization. The AoA vane has one analog resolver output connected to the ADIRU, and one output connected to SMYD. The ADIRU provides AoA to the FCC, where MCAS uses it for triggering its trim command. On JT043 and JT610, stick shaker and MCAS appear to be triggered. This means both SMYD and ADIRU/FCC AoA sensed angle were in agreement, subjected to a large bias. This means the AoA sensor output was in error, not any input signal processing. The removed vane prior to JT043 exhibited a different failure (out of range) and there is no information released from ET302.

The SMYD faults from Air Data invalid (from ADIRU) must be related to AoA signal not being available for static port compensation. 


Lion Air replaced the vane prior to JT043.


The error that was found on the 747 would have been evident if the vane output was checked against a calibrated position (by rotating the vane to particular points, the output has an expected value). If the failure was internal to the AoA sensor, then it should have failed the installation test. If it was bent (as I had originally concluded), then the calibration would be fine and the only hope is visual inspection.

The vane removed prior to JT043, the vane on JT043/JT610, and the vane on ET302 (presumably) all failed in some manner. This trend will surely be the subject of further investigation.

Boeing has released a description of the MCAS related changes they are proposing.

  1. Flight control system will now compare inputs from both AOA sensors. If the sensors disagree by 5.5 degrees or more with the flaps retracted, MCAS will not activate. 
  2. An indicator on the flight deck display will alert the pilots to AoA Disagree.
  3. If MCAS is activated in non-normal conditions, it will only provide one input for each elevated AOA event. 
  4. There are no known or envisioned failure conditions where MCAS will provide multiple inputs.
  5. MCAS can never command more stabilizer input than can be counteracted by the flight crew pulling back on the column. 
  6. The pilots will continue to always have the ability to override MCAS and manually control the airplane.
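Items 1 to 3 of this list (cross-compare inhibit at 5.5 degrees, disagree indication, one command per elevated-AoA event with re-arm only after AoA recovers) can be modeled as a small state machine. This is an added example, not Boeing's implementation and not code from the original post; the trigger and recovery thresholds, the use of the lower vane reading, the flaps handling and all traces are assumptions constructed for illustration.

```python
"""Toy model of the announced MCAS gating rules (added example, not Boeing code)."""
from dataclasses import dataclass
from typing import List, Tuple

DISAGREE_LIMIT_DEG = 5.5  # from item 1: inhibit at 5.5 degrees or more
TRIGGER_AOA_DEG = 12.0    # ASSUMPTION: activation threshold, not given on the page
RECOVERY_AOA_DEG = 10.0   # ASSUMPTION: AoA below this counts as "recovered"

# One evaluation cycle: (left AoA deg, right AoA deg, flaps retracted?)
Cycle = Tuple[float, float, bool]


@dataclass
class McasGate:
    armed: bool = True  # False once the single input for this event is spent

    def step(self, aoa_left: float, aoa_right: float, flaps_retracted: bool) -> str:
        """Return 'TRIM', 'INHIBIT_DISAGREE' or 'NONE' for one cycle."""
        if not flaps_retracted:
            return "NONE"  # ASSUMPTION: function only evaluated with flaps retracted
        # Item 1: cross-compare both vanes before trusting either one.
        if abs(aoa_left - aoa_right) >= DISAGREE_LIMIT_DEG:
            return "INHIBIT_DISAGREE"  # item 2: this state would also drive the alert
        aoa = min(aoa_left, aoa_right)  # ASSUMPTION: act on the lower reading
        if aoa < RECOVERY_AOA_DEG:
            self.armed = True  # AoA recovered: a later event may command again
            return "NONE"
        if aoa >= TRIGGER_AOA_DEG and self.armed:
            self.armed = False  # item 3: one input per elevated-AoA event
            return "TRIM"
        return "NONE"


def run_trace(trace: List[Cycle]) -> List[str]:
    """Run a fresh gate over a trace and return the outcome of every cycle."""
    gate = McasGate()
    return [gate.step(*cycle) for cycle in trace]


def with_bias(true_aoa: List[float], left_bias: float) -> List[Cycle]:
    """Build a constructed trace where the left vane carries a fixed bias."""
    return [(a + left_bias, a, True) for a in true_aoa]


def trim_cycles(outcomes: List[str]) -> List[int]:
    """Indices of the cycles on which a trim command was issued."""
    return [i for i, o in enumerate(outcomes) if o == "TRIM"]


# Constructed inputs, not flight data.
LEVEL_FLIGHT = [3.0, 3.5, 4.0, 4.5, 4.0, 3.5]
TWO_EVENTS = [4.0, 8.0, 13.0, 14.0, 13.0, 11.0, 13.0, 9.0, 6.0, 13.0, 14.0]

FIXED_BIAS = run_trace(with_bias(LEVEL_FLIGHT, 22.0))  # one vane reads far too high
GENUINE = run_trace(with_bias(TWO_EVENTS, 0.0))        # both vanes agree
AT_LIMIT = run_trace(with_bias(TWO_EVENTS, 5.5))       # exactly at the limit
BELOW_LIMIT = run_trace(with_bias(TWO_EVENTS, 5.0))    # just under the limit

if __name__ == "__main__":
    for name, out in [("fixed bias", FIXED_BIAS), ("genuine", GENUINE),
                      ("at limit", AT_LIMIT), ("below limit", BELOW_LIMIT)]:
        print(f"{name:12s} trims at cycles {trim_cycles(out)}  {out}")
```

In the genuine trace the dip to 11 degrees does not re-arm the gate, so the second command only comes after AoA falls below the assumed recovery value; a bias just under 5.5 degrees passes the cross-check, and in this model the command then depends on the lower reading alone.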

1) Inhibiting MCAS when the AoA sensors disagree is the feature that was missing from the very beginning.

2) The AoA Disagree Alert will ensure maintenance is directed to AoA sensor. I hope it will also correlate to Airspeed Disagree and Altitude Disagree.

3) MCAS will have one trim command, reset only after AoA shows a recovery. 

4) No known or envisioned failure modes is a grandiose statement. Of course there are failure modes, the point is managing the failure rates by design features. 

5) This is a bit of a misleading statement, but the point is that with at most a 2.5 degree nose down trim command, there is sufficient elevator to offset the pitch command. This assumes the airplane was roughly in trim when MCAS applies its trim, not for example if the stab/elevator start from a mistrim position. 

6) Boeing is touting the ability to hit the cutout switch to stop MCAS.
Boeing has created updated CBT to accompany the software update. Once approved, it will be accessible to all 737 MAX pilots. This course is designed to provide 737 type-rated pilots with an enhanced understanding of the 737 MAX Speed Trim System, including the MCAS function, associated existing crew procedures and related software changes.
Pilots will also be required to review:
  • Flight Crew Operations Manual Bulletin
  • Updated Speed Trim Fail Non-Normal Checklist
  • Revised Quick Reference Handbook
The AoA indicator remains a customer option, but it is now a no-cost option.



Boeing and the FAA continue to claim that MCAS malfunction is easily detected and all flight crews are at the ready with the runaway stabilizer checklist and using the cutout switches. Yet what has been shown with JT043 and JT610 is that the flight crews were not able to detect the MCAS malfunction as a runaway stabilizer. We don't know what happened on ET302 yet.

For the first time, Boeing admits MCAS is an extension of Speed Trim, which I have long suspected, and why it was designed with a single input. Speed Trim is constantly applying stabilizer trim commands in manual flight. This masks MCAS trim commands. Further, MCAS trim commands are effectively a slowover and in the case of the Lion Air flights, intermittent. These factors, combined with the flight deck effects from the high AoA value causing high workload, interfere with the expected human response.  There has yet to be any acknowledgement of this, rather the opposite by ignoring it.  The FAA repeatedly made the same assertion, the MCAS malfunction is easy to detect.

Another issue I think that the hazard assessment undervalues is the removal of the aft column cutout switch for MCAS commands. This feature is related to human factors as well, where a pilot encountering a nose over dive may not reliably trim stabilizer nose up, but rather will simply pull back on the yoke. Without the aft column cutout, and under the failures in the software today, but also possibly due to hardware failure, the MCAS commands can drive the stabilizer to an out of control situation. I understand why Boeing cannot use the aft column cutout switch with MCAS. I would then counter that MCAS failure is Hazardous. I would expect a second processor and hardware path to ensure no single hardware failure could drive MCAS trim commands (effectively FCC trim commands if by hardware failure). This feature already exists for autopilot command mode. Perhaps Speed Trim is also vulnerable.
When in the approach mode, the CPUs calculate the same roll and pitch commands. The CPUs compare these commands before they send them to the A/P actuators. When in autoland, the two processors look at sensor data to make sure the control surfaces move correctly. Also, both CPUs continue to look at engage and interlock signals. 
If the commands or signals do not agree, either CPU can disengage the autopilot. This occurs because the MCP needs the high and the low engage/interlock signal to engage the autopilot and keep it engaged. The CPU 1 can remove the high signal and the CPU 2 can remove the low signal.
The response to a stabilizer runaway is to cut out the electric trim. Nowhere does anyone caution about the consequences of using manual (turn the wheel manually) trim. The manual trim wheel can be very hard to turn if subject to high aero loads, and particularly if the elevator is commanded significantly (loading the stabilizer).



Centauraus, on pprune.org, provided an interesting post:
After some research in my aviation library I think I have found the answer to my original questions of the meaning of the Boeing term "relieving aerodynamic loads." 
Extract from the Boeing 737-200 Pilot Training Manual February 1982 page 04.80.31. Edited for brevity. Runaway and Manual Stabiliser - Recovery from Severe Out-of-Trim 
"In an extreme nose-up out-of-trim condition, requiring almost full forward control column, decelerate, extend the flaps and/or reduce thrust to a minimum practical setting consistent with flight conditions until elevator control is established. Do not decrease airspeed below the minimum maneuvering speed for the flap configuration. A bank of 30 degrees or more will relieve some force on the control column. This, combined with flap extension and reduced speed should permit easier manual trimming. 
If other methods fail to relieve the elevator load and control column force, use the "roller coaster" technique. If nose-up trim is required, raise the nose well above the horizon with elevator control. Then slowly relax the control column pressure and manually trim nose-up. Allow the nose to drop below the horizon while trimming. Repeat this sequence until the airplane is trim. 
If nose-down trim is required, slowing down and extending the flaps will account for a large degree of nose-up pitch. If this does not allow manual trimming then the reverse "roller coaster" can be performed to permit manual trimming." (I read somewhere it was called the Yo Yo manoeuvre) 
Boeing "Airliner" magazine published in May 1961 discussed the above subject as it applied to the Boeing 707 by stating: "To trim the stabilizer manually while holding a high stick force on control column. As the airplane changes altitude, crank in the desired trim change. Correct airplane attitude after a few seconds with elevators. Relax stick force again and crank in more trim. Repeat this procedure as necessary until proper 'trim' position of stabilizer is established." 
We learned all about these maneuvers in the 1950-60s. Yet, for some inexplicable reason, Boeing manuals have since deleted what was then - and still is - vital handling information for flight crews. 
Finally, author D.P.Davies comprehensively covers the subject of large trim changes, failure cases and Mach number effect on stabilizers, at pages 38 to 42 in his fine book "Handling the Big Jets," A good case for current airline pilots to buy his book as it is still the best on the market, IMHO
The standard response to just hit the stabilizer cutout switches and manually trim is actually flawed. If the nose has been pushed down by significant mistrim (nose down stabilizer, nose up elevator), and as airspeed increases, it may not be possible to trim the stabilizer manually nose up without letting the elevator go to a neutral position. The reality is that, under the MCAS runaway scenario, trimming nose up immediately stops MCAS as well as trims the stabilizer back towards an in-trim position. At that point, you would be best off to cut out the stabilizer.

Many flight crews may not know that you have to relax the elevator to manually trim the stabilizer if the loads are too high.

The Senate hearing brought out some interesting tidbits. Of course there were accusations that the FAA has delegated too much to Boeing. There was outrage that Boeing charged for the AoA indicator (to which Boeing has relented and will offer it as a no-cost option). FAA acting administrator Elwell made several key errors.
  1. Elwell claimed the aft-column-cutout switch function works with MCAS. It does not. He may have been confused by Boeing saying elevator has sufficient authority to offset a 2.5 deg. mistrim.
  2. Elwell claimed repeatedly that an MCAS malfunction was easy to detect as stabilizer runaway, and that every crew can deal with that. It has not been evident that MCAS malfunction is apparent to the flight crews, and as stated above, the recovery by cutout switch may leave the airplane under dire circumstances if reliant on manual trim.
  3. Elwell inexplicably claimed that the 737 MAX is fly by wire. It is not. Column moves cable which moves hydraulic actuator. Elevator feel system provides force feedback. This is fly-by-cable. 



The preliminary report from ET302 is expected in the next few days.


Stay tuned!


Peter Lemme

peter @ satcom.guru
Follow me on twitter: @Satcom_Guru
Copyright 2019 satcom.guru All Rights Reserved

Peter Lemme has been a leader in avionics engineering for 38 years. He offers independent consulting services largely focused on avionics and L, Ku, and Ka band satellite communications to aircraft. Peter chaired the SAE-ITC AEEC Ku/Ka-band satcom subcommittee for more than ten years, developing ARINC 791 and 792 characteristics, and continues as a member. He contributes to the Network Infrastructure and Interfaces (NIS) subcommittee developing Project Paper 848, standard for Media Independent Secure Offboard Network.

Peter was Boeing avionics supervisor for 767 and 747-400 data link recording, data link reporting, and satellite communications. He was an FAA designated engineering representative (DER) for ACARS, satellite communications, DFDAU, DFDR, ACMS and printers. Peter was lead engineer for Thrust Management System (757, 767, 747-400), also supervisor for satellite communications for 777, and was manager of terminal-area projects (GLS, MLS, enhanced vision).

An instrument-rated private pilot, single engine land and sea, Peter has enjoyed perspectives from both operating and designing airplanes. Hundreds of hours of flight test analysis and thousands of hours in simulators have given him an appreciation for the many aspects that drive aviation; whether tandem complexity, policy, human, or technical; and the difficulties and challenges to achieving success.

19 comments:

  1. It still ignores an underlying problem: if MCAS is needed for flight safety, how can you safely turn it off? If it is not needed for flight safety, why does it exist? And what are the numbers proving that it is sufficiently unlikely to engage on takeoff, which would kill everyone even if the pilots did everything right?

  2. This is a surprisingly complex piece of kit.
    No KISSier solution available?

    Replies
    1. Yes, for function this is a horribly over-engineered and expensive solution to a stunningly basic output requirement.

      A single military quality or sealed potentiometer would suffice, and looking at the FDR plot for this unit I'm forced to ask WHY this signal needs an Analogue to Digital (A/D) conversion at all - unless it's resolution, but I will check on that.

  3. Think you found the explanation for ET302 crash. After cutout in a dive, you cannot trim manually quickly. In addition blowback can stop elevator!

  4. In fact the inability to wind back the trim manually under high elevator load is the only reasonable explanation for the second crash. For sure every 737 pilot was aware of the MCAS and the cutout switches after the AD following the LionAir crash. But the AD did not warn for this trap you describe.
    Thank you for sharing all your well thought analysis including corrections as facts evolve. IMHO best info on MAX here together with Bjorn Fehrm / Leeham.

  5. Ron Belt March 30, 2019
    Peter, you mentioned, “The level of offset was identical JT043 and JT610, so I would have to assume it would have been present when installed, if they checked.”
    In response, I believe it may be possible that the testing process used after the installation of the new AoA sensor prior to the JT043 flight may have been the cause of the 22.5° offset. My reasoning is as follows.
    It is known that the range of rotation of the Rosemount 0861FL AoA sensor on the B737NG and B737MAX aircraft is ±110°. (See photo and drawing below, which show the F/O’s RHS sensor. The captain’s LHS sensor is the same 0861FL sensor flipped over about the horizontal [-A-] axis in the drawing).

    However, the report quoted above implies that the vane of the AoA sensor has no such end stops, because it states that if the main gear on the vane shaft becomes loose, then the vane can be rotated completely around 360°. Therefore, the end stops limiting the range of rotation of the AoA sensor must be elsewhere inside the sensor housing. Now, a review of the specifications of many types of resolvers on the internet shows that all resolvers have limitations on the ±angles they can be rotated through. This implies that the resolvers have stops inside them to prevent them from being rotated beyond their maximum angles of rotation. This implies that the maximum angle of rotation of the AoA sensor vane is limited by the stops in the resolver, and not by any stops on the vane or the shaft on which the vane is installed. Therefore, if one applies too much force to the AoA sensor vane to pin it against one of the stops, it is possible that this force can cause a slipping of the main gear on the vane shaft, causing the vane to be offset from the resolver while the resolver continues to read the same value because it is up against the stop inside the resolver. Therefore, an offset can be created between the vane angle and the resolver output angle.
    Now, we know from the maintenance records for the aircraft of flights JT043 and JT610 that an installation test was done after replacing the AoA sensor before flight JT043 because the maintenance engineer noted on 27 October 2018 that: “For troubleshooting due to repetitive problem perform replaced the angle of attack sensor in accordance with Aircraft Maintenance Manual (AMM) Task 34-21-05-000-001 and task 34-21-05-400-801 carried out. Installation test and heater system test result good”.
    But the Aircraft Maintenance Manual actually specifies TWO types of reference checks that can be performed:
    A recommended test using a test fixture similar to the one shown below. (Notice that it uses the two tooling holes on the AoA sensor to register the correct angular position). A maintenance technician outside the aircraft sets the AoA sensor vane to the angles 0°, -10°, and 10°, respectively, and either the same technician, or perhaps a different technician, checks the output of the ADIRU to see if the same angles are provided to the SMYD display.

    In the absence of a test fixture, a quick check can be done by setting the AoA sensor vane to the angles 0°, -100°, and +100°, the latter of which are the end stops of the vane travel. The output of the ADIRU is again checked to see if the same angles are provided to the SMYD display.

    Replies
    1. 0861FL1 assy has Travel stops at + - 105 DEG (from AOA Vane Dowel Points, which is also the Airplanes Azimuth line).
      It is not the Resolvers that limits the Maximum Travel, it is a Hard stop that stops the Counterbalance Weight. There is also a Viscous damper that will cushion any rapid Vane movements, i.e. by wind gusts on the ground.

    2. Per the picture from this article, it confirms the Rosemount 0861FL:

      https://www.heraldnet.com/nation-world/not-just-the-737-angle-of-attack-sensors-have-had-problems/

  6. Ron Belt March 30, 2019
    The first reference check cannot cause an offset in the vane-to-resolver output angle. However, the second reference check CAN cause an offset in the vane-to-resolver output angle if the technician setting vane angle applies too much force while setting the vane against the end stop. Specifically, if the last angle to be tested is +100°, then the AoA sensor output will be offset in the positive direction as observed in the JT043 and JT610 flights. This offset will not be observed during the test because the resolver output remains pinned at its +100° output value. Only if the last angle to be tested is different from the +100° end stop setting will an offset be observed in the AoA output during the test.

    One further observation. Several posters have commented that the captain’s LHS AoA sensor that had an offset of 22° on flights JT043 and JT610 appeared to have a higher random noise on it than the F/O’s RHS AoA sensor. This may be the result of defective fluidic damper inside the captain’s LHS AoA sensor. This may indicate that the replacement LHS AoA sensor installed on flights JT043 and JT610 was, in fact, a reworked AoA sensor, which may explain why investigators want to review the procedures at the AoA sensor rework facility in Florida as well as the AoA production facility in Minneapolis. And if the sensor was a reworked sensor, perhaps the gearing between the vane and the resolver was not torqued high enough to prevent offsets being induced by pressure of the vane against the end stops.

  7. Ron Belt 30 Mar 2019
    Peter,
    The Boeing 747 uses Rosemount AoA sensor P/N 0861HB, which has two resolvers. The Boeing 737NG and 737MAX use Rosemount AoA sensor 0861FL or 0861FL1, which have only one resolver. This means that on the B737, the left ADIRU and the left SMYD get their information from the same left AoA sensor output and the right ADIRU and the right SMYD gets their information from the same right AoA sensor output.

    Replies
    1. Correction to Anonymous:
      The 737NG and 737MAX uses PN: 0861FL1 Rosemount AOA Sensor.
      This Part Number has TWO Resolvers and a Viscous damper.

  8. A faulty SMYD computer may short SIN to GND and the FCC would also see 0v in SIN. Two sensors will not fail in a row, unless the plane breaks them.

  9. Boeing fix description items 3 & 4 kind of contradict - any failure condition that lead to repeated separate high AOA events would, it appears, repeatedly trigger MCAS. Are repeated AOA spikes known to happen? - er... QF72 anyone? There is also a reddit post about AOA vane oscillations being known to occur in certain flight conditions: https://www.reddit.com/r/flying/comments/b08h03/737_max_mega_thread/eidycdx/

  10. Peter in question to this statement:
    " Examination of the main gear revealed that the set screw that secured it to the shaft was not fully tightened: the overhaul manual specifies an assembly torque of 4.0 ‐ 4.5 inch‐pounds for this item"

    Should not that Gear be set on a " Keyed " shaft? Why would something so critical be given over to a " set screw?"

    Replies
    1. Exactly- set screw on a shaft works great for toys and record players. proper would be a D-shaped shaft with set screw or even a three sided shaft- collar arrangement with three set screws or better a D-shaped shaft with a split ring to control fore and aft. It is amazing that the so called reliability records seem to show absent a bird strike or ramp rash or tighter is better or to fit it force it issue, they last the normal life of the airplane ??

  11. Peter, in response to the statement:
    " Examination of the main gear revealed that the set screw that secured it to the shaft was not fully tightened: the overhaul manual specifies an assembly torque of 4.0 ‐ 4.5 inch‐pounds for this item. "

    Why isn't that gear " set " on a keyed shaft? Why would something so critical be given over to a " setscrew?"

  12. By Ron Belt, 23 April 2019

    Today’s edition (April 23, 2019) of the Minneapolis Tribune has an article about the Cirrus Model SF50 aircraft, telling that all 150 of these aircraft in the field have been grounded recently by the FAA because of three incidents involving the stall warning and protection system (SWPS). Quoting from the newspaper article: “The first incident occurred in November [2018] while an SF50 was under manual pilot control. In that case, the airplane activated several downward pitch commands along with stall warning, stick shaker, and several associated alerts. The pilot was able to stop the automatic pitch commands by pressing and holding an autopilot disconnect button and was able to safely land at the intended destination. In the second incident, the pilot reported a stall warning and stick pusher failure in flight. In the third case, the airspeed indicator went red and the stall warning and stick shaker were heard and felt while on descent. The autopilot was disengaged and the pilot was able to land without incident”.

    Quoting further from the newspaper article: “The FAA noted that Cirrus and Aerosonic, the Florida company that manufactures the sensor in question, have identified the probable root cause of all three flying incidents: a malfunction in the AoA sensor because of a quality control problem on the assembly line. The quality problem was narrowed down to two sets of sensor screws having improper torque and threading issues. The FAA has ordered that all AoA sensors on the SF50 models be replaced”.

    Although these three incidents differ from the Boeing 737Max incidents by involving a different aircraft, different electronics, and different AoA sensor manufacturer, they are astonishingly similar in their effects on the aircraft’s stall warning system and in the implication of a defective AoA sensor as being the suspected cause. And while the AoA sensors in question may have a totally different design, it is interesting that the FAA has narrowed down the root cause of the AoA sensor defect to “two sets of sensor screws having improper torque and threading issues”. A look at Emergency Air Worthiness Directive for this issue (AD No. 2019-08-51 dated April 18, 2019) reveals that the two screws in question are: “Two set screws that secure the potentiometer shaft to the AOA vane shaft [that] may have improper torqueing and no application of thread locker (Loctite) to secure the two set screws”. This could cause an offset in the AoA sensor output, just like that found in the two B737MAX incidents.

    For further information, see Air Worthiness Directive AD No. 2019-08-51, available at: (http://rgl.faa.gov/Regulatory_and_Guidance_Library/rgad.nsf/0/448c46c035e93a6e862583e0007291d8/$FILE/2019-08-51_Emergency.pdf)

  13. Good work Mr. Lemme. My name is John Knox. I worked in flight control design staff at Lockheed Georgia during 1967-1983. I am not conversant with Boeing aircraft. I agree with your analysis in regard to the Boeing fix. I have some questions. As you say fix 1 should have been there. The aircraft had two sensors. It is difficult to explain why both were not used. Where did the 5.5 deg. difference originate. What is the probability that MCAS can initiate with this difference?
    Fix 2. I agree with your comments.
    Fix 3 relieves the intermittent action that should never have been there. How did MCAS originate? It came from flight test I'm sure but what maneuvers? I can’t see how these intermittent actions would make the aircraft more like NG or do anything but confuse the pilot and design for a runaway trim. Where was the Failure Effects and Mode Analysis (FMEA) team? It seems to me failure effects analysis was severely lacking in the design process. Has the system ever actuated in operational flight? Stall rarely occurs in high speed flight. Reliability analysis may show that one is safer without MCAS. However I don’t think Boeing would have MCAS unless there was a critical need perhaps due to the forward cg and engine causing a critical fast stall condition that makes the system flight critical. Then you have to have a system that not only needs to have protection from sensor faults but also has a reliable sensor input at all times. I think the MIL spec. would require three sensors.
    Fix 4. Failure modes should be investigated.
    Fix 5. Why isn’t elevator and stab position used to indicate mistrim and limit stabilizer position so that 5 always will hold. Why is the stabilizer used in MCAS as opposed the elevator that one would normally use for stall prevention? The stabilizer has probably over twice the elevator control power and is slow to respond and can cause run away trim. I have never seen the stabilizer used for stall prevention.

    Fix 6. This is what Boeing first said. Also from Boeing on this subject,
    “The reason for this design decision being that providing the pilot a way to easily override would negate why MCAS was implemented, the Pilot pulling so hard on the Yoke that the aircraft is flying close to stall. In other words, MCAS is a mechanism installed to correct an already present pilot error. Logically, this corrective intervention by the flight computer can only be cancelled through a dedicated operating sequence. It's also worth mentioning that even extreme yoke action, working on the elevators only, is not able to fully compensate extreme stabilizer positions, the control surfaces MCAS uses (apart from, I suppose, creating unpleasant flight characteristics).
    Huh? Why does Boeing disable the column cutout when MCAS is on? The elevator lacks enough control power? Does the pilot have to use the control wheel? This can be difficult or impossible under conditions.

  14. Lot of BS here - all design decisions and redundancy choices should always be based on documented component reliability and specified safety goals. A sensor with an MTBF of only 93,000 hours should have been unacceptable to the FAA. With a total fleet of 1000 aircraft flying 10 hours per day, a failure should be expected every five days! What a farce.
