PPRuNe Forums - View Single Post - MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures
Old 2nd Sep 2019, 10:49
BDAttitude
 
Join Date: Apr 2019
Location: EDSP
Posts: 334
Originally Posted by PiggyBack
I think it is a mistake to focus on the software and software development process. Certainly it would be sensible for there to be input validation/plausibility checks, and these may or may not be present, but the big issue was in the system design. It is quite clear that at a system design level this function and the software associated with it were not assessed as having a high safety impact. Everything flowed from this: a single-sensor, single-channel system vulnerable to a single failure in a whole range of areas, including the software design and implementation.

I don't see the solution as being primarily software either, although software will certainly be involved. The best solution would be an intrinsic one: remove the need for the system to be present at all; this isn't going to happen. The next best solution is one which cannot fail unsafely due to a single failure. Various ways seem possible to achieve that, but they are not purely software and they will take time to develop, verify and certify.
As much as I do agree with you, I don't think anyone will be able to lock that genie back in the bottle. During my career I've seen numerous hardware problems being "software fixed" - of course it's only a dirty workaround, just as MCAS is. So software engineers must make sure that if something is done that way, it is properly done. And if it increases costs enough, maybe that's an encouragement to do it right next time.

And then someone comes along and demands that you be more agile. Just look at the suggestions to use multi-core processors with multiple layers of non-deterministic caching and predictive execution. Unfortunately many managers are on the same "But my iPhone can do this" knowledge level.
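As an added illustration of the design point argued above (a single-sensor, single-channel function that acts on any value it is given, versus one that cannot fail unsafely on a single failure), the following example code is not from either poster or from any aircraft manufacturer. It models a generic "correction" function fed by an angle-of-attack-style reading; all limits, the trigger angle and the sample values are constructed for illustration and are not taken from any real specification.

```python
"""Single-channel vs. cross-monitored sensor input (constructed example).

Models a function that acts on an angle-of-attack-style reading. The single-channel
variant acts on whatever one sensor reports; the dual-channel variant range-checks,
rate-checks and cross-compares two independent channels and disables itself when
any check fails, so no single sensor failure can produce an unsafe command.
All limits and sample values below are assumed for illustration only.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed plausibility limits (illustrative; not taken from any real specification)
AOA_MIN_DEG = -30.0
AOA_MAX_DEG = 40.0
MAX_RATE_DEG_PER_S = 20.0   # fastest credible change between two samples
SAMPLE_PERIOD_S = 0.1
MAX_DISAGREE_DEG = 5.5      # largest tolerated difference between channels
TRIGGER_DEG = 15.0          # above this the function demands a correction


@dataclass
class Decision:
    active: bool    # whether the function is allowed to act this cycle
    command: float  # correction demanded, 0.0 when inactive
    reason: str


def single_channel(aoa: float) -> Decision:
    """One sensor, no validation: a faulty reading drives the command directly."""
    if aoa > TRIGGER_DEG:
        return Decision(True, aoa - TRIGGER_DEG, "above trigger")
    return Decision(False, 0.0, "below trigger")


def plausibility_fault(value: float, previous: Optional[float]) -> Optional[str]:
    """Return a fault description if one channel's reading is not credible, else None."""
    if not AOA_MIN_DEG <= value <= AOA_MAX_DEG:
        return f"out of range ({value} deg)"
    if previous is not None:
        if abs(value - previous) > MAX_RATE_DEG_PER_S * SAMPLE_PERIOD_S:
            return f"rate limit exceeded ({previous} -> {value} deg)"
    return None


def dual_channel(a: float, b: float,
                 prev_a: Optional[float], prev_b: Optional[float]) -> Decision:
    """Two independent channels; any single failed check disables the function."""
    for name, value, previous in (("A", a, prev_a), ("B", b, prev_b)):
        fault = plausibility_fault(value, previous)
        if fault:
            return Decision(False, 0.0, f"channel {name} {fault}")
    if abs(a - b) > MAX_DISAGREE_DEG:
        return Decision(False, 0.0, f"channel disagreement ({a} vs {b} deg)")
    # Both channels are credible and agree: act on the less aggressive reading.
    aoa = min(a, b)
    if aoa > TRIGGER_DEG:
        return Decision(True, aoa - TRIGGER_DEG, "above trigger on both channels")
    return Decision(False, 0.0, "below trigger")


def replay(samples_a, samples_b):
    """Run both designs over paired sample streams; returns (single, dual) decision lists."""
    single, dual = [], []
    prev_a = prev_b = None
    for a, b in zip(samples_a, samples_b):
        single.append(single_channel(a))
        dual.append(dual_channel(a, b, prev_a, prev_b))
        prev_a, prev_b = a, b
    return single, dual


if __name__ == "__main__":
    # Constructed scenario: channel A fails high at the third sample, B stays sane.
    chan_a = [4.0, 4.5, 35.0, 35.0]
    chan_b = [4.2, 4.6, 4.8, 5.0]
    for s, d in zip(*replay(chan_a, chan_b)):
        print(f"single: active={s.active} cmd={s.command:5.1f} | "
              f"dual: active={d.active} ({d.reason})")
```

In the constructed scenario the single-channel design commands a 20-degree correction the moment channel A fails high, while the cross-monitored design first trips the rate check and then, once the failed value has "settled", the disagreement check, and stays inactive in both cases. The point is the one made in the quoted post: the protection comes from the system-level decision to carry a second independent channel and to disable on disagreement, not from the software alone.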