PPRuNe Forums - View Single Post - Ethiopian airliner down in Africa
29th Apr 2019, 00:16
TryingToLearn

Join Date: Mar 2019
Location: Bavaria
Posts: 17
I did not read the discussion for a week and I find it partly very useless.
As an (automotive) safety engineer, I categorize the 'controllability' of an event as simple (>99%), normal (>90%) or difficult (<90%) according to ISO 26262.
And yes, difficult and uncontrollable are the same.
So as long as less than 90% of the pilots here are saying 'piece of cake', it's the same as uncontrollable.
The reason is very easy: If you design a system, you can estimate an order of magnitude of the error probability. Sensor redundancy doubles the number of fields on your lottery ticket, so would you bother about the exact probability, third digit? Probably not if you're going from one in a million to one in a trillion (lost flights / winning tickets...).
What's better? Rely on the estimate that 70% of professional pilots can handle the event with training instead of 40% or just make it one in a million years instead of 2 times in 4 months by a simple plain stupid sensor compare of existing sensors?

Together with other estimates (exposure, severity), where MCAS has both won the jackpot (highly probable situation with fatal outcome), this looks like a highly critical system to me.

As an engineer, this tells you that you really need redundancy. There is always a remaining probability (like lots of geese at low altitude as common cause for a dive in the Hudson...) where the pilot may have a chance of not being part of the 'remaining accepted risk of flying' by our society. But how often did it happen? Based on how many planes in the air? Would anyone blame the captain if this would have gone wrong?
Recently I read the report and told another safety engineer that the FBW system prevented a stall while the pilot pulled the stick and would have caused it. The first question I got was: Did he count on this function? Like with ESP: you no longer consider blocking tires, just press hard... The automation assists you even in critical situations, that's state of the art (instead of 37 turns on a handwheel).

The obvious underestimation of this MCAS function is one thing, but no engineer would DEACTIVATE an existing diagnostic function while at the same time ADDING a safety critical system to the (no longer) diagnosed input.
Especially with the explanation that this one true warning may cause side effects while the pilot gets shitloads of false ones (stickshaker...). But media reports indicate that this is the case.

This would scream at you at so many stages of the design process that it would be almost impossible to overlook. Except there is something wrong with your process...

In addition, if this turns out to be defective cabling as whistleblowers describe, it would make things even far worse:
-> Cabling diagnostics are the first thing an engineer does on EVERY cable he can find. It's easy to implement and cuts the error probability a lot.
-> Range check is the second one and a no-brainer... (which pilot ever encountered a real/plausible AoA of 75° from below? Free-fall at 0 speed, flying in reverse gear or over an active volcano?)
-> If this was due to a foreign object close to the cabling, this opens up another big question mark: Production quality?

So if this turns out to be a management decision (or management decisions involved), good night Boeing... The 'training penalty' definitely counts as a motivation to do so.
Not because of MCAS but because it would put all decisions regarding safety of the last years into question since they could also be infected by financial aspects (including the FAA).

In my opinion everything points in this direction, since this thing is too big to be overlooked within the safety engineering process.

But please, point the discussion in the direction of duct tape in the cockpit in case the pilot has to tape the wings back in place like every real pilot would do...
You couldn't do Boeing a bigger favour than this. Fighting the value of the third digit while there are several digits missing and maybe enough holes in the cheese for other surprises.

PS: Yesterday I had a tournament in ballroom dancing, first one after a long break. I trained for years and guess what: I learned that I need to dance the choreography I trained for months once directly before the tournament because with all the adrenaline in my blood I simply could not remember it / access my long term memory. It's like a tunnel, lost, gone for a moment... Ballroom competition dancing is considered one of the sports with the highest stress hormone levels (competitive sports + thinking + uncontrollable factors like your partner) and I finally realized what that means and does to you...
Having his life immediately threatened is probably far better than this, and the pilots had the full load ('sportive-elevator-pulling' + thinking + a mad MCAS). Nothing prepares you for this, no simulator, simply nothing... It may be comparable to doing a math test after your first bungee jump with fear of heights after a fast run... Simply do the math... sure...

Last edited by TryingToLearn; 29th Apr 2019 at 00:40.