PPRuNe Forums - View Single Post - Boeing 737 Max Software Fixes Due to Lion Air Crash Delayed
Old 2nd May 2019, 12:34
#846
Jetthrust
 
Originally Posted by EEngr
Technically, the MCAS software did not fail. But from an overall systems standpoint, it did. The software people may get off the hook for writing code that ran per the specification. But the spec missed an important failure mode. And was written for the wrong level of system criticality.
Yes EEngr! System criticality is the crux of the issue. You can debate for 4000 posts, if the pilots followed the correct procedure or not, why not, what they could have done, did do, didn’t do etc.

But it should never have been an issue the pilots should have had to deal with, because there should have been more system redundancy.

When MCAS fails, it can be catastrophic, so its software cannot be anything else but level A. The hazard assessment appears to be the mistake that was made: the assumption was pilots would quickly treat it as a runaway stabiliser, and so it would be relatively minor. Hence, it was safe to use one vane. That’s been shown (twice) to be wrong.

So... does anyone know: is the software now level A (DO-178C) or equivalent? Because I can’t see any way it can be anything else, and the original issue needs to be corrected, or another gotcha may exist.

Sorry if it sounds like I’m on a soapbox...
