Originally Posted by
GlobalNav
Agreed. This failure mode, whatever it turns out to be, has demonstrated catastrophic consequences, possibly in two cases. The system safety of the type design requires improvement. Training is not an acceptable alternative to safe design. I would be curious to know how a software "enhancement" answers the mail, and I wonder what the design assurance level of the software is.
Design Assurance Level assures that the software is working as designed. Whatever level was used, I strongly suspect that the MCAS software is working exactly as designed.
In my opinion, the design (of MCAS) is broken, but I am not sure the blame sits with whoever designed MCAS but rather with whoever designed the handling of the plane so that MCAS was required (and possibly then failed to spot the issue until very late in development). I suspect whoever designed MCAS was backed into a (coffin) corner constrained by schedule and to use only what hardware was already on the aircraft.