The associated safety assessments (FHA, SSA) failed to properly identify MCAS run-away risk (classifying it as MAJOR rather than HAZARDOUS), and did not take into consideration the stacked effects of three MAJOR events happening at the same time, which resulted in CATASTROPHIC events.
It's kind of interesting to me that even something considered to be MAJOR didn't get sufficient scrutiny.
Patrick Ky's interview said that MCAS was not scrutinized because it was not flagged as safety related, isn't flagging it as MAJOR enough to gain the regulator's scrutiny?
It seems a lot of focus is on these classifications rather than the more basic engineering screw up, which was relying on input from one sensor known not to have high reliability.
You would think that scenario would have needed testing coverage regardless of classification as MAJOR vs HAZARDOUS vs CATASTROPHIC.
My mind goes back to one ST article where an unnamed Boeing engineer was asked about the classification and he said "You have to show your answer, you don't have to show your work". It seems they should have to show their work as well, no?
I have bolded your last statement; and do not believe "showing your work" on the final forms would result in a better review of a component or system.
I have several times described the process in the various threads. I refer to the form as Failure Modes & Effect Analysis (FMEA); although other names can be used. Boeing certification management and the FAA review these forms, not the work that went into them.
My personal experience is that for each component or system the FMEA Forms are typically in the range of 20-30 pages; and have a long list of questions to be answered regarding very specific known or speculated failures. Can it occur (Y/N)? If it occurs, what is its significance and probability? This leads to a classification of the significance for that failure mode.
There is always an open ended question of can you conceive of any other failure mode that could occur with this system not identified above. If so, identify it and classify it (and it will be added to the next revision of the form).
At the end - the final classification of the component or system is driven by all the answers above (most significant of the above answers).
To provide a fully written answer and justification on each answer for those 20-30 pages of questions would likely blow the form to hundreds and perhaps thousands of pages; which then become too much for reviewers to effectively review.
What is done, is that the Draft form is provided to a team of other knowledgeable engineers and perhaps maintenance & operators (pilots) for them to review each answer and the resulting classifications. These people can (and do) question any answer that does not make obvious sense, and it's to these people that the person who drafted the form has to provide the work behind that question. My experience is that in about 25% of these cases the work behind the answer gets reworked and improved, and it's not uncommon for the answer to that question to change (the other 75% is just a situation where the reviewers need to know the reasoning behind the answer - and they accept it once they hear it).
It also happens that the team decides to re-engineer how something is done to lower a classification rating in one area; and a revised FMEA is then submitted for review once the redesign is completed.
There has to be a consensus of the vast majority of the review team on every answer for the form to move to its Final and be submitted to the Regulator (FAA in this case). I would estimate that a new aircraft has at least 1000 such FMEA's for all the various components and systems; and the FAA gets 20-30,000 pages of FMEA forms within the current usage (multiplying this by at least a factor of 10 to provide all the answers in my opinion is not going to provide an increase in overall review quality).
So the work is shown as part of the normal process, where relevant, to the review team. It is not generally shown to the Upper Management and the Regulator - unless the Upper Management or the Regulator questions the reason behind the answers on a specific question (in which case the work will be provided for that answer).
I've maintained from early on that the key issue here was a failure to properly classify at the FMEA stage. All other major actions and decisions essentially follow from that improper classification.
Also, my personal experience working with FMEA forms is that they are not easy to do - and take a lot of thought. Often many of the answers are based on "Engineering Judgment" as you cannot actually calculate a direct answer. But, again - you must get the review team to agree on that "judgment" call.
I've never seen anyone intentionally mis-classify anything. As a Root Cause Investigator I have seen cases where the classification process got it wrong.
From what I have read from the various reports issued (NTSB, JATR, etc.) I have not seen anything that suggests that within the procedures at the time this was anything other than a misclassification, combined with some miscommunication on who in the FAA knew and when (did the right people know at the right time).
I am glad to see that Boeing at least considered a failure of the MCAS system that would result in multiple repeated actuations. It turns out a key assumption on Pilot response time was wrong (3-4 second response time appears to have been an industry standard, Pilot workload appears to have not been properly assessed - again this appears to be an industry issue); and now the industry and various countries will work together to come up with new standards. That is how the industry gets better.
I do not believe that the DOJ will find any criminal actions; or even any intent to cut corners on safety (they were intending to comply with the legal and industry standards for such a project).
The independent reports do indicate that a modernization/upgrade of the procedures needs to occur for future aircraft and modifications as well, to raise the standards over what existed during the 737Max certification period; which will increase overall aviation safety. Some of that is being done now by Boeing and the FAA. Other portions will require a change in Federal Law by Congress and the President of the United States. Some of this will be from the coordination of the various national regulatory agencies to come up with modern unified standards - and I'm sure that they have started to work on it (formation of appropriate international committees, etc.).
Back to my point: No. I do not think showing all the work on the FMEA Forms (or whatever other name is used) will add any real value or increase safety. In fact, I think it would overwhelm the reviewers to consider it which would lead to a less thorough review. They already have the ability to question any answer on those forms that does not make sense, and then see the work behind that answer.
Have a great day,
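As an added illustration of the two points the thread turns on (the final form classification being the most severe of the individual answers, and "stacked effects" of several MAJOR failures that share one cause not being captured when each is classified on its own), here is a small Python model of an FMEA/FHA worksheet. This is example code written for this page, not Boeing's, the FAA's or any poster's form. The severity ladder and the per-flight-hour probability objectives (MAJOR at most 1e-5, HAZARDOUS at most 1e-7, CATASTROPHIC at most 1e-9) are the standard ones from FAA AC 25.1309-1A / SAE ARP4761; the failure modes, their probabilities and the cause identifier `"sensor_1"` are constructed and carry no 737 MAX data.

```python
"""Toy FMEA/FHA worksheet model (constructed example, not a real form).

Severity ladder and per-flight-hour probability objectives follow
FAA AC 25.1309-1A / SAE ARP4761. Everything else is made up for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

SEVERITY_ORDER = ["NO_EFFECT", "MINOR", "MAJOR", "HAZARDOUS", "CATASTROPHIC"]

# Maximum acceptable probability per flight hour for each severity class.
# MINOR and NO_EFFECT carry no quantitative objective (probable events are acceptable).
PROB_OBJECTIVE = {
    "NO_EFFECT": 1.0,
    "MINOR": 1.0,
    "MAJOR": 1e-5,          # "remote"
    "HAZARDOUS": 1e-7,      # "extremely remote"
    "CATASTROPHIC": 1e-9,   # "extremely improbable"
}


@dataclass(frozen=True)
class FailureMode:
    name: str
    severity: str                 # worst credible effect, one of SEVERITY_ORDER
    prob_per_fh: float            # estimated probability per flight hour
    causes: FrozenSet[str]        # hypothetical cause identifiers (constructed)


def more_severe(a: str, b: str) -> str:
    """Return the more severe of two classifications."""
    return a if SEVERITY_ORDER.index(a) >= SEVERITY_ORDER.index(b) else b


def worksheet_classification(modes: List[FailureMode]) -> str:
    """Final classification of the component: the most severe individual answer,
    which is how the thread describes the form being rolled up."""
    result = "NO_EFFECT"
    for m in modes:
        result = more_severe(result, m.severity)
    return result


def meets_objective(m: FailureMode) -> bool:
    """Does the estimated probability satisfy the objective for its severity class?"""
    return m.prob_per_fh <= PROB_OBJECTIVE[m.severity]


def combined_condition(modes: List[FailureMode], combined_severity: str) -> Tuple[FailureMode, bool]:
    """Assess several failure modes occurring together as ONE failure condition.

    If the modes share a cause, they are not independent: the combined probability
    is driven by the shared cause path (approximated here as the largest individual
    probability; a real analysis would take it from the fault tree), not the product.
    Returns the combined mode and whether independence was assumed.
    """
    shared = frozenset.intersection(*(m.causes for m in modes))
    if shared:
        prob = max(m.prob_per_fh for m in modes)
        independent = False
    else:
        prob = 1.0
        for m in modes:
            prob *= m.prob_per_fh
        independent = True
    return FailureMode(" + ".join(m.name for m in modes), combined_severity, prob, shared), independent


# Constructed sample: three effects, each acceptable as MAJOR on its own,
# all traceable to the same single input ("sensor_1" is a made-up identifier).
SAMPLE_MODES = [
    FailureMode("effect A (constructed)", "MAJOR", 5e-6, frozenset({"sensor_1"})),
    FailureMode("effect B (constructed)", "MAJOR", 5e-6, frozenset({"sensor_1"})),
    FailureMode("effect C (constructed)", "MAJOR", 5e-6, frozenset({"sensor_1"})),
]

# Same effects, but with independent causes, for contrast.
INDEPENDENT_MODES = [
    FailureMode("effect A (constructed)", "MAJOR", 5e-6, frozenset({"cause_a"})),
    FailureMode("effect B (constructed)", "MAJOR", 5e-6, frozenset({"cause_b"})),
    FailureMode("effect C (constructed)", "MAJOR", 5e-6, frozenset({"cause_c"})),
]


if __name__ == "__main__":
    print("per-mode classification:", worksheet_classification(SAMPLE_MODES))
    print("each mode meets its objective:", all(meets_objective(m) for m in SAMPLE_MODES))
    stacked, indep = combined_condition(SAMPLE_MODES, "CATASTROPHIC")
    print(f"stacked (shared cause): p={stacked.prob_per_fh:.1e}, independent={indep}, "
          f"meets CATASTROPHIC objective={meets_objective(stacked)}")
    stacked2, indep2 = combined_condition(INDEPENDENT_MODES, "CATASTROPHIC")
    print(f"stacked (independent):  p={stacked2.prob_per_fh:.2e}, independent={indep2}, "
          f"meets CATASTROPHIC objective={meets_objective(stacked2)}")
```

Run stand-alone, the per-mode roll-up reports MAJOR and every individual answer passes its objective. Only when the three effects are written down as one combined failure condition does the worksheet expose the difference: with independent causes the product of probabilities comfortably satisfies the CATASTROPHIC objective, while with a shared cause the combined probability stays at the single-cause level and fails it. That is the gap a reviewer asking "can you conceive of any other failure mode not identified above" is meant to catch.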