PPRuNe Forums - View Single Post - Ethiopian airliner down in Africa
Old 8th Apr 2019, 02:10
#3564
CurtainTwitcher
Originally Posted by TryingToLearn
To me (as a functional safety engineer) it looks like the designers made a very common beginner's mistake at the very beginning while designing MCAS.
This mistake can sometimes even be found within training documents.

MCAS should only be active in rare situations and only change the feel (low impact).
It's like an airbag which is only needed in case of an accident where it may help you.
Therefore it got a low A rating.
But this is an availability rating, not safety!

Functional Safety covers a different question: What can go wrong if this function fires off in the worst possible situation (by considering all possible situations)? In this case at maximum speed and low height. And is there any kind of controllability?
Like an airbag explosion hitting and killing you (critical) while stepping out of the car (common situation) without any chance to avoid it (too fast).
-> It should have been rated higher, probably critical (C) as already mentioned
All further analysis, quality methods, redundancies (2 or 3 sensors), documentation, process requirements... rely on this rating which was probably wrong.
In addition they changed the maximum impact of the system later (0.6 to 2.5) and did not question the assumptions within the first analysis. This should happen automatically as part of the safety process.

MCAS had apparently a latent systematic (design) fault which ended up in a critical fault as soon as the AoA reading was wrong (2nd fault).
This is no beginner's mistake. They apparently knew EXACTLY what they were doing. The only reason it was not classified as Critical is because doing so would require a crew warning and thus more crew training. This allegedly would trigger penalties embedded in purchase contracts (the figure quoted was $1 million per aircraft for just one operator who had ordered 280 units).

System failed on a single sensor
The bottom line of Boeing’s System Safety Analysis with regard to MCAS was that, in normal flight, an activation of MCAS to the maximum assumed authority of 0.6 degrees was classified as only a “major failure,” meaning that it could cause physical distress to people on the plane, but not death.

In the case of an extreme maneuver, specifically when the plane is in a banked descending spiral, an activation of MCAS was classified as a “hazardous failure,” meaning that it could cause serious or fatal injuries to a small number of passengers. That’s still one level below a “catastrophic failure,” which represents the loss of the plane with multiple fatalities.
Seattle Times: Flawed analysis, failed oversight: How Boeing, FAA certified the suspect 737 MAX flight control system

This is much much darker than a rookie error, a Rubicon has been crossed...