Boeing software fix for 737 Max

The hardware is already there. The aircraft already has two AoA vanes, the fix is to use both of them instead of just one.

Do you think that MCAS is a PID controller?

The MCAS is a control system; PID is one single controller. MCAS may have hundreds of controllers, signal conditioners, filters, etc. Are you saying that MCAS has no PID controllers?

I get it, Richard Pearce. If I understand correctly, there are two vanes - one on each side. Based on my work with Safety Instrumented Systems, the lesser risk lies in 2oo3 (triplex) voting than in 2oo2 voting (duplex) and hence the question.

I wonder if there couldn’t be a single kill switch in cockpits that would disarm all auto-pilot or auto-anything controls leaving the aircraft flyable by manual pilot inputs only. It seems in an emergency where the pilots don’t understand why the aircraft is behaving erratically, activating the kill switch could help with any confusion over what system is currently making inputs to the aircraft.

I thought the B1 was Rockwell and B2 was Northrup. Did Boeing license manufacture or something?

Sure, though it’s still not foolproof. I suspect that by using 2oo2 *and* limiting the MCAS to just one trim input they’ve reduced the risk to an acceptable level. They’ve made spurious activation far less likely and they’ve also made it more manageable.

Sidebar:

The advert I’m getting on Tapatalk under this thread is “Air Canada now hiring!”

As I understand it, there are already kill switches for each of the individual aspects of autopilot. Pilots can just turn off the one that’s causing a problem while keeping the helpful ones. In an emergency, would you really want to suddenly double your workload by having to manually configure thrust, trim, speed brakes, etc. while taking into account weight imbalances, engine thrust variances, air pressure, airspeed, and a dozen or more other things that change how the plane responds to control inputs?

The problem with the MCAS is pilots weren’t properly informed about this autopilot-like functionality. Boeing said there was no meaningful difference between the MAX 8 and the previous version that would require additional training. And most airlines trusted Boeing’s claim, only requiring their pilots to undergo an hour or so of tablet-based (e.g. on an iPad) training.

The problem is when the pilot doesn’t know which system is causing the problem. As a stab in the dark or a last resort, a pilot may happily double his workload if it would mean disabling a system causing critical problems and the pilot doesn’t know what system it is. ISTM that a flight computer has its fingers in so many pies at any given time that it might be hard for a pilot to know exactly what the computer is doing to what system and when.

I just thought there could be instances (e.g. the Indonesian and Ethiopian crashes perhaps) where a confused pilot might wish to go back to basic manual flying since he/she doesn’t understand what the computer is doing to his/her plane. Land the plane by hand at the nearest airport, have a beer and curse Boeing later.
ETA: Or maybe these jets today are impossible to fly manually? Still, there must be a difference between work the computer does that helps a lot and saves pilot effort but has little bearing on the actual control of the plane, and things the computer does that actively affect the flight of the aircraft. The latter would be the things I postulate could have a kill option.

They were already in manual flight, it is one of the prerequisites for the MCAS to operate in the first place. I’m not sure having an “all automation OFF” button would’ve helped because I don’t think they realised it was an automation problem they were dealing with.

It depends on what you mean by “manually”. There will always be artificial systems between the control surfaces and the pilot’s controls, whether they be mechanical or computer. But even fly-by-wire aircraft can be reduced to a state where control input has a direct relationship to control surface deflection, and they fly just fine. That said, the B737 is not fly-by-wire and so if the autopilot, auto-thrust, and auto-trim are turned off, it is fully manual.

I’m saying that MCAS is a fuzzy logic control system, that is, a non-linear controller using a mixture of analog and discrete inputs, running on a general purpose processing unit. As I said above, I don’t think that it runs on a fuzzy logic controller unit.

Fuzzy logic was positioned as an alternative to Programmable Logic Units and PID controllers, combining the features of both. The poster above wondered if fuzzy logic would be suitable. My reply is (again) that it is suitable, but not using the hardware originally suggested.

I believe you that the control system in question uses fuzzy logic, but that means something specific: surely you can have a non-linear controller that uses a mixture of analog and discrete inputs but no fuzzy logic whatsoever?

As an interesting further illustration, here is an Avherald account of the A321 flight where two AOA sensors froze at the same time to the same incorrect high value during an entire flight.

While the Airbus has three AOA sensors, the system disregarded the correctly working third sensor because it disagreed more than the allowed value with the two malfunctioning sensors.
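An added illustration of the two voting schemes discussed in this thread (2oo2 that inhibits on disagreement, versus 2oo3 majority voting) replaying the A321-style case where two frozen vanes outvote the one good one. This is example code written for this page, not Boeing's or Airbus's logic; the tolerance, trigger and readings are constructed.

```python
from statistics import median

AOA_TOLERANCE = 2.0      # constructed: max allowed vane-to-vane spread in degrees
MCAS_AOA_TRIGGER = 12.0  # constructed: AoA above which the consumer would trim

def vote_2oo2(left, right, tolerance=AOA_TOLERANCE):
    """Duplex scheme: accept only when both vanes agree; otherwise return None.
    None is the 'AOA DISAGREE' state, which must inhibit the consumer instead of
    letting it act on either vane alone."""
    if abs(left - right) > tolerance:
        return None
    return (left + right) / 2.0

def vote_2oo3(readings, tolerance=AOA_TOLERANCE):
    """Triplex majority vote: drop any vane that strays from the median by more
    than `tolerance`, then average the survivors. Two vanes that agree with
    each other always win, even when they are the faulty pair."""
    if len(readings) != 3:
        raise ValueError("2oo3 voting needs exactly three readings")
    m = median(readings)
    survivors = [r for r in readings if abs(r - m) <= tolerance]
    return sum(survivors) / len(survivors)

def mcas_permitted(voted_aoa, trigger=MCAS_AOA_TRIGGER):
    """The consumer only acts on a valid voted value; a disagreement inhibits it."""
    return voted_aoa is not None and voted_aoa > trigger

def replay_scenarios():
    """Constructed readings: one stuck-high vane (a single-sensor fault) and
    two vanes frozen on the same high value (the A321 common-mode case)."""
    single_fault = (20.0, 2.0, 2.5)   # left stuck high, right and third sane
    common_mode = (16.0, 16.0, 3.0)   # two frozen high, third correct
    return {
        # duplex inhibits on the single fault but is blind to the frozen pair
        "2oo2 single fault": mcas_permitted(vote_2oo2(*single_fault[:2])),
        "2oo2 common mode": mcas_permitted(vote_2oo2(*common_mode[:2])),
        # triplex tolerates the single fault but outvotes the one good vane
        "2oo3 single fault": mcas_permitted(vote_2oo3(list(single_fault))),
        "2oo3 common mode": mcas_permitted(vote_2oo3(list(common_mode))),
    }

if __name__ == "__main__":
    for name, activates in replay_scenarios().items():
        print(f"{name:>18}: MCAS {'would' if activates else 'would not'} activate")
```

Both schemes act on the frozen pair, which is why sensor voting alone does not remove the need for the crew alerting and training discussed later in the thread.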

The pilots should always be able not only to turn the robot off but also to pull harder if necessary (if they don’t realize they should turn it off). ISTM the problem with MCAS was not so much that the robot was “super strong” but that it was super insistent.

There is actually a switch for exactly that purpose installed in the cockpit (Stabilizer Trim cut-off switch). The crash(es) could have been avoided with something as simple as flipping a switch, BUT Boeing wanted to sell the MAX version as equivalent to the NG version, i.e. no conversion training needed. So the pilots never got instructed that there is a new system installed which might actuate the stabilizer trim. So they did not have the training to react properly to an MCAS malfunction since they did not even know that it is there.
Additionally, for the same reason as above, Boeing did not add any MCAS malfunction warning messages to the system, so the pilots were expected to diagnose a problem during a critical flight phase based on symptoms alone for a system they knew nothing about.

The MCAS problem is both a training / information and a system design problem. You can either design a system which fulfills a high safety category requirement (similar to e.g. flight computers in full fly-by-wire aircraft), which means redundant computing units and triple redundant sensor inputs, or you can use a lower safety level, but then you need to inform and train the pilots what to do when the system fails (or a combination of both).

As it is, Boeing failed in both regards. They did not provide a training syllabus on the system and their design probably does not fulfill the required safety level anyway.

Seems to me that this is the key consideration - the “safety requirement”.

I assume there are formal requirements in this regard. Do they cover this, the necessary degree of redundancy? Even if they do, I suppose there are different ways to interpret things.

Are there objective standards to which Boeing can be compared or is there some sort of assumption that Boeing, like other such companies, will make their own, at least equally strict ones?

If the FAA (or some other governmental body) finds that Boeing failed to comply with the ‘objective’ standards, are the penalties strictly financial? In theory, at least, could some Boeing people go to prison? Could they be convicted of, say, manslaughter or criminal negligence?

That’s a pretty standard fault-tolerant setup, actually.

The guiding regulation here is 14 CFR 25.1309.
The regulation itself is not very detailed. Details are explained in the so-called Advisory Circulars (e.g. AC 25.1309 (PDF)).

If you install equipment in an aircraft, what you do is to assess the functions that this equipment provides. Each of these functions is assessed as to its criticality. There are five categories of severity:

  • No safety effect: Failure of this equipment does not influence the safety of the aircraft (e.g. passenger entertainment system).
  • Minor: Failure conditions which would not significantly reduce aeroplane safety, and which involve crew actions that are well within their capabilities. These failures may involve slight flight plan changes or some passenger discomfort.
  • Major: Reduces safety margin to a significant extent, a significant increase in crew workload or impairing crew efficiency, or discomfort to the flight crew, or physical distress to passengers or cabin crew, possibly including injuries.
  • Hazardous: Such a failure leads to e.g. physical distress or excessive workload on the crew such that they cannot be expected to perform their duties accurately, or severe injuries to or death of a small number of passengers.
  • Catastrophic: Multiple fatalities, loss of aircraft.

Depending on the severity, your system then needs to have a certain reliability, e.g. the probability of failure for a function classified as Major must be remote (i.e. smaller than 10^-5). These probabilities are defined for all the listed severities.

Except for Catastrophic failures, there is no explicit prescription in the regulation that you need to have backups / redundant systems although this is usually the norm for systems which are classified as Major and above since it is not practical to show such high reliability for single pieces of equipment.

The following is what I heard / read, so take this with a grain of salt:
AFAIK, incorrect trim activation by MCAS was classified as Major. If you read through the description above, this is not particularly wrong (although you could also argue for a Hazardous classification) since you can argue that you can switch the system off easily and that a switched off system does not significantly reduce safety margins.
Here is where the training and the crew alerting I wrote about before come in, because even a Major failure can end in catastrophe if the crew is not properly alerted to the failure and not trained how to react to it.

WRT criminal or civil penalties I have no idea. IANAL, but if I had to guess, criminal penalties usually only come into play when there was a clear case of negligence and not “only” someone being wrong.

Just as a minor clarification, this makes it sound like there is a switch labeled “Stabilizer Trim Cutoff”. The reality is subtly but perhaps importantly different. There are actually two switches, and they are labeled differently in the MAX than in previous generations of 737, and moreover, they were moved to different positions in different models. In previous generations they were labeled “MAIN ELECT” and “AUTOPILOT” under the “STABILIZER TRIM” heading, and could be moved to the “CUTOFF” position after removing a protective lock. In the MAX, they are labeled “PRI” (primary) and “B/U” (backup). The bulletin issued by Boeing after Lion Air states that both must be moved to “CUTOFF”. I guess my point is that if you haven’t been trained to expect this kind of behavior from the MCAS, the relevance of these switches is far from obvious. The pilots on the previous Lion Air flight with that same aircraft managed to figure it out with the help of a third pilot who happened to be riding in the jump seat. The pilots on the doomed flight never did.

This appears to be a key point about this whole thing.

There was, in fact, a malfunction warning system related to malfunction of the critical angle of attack sensors, but as said earlier Boeing inexplicably made this an option. There were actually two options related to this, one which gave actual AOA readings, and another which was a warning light signaling disagreement between the two sensors. Some airlines like Air Canada ordered both, others like WestJet had only the “disagree” warning. The Lion Air plane apparently had neither.

Thanks for the clarification. I checked again and you’re right, the FAA airworthiness directive says that you need to move both switches to the cutoff position. The System Differences training manual page that I saw says that you only need to set the PRI switch to Cut-out which removes power to the B/U switch in case of trim runaway.

I meant more a specific MCAS warning, since the pilots would still have to get from AOA disagree to MCAS failure. But yes, an AOA disagree warning already helps a lot.