[SystemSafety] "FAA chief '100% confident' of 737 MAX safety as flights to resume"
Peter Bernard Ladkin
ladkin at causalis.com
Fri Nov 20 14:25:58 CET 2020
Tom,
This aircraft has a system that automatically puts the aircraft out of trim in certain edge
situations in the flight envelope. As a pilot I consider that a POS; I can barely believe anybody
can have done that, but they did. As a safety engineer I consider that neither appropriately
conservative nor safe, no matter whether everyone now knows about it or not.
Second, are we completely sure after Amsterdam, Jakarta and Addis that there are no more critical
channels that are not (at least) duplicated? Has Boeing really redesigned the entire electronics to
be two- to three-channel? Personally, I doubt it.
The limitations of the certification procedures that are now in place to identify hazards and their
mitigation were pointed out in October 2019 by the JATR, and again by the House Transportation
Committee a year later. Namely, the current practice identifies and mitigates hazards which involve
crew action in isolation, not holistically. This is how the ineffectiveness of the trim wheels in
specific cases of runaway trim was missed. It took a video from an anonymous training pilot and a
bunch of 1970s-80s 737 pilots who remember it from then, as well as a rereading of D. P. Davis, not
anyone from Boeing or FAA, to point it out.
Few if any of those inadequate HazID/HazAn procedures have been magically fixed in a year and a half.
This aircraft used to be mechanical and is getting to be a big cyberphysical system. It exhibited
one massive problem, twice, shortly after service introduction.
Suppose you install a new copy of <your favourite OS> on your machine, and it crashes repeatedly in
one particular way. The manufacturer tells you "oh, we've fixed that in our <current> release". How
confident can you be that there aren't any more such phenomena lurking in the system? From
experience, most of us would say "not very."
Bev Littlewood, Harold Thimbleby, Martyn Thomas and I have just considered this question in light of
the Post Office Horizon system scandal in the UK.
That may be argued not to be a similar issue, of course, because there is no suggestion so far that
the various implicated cyberphysical subsystems did anything other than behave according to their
design. But the overriding phenomenon is the complexity of the design and the unforeseen
interactions between system components. And what you might think of it once the manufacturer has
fixed the most glaring infelicities.
(For example, the Horizon system generated phantom transactions. That's absurd, you might think --
it takes a person, a user, to initiate a transaction. Not so. There were transactions that occurred
without any human interaction at all, anywhere, as far as anyone could tell. I think it was guessed
to be faults/failures in touchscreens.)
Given all that, I sympathise strongly with Olwen's attitude. I may well share it myself.
PBL
Prof. Peter Bernard Ladkin, Bielefeld, Germany
ClaireTheWhiteRabbit RIP
Tel+msg +49 (0)521 880 7319 www.rvs-bi.de