PPRuNe Forums - View Single Post - Ethiopian airliner down in Africa
Old 22nd Mar 2019, 15:04
#2338
JRBarrett
Join Date: Oct 2004
Location: NY - USA
Age: 68
Posts: 71
Originally Posted by Fortissimo
The second sentence here is only true if Boeing had realised that this could be the outcome of a single AOA source failure. If they had that knowledge and did nothing about it, then the courts will no doubt take that into account in due course because the failure to communicate it or manage the risk would indeed be seen as cynical. Please don't construe this as Boeing bashing - that would be as unhelpful as trying to shift responsibility to the perceived shortcomings of the two operators concerned. Play the ball rather than the man.
I am at a loss to understand how Boeing engineers could not/did not foresee the dangers in their original implementation of MCAS. Any aircraft manufacturer is certainly aware that sensors can fail, and when a safety-critical system can be activated based on sensor inputs, that there need to be provisions for sanity checking of the sensor data.

The Gulfstream IV, designed in the late 1980s, has a stall warning and protection system called the “Stall Barrier”: a stick shaker that activates when sensed alpha is approaching the stall regime, and a stick pusher that activates when alpha increases even further. The pusher is required due to the dangers of deep stall in a T-tailed aircraft.

But - the stall computer does have provisions to anticipate sensor failure. The shaker can activate based on a high alpha reading from only one of the two AOA sensors, but the pusher will not activate unless BOTH AOA sensors are in agreement.

The stall warning system on the (relatively ancient) CRJ-200 is even more conservative when it comes to sensor-data sanity checking. The CRJ stall warning computer monitors the position of both AOA vanes. If there is any significant disagreement as to position, the stall warning system will deactivate with “STALL FAIL” amber CAS warning to alert the crew. In addition, the stall warning computer monitors airspeed from no fewer than FOUR discrete sources: the left and right primary air data computers, and two additional Mach/airspeed transducers. If any one of the four airspeed data sources differs from the other three by more than a few knots, the stall warning system will again vote itself out of service with the same “STALL FAIL” CAS message.

I assume that Bombardier engineers figured it was better to deactivate the stall warning system (after alerting the flight crew), than to have a situation where a false stall warning might be issued due to faulty air data when no stall actually exists.

This in an aircraft that first entered service over 20 years ago.

Though MCAS is not a stall warning/stall protection system per se, if it activates at the wrong point in the flight envelope, the results can be disastrous as the two crashes prove. Yet, unlike the conservative engineering principles shown by Gulfstream and Bombardier engineers, Boeing chose to make the system dependent on a single sensor - with no apparent thought as to the negative consequences that could ensue if that single sensor provided incorrect data. Even more appalling is the fact that in the original design, the MCAS would repeatedly reset and reactivate, winding in more and more nose-down trim, with no apparent knowledge of the current position of the HSTAB, or the number of previous activations.

These issues are allegedly addressed in the software update for the MCAS system, but how could such a flawed design have ever passed muster in the first place?

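The sensor-voting approach the post describes (the CRJ-style disagreement gate that votes the system out with STALL FAIL, and the Gulfstream-style rule that a warning may fire on one AOA source but an actuating pusher needs both), written up as an added illustrative example; it is not code from the post or from any manufacturer, and every threshold and tolerance in it is a constructed value.

```python
"""Simplified sensor-voting logic modelled on the stall-protection designs
described above.  Illustrative only: tolerances and alpha thresholds are
constructed values, not any manufacturer's figures."""
from dataclasses import dataclass
from enum import Enum


class StallState(Enum):
    NORMAL = "normal"
    SHAKER = "shaker"          # warn-only: a single AOA source is enough
    PUSHER = "pusher"          # actuates: both AOA sources must agree
    STALL_FAIL = "STALL FAIL"  # sensors disagree: system votes itself out


@dataclass(frozen=True)
class Limits:
    aoa_tolerance_deg: float = 2.0      # max vane disagreement (constructed)
    airspeed_tolerance_kt: float = 5.0  # max spread across sources (constructed)
    shaker_deg: float = 14.0            # alpha at which shaker fires (constructed)
    pusher_deg: float = 17.0            # alpha at which pusher fires (constructed)


def airspeed_sources_agree(speeds, tolerance_kt):
    """CRJ-style check: every source must lie within tolerance of every other,
    which is the same as the total spread not exceeding the tolerance."""
    return max(speeds) - min(speeds) <= tolerance_kt


def stall_computer(aoa_left, aoa_right, airspeeds, limits=Limits()):
    """Return the stall system's output for one set of raw sensor readings.
    Sanity checks run before any threshold logic: on disagreement the system
    disables itself (STALL FAIL) rather than act on data that may be wrong."""
    # Four discrete airspeed sources are expected; fewer, or any outlier, fails.
    if len(airspeeds) != 4 or not airspeed_sources_agree(
            airspeeds, limits.airspeed_tolerance_kt):
        return StallState.STALL_FAIL
    # A stuck or runaway vane shows up here as a large left/right split.
    if abs(aoa_left - aoa_right) > limits.aoa_tolerance_deg:
        return StallState.STALL_FAIL
    # Pusher moves the controls, so it needs BOTH vanes past the threshold.
    if min(aoa_left, aoa_right) >= limits.pusher_deg:
        return StallState.PUSHER
    # Shaker only warns, so the higher of the two vanes is sufficient.
    if max(aoa_left, aoa_right) >= limits.shaker_deg:
        return StallState.SHAKER
    return StallState.NORMAL
```

The contrast with the single-sensor design the post criticises is the second check: one vane reading far from its partner disables the system instead of driving it.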