Originally Posted by
SRMman
Sorry for entering this discussion rather late, but just a question about the four failure categories described by tdracer. The suggestion is that a higher categorisation would have been appropriate, eg Hazardous.
Assuming the probability number was increased from 10-5 to 10-7, what additional steps typically would have been expected for MCAS to meet certification requirements?
The short answer is that some level of redundancy would probably have been required to meet the 10-7 requirement - there is sometimes a case for a single thread "Hazardous" system, but you need reems of historical data to back up the reliability claims - the AoA sensor simply doesn't have the level of reliability. Catastrophic
must have redundancy - both the FAA and EASA are on record as not accepting probability arguments for single failures for systems with catastrophic consequences.
In addition, if the system had been judged to be Hazardous or Catastrophic, it would have received far more scrutiny from the feds - since 'Major' is considered to be a big deal, they don't tend to look at them very closely.