Slashdot Mirror
Flawed Analysis, Failed Oversight: How Boeing, FAA Certified the Suspect 737 MAX Flight Control System (seattletimes.com)
In one of the most detailed descriptions yet of the relationship between Boeing and the Federal Aviation Administration during the 737 Max's certification process, the Seattle Times reports that the U.S. regulator delegated much of the safety assessment to Boeing and that the analysis the planemaker in turn delivered to the authorities had crucial flaws. 0x2A shares the report: Both Boeing and the FAA were informed of the specifics of this story and were asked for responses 11 days ago, before the second crash of a 737 MAX. [...] Several technical experts inside the FAA said October's Lion Air crash, where the MCAS (Maneuvering Characteristics Augmentation System) has been clearly implicated by investigators in Indonesia, is only the latest indicator that the agency's delegation of airplane certification has gone too far, and that it's inappropriate for Boeing employees to have so much authority over safety analyses of Boeing jets. "We need to make sure the FAA is much more engaged in failure assessments and the assumptions that go into them," said one FAA safety engineer. Going against a long Boeing tradition of giving the pilot complete control of the aircraft, the MAX's new MCAS automatic flight control system was designed to act in the background, without pilot input. It was needed because the MAX's much larger engines had to be placed farther forward on the wing, changing the airframe's aerodynamic lift. Designed to activate automatically only in the extreme flight situation of a high-speed stall, this extra kick downward of the nose would make the plane feel the same to a pilot as the older-model 737s.
Boeing engineers authorized to work on behalf of the FAA developed the System Safety Analysis for MCAS, a document which in turn was shared with foreign air-safety regulators in Europe, Canada and elsewhere in the world. The document, "developed to ensure the safe operation of the 737 MAX," concluded that the system complied with all applicable FAA regulations. Yet black box data retrieved after the Lion Air crash indicates that a single faulty sensor -- a vane on the outside of the fuselage that measures the plane's "angle of attack," the angle between the airflow and the wing -- triggered MCAS multiple times during the deadly flight, initiating a tug of war as the system repeatedly pushed the nose of the plane down and the pilots wrestled with the controls to pull it back up, before the final crash.
[...] On the Lion Air flight, when the MCAS pushed the jet's nose down, the captain pulled it back up, using thumb switches on the control column. Still operating under the false angle-of-attack reading, MCAS kicked in each time to swivel the horizontal tail and push the nose down again. The black box data released in the preliminary investigation report shows that after this cycle repeated 21 times, the plane's captain ceded control to the first officer. As MCAS pushed the nose down two or three times more, the first officer responded with only two short flicks of the thumb switches. At a limit of 2.5 degrees, two cycles of MCAS without correction would have been enough to reach the maximum nose-down effect. In the final seconds, the black box data shows the captain resumed control and pulled back up with high force. But it was too late. The plane dived into the sea at more than 500 miles per hour. [...] The former Boeing flight controls engineer who worked on the MAX's certification on behalf of the FAA said that whether a system on a jet can rely on one sensor input, or must have two, is driven by the failure classification in the system safety analysis. He said virtually all equipment on any commercial airplane, including the various sensors, is reliable enough to meet the "major failure" requirement, which is that the probability of a failure must be less than one in 100,000. Such systems are therefore typically allowed to rely on a single input sensor.
Boeing engineers authorized to work on behalf of the FAA developed the System Safety Analysis for MCAS, a document which in turn was shared with foreign air-safety regulators in Europe, Canada and elsewhere in the world. The document, "developed to ensure the safe operation of the 737 MAX," concluded that the system complied with all applicable FAA regulations. Yet black box data retrieved after the Lion Air crash indicates that a single faulty sensor -- a vane on the outside of the fuselage that measures the plane's "angle of attack," the angle between the airflow and the wing -- triggered MCAS multiple times during the deadly flight, initiating a tug of war as the system repeatedly pushed the nose of the plane down and the pilots wrestled with the controls to pull it back up, before the final crash.
[...] On the Lion Air flight, when the MCAS pushed the jet's nose down, the captain pulled it back up, using thumb switches on the control column. Still operating under the false angle-of-attack reading, MCAS kicked in each time to swivel the horizontal tail and push the nose down again. The black box data released in the preliminary investigation report shows that after this cycle repeated 21 times, the plane's captain ceded control to the first officer. As MCAS pushed the nose down two or three times more, the first officer responded with only two short flicks of the thumb switches. At a limit of 2.5 degrees, two cycles of MCAS without correction would have been enough to reach the maximum nose-down effect. In the final seconds, the black box data shows the captain resumed control and pulled back up with high force. But it was too late. The plane dived into the sea at more than 500 miles per hour. [...] The former Boeing flight controls engineer who worked on the MAX's certification on behalf of the FAA said that whether a system on a jet can rely on one sensor input, or must have two, is driven by the failure classification in the system safety analysis. He said virtually all equipment on any commercial airplane, including the various sensors, is reliable enough to meet the "major failure" requirement, which is that the probability of a failure must be less than one in 100,000. Such systems are therefore typically allowed to rely on a single input sensor.
In general if you have 2 sensors that disagree significantly, you disable all functions that rely on those sensors and issue an alarm.
You might be able to decide which sensor is correct from data from other systems, but that is another story
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
<quote><p>A system designed to overcome aerodynamic flaws of larger engines is not a major failure scenario?</p></quote>
<p>Of course it is, but what is the safe action? </quote>
The safe action is the one that nobody is talking about. The previous version of the 737 had engines so big that they had to flatten the intake on the bottom so it would fit under the wing. That should have been a clue that the existing 737 design was already at its limit. By putting even larger engines on it, they had to mess up the aerodynamic stability of the aircraft such that they had to implement this software fix just to get through the approvals. It's pretty obvious that someone should have said: "look, the 737 is great, but it's at end of life. We need to make a new aircraft design now."
Imagine if we were still flying the DC-3 with every new technological advance since it was designed kludged on to it even though it was never designed for them? At a certain point you need to realize that your design is at the end of its life and move on.
But that costs money, and apparently hundreds of lives.
In some sense nobody really made the decision to use this design without redundant sensors. According to the article, the system was approved with a relatively small amount of authority - it could only move the tail by 0.6 degrees. That wasn't a bad enough issue to warrant redundancy. The problem is that the authority was then increased to 2.5 degrees, more than 4 times larger, and the safety impact was simply never re-evaluated due to the rush to get it on the market. Even documents given to other country's air safety bodies still listed the 0.6 degrees. The explosive thing about this, which is why the article predates the second crash, is that this puts the whole process in doubt. How many other numbers in the documents are just fiction? How many other safety evaluation chains have not been updated due to the rush to market? Does this amount to fraudulent behavior on the part of Boeing? My expectation is that the engineer who upped the authority from 0.6 to 2.5 did so with the intent, possibly even documented, that the safety would be re-evaluated before the jet went to market.
It's also unclear why the authority was listed as 0.6 degrees when the system could repeatedly reset itself and do it again, effectively giving it infinite authority. That is more along the lines of your question, but I think it actually wasn't clear why the ability to reset was not included in the safety analysis. This really looks a lot like an updated safety analysis was planned, postponed, and then just never done until after the Lion Air crash.
The pilots thought it was relevant, they thought that without auto-pilot on there were no automatic systems overriding their controls.
Should they have treated it like any other trim failure, sure. Does the system betraying expectations increase the chance of cognitive dissonance and them failing to do so, of course.