Key part. They modified the 737 airframe to add bigger, more fuel-efficient engines to compete with Airbus. To make the handling characteristics the same, they added a "maneuvering characteristics augmentation system" so it would seem like the old 737 to pilots.
But the MCAS did some automatic pitch correction that, it seems, would cause stall and crash if angle-of-attack data was wrong. And the sensor to warn the pilots of that AOA error was OPTIONAL?!?! 💀💀 Lion Air didn't have it.
For those more familiar with software tech than airline, this is the equivalent of a "revert to classic UI" option in software. Except, the map-territory mismatches have different meanings. And on a plane, a glitch like that means crashes.
I assume the airframe and engine configuration is airworthy, so the problem is the "emulated UI" that tries to make the 737-MAX handle like the 737... via reshaping unstable dynamics. This is an awful design idea.
I think the plane needs to be grounded, the "MCAS" turned off (at least the part that's there purely to emulate the handling of the old 737) and pilots recertified on the "native" handling characteristics of what is essentially a new plane in physics terms.
The Lion Air case at least is a classic Perrow-style "normal accident" (interaction of two expected error cases leading to an unexpected error case: the AOA sensor error and Lion Air not buying the "optional" warning package).
I'm betting the Ethiopian Air case will turn out to be the same or at least similar. The details are too suspiciously similar for it to be otherwise.
Caveat: I'm taking the analysis in the OP at face value because it seems reasonable. Opinion may change once more details emerge on both cases.
I've been thinking about this stuff since the Air France case. In general, there are 2 architectural approaches to design human-in-the-loop control systems. The good one follows the contours of the physics. The bad one tries to treat it like a computer UI :(
If you're going to synthesize a UI divorced from the physics in any way, the autopilot must be truly fully autonomous so the pilot is not needed at all. If the pilot is needed for top-level exception handling, the UI must conform to the physics, not pilot convenience.