The FAA did not catch the error in the FMEA Document.
A Seattle Times story cited a Boeing engineer who stated that the FAA did not require the details of the FMEA, only the summary results.
https://www.seattletimes.com/seattle-ne ... afeguards/
"You turn in your answer," he said. "You don't have to document all your work."
Sorry, been too busy to follow this thread:
You are correct; and that is what I would expect. The FAA (and in my industry the NRC) does not see all the work that goes into a FMEA. Just the summary FMEA.
I'm going to describe how FMEAs work where the error almost certainly happened (and likely how). It's been a while since I've described this in this or the crash threads. I think it's very relevant though.
This also relates to the current discussion on potential negligence liability (more on that after I describe FMEAs).
Failure Mode Evaluation & Analysis (although slightly different terminology can be used).
My experience with them is that they are a Form 20-30 pages in length that starts off asking for a functional description of the component or system, listing all parts and functions - and any changes from a previous version of the component or system.
The Form you use is based on the component or system (mechanical components and systems will have a different Form than electronic circuits, or items that have programs in them, etc.).
The Form will be broken into logical sub-segments based on what is typical for that kind of component or system.
Each section will then ask a series of questions essentially generated from the previous history of failures from identical or similar components and systems (and the old FMEA Forms of designs 15 years ago that I've reviewed were only about 1/2 as long as the current ones... we keep "finding" new failure modes). Also, probability and significance have changed too (we learn things). Note that FMEAs start with all the accumulated knowledge to date about failure modes, probability of occurrence, and significance (although at times there is room to argue some things a bit one way or another). This is not just asking someone to list what they think can go wrong, its probability, and significance.
I also note that it's been my experience that when a person is first introduced to the forms, they are totally shocked at how many ways (or modes) we already know something can fail.
For each question you have to answer first whether that is possible or not with the specific component or system. If yes, what is the probability of failure, and the worst-case significance when it fails.
I've personally reviewed FMEAs; and at times I've had to ask the preparer for his analysis behind their probability and significance. I have challenged those several times which caused revision to their analysis (and always both My and Their Supervisor and/or Managers thanked me for that, even if the person doing the rework did not - actually only one "author" did not thank me). I once "delayed" final approval of about a half billion dollar project for a month or so on this (a significant Plant Output Up-rate with major equipment changes). That brought a "thank you" from both plant management and out of state corporate leadership (and at least a smile from the regulator's inspector).
But, all that ends up on the form is the result. Not the analysis.
At the end of each sub-section is an open question with a block; generally worded along the line of "Can you conceive of any other potential failure mode in this area not covered above? If so, list them and analyze them."
The person filling this out is fully aware of what the component or system is supposed to do (they will be a key member of the design team); and they are often thinking about how good a job they did. It's very hard for them to see their blind spots or what they missed (that is human nature).
The people reviewing the form will also be fully briefed on the purpose of the design and why things are done the way they are done. They are very susceptible to "Group Think" and may easily miss seeing what was missed (there is a reason those Forms have doubled in length in 15 years in the Nuclear Industry). Actually, for the controls the forms from the suppliers may be the same ones as for aircraft, as some of the companies supplying safety critical controls to nuclear plants are supplying safety critical controls to the aviation industry (I have a friend in aviation who is in a position to know - and we talk the same shop when talking about regulations and safety critical requirements, although there are some technical terms that are different). As far as I can tell almost everything regulation- and process-wise has an exact parallel between nuclear and aviation, except things related to the different end use.
As far as I know, the kind of failure that occurred with the 737max MCAS system has never occurred before. Thus, questions related to it were not on the FMEA Forms for that kind of system (I'm sure they will be in the future).
Now you are asking people to think of things no one has ever thought of before or documented a failure like it before; and the form generator is innately blind to what they may have missed, and the others are often highly susceptible to "Group think."
Not easy at all, and only a small % of people have a tendency of routinely thinking outside the box - and just look at how the forms have grown with new failure modes and the changes in probability and significance over the years to see how often things are missed at this stage.
If this kind of failure had been identified at this step in an initial FMEA form, with even an approximately close analysis of significance and probability, I am very sure that the design of the system would have been changed and the kind of MCAS failures that occurred in both events would almost certainly not have occurred (and at least not two failures in about 6 months). Management would not have anything to say - except possibly thanks for finding that. It's not safe. We have to make it safe (or at least arguably so) to meet the probability and severity standards.
I cannot speak about the Aviation Industry; but all of my industry contacts tell me that my personal experiences are not unique; that the Nuclear industry encourages and supports you in finding this kind of stuff - and says "Thank you" when you do.
I have not seen the actual assessment that identified that the failure was at the FMEA stage (there are sources for that). But, I'm pretty sure that it's at the "Think of any unasked modes of failure" stage in the process (and that the Forms will grow in length because of it).
Which brings us to the concept of criminal negligence. Intent does not have to be proven. From a practical standpoint the reasonableness of expecting the outcome is considered. A non-aviation example (which has played out in the courts in the USA several times in various cases): If I were to take my hunting rifle out and target shoot in the back yard of my house, and miss whatever I set up as the backstop (or even inadvertently shoot in an unexpected direction) and the bullet penetrated my neighbor's house and caused injury or death, I'd almost certainly be held criminally negligent. If I did it with a pellet gun, and unknown to me the neighbor was working on his house and he removed a section of the wall... I would almost certainly not be (no one expects a pellet to have enough energy to cause injury if it gets to my neighbor's house).
If I take my hunting rifle out to my brother's place and unknown to us someone happens to be walking in the backwoods half a mile away and I inadvertently injure or kill them, I almost certainly would not be.
If someone has told the police that they intend to kill me (this did actually happen once), and I shoot him while he is breaking into my house (which did not happen - but I thought it was going to one day) - and a bullet goes through a neighbor's house wall and causes injury or death, I would almost certainly not have been charged or held criminally liable.
As it applies to a FMEA: If the error is at the open block question of "Can you think of..." stage, that is, in my opinion, at the point where it is not reasonably foreseeable, and no criminal charges would likely be filed or likely stick in court. Now if they directly missed on a question directly asked... that, in my opinion, would likely be chargeable.
Hope that helps.
Have a great day,
Edited to add: I'm not claiming to be a perfect FMEA reviewer. Others found issues at times where I did not. That is why a team of different people review FMEAs.