PPRuNe Forums - View Single Post - MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures
Old 3rd Aug 2019, 04:06
#1716
GlobalNav
 
Join Date: Aug 2013
Location: Washington.
Age: 74
Posts: 1,077
Received 151 Likes on 53 Posts
Originally Posted by Mad (Flt) Scientist
I think some people are overestimating the difficulty of a software design change.

Having been part of a significant software redesign of a flight control system for a part 25 aircraft, which addressed a multitude of failure cases (including some we found in the course of the redesign and the associated design reviews) and which included some fundamental architectural changes, easily of greater scope than going from flip-flop alternating single input to dual inputs, and which took us from incident, through grounding, return to test flight, (re)certification and EIS inside a 12 month period, with frankly an order of magnitude less resources than Boeing can put on this task, I have to say that the timescales are more than achievable.

What appears (from the outside) to be delaying a return to flight status isn't the complexity of the task, frankly. It's FAA now going into complete CYA mode and every other decision during the MAX certification being dragged out and placed under a microscope. With the people looking through the microscope (who are not just the FAA, or even industry authorities, but every politician or journo sensing a news opportunity) sometimes having little conception of how the delegated/overseen certification process is supposed to work. (And has worked well for years)
From the standpoint of software functionality, I would not strongly disagree. But considering how this aspect of the airplane was certified, I can hardly imagine the certified software has the appropriate Design Assurance Level. I say this because the entire design of the system (including interfaces) demonstrates an underestimation of the hazard classification of malfunctions, particularly an invalid AoA input. Single AoA input with no comparisons with other sensors to validate the integrity of the input implies a low hazard classification - Minor or (less likely) Major, but certainly not Catastrophic as history has established. To bring the software up to DAL A from what was likely no more than C is NOT a trivial matter and amounts to starting from scratch to meet all the certification requirements.

Of course, considering the certification processes of the last several years, it would not surprise me if a way to avoid this complication by some sort of justification will be attempted by Boeing, in concert with FAA. The attention now given to this by other national/multi-national aviation authorities may prevent the FAA management from allowing such a shortcut, if indeed the FAA was tempted to try it.
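As an added illustration of the cross-comparison GlobalNav says the single-input design lacked (example code written for this edit, not from the post, the thread, or any manufacturer's flight control software): a two-channel AoA input monitor in C. Both channels must be valid and must agree before a consuming function is allowed to act; a lone channel is never trusted, a brief miscompare is filtered, and a persistent miscompare latches a fault that inhibits the consumer until reset. The threshold, persistence count, type names and function names are all assumptions chosen for the example.

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not from the post or any real aircraft system: a two-channel
 * angle-of-attack (AoA) input monitor. Threshold and persistence values are
 * assumed for illustration only. */

typedef struct {
    double value_deg;  /* AoA reported by this channel's vane */
    bool   valid;      /* channel's own validity flag */
} AoaInput;

typedef enum {
    AOA_OK = 0,        /* both channels valid and in agreement: output usable */
    AOA_SINGLE_VALID,  /* only one channel valid: cannot cross-check, no output */
    AOA_NONE_VALID,    /* no valid channel */
    AOA_DISAGREE       /* channels miscompare, or a miscompare fault is latched */
} AoaStatus;

#define AOA_MISCOMPARE_DEG  5.0  /* assumed miscompare threshold */
#define AOA_PERSIST_CYCLES  3    /* assumed consecutive cycles before latching */

typedef struct {
    int  disagree_count;  /* consecutive miscompare cycles seen so far */
    bool latched;         /* once set, stays set until a maintenance reset */
} AoaMonitor;

/* One frame of the monitor. Writes a validated AoA to *out_deg only when the
 * result is AOA_OK; for every other status *out_deg is left untouched. */
AoaStatus aoa_monitor_step(AoaMonitor *m, AoaInput a, AoaInput b, double *out_deg)
{
    if (m->latched) {
        return AOA_DISAGREE;
    }
    if (!a.valid && !b.valid) {
        return AOA_NONE_VALID;
    }
    if (!a.valid || !b.valid) {
        /* A lone channel cannot be cross-checked, so it is not trusted. */
        return AOA_SINGLE_VALID;
    }
    if (fabs(a.value_deg - b.value_deg) > AOA_MISCOMPARE_DEG) {
        if (++m->disagree_count >= AOA_PERSIST_CYCLES) {
            m->latched = true;   /* persistent miscompare: latch the fault */
        }
        return AOA_DISAGREE;
    }
    m->disagree_count = 0;       /* transient disagreement has cleared */
    *out_deg = 0.5 * (a.value_deg + b.value_deg);
    return AOA_OK;
}

/* The consumer (e.g. an automatic trim command) may run only on validated
 * input; any other status inhibits it. */
bool aoa_consumer_enabled(AoaStatus s)
{
    return s == AOA_OK;
}

/* Constructed scenario: two healthy channels in agreement. Returns the
 * validated value, or NAN if the monitor did not produce one. */
double demo_agreement_value(void)
{
    AoaMonitor m = {0, false};
    double out = NAN;
    aoa_monitor_step(&m, (AoaInput){10.0, true}, (AoaInput){10.5, true}, &out);
    return out;
}

/* Constructed scenario: channel A's vane jams at 70 deg while B reads normally,
 * then A "recovers". The latched fault keeps the consumer inhibited. */
AoaStatus demo_stuck_vane_latches(void)
{
    AoaMonitor m = {0, false};
    double out = 0.0;
    for (int i = 0; i < AOA_PERSIST_CYCLES; i++) {
        aoa_monitor_step(&m, (AoaInput){70.0, true}, (AoaInput){8.0, true}, &out);
    }
    /* channels now agree again, but the fault is already latched */
    return aoa_monitor_step(&m, (AoaInput){8.0, true}, (AoaInput){8.1, true}, &out);
}

/* Constructed scenario: a two-cycle noise spike is shorter than the
 * persistence filter, so the monitor returns to AOA_OK without latching. */
AoaStatus demo_transient_spike_clears(void)
{
    AoaMonitor m = {0, false};
    double out = 0.0;
    aoa_monitor_step(&m, (AoaInput){20.0, true}, (AoaInput){8.0, true}, &out);
    aoa_monitor_step(&m, (AoaInput){20.0, true}, (AoaInput){8.0, true}, &out);
    return aoa_monitor_step(&m, (AoaInput){8.0, true}, (AoaInput){8.2, true}, &out);
}

int main(void)
{
    printf("agreement: aoa=%.2f\n", demo_agreement_value());
    AoaStatus s = demo_stuck_vane_latches();
    printf("stuck vane: status=%d consumer_enabled=%d\n", s, aoa_consumer_enabled(s));
    s = demo_transient_spike_clears();
    printf("transient: status=%d consumer_enabled=%d\n", s, aoa_consumer_enabled(s));
    return 0;
}
```

The persistence filter keeps a momentary sensor glitch from tripping the monitor, while latching means that once the two channels have persistently disagreed the consuming function stays inhibited even if the readings later converge, since the monitor has no way to know which channel was the bad one. Either property would be unavailable to a design that reads a single vane with nothing to compare it against.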