
Is it only me, or does all this one-vs-two AoA sensor talk seem like some kind of diversion from the real problem with this plane?

I mean, if the one-sensor based MCAS failed twice so early in the life span of the plane model, what is the probability that a two-sensor model will fail pretty soon as well? The math should be simple; we have all the data needed: combined hours flown by all planes of the type and the number of failures (at least two known, which can help us estimate an MTBF for the sensor).



The problem isn’t failure, but detecting failure.

If the sensor had just stopped responding, there wouldn’t have been any problem. The planes would keep flying, the sensors would get replaced, and everyone would be fine.

What happened was that the sensor gave erroneous readings. The MCAS system reacted to those erroneous readings and crashed the plane.

With two sensors, you can detect failure. It’s very unlikely that both would fail simultaneously. If they did, it’s very unlikely that both would provide the same erroneous readings.


> It’s very unlikely that both would fail simultaneously.

Birgenair 301 crashed into the Atlantic because mud dauber wasps built nests in both pitot tubes while the plane was on the ground. It happens.


Airspeed is required for safe flight. The failure on that flight was detected immediately, it just couldn’t be handled. AoA on a 737 MAX is not required for safe flight and the system just needs to refrain from taking any action if it fails.


But MCAS was added because the plane doesn't handle well in some situations.


I haven't heard of it ever activating except in the incident/accident flights. It's required for certification, but you would either have to be mishandling the plane or get in some extreme weather for MCAS to activate.

Think about it like the Antilock brakes on your car. Suppose the wheel position sensor fails. It's fine if the car puts up a warning light and says that you don't have antilock brakes anymore. You can drive fine without them until you can get them fixed with a minor safety impact. It's not fine if the wheel position sensor fails and this causes the car to slam on the brakes going 65mph down the highway.


> I haven't heard of it ever activating except in the incident/accident flights.

You wouldn't hear about it unless the activation was triggered by egregious pilot error and you're scouring aviation news sites.

> It's not fine if the wheel position sensor fails and this causes the car to slam on the brakes going 65mph down the highway.

Been there, done that. It's an unpleasant failure mode, but it is survivable.


ABS isn't the best example because it does prevent lots of accidents in its own right, including a >50% prevention rate of some types of accidents in rainy, snowy, or icy weather. The overall fatal accident reduction is 15% for cars and 27% for trucks and light trucks. Source: https://crashstats.nhtsa.dot.gov/Api/Public/ViewPublication/...

And, anecdotally, I've had ABS kick in in some occurrences for which I was very thankful.


Having a safety system that rarely fails to prevent an accident is much different statistically than a safety system that rarely causes an accident.

Suppose the crash probability on a normal flight is 1/1E7, but without MCAS it's 100x more dangerous, or 1/1E5. Suppose MCAS failure probability is 1/1E6, the probability of an additional crash due to the failure of MCAS is 1/1E11, which is acceptable.

The problem is that in practice, the crash probability if MCAS fails is empirically 2/3 instead of 1/1E5, because MCAS actually causes the crash rather than merely failing to prevent a crash.


The first thing I read in your link seems to be the opposite of what you wrote:

"ABS has close to a zero net effect on fatal crash involvements."

Further down, there is a chart which seems to show that ABS is associated with a huge increase in fatal accidents in inclement weather, and a large increase in side impact accidents, both fatal and non-fatal.

Maybe there's something obvious I'm missing?


It handles fine, except it doesn't handle like a Classic/NG 737. This is a problem because pilots were trained to expect it to handle like a Classic/NG. The discrepancy between reality and pilot expectations is the gap MCAS was meant to fill, such that it wasn't necessary to correct pilot expectations.


It sounds like in normal flight you could cope without it, not easily enough that you'd trust an entire fleet without it, but enough that in the rare case of a detected AoA sensor failure, you could land the thing in a controllable way.


Doesn't handle well is not equivalent to "is uncontrollable", though.


If I recall, it made it more prone to stall in certain conditions. I'd like to call that hazardous, but without test pilot feedback I'm not sure how to classify it. My recollection from articles a few months ago is that they added MCAS not due to simple differences in handling, but due to a potentially hazardous difference in handling.


Mentour Pilot on youtube, a 737 instructor, has a few videos about it. The gist is that in any plane when you're close to stall, you want to pitch down and increase airspeed over the wings. Depending on the precise circumstances you do this by pitching down and throttling up. However in the case of every 737 and in fact any aircraft with engines slung below the wings, the act of throttling up the engines causes the airplane to pitch up. The reason is because the engines are not in line with the center of mass. Imagine rowing a row boat with only a single oar.

This is something all 737 pilots are trained for, so they have to balance that pitch up from the engines throttling up by pitching the plane down more than they would otherwise need to. The precise relationship between throttling up and pitching up was changed when the 737 was modified to create the 737 MAX. Namely, on the 737 MAX the pitch-up is more extreme. It is not so extreme that it makes the airplane a bad design, but it is extreme enough that pilots need to not expect the legacy 737 behavior.

Had pilots been trained for the performance characteristics of the 737 MAX specifically, it would have been perfectly fine. But they weren't, and instead MCAS was meant to paper over the difference so pilots could be kept in the dark (which is cheaper but borderline homicidal...)

To put this another way, in some hypothetical universe where the 737 MAX was the first 737 ever, it would have been introduced without MCAS and pilots would have said it handles like a dream. Then, when the 737 NG was introduced after the 737 MAX, there might have been a reverse-MCAS system implemented to make the NG handle like a MAX. That reverse-MCAS system may have then failed catastrophically.


MCAS was not designed to make the 737 Max behave like the 737 NG or Classic. It was designed to make the 737 Max certifiable at all.

The problem with the 737 Max is that the engine nacelles are further forward and larger than previously, so the lift that the nacelles make at high angle of attack is greater. This results in less stick force being necessary to maintain a high angle of attack than at lower angles of attack. This is uncertifiable behavior. Hence MCAS, to augment the maneuvering characteristics of the 737 by increasing stick forces at high angles of attack.

In a hypothetical universe where the Max was the first 737, it'd be fly by wire and all the stick forces would be synthetically generated anyway.


It handles differently, yes. That could be handled with a bit of training.


It will not satisfy the current handling requirements, hence either making it completely unairworthy or a special category with vastly different handling from usual passenger-rated airplanes.


According to Wikipedia, only one of the pitot tubes was blocked:

“The investigation concluded that one of the three pitot tubes, used to measure airspeed, was blocked.”


No, the accident report mentions only a failure of the air speed indicator on the pilot side. The copilot and backup indicators were working, but the crew failed to recognize that.


I think the point is at least both sensors wouldn't fail literally at the same exact second. There would be a period of time where the sensors are disagreeing, and that would alert the pilot about what is going on.


> It’s very unlikely that both would fail simultaneously. If they did, it’s very unlikely that both would provide the same erroneous readings.

They don't have to fail simultaneously in a flight. And they don't have to fail by internal sensor problems. There are many cases in which they can simultaneously fail and give the same readings; the article even mentioned such types of events:

>> That probability may have underestimated the risk of so-called external events that have damaged sensors in the past, such as collisions with birds, bumps from ramp stairs or mechanics’ stepping on them.

And AF447 gives an example of what such erroneous readings combined with pilot errors may lead to.


If they’re damaged on the ground, surely it’ll be noticed that the sensors are claiming an extreme AoA while just sitting there, and they’ll be fixed.

AF447 is an example of a fly by wire system that has to keep working no matter what happens, thus a bunch of redundant systems and a series of alternate modes the system can fall back on to operate in a degraded state.

MCAS, in contrast, is not a critical system. It could shut down with no problems at all. These crashes happened only because it didn’t shut down when faced with a failed sensor, because it couldn’t detect the failure.


> If they’re damaged on the ground, surely it’ll be noticed that the sensors are claiming an extreme AoA while just sitting there, and they’ll be fixed.

AoA sensors by design don't work reliably at low speed and they don't work at all on the ground.

> AF447 is an example of a fly by wire system that has to keep working no matter what happens, thus a bunch of redundant systems and a series of alternate modes the system can fall back on to operate in a degraded state.

AF447 is a good example that two AoA sensors can simultaneously have the same erroneous readings. It's not that unlikely.


AF447 had two working AoA sensors that never disagreed. It didn’t have an AoA indicator in the cockpit though. You can infer what the AoA is by the vertical airspeed and engine output though. The inputs from left and right stick canceled each other and it power-on stalled out of the sky, landing belly first. This was pilot error because they had unreliable airspeed indication due to pitot tube icing.

Airspeed is a critical system while AoA is not. (Unless AoA is tied to MCAS like in the MAX jets.)


Can you elaborate on AF447? I’ve never heard of the AoA sensors being connected with that crash, and a quick search indicates that they were working fine.


I've confused AF447's pitot tubes with AoA sensors. But I think the point is still valid: two sensors _can_ simultaneously have the same erroneous readings and we have to be sure pilots can handle such situations.


First: I said it’s very unlikely, not impossible. Second: the failure of AF447’s pitot tubes was detected immediately and the system switched to an alternate law as a result; this contributed to the crash because the pilots were less familiar with how the system operated in that mode. Third: AoA sensors operate by a completely different mechanism so even if this was what happened (it wasn’t) this demonstrates nothing relevant.

You’re just badly arguing details while ignoring the actual point here.


> You’re just badly arguing details while ignoring the actual point here.

What was the point? Two sensors (in this case alpha vanes) can fail at the same time and in the same way on an Airbus:

https://avherald.com/h?article=47d74074


> With two sensors, you can detect failure. It’s very unlikely that both would fail simultaneously. If they did, it’s very unlikely that both would provide the same erroneous readings.

> First: I said it’s very unlikely, not impossible.

> You’re just badly arguing details while ignoring the actual point here.

My point here was that with two AoA sensors you can't reliably detect failure. They can both fail simultaneously and provide the same erroneous readings. And because it's not that unlikely we have to be sure that pilots can handle MCAS problems when two AoA sensors fail.

> Second: the failure of AF447’s pitot tubes was detected immediately

Because the A330 has three pitot tubes, right? Not two out of two sensors?

I'm not arguing about the AF447 case, I gave it as an example that two sensors _can_ have the same erroneous readings. Airbus engineers were not sure that could happen in real life, so the stall warning issue was a real surprise for them.


Increased redundancy in airborne systems is very unintuitive. Double redundancy can be more dangerous than having a single system (at least when you're talking engines or sensors anyway).

Triple redundancy is the norm for the specific reason that it's highly likely for symmetrically placed sensors to be prone to failing in the same way not long after each other, but having a third differently placed can keep you flying.

Although there's at least one instance where an Airbus plane had two AoA sensors malfunction at the same time and outvote the last remaining sensor.

This is why critical systems are built with higher degrees of redundancy and graceful degradation of operational envelope in mind.

Training on how to deal with unaided flight is also absolutely essential. There are many Airbus accidents where pilots were caught off guard when the automation that kept them from breaking out of the operating envelope failed.

Long story short; Boeing has put themselves in the unenviable position of having delivered a product in ways that are not only illegal, but deadly, and short of pilots accepting a significant burden in the form of being as good at or better than the MCAS system at this point; a lot of man hours and capital has been expended to end up in a situation where every MAX is in a not inconsiderable risk of being scrapped.


It is not unlikely. I don't remember the details, but I remember the case when two broken sensors outvoted a working sensor.

The problem is that in order to save a tiny amount of money Boeing made the plane rely on unreliable sensors.


It’s not unlikely... because of some vague memory you have?



Assuming that’s true, the fact that it has happened before does not mean simultaneous failure is not incredibly unlikely. Unlikely things do happen. One might call it extraordinarily bad luck.


Maybe you're thinking of QF72 where erroneous data was "too wrong" to be smoothed out by the computer?


> " it’s very unlikely that both would provide the same erroneous readings. "

You're assuming that faulty sensors will tend to have random output. But since we're talking about a real life mechanism, it seems likely it has some erroneous states that are more likely to occur than others. For instance if the mechanism often fails up against one of its mechanical limits, the sensor might erroneously read out the limit position every time.

You can't actually say anything about the distribution of failure states for a sensor without evaluating that particular sensor.


> It’s very unlikely that both would fail simultaneously.

Ice, insects, birds, and volcanic ash are all things that tend to cause the pitot and the static tubes to become blocked. When you encounter ice, insects, birds, and volcanic ash, it is often the case that you get multiple simultaneous blockages. Blockages of the various tubes are not statistically independent events in practice.


Pitot and static tubes are irrelevant here.

Would it trouble everyone to get a basic grasp of what we’re talking about before replying? I’m getting a little tired of constantly correcting basic stuff in the replies.


Well, the other issue is the system used that bad sensor data to automatically correct the pilots with no indication of why or how to even turn it off. The pilots knew the system was wrong and couldn't force the plane to correct.


> With two sensors, you can detect failure

You get a reading of 20 on one sensor and a reading of 34 on the second; which one is correct? To achieve reliability a minimum of five sensors need to be used: four primary and one backup. If three primary agree then the system is normal. If two primary disagree then switch to backup.


If you get a reading of 20 on one and 34 on the other, you disregard both and disable the system.

There’s a big difference between a system which must work and a system which must not go wrong. For example, the fly by wire system in an Airbus must work. A failed sensor must not disable the system. Thus, you need at least triple redundancy to keep functioning in the event of a failure.

Boeing’s MCAS system, on the other hand, doesn’t need to work. The plane flies just fine without it. It merely needs to not go crazy. Two sensors is sufficient.


Yup, the difference between Fail Safe and Fail Operational.


I've read several of these articles about the MAX and I'm not seeing the explanation for how allowing MCAS to fly the plane only on input from AOA sensors (1, 2 or 5) is different from asking pilots to fly the plane with a fogged-up windscreen. Why not cross-check against the true horizon, for example? Doesn't seem safer to unnecessarily disregard context.


MCAS only exists to paper over a small handling deficiency. Apparently nobody (at least nobody with the power to force a change) thought that it could pose a safety problem. It’s not safety critical, so who cares if it fails? Except that it can fail in a way that crashes the plane.


> MCAS only exists to paper over a small handling deficiency.

Per the article MCAS was originally intended to handle uncommon edge cases but was extended to cover additional (low speed) deficiencies. This expanded scope is what made MCAS as problematic as it is because it did away with the second input (accelerometer) and expanded the authority dramatically (from something like 0.6 degrees to 2.4 degrees of stabilizer movement).


The problem occurred in that that sensor had a privileged (unoverridable) pipeline to the horizontal stabilizer.

The pilots knew something was going wrong. That wasn't the issue. The issue was that the bloody thing could mistrim the plane to the point of nigh irrecoverability, and no one knew enough about it until two planes full of people plunged out of the sky.

The plane may be able to fly just fine; but the way this thing was developed and brought into mainstream use had critical problems in terms of essential information being communicated.

All the decisions and motivations behind this lack of communication have to some extent been traced back to trying to circumvent regulations in order to prop up the share price by scoring sales of a new airframe of comparable efficiency to the A320neo.


True horizon has nothing to do with angle of attack. Angle of attack is the direction the wind is coming from relative to the aircraft. It's possible to have a nose up attitude relative to the horizon, and have the actual aircraft motion be downwards at 10,000 feet per minute.


> There’s a big difference between a system which must work and a system which must not go wrong. For example, the fly by wire system in an Airbus must work. A failed sensor must not disable the system. Thus, you need at least triple redundancy to keep functioning in the event of a failure.

Fly-by-wire Boeings still only have two alpha vanes. Go ahead, take a look at the next 777 or 787 you come across.


Presumably the AoA sensors are not required for that system to function.


AoA sensors are not required for Airbus FBW systems to function either. But they are required for the flight envelope protection system to function.


> and disable the system

When you do that you now have an aircraft the pilots aren't certified to fly.


> When you do that you now have an aircraft the pilots aren't certified to fly.

It would increase risk. But for that increased risk to materialize into harm, the plane would also need to experience an unlikely, near-edge-of-flight-envelope situation that the working MCAS was intended to handle.

This would be comparable to a plane with any other mechanical defect that is discovered in-flight. If the above situation is expected to be too-risky to continue the flight and repair on the ground, then it would give cause for an emergency landing.


> the plane would also need to experience an unlikely, near-edge-of-flight-envelope situation that the working MCAS was intended to handle.

Failure of the AOA sensor and edge-of-the-flight-envelope events can't be assumed to be uncorrelated.


Would you not need three sensors? With only two, wouldn’t it be difficult to determine which is correct?


You don’t need to determine which is correct. MCAS is not a safety critical system and can just shut down if the sensors disagree.


That assumes the sensors are likely to disagree if they're broken, which may not be true.


That's why you need 5 sensors or so on something this mission-critical. Enough that you can have a clear democratic majority if one or two goes on the fritz.


My point is that it’s not mission critical. You can lose MCAS and be just fine. That’s why two sensors would suffice.


... or two sensors and a pilot who is in control.


> what is the probability that a two-sensor model will fail pretty soon as well

It's actually higher than the probability that a one-sensor version will fail. With two sensors, you have an effective failure if either sensor fails, and the probability of that happening is roughly twice the probability that a single sensor will fail (assuming failures are independent, which is not necessarily a valid assumption).

However, with two sensors you can tell when one has failed (even though you may not know which one it was) and so the consequences of the failure might be less severe.

The problem is: now pilots need to be prepared to fly the plane with a failed sensor, which is to say, without MCAS. To do that, they will need additional training. Avoiding that was the whole point of MCAS in the first place. That's the reason it's taking so long to sort this out. Technically, it's an easy problem to solve. It's the economics that are daunting.


If MCAS is disabled for some reason because of sensor failure, how does that factor into the common type rating? Same goes for if they significantly lower how much input it provides.


The AOA sensors are effectively a consumable, and would undergo regular replacement over the life of the aircraft, the odds of BOTH of them failing at the same moment in the same flight is very very small.


If they are replaced simultaneously the chance of them simultaneously not working the next take off is non negligible.


Ok, that makes sense. But are the hours at which they get replaced an order (or several) of magnitude lower than the hours at which a two-sensor failure can occur? I hope it is calculated.
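The risk arithmetic running through this subthread (the 1/1E7, 1/1E5, 1/1E6 and 2/3 figures used above, the "roughly twice" argument for two channels, and the worry about two vanes replaced together) as an added worked example. This is not code from the thread or from Boeing. The per-vane per-flight failure probability (1e-4) and the 10% common-cause fraction are illustrative assumptions, and the beta-factor model is a standard common-cause approximation from reliability engineering, not anything the article documents.

```python
"""Risk arithmetic for an augmentation system fed by redundant sensors.

Added worked example; not code from the thread. The 1/1E7, 1/1E5, 1/1E6 and
2/3 figures are the ones used in the discussion above; the per-sensor failure
probability and the common-cause fraction are illustrative assumptions.
"""


def crash_probability(p_base, p_fail, p_crash_given_fail):
    """Per-flight crash probability when a protective function can itself fail.

    p_base:             crash probability with the function working
    p_fail:             probability the function fails on a given flight
    p_crash_given_fail: crash probability once it has failed
    """
    return (1.0 - p_fail) * p_base + p_fail * p_crash_given_fail


def added_risk(p_base, p_fail, p_crash_given_fail):
    """Extra crash probability attributable to the function's failure mode."""
    return crash_probability(p_base, p_fail, p_crash_given_fail) - p_base


def any_of_two_failed(p):
    """Probability that at least one of two independent channels fails (~2p)."""
    return 1.0 - (1.0 - p) ** 2


def both_failed_independent(p):
    """Probability that both channels fail, assuming independence."""
    return p * p


def both_failed_common_cause(p, beta):
    """Beta-factor common-cause model.

    A fraction beta of each channel's failures is a shared event (same
    maintenance action, same bird, same icing) that takes out both channels;
    the remaining (1 - beta) * p per channel is independent.
    """
    independent = (1.0 - beta) * p
    return beta * p + independent ** 2


if __name__ == "__main__":
    # Fails-passive: when it fails, the plane is merely back to its unaided risk.
    passive = added_risk(1e-7, 1e-6, 1e-5)
    # Fails-active: the failure itself drives the outcome (2 of 3 known events).
    active = added_risk(1e-7, 1e-6, 2.0 / 3.0)
    print(f"fails-passive added risk per flight: {passive:.3g}")
    print(f"fails-active  added risk per flight: {active:.3g}")

    p = 1e-4  # assumed per-flight single-vane failure probability
    print(f"P(at least one of two failed) = {any_of_two_failed(p):.4g}")
    print(f"P(both, independent)          = {both_failed_independent(p):.4g}")
    print(f"P(both, 10% common cause)     = {both_failed_common_cause(p, 0.10):.4g}")
```

The point the numbers make: the fails-active case adds tens of thousands of times more risk than the fails-passive case for the same failure rate, and a modest common-cause fraction raises the both-channels-failed probability by three orders of magnitude over the independence assumption, which is why "replaced at the same time" matters more than the raw MTBF.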


The point is that, as safety-critical equipment, you can't fly the plane if one is broken. So you'd need to have two fail within a single flight, and fail in the same way, in order to cause an incorrect activation of MCAS. With just one sensor, it's much more likely.

Note that Airbus uses three of these sensors on their planes, so that when one fails you know which one it is, and can still rely on the signals from the two remaining good ones. Then you replace the failed sensor before the next flight.


This works until two sensors fail in the same direction:

>The aircraft's computers received conflicting information from the three angle of attack sensors. The aircraft computer system’s programming logic had been designed to reject one sensor value if it deviated significantly from the other two sensor values. In this specific case, this programming logic led to the rejection of the correct value from the one operative angle of attack sensor, and to the acceptance of the two consistent, but wrong, values from the two inoperative angle of attack sensors. This resulted in the system's stall protection functions responding incorrectly to the stall, making the situation worse, instead of better.

https://en.m.wikipedia.org/wiki/XL_Airways_Germany_Flight_88...
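The two consumption models argued about above (a two-channel comparator that inhibits on disagreement, versus 2-of-3 voting that keeps operating) and the failure mode in the XL Airways quote, as an added example in Python. This is not Boeing or Airbus code. The agreement tolerance, the stuck-vane window and the sample sequence are constructed assumptions, and the frozen-channel check is a common stuck-sensor heuristic added here, not a description of either manufacturer's logic.

```python
"""Fail-safe pair comparison vs fail-operational 2-of-3 voting for AoA vanes.

Added worked example; not Boeing or Airbus code. The agreement tolerance,
the frozen-vane window and the sample values are constructed assumptions.
"""
from typing import List, Optional, Sequence

AGREE_DEG = 5.0   # assumed: readings within this many degrees count as agreeing
FROZEN_DEG = 0.1  # assumed: a channel that moves less than this over the window is suspect


def fail_safe_pair(left: float, right: float, tol: float = AGREE_DEG) -> Optional[float]:
    """Two channels, fail-safe: agree -> averaged value, disagree -> None.

    None means "inhibit": a function the aircraft can fly without takes no
    action on data it cannot trust. It never has to decide which vane is right.
    """
    if abs(left - right) > tol:
        return None
    return (left + right) / 2.0


def fail_operational_vote(readings: Sequence[float], tol: float = AGREE_DEG) -> Optional[float]:
    """Three channels, fail-operational: reject the reading that disagrees with
    the other two and keep working on the agreeing pair.

    Returns None only when no two readings agree. This is the logic the XL
    Airways quote describes: two vanes stuck at the same wrong value outvote
    the one good vane, and the wrong value is returned with full confidence.
    """
    if len(readings) != 3:
        raise ValueError("this voter expects exactly three channels")
    pairs = [(i, j) for i, j in ((0, 1), (0, 2), (1, 2))
             if abs(readings[i] - readings[j]) <= tol]
    if len(pairs) == 3:                       # all agree: plain average
        return sum(readings) / 3.0
    if len(pairs) == 1:                       # one outlier: average the agreeing pair
        i, j = pairs[0]
        return (readings[i] + readings[j]) / 2.0
    if len(pairs) == 2:                       # middle value agrees with both ends
        return sorted(readings)[1]
    return None                               # no agreement at all


def frozen_channels(history: Sequence[Sequence[float]], tol: float = FROZEN_DEG) -> List[int]:
    """Common-mode check: channels whose reading has not moved over the window
    while at least one other channel did move. If nothing moved, the aircraft
    may simply be in steady flight, so no channel is flagged.
    """
    n = len(history[0])
    spans = [max(s[i] for s in history) - min(s[i] for s in history) for i in range(n)]
    if max(spans) <= tol:
        return []
    return [i for i, span in enumerate(spans) if span <= tol]


def guarded_vote(history: Sequence[Sequence[float]], tol: float = AGREE_DEG) -> Optional[float]:
    """Vote on the latest sample after discarding channels that look frozen.

    With fewer than two live channels left there is no independent
    confirmation, so the result is None (inhibit), not the majority value.
    """
    suspect = set(frozen_channels(history))
    live = [r for i, r in enumerate(history[-1]) if i not in suspect]
    if len(live) == 3:
        return fail_operational_vote(live, tol)
    if len(live) == 2:
        return fail_safe_pair(live[0], live[1], tol)
    return None


# Constructed scenario, not flight data: the true AoA rises from 3 to 20 deg,
# channels 0 and 1 are frozen at 4.2 deg, channel 2 is the working vane.
SCENARIO = [
    (4.2, 4.2, 3.0),
    (4.2, 4.2, 7.5),
    (4.2, 4.2, 12.0),
    (4.2, 4.2, 16.5),
    (4.2, 4.2, 20.0),
]

if __name__ == "__main__":
    print("pair 20/34   ->", fail_safe_pair(20.0, 34.0))            # None
    print("plain vote   ->", fail_operational_vote(SCENARIO[-1]))  # 4.2
    print("frozen       ->", frozen_channels(SCENARIO))            # [0, 1]
    print("guarded vote ->", guarded_vote(SCENARIO))               # None
```

On the constructed sequence the plain voter confidently returns the frozen 4.2 degrees while the aircraft is actually at 20, which is the mechanism in the quoted report. The guarded version notices that two channels have not moved while the third swept through 17 degrees, drops them, and, left with a single unconfirmed channel, inhibits instead of acting. That only helps a consumer that is allowed to do nothing; a function that must keep working needs the extra channels or a dissimilar source instead.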


That was my original question. What is the probability of them failing on the same flight in the same way (say they got frozen at the same angle, hit by a blizzard, etc.)? Intuition is that the chances are high given their low MTBF.


Not necessarily a diversion, but certainly not the only cause in a proper failure analysis.


I have the impression that people are overlooking the sensors. They are supposed to be very, very reliable. Two different planes got wrong readings from the sensor on the same side; this seems to be a red flag to me. I wonder on which side of the sensor cable the problem is.


They’re not expected to be that reliable. They’re small vanes sticking out the side of the nose, vulnerable to bird strikes. The article mentions hundreds of reported failures over the years. The way to make the system reliable is redundancy.


The article says it had 122 failures due to bird strikes plus 85 unnamed problems in about 30 years of data.

Considering the number of flights, that does sound reliable to me.

I still think two failures in the same sensor, in the same airplane, under the same condition, in less than one year did not happen by chance.


You have a very poor understanding of probability. At a mean failure rate of 0.66 per year, it is quite probable for 2 failures to be spaced 4.5 months apart.


I want to know why the Boeing flight computer needs pitot tube input at all. Modern ublox GPSes can easily obtain 3D lock on multiple satellite constellations within a minute of booting. Several of these in parallel for redundancy if you are paranoid. Flight controllers on fixed wings don't even need a magnetometer to stabilize. Just GPS path heading. If all else fails, solid state accelerometers are very reliable. Accelerometer only based dead reckoning works great. If all else fails, a single accelerometer should be sufficient to get the plane relatively stable. A barometer can help too, but doesn't seem necessary. These systems can be easily combined with fallback logic to keep the plane in the sky. I just don't understand what is so hard about this for Boeing. I understand airspeed is not the same as ground speed, but this should provide enough information to the flight computer to keep the plane in the air or at least stable.


If all you are using is ground-based position/speed, then you are ignoring the very real possibility that the air you are flying through is not stationary relative to the ground. In actual fact, especially at high altitudes, the air can be moving very fast, and the difference between ground speed and airspeed can be the difference between flying and stalling.

Also, your GPS measurements give you position, direction, and speed, but they don't give you orientation. You would have to have another instrument to feed that into the system (such systems exist).

But yes, it would be a sanity check.


Can a near-stall condition be detected solely with some combination of GPS, accelerometer, and barometer?


[Disclaimer: not an aeronautical engineer or pilot.]

Unfortunately, no. Stalling is a function of the wing's _angle_ relative to the flow of air, not of speed. If the angle is too sharp the air can't follow the curve of the wing. The critical angle is (pretty much) independent of speed. For example: if you stick your hand out of the window of a car traveling at 60 MPH, and hold it almost flat to the wind (say 80 deg.), then the air can't follow down the back of your hand. All of the "push" is backwards, and there's no push up. If you hold it at 30 deg. then the air flows around your hand, which deflects the air down and your hand up, very strongly.

Even if you're only traveling at 5 MPH, if you hold your hand at 30 deg. the air will flow around your hand and deflect it upward; it will just be a very weak effect.

The angle between the wing and the air flow is what is called the "angle of attack", and what the AoA sensors measure. The only other instrument that comes close is the Attitude gauge (the globe thing). However, it measures the plane's angle relative to the horizon, and air moving relative to the plane usually isn't parallel to the ground in conditions where the AoA matters.

Wikipedia article, with much detail, pictures, etc.: https://en.m.wikipedia.org/wiki/Angle_of_attack


You'll need the air speed and direction.

Normally, speed is from a tube aimed into the air. Normally, direction is from a little fin that can spin.

There are lots of alternatives:

Direction can be via multiple tubes aimed into the air, each with slightly different direction.

Speed can be from a hot wire. Weather stations sometimes use this.

You can get both via lidar. You just need to make it sensitive enough to pick up a response from minute particles of dust or ice.

I think I just invented a new way: do a short-duration high-power pulse of an electron source or an EUV laser, causing the air to fluoresce at enough distance from the aircraft to be clear of the boundary layer. Track the motion of the fluorescing air with multiple cameras.


Yay, yet another way to accidentally fry people on the ground if you accidentally switch on the wrong system. Radar already provides a way to do that.


Unless you limit yourself to flying very near the ground and very near sea level, the speed of an aircraft is more complex than a single number. In fact four different speed numbers are commonly used: indicated airspeed, calibrated airspeed, true airspeed, and ground speed.

* IAS is the raw airspeed reading from the pitot tube.

* CAS is IAS corrected for instrument errors, e.g. if the plane is at an angle that disrupts air flow around the pitot tube.

* TAS is basically CAS adjusted for altitude and air pressure. It’s the aircraft’s speed relative to the air around it.

* Ground speed (or speed over the ground) is TAS adjusted for the wind. This is the number that GPS is going to give you.

IAS and CAS are particularly important for describing performance characteristics - if an aircraft stalls at 100 knots CAS, then it always stalls at that CAS. If you try to describe the stall speed in terms of TAS you go from a single data point to a graph of speed and altitude.


"Why (does) the Boeing flight computer needs pitot tube input at all ?" If there is a strong tailwind, the plane needs a much higher ground speed to avoid stalls.

If these accidents prove anything, it's that we need a computer that takes many different inputs (GPS from the tail and the nose, pitot, barometer, AoA indicator, input from the pilot, engine RPM, etc) and put them into a mathematical model of the airplane before overriding the pilot.


Additionally the AOA sensor - which is basically a weather vane - does not output usable data before the airflow around the airplane has reached a certain velocity (it needs air flowing around it). Which is reported... by the pitot tubes.



