PPRuNe Forums - View Single Post - Ethiopian airliner down in Africa
Old 29th Mar 2019, 10:49
#2723
PiggyBack
 
Join Date: Jan 2013
Location: UK
Age: 63
Posts: 37
Likes: 0
Received 0 Likes on 0 Posts
Originally Posted by Torquelink
From Bjorn Fehrm of Leeham today:

If you have a flight control function which is triggered by a single sensor, it means the likelihood of it being incorrectly activated is there. Then you implement a nonhazardous augmentation function!

This all comes back to a proper hazard/failure analysis and that the analysis needs to include the possibility of all failures including software failures. If safety relies on SW to ensure that the augmentation function is non-hazardous then the risk of that SW failing needs to be controlled appropriately. In this case the MCAS SW even after the fix clearly has a level of at least hazardous and needs to be developed to at least DO-178 - level B. Was/is this the case for MCAS? If it is not then the fix should not be accepted.

It is important that looking at the root cause of this accident the investigation does not stop at the pilots' actions and the poor design of MCAS but is pursued as far back as possible into why the design error occurred, why it was not picked up as a problem in development and why the aircraft was certified despite having a design error which could cause a hazardous situation to arise so easily.
PiggyBack is offline
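The quoted point about a function "triggered by a single sensor" is the core of the hazard argument: one bad input and the augmentation acts. Below is an added illustration, not code from the post, from Leeham, or from any aircraft system, of the difference between a single-sensor trigger and a redundant gate that refuses to engage when two channels are invalid or disagree, so a single failed sensor fails safe instead of commanding an action. Every name, threshold and sample reading here is a constructed assumption for the example.

```python
import math
from dataclasses import dataclass

# Constructed assumptions for the illustration (not real aircraft values).
ACTIVATION_THRESHOLD_DEG = 15.0        # augmentation would act above this
AOA_VALID_RANGE_DEG = (-20.0, 40.0)    # readings outside this are implausible
AOA_DISAGREE_LIMIT_DEG = 5.0           # max tolerated left/right spread


@dataclass(frozen=True)
class GateDecision:
    engaged: bool   # may the augmentation command be issued?
    reason: str     # why not, or "agree" when both channels are good


def single_sensor_trigger(aoa_deg: float) -> bool:
    """The hazardous pattern: trust one channel, no plausibility check.

    A sensor that fails high (stuck, miswired, iced) will drive this to True
    even though the aircraft is nowhere near the condition the function
    was designed for.
    """
    return aoa_deg > ACTIVATION_THRESHOLD_DEG


def _valid(aoa_deg: float) -> bool:
    """Reject NaN and out-of-range values before any comparison."""
    if math.isnan(aoa_deg):
        return False
    lo, hi = AOA_VALID_RANGE_DEG
    return lo <= aoa_deg <= hi


def gate_augmentation(left_aoa_deg: float, right_aoa_deg: float) -> GateDecision:
    """Redundant gate: engage only when BOTH channels are valid AND agree.

    Any single-channel fault (invalid value or disagreement) disables the
    function and returns a reason that a crew-alerting layer could display.
    """
    if not _valid(left_aoa_deg) or not _valid(right_aoa_deg):
        return GateDecision(False, "invalid sensor value; augmentation inhibited")
    if abs(left_aoa_deg - right_aoa_deg) > AOA_DISAGREE_LIMIT_DEG:
        return GateDecision(False, "sensor disagree; augmentation inhibited")
    # Both channels are credible; use the average so one channel alone cannot
    # push the decision across the threshold.
    consensus = (left_aoa_deg + right_aoa_deg) / 2.0
    if consensus > ACTIVATION_THRESHOLD_DEG:
        return GateDecision(True, "agree")
    return GateDecision(False, "agree; below activation threshold")


if __name__ == "__main__":
    # Constructed scenario: the left vane fails high while the right reads normally.
    left, right = 74.5, 12.0
    print("single-sensor design engages:", single_sensor_trigger(left))
    print("redundant gate:", gate_augmentation(left, right))
```

The contrast is deliberate: the single-sensor version cannot tell a genuine high angle of attack from a failed vane, while the gated version treats any one-channel fault as a reason to stand down and say so. A real design would add persistence and rate checks, but the hazard-analysis lesson is already visible here: the safety of the function depends on the software that inhibits it, which is exactly why that software's assurance level matters.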