In the first, Boeing 737 MAX changes beyond MCAS, Fehrm lays out the cascade of warnings that resulted from a single angle-of-attack sensor failure:
As FAA and Boeing played through what happened in the MAX crashes in Boeing’s engineering simulators, the cascading alerts triggered by a faulty single Angle of Attack (AoA) sensor stood out:
- Stick shaker went on on the affected side from rotation and stayed on all the time, despite the aircraft flying with the correct speed and not being close to stall.
- IAS (airspeed) UNRELIABLE alert triggered
- ALT (altitude) UNRELIABLE alert triggered
- AOA (Angle of Attack) UNRELIABLE should have shown but didn’t because of a bug in MAX’s software that tied it to the optional display of AoA on the Pilot’s Primary Flight Display (PFD, the Pilot’s electronic horizon display).
- The speed tapes on the Pilot’s Primary Flight Display behaved strangely, showing too low speed and high speed concurrently in the ET302 case.
Several trim related failures in such an environment relied on the Pilots identifying the trim misbehavior within four seconds. When flight crews from different airlines were flying these scenarios, it became clear such assumptions were unrealistic.

This is an example of the hand-off problem that is inherent in sophisticated automation (see First We Change How People Behave and the numerous comments). Clearly, giving even expert pilots only 4 seconds to comprehend and react to this confusing rush of warnings would have been unrealistic, even if the pilots had been informed about and trained on the MCAS system that was causing them, which they weren't.
In the second, Fehrm points out an interesting difference between the FAA's and the EASA's requirements for re-certifying the 737 MAX in 737 MAX ungrounding, ANAC’s and EASA’s decisions:
The other condition has its root in the disconnection of Speed Trim, MCAS, Autopilot, and Flight Directors should the two Angle of Attack systems disagree. EASA will temporarily revoke the 737 MAX certification for Required Navigation Performance – Authorization Required (RNP AR) approaches.
Should the AoA monitor trip, Speed Trim, MCAS, and more importantly, Autopilot and Flight Directors disconnect, it puts a crew in a very tight spot as the difficulty of such approaches is high (they require special crew training and certification). You need all the tools you have in such approaches and don’t want a sudden disconnect of the Autopilot and Flight Directors combined with Speed Trim warning, followed by AOA, IAS and ALT DISAGREE.
The revocation of the RNP AR approach certification is temporary. One can guess it will be allowed again once a synthetic third AoA sensor is introduced to the MAX. It creates a voting “two versus one” situation when one of the sensors presents suspicious values. It would then result in an AOA DISAGREE warning, but the Autopilot and Flight Directors would stay on and IAS and ALT would still get the required AoA corrections. The AOA DISAGREE is then an indication for required maintenance rather than a major system hiccup.

Duplicating systems is never a good approach to fault tolerance; they must be triplicated. In the 70s BA used Tridents on the Edinburgh to London shuttle. Their autoland systems were triplicated, and certified for zero-visibility landing. I experienced my first go-around when, on my way from Edinburgh to Miami for a conference, the approach to LHR in heavy cloud was interrupted by the engines spooling up and an abrupt climb. The captain calmly announced that one of the autopilots disagreed with the other two and, as a precaution, we were going around for another try. On the second approach there was no disagreement. We eventually landed in fog so thick I couldn't see the wingtips. Only the Tridents were landing, nothing was taking off. My Miami flight was delayed and after about 10 hours I was re-routed via LGA.
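The difference Fehrm describes, between a two-channel monitor that can only detect disagreement and must drop its consumers, and a three-channel "two versus one" vote that isolates the outlier and keeps them running, is easy to see in a toy voter. The following is an added example written for this post; it is not code from Fehrm's articles, from Boeing, or from any avionics supplier. The disagreement threshold, the sample traces, and the "synthetic" third channel are constructed assumptions for illustration, not 737 MAX parameters.

```python
"""Added example, not code from Fehrm's articles or from the blog post:
a toy sensor voter that contrasts a two-channel monitor (it can only detect
disagreement and drop every consumer) with a three-channel 2-vs-1 vote
(it isolates the outlier and keeps consumers running).  The disagreement
threshold, the readings and the 'synthetic' third channel are constructed
assumptions for illustration, not 737 MAX parameters."""

from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple

DISAGREE_DEG = 5.5  # assumed threshold in degrees of AoA, not a certified value


@dataclass
class VoteResult:
    value: Optional[float]   # AoA supplied to consumers; None when unavailable
    disagree: bool           # would an AOA DISAGREE annunciation be raised?
    consumers_enabled: bool  # do autopilot, flight directors, speed trim stay on?
    suspect: Optional[int]   # index of the channel voted out, if any


def dual_monitor(left: float, right: float) -> VoteResult:
    """Two channels: a disagreement cannot be attributed to either side,
    so the only safe action is to withdraw the value from every consumer."""
    if abs(left - right) > DISAGREE_DEG:
        return VoteResult(None, True, False, None)
    return VoteResult((left + right) / 2, False, True, None)


def triple_vote(readings: List[float]) -> VoteResult:
    """Three channels: a channel that disagrees with BOTH others is voted
    out (2-vs-1); the remaining pair keeps feeding consumers and DISAGREE
    becomes a maintenance flag.  If no single channel can be blamed, fall
    back to the mid-value; if every channel disagrees, fail safe."""
    if len(readings) != 3:
        raise ValueError("2-vs-1 voting needs exactly three channels")
    outliers = [
        i for i, r in enumerate(readings)
        if all(abs(r - o) > DISAGREE_DEG for j, o in enumerate(readings) if j != i)
    ]
    any_pair_disagrees = any(
        abs(readings[i] - readings[j]) > DISAGREE_DEG
        for i in range(3) for j in range(i + 1, 3)
    )
    if len(outliers) == 1:
        good = [r for i, r in enumerate(readings) if i != outliers[0]]
        return VoteResult(sum(good) / 2, True, True, outliers[0])
    if len(outliers) == 0:
        # Either full agreement, or a spread where no single channel is the
        # clear culprit: keep the mid-value and flag for maintenance if needed.
        return VoteResult(median(readings), any_pair_disagrees, True, None)
    # All three channels mutually disagree: no majority exists.
    return VoteResult(None, True, False, None)


def run_scenario(left_trace, right_trace, synthetic_trace) -> Tuple[int, int]:
    """Step both designs over a sample-by-sample trace and count how many
    samples left the consumers enabled under each design."""
    dual_on = triple_on = 0
    for left, right, syn in zip(left_trace, right_trace, synthetic_trace):
        dual_on += dual_monitor(left, right).consumers_enabled
        triple_on += triple_vote([left, right, syn]).consumers_enabled
    return dual_on, triple_on


# Constructed trace: the left vane freezes at a high reading from sample 2
# onward while the aircraft actually flies at a normal AoA (about 3 degrees).
LEFT = [3.0, 3.1, 74.5, 74.5, 74.5, 74.5]
RIGHT = [3.1, 3.2, 3.3, 3.2, 3.1, 3.0]
SYNTHETIC = [3.2, 3.1, 3.2, 3.3, 3.2, 3.1]  # assumed estimate derived from other data


if __name__ == "__main__":
    dual_on, triple_on = run_scenario(LEFT, RIGHT, SYNTHETIC)
    print(f"dual monitor kept consumers on for {dual_on}/{len(LEFT)} samples")
    print(f"2-vs-1 vote kept consumers on for {triple_on}/{len(LEFT)} samples")
    print(triple_vote([74.5, 3.2, 3.2]))
```

Run stand-alone, the dual monitor withdraws the value (and with it autopilot, flight directors and speed trim) from the first frozen sample onward, while the three-channel vote keeps supplying a value for every sample and merely flags the frozen channel. The "no single culprit" branch is the caveat a designer has to think about: three channels spread evenly apart cannot be resolved by a pairwise threshold alone, which is why real voters pair the threshold with persistence timers and channel health data this toy omits.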