Hey PBL,
Thanks for the great post. It's clear from everybody that my ignorance knows no bounds.
It seems like the older I get, the less I know. However that's why I make these posts, in order to learn. And speaking of learning; since you offered, I would in fact, be interested to learn if Trent FADEC code is MC/CD tested. I stand corrected then: it's not millions, but hundreds of thousands of lines of FADEC code that are used (however I was told, it isn't the standard commercial version, additional cross check blocks have been added.) Isn't it conceivable that certain paths could result in an unexpected "rollback" to idle? From previous unexpected rollbacks I know that the flight crew isn't part of this decision to kill engine thrust. Personally I'd rather have partial power or explosive power to get the machine safely to the TDZ and then just junk the engine (instead of a rollback). But that's just me.
However, this does not suffice to test the code adequately. In fact, thorough testing is impractical. Far from "ten or twenty years", to reach the conclusion that there are no dangerous errors in the software would require testing for as long as or longer than the entire service life of the aircraft. It is impractical to reach a conclusion with any reasonable level of confidence through statistical testing that the software has a lower rate of failure than once every hundred thousand operational hours on average. This is a hard mathematical boundary, one with which critical-software developers have to work.
Fascinating insight.
Thank you for your frank honesty (even if it takes a beer to put out the flames.
) It's not easy being the point man for the Dinosaur Squad. You see, we dinos don't trust the goverment/industry to tell us the whole story. They've lied and covered-up so much in the past that taking an accident report at face value seems very foolish to many of us. It's more likely, considering human nature and liability, that they just quietly issued a new FADEC software"load" to fix the machines inability to deal with common ice in the fuel and upped the dia of the fuel lines.
And guys, sorry for the thread drift to 777 FADEC. Back to the subject, A320 shuttering in flight, PBL, I have another unfounded theory, since I'm not privy to any of the data beyond what I read here, that this A320 was severely cross controlled. Aircