PPRuNe Forums - View Single Post - Ethiopian airliner down in Africa
Old 15th Mar 2019, 22:17
#1548
FCeng84
 
Join Date: Feb 2009
Location: Seattle
Posts: 379
Originally Posted by Just This Once...


I keep reading such explanations but to be clear, MCAS is always powered on. When and where it functions is defined by software alone. As such this is safety-critical software and should meet the highest assurance levels. The designer did not wish for the aircraft to crash and may have set all the protection methods they could think of as credible design goals. We have yet to learn if MCAS, as implemented, did respect the AP selection, flap configuration or anything else the designer had in mind.

MCAS being 'live' when it should not have been remains a plausible explanation. It ticks all the boxes for a latent failure - no direct indication to the crew, no failure modes displayed, no routine interaction with other systems, no BITE or similar and does not drive the stab at any point during a normal sortie. As long as it thinks the AoA is ok it does nothing.

Time will tell if functions like trim cutout, AP cutout, configuration cutout etc. actually work. Given that the system seems to be blissfully unaware of the actual flight dynamics beyond simple unmonitored raw sensor data and will willingly fly the aircraft into the ground, I remain reluctant to accept the claimed operating envelope as gospel.

I guess I have spent too many years flight testing aircraft and my level of 'trust' has been swamped by 'verify'. As an aside, flight testing has become inconvenient in the last 15 years or so. We get more facetime and interaction these days post-crash - everyone is 'all ears' at that point. We need to get flight testing and training verified before an aircraft is released to the line. Kicking over aluminium at an accident site is just too late.
Just This Once - I am glad to hear your reluctance to take software designers' word for proper function and robustness to failure without rigorous validation and verification testing. That attitude drives the diligence that has brought the safety of our industry to such a high level. Let's not lose that as we move forward. With regard to MCAS and the Lion Air event, the response of the control system and the airplane as revealed via the flight data recorder was entirely consistent with intended MCAS functionality given the errant AOA signal it was following and the flight crew inputs. In addition, Boeing assures us that all of the interlocks and protections in the MCAS engagement logic that you reference were rigorously tested.

As I have stated before, I think a key element in evaluating the safety of any system (aviation related or otherwise) that involves operator interface is clearly stating what the assumptions are with regard to how the operator will respond to the various scenarios that he or she will encounter. Those assumptions then need to be evaluated and challenged before they can be relied upon as part of the foundation of a safe system. From all that has been written about the motivation for MCAS and the way it operates I believe that the baseline MCAS design assumed the following:
(1) If the flight crew uses their pilot commanded electric trim (thumb switches) they will not stop trimming for more than 5 seconds until the column force has been trimmed to (or close to) zero.
(2) Repeated events of the automatic stabilizer control running the stabilizer away from trim when starting from an otherwise trimmed, relatively steady flight condition will be recognized by the flight crew as errant behavior of the automatic stabilizer control system and that the flight crew response will be to activate the stabilizer cutout switches to disable further automatic stabilizer control commands.
(3) The impact of an errant AOA signal feeding into MCAS would be acceptable at the expected failure rate based on assumptions (1) and (2) above.

Much of what we have discussed for a couple of hundred PPRuNe pages across several threads over the past four-plus months has been essentially the merits of these three assumptions. I suggest that a good way to evaluate the MCAS updates that Boeing is about to introduce will be to ask what pilot responses they assume. Furthermore, I recommend that we check the revised design specifically against these three assumptions to see which of them are no longer needed to declare MCAS safe. If the new design includes provisions that eliminate dependence on all three of these assumptions I will have much greater peace of mind the next time that anyone (particularly anyone I care deeply for) flies into the back of a 737MAX.
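The three operator assumptions FCeng84 lists can be turned into a small executable model, which makes the "what pilot response does the design assume?" question concrete: drop one assumption and watch what the automatic trim does to the stabilizer. The model below is an added example written for this page; it is not code from the post, from Boeing, or from the airplane. Every rate, travel limit and run/pause timing in it is a constructed placeholder chosen only to make the interaction visible, and the crew behaviours (reaction delay, trim budget, number of runaways before using the cutout) are assumed knobs, not measured human performance. The one number taken from the post is the 5-second inhibit after pilot electric trim in assumption (1).

```python
"""
Toy discrete-time (1 s per step) model of the interaction between an
errant-AOA-driven automatic trim command and the three crew assumptions:
(1) pilot electric trim interrupts the automatic command and inhibits it
    for 5 s, and the crew keeps trimming until back in trim;
(2) repeated runaways are recognised and the cutout switches are used;
(3) an errant AOA input is tolerable only if (1) and (2) hold.
All constants below are constructed placeholders, not airplane values.
"""
from dataclasses import dataclass
from typing import Optional

STAB_LIMIT = 10.0   # constructed: full nose-down stab travel, arbitrary units
AUTO_RATE = 0.5     # constructed: automatic nose-down trim, units per second
AUTO_RUN_S = 10     # constructed: seconds one automatic activation runs
AUTO_PAUSE_S = 5    # constructed: pause before the automatic function re-arms
PILOT_RATE = 0.5    # constructed: pilot electric trim, units per second
INHIBIT_S = 5       # from the post: automatic trim inhibited 5 s after pilot trim


@dataclass
class Crew:
    """Assumed crew behaviour; None means 'never'."""
    reaction_s: Optional[int] = 2        # delay before trimming against a runaway
    trim_budget_s: Optional[int] = None  # stop trimming after this many seconds
                                         # (a violation of assumption 1)
    cutout_after: Optional[int] = 2      # use the cutout after this many
                                         # automatic activations (assumption 2)


@dataclass
class Outcome:
    activations: int      # automatic activations that started
    cutout_engaged: bool
    min_stab: float       # most nose-down mis-trim reached (0 = in trim)
    final_stab: float


def simulate(crew: Crew, aoa_errant: bool = True, flaps_up: bool = True,
             duration_s: int = 120) -> Outcome:
    stab = 0.0                 # 0 = trimmed, negative = nose-down mis-trim
    activations = 0
    cutout = False
    auto_run_left = 0          # seconds left in the current activation
    auto_pause_left = 0        # seconds left before re-arming
    inhibit_until = -1         # last second pilot trim inhibits the automatic command
    runaway_seen_at: Optional[int] = None
    trimmed_for = 0            # seconds of pilot trim spent so far
    min_stab = 0.0

    for t in range(duration_s):
        # Assumption (2): crew recognises repeated runaways and flips the cutout.
        if crew.cutout_after is not None and activations >= crew.cutout_after:
            cutout = True

        if stab < 0 and runaway_seen_at is None:
            runaway_seen_at = t
        pilot_trimming = (
            stab < 0
            and crew.reaction_s is not None
            and runaway_seen_at is not None
            and t - runaway_seen_at >= crew.reaction_s
            and (crew.trim_budget_s is None or trimmed_for < crew.trim_budget_s)
        )

        if pilot_trimming:
            # Assumption (1): pilot trim interrupts the automatic command and
            # keeps it inhibited for INHIBIT_S seconds after this input.
            stab = min(0.0, stab + PILOT_RATE)
            trimmed_for += 1
            auto_run_left = 0
            auto_pause_left = 0
            inhibit_until = t + INHIBIT_S
            if stab == 0.0:
                runaway_seen_at = None      # back in trim; next runaway is a new event
        elif not cutout and aoa_errant and flaps_up:
            # Automatic command follows the errant AOA signal with no other check.
            if auto_run_left > 0:
                stab = max(-STAB_LIMIT, stab - AUTO_RATE)
                auto_run_left -= 1
                if auto_run_left == 0:
                    auto_pause_left = AUTO_PAUSE_S
            elif auto_pause_left > 0:
                auto_pause_left -= 1
            elif t > inhibit_until:
                activations += 1
                auto_run_left = AUTO_RUN_S - 1
                stab = max(-STAB_LIMIT, stab - AUTO_RATE)
        min_stab = min(min_stab, stab)

    return Outcome(activations, cutout, min_stab, stab)


if __name__ == "__main__":
    print("crew honours (1) and (2):     ", simulate(Crew()))
    print("crew never responds:          ", simulate(Crew(reaction_s=None, cutout_after=None)))
    print("crew trims briefly, no cutout:", simulate(Crew(trim_budget_s=4, cutout_after=None)))
    print("flaps down (config interlock):", simulate(Crew(reaction_s=None, cutout_after=None), flaps_up=False))
```

Run with the three crews in the `__main__` block: the crew that satisfies (1) and (2) keeps the mis-trim small and ends in trim with the cutout engaged after the second activation; the crew that never trims lets the stab run to the travel limit in a few cycles; the crew that trims for only a few seconds and never uses the cutout delays the outcome but still ends at the limit, which is exactly the dependence on assumptions (1) and (2) that the post says should be challenged. The `flaps_up` flag stands in for the configuration interlock mentioned in the quoted post; whether any given interlock behaves this way on the real airplane is not something this model can tell you.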