Originally Posted by ST Dog
Configuration management is alive and well. Required for a DO-178 process (which is required for aviation). You even have to spell out how you will do it in planning documents, ostensibly before you start development. Changes are tracked, reviewed, connected to problem reports/change requests, etc. Lots of scrutiny.
The issue is does the code change trigger a safety review. DO-178 leaves it to the change maker or other reviewers to decide. But the guys writing the code and making those changes (and their management) don't really understand the airworthiness impact.
It is useful to keep in mind that as far as we know the MCAS software worked exactly as specified/designed/implemented.
No amount of SW process can catch a system-level specification error, so while important, it is not a panacea for problems resulting from inadequate understanding and analysis at a global level.
What can help is a full fault tree analysis, done before the first accident. From others' comments this is done in aviation, but it is not clear what rigour is applied when 'minor' changes are made.
I have always been impressed by the ability of investigators to determine 'why it blew up' after the fact, and often wondered what the result would be if the same resources and methodology were applied in advance.