Originally Posted by
Mr Optimistic
(pax). I can just about see why MCAS failure would be a major hazard (rather than catastrophic as it is still possible to recover and fly). However DAL-B has a max failure rate of 10^-7 per year. Is that really a credible reliability for the AOA sensor and processing?
Hazard criticality is determined first. Then based on that you design at the appropriate assurance level.
But DALs don't have failure rates.
And the criticality probabilities are per flight hour, not per year. And that's per flight hour of the entire fleet/type, not a single aircraft.
How the individual probabilities for parts of a system/subsystem add up depends on the relationships, determined in the FTA (fault tree).
And FWIW, in an FTA software failures have a probability of 1. There's really no way to calculate the probability of a defect in software, just as there is no defect-free software (of any reasonable complexity).
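As an added illustration (my own example, not from anyone in this thread) of how per-flight-hour probabilities combine through a fault tree's AND/OR gates, and of what it means to put software in at probability 1: the tree shape and the sensor/processing rates below are constructed for illustration only, not figures from any real MCAS or AoA analysis.

```python
from dataclasses import dataclass
from typing import List, Union

@dataclass
class Basic:
    """A basic event with a probability per flight hour (independent of the others)."""
    name: str
    p: float

@dataclass
class Gate:
    kind: str                 # "AND" or "OR"
    inputs: List["Node"]

Node = Union[Basic, Gate]

def prob(node: Node) -> float:
    """Probability of the event at this node, assuming independent inputs."""
    if isinstance(node, Basic):
        return node.p
    ps = [prob(i) for i in node.inputs]
    if node.kind == "AND":          # all inputs must occur
        r = 1.0
        for p in ps:
            r *= p
        return r
    if node.kind == "OR":           # any input suffices: 1 - P(none occur)
        r = 1.0
        for p in ps:
            r *= (1.0 - p)
        return 1.0 - r
    raise ValueError(f"unknown gate kind: {node.kind}")

def hazard_tree(software_p: float) -> float:
    """Constructed tree: the hazard needs a bad AoA input AND software acting on it.
    The input is bad if the vane fails OR the signal processing fails.
    Rates are made-up placeholders, not certification data."""
    sensor = Basic("AoA vane failure", 1e-5)
    processing = Basic("AoA signal processing failure", 1e-6)
    software = Basic("control-law software defect", software_p)
    bad_input = Gate("OR", [sensor, processing])
    return prob(Gate("AND", [bad_input, software]))

def meets_target(p_per_flight_hour: float, target: float = 1e-7) -> bool:
    """Compare a top-event probability against a per-flight-hour objective."""
    return p_per_flight_hour <= target

if __name__ == "__main__":
    # With software at p = 1 the AND gate collapses to the hardware OR branch.
    print(f"top event: {hazard_tree(1.0):.3e} per flight hour")
```

With the software leaf fixed at 1, the AND gate contributes nothing and the top-event figure is carried entirely by the hardware branch, which is why the sensor and processing reliability dominate the argument.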