What is an example of a system like MCAS?

Question

The related question "Is it common for automated control systems to use non-redundant sensors?" does not ask about a specific example, nor are specific examples provided in the answer.

The criteria for my question:

Activates on its own, or always active.
No light/text indication of it being active.
No specific disable switch.
Relies on 1 sensor when 2+ exist.
The system is not disabled when the 2+ sensors disagree.

As you can see, these properties are modeled after what is known about MCAS.

This question isn't about the 737 in particular but about any commercial (fly-by-wire or not) airplane, so eventually the answers should specify the model, and if possible the justification of the design.

"Fixed". Indeed it doesn't matter if it is fly by wire or not. — ShinTakezou, Mar 27 '19 at 22:48
To simplify, it's not about the lack of redundancy, but for the presence of redundancy which isn't used; e.g., 2 (or more) AoA sensors, but the system uses only one. — ShinTakezou, Mar 28 '19 at 07:43
The Q text seems to address this N-sensors-but-1-used thing — if one disregards the other more strict criteria/properties in my Q — but does no ask for other example. I don't know if this isn't enough to qualify mine as not a duplicate. For now I hold that it's a different question. — ShinTakezou, Mar 28 '19 at 07:50
So, basically, ignoring all the rest that could have made a difference, those 5 duplicate-watcher are saying that if I want to ask for examples, I need to edit that duplicate answer. Interesting. — ShinTakezou, Mar 28 '19 at 13:00
I deleted my answer because thrust idling is displayed on the FMA. Kindly take the following as a constructive comment: I agree (and I voted leave open) that the questions are related but different. However, as you say, you wrote a tedious list, which actually makes for a laborious read. My recommendation is to rewrite the question in as few words as possible. If the question can't be summarized in a short title, then it won't find audience, and given the many unknowns about MCAS, may give the impression of a leading question. — , Mar 29 '19 at 07:40
I wanted to be precise to avoid answers like "the autopilot" or alike. Reading just the title isn't a good sign, and if one can't/don't want to read the tedious list, he or she could at list skip the question and leave it alone, or comment as you did suggesting to make it briefer and clearer. — ShinTakezou, Mar 29 '19 at 07:51
Related (and may answer the underlying question): Why are on-board computers allowed to change controls without notifying the pilots? — , Mar 29 '19 at 07:56
Maybe closer, but it searches for reasons (I am not), not for “names” of (sub)systems. (I am used to be enough aware of what I am searching and asking for, so I don't get the underlying part.) Also, I want to exclude (sub)systems you won't be able to fly without (like in the F-16). (Again, think about MCAS: if it didn't exist, you could anyway fly — and even likely avoid by your own the stall situation it should have helped with... but this wouldn't be in my criteria or it'd seem there's an underlying assertion about that system being unuseful.) — ShinTakezou, Mar 29 '19 at 08:45
I have applied my recommendation as a way of helping, kindly see the revision notice. — , Mar 29 '19 at 10:13
I really appreciate your efforts! I was going to modify it by myself — though likely I haven't the gift of brevity you have — needed just more time which I can't use now. Thanks alot again for your time! Let's see if it works and someone comes with an answer. — ShinTakezou, Mar 29 '19 at 10:31

score 5 · Answer 1 · edited May 30 '19 at 16:16

5

Irrespective of 737 MAX MCAS, I haven't seen similar decision relying on a single sensor on 777 or on 757.

Similarly I found nothing similar on Airbus 320, 330, 340, 350, or 380. On these Airbuses, 3 sensors are used for critical decisions, thus the faulty sensor is isolated by voting the data. If the 3 sensors are diverging (no 2 sensors giving similar data), the system goes into safe degraded mode, and the pilots are informed by automatic displayed message.

edited May 30 '19 at 16:16

fooot

72,860
23
237
426

answered May 28 '19 at 18:37

user40476

1,772
9
27

2

I’m not surprised. Aeronautical engineering 101: never rely on only one single input if it can cause loss of control. – Koyovis May 28 '19 at 22:11
2

There's another puzzling matter rambling in my mind and that I feel (maybe wrongly) it should be 101 fact: if the autopilot disconnects because of sensors disagreement, any other automatic system which uses one of those now-disagreeing sensors should be disconnected too (with loud warnings or whatever): disconnecting the autopilot but needing an active action by the pilots to disable those other systems seems very illogical to me. – ShinTakezou May 29 '19 at 19:11
If I understand, you believe, it would have been better to inhibit automatically any MCAS trim in case of AOA disagree, probably it will be like that in the future when the aircraft will be allowed to fly. – user40476 May 30 '19 at 09:43
@ShinTakezou That would make those systems dependent on (in this case) the autopilot, which seems to me to add to the possible failure modes. What if it's the autopilot code that reaches the wrong conclusion for whatever reason, and not a problem that would affect other systems? You risk suddenly disconnecting a whole slew of perfectly working systems, throwing warnings and errors at the pilots as you go. Take something like QF32, but made worse by the plane actually acting up beyond spewing messages at the flight crew. Basically pretending that a system doesn't exist seems the worse approach. – user May 30 '19 at 22:31
1

