PPRuNe Forums - View Single Post - Boeing 737 again in the news
Old 17th Nov 2021, 14:19
  #76 (permalink)  
YRP
 
Originally Posted by tdracer
It all traces back to one bad call - the failure of MCAS was deemed to be no worse than "Major" - basically that if the stab trim started doing something unexpected or that the crew didn't understand, they'd simply disable it (which used an existing procedure). "Major" failures don't require redundancy in design. In 20-20 hindsight, that was a fatally bad call, but at the time it must have seemed reasonable. All the problems with the MCAS trace to that - had it been identified as "Hazardous" they never would have implemented it the way they did.
Agreed.

The part I find scary is that (as I understand it) they did not reclassify it during the updates. It is still not implemented with the proper, by now fairly well understood, design techniques for redundancy in software control systems. Nor will it have had the same level of testing / review scrutiny of a critical s/w system (at least it wouldn't have been formally required to; perhaps for this particular fix they will have, but wouldn't be required to repeat that in the future).

The reason seems clear: difficult to retrofit. But it seems clear it should have been hazardous in retrospect after the two accidents. While the new intended limits (single activation, etc.) should keep it out of hazardous range, it should have the proper redundancy & testing to confirm that software keeps it in the non-hazardous range. I.e. the potential is still hazardous, so the software that makes it non-hazardous ought to be implemented to the higher standard. And as I understand it, it isn't.
