But this isn't really "avionics and surface control" any more than automatic lane keeping is a critical control system for the car. MCAS is a convenience feature that counteracts the plane's tendency to pitch up more than you want when climbing. Sure it can improve safety, so can lane keeping in a car. Neither is critical to operation. You can fly/drive perfectly safely without them, so they need not be super hardened against failure because you can just switch them off.
> MCAS is a convenience feature that counteracts the plane's tendency to pitch up more than you want when climbing.
It's still controlling control surfaces.
> Sure it can improve safety, so can lane keeping in a car. Neither are critical to operation. You can fly/drive perfectly safely without them so they need not be super hardened against failure because you can just switch them off.
I'm not quite sure where to begin. Just because the absence of something would make the plane flight worthy doesn't mean the addition of it keeps the plane flight worthy.
Take your lane following example. Sure, they can be turned off, but that didn't help the person whose Tesla ran straight into a Jersey barrier because it got confused by it and by where the lane was. (https://www.popularmechanics.com/technology/infrastructure/a...)
If a mechanism can control the vehicle, it is safety critical. It needs to fail safe under all conditions. The requirement to fail safe is part of what makes it a safety critical system.
In the most extreme of examples, adding a lane following module to a car that randomly swerves into Jersey barriers once at speed, if the barrier is close enough, would be a clear example of a situation where the automatic controls can cause a situation that a human could not possibly react to; hence, the system itself needs to be held to much higher standards.
> MCAS is a convenience feature that counteracts the plane's tendency to pitch up more than you want when climbing.
Nope, MCAS is required to meet the requirements set forth by the FAA. That's not a convenience thing. Various nannies may seem like convenience things in a well balanced car, but they become far more important in a powerful, poorly balanced car like a Porsche 911 or Dodge Viper — cars that have earned reputations as widowmakers.
> But this isn't really "avionics and surface control" more than automatic lane keeping is a critical control system for the car.
Even if we suppose that is true and a fair comparison (which I wouldn't), the way failure modes are handled is key. If there is uncertainty about the sensors that control the feature which controls the avionics, the system needs to halt. This is like keeping the lane control active when the computer vision algorithm used to detect the lanes is uncertain about where the lane is. Chances are it'll steer you into the next available tree and kill you.
I'm afraid everything you're saying is just very wrong:
> [Boeing self-assessed] a failure of the [MCAS] system as one level below “catastrophic.” But even that “hazardous” danger level should have precluded activation of the system based on input from a single sensor — and yet that’s how it was designed.
Even at Boeing's understated safety risk, redundancy is required. And the system actually has much more risk than they stated, since it will eventually totally deflect the stabilizer -- as happened to both fatal flights, with the jackscrews found in their farthest position in the wrecks.
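The two design points raised in this thread, halting when the sensor input is uncertain and never acting on a single sensor, can be shown side by side in a small model. The following is an added illustration, not code from Boeing or from any of the commenters; the angle-of-attack threshold, the disagreement limit, the trim step, the travel limit and the sensor readings are all constructed assumptions chosen only to make the failure mode visible.

```python
"""Toy model of a sensor-driven automatic trim command.

Compares a design that trusts one sensor with a design that cross-checks two
and inhibits itself when they disagree or either is invalid.  Constructed
example: all constants and readings below are assumptions, not real aircraft
parameters.
"""
from dataclasses import dataclass
from typing import List, Tuple

AOA_TRIGGER_DEG = 12.0     # assumed: command nose-down trim above this AoA
DISAGREE_LIMIT_DEG = 5.0   # assumed: larger spread means the input is "uncertain"
TRIM_STEP = 1.0            # assumed: nose-down trim units commanded per tick
TRIM_LIMIT = 4.0           # assumed: full stabilizer travel in those units


@dataclass
class Reading:
    value_deg: float
    valid: bool = True     # e.g. a built-in range/self-test flag


def single_sensor_command(a: Reading) -> float:
    """Design that trusts one sensor: any high reading produces nose-down trim."""
    if a.valid and a.value_deg > AOA_TRIGGER_DEG:
        return TRIM_STEP
    return 0.0


def redundant_command(a: Reading, b: Reading) -> Tuple[float, str]:
    """Design that halts when the two sensors disagree or either is invalid.

    Returns (trim_step, status).  The conservative action under uncertainty is
    to command nothing (fail safe) rather than to pick one reading to believe.
    """
    if not (a.valid and b.valid):
        return 0.0, "INHIBIT_INVALID"
    if abs(a.value_deg - b.value_deg) > DISAGREE_LIMIT_DEG:
        return 0.0, "INHIBIT_DISAGREE"
    # Both agree; use the lower of the two so a small shared bias cannot
    # trigger the command by itself.
    if min(a.value_deg, b.value_deg) > AOA_TRIGGER_DEG:
        return TRIM_STEP, "ACTIVE"
    return 0.0, "IDLE"


def simulate(readings: List[Tuple[Reading, Reading]], redundant: bool) -> Tuple[float, List[str]]:
    """Accumulate commanded trim over paired readings; saturates at TRIM_LIMIT.

    Returns (total_trim, per-tick statuses).  Hitting TRIM_LIMIT models the
    stabilizer being driven to the end of its travel.
    """
    total = 0.0
    statuses: List[str] = []
    for a, b in readings:
        if redundant:
            step, status = redundant_command(a, b)
        else:
            step = single_sensor_command(a)
            status = "ACTIVE" if step else "IDLE"
        total = min(TRIM_LIMIT, total + step)
        statuses.append(status)
    return total, statuses


# Constructed scenario: sensor A fails at tick 2 and sticks at an implausible
# 70 degrees while sensor B keeps reporting a normal climb-out AoA near 6.
SCENARIO: List[Tuple[Reading, Reading]] = [
    (Reading(5.5), Reading(5.8)),
    (Reading(6.0), Reading(6.1)),
    (Reading(70.0), Reading(6.0)),
    (Reading(70.0), Reading(6.2)),
    (Reading(70.0), Reading(6.1)),
    (Reading(70.0), Reading(6.0)),
    (Reading(70.0), Reading(5.9)),
]

if __name__ == "__main__":
    print("single-sensor:", simulate(SCENARIO, redundant=False))
    print("redundant:   ", simulate(SCENARIO, redundant=True))
```

With these assumed numbers the single-sensor design keeps commanding trim on every tick after the bad reading appears and reaches full travel, while the cross-checked design reports INHIBIT_DISAGREE from that tick on and commands nothing; the point is the structure of the check, not the specific thresholds.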