PPRuNe Forums - View Single Post - Of modern airliner certification
Old 18th Mar 2019, 20:23
#4
GlobalNav
Join Date: Aug 2013
Location: Washington.
Age: 74
Posts: 1,077
Received 151 Likes on 53 Posts
Originally Posted by atakacs
This is an honest question: under what regulation / system was the 787 MAX certified? What are the actual regulations? Does an FAA approval necessarily extend for the whole world?
I understand in this specific case we have an extension of the original 737, thus not requiring a full review. Still, how far can you go with that approach?
Of obvious particular interest: is it actually possible / legal to certify any autonomous flight control system (however benign, and MCAS isn't) that would get input from a single sensor?
Transport airplanes, actually the “type design” of transport airplanes, are certified by the FAA under 14 CFR Part 25. Other countries have similar, if not identical, certification requirements. Other countries may choose to validate the FAA certification and certify the system under their own rules.

It is significant to note that, over time, these rules are amended, presumably to an increased level of safety and/or to address newer technology not originally addressed. For a brand new model, like the 787, the latest amendment at the time of application is applied. For the 737 (or 747) it gets complicated to establish the certification basis, which according to certain criteria uses various amendment levels for different subsystems depending (in a simplified description) on the amendment levels used in earlier certification for those systems. New materials, new designs and technologies dictate the most current amendment. (This is a simplified explanation to an increasingly complex process.)

One rule that can be complicated and controversial to comply with is “System Safety”, 25.1309. A key concept of this rule, for the systems that it applies to, is that the level of safety (probability of a failure event) must be commensurate with the level of hazard associated with it. A catastrophic failure event is one that may result in loss of an airplane and most occupants. Its probability must be “Extremely Improbable” and numerically is on the order of one such event per 10E-9 flight hours, which practically means it would not happen (but...).

To design a system to keep the probability of a particular failure event to that level is most expensive and accomplished through strategies like redundancy, dissimilar paths, and software design assurance level A.

Regarding your particular question about autonomous flight control systems, the FAA would probably apply a combination of existing rules at the latest amendment level, such as 25.1329, and, to the degree that the system is considered “new and novel”, that is, not covered adequately by existing rules, one or more “special conditions”, which are new rules written specifically for that certification. For particular modes and functions that have a high degree of control authority and potentially catastrophic failure modes, a single sensor input could hardly comply with the requirements. There are many variables affecting the design strategies needed to assure the required level of safety. For example, are there reliable means to detect an invalid sensor signal and prevent its use by the system?

Too complicated a question for a short answer and one that would take tons of technical meetings and debates before an agreement would be reached.
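The single-sensor versus redundant-sensor point in the reply above, worked through as an added back-of-the-envelope fault-tree calculation. This is example code written for this page, not from the post, from Boeing, or from any certification document; the sensor failure rate, the monitor coverage and the common-cause factor `beta` are constructed assumptions chosen only to show how the arithmetic behaves against the 1e-9 per flight hour budget the post cites.

```python
# Added example, not from the PPRuNe post. A simplified fault-tree calculation
# of the kind a 25.1309 system safety assessment reasons about: per flight
# hour, how likely is it that a flight-control function acts on a bad sensor
# value? Every rate and coverage figure below is CONSTRUCTED for illustration.

CATASTROPHIC_BUDGET = 1e-9  # "Extremely Improbable", per flight hour (from the post)


def single_sensor(lambda_sensor: float, monitor_coverage: float = 0.0) -> float:
    """Per-flight-hour probability that an erroneous output from a single
    sensor reaches the function. A built-in monitor (range / rate checks)
    rejects a fraction `monitor_coverage` of bad outputs; the rest pass through
    undetected and the function acts on them."""
    return lambda_sensor * (1.0 - monitor_coverage)


def dual_sensor_voted(lambda_a: float, lambda_b: float, beta: float,
                      exposure_hours: float = 1.0) -> float:
    """Two sensors are compared and the function is inhibited when they
    disagree, so a hazardous action needs BOTH to be wrong in a way the
    comparator cannot see. Two contributions are summed:
      - independent double failure within one exposure interval: la * lb * T
      - common-cause failure (same icing, same design flaw): beta * lambda
    `beta` is the assumed fraction of failures common to both channels;
    dissimilar sensors from different suppliers justify a smaller beta than
    two identical units, which is why the post lists "dissimilar paths"."""
    independent = lambda_a * lambda_b * exposure_hours
    common_cause = beta * min(lambda_a, lambda_b)
    return independent + common_cause


def meets_catastrophic_budget(p_per_fh: float) -> bool:
    """True if the per-flight-hour hazard probability is below 1e-9."""
    return p_per_fh < CATASTROPHIC_BUDGET


def compare_architectures(lambda_sensor: float = 1e-5) -> dict:
    """Evaluate one constructed sensor (default 1e-5 erroneous outputs per
    flight hour, an assumed value) in four architectures and return the
    per-flight-hour probability that the function acts on a bad value."""
    return {
        "single, no monitor": single_sensor(lambda_sensor),
        "single, 90% monitor": single_sensor(lambda_sensor, monitor_coverage=0.9),
        "dual identical, beta=0.1": dual_sensor_voted(lambda_sensor, lambda_sensor, beta=0.1),
        "dual dissimilar, beta=1e-5": dual_sensor_voted(lambda_sensor, lambda_sensor, beta=1e-5),
    }


if __name__ == "__main__":
    for name, p in compare_architectures().items():
        verdict = "meets" if meets_catastrophic_budget(p) else "EXCEEDS"
        print(f"{name:28s} {p:9.2e} /FH  {verdict} 1e-9 budget")
```

With the constructed numbers, a single sensor misses the budget by four orders of magnitude even with a 90 % effective monitor, and two identical sensors barely improve on that because the common-cause term dominates; only when the channels are dissimilar enough to justify a very small `beta` does the architecture get under 1e-9. That is the quantitative shape of the post's remark that a single sensor input "could hardly comply" for a function with catastrophic failure modes.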