
Citation? Nothing in FAR 25 permits a computer system to make airworthy an unairworthy airplane design.


Equivalent safety exception.

It's the blanket exception that makes most fly-by-wire controlled aircraft airworthy. The problem here, of course, is that you never had enough scrutiny paid to the fly-by-wire implementation to make sure that under no circumstances can the system fail non-operational.

This was the subject of much controversy back in the '60s when the 727 was being certified. It required additional workarounds (implementation of a stick pusher) to be certified airworthy in U.K. airspace.

That certification went through despite the protest of test pilots at the time that certifying an airframe with a widget to "plaster over" non-compliant behavior would simply start a slippery slope of normalization of deviance, whereby engineers would over time be able to certify less "passively" airworthy frames. Those pilots were absolutely correct; by definition that is exactly what most fly-by-wire aircraft are: airframes that are only rendered airworthy with the addition of computer logic.

See the Royal Aeronautics Society D.P. Davies Interview.

Should be in this one. The 727 section starts at 51:00

Equivalent level of Safety discussion starts at 1:01:00

[1] https://www.aerosociety.com/news/audio-the-d-p-davies-interv...

Highly recommend listening to all four episodes just because. It's informative, and for me was rather illuminating in terms of the constant conflict between aerodynamicists, who leverage every trick possible to deliver more efficient designs, and pilots, who want to ensure that planes don't become so complex to fly that they can't be reasonably saved even when things go wrong.

While history forces us to accept the validity of the approach (no one reasonably wants to kill Airbus), it is obvious there are ways that poorly implemented/communicated fly-by-wire piloting aids render an aircraft less safe. The MAX has illustrated one of these corner cases.

Furthermore, just read the article. They lay it out plain as day. The test pilots knew that the MAX's compliance and certifiability couldn't go forward in its current configuration without being brought back into compliance with MCAS.

Despite that, testing to ensure this linchpin system would not hit any edge case behavior with catastrophic results wasn't done, despite the fact that any reasonable engineer should have realized it was necessary. Give me a bit to drill through and I'll try to find the exact line this "equivalent safety exception" maps to. I'm not sure I'll find it, because from the way Davies talks about it, it strikes me as one of those possibly "unwritten" corollaries that tends to live beside anything codified. My main point, though, is that this cavalier behavior with regard to airworthiness isn't unprecedented, and has been called out before. I fully accept it was different people working there then, but time and again I find that echoes of an organization's risk management culture tend to survive the changing of the guard without active attempts to remedy it.


I don't accept that fly-by-wire airplanes are not FAR 25 airworthy in direct law, where zero safeguards are in place. Those planes still have all the aerodynamic stability requirements in all three axes. Control surfaces move consistently with pilot stick input. You can't say the airplane is only airworthy when these safeguards are in place, and that as soon as you're in some alternate law the airplane is flying illegally (unairworthy).

Otherwise, every time such an airplane departs normal law, it should be reported (by the plane's computer and pilots) that the flight became unairworthy in-flight. It became an illegal and unsafe flight. How do the mandatory incident reporting requirements get ignored in this case? Or maybe they aren't ignored by the aviation community, and it merely goes unreported to the public just how often airplanes depart normal law and are illegal flights? That'd be incredible, if it were true.

However, I think what we have in the case of the 737 MAX is altogether different from fly-by-wire. It's not clear to me from available reporting if the airplane, minus MCAS, did conform to FAR 25.173, all of it. If MCAS is required for the plane to conform to this section, and it either fails or is disabled, the pilots need to know the natural behavior of the airplane. They need to know they're in some equivalent of "direct law" (a term used in fly-by-wire, which the 737 is not) and the different flight behavior in place. And yet they didn't know; we now know they were intentionally not informed or trained.

So we have a case where something, MCAS, is so important that it's required for airworthiness, but has no redundancy and totally insufficient self-testing to know if it's spewing bogus data; and yet failure is not likely enough and/or not likely a big enough deal that pilots need any differences training for it? Yeah, I don't buy that shit, and some heads absolutely need to roll for that, but at this point I have zero confidence they will. At least, not the correct heads will roll.


