Last week, we went through the core MCAS changes the FAA demanded from Boeing to lift the grounding of the 737 MAX 8 and 9. As the investigation into the MAX crashes deepened, changes were added beyond the core MCAS-related changes.
A single sensor failure, like the Angle of Attack failures for Lion Air JT610 and Ethiopian Airlines ET302, triggered a multitude of failure warnings. These warnings absorbed the crew’s concentration, invalidating FAA certification assumptions on crew reaction times for critical trim failures. As a result, the FAA required additional crew alert and procedure changes for the MAX.
As the FAA and Boeing played through what happened in the MAX crashes in Boeing’s engineering simulators, the cascading alerts triggered by a single faulty Angle of Attack (AoA) sensor stood out.
Several trim-related failures in such an environment relied on the Pilots identifying the trim misbehavior within four seconds. When flight crews from different airlines flew these scenarios, it became clear such assumptions were unrealistic.
The FAA went through Boeing’s System Safety Assessments (SSA) of the complete flight control system and its stabilizer control and demanded a complete SSA of MCAS, including upstream and downstream interfaces. A complete SSA includes Failure Mode Effects Analysis, Functional Hazard Assessment, and Fault Tree Analysis.
All possible failures were analyzed, and no scenarios were allowed that required immediate action by the flight crew. Boeing, therefore, introduced the Flight Control Computer (FCC) Trim Monitor to catch any faulty trim commands, be it for Speed Trim, MCAS, or Autopilot trim.
The Trim Monitor compares the trim commands from the two Flight Control Computers and checks if any difference exists between the computed commands.
If the monitor finds an anomaly, it stops the trim actions and displays SPEED TRIM FAIL. Speed Trim and MCAS stop working, the Autopilot disconnects, and the Flight Directors shut down. The change cleaned up alerts and stopped any dangerous trim actions.
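The cross-channel check described above, sketched as an added example (not Boeing's or the FAA's code). The tolerance, the persistence count, the latching behaviour and the command units are assumptions, since the article gives none of them.

```python
from dataclasses import dataclass, field

# Assumed values for illustration only; the article states no thresholds.
TOLERANCE = 0.05          # largest accepted difference between the two commands
PERSISTENCE_FRAMES = 3    # consecutive disagreeing frames before the monitor trips


@dataclass
class TrimMonitor:
    """Compares the trim commands of two FCC channels and fails to a safe state."""
    tripped: bool = False
    alerts: list = field(default_factory=list)
    disagree_frames: int = 0

    def step(self, cmd_a: float, cmd_b: float) -> float:
        """Return the automatic trim command allowed through for this frame."""
        if self.tripped:
            return 0.0                    # latched (assumption): stays inhibited
        if abs(cmd_a - cmd_b) <= TOLERANCE:
            self.disagree_frames = 0      # channels agree, pass the command on
            return cmd_a
        self.disagree_frames += 1         # channels disagree, hold trim this frame
        if self.disagree_frames >= PERSISTENCE_FRAMES:
            self.tripped = True
            self.alerts.append("SPEED TRIM FAIL")
        return 0.0

    def available(self) -> dict:
        """Functions the article lists as lost once the monitor trips."""
        up = not self.tripped
        return {"speed_trim": up, "mcas": up, "autopilot": up, "flight_directors": up}


# Constructed sample frames: (FCC A command, FCC B command).
FRAMES = [
    (0.10, 0.10),                               # agreement
    (0.10, 0.30),                               # one-frame glitch, no trip
    (0.10, 0.10),                               # agreement again, counter resets
    (0.27, 0.00), (0.27, 0.00), (0.27, 0.00),   # persistent disagreement, trip
    (0.10, 0.10),                               # agreement after trip, still inhibited
]


def run(frames):
    """Feed the frames through a fresh monitor; return it and the passed commands."""
    monitor = TrimMonitor()
    return monitor, [monitor.step(a, b) for a, b in frames]


if __name__ == "__main__":
    mon, passed = run(FRAMES)
    print(passed, mon.alerts, mon.available())
```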
The MCAS and Trim Monitor changes require updates to the Pilots’ Flight Manuals, Checklists, Pilot training, and the content of Type Rating and Recurrent simulator training.
The changes affect the procedures for Unreliable Airspeed, Unreliable Altitude, and Unreliable Angle of Attack, as well as Runaway Stabilizer, inoperative Stabilizer Trim, and failed Speed Trim.
All changes were reviewed by the four Certification Authorities (FAA, EASA, Transport Canada, Brazil’s ANAC) and checked by flight crews from the countries’ airlines. The crews had different backgrounds, experience levels, and proficiency.
The FAA then submitted all changes for public comment. The FAA evaluated each comment to understand if it warranted any further changes to software, hardware, or training.
The final result of all these steps is the basis for the changes to MAX Software, Hardware (a wiring separation change to bring the MAX to current standards), Manuals, and Training. In total, it forms the basis for the lifting of the 737 MAX grounding.
The MAX findings were continuously checked against the 737 NG to see if they should trigger any NG safety changes. As the NG has the steering column trim cut-out switches active at all times, no safety-related changes were necessary (the Pilots stop any mis-trims by just holding against them with the Yoke, an instinctive Pilot action).
But the failure behavior of the NG and MAX and the actions they shall trigger are no longer identical. This is not optimal for airlines operating mixed fleets. Therefore, a change package for the NG is the next step for Boeing to bring the types in sync for Manuals, Checklists, Procedures, and Training. The FAA and Boeing have not told us the time frame for this package or whether there will be any software or hardware changes.