What level of fault tolerance is needed?
Is a software fix sufficient? Is the B737M flight controllers reliable enough for the task?
The software changes to the B737M made the detection of a ’trim runaway’ failure mode much more difficult since it is behavior is changed, and masked by other faults and noises.
It may also have increased the frequency of the trim runaways.
If the original DFMEA/Design Risk Assessment had the conclusion that a ’trim runaway’ is something that is easy for the pilots pilots to handle, then the safety case is limited to providing reliable ’cut-out’ switches (And some training).
If the conclusion in the new DFMEA/Design Risk Assessment is changed since it can’t be expected that the pilots reliable can detect and isolate the fault, then this drive a significant change to the hardware (and software) requirements.
It is not enough to have redundant sensors as the voting between flight controllers can also fail. The actuator and its electronics as well as the network may also fail.To me it seems that the THS control is moving in to the realm of a software controlled primary control surface (since if can overpower the muscle strength of pilots if not isolated fast enough). In essence requiring a FBW like system with full byzantine fault tolerance.
What are the capabilities of the existing THS control system:
-Fail safe by means of lock-step operation?
-Voting between fail-silent replicas with byzantine fault tolerance?