>I don't accept that fly-by-wire airplanes are not FAR 25 airworthy in direct law, where zero safeguards are in place. Those planes still have all the aerodynamic stability requirements in all three axes. Control surfaces move consistently with pilot stick input. You can't say the airplane is only airworthy when these safeguards are in place, and that as soon as you're in some alternate law the airplane is flying illegally (unairworthy).

I absolutely hope that all fly-by-wire aircraft meet minimum airworthiness standards in their minimum automation state. And I will admit my use of "fly-by-wire" is specifically constrained to the more general concept of a computer-stabilized airframe rather than the more common assumption of it being associated with Airbus' particular implementation of fly-by-wire (i.e., Airbus control laws). The point I hope we can both agree on is that if you have an uncertifiable behavior corrected by an automation routine in a flight computer, the criterion of certifiability to be met is that the airworthy aircraft is airframe plus automation, not airframe without automation.

In that sense, there absolutely must be either sufficient redundancy to ensure that a pilot can land before the automation that airworthiness depends on fails, or there must be enough training that, should the automation fail, pilots are prepared to safely recover and land the plane. Neither of those is the case with the MAX.

>Otherwise, every time such an airplane departs normal law, it should be reported (by the plane's computer and pilots) that the flight became unairworthy in-flight. It became an illegal and unsafe flight. How do the mandatory incident reporting requirements get ignored in this case? Or maybe they aren't ignored by the aviation community, and it merely goes unreported to the public just how often airplanes depart normal law and are illegal flights? That'd be incredible, if it were true.

Dealing with the issue you describe here is/was a big part of the difference in philosophy between Airbus/Boeing.

With Airbus, they build the plane from the ground up with some degree of minimal automation in mind. These systems are designed to fail operational, and with gradual decay of automated functionality in mind. I.e., the automation does as much as it can with the information it has available. Once inputs start disappearing, increased reliance on the pilot to replace the envelope protection software starts. An Airbus, to my current level of awareness, will never suffer an automation casualty that renders the frame unairworthy, and any such casualty that happens in flight and turns out to be recoverable (in the sense of not resulting in an impact crater) should be handled as an in-flight emergency.

With the MAX, though, MCAS being disabled means that the aircraft no longer complies in terms of consistent stick force response curves in all requisite flight regimes. No matter how loudly Boeing protests it should never happen in normal flight, the rules are the rules. If it can't do a wind-up turn and maintain consistent stick force response curves, it shouldn't be flying as a civil transport aircraft. I.e., an MCAS casualty should be considered an in-flight emergency.

This means, if you propagate through the fault tree, that an AoA sensor malfunction/disagreement means a MAX should not be in the air as a civil transport. This is especially problematic because, unless you were Airbus, AoA sensors have hitherto rarely if ever been considered safety-critical devices. So it would not be immediately intuitive to a pilot that a malfunction of an AoA sensor would potentially lead to a reasonable risk of catastrophic loss of the aircraft, and at the hands of an undocumented and hidden automation system doubly so.

>It's not clear to me from available reporting if the airplane, minus MCAS, did conform to FAR 25.173

It did not. It failed to comply in terms of stick force response curves. That was why MCAS was created in the first place. To patch that non-compliance.

>So we have a case where something, MCAS, is so important that it's required for airworthiness, but has no redundancy and totally insufficient self-testing to know if it's spewing bogus data; and yet failure is not likely enough and/or not likely a big enough deal that pilots need any differences training for it? Yeah, I don't buy that shit, and some heads absolutely need to roll for that, but at this point I have zero confidence they will. At least, not the correct heads will roll.

Got it in one. The reason behind not training pilots or making this system's importance clear to the FAA was that Boeing would then be liable for $1,000,000 per aircraft sold to Southwest if the pilots were required to undergo simulator training.
