PPRuNe Forums - View Single Post - MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures
Old 5th Sep 2019, 16:26
#2190
ST Dog
 
Originally Posted by MurphyWasRight
It is useful to keep in mind that as far as we know the MCAS software worked exactly as specified/designed/implemented.
No amount of SW process can catch a system level specification error, so while important it is not a panacea for problems resulting from inadequate understanding and analysis at a global level.
Indeed.
What can help is a full fault tree analysis, done before the first accident. From others' comments this is done in aviation, but it is not clear what rigour is applied when 'minor' changes are made.
That's a bigger problem. One group says safety should look at it again and another says no. And like many past examples, management makes a call based on multiple factors, but mainly how persuasive the people saying safety needs to look again are.

Sadly we will never see the problem reports/change requests and the other documentation surrounding the change in MCAS.
The FAA probably has it. The other investigators will. But not the general public, not that they could understand the arguments made.

I have always been impressed at the ability of investigators to determine 'why it blew up' after the fact and often wondered what the result would be if the same resources and methodology were applied in advance.
The methodology is. But when looking at 1000s of what-ifs, you have to decide which are credible and how likely they are.
After the fact you can see something happened and trace it through the system to see the effects.

But before that? How likely did the event seem?

I could probably put together a hazard assessment for MCAS and show it at several criticalities based on different assumptions and probabilities for different faults.

Last edited by ST Dog; 5th Sep 2019 at 19:22.