[SystemSafety] Boeing 737 Max Problems with Faulty AoA sensing

Peter Bernard Ladkin ladkin at causalis.com
Mon Apr 8 09:37:48 CEST 2019


For those not up to speed, so to speak, it turns out that the aircraft in the Ethiopian accident
flight ET 302 also had a faulty AoA sensor reading.

There has been comment about Boeing's internal processes, about the increasing amount of regulatory
design oversight tasked to the company itself rather than retained at the FAA, and about FAA design
oversight itself. One meme that has occurred multiply, in articles in the Seattle Times and
elsewhere, is that the FAA was under time pressure to complete the certification. This was
explicitly addressed by John Hemmerdinger in an article in Flight International, p9, edition of 26
March-1 April:

> The FAA describes the Max's certification as a thorough, five-year process. "We have no reports
> from whistleblowers or any other sources pertaining to FAA technical personnel being pressured to
> speed up certification of the Boeing 737 Max," the agency says.

Five years seems to me to be an adequate amount of time to recertify a modified airframe. Of course,
not if you don't adequately staff the project. I am not familiar with the effort required. Does it
take 50 person-years or 500?

There is a deeper puzzle here for system safety engineering. As well as a deeper worry or two.

The conclusion first: Someone screwed up the FMEA. But it is hard to understand how that might have
happened, as follows.

(1). Pitch control is obviously a flight-critical subsystem, so it needs and will have got an FMEA.
(2). How can you perform an FMEA on pitch control, and not consider faulty sensor input? Faulty
sensor input is the obvious fault class with which to start any FMEA. You can't just miss it out.
(3). If faulty sensor input was considered, then the ETA/Consequence analysis missed an
almost-deterministic consequence of faulty-high AoA. How on earth did that consequence get missed?

Ad 3: A more subtle question posed now twice by Steve Tockey (on a different list). The AoA sensed
value goes into an ADIRU before it gets to the SW. ADIRUs perform some filtering on the data, but
not on all (see QF72). How come the erroneous reading wasn't caught and filtered?

What lessons can be drawn? They are not pretty.

Putting air data into an ADIRU and passing it on to SW is standard stuff on almost any modern
airplane. If it is possible to screw up (2) and/or (3), then one wonders
A. How much of the rest of the FMEAs on this airplane are equally poor? And, thereby, what else lies
in store for the occupants?
B. What other aircraft types flying have undergone an equally-poor FMEA with the air data? Are
there unjustified assumptions being made concerning the processing of air data through ADIRUs?
Airbus, for example, was careful to make known that indeed the QF72 air data spikes had been
considered, but had been judged too improbable to implement prophylaxis. (That has now changed.)

PBL

Prof. Peter Bernard Ladkin, Bielefeld, Germany
MoreInCommon
Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de
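The filtering question raised under "Ad 3" above (why an erroneous AoA reading was not caught before it reached the software) is what an air-data plausibility filter is meant to answer. What follows is an added illustration, not code from this post, from any ADIRU, or from Boeing: it assumes two AoA vanes feeding one consumer, and the thresholds (physical range, maximum credible rate of change, maximum tolerated left/right split) and the sample trace are constructed for the example. The point it shows is that a filter which only checks each channel in isolation catches a one-sample spike but not a persistent offset; the cross-channel comparison is what catches that, and the conservative output for a disagreement is "no trusted value" rather than picking a channel.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Thresholds are assumptions chosen for this example, not any real ADIRU's limits.
AOA_MIN_DEG = -20.0
AOA_MAX_DEG = 30.0
MAX_RATE_DEG_PER_S = 10.0   # assumed maximum credible rate of change of AoA
MAX_SPLIT_DEG = 5.0         # assumed maximum tolerated left/right disagreement


@dataclass
class Sample:
    t: float       # seconds
    left: float    # left vane reading, degrees
    right: float   # right vane reading, degrees


@dataclass
class Output:
    t: float
    value: Optional[float]      # None: no trusted AoA; automation must not act on it
    reasons: Tuple[str, ...]    # why the value was withheld (empty when trusted)


def _channel_ok(name: str, v: float, t: float,
                last: Optional[Tuple[float, float]]) -> Tuple[bool, str]:
    """Range and rate-of-change check for one channel.

    `last` is the channel's previous raw sample as (t, value), or None for the
    first sample. Comparing against the previous raw sample means a step change
    is flagged once; a persistent offset after the step is left to the
    cross-channel comparison in filter_aoa().
    """
    if not (AOA_MIN_DEG <= v <= AOA_MAX_DEG):
        return False, f"{name}: {v:.1f} deg outside physical range"
    if last is not None:
        dt = t - last[0]
        if dt > 0 and abs(v - last[1]) / dt > MAX_RATE_DEG_PER_S:
            return False, f"{name}: jump of {v - last[1]:+.1f} deg in {dt:.2f} s"
    return True, ""


def filter_aoa(samples: List[Sample]) -> List[Output]:
    """Return one Output per sample; value is the mean of two agreeing, plausible
    channels, or None whenever fewer than two channels can be trusted."""
    last: Dict[str, Optional[Tuple[float, float]]] = {"left": None, "right": None}
    out: List[Output] = []
    for s in samples:
        reasons: List[str] = []
        valid: Dict[str, float] = {}
        for name, v in (("left", s.left), ("right", s.right)):
            ok, why = _channel_ok(name, v, s.t, last[name])
            last[name] = (s.t, v)        # track raw history regardless of verdict
            if ok:
                valid[name] = v
            else:
                reasons.append(why)
        if len(valid) == 2:
            split = abs(valid["left"] - valid["right"])
            if split > MAX_SPLIT_DEG:
                reasons.append(f"channels disagree by {split:.1f} deg")
                out.append(Output(s.t, None, tuple(reasons)))
            else:
                out.append(Output(s.t, (valid["left"] + valid["right"]) / 2, ()))
        else:
            reasons.append("fewer than two trusted channels")
            out.append(Output(s.t, None, tuple(reasons)))
    return out


# Constructed trace (not flight data): a one-sample spike on the left vane,
# then a persistent high offset on the left vane.
SAMPLES = [
    Sample(0.00, 2.1, 2.0),
    Sample(0.05, 2.2, 2.1),
    Sample(0.10, 40.0, 2.1),   # left spikes beyond the physical range
    Sample(0.15, 2.3, 2.2),    # left returns; the return itself fails the rate check
    Sample(0.20, 23.0, 2.2),   # left steps to a persistent ~21 deg high offset
    Sample(0.25, 23.1, 2.3),   # left now passes range and rate, only the split catches it
]

if __name__ == "__main__":
    for o in filter_aoa(SAMPLES):
        print(f"t={o.t:.2f}s value={o.value} reasons={o.reasons}")
```

Note what the trace demonstrates: the spike at 0.10 s and the step at 0.20 s are rejected by per-channel checks, but from 0.25 s onward the left channel looks entirely plausible on its own, and only the comparison against the other vane withholds the value. A consumer that is allowed to act on a single channel would never see that rejection.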
