MCAS Certification - single sensor/no warning
Thread Starter
Join Date: Dec 2018
Location: South Pole
Posts: 10
Likes: 0
Received 0 Likes
on
0 Posts
MCAS Certification - single sensor/no warning
(If this thread is in the wrong area, or the topic has been addressed somewhere in the 2,700+ posts regarding ET302, please advise/correct as necessary..)
I find it simply unbelievable that a flight control system, using a single input sensor, could ever have been certified as safe. Surely, a fight control system is a safety critical system, and such systems would need redundancy. So, it seemed logical to look and see what the FAR's require. As far as I am aware, the relevant section is FAR Part 25 Subpart D - Control systems, which says (relevant parts highlighted):
My understaing is that:
Given MCAS is there to stop the pilots inadvertently causing a stall because they haven't been told the pitch characteristics are different to the NG, doesn't this mean that if the input to it from the single AOA sensor fails, it does not meet 25.672(c)(1)? As well as probably 25.672(c)(1) and (2) and (3)?
Cheers...
I find it simply unbelievable that a flight control system, using a single input sensor, could ever have been certified as safe. Surely, a fight control system is a safety critical system, and such systems would need redundancy. So, it seemed logical to look and see what the FAR's require. As far as I am aware, the relevant section is FAR Part 25 Subpart D - Control systems, which says (relevant parts highlighted):
§25.671 General.
(a) Each control and control system must operate with the ease, smoothness, and positiveness appropriate to its function.
(b) Each element of each flight control system must be designed, or distinctively and permanently marked, to minimize the probability of incorrect assembly that could result in the malfunctioning of the system.
(c) The airplane must be shown by analysis, tests, or both, to be capable of continued safe flight and landing after any of the following failures or jamming in the flight control system and surfaces (including trim, lift, drag, and feel systems), within the normal flight envelope, without requiring exceptional piloting skill or strength. Probable malfunctions must have only minor effects on control system operation and must be capable of being readily counteracted by the pilot.
(1) Any single failure, excluding jamming (for example, disconnection or failure of mechanical elements, or structural failure of hydraulic components, such as actuators, control spool housing, and valves).
(2) Any combination of failures not shown to be extremely improbable, excluding jamming (for example, dual electrical or hydraulic system failures, or any single failure in combination with any probable hydraulic or electrical failure).
(3) Any jam in a control position normally encountered during takeoff, climb, cruise, normal turns, descent, and landing unless the jam is shown to be extremely improbable, or can be alleviated. A runaway of a flight control to an adverse position and jam must be accounted for if such runaway and subsequent jamming is not extremely improbable.
(d) The airplane must be designed so that it is controllable if all engines fail. Compliance with this requirement may be shown by analysis where that method has been shown to be reliable.
§25.672 Stability augmentation and automatic and power-operated systems.
If the functioning of stability augmentation or other automatic or power-operated systems is necessary to show compliance with the flight characteristics requirements of this part, such systems must comply with §25.671 and the following:
(a) A warning which is clearly distinguishable to the pilot under expected flight conditions without requiring his attention must be provided for any failure in the stability augmentation system or in any other automatic or power-operated system which could result in an unsafe condition if the pilot were not aware of the failure. Warning systems must not activate the control systems.
(b) The design of the stability augmentation system or of any other automatic or power-operated system must permit initial counteraction of failures of the type specified in §25.671(c) without requiring exceptional pilot skill or strength, by either the deactivation of the system, or a failed portion thereof, or by overriding the failure by movement of the flight controls in the normal sense.
(c) It must be shown that after any single failure of the stability augmentation system or any other automatic or power-operated system—
(1) The airplane is safely controllable when the failure or malfunction occurs at any speed or altitude within the approved operating limitations that is critical for the type of failure being considered;
(2) The controllability and maneuverability requirements of this part are met within a practical operational flight envelope (for example, speed, altitude, normal acceleration, and airplane configurations) which is described in the Airplane Flight Manual; and
(3) The trim, stability, and stall characteristics are not impaired below a level needed to permit continued safe flight and landing.
(a) Each control and control system must operate with the ease, smoothness, and positiveness appropriate to its function.
