2175301 wrote: As far as I know, the kind of failure that occurred with the 737max MCAS system has never occurred before. Thus, questions related to it were not on the FMEA Forms for that kind of system (I'm sure they will be in the future).
As it applies to a FMEA: if the error is at the open block question of "Can you think of..." stage, that is, in my opinion, at the point where it is not reasonably foreseeable, and no criminal charges would likely be filed or likely stick in court. Now if they directly missed on a question directly asked... that, in my opinion, would likely be chargeable.
Thanks 2175301, great post, fascinating insight into the workings of what has to be one of the strictest-regulated industries.
However I do not agree with your opinion of where the error most likely occurred in the MCAS 1.0 FMEA: in my opinion, the "catastrophic" classification should have stemmed directly from the "known failure modes" section, not from the "open questions" section in the back.
It's true that the kind of MCAS failures that killed 300+ people never occurred before, but that's only because no such design was ever allowed on an airliner. The nearest comparable system is - AFAIK - the MCAS system on KC-767A flying for the Italian Air Force, but it's wired with dual AOA input channels and input sanitation, i.e. it automatically disables itself on an AOA disagree condition (I have no idea about control authority).
In automation design, a single-input, unlimited authority controller with no input sanitation and no sane manual override option is almost guaranteed to fail catastrophically in a single sensor failure scenario (N.B.: in most automation applications, a "catastrophic" failure often only results in damage to equipment, but it's still the most unwanted outcome of operations). With AOA sensors having a none-too-high MTBF, the frequency calculation was straightforward (and grim reality confirmed it, sadly).
If anything, probably the flaw was difficult to identify because it was so fundamental, and none of the questions in the "known failure modes" section were anything like "is your design vulnerable to single-sensor failures and does the controller have unlimited authority and did you neglect to put in place even rudimentary input sanitation filters and did you change the function of the only cut out switch that could have disabled the controller without disabling the actuator?"
Not because any of the failure modes were unknown, but because no one could imagine that a group of professionals could line up this frankly unthinkable combination of basic design criteria violations in a single piece of equipment.
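To make the design contrast in the post above concrete, here is an added example (not code from the post, from Boeing, or from any real flight-control system): a toy pitch-trim style controller in two versions, a single-input, unlimited-authority one and a dual-input one with input sanitation, an automatic cut-out on sensor disagree, bounded authority, and a manual override that stops the controller without touching the actuator. All thresholds (activation angle, 5 degree disagree limit, plausibility window, per-cycle and cumulative command caps) are assumed, constructed values, and the sensor samples are constructed to show a single stuck vane.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed plausibility window for a raw AOA reading, in degrees (constructed value).
AOA_PLAUSIBLE_DEG = (-25.0, 45.0)


@dataclass
class Sample:
    """One control cycle of input: two independent AOA vanes (degrees); None = no data."""
    aoa_left: Optional[float]
    aoa_right: Optional[float]


class NaiveController:
    """Single-input, unlimited-authority design: trusts one vane and never disables itself."""

    def __init__(self, activation_aoa: float = 12.0, cmd_per_cycle: float = 0.5):
        self.activation_aoa = activation_aoa
        self.cmd_per_cycle = cmd_per_cycle

    def step(self, s: Sample, manual_override: bool = False) -> float:
        # The override flag is ignored: nothing short of cutting actuator power stops this loop.
        aoa = s.aoa_left
        if aoa is not None and aoa >= self.activation_aoa:
            return self.cmd_per_cycle
        return 0.0


class GuardedController:
    """Dual-input design: sanitise inputs, disable on disagree, bound authority, honour override."""

    def __init__(self, activation_aoa: float = 12.0, cmd_per_cycle: float = 0.5,
                 max_total_cmd: float = 2.5, disagree_limit_deg: float = 5.0):
        self.activation_aoa = activation_aoa
        self.cmd_per_cycle = cmd_per_cycle
        self.max_total_cmd = max_total_cmd          # cumulative authority cap
        self.disagree_limit_deg = disagree_limit_deg
        self.total_cmd = 0.0
        self.disabled = False
        self.reason: Optional[str] = None

    def _disable(self, reason: str) -> None:
        # Latching cut-out: once disabled, the controller stays off until maintenance resets it.
        self.disabled = True
        self.reason = reason

    def _sanitize(self, s: Sample) -> Optional[float]:
        """Return a validated AOA value, or None (and disable) if the inputs cannot be trusted."""
        lo, hi = AOA_PLAUSIBLE_DEG
        for v in (s.aoa_left, s.aoa_right):
            if v is None:
                self._disable("sensor data missing")
                return None
            if not lo <= v <= hi:
                self._disable("implausible reading")
                return None
        if abs(s.aoa_left - s.aoa_right) > self.disagree_limit_deg:
            self._disable("AOA disagree")
            return None
        return (s.aoa_left + s.aoa_right) / 2.0

    def step(self, s: Sample, manual_override: bool = False) -> float:
        if manual_override:
            self._disable("manual override")
        if self.disabled:
            return 0.0
        aoa = self._sanitize(s)
        if aoa is None or aoa < self.activation_aoa:
            return 0.0
        # Bounded authority: a per-cycle cap and a cumulative cap the controller cannot exceed.
        cmd = min(self.cmd_per_cycle, self.max_total_cmd - self.total_cmd)
        self.total_cmd += cmd
        return cmd


def run(controller, samples: List[Sample], override_at: Optional[int] = None) -> List[float]:
    """Feed samples through a controller; optionally assert manual override at one cycle index."""
    return [controller.step(s, manual_override=(i == override_at))
            for i, s in enumerate(samples)]


if __name__ == "__main__":
    # Constructed scenario: left vane stuck high at 30 degrees, right vane reading a normal 3.
    stuck = [Sample(30.0, 3.0)] * 4
    print("naive  :", run(NaiveController(), stuck))        # keeps commanding every cycle
    g = GuardedController()
    print("guarded:", run(g, stuck), "->", g.reason)         # disables on first disagree
```

The point the post makes shows up in the two output lines: with one vane stuck, the naive loop commands trim every cycle for as long as it runs, while the guarded version issues nothing and latches off with a recorded reason, so the failure is both contained and observable. The cumulative cap also means that even with two healthy vanes agreeing on a high angle the guarded controller runs out of authority after five cycles.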