Talk:Maneuvering Characteristics Augmentation System/Archive 1
This is an archive of past discussions about Maneuvering Characteristics Augmentation System. Do not edit the contents of this page. If you wish to start a new discussion or revive an old one, please do so on the current talk page.
Archive 1
Lack of triple redundancy
I heard that the relevant sensors are only duplicated so if one develops a fault, the MCAS can become dangerously unreliable and drive the nose down erroneously. Surely triple redundancy should be industry standard?92.23.35.206 (talk) 17:34, 12 March 2019 (UTC)
- The article will be updated when there is reliable press to support the discussion. Until then, discussion is speculation better conducted on Facebook or Twitter. There is already a certification requirement for redundancy in the control computers and software (RTCA/DO-178C). I don't know about requirements for sensor redundancy. It's a Mom and apple pie argument. Who argues against redundancy? The market and regulators do when it costs or weighs too much for its benefit. We used to believe that two engines were required to fly passengers in the clouds. We used to believe that four engines and a crew of three were required to fly across the ocean. No longer. Now we only require two of each. Rhadow (talk) 17:59, 12 March 2019 (UTC)
- I'm not sure who you mean by "we". I still believe that four engines are required to fly across the ocean. Mock wurzel soup (talk) 09:45, 13 March 2019 (UTC)
- "We" includes regulators, manufacturers, airlines, and the passengers who choose to fly. Many models of twin-engine A320, A330, B767, and B777 (and others I don't know) are certified for ETOPS (transoceanic) operation. This is not the forum for that discussion, though. Rhadow (talk) 12:08, 13 March 2019 (UTC)
- As someone that has recently flown across both the Atlantic and Pacific on the twin-engine Boeing 787 Dreamliner, I can confidently state that four engines are not a requirement for transatlantic flights. Four was never a requirement, although three engines was a requirement until ETOPS was introduced in 1985 (hence the introduction of trijets). In fact, when the A380 and 747 stop production in the next few years, the only four-engine passenger plane still in production will be the Russian Ilyushin Il-96. I'd highly recommend the Wendover Productions Small Planes Big Oceans video on the subject. --Ahecht (TALK PAGE) 15:03, 9 May 2019 (UTC)
@92.23.35.206: Also lack of double redundancy. There are 2 physical AoA sensors and 2 FCCs, 1 on each side, but the software (including Mcas) running on each FCC uses only one sensor, on the same side, ignoring the other side. There isn't any kind of redundancy, not just in Mcas but also in the Speed Trim System (STS). The STS is present on the 737 NG too, but it's more predictable and 4 times slower. Even with the software update, if the two sensors deviate by more than 5.5 degrees, Mcas can't tell which one failed, so it simply stops working.
Developing redundant systems is very complex. In a proper dual-channel system, 2 computers each run 2 independently developed software versions on 2 different processors, comparing the outputs for agreement.
"The first issue was letting MCAS operate on a single vane. Boeing can revise MCAS to be a legitimate fail-safe design by fully utilizing both Flight Control Computer (FCC) channels in a brick-wall fashion. Any software patch to stub in a voted AoA vane on one side may not be fully fail-safe. As each FCC has a dual processor, both processors should agree for any command to be issued, yet this still may not be as compelling as using both FCC channels."[1]
— Aron Manning (talk) 04:22, 10 May 2019 (UTC)
- Whether duplex systems are enough depends to a great extent on whether the loss of one would be safety-critical. For example long-range airliners were required to have at least three engines until safe operation on a single engine could be demonstrated. Two AOA sensors are usually enough, however the special circumstances surrounding the MCAS design and operational regime make that questionable in this particular case. We absolutely need WP:RS before we can comment on it here. — Cheers, Steelpillow (Talk) 13:50, 15 May 2019 (UTC)
- In case of Mcas the loss of functionality (augmentation) is less critical than the loss of integrity (runaway in the accidents).
- Per Lemme's assessment: the Mcas being part of the FCC, but not the AP is a single-channel system. At any time only one FCC is "augmenting" the flight controls, so triple-redundancy is very far from this. Speed Trim System is very similar to Mcas, so much that the FAA admin presented the Mcas as part of STS (debatable). Lemme says about it: "Speed trim appears to be a single channel, single processor command. I can only assume MCAS is as well." Obviously Boeing won't disclose this information.
- Lemme goes into detail on the safety levels used in certification: "Generally the system Design Assurance Level (DAL) is tied to the level of the hazard created. Where loss of function creates major hazard, DAL C mandates the software and hardware development levels. A single threaded hardware solution would easily meet DAL D, but would be pressed to meet DAL C without redundancy."
- He summarizes with: "The alternative use of a dual-channel solution, where both autopilots must agree ..., would yield significant benefits."[2]. Proper geek stuff, so this is for the technical-minded editors. Aron M🍁 (➕) 16:13, 15 May 2019 (UTC)
References
- ^ www.satcom.guru/2019/03/what-have-we-learned-this-week.html
- ^ https://www.satcom.guru/2018/11/737-mcas-failure-is-option.html
Sources about the software updates say that when the two sensors disagree the MCAS will not activate in the future. The Verge article said that the original software is also not connected to the disagree alert; it takes whatever bad data it is given. The sensors read differently on the ground in the black box data. MCAS acted on this when the flaps retracted.
Anyway, a triple redundant sensor can still fail if two of them froze in the same position; it would outvote the one not frozen. Shencypeter (talk) 12:04, 18 May 2019 (UTC)
Like others said, multi-redundancy does not guarantee a reliable result every time, but dual or triple redundant systems recognize faults, and are either capable of disabling completely or voting on the better pair, or average, of data. The SPOF is unable to do any of this. We need to have RS still... Shencypeter (talk) 15:10, 22 May 2019 (UTC)
The media is most interested in the lack of double redundancy. The two sensors are there, but the software only uses one on the same side as the FCC it runs on (there's one FCC for each side). It costs nothing (one line of code) to compare the two values, as the software update will do, no additional sensor or hardware installation necessary. This is truly mind-baffling, it shows a design that ignores the basic principle of redundancy even if it's there for free. Redundancy is so universal in avionics, that it's the baseline: the cables are doubled, there are 2 FCCs, both FCCs have 2 different processors, there are 2 thumb switches for the trim, and - new with the NG - 2 cutout switches for the trim motor. The whole chain is doubled, and that has significant costs. Redundancy in software costs nothing, yet it is missing. This is as negligent as flying up to FL410 without PACs turned on.
With the redundancy in the software update Mcas will be disabled if the two readings differ by more than 5.5 degrees (primary source). In comparison, with triple redundancy Mcas would still work with 1 sensor failure, but "according to Boeing" Mcas is not necessary to safely fly the plane. Opinion: there will be few cases when Mcas disables, even fewer when the pilot goes into high AoA maneuvers too; in those cases the pilot will be surprised by the handling, and there have been crashes caused by such surprises (see Boeing 727 lessons). Naturally such crashes will be deemed pilot error, although Boeing is pushing the "no simulator time necessary" doctrine. Pilots should be trained for the stall tendency with Mcas disabled (an unstable condition). —Aron M🍂 (🛄📤) 16:25, 22 May 2019 (UTC)
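The three sensor schemes argued over in this thread (single-side use of one vane, dual-channel comparison with the 5.5 degree cut-off mentioned above, and a triple-redundant vote, including the two-frozen-vanes failure mode Shencypeter raises) can be illustrated with a small toy model. This is an added example, not code from the article, from Boeing's software or from any source cited on this page; the readings are constructed, the threshold is the figure quoted in the discussion, and the voting logic shows the general technique rather than any actual FCC implementation.

```python
"""Toy model of AoA sensor redundancy schemes (constructed example, not real avionics code)."""
from statistics import median

# Disagreement threshold quoted in the discussion above, in degrees of angle of attack.
DISAGREE_LIMIT_DEG = 5.5


def single_channel(left_vane, right_vane, active_side):
    """Scheme described for the original software: the active FCC reads only the vane
    on its own side. There is no cross-check, so a bad vane on that side is passed
    straight through to whatever consumes the angle."""
    return left_vane if active_side == "left" else right_vane


def dual_channel(left_vane, right_vane, limit=DISAGREE_LIMIT_DEG):
    """Dual-channel comparison: with two vanes the system can detect a disagreement but
    cannot tell which vane is wrong, so it disables the function instead of guessing.
    Returns (angle, enabled); angle is None when disabled."""
    if abs(left_vane - right_vane) > limit:
        return None, False
    return (left_vane + right_vane) / 2.0, True


def triple_vote(vanes, limit=DISAGREE_LIMIT_DEG):
    """Triple-redundant mid-value select: output the median of three readings and flag,
    as failed, any vane that disagrees with BOTH of the others by more than `limit`.
    One wild vane is outvoted and the function keeps working. Two vanes frozen at the
    same wrong value outvote the good one, which is the failure mode raised above.
    Returns (angle, failed_indices)."""
    if len(vanes) != 3:
        raise ValueError("triple_vote expects exactly three readings")
    selected = median(vanes)
    failed = []
    for i, value in enumerate(vanes):
        others = [w for j, w in enumerate(vanes) if j != i]
        if all(abs(value - w) > limit for w in others):
            failed.append(i)
    return selected, failed


def compare_schemes(left_vane, right_vane, third_vane):
    """Run all three schemes on one set of constructed readings for side-by-side study."""
    return {
        "single_left": single_channel(left_vane, right_vane, "left"),
        "dual": dual_channel(left_vane, right_vane),
        "triple": triple_vote([left_vane, right_vane, third_vane]),
    }


if __name__ == "__main__":
    # Constructed scenario: left vane stuck high, right and third vane near the true angle.
    print("one bad vane:", compare_schemes(74.5, 4.0, 4.2))
    # Constructed scenario: two vanes frozen at the same wrong value, one good vane.
    print("two frozen vanes:", triple_vote([20.0, 20.0, 4.0]))
```

With one bad vane, the single-channel scheme outputs the bad value, the dual-channel scheme disables itself, and the triple vote continues with the median and correctly flags the bad vane. With two vanes frozen at the same value, the triple vote flags the good vane as the outlier and outputs the frozen value, so a majority vote is only as good as the assumption that failures are independent.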
- I would just caution editors here that the talk page is for suggesting improvements to the article not for debating the subject of the article, please see WP:NOTFORUM. Let's stay on track, please. - Ahunt (talk) 16:52, 22 May 2019 (UTC)
We can't defend sources without discussing the topic though :-) Shencypeter (talk) 12:51, 27 May 2019 (UTC)