This is a rare absolute must-read. The 737-MAX needs to be grounded now. This is a more serious failure than I thought. theaircurrent.com/aviation-safet ht
Key part. They modified the 737 airframe to add bigger, more fuel-efficient engines to compete with Airbus. To make the handling characteristics the same, they added a "maneuvering characteristics augmentation system" so it would seem like the old 737 to pilots.
But the MCAS did some automatic pitch correction that, it seems, would cause stall and crash if angle-of-attack data was wrong. And the sensor to warn the pilots of that AOA error was OPTIONAL?!?! 💀💀 Lion Air didn't have it.
For those more familiar with software tech than airline, this is the equivalent of a "revert to classic UI" option in software. Except, the map-territory mismatches have different meanings. And on a plane, a glitch like that means crashes.
I assume the airframe and engine configuration is airworthy, so the problem is the "emulated UI" that tries to make the 737-MAX handle like the 737... via reshaping unstable dynamics. This is an awful design idea.
The Lion Air case at least is a classic Perrow-style "normal accident" (interaction of two expected error cases leading to an unexpected error case: the AOA sensor error and Lion Air not buying the "optional" warning package).
I'm betting the Ethiopian Air case will turn out to be the same or at least similar. The details are too suspiciously similar for it to be otherwise.
Caveat: I'm taking the analysis in the OP at face value because it seems reasonable. Opinion may change once more details emerge on both cases.
I've been thinking about this stuff since the Air France case. In general, there are 2 architectural approaches to design human-in-the-loop control systems. The good one follows the contours of the physics. The bad one tries to treat it like a computer UI :(
If you're going to synthesize a UI divorced from the physics in any way, the autopilot must be truly fully autonomous so the pilot is not needed at all. If the pilot is needed for top-level exception handling, the UI must conform to the physics, not pilot convenience.
But MCAS sounds critical, since the design seems to leave less room for error than the previous design. I don't think they can just turn it off. This may be 500+ planes to the scrap heap. Only a massive bailout will be able to save Boeing.
I don't think you can just "turn off" a fly-by-wire system and expect an operable plane.


