PPRuNe Forums - View Single Post - BA038 (B777) Thread
Old 2nd Mar 2008, 07:07
#539
PBL
 
Join Date: Sep 2000
Location: Bielefeld, Germany
Posts: 955
Jumbo Driver, sky 9,

you may find the report on the oil-seal incident you mention in our Compendium of Computer-Related Incidents with Commercial Aircraft under the heading "Eastern Airlines L1011 Common Mode.... 1983"

pax2809 asks
Originally Posted by pax2809
what is actually certified? Not really the a/c itself (after a s/w update, it is no longer the same a/c)
Actually, yes, the aircraft itself is what carries the airworthiness certificate. Yes, it is not in a strict sense "the same aircraft" after a SW update, and this is what worries SW safety people. However, it is the same aircraft as far as the certificate goes, unless something awful is installed and discovered (in which case the certificate will be quickly revoked). SW updates are offered by the manufacturer of the kit at regular intervals and each is "controlled" by controlling the process by which it is developed and offered and what it must show to be approved. There is an incremental process: for example, I don't think one has to perform MC/DC testing on each update. MC/DC testing is an extremely high resource swallower and according to some who have tried to quantify its effects, does not appear to improve the quality of the code.

Attempting to control quality by process does not work to guarantee SW quality; there is no significant correlation that anybody has been able to nail down. However, it "stands to reason" (whatever that phrase might mean) that controlling the process by which code is developed is likely to lead to better quality SW than without.

ArcticLow says
Originally Posted by ArcticLow
Precising the AAIB: the human-electro-mechanical chains of command from the left hand on the throttle levers all the way to (and including) the valves that control fuel flow all worked correctly.
and presages his further discussion on this premiss.

I doubt anyone at the AAIB would agree to such a statement without qualification. People who do forensics of this sort know that your conclusions are only as good as the data you have, and the data you have is both selected (in terms of parameters) and sampled (recorded only at discrete time points). And that goes for *all* data. Suppose a computer commands a valve to open. You may record the command on the data recorder. Is the position of the valve sensed? You may record that also if it is. Is the sensor working correctly? You are unlikely to record that, but maybe there are duplicated sensors. But was there a common-mode failure of the sensors allowing erroneous readings to be recorded? These are not theoretical questions: all of the phenomena mentioned have arisen in recent incidents. There is one phenomenon that is even worse: in which one and the same data signal is interpreted in two different ways by two different devices (say, one way by the data recorder and another way by the intended receiver). Such phenomena are known as Byzantine failures, and a series of such almost led to the airworthiness certificate for one common aircraft type being withdrawn in the early 2000s, which would have been a commercial disaster for worldwide aviation.

So there are a lot of ways in which reality can slip through the cracks in the data. I think you have to take the AAIB wording literally: "The recorded data indicates that there were no anomalies in the major aircraft systems." The first five words of that sentence are essential. They go on to say that the autopilot and autothrottle "behaved correctly" and that the EEC and associated systems "were providing the correct commands". That leaves large parts of the continuous physical-electric-electronic causal system for producing thrust that are not yet addressed by what has been written. I have confidence that they will be, if nothing else is found in the meantime.


PBL
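An added illustration (not part of the post above, and not based on any AAIB data) of the two forensic limits PBL describes: a recorder that samples a sensed valve position at discrete instants can miss a short event entirely, and a marginal signal level can be decoded one way by the recorder and another way by the unit that consumes it. The valve signal, the 1 Hz sampling rate and both decode thresholds are constructed assumptions.

```python
"""Constructed valve-position signal (hypothetical, not flight data) showing
how sampling hides short events and how one signal can be read two ways."""

DURATION_MS = 8000
RECORDER_THRESHOLD_V = 2.5    # assumed: recorder decodes >= 2.5 V as OPEN
CONTROLLER_THRESHOLD_V = 2.4  # assumed: consuming unit uses a slightly lower threshold


def valve_voltage(t_ms):
    """Constructed sensor output in volts: nominal 4.8 V (valve open), a
    150 ms dropout to 0.4 V during t = 3100..3249 ms, and a marginal
    2.49 V level from t = 6000 ms onward."""
    if 3100 <= t_ms < 3250:
        return 0.4
    if t_ms >= 6000:
        return 2.49
    return 4.8


def decode(volts, threshold_v):
    """Discrete interpretation a receiver makes of the analogue level."""
    return "OPEN" if volts >= threshold_v else "CLOSED"


def recorded_states(period_ms, threshold_v=RECORDER_THRESHOLD_V):
    """What a recorder sampling every period_ms stores: (time, state) pairs."""
    return [(t, decode(valve_voltage(t), threshold_v))
            for t in range(0, DURATION_MS, period_ms)]


def first_closed_sample(period_ms, threshold_v=RECORDER_THRESHOLD_V):
    """Earliest sample time at which the recording shows CLOSED, or None."""
    return next((t for t, s in recorded_states(period_ms, threshold_v)
                 if s == "CLOSED"), None)


def true_closed_ms(threshold_v=RECORDER_THRESHOLD_V):
    """Ground truth at 1 ms resolution, which no recorder actually has."""
    return sum(1 for t in range(DURATION_MS)
               if decode(valve_voltage(t), threshold_v) == "CLOSED")


def byzantine_disagreements(period_ms):
    """Sample times where recorder and controller decode the same level differently."""
    return [t for t in range(0, DURATION_MS, period_ms)
            if decode(valve_voltage(t), RECORDER_THRESHOLD_V)
            != decode(valve_voltage(t), CONTROLLER_THRESHOLD_V)]


if __name__ == "__main__":
    print(first_closed_sample(1000))    # 6000: the 150 ms dropout never appears at 1 Hz
    print(first_closed_sample(100))     # 3100: a 10 Hz recording does catch it
    print(true_closed_ms())             # 2150 ms actually CLOSED by the recorder's rule
    print(byzantine_disagreements(1000))  # [6000, 7000]: recorder says CLOSED, controller OPEN
```

The 1 Hz record shows nothing wrong until the marginal level at 6 s, and even there the controller acting on the same wire saw the valve as open; the recorded data, taken literally, is consistent with both stories.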