[SystemSafety] B737M MCAS
Peter Bernard Ladkin
ladkin at causalis.com
Tue Mar 19 15:47:09 CET 2019
On 2019-03-19 14:38 , Andy Ashworth wrote:
> In summary, there was a failure in the engineering of the overall system rather than a failure
> within a specific component or discipline.
Yep, I'd endorse that view.
Sumner makes a series of good points, but overstates them. He identifies nine "problems". A
superficial reader might think this is nine holes in the Swiss cheese. Little of that would be right.
The desire to use more fuel-efficient engines is a matter of advancing the engineering of the
aircraft. That would have happened anyway - Boeing would reeingineer a new airframe around the new
engines, but it seems they didn't think they could do so at the time, to the schedule they wanted
(they were having big issues with the Boeing 787 supply chain, for example).
The MCAS is there, not as a stall-protection system (which too many newspaper articles are calling
it), but as a solution to a certification problem, namely 14 CFR 25.173
https://www.law.cornell.edu/cfr/text/14/25.173 At high AoA, in a so-called "wind-up turn", the stick
response to higher AoA becomes lighter. Regs say it should become heavier. The reason it becomes
lighter is that the nacelles for the new engine generate lift at high AoA, which acts forward of the
centre of pressure. I understand this was discovered after the design was stable; indeed, during
flight test, I think (I may be wrong about this).
None of this to this point is in any way problematic. Neither are such developments unexpected. The
Boeing 777, for example, encountered a fuselage oscillation frequency of (I think it was) 3 Hz or so
during flight test, which made the ride at the front, and the control, very uncomfortable. It was
fixed with damping through the FBW system, as I recall. (Maybe someone with a better memory than I
have can fill in the details better.)
But what then happened was apparently a system-engineering brouhaha to which Andy rightly draws
attention. A system was installed that rendered the airplane out-of-trim in pitch, automatically and
irrevocably (you are not supposed to be able to pull the breaker, because the system is required for
certification compliance; it always has to be active). First, the system depends for its inputs, and
therefore for its trigger conditions, on a sensor that otherwise is not critical on this airplane
(there has been lots of discussion about AoA indications over the decades, and the consensus at B
was/is that it is a nice-to-have, not a must-have). I have a query out as to whether this sensorics
was upgraded to DAL A as a consequence of the MCAS mod. I suspect it was not. It surely will be now,
when the mod comes out. How B will do that remains to be seen; it surely requires significant system
modification. Second, I cannot see how to resolve the issue that a system required for airworthiness
compliance renders a flyable airplane out of trim in pitch.
I don't think it is any wonder that the DoT is on the case legally.
PBL
Prof. Peter Bernard Ladkin, Bielefeld, Germany
MoreInCommon
Je suis Charlie
Tel+msg +49 (0)521 880 7319 www.rvs-bi.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20190319/7136d058/attachment.sig>
More information about the systemsafety
mailing list