- Understated the power of the new flight control system, which was designed to swivel the horizontal tail to push the nose of the plane down to avert a stall. When the planes later entered service, MCAS was capable of moving the tail more than four times farther than was stated in the initial safety analysis document.
- Failed to account for how the system could reset itself each time a pilot responded, thereby missing the potential impact of the system repeatedly pushing the airplane’s nose downward.
- Assessed a failure of the system as one level below “catastrophic.” But even that “hazardous” danger level should have precluded activation of the system based on input from a single sensor — and yet that’s how it was designed.
Gates has chosen not to stray far beyond the information he was able to source from contacts in the FAA. But for those wondering how ready airlines and foreign regulators will be to accept a new Boeing-designed FAA-certified fix, and the extent of any legal exposure, there are some big takeaways:
- Plainly there are several engineers/technical experts currently or previously in the FAA who were directly involved in the MAX certification and strongly disagreed with aspects of the MAX certification process and some of the technical judgments that were made. If Gates’s report is any guide there will be FAA technical experts ready to testify to investigators that the MAX process, at least as it relates to MCAS, departed from good practice in important ways.
- There is a particular concern that FAA managers, under pressure from Boeing to accelerate the certification process for commercial reasons, cut corners on the technical assessment work, in some cases delegating assessment to Boeing engineers to an extent the FAA technical experts felt was inappropriate.
- Late changes were made to the MCAS software in response to findings during flight testing. The original Boeing safety analysis said that MCAS would be able to trim the stabiliser up a maximum of 0.6º (out of a physical maximum of 5º up). It came as news to Gates’s sources that the limit had been increased to 2.5º in the final MCAS configuration. The higher limit meant that “each time MCAS was triggered, it caused a much greater movement of the tail than was specified in that original safety analysis document”. It is not clear whether the higher limit was recorded in the final version of the safety analysis document.
- Both the FAA engineers and foreign regulators who received the safety analysis believed the aircraft was designed to the 0.6º limit. The change appears not to have been communicated to all those who could reasonably have expected to be advised.
- The original safety analysis, with the 0.6º trim limit, treated an MCAS failure as a “major failure” - rather than a more critical “hazardous failure” or “catastrophic failure”. This lower categorisation of the risks associated with MCAS failure appears to have allowed MCAS to be configured with a reliance on a single sensor rather than requiring sensor redundancy.
There is much more in the article. Gates says Boeing and FAA were given an opportunity to comment on key points 11 days ago – before the Ethiopian crash – but chose not to respond substantively.
One obvious question will be the extent to which the shortcuts and other flaws in the certification process in response to commercial pressures might have increased Boeing and FAA’s legal exposure. (From a legal point of view, can anyone help us understand at what point the natural interest of an OEM in seeking an expeditious certification process crosses a line and incurs legal hazard?)
Looks as if we can also now infer that non-US authorities who moved to ground the MAX before the FAA might have had good reason to question the integrity of the information they had originally been given by Boeing and FAA on the basis for the MAX’s certification. If they were still working off the original Boeing safety analysis, the new information Boeing provided after the Lion Air crash would have been disconcerting, to say the least. It is not hard in these circumstances to see why they might have been ready to ground the aircraft without waiting for the FAA. And it is easy to imagine that they might be reluctant to accept Boeing/FAA certification of a new fix without doing their own assessment.