back

Boeing 737MAX: Automated Crashes

Underestimating the dangers of designing a protection system

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
01:00:47
Language
English
Abstract
Everybody knows about the Boeing 737 MAX crashes and the type's continued grounding. I will try to give some technical background information on the causes of the crash, technical, sociological and organisational, covering pilot proficiency, botched maintenance, system design and risk assessment, as well as a deeply flawed certification processes.

On the surface of it, the accidents to two aircraft of the same type (Boeing 737 MAX), which eventually led to the suspension of airworthiness of the type, was caused by faulty data from one of the angle-of-attack sensors. This in turn led to automatic nose-down trim movements, which could not be countered effectively by the flight crew. Eventually, in both cases, the aircraft became uncontrollable and entered a steep accelerated dive into terrain, killing all people on board on impact.

In the course of the investigation, a new type of flight assistance system known as the Maneuvering Characteristics Augmentation System (MCAS) came to light. It was intended to bring the flight characteristics of the latest (and fourth) generation of Boeing's best-selling 737 airliner, the "MAX", in line with certification criteria. The issue that the system was designed to address was relatively mild. A little software routine was added to an existing computer to add nose-down trim in situations of higher angles of attack, to counteract the nose-up aerodynamic moment of the new, much larger, and forward-mounted engine nacelles.

Apparently the risk assessment for this system was not commensurate with its possible effects on aircraft behaviour and subsequently a very odd (to a safety engineer's eyes) system design was chosen, using a single non-redundant sensor input to initiate movement of the horizontal stabiliser, the largest and most powerful flight control surface. At extreme deflections, the effects of this flight control surface cannot be overcome by the primary flight controls (elevators) or the manual actuation of the trim system. In consequence, the aircraft enters an accelerated nose-down dive, which further increases the control forces required to overcome its effects.

Finally I will take a look at certification processes where a large part of the work and evaluation is not performed by an independent authority (FAA, EASA, ...) but by the manufacturer, and in many cases is then simply signed off by the certification authority. In a deviation from common practice in the past, EASA has announced that it may not follow the FAA (re-) certification, but will require additional analyses and evidence. China, which was the first country to ground the "MAX", will also not simply adopt the FAA paperwork.

Talk ID
10961
Event:
36c3
Day
3
Room
Ada
Start
6:50 p.m.
Duration
01:00:00
Track
Science
Type of
lecture
Speaker
Bernd Sieker
Talk Slug & media link
36c3-10961-boeing_737max_automated_crashes

Talk & Speaker speed statistics

Very rough underestimation:
145.3 wpm
817.5 spm
100.0% Checking done100.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
0.0% Nothing done yet0.0%
  

Work on this video on Amara!

Talk & Speaker speed statistics with word clouds

Whole talk:
145.3 wpm
817.5 spm
trimaircraftflightboeingcertification737systemenginesfaamcascontroltalkmaxnoseberndtimepilotssoftwareanalysisstabilizercriteriapilotcomputerquestionattackfailureflyanglehoursthingsextremelymajorelectricnumberforcesmovementbitbiggermicrophonedatamicgroundexactlyhourbasicallysensorsafetyversionhighcase