Originally Posted by
Water pilot
However, aside from that, what they are talking about is not only really hard, but now you have to test scenarios of erronious computer shutdown at any frigging time during the duration of the flight. This is really the same rancid logic behind MCAS; a solution for an extremely rare event now creates its own problem in much more common situations. How many benign problems are in the processing code that are now going to trigger this 'kill' subroutine? What happens if the two computers get into a war with each other? How robust is the communication line between the computers, which was probably never designed to deal with the amount of data that now has to be transferred?
No wonder they did not want to completely document what they did.
Retrofitting logic like this sounds to me like an even bigger disaster-in-the-making than MCAS.
Triple modular redundancy has three systems and a majority voting system for a reason: if you can't trust a single module to be sufficiently reliable at performing its own operation, how can you possibly trust it to monitor the dual redundant module sufficiently reliably to trust it to shut it down!? And trying to add this on to a system that was never designed, in a rush to get ungrounded... sounds terrifying.