Monday, October 28, 2019

Flawed Assumptions Pave a Path to Disaster

When MCAS (Maneuvering Characteristics Augmentation System) was implicated after Lion Air JT610 plunged into the sea, tragically taking 189 lives, the spotlights converged on the malfunction of a single Angle of Attack (AoA) vane. My first thoughts were that Boeing had somehow overlooked this scenario or viewed it as inconsequential, based on blind faith that, no matter what, the pilot would remain vigilant and take correct and timely action as the safety backstop. I could not wrap my head around how repeated applications of MCAS did not create unlimited authority in malfunction, which would create a HAZARDOUS hazard.

Boeing had declared MCAS malfunction a MAJOR hazard.

JT610 Final Report
Why wasn't an MCAS malfunction treated as HAZARDOUS, which would have mandated a dual-channel, fail-safe design?

The answer lies in a number of buckets, which overflow well beyond MCAS alone:
  • a desire to justify design rather than direct safety
  • over-use of a convenient test condition restriction
  • blind reliance on unproven pilot response
  • misunderstanding the ramifications from removing an under-appreciated safety interlock
  • ignoring escalation from the combination of persistent hazards
  • incorrectly applying a convenient probabilistic factor to dodge the obvious conclusion
  • overlooking the ramifications from extending Speed Trim to provide Stall Identification