Originally Posted by
bimmerdriver
The role of the FCS is to make an aircraft flyable through the entire flight envelope, where aerodynamic forces change dramatically depending on speed, AoA, altitude, load, etc. There is nothing unusual or special about the MAX. The differences between the NG and the MAX are not unusually different or special than the differences between the A32X and the neo. They both rely upon the FCS to make them flyable according to the philosophies of their respective makers.
You & I have debated this issue in the past, so against my better judgment I'll give it one last shot. Yes, I'm including references for you.
You consistently understate the significant difference in the role that the FCS has in the 737 family, and the much more significant role that it plays in fly by wire aircraft such as the 777, 787, and the 3xx Airbus family.
In the FBW cases (B777, B787, A3xx), you are correct that the FCS is required in all normal situations. As a result, the entire system (hardware and software) is designated as safety critical. ref:
https://www.researchgate.net/publica...ontrols_system
In contrast, all (previous) versions of the 737 had "classical" control systems. There were either physical cables from the cockpit to the control surfaces, or electrical or hydraulic equivalents. No computer is involved in the movement of the flight surfaces. That's why the FAA didn't treat the 737 MAX FCS as a safety critical system. ref:
https://www.wsj.com/articles/faa-saw...sk-11557831723
You seem to like Bjorn, so you should read his series on flight control systems:
https://leehamnews.com/2019/07/26/bj...ectrical-wire/
Different to the A320, the 737 flight control system is architected so the aircraft can be flown and landed without functioning hydraulics. Hence its hydraulic system can function with a three circuit system with principally the same architecture but without the RAT pump.
Similar to the hydraulic system, the A320 electrical system has a higher redundancy level than the 737 to guarantee an uninterrupted supply of power to the FBW system. It has five levels of redundancy, whereas the 737 is fine with four levels.
For a mechanical system controlling hydraulic valves which in turn pressures actuators moving the surfaces, the highest risk for malfunction is mechanics which can jam (wires/links going bust from wear is not likely with the maintenance of modern jets) and hydraulic leaks.
The 737 mechanical pitch system is, therefore, divided into two complete systems; a left and a right system, Figure 1. These are linked below the feet of the pilots by a torque tube with a break-out clutch.
As described last week the feedback type FBW of the A320 has full authority for the pitch channel. Hence we must have a fault-proof redundancy concept, both for the control system and the infrastructure serving it. Figure 2 shows the redundant concept of the A320 FBW pitch channel.
The pitch channel has two Elevator Aileron Computers (ELACs) with their inputs and sensors which are backed up by two Spoilers Elevator Computers (SECs) with their set of inputs and sensors. In total, the pitch channel has four channels with separate computers which forms the redundancy concept.
The whole problem, from the outset, is that the 737 was never designed as a FBW system, and so the entire FCS infrastructure (hardware and software) was never build with the required levels of safety, testing, and redundancy. That doesn't mean it couldn't be done. It just means that it
wasn't done in the 737 family - because it wasn't necessary to do so.
And then along came the MAX, with the MCAS - a system that all of a sudden granted full control over a critical flight control surface, to a computer. Specifically, to a computer that was never designed nor tested as a safety critical system.
Of course it's possible to turn the MCAS into a safety critical system (and I believe that's what Boeing are now attempting to do). But that change will require far more than software changes - it will require hardware changes (for example, leveraging two computers in parallel, ref:
https://fortune.com/2019/08/02/boein...trol-computer/), and it will require a ton of additional testing and certfication.
For you to gloss over those facts is disingenuous at best.