PPRuNe Forums - View Single Post - MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures
Old 13th Jun 2019, 05:21
#370
HighWind
 
Join Date: May 2008
Location: denmark
Posts: 9
Likes: 0
Received 0 Likes on 0 Posts
From Falcon 7X accident report: https://www.bea.aero/uploads/tx_elyd...0525.en_01.pdf
The highest design assurance level (DAL A) was assigned to THS ACMU modules and the HSECU. The highest verification and validation levels were therefore supposed to be in place throughout the design and safety analysis process. However they failed to identify the HSECU critical failure modes and did not anticipate THS runaway in normal law.
JAR 25.671: Control systems: General
The aeroplane must be shown by analysis, tests, or both, to be capable of continued safe flight within the normal flight envelope, without requiring exceptional piloting skill or strength after the following failures:
- A runaway of a flight control to an adverse position and jam must be accounted for if such runaway and subsequent jamming is not extremely improbable (probability of 1 x 10^-9 or less per flying hour).
From https://en.wikipedia.org/wiki/DO-178B
Level A, Catastrophic, is required for a failure rate better than 10^-9 per hour.

From the thread "Ethiopian airliner down in Africa":
So in sum, we have a non-DAL A system integrated with a secondary control system with no redundancy, monitoring, crew warnings or a dedicated means to disengage.
My own summary:
- MCAS is not the main problem. It just highlighted a latent design problem, present in all B737 versions.
- The B737 flight control system responsible for controlling the trim motors is not designed according to DO-178B level A.
- The B737 does not have an extremely improbable risk of a THS runaway; therefore it has been equipped with cutout switches as a memory item.
- The B737 needs to be capable of continued safe flight within the normal flight envelope, without requiring exceptional piloting skill, even with the THS in the most unfavourable position.

So either:
- The system has to be redesigned mechanically to allow the pilots to overcome the control forces on the yoke, and to trim manually throughout the envelope,
- Or the system has to be redesigned as a DAL A system, including the chain from sensors, sensor voting, actuation, and monitoring of actuation, to prevent a single fault from generating a runaway.
- Or the FAA (together with the aviation authorities in the rest of the world) somehow decide that it is safe based on operational statistics of the trim on the NG, grandfathering rights etc.

On the Falcon they were in a situation where the architecture supported DAL A, but the design process had failed to consider some failure modes; this made it an easier problem to solve than the MAX issue.
I can't see how this can be solved by correcting some lines of code.