PPRuNe Forums - View Single Post - MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures
Old 27th Sep 2019, 10:21
#2628
fdr
 
Join Date: Jun 2001
Location: 3rd Rock, #29B
Originally Posted by ST Dog
"While Boeing considered the possibility of uncommanded MCAS operation as part of its functional hazard assessment, it did not evaluate all the potential alerts and indications that could accompany a failure that also resulted in uncommanded MCAS operation,"

It's a problem with how FHAs are done. And that's following the process for them. Go read ARP4754 and 4761.
True words, sir.

NASA/CR–2015-218982 Application of SAE ARP4754A to Flight Critical Systems is a good primer for the process, and indicates both the complexity and the potential for missing the plot.

Quantitative analysis is a flawed concept.

NASA, post-Challenger, evaluated the failure probability estimates that the engineers had come up with for various system failures. The critical level for man-carrying space vehicles was easily exceeded by orders of magnitude on all counts, in some cases with an extra 8 zeros behind the actual failure rate with the loss of STS-51L. A more robust solution arises from Monte Carlo simulation or similar iterative analysis, but at the end of it all, irrespective of the method employed, it is a guess of the likelihood of an improbable outcome. The same issue arises with the risk assessment of nuclear power stations (sorry if you live downwind of any), of NASA up to Columbia... (...ooops, I did it again....) and.... the U.S. nuclear weapons safeties... Goldsboro, North Carolina, Damascus Titan II, and... Russian "nooks", bucket o' sunshine, Chernobyl, Kyshtym (golly, where did that town go...), Severodvinsk, H.E.N. "Hiroshima" class nuke boats, Yankee II (missile oops), Golf II (missile oops), Stanislav Yevgrafovich Petrov, who is singlehandedly the reason civilisation wasn't accidentally wiped out on 26th September 1983..., Japan's Fukushima design (which is as risky as 50% of Europe's hot tubs), Tokaimura, Tokai, Mihama-3...

You can throw all the maths you want at an analysis, but then the solution is fundamentally down to reading chicken entrails. Sometimes we get it done and the answers make sense, but, say, NASA suggesting that the likelihood of a shuttle loss was better than a million to 1 doesn't seem rational from the design, and certainly not from the stats of the operation.

As a broken record, I say again that our persistent assumption of linear or quasi-linear causation is fundamentally flawed. It may make regulators happy, it makes QA auditors and FOIs/ASIs happy, but the problem is the world doesn't work that way. It is the exception, not the rule, that accidents occur from a simple linear chain of events arising from errors or violations of process rules; accidents happen as often from multiple interactions all achieving resonant outcomes that exceed a limiting boundary. The problem of living in a stochastic world and treating it as linear is that we are effectively fighting the last war, not the next; we apply band-aids to the issue rather than seek the inner truth as to the zen of the problem. Every time we add a new sentence or component to a process, we alter the condition in expected and unexpected ways, and the problem is that a number of within-limit components of the system, acting within their expected tolerances, can result in the wild ride.
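The post's closing point, that several components each inside their own tolerance can together cross a limiting boundary that no single-deviation check ever sees, is easy to show numerically. The script below is an added example (not from fdr's post, and not any real aircraft or MCAS model): it takes an assumed toy quantity that is the product of three parameters, each held within an assumed +/-10% band, and compares the "one thing at its edge, everything else nominal" analysis against a Monte Carlo estimate of how often in-tolerance combinations exceed an assumed limit. It also re-runs the estimate under a different assumed distribution inside the same band, which is the "chicken entrails" caveat in code: the headline probability moves by more than an order of magnitude on an assumption the analyst chose, not measured.

```python
"""Monte Carlo tolerance stacking versus single-deviation analysis.

Added example, not from the PPRuNe post. The model is assumed for
illustration only: a quantity that must stay below LIMIT is a * b / c,
where each of a, b, c is individually kept within +/-TOL of nominal.
"""
import random

NOMINAL = (1.0, 1.0, 1.0)   # assumed nominal values of the three parameters
TOL = 0.10                  # assumed +/-10 % tolerance band on each parameter
LIMIT = 1.25                # assumed limiting boundary on the combined quantity


def combined(a, b, c):
    """Combined quantity of the assumed model: a and b multiply, c divides."""
    return a * b / c


def single_deviation_worst_case():
    """'Linear' analysis: one parameter at a tolerance edge, the others nominal.

    Returns the worst combined value found that way. Each individual
    excursion stays comfortably below LIMIT, so this analysis reports margin.
    """
    worst = combined(*NOMINAL)
    for i in range(3):
        for sign in (-1, 1):
            p = list(NOMINAL)
            p[i] = NOMINAL[i] * (1 + sign * TOL)
            worst = max(worst, combined(*p))
    return worst


def all_edges_worst_case():
    """Every parameter at its most adverse tolerance edge simultaneously."""
    return combined(NOMINAL[0] * (1 + TOL),
                    NOMINAL[1] * (1 + TOL),
                    NOMINAL[2] * (1 - TOL))


def sample_uniform(rng, nominal):
    """Assumed distribution 1: equally likely anywhere in the tolerance band."""
    return rng.uniform(nominal * (1 - TOL), nominal * (1 + TOL))


def sample_triangular(rng, nominal):
    """Assumed distribution 2: most likely near nominal, tapering to the edges."""
    return rng.triangular(nominal * (1 - TOL), nominal * (1 + TOL), nominal)


def exceedance_probability(sampler, n=50_000, seed=1):
    """Monte Carlo: fraction of in-tolerance draws whose combination exceeds LIMIT.

    Every draw has each parameter inside its own band; only their joint
    interaction can cross the boundary. A fixed seed keeps the run repeatable.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(n):
        a, b, c = (sampler(rng, x) for x in NOMINAL)
        if combined(a, b, c) > LIMIT:
            hits += 1
    return hits / n


if __name__ == "__main__":
    print(f"single-deviation worst case: {single_deviation_worst_case():.3f} (limit {LIMIT})")
    print(f"all-edges worst case:        {all_edges_worst_case():.3f}")
    print(f"P(exceed), uniform bands:    {exceedance_probability(sample_uniform):.4f}")
    print(f"P(exceed), triangular bands: {exceedance_probability(sample_triangular):.4f}")
```

The single-deviation pass never exceeds the limit (its worst case is 1/0.9, about 1.11), the all-edges corner does (about 1.34), and the Monte Carlo run puts a probability on how often the corner region is actually reached. Swapping the uniform band for a triangular one of identical width shrinks that probability sharply, which is the point to take from the post: the number at the bottom of a quantitative FHA is only as good as the distribution and interaction assumptions fed into it, and those are rarely measured.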