Boeing 737 Max Crashes: Sensors Vulnerable to Failure

Sadly, another &quot;the sensor did it&quot; scenario. <a href="https:&#x2F;&#x2F;semiengineering.com&#x2F;dirty-data-is-the-sensor-malfunctioning&#x2F;" rel="nofollow">https:&#x2F;&#x2F;semiengineering.com&#x2F;dirty-data-is-the-sensor-malfunc...</a> The tragic example of the Lion Air crash of a new Boeing MAX 8 aircraft, which on Oct. 29 killed all aboard, may be heading toward “the sensor did it” category. The black box recovered from the flight showed inconsistent data from one of the two angle-of-attack (AOA) sensors. With one half of the data apparently incorrect, it was enough to trigger this plane’s anti-stall system into a nose down action, which the pilots wrestled all the way into the Java sea.

Root cause analysis: excessive pressure to keep type rating caused lax engineering to be considered acceptable.<p>Fix:let the FAA do it&#x27;s job independently

Realize some pilots lurk here...was the angle of attack sensor ever associated with an automatic system prior to MCAS?<p>Seems like previous errors would have been less impactful due to human observation and synthesis with other instruments, window observation, etc.<p>If so, it shows how GIGO works in automatic systems...this should have been scrutinized as AOA sensor was not above the 1:1,000,000 threshold for single-input systems w&#x2F;o failover.

Too much is being made about the sensors. From my pilot&#x27;s perspective it&#x27;s far worse that:<p>a.) MCAS can mistrim the airplane faster than pilots can even recognize what&#x27;s going on.<p>b.) Boeing and FAA directives still don&#x27;t account for a.), and therefore they&#x27;re still giving pilot&#x27;s inadequate advice. And it&#x27;s sufficiently bad that I think it&#x27;s intentional because the advice is consistent with prior Boeing 737 models: runaway stabilizer. If they came up with a better checklist to run that only applies to the MAX, that is suggestive that at least difference training is needed, and might even suggest a different type certificate is needed.<p>Much of this is discussed here which I found to be decent: <a href="https:&#x2F;&#x2F;www.satcom.guru&#x2F;2019&#x2F;04&#x2F;what-happened-on-et302.html" rel="nofollow">https:&#x2F;&#x2F;www.satcom.guru&#x2F;2019&#x2F;04&#x2F;what-happened-on-et302.html</a><p><i>incredibly it just dumps the stab and leaves it to the pilot to get it back.</i><p><i>Electric trim must be used to neutralize control column pitch forces before cutout!</i>

So if the sensors have a higher rate of failure then it looks like changing MCAS software to rely on both sensors may not be enough as there is a higher probability of both sensors malfunctioning and sending bad data to MCAS at the same moment. In that case, I am not sure how would MCAS behave.

I&#x27;m just amazed by how poorly this was implemented. Software engineers expect hardware to fail. This wasn&#x27;t just the work of a newb (or I hope it wasn&#x27;t). This was planned; both the requirements and the failure modes. Then implemented by another team, and the quality verified by another team, even a 3rd party. There wasn&#x27;t even a cutoff if it started operating outside it&#x27;s expected range, surely one of those people would have noticed the shortfalls. This software should have the same level of engineering as other systems&#x2F; parts of the plane.<p>Every phone I&#x27;ve had in the last decade has come with GPS (which includes altitude), giros and even magnetic compasses. So they can work out the angle of attack without the need for additional sensors, or at the very least a backup!<p>Is this a wider issue with software development in general? My guess is that many businesses are moving away from the waterful model, which can often go overboard with planning (not really a problem in aerospace..). To &#x27;Agile&#x27;, which I don&#x27;t think many people truly understand (especially some managers), often sidestepping the planning and documentation to software that appears to work fine, and senior management are overjoyed with the progress and become complacent.<p>This software wasn&#x27;t even a crucial feature. It was only needed when high power is applied to the engines (like during takeoff) to stop the nose feeling too light by existing 737 pilots. This wasn&#x27;t a jet-fighter, which would become unstable without the aid of computers. It&#x27;s a shame 338 died because of what is effectively a &#x27;schoolboy error&#x27;.

One thing I haven&#x27;t seen fully explained ( maybe it was but I missed it ). Were these vanes damaged on both of these downed flights? Why didn&#x27;t all the other 737 MAX 8&#x27;s crash around the world, Was it something about the flight profile or the weather? Can the plane be flown as-is with a sufficiently conservative flight profile?

Cessna 150&#x2F;152&#x2F;172 stall warning &quot;horn&quot; works by negative pressure. <a href="https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=Q1JRTCBkWKQ" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=Q1JRTCBkWKQ</a><p>And then the Cessna 182 has an aerodynamic switch that activates an electric &quot;horn&quot;. And in either case they can get jammed up with bugs. But we do a lot of training with slow flight, approach to stall, full stall, and recoveries including recovery from the ensuing dive and secondary stalls.

I&#x27;m wondering now if MCAS should be an active system. Perhaps it should instead just warn the pilots that it thinks a stall is imminent instead, like when you get the stick shaking.

I wonder if it&#x27;s feasible to build a guard to cover the AoA sensor to mitigate the ability of foreign objects damaging the vane.<p>Clearly it&#x27;d need to be very transparent to airflow—something like the face guards of an NFL player—a heavy gauge titanium cage or something like that.<p>Btw, the Wright Bros knew the importance of AoA and included one on the Wright Flyer. Implementation? — a length of straight stick parallel to the wing chord with a <i>bit of ribbon</i> affixed to the end :-D (KISS at work!)

All equipment on the plane has a potential for failure... the question is what systematic design and pilot training is in place to take action in the face of failures.

This thing is a small fin on a swivel. It&#x27;s a wind vane about 6 inches long, sticking out into a 500 mph airstream. It&#x27;s a heavy-duty piece of metal, but that swivel joint makes it vulnerable to bird strikes, freezing, etc.

The elephant in the room, which I&#x27;ve not yet seen alluded to: Boeing wants at all costs (which will be very high) to avoid having pilots be required to requalify with new MCAS software in flight simulators.

I am surprised that there is no ultrasonic method of measuring AoA.

This is not even remotely surprising, and by all standards should be taken into account in your implementation of dependent systems&#x27; gradual degradation fault modes.

<i>Everything is vunerable to failure</i>

Shouldn’t it be easy to detect a stuck sensor and then stop using its data unless it recovers?

3 is the minimum for any critical system.

So, 140 failures in 30 years of aviation... ~4 failures per year FOR ALL FLIGHTS IN A YEAR. That&#x27;s unreliable?

Shouldn&#x27;t the headline say &quot;Boeing 737 Max&quot; ? There&#x27;s a big difference compared to regular 737s