by Someone1234 2657 days ago
Pilots have been pushing back hard on the narrative that this was simply pilot error.

The crux is that safety agencies never mandated training on these new systems, and new procedures weren't created with them in mind. Worse still, procedures from older models of the same aircraft (such as automatic overriding of auto-trim) were removed without re-training on that either.

Lion Air had to repair the AOA sensor multiple times (replace, then flush), but a single sensor failure should not bring down an aircraft; and if the AOA sensor is that safety critical then why did Boeing put two of them instead of three (i.e. for cross-checking readings)? Either it wasn't safety critical and Lion Air's actions are reasonable, or it was and Boeing cut costs on safety.

So the justifications blaming either the pilots (who didn't get training, because safety agencies told them it wasn't needed) or maintenance (who were repairing a non-critical sensor that turns out to be safety critical) are weak.

2 comments

> Either it wasn't safety critical and Lion Air's actions are reasonable, or it was and Boeing cut costs on safety.

This is an excellent point. Boeing can't have it both ways.

I recall reading on HN that a second AOA sensor was an option.
If the AOA sensor is safety critical, they need three rather than two.

The inherent problem with two is that if one is feeding false data, you don't know which one, whereas if you have three (or more, but an odd number) you can cross-check the data and drop the faulty one.

It is a very common strategy already for commercial aviation and is called "voting logic."

> A more reliable form of voting logic involves an odd number of three devices or more. All perform identical functions and the outputs are compared by the voting logic. The voting logic establishes a majority when there is a disagreement, and the majority will act to deactivate the output from other device(s) that disagree. A single fault will not interrupt normal operation. This technique is used with avionics systems, such as those responsible for operation of the Space Shuttle.

But the real crux here is: is the AOA sensor safety critical or not? If it can fail safe, then they can likely continue as it is currently designed. But if its failure state can cause an aircraft crash, then it becomes a safety critical component.
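The two-versus-three argument in the comments above, as an added illustration that is not part of the thread or of any real avionics code: a small Python majority voter over an odd number of channels, beside a two-channel comparator that can only detect disagreement. The 2-degree agreement tolerance and the sample readings are constructed values, not real AOA system parameters, and the function names are assumptions for the example.

```python
from statistics import median
from typing import List, Optional, Sequence, Tuple

# Constructed tolerance: two readings within this many degrees count as agreeing.
AOA_TOLERANCE_DEG = 2.0


def vote(readings: Sequence[float],
         tolerance: float = AOA_TOLERANCE_DEG) -> Tuple[Optional[float], List[int]]:
    """Majority voter over an odd number (>= 3) of channels.

    Returns (agreed_value, outvoted_channel_indices). When no majority of
    channels agree with each other, returns (None, all indices): the voter
    fails safe by trusting none of them rather than guessing.
    """
    n = len(readings)
    if n < 3 or n % 2 == 0:
        raise ValueError("voting needs an odd number of channels, at least three")

    best: Optional[List[int]] = None
    for i, r in enumerate(readings):
        # Channels whose reading lies within tolerance of channel i (i included).
        agreeing = [j for j, s in enumerate(readings) if abs(r - s) <= tolerance]
        if len(agreeing) > n // 2 and (best is None or len(agreeing) > len(best)):
            best = agreeing

    if best is None:
        return None, list(range(n))  # no majority: no single faulty channel can be named

    agreed = median(readings[j] for j in best)
    outvoted = [j for j in range(n) if j not in best]
    return agreed, outvoted


def dual_compare(a: float, b: float,
                 tolerance: float = AOA_TOLERANCE_DEG) -> Tuple[str, Optional[float]]:
    """Two channels: a disagreement is detectable, but neither can be named as faulty."""
    if abs(a - b) <= tolerance:
        return "agree", (a + b) / 2.0
    return "disagree", None


def run_scenario() -> dict:
    """Constructed readings (degrees): channel 2 has drifted to a wild value."""
    healthy_pair = (5.1, 5.0)
    triple = [5.1, 5.0, 37.0]
    result = {}
    # With three channels the majority isolates the bad channel and keeps flying on the other two.
    result["triple"] = vote(triple)
    # With two channels the same fault is visible only as "they disagree".
    result["dual"] = dual_compare(healthy_pair[0], triple[2])
    # If all three disagree there is no majority; the voter refuses to pick a winner.
    result["no_majority"] = vote([5.0, 20.0, 40.0])
    return result


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The point the comments make is visible in the return values: the three-channel voter names channel 2 as the outlier and carries on with a consensus value, the two-channel comparator can only report "disagree" with no value to act on, and a three-way split makes the voter decline to choose, which is the fail-safe behaviour the last paragraph asks about.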