(b) Each element of each flight control system must be designed, or distinctively and permanently marked, to minimize the probability of incorrect assembly that could result in the malfunctioning of the system.
(c) The airplane must be shown by analysis, tests, or both, to be capable of continued safe flight and landing after any of the following failures or jamming in the flight control system and surfaces (including trim, lift, drag, and feel systems), within the normal flight envelope, without requiring exceptional piloting skill or strength. Probable malfunctions must have only minor effects on control system operation and must be capable of being readily counteracted by the pilot.
(1) Any single failure, excluding jamming (for example, disconnection or failure of mechanical elements, or structural failure of hydraulic components, such as actuators, control spool housing, and valves).
(2) Any combination of failures not shown to be extremely improbable, excluding jamming (for example, dual electrical or hydraulic system failures, or any single failure in combination with any probable hydraulic or electrical failure).
(3) Any jam in a control position normally encountered during takeoff, climb, cruise, normal turns, descent, and landing unless the jam is shown to be extremely improbable, or can be alleviated. A runaway of a flight control to an adverse position and jam must be accounted for if such runaway and subsequent jamming is not extremely improbable.
(d) The airplane must be designed so that it is controllable if all engines fail. Compliance with this requirement may be shown by analysis where that method has been shown to be reliable.
§25.672 Stability augmentation and automatic and power-operated systems.
If the functioning of stability augmentation or other automatic or power-operated systems is necessary to show compliance with the flight characteristics requirements of this part, such systems must comply with §25.671 and the following:
(a) A warning which is clearly distinguishable to the pilot under expected flight conditions without requiring his attention must be provided for any failure in the stability augmentation system or in any other automatic or power-operated system which could result in an unsafe condition if the pilot were not aware of the failure. Warning systems must not activate the control systems.
(b) The design of the stability augmentation system or of any other automatic or power-operated system must permit initial counteraction of failures of the type specified in §25.671(c) without requiring exceptional pilot skill or strength, by either the deactivation of the system, or a failed portion thereof, or by overriding the failure by movement of the flight controls in the normal sense.
(c) It must be shown that after any single failure of the stability augmentation system or any other automatic or power-operated system—
(1) The airplane is safely controllable when the failure or malfunction occurs at any speed or altitude within the approved operating limitations that is critical for the type of failure being considered;
(2) The controllability and maneuverability requirements of this part are met within a practical operational flight envelope (for example, speed, altitude, normal acceleration, and airplane configurations) which is described in the Airplane Flight Manual; and
(3) The trim, stability, and stall characteristics are not impaired below a level needed to permit continued safe flight and landing.
- there is an option on the MAX 8 to have an AOA disagree warning to the pilot, and an indication of what the respective (left and right) AOA values are.
- This option was taken by American airlines (from initial purchase), and was taken up for new MAX 8's orderd by Southwest, and being retrofitted to their existing fleet.
- However, neither of these options were taken by Lion Air.
Given MCAS is there to stop the pilots inadvertently causing a stall because they haven't been told the pitch characteristics are different to the NG, doesn't this mean that if the input to it from the single AOA sensor fails, it does not meet 25.672(c)(1)? As well as probably 25.672(c)(1) and (2) and (3)?
Cheers...
Join Date: Dec 2015
Location: Cape Town, ZA
Age: 62
Posts: 424
Likes: 0
Received 0 Likes
on
0 Posts
Your questions and concerns have been discussed many, many times in various threads about the Ethiopian MAX crash.
Perhaps best to read those threads, and re-post your question on one of them, if you still need answers.
Perhaps best to read those threads, and re-post your question on one of them, if you still need answers.
(If this thread is in the wrong area, or the topic has been addressed somewhere in the 2,700+ posts regarding ET302, please advise/correct as necessary..)
I find it simply unbelievable that a flight control system, using a single input sensor, could ever have been certified as safe.
I find it simply unbelievable that a flight control system, using a single input sensor, could ever have been certified as safe.
I would second Gordon's advice that you might find it useful to read that thread. Feel free to post back here if you feel that there is something that hasn't been covered in those 2,700 posts.
