Ski, you have a VERY good understanding of the incident. I will answer your questions the best I can. And since I don't know how to do multiple quotes, I will answer like this....<<answer>>
Thanks, Baker. Good stuff from you as usual.
And yes, I did answer my own question. Thinking while typing, I guess.
The Av Week bit seems to fit the scenario that was gelling in my mind.
I agree that the single point failure presented by having only one AOA sensor is poor design. In nuke power, critical sensors were often arranged in triples. Three things monitoring the same parameter. If one fails (like short to ground, open circuit, otherwise implausible signal, etc), it sets an alarm, but system keeps working. If two fail, system will not act on the apparent parameter, but alarm and just sit there. (I was not a control engr, so the above is a loose generalization).
I see a few big flaws in the MCAS:
One is relying on a single AOA sensor as discussed.
Second is when AOA went WAY off (like 74 deg nose up, right?) that in itself means signal is implausible. 74 deg nose up means the AC is charging through the air nose up to the sky and belly first. It is not flying, and not in a stall. To put AC in nose down trim in this instance is crazy.
<<You can be flying or stalled in any configuration at any pitch angle. But yes, there should be a "reasonability algorithm"...which there will be on the correction which I will post on this thread....another Av Week article>>
Third is the repeated application of nose down trim. Even if you are approaching a stall, if the MCAS keeps applying downward trim (as it apparently did), is there not a point where the trim setting is so nose down that the configuration is basically not flyable? (an actual question from this non aviator). So the system can automatically put the AC into a configuration that would be known to not fly?
<<That is pretty much what happened. Due to full nose down and increasing airspeed, the control "weighting" just kept getting heavier and heavier to the point they could not overpower the trim of the airplane...via the yoke or the manual trim wheels>>
In a true stall situation (MCAS's purpose) is there not some point of nose down trim beyond which the system should say "I've done my bit, any further nose down trim is stupid"?
<<First off, as I said in one of my initial posts on this thread, the purpose of MCAS is NOT stall avoidance. It does that indirectly. But its purpose is to make the airplane "feel" like the previous versions of 737s. The MAX had a tendency to pitch up in a turn under certain "rare" conditions. They put MCAS in to counter this pitch up tendency. It is weird in almost any aircraft to have to push the nose down in a turn. When you turn, you lose some of the vertical component of lift and you have to apply back pressure to maintain altitude. And no, there is no point in the current software that limits the amount of nose down trim...it can go full nose down and did in this incident>>
Fourth: There really should be a way to simply turn off MCAS without disabling electric trim. And the pilots should have some clear indication that nose down trim is due to MCAS and not some other cause of runaway trim where the cutout switches are the correct fix.
<<That one simply is not going to happen>>
As configured, the only way to kill an erroneous MCAS trim command is to kill all trim control. Except for the trim wheels, but they were not usable due to aero loads.
<<True. They really aggravated the situation by never touching the power. In this article, it says had they left the switches off, the airplane was still flyable and "only" 50lbs of pressure was needed to control it. But they turned the switches back on and 2 quick flicks of the trim switches allowed MCAS to trim all the way to nose down and that was the end>>
It seems you could turn the cutout switches back on, trim nose up electrically, then when in proper trim go back into cutout, as the trim switches would override MCAS. (is that correct?) But the pilots did not know this, apparently. And you would have to be quick with the cutout as any delay would let MCAS dive you again.
<<They did exactly that. The only problem is they did not recover all of the trim they lost. In fact, they just bumped the trim enabling MCAS to do its thing one more time.>>
The more I read about this, the more it seems Boeing really screwed the pooch in system design (barrier one preventing an accident fails). Then the pilots screwed up (barrier two fails). And the pilots were not trained or otherwise did not know the system (barrier three fails).
<<I agree fully>>
Somewhere in this system development there should have been a room full of engrs and pilots going methodically through the system asking questions like these:
OK, left AOA sensor poops on take off. What happens? What should the pilot do?
OK, MCAS goes nuts for whatever reason. Again, what happens and what should pilot do?
OK, pilot is in task overload, what will AC do?
OK, let's apply all possible failure modes in all possible flight scenarios and pick through the possibilities.
OK, let's repeat the exercise and assume this is a third world pilot that might not even be fluent in English.
Etc, etc..
Seems this was not done very well. Barrier four fails.
Just some rambling thoughts from a non-aviator. Not trying to be an expert here at all, just trying to educate myself.
<<A very excellent assessment. Read my next post. It is on the fixes that they are incorporating. You should have been a Boeing engineer because they are doing everything you said!>>
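As an added illustration (not from the post, and not Boeing's software), here is a toy Python model of the three safeguards the exchange above converges on: 2-out-of-3 AOA voting behind a plausibility band, and a cumulative cap on nose-down trim authority that a short pilot trim-up "bump" cannot re-arm. Every threshold and trim count is an assumed, constructed value.

```python
# Added example, not from the forum post or any real flight control code: a toy
# model of 2-out-of-3 AOA voting, a plausibility band, and a hard cap on how much
# nose-down trim an augmentation system may accumulate. All values are assumed.
from dataclasses import dataclass
from statistics import median
from typing import Optional, Sequence, Tuple

AOA_MIN, AOA_MAX = -20.0, 30.0   # assumed plausible AOA band, degrees
AGREE_TOL = 3.0                  # assumed max spread between healthy sensors
STALL_AOA = 14.0                 # assumed AOA above which the system may act
TRIM_STEP = 6                    # assumed nose-down trim counts per activation
MAX_TOTAL_TRIM = 25              # assumed cap on counts the system may hold

def plausible(aoa: Optional[float]) -> bool:
    """Reject open/short/absurd signals (e.g. 74 deg) before they are voted."""
    return aoa is not None and AOA_MIN <= aoa <= AOA_MAX

def vote(readings: Sequence[Optional[float]]) -> Tuple[Optional[float], str]:
    """Triple-sensor voter: 'ok' if all agree, 'alarm' if one was rejected,
    'inhibit' (no value) if fewer than two sensors agree with each other."""
    good = [r for r in readings if plausible(r)]
    best: list = []
    for r in good:  # keep the largest cluster of mutually agreeing readings
        cluster = [s for s in good if abs(s - r) <= AGREE_TOL]
        if len(cluster) > len(best):
            best = cluster
    if len(best) < 2:
        return None, "inhibit"
    return median(best), ("ok" if len(best) == len(readings) else "alarm")

@dataclass
class TrimAuthority:
    """Tracks how much nose-down trim the augmentation currently holds."""
    held: int = 0

    def request(self, counts: int) -> int:
        granted = max(0, min(counts, MAX_TOTAL_TRIM - self.held))
        self.held += granted
        return granted

    def pilot_trim_up(self, counts: int) -> None:
        # Pilot nose-up trim unwinds the system's contribution; the budget is
        # cumulative, so a brief "bump" cannot let the system start from zero.
        self.held = max(0, self.held - counts)

def control_cycle(readings, authority: TrimAuthority) -> Tuple[int, str]:
    """One cycle: returns (nose-down counts applied, voter status)."""
    aoa, status = vote(readings)
    if aoa is None or aoa < STALL_AOA:
        return 0, status
    return authority.request(TRIM_STEP), status
```

With one sensor reading 74 deg the voter alarms but keeps flying on the two agreeing sensors, and once the trim budget is spent a 2-count pilot correction only lets the system re-add 2 counts rather than a full activation.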