PPRuNe Forums - View Single Post - MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures
Old 2nd Sep 2019, 09:15
#2125
PiggyBack
 
Join Date: Jan 2013
Location: UK
Age: 63
Posts: 37
Originally Posted by Notanatp
I have no information about what process Boeing actually followed for the design and verification of MCAS, either initially or as it evolved to encompass a second requirement (i.e., low speed maneuvering). I don't know what kinds of specs were written, what kinds of reviews were held and what kind of testing was performed. But whatever process they followed, coding input validation and output constraints would have cost no additional money. Someone would have just had to think of it and do something reasonable. The more formal the process, the more likely this was to happen. But even with no formal process, it is really difficult to understand why the people who implemented MCAS didn't think of any of this.
I think it is a mistake to focus on the software and software development process. Certainly it would be sensible for there to be input validation/plausibility checks, and these may or may not be present, but the big issue was in the system design. It is quite clear that at a system design level this function and the software associated with it were not assessed as having a high safety impact. Everything flowed from this: a single sensor, single channel system vulnerable to a single failure in a whole range of areas, including the software design and implementation.

I don't see the solution as being primarily software either, although software will certainly be involved. The best solution would be an intrinsic one: remove the need for the system to be present at all. This isn't going to happen. The next best solution is one which cannot fail unsafely due to a single failure. Various ways seem possible to achieve that, but they are not purely software and they will take time to develop, verify and certify.
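An added illustration of the distinction drawn in this post (example code written for this page, not from the thread, Boeing or any real flight control system): a single-channel plausibility check alone cannot distinguish a wrong-but-in-range sensor from a good one, whereas a cross-compared two-sensor design inhibits the function on disagreement. All limits and the command model are constructed placeholders, not real MCAS values.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed placeholder limits for illustration only, not real 737 values. */
#define AOA_MIN_DEG      -20.0f  /* physically plausible range */
#define AOA_MAX_DEG       30.0f
#define AOA_MAX_RATE_DEG  10.0f  /* max change between samples */
#define AOA_ACTIVATE_DEG  15.0f  /* function activates above this */
#define AOA_DISAGREE_DEG   5.5f  /* cross-channel disagreement limit */

typedef enum { CMD_NONE, CMD_NOSE_DOWN, CMD_INHIBIT } command_t;

static float absf(float x) { return x < 0.0f ? -x : x; }

/* Single-sensor plausibility check: NaN, range and rate of change. */
bool aoa_plausible(float aoa, float prev_aoa) {
    if (aoa != aoa) return false;                       /* NaN */
    if (aoa < AOA_MIN_DEG || aoa > AOA_MAX_DEG) return false;
    if (absf(aoa - prev_aoa) > AOA_MAX_RATE_DEG) return false;
    return true;
}

/* Single sensor, single channel: a reading that is wrong but stays
 * inside the plausible envelope still drives the command. */
command_t single_channel_command(float aoa, float prev_aoa) {
    if (!aoa_plausible(aoa, prev_aoa)) return CMD_INHIBIT;
    return aoa > AOA_ACTIVATE_DEG ? CMD_NOSE_DOWN : CMD_NONE;
}

/* Two independent sensors cross-compared: the function acts only when
 * both are plausible and agree, so one faulty sensor cannot by itself
 * produce a nose-down command (it can only inhibit the function). */
command_t dual_channel_command(float aoa_l, float prev_l,
                               float aoa_r, float prev_r) {
    if (!aoa_plausible(aoa_l, prev_l) || !aoa_plausible(aoa_r, prev_r))
        return CMD_INHIBIT;
    if (absf(aoa_l - aoa_r) > AOA_DISAGREE_DEG) return CMD_INHIBIT;
    float aoa = 0.5f * (aoa_l + aoa_r);
    return aoa > AOA_ACTIVATE_DEG ? CMD_NOSE_DOWN : CMD_NONE;
}

int main(void) {
    /* Constructed case: left sensor stuck high at 25 deg, right sensor at 3 deg. */
    printf("single channel: %d (1 = nose down)\n", single_channel_command(25.0f, 24.0f));
    printf("dual channel:   %d (2 = inhibit)\n", dual_channel_command(25.0f, 24.0f, 3.0f, 3.0f));
    return 0;
}
```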