PPRuNe Forums - View Single Post - Ethiopian airliner down in Africa
13th Mar 2019, 13:09, post #1012
PiggyBack
Originally Posted by Cleared Visual:
Although I am not a pilot, I have some experience in testing (non-aviation) automated systems and have seen some poorly written code before. I think Silverstrata summed up a simple fix that might be a step in the right direction.

I am responsible for developing safety-related systems and although the 'spirit' of the suggestion may be sensible, even a simple fix is actually more complex and requires more consideration than is immediately obvious. The MCAS feature is important for safety, so adding code that can disable it should not be done without careful consideration. It will double the probability of a failure, although making the failure behaviour different (disabled). Should the pilot be warned it is disabled? If so, in what manner and under what conditions?

The actual code is not as straightforward as suggested. The two AoA sensors will frequently not read exactly the same and the readings will be noisy, so when they are compared the output of each AoA sensor must be filtered and the comparison must allow a tolerance window. What if the disagreement is intermittent? Should the system re-enable itself or stay off?

We should consider other solutions, for example limiting the maximum trim that can be applied or considering the state of other controls. The point is to select a solution which is safe under normal and foreseeable fault conditions. The impact on the pilots and general human factors under normal and fault conditions also have to be considered. The first solution we think of may be a good one, but we can't afford to make changes without making sure everything has been considered.
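Added example, not part of the post above and not code from any aircraft system: a sketch of the dual-sensor cross-check the post describes, with per-sensor filtering, a tolerance window, a persistence count, and a `latch` flag that selects between the "re-enable itself" and "stay off" policies. Every name, constant and the test scenario are assumptions constructed for illustration.

```c
#include <stdbool.h>

/* All constants are constructed for illustration, not taken from any aircraft. */
#define ALPHA         0.2f  /* low-pass filter coefficient */
#define TOLERANCE     5.0f  /* allowed filtered difference, degrees */
#define TRIP_SAMPLES  5     /* consecutive disagreeing samples before disabling */
#define CLEAR_SAMPLES 20    /* consecutive agreeing samples before re-enabling */

typedef struct {
    float f1, f2;   /* filtered readings */
    int bad, good;  /* consecutive-sample counters */
    bool primed;    /* filters seeded with the first sample */
    bool disabled;  /* function inhibited; a crew alert would key off this */
    bool latch;     /* policy: true = stay off once tripped */
} aoa_monitor;

/* Feed one pair of raw samples; returns true while the function may act. */
bool aoa_monitor_step(aoa_monitor *m, float raw1, float raw2)
{
    if (!m->primed) { m->f1 = raw1; m->f2 = raw2; m->primed = true; }
    m->f1 += ALPHA * (raw1 - m->f1);
    m->f2 += ALPHA * (raw2 - m->f2);
    float d = m->f1 - m->f2;
    if (d < 0) d = -d;
    if (!(d <= TOLERANCE)) {            /* written so NaN counts as disagreement */
        m->good = 0;
        if (++m->bad >= TRIP_SAMPLES) m->disabled = true;
    } else {
        m->bad = 0;
        if (m->disabled && !m->latch && ++m->good >= CLEAR_SAMPLES) {
            m->disabled = false;
            m->good = 0;
        }
    }
    return !m->disabled;
}

/* Constructed scenario: n noisy agreeing samples, sensor 2 stuck at 22 deg for `fault`, then `recover` agreeing. */
bool run_scenario(bool latch, int n, int fault, int recover)
{
    aoa_monitor m = { .latch = latch };
    bool ok = true;
    for (int i = 0; i < n + fault + recover; i++) {
        float noise = (i % 2) ? 1.0f : -1.0f;
        bool stuck = (i >= n && i < n + fault);
        ok = aoa_monitor_step(&m, 5.0f + noise, stuck ? 22.0f : 5.0f - noise);
    }
    return ok;
}
```

Even this small version has four tunable parameters and a policy flag, each of which changes behaviour under an intermittent fault.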