PPRuNe Forums - View Single Post - MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures
13th Jun 2019, 08:03, post #372
fdr
Originally Posted by HighWind
From Falcon 7X accident report: https://www.bea.aero/uploads/tx_elyd...0525.en_01.pdf

JAR 25.671: Control systems: General

From https://en.wikipedia.org/wiki/DO-178B
Level A, Catastrophic, is required for a failure rate better than 10E-9 per hour.

Ethiopian airliner down in Africa


My own summary:
- MCAS is not the main problem. It just highlighted a latent design problem, present in all B737 versions.
- The B737 flight control system responsible for controlling the trim motors is not designed according to DO-178B level A.
- B737 does not have an extremely improbable risk of a THS runaway, therefore it has been equipped with cutout switches as a memory item.
- B737 needs to be capable of continued safe flight within the normal flight envelope, without requiring exceptional piloting skill even with the THS in the most unfavorable position.

So either:
- The system has to be redesigned mechanically to allow the pilots to overcome the control forces on yoke, and manual trim throughout the envelope,
- Or the system has to be redesigned with a DAL A system including the chain from sensors, sensor voting, actuation, and monitoring of actuation to prevent a single fault from generating a runaway.
- Or the FAA (together with the aviation authorities in the rest of the world) somehow decides that it is safe based on operational statistics of the trim on the NG, grandfathering rights etc.

On the Falcon they were in a situation where the architecture supported DAL A, but the design process had failed to consider some failure modes, this made it an easier problem to solve than the MAX issue.
I can’t see how this can be solved by correcting some lines of code..
Windy, that is about the sum of the problem. As far as I can see, the MCAS highlighted an issue, which is the inherent weakness of the stabiliser trim system architecture. As an industry, the constraints of a manual trim backup that could end up in a condition where manual trim change would be compromised were lost in the cracks (age creases... etc.). What may have been well known 50 years ago has been forgotten, and finally bit back. The conditions affording protection provided under § 25.255(a) Out-of-trim characteristics were exceeded in both of these cases (3 seconds at normal for envelope speed is much less than MCAS was able to achieve); and the crew were left to learn what has been forgotten and untrained for the last x number of years. § 25.672 Stability augmentation and automatic and power-operated systems appears to need a change to comply if MCAS's activity remains as it is.

The Max is able to be flown safely without doubt. It does need crew training to ensure that they comprehend at an implicit level what occurs and what must be done to deal with both an MCAS fault and an out of trim case that reaches the extent of exceeding the manual trim capability. None of this is hard to do at this point, however it was fundamentally, demonstrably impossible for a crew in extremis to sort this out without full comprehension and rational and complete guidance. Recall that all of the simple fixes that we have today, all of the platitudes and mnemonics etc. all arose from crews that found new corners of the envelope of our corporate knowledge, and paid highly for that headline. It remains my view that it is unjust to beat up or deride the crew of either of these planes for being what the industry trains and accepts, and in the absence of any overt action to get to the point that they did on the design, the manufacturer is also a result of the system that has developed, warts 'n all. Personally, if anyone needs a driver to fly the envelope of the Max with the fault and the cure, I'm happy to drive the aircraft as PIC to make the point. The plane even with the system as it stands can be flown, but it needed the information as to what was occurring to develop, and that has only come about post hoc.

Training is absolutely overdue for the crews on this type on the MCAS and the out of trim case that MCAS has resulted in. Do that, and the plane should be flying today.

Any Ops program/NAA is welcome to PM if they want the basis of the training needed to give assurance of the outcome, or wish to fly the envelope of the Max out with this issue. The simulator QTG validation does need to be assessed separately, however the plane can be flown safely. I still suspect that the 672 and 255 cases need an ELS statement to be concluded, and that comes from doing rational training. If that was done, it would not be the first time that a method such as an SFAR was applied to a design that had taught the operators some lessons along the way, as the rice rockets and the RHCs have done before.

X-mas for RTS is not a solution, it is a lack of confidence in their own competencies in sorting out the necessary ticks in the box. Am not a fan of the SLUF, almost all other Boeings have been better, but you can't argue the success of the design to date. Post this saga, the Max should be the most successful Boeing aircraft design to date, certainly it will be the best of the SLUFs. X-mas as a schedule is reminiscent of awaiting the chicken entrails to dry just so, or pending Feng Shui to be deemed right. Inform the pilots, and then train them correctly on the issues.