VicMel

Boeing first needs to get over the first high hurdle of gaining confidence in MCAS. As a former aviation safety assessor, I find it incredulous that even if Boeing had decided the MCAS software was only DO-183C Level C (when the evidence now shows it should have been Level A), there was still no-one in their organisation (from QA to coders) who pointed out having software directly control the stabiliser based on the use of only one sensor is a very bad idea! Perhaps someone did and they were told (in no uncertain terms), ‘the pilot will cope’. Perhaps ‘someone’ suggested it might be a good idea if MCAS was disabled when GPWS was active or altitude was less than, say 500 feet, but was ignored. I have little confidence in the robustness of the MCAS software to the extent that I think it could now be a ‘prime suspect’. The probability of the same hardware failing on three different flights, especially as on JT043 no fault was found, seems to me unlikely. The MCAS software might not have been thoroughly scrutinised and tested for possible software self corruption, overflows, processor overload, never ending loops, interrupts clashing etc, etc. It could be that a large value of AoA caused a value overflow in the software leading to arbitrary behaviour of the MCAS. However, whatever the root cause of the failure turns out to be, the problem still remains that a non Level A software package can control the stabiliser. Regardless of whatever patch(s) are introduced, at some time in the future there is an unacceptable probability that a bug could emerge causing the MCAS to continually demand a ‘nose down’.