FAA Proposes Overhaul Of Airliner Certification


The FAA has published its response to the 737 MAX certification debacle in the form of a 117-page Notice of Proposed Rulemaking (NPRM) that aims to rid the system of loopholes and regulatory gaps that played a role in the tragic crashes of the aircraft shortly after it was signed off. “The FAA proposes revised and new safety standards to reduce the likelihood of potentially catastrophic risks due to latent failures in critical systems,” the agency says in its overview of the NPRM. “With this action, the FAA seeks to reduce risk associated with airplane accidents and incidents that have occurred in service, and reduce risk associated with new technology in flight control systems.” The overhaul is directed at Part 25 transport category aircraft.

The NPRM focuses mainly on what it terms “latent failures,” which it defines as failures that are “not apparent to the flightcrew or maintenance personnel” and can combine with other failures with catastrophic results. In the case of the MAX, bad data from angle of attack indicators caused a hidden software system designed to improve handling characteristics to push a Lion Air and an Ethiopian Airlines aircraft into unrecoverable dives. A total of 346 people were killed.

Because much of the technology is new, the ways systems can fail are also new and that, says the FAA, requires an overhaul of the certification process. Fundamental to that overhaul is the standardization of safety criteria not only at the FAA but with regulators in other countries, the NPRM says. The document is likely to prompt much discussion among regulators and the industry, but the agency says it’s work that has to be done so that accidents can be prevented rather than serve as a primary source of data on aircraft flaws. “The proposed standards would also improve the likelihood that operators discover latent failures and address them before they become an unsafe condition, rather than discovering them after they occur and the FAA addressing them with airworthiness directives (ADs),” the NPRM says.

Russ Niles
Russ Niles is Editor-in-Chief of AVweb. He has been a pilot for 30 years and joined AVweb 22 years ago. He and his wife Marni live in southern British Columbia where they also operate a small winery.


  1. I have a mental picture of an engineer in a small sub-basement office next to the boiler room whose job it is to catalog for investigation all possible “Extremely improbable failure conditions” inherent in a new design. (Definition: “A failure condition that is not anticipated to occur during the total operational life of all airplanes of a given type.”)

    • BZZZZT,,, “Hey Wally, you got room for another desk down there? We need to get the documentation moving on the single-pilot A9999 and it’s WAY more complex than the last one…”

    • I was that guy. Not on airplanes, but helicopters. Demonstrate compliance with CFR 14 FAR 25.1309/29.1309.

      Yes…the process was deep and onerous, and I had cases for undetected flight control system failures. Yes…potentially catastrophic, especially when you add a layer of autonomy on them. Yes…the process says that you have to design it out, not put on bandaids or training or caution lights…and design it out to a prescribed level of reliability. And yes…autonomous flight control systems (to include FBW) require even more rigor.

      My understanding is that the design relied on input from a single AoA sensor…so no idea how you can meet goals with a system like that. Again, full autonomy primary flight control, single sensor so no means to detect/isolate/control a failure condition.

      I could go on, but I’ll just add that this article suggesting there was more than one AoA sensor involved goes against everything I’ve read, and considering the criticality of the system I would expect more than two to be involved.

      • You are correct. The system relied on data from one AOA sensor but there were two AOA sensors available and the disagreement wasn’t alerted because that feature was optional and neither airline bought it. I didn’t make that clear.

  2. Any system needs competent people to make the system work. From my perspective, the Max was in trouble at the beginning when it was decided that Max was a “minor” change and did not affect training. Max failed the “Fit, Form, Function” test and should have been a major change. Once Max was deemed a “minor” change – the die was set… (Hindsight is 20-20.)

    It may take money to get competent people and the government may not have the budget to fix the problem. Some of the self-certification was caused by the government not having enough competent people.

    • … and NOW … many of them are STILL working in their BVD’s in their basements answering phone calls and emails.

    • Certainly it was presented as a minor change; merely an augmentation system. But then it was gifted supreme powers of control, and then given a single point of failure. What could possibly go wrong?

  3. Boeing will be better off to get rid of this so-called new technology which really is not necessary. A simple warning display or alarm for the critical attack angle is quite enough for any pilot.

  4. Sincere (non sarcastic) question: As pilots we are trained to identify contradictory information from instrument failures. We aren’t supposed to just fly the attitude indicator into the ground if our VSI and Altimeter are telling us that we are descending. So my question is – what happened at Boeing that caused/allowed them to design a system that would cause the aircraft to respond based only on AoA and disregard other information (vertical speed, altitude, etc) without causing the system itself to say “Hey, this doesn’t all add up. Something is WRONG.”

    • Well, it started when Harry Stonecipher came to Boeing and couldn’t understand why we had so many engineers! It’s because it takes a lot of engineers to make a new airliner. McDonnell-Douglas didn’t make a new, clean-sheet airliner since they merged back in 1966. The DC-8 was out already and the DC-9 had recently started delivery. The DC-10 was already on the drawing boards. So the people who took over management of Boeing had no idea how hard it was to actually make a new, or greatly modernized, airliner!

    • I’ve been wondering the same thing. Automated systems should take in all available data, from multiple redundant sensors; build a model of what the aircraft is doing; throw out any bad data or sensors; and finally issue commands to the flight controls.

  5. There were a lot of issues that caused these accidents. Could Boeing have done a better job of developing the MCAS system (using both AOA probes)? Answer: yes, but that was nothing that couldn’t have been changed with service bulletins and/or AD notes.
    The stabilizer operating system did not change really from when they made the change from the JT8 engines (200/291 generation), to the CFM engines (300 series and up), that is when we got speed trim. The electrical operation of the trim is controlled by Manual Electric, Autopilot, and Speed Trim, all three of which go thru the same 2 switches that have been in the aircraft series starting with the 300’s.
    The stabilizer trim runaway checklist has not changed since the 300 generation A/C were certified and used to be a memory item.
    Crew factors were a very big factor in both accidents, but the press does not want to hear about that. The individual airlines’ operating philosophies were a factor, but again the press does not want to talk about that either.
    Most airlines in the US have a very high experience level to be initially employed, and even then a very rigorous training curriculum is employed to bring the new hires up to the individual airline’s level of proficiency. During that training a lot of time and effort is given to some sort of CRM, and verbalize, verify, monitor, intervene (VVMI) is given. Short statement: our crews talk and exchange ideas.
    My professional and personal opinion is that Boeing was forced into adding the MCAS system to the speed trim system by the airlines due to union/ labor issues, not due to a faulty design.
    As for the FAA, they are no longer an asset to aircraft safety. Our FAA bureaucracy has lost a lot of old school knowledge and has found a great way to protect themselves by just not approving anything; us GA guys see that all the time.