The article didn't seem to mention this crucial detail [1]: The original approval was based on Boeing's claim the MCAS had a max control of 0.6 degrees of the 5 degrees possible. This later became 2.5 degrees applied repeatedly, so 5 degrees.
The 0.6 claim meant that the MCAS system qualified for a max risk of hazardous (people injured), not not catastrophic (ie plane loss).
FAA officials claim that: (1) the mcas shouldn't even have qualified as a hazardous risk, and (2) they were unaware that it could fully control tail deflection.
There are at least three decision makers that are probably in trouble: whoever let the MCAS have a max rating of hazardous, whoever allowed the MCAS more control, and whoever didn't notify the FAA. Hopefully management rather than line-level engineers though, because this seems like a company failure.
[1] https://www.seattletimes.com/business/boeing-aerospace/faile...
> The 0.6 claim meant that the MCAS system qualified for a max risk of hazardous (people injured), not not catastrophic (ie plane loss).
My god. So that is why they only used one AOA sensor rather than comparing both -- and offlining MCAS if they disagree -- they thought it was DAL C (maybe because 0.6 degrees of stab trim likely can be countered with elevator deflection) and not DAL A.
And since there was no annunciator on the flight deck to indicate that MCAS was kicking in, the flight crew on the incident aircraft weren't able to diagnose the problem (since it didn't act like a traditional trim runaway) and do the appropriate actions to disable the electric trim control before it was too late.
Horrific.
For a long time I've used a saying I originally got from a pilot (iirc), "It's not the first problem that gets you, it's the 2nd and 3rd".
In this case it's looking more like a sequence of survivable problems in short order leads to aircraft loss, as you said, horrific.
I completely agree for the LionAir crew. For Ethiopia, I can’t imagine any 737-Max crew could step into a cockpit not having the NNC for stab trim runaway, whether MCAS or not, reviewed and top of mind and have the idea of killing electric trim at the first hint of a trim issue.
As I understand it the copilot on Ethiopia had around 200 of flying total, in any plane. The copilot usually manages checklists. At 200 hours it was probably their first emergency.
Still, the Runaway Stabilizer memory item [1] has the pilot switch the stab trim cutout switches before moving on to the printed checklist.
[1] "I. Runaway Stabilizer" on https://www.theairlinepilots.com/forumarchive/b737/b737memor...
If annunciators are eventually mandated, I wonder if we'll ever see a situation where MCAS legitimately intervenes, and a pilot in a panic turns it off while approaching stall.
Sounds far fetched, but this whole situation and how its been handled seriously undermines confidence in safety systems you shouldn't be worrying about in an emergency; and the right combination of issues certainly takes down planes, as seen with Lion Air
Well there's an option for dual AOA but neither Lion or Ethiopian took it. In the case of AOA disagreement a light illuminates. Source https://twitter.com/trevorsumner/status/1106934415610073091 and https://theaircurrent.com/aviation-safety/southwest-airlines...
That's not quite accurate. The plane has dual AoA in either case. The option is for AoA indicators and disagreement light.
So, the US airlines who bought the option will have a disagree light, but it's still the case that their MCAS is only being fed by one sensor, so they could experience the same control problems.
That is true, here's a source https://qz.com/1574441/a-warning-signal-that-could-have-prev...
A pet peeve is people not sourcing corrections
Maybe it's because we're looking at the design with hindsight, but it seems strange to me that the AOA disagreement light would be an optional feature.
> And since there was no annunciator on the flight deck to indicate that MCAS was kicking in
It is fairly clear when its trimming, theres a noisy wheel spinning on the pedestal between the pilots.
https://i.redd.it/m4yrvqi2d6oz.jpg
eh. if you're trained to look at it as a source of problem and primed by the flight log that it might be acting up, otherwise it's easy to overlook.
For anyone else curious about what DAL means:
Design Assurance Levels (DAL)
DAL A describes flight electronics hardware whose failure or malfunction could cause a catastrophic, hazardous, or severe condition that would result in the deaths of everyone aboard the aircraft.
DAL B describes flight electronics hardware whose failure or malfunction could cause a severe or hazardous condition that could involve some loss of life.
DAL C, meanwhile, describes hardware whose failure or malfunction would result in a major flight condition that likely will involve serious injuries.
DAL D describes hardware whose failure or malfunction would result in a condition that causes only a minor non-life-threatening flight condition.
DAL E, finally, describes hardware whose failure or malfunction would have no effect on the aircraft's operational capability or pilot workload.
>https://www.militaryaerospace.com/articles/2016/11/safety-ce...
> max risk of hazardous (people injured)
Still, relying on a single sensor when failure could cause multiple injury is grossly negligent. I don't know what failure rates are mandated for this risk level but a single sensor probably doesn't meet that. When you coumpound that with the fact that they sold a "premium" redundant version of that system with proper alarms in case of disagreement between sensors, then it's not hard to conclude that they put their commercial interests first, and people's safety second.