Originally Posted by
tdracer
No direct knowledge, but I think part of what they are struggling with on the MAX is that the system where MCAS is resident was never designed to be flight critical - I'm guessing it was Design Assurance Level (DAL C) - now since it's understood MCAS is flight critical, they're having to re-certify it as DAL A. That's a big, time consuming deal, and they are finding some unexpected items that have been there all along (without causing problems) but need to be corrected to make it DAL A.
Agree....
The questions is what solution they are aiming for.
1) DAL C'ish solution where the aircraft can be brought under control after a runaway. (e.g. via.a new alternate trim motor)
2) DAL A solution that prevents runaway.
Solution 1 might not require MCAS to be more reliable than it is today (Failure rate DAL C 1E-5 hour)
The questions is what architectural changes are needed to upgrade to DAL A?
Are the FCC A/B hardware up to the spec, or do it need to be upgraded?
The Stabilizer Trim Electrical Actuator can also fail (In Stuck, or runaway mode).
So there need to be two Trim Actuators.
The runaway failure mode in the actuators is just as dangerous as the commands issued from MCAS running in the FCC A/B.
So the runaway detection need to be DAL A also, either by including this in the trim motor controls, or in the FCC's
And the 'relay logic' for manual trim and cutout also need to be changed, or completely removed and have trim stab switches wired to the FCC's instead.