PPRuNe Forums - View Single Post - Indonesian aircraft missing off Jakarta
15th Nov 2018, 05:23
#1248
tdracer
 
Originally Posted by silverstrata


What Boeing were trying to guard against with MCAS, is a repetition of the Sept 2007 pitch up event at Bournemouth, where a 737 pitched to 44 degrees nose up during a stall event. This happened because as the aircraft approached the stall the pilot gave full thrust to alleviate the stall, and because the engine pitch moment is greater than the elevators (when flying at slow speeds), the engines can overcome elevator authority and pitch the aircraft up uncontrollably.
<snip>
I think MCAS needed to be much more sophisticated, than a simple stall alleviation device. In fact, it is likely that the 737 needs a complete rethink and revision of its control system, which was designed in 1963 for the 727. There is only so much design-firefighting you can do, with a 60 year old design.

Silver


Silver, not really disagreeing with anything you wrote. I doubt you'd get much argument that MCAS needs a serious re-think.
Sadly, this wouldn't be the first time that the 'fix' for an accident cause was a main contribution in another accident. I rather doubt it'll be the last...
Cranbrook 737 crashed because - as a safety enhancement - Boeing disabled the thrust reverser in-flight by closing the T/R hydraulic isolation valve, which allowed the T/R to re-deploy when they rejected the landing to miss the snowplow - https://aviation-safety.net/database...?id=19780211-0
Lauda 767 crashed because a reverser deployed in-flight when a mis-rigged sensor caused the auto-restow system - implemented to prevent a repeat of Cranbrook - to allow the isolation valve to open in flight. (Lauda is a bit personal and a very bad memory for me - auto-restow wasn't my system, but I was deeply involved in the investigation - I was half-sick for weeks - made worse because the effective gag order in effect during an accident investigation meant I couldn't talk to anyone about what was going on.)
I'm reasonably sure MCAS was properly certified, with the associated FMEA (Failure Modes and Effects Analysis), and perhaps an SSA (System Safety Assessment) - at least in the Propulsion world FMEAs are not probabilistic (basically shows no single failure is unsafe) and the SSA covers the probabilities for multiple or combinations of failures.
Again, I'm not involved and have no direct knowledge of what happened, but I can guess: Someone did an FMEA of MCAS - determined that the worst case failure was no worse than a stab trim runaway, which has a procedure - and decided it was acceptable. The people that reviewed it (including, in all likelihood, an FAA specialist) didn't dispute that - not recognizing how bad it might be if an overloaded crew didn't figure out what was happening.
I'm also reasonably sure there are some 737 flight control types who are pretty sick about it right now. I've never had an accident or serious incident attributed to a system that I was responsible for (and I pray that remains the case). But I know how the Lauda investigation affected me and trust me, it wasn't pretty. I can only imagine how much worse it would be if it was my system...
When it's all said and done, and a fix is certified and implemented, I have little doubt there will be some retirements and/or resignations among the 737 flight controls ranks - perhaps worse.