the MCAS relied on on a single sensor (that detected Angle of Attack) to determine if the plane was about to stall. This is bad. the part that makes no sense here is that the plane itself had two such sensors. MCAS was getting a bad AoA telling the system was about to stall when it was in fact in level flight.
Two such sensors are still imperfect- in the event one sensor goes bad, how does the system know which sensor is bad? this is why redundancy on sensors come in usually come in odd numbers- 3 would allow one sensor to go bad before reporting false information. 5 would allow two.
the fact that this was built into a production model of a commercial aircraft blows my mind- because my sole experience in building aircraft is building remote control things… that don’t need that redundancy (because nobody is on board) and even I know this.
Yeah, it should have been a A level criticality – functionally impossible to relay bad information, tri mode redundancy, shut down if it detects itself in error, etc.
the MCAS relied on on a single sensor (that detected Angle of Attack) to determine if the plane was about to stall. This is bad. the part that makes no sense here is that the plane itself had two such sensors. MCAS was getting a bad AoA telling the system was about to stall when it was in fact in level flight.
Two such sensors are still imperfect- in the event one sensor goes bad, how does the system know which sensor is bad? this is why redundancy on sensors come in usually come in odd numbers- 3 would allow one sensor to go bad before reporting false information. 5 would allow two.
the fact that this was built into a production model of a commercial aircraft blows my mind- because my sole experience in building aircraft is building remote control things… that don’t need that redundancy (because nobody is on board) and even I know this.
Yeah, it should have been a A level criticality – functionally impossible to relay bad information, tri mode redundancy, shut down if it detects itself in error, etc.