I've always been confused here on this, does that mean the 737 MAX has a high chance to have faulty reading from their AoA sensors? Or is that pretty much the industry standard right now? This has always seem like the actual culprit.
Sensors break. They get gunk on them. They ice over.
Generally a sensor with such a critical failure mode would be triple-redundant - if one fails, the discrepancy between sensors is flagged and the aircraft runs on the other two until the broken one is fixed. In this case, the aircraft had two sensors of the type (Angle-of-Attack), but MCAS was only listening to one of them.
Why isn't this compounded with something that works by estimating the AoA from other factors? A few simple gravity based sensors would be able to tell the vector of the plane, and simply assuming that wind (airflow) is parallel to the ground would go a long way. Or is the vertical component of the local airflow so variable?
When in flight, accelerometers only tell you what forces are being exerted by the wings and the engines, not which way is down. Consider, for example, the way the drinks in a cup don't spill when a plane turns.
I know that an airplane can make a roll that keeps the fluid in the cup, but when usual commercial planes fly, they don't do stunts, so usually there's no centrifugal force to mimic gravity. When a big jet points its nose down or up people and fluids feel it pretty much as if they were on the ground on a slanted flat surface as one of its edge is being raised or lowered.
Sure, this would probably worth next to nothing in turbulence, but in a simple take off and landing (where MCAS is already active and depends on AoA) it might help.
And of course I might be completely ignorant of most of the relevant problems with using any kind of gyroscopic or acceleration based sensor.
No, but cost probably does. There have been a number of satellites flown (GOCE, GRACE, SLATS) with the sort of equipment you'd need. With that equipment, simply measure the strength of gravity in multiple parts of the plane. This gets you altitude, just as GPS or air pressure would, and then you can determine the angle of the plane.
An edit as response to the followup mentioning Einstein, due to HN throttle:
Yes, yes... and it doesn't matter for this purpose, because you can measure gravity at multiple points within the aircraft and because gravity falls off with distance.
"Einstein’s ground-breaking realization (which he called “the happiest thought of my life”) was that gravity is in reality not a force at all, but is indistinguishable from, and in fact the same thing as, acceleration, an idea he called the “principle of equivalence”.
Thanks for the elaboration. Could you help me further understand one more thing? When you say MCAS only listens to one, does that mean during the time when one AoA sensor fails? Or it always listens to one during normal operation?
Also, it does seem like Boeing dropped the ball here to not build further redundancy here.
MCAS alternates between the left and right sensor each time the plane lands. With the Lion Air flight I think cycling the electrical power for diagnostic work caused MCAS to pick up the faulty sensor for two flights in a row.
Pilots and first officers tend to switch who has flight control on each leg of their flights (which is the Pilot Flying vs Pilot Assisting), and the MCAS system uses the AoA vane associated with the side of the cockpit that currently has flight control.
There is no good reason for only listening to one sensor.
There is a sort of good reason for having a split between pilot/copilot side: the instruments are redundant (both physically and electrically), so in the event of malfunction you can failover to the other side.
That actually sounds awful, sorry for my naivety if this is just industry standard. But for such a mission critical piece to have no redundancy build over it is just poor. Especially that it's prone to failure since it's situated on the outside of the plane.
It just seems to be that this is some terrible engineering done on Boeing's end of not fully understanding the critical situation here.
Generally two failures:
1. a lack of redundancy in a mission critical sensor
2. a blind trust on MCAS's priority over pilots
There is redundancy in the sensors, but the sensors are not being used in a redundant manner. There are whispers that the 767 fuel tanker (KC-46/KC-767) has a system similar to MCAS that will look at both alpha vanes for disagreement, which is a bit damning to say the least.
a blind trust on MCAS's priority over pilots
The entire purpose of MCAS is to engage only when the pilot is flying to prevent the pilot from doing something dangerous. Previous generations of 737 had the same problem but the MAX is more delicate and compounds it with nacelles that generate lift.
Part of the problem was that MCAS was originally designed with very little control authority, and so wasn't considered safety-critical. However, during testing they realized they needed to up the gain, and made pretty major retuning without reexamining their safety assumptions.
The lack of redundancy by default coupled with extreme profit seeking by Boeing for the 'upgrade' is inexcusable. TL;DR They shit out a faulty product hundreds died as a result
Even redundancy doesn't really solve the issue. The sensors are out in the same environmental conditions, so will likely all fail at once, for example a bad pattern of water followed by cold causing icing.
Instead, the sensors should detect failure, for example by using a motor to detect if the vane is stuck and cannot turn freely.
The flight controls should also be able to fly even if all sensors of a certain type have failled. Angle of attack for example can be approximated with an accelerometer and gyro well enough to keep the plane in the air.
You're right - you need to combine with altimeter or GPS, and for more accuracy you can also combine with wind direction forecasts or airspeed measurements.
The point is, there are lots of data sources, and with even a subset of them, it's possible to fly the plane to a safe landing.
