Originally Posted by
gums
Salute Ferry !!
I love it.
Although I flew very sophisticated aerospace vehicles, I am not quite ready to let HAL run everything at this time. And you are correct about not providing the human crewmembers with realistic training and practice for that one day they may have to actually perform their 'Chuck Yeager" routine. The "children of the magenta line" still live, and there's more of them every year.
CASE IN POINT:
The Lion 610 and previous flight's MCAS problem would not have been handled successfully by HAL, especially if the same sfwe shop did the design and code. At the time of Lion 610, the problem facing the plane was not the basic "runaway trim" that most of us think about. Then there;s the stall warning! HAL would likely have commanded some nose down, huh? Did HAL know altitude above the terrain or note the rising terrain ahead? Did the sfwe folks think that MCAS would activate at takeoff speed, and a few hundred feet and not at the other end of the envelope doing a banked turn at 20,000 feet? Would HAL have reduced power at 700 feet with stall warning shaking and been aware that getting too fast would reduce elevator effectiveness due to "blow up" with AND trim being commanded?
The single point of failure, the AoA doofer, that everyone points out was only the first event in the sequence that eventually resulted in loss of control. Just like almost all crashes. Few are the result of one thing going tango uniform. And that is where HAL has trouble, but the carbon-based lifeforrms can connect things that HAL's father had not thot of, and then do something not "programmed". You know, turn off both electric stab switches before treating the stall warning and not experiencing continuous trim in one direction.
Gums opines...
/sarcasm/ Ahhh but you miss the magic of automation: Hal would -never- get itself into a incipient stall in the first place./sarcasm/
Gums: thanks very much for your 'real world' perspective on all of this
It is true that MCAS is only active when autopilot is disabled, the autotpilot does not get confused by the non-linear change in control force.
Also true HAL could handle all the available sensors without sensory overload so in this case quite possibly the AOA disagree would have just been logged and flight continued.
Although there would have been more than 2 if HAL was in full charge, I hope
Very long term I can see that a fully automatic system might -overall- be safer but anything that has to rely on 'human exception handling' is a far from there.
If anything this whole mess point to a major issue when different philosophies are intermingled, 9 parts "the pilot is in control", one part "except when we don't think so".