a thoughtful web.
Good ideas and conversation. No ads, no tracking.   Login or Take a Tour!
comment
kleinbl00  ·  1846 days ago  ·  link  ·    ·  parent  ·  post: Uber's 5.6 Seconds of Incompetence

MCAS in general exists so that the MAX could be considered a 737 by the FAA which would allow Southwest, the biggest buyer of 737s, to not require recertification. Multiple sensors that could disagree would have forced the inclusion of a warning light informing pilots that the system had been disabled. You're right - that would have required additional training so instead, they made it so the system couldn't be disabled. And since it couldn't be disabled, there wasn't any point in informing the crew that it existed. So. Since we can't have a system with failsafe, we'll certify the system as not needing a failsafe.

    Ludtke didn’t work directly on the MCAS, but he worked with those who did. He said that if the group had built the MCAS in a way that would depend on two sensors, and would shut the system off if one fails, he thinks the company would have needed to install an alert in the cockpit to make the pilots aware that the safety system was off.

    And if that happens, Ludtke said, the pilots would potentially need training on the new alert and the underlying system. That could mean simulator time, which was off the table.

    “The decision path they made with MCAS is probably the wrong one,” Ludtke said. “It shows how the airplane is a bridge too far.”

    Boeing said Tuesday that the company’s internal analysis determined that relying on a single source of data was acceptable and in line with industry standards because pilots would have the ability to counteract an erroneous input.

https://www.seattletimes.com/business/boeing-aerospace/a-lack-of-redundancies-on-737-max-system-has-baffled-even-those-who-worked-on-the-jet/

In other words, the software designers decided that if things could go wrong, the pilots could always deal with it. even though they didn't know they might have to.