Originally Posted by
Peter H
Nice thoughtful post.
Not only is there no prohibition against multiple or ambiguous malfunctions, but in some cases
their occurrence is by-design (intentional or not). Naively as SLF I assumed that this would
be identified by some sort of dependency-tree analysis at design-time, and their occurrence
identified and prevented if possible, or at least allowed for in operating procedures.
AoA-high failure seems to be a perfect example, leading to the triggering of things like UAS,
autopilot drop-out, stall-warnings, and inappropriate MCAS activation (in the absence of flaps
and other blocking states).
Quite correct. For my part, one of the significant takeaways from the MAX accidents is how quickly an AOA malfunction on a 737 can create a domino effect of faults that sets up a very challenging situation for the aircrews - and this is whether we are talking about an NG or a MAX. I won't parse out all the details, but if you step through everything that happens from the initial fault, there are multiple checklists to run and multiple systems that are degraded or rendered inoperative. In addition, a variety of erroneous fault conditions are generated which have the potential for misleading the crew if they do not clearly understand exactly why those faults are being generated. That being said, I don't believe this malfunction would be any more challenging than a takeoff engine failure, with the key difference being that we practice engine failures all the time. AOA failures, not so much.