@aCVn No, it would make activation of both systems dependent upon correct functionality of the sensors. – Koyovis May 31 '19 at 03:06
@aCVn I am not saying B should disconnect if A does in the sense that A is driving the disabling of B; I was saying B should disconnect on the same (subset of) conditions A disconnects — I hope the difference I am making here is clear. – ShinTakezou Jun 01 '19 at 16:08
I hope they will put 3 AOA so that disagreement, full disagreement, becomes improbable in a single flight before maintenance action, nevertheless assuming we get disagreement and the autopilot disengages, what’s the problem if MCAS is not active too! A normally flying pilot doesn’t need the MCAS to fly 737 NG. Why will he need the MCAS for the max. If the MCAS is just to hide a defective pitch stability, this plane should not fly unless they install, why not, 4 AOA. – user40476 Jun 01 '19 at 18:20
For better understanding please refer to the following website: https://www.nytimes.com/2019/06/01/business/boeing-737-max-crash.html – user40476 Jun 02 '19 at 08:42
It should be noted, that Airbus (A320, but possible with all later types too as the logic is basically the same) even had at least one incident where two-of-three AoA sensors agreed, but were the wrong ones (because they froze), and triggered alpha-limit (pitches the aircraft down similar to the MCAS). However the pilots were properly taught how to force the system in alternate law (disable the protections) and in Airbus doing so does not otherwise affect handling of the plane. – Jan Hudec Jun 03 '19 at 18:48
@JanHudec There also has been a case of all 3 AOA probes stuck at the same angle on an A320 and the aircraft subsequently being lost from a check flight because crew tried to demonstrate the (now defunct) low speed protection... – Cpt Reynolds Jun 28 '19 at 04:46
@CptReynolds, yes, but that case only caused undetected failure of protection, not spurious pitch changes, and thus wouldn't be a problem on normal flight. The spurious alpha-limit case is more similar to the issue in question. – Jan Hudec Jul 11 '19 at 21:45

Rusty Core · Answer 2 · 2019-06-28T22:17:57.467

Speed Trim System (STS) is very similar to MCAS and is used on the same aircraft. Moreover, Boeing maintains that it did not have to notify pilots about MCAS because MCAS is a part of STS, running on the same computer and controlling the same surface — the stabilizer.

In a way, MCAS is just an extension of the system that already existed on prior versions of the 737. Just like MCAS, STS can cause stabilizer to run away, and if pilots catch it too late, they can get themselves into a situation similar to Ethiopian Airlines Flight 302, because the recovery procedure is the same.

Recently it has been reported that another glitch had been found in the 737 MAX software. The details are sketchy, here is what the Seattle Times reports:

Exercises on a Boeing 737 MAX simulator in recent days showed pilots might have difficulty responding to the newly identified failure. Just as MCAS uses a motor to move a small wing at the tail of the plane to lower the nose, the latest issue could prompt that same wing to move without pilot commands. The tail wing is known as a horizontal stabilizer.

To me this looks like a bug with STS software. Because STS is used on earlier 737 versions, Boeing does not seem to appreciate too much noise around this issue, because it may affect the entire 737 fleet.

About MCAS being part of STS, I bookmarked this where you read: “Elwell clarified that MCAS is not an anti-stall system, but a supplement to the speed-trim system”. Anyway for some reasons this STS unextended by MCAS didn't cause too much trouble in the past, it seems. Maybe it has less authority? — ShinTakezou, Jun 28 '19 at 22:09
@ShinTakezou Yes, has less authority. Also, on the NG a pilot can turn STS off while keeping electric trim switches operable. On the MAX it is not possible. So yeah, even if STS goes haywire on the NG, there is better chance to recover than on the MAX — if pilots know about the function of EACH switch, because the recovery procedure tells them to turn BOTH switches off. I think they will know it now after the crashes. I expect Boeing to re-wire stab trim cutoff switches on the MAX to the NG configuration if it wants to fix the issue the way it should be fixed. — Rusty Core, Jun 28 '19 at 22:16

What is an example of a system like MCAS?

2 Answers2

Linked