PPRuNe Forums - View Single Post - MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures
Old 4th Jul 2019, 07:39
BDAttitude
Originally Posted by GlobalNav

Problem is, you can test that software well under normal conditions and under discrete non-normal conditions, but you cannot possibly test for every potential software error because there are far too many. So the methodology of Design Assurance is used, to the degree determined by the hazard classification.

This system has twice demonstrated that its malfunction (even with software acting as intended) must be classified as Catastrophic. This means that proper compliance requires DAL A. Question is, what is the current DAL of this software? While coding changes might be proposed and completed with relative simplicity, an upgrade of the DAL requires a complete reaccomplishment of the software development.

Not a trivial task at all, and one I fear the FAA would not choose to impose. Hopefully, other CAA, including EASA, will not be so accommodating. We’ll see. Well maybe they won’t let us see.

That's exactly the point!
The mills of bureaucracy turn slowly but grind fine. I'm confident that the FAA has just changed teams.
After all, the "promotion" of a certain fault's overall effect to hazardous was just a week ago.

There is one small issue in your statement I would like to highlight:

what is the current DAL of this software?
DALs are not only defined for software but also for hardware; the requirements are covered in DO-254.

Originally Posted by HighWind
The Falcon 7X FBW system clearly has the functionality to monitor runaway; it just failed in the case of the HB-JFN loss of control after pitch trim runaway.
Thank you for that link. I have become a fan of the BEA lately. This report is definitely worth a read.

So what we have on the Falcon 7X is a failure that was in the FMEA but whose local effects had been misjudged. A failure of a voltage regulator in the internal power supply led to a runaway ANU trim.
Because the overall hardware and software architecture was designed to DAL-A, it was no problem to fill that gap by adding code that verifies the integrity of the voltage regulator.

What HighWind, who obviously has some professional exposure to functional safety in industrial automation, and I, who had some, albeit little, exposure to functional safety in automotive engineering (I successfully avoided becoming too involved), are questioning:
Originally Posted by HighWind
Looking at the electrical diagram for the electrical trimming, I’m not sure if I can get this approved for anything but SIL1.
Originally Posted by BDAttitude
Could you please have a look if the actuators electronics - which is hardware and software - have been designed to a suitable design assurance level. Which would be DAL-B? DAL-A?
Uncontrolled dive is just a bit-flip away.
Is the overall system architecture of the horizontal stabilizer trim as we see it today anywhere near DAL-A?
I don't think so. Should it be, after the reevaluation of the failure effects of a high-speed electric trim runaway? I think so.

No link to the accidents suggested. To put it in the words of someone who I believe is a technical writer from Boeing: No smoking gun, but a loaded and unlocked gun lying on the table.

We shall see.