PixelFlight wrote:According to the article Boeing went with one sensor system in order not to lessen the dispatch reliability of the aircraft, and keep it simple.
No doubt that Boeing can do FBW the right way. Boeing's FBW system is used in the 777, 787 and 747-8.
In practice, the 737 and 767 are the last Boeing Commercial Airplanes non FBW design still sold today.
If MCAS is dual sensor system and one AOA sensor fails the aircraft is AOG. if one sensor fails the aircraft can still be dispatched since one is enough according to MEL. If the MCAS sensor (the left one) fails, it is always the possibility to swap sensors so MCAS has the good one and the aircraft can stillfly.
this is according to normal aircraft design philosophy, if you need one system or part you put in two, so you can fly if one fails. If you need minimum 2 parts to fly, put in three so you can still fly if one fails.
At least it seems that Boeing had different ideas about redundancy or failure rate of the AOA sensors regarding dispatch reliability, than when they calculated the reliability of the MCAS system as a whole. I don't comprehend the calculated reliability of the MCAS system, to me it looks like it is more likely to win the jackpot three times in a row on your birthday, than a single failure of the MCAS system.
To me it looks like Boeing assessed the MCAS system a thousand times more reliable that the weakest link, the AOA senso.r
That’s an interesting takeaway. So, is it safe to assume that MCAS v2.0 is going to reduce the dispatch reliability of the MAX (of versions with MCAS)? If so, I wonder if any of the sales contracts have clauses regarding reliability expectations.
Putting a crimp in an otherwise fine theory, the MAX MMEL does not include AOA Sensor and therefore one sensor down is a 'no despatch'. (Single AOA sensor despatch was in the NG MMEL).
I would assume the intent was that AOA sensor for the FCC in control for the flight would always be available at T/O, so if a AOA failure was flagged on power up (not AOA Disagree, since this not checked until 400ft agl) e.g. AOA signal failure, then the A/C was not despatched. This would of course mean that if Lion Air had paid for AOA Disagree alert, it would have been posted on the JT043 PFD and would likely have been noted in the pilots reports and then would have obliged MX to address it and likely would have identified the AOA sensor as faulty and/or if MX had consulted the on board maintenance system, AOA Disagree would have been seen present and similarly required action. (ET302, of course, both AOA sensors were operative on T/O as far as we know).
As regards the reliability numbers, for MCAS 0.0 (pre development mod) this would have likely been something like the frequency expected for wind-up turn* the calculated MTBF for 'g' sensor* the calculated MTBF for AOA Sensor. However, as we know, the AOA Sensor MTBF as supplied by the contractor is directly related to internal failures of the AOA sensor and would likely not include externally induced failure such as FOD/Bird Strike or installation error. So unless, an additional factor was included in the calculation, they are ignored.
Incidentally, the AOA sensor failure modes, co-incident with the MTBF, supplied may also have been for internal failures only. There was a reference a read a little while ago that I can no longer put my fingers on, that would seem to confirm this and did not seem to include external induced failures. The list was suggested that used in the safety analysis and test flight regime development. So, it would seem it is possible that AOA failed high, either due to installation error or bird strike was not actually considered in either or in the design decisions.