PPRuNe Forums - View Single Post - MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures
Old 18th Nov 2019, 14:32
  #4008 (permalink)  
Peter H
 
Join Date: Jun 2008
Location: Cambridge UK
Posts: 192
Originally Posted by Loose rivets
Over these months I've become more and more bewildered by certain design-logic. Now this. What is it supposed to mean? Movements that are un-commanded, presumably meaning by the pilots, must mean movements made by MCAS. These are now going to be stopped automatically.

MCAS did not fail. The specifications/algorithms, altered late in the day, were to blame, inasmuch as they caused a catastrophic overload of warnings and handling difficulties that were beyond 'the average pilot's' ability to manage. If MCAS is the only affordable answer, the suggested fixes, aired over the last weeks, sound logical.

Where are the erroneous un-commanded movements going to come from, given the quote implies it's not from the pilots and MCAS has been made safe?
I hope that they are making false activation of MCAS survivable, and also trying to minimise the frequency of false activations. Although
keeping the hardware unchanged means that the engineers are trying to do this with at least one arm tied behind their backs.

Making MCAS survivable probably entails both minimising its potential effects (e.g. only single-shot) and providing a practicable SOP for handling it.

Minimising the frequency of false activation probably involves lots of sanity checks on the AoA readings both separately and collectively
(e.g. beware of at-extreme and stuck-at readings).

A major problem with collective AoA checks is that each AoA is only connected to one computer. So both computers have to be fully
operational and communicating with each other to perform them. It would not surprise me if this unanticipated communication
was far from instantaneous.

My guess is that this is where the self-correcting un-commanded movements might be coming from. One computer sees that its AoA
sensor indicates that MCAS is called for and activates it, then later gets information from the other computer's AoA sensor that
suggests that this was a bad idea and aborts the MCAS activation. (A lot better than waiting for a time-out to discover that the
other computer is currently inaccessible.)

PS And keep your fingers crossed that the MAX really is aerodynamically stable without MCAS. Because this sort of system is going
to disable it in response to some classes of hardware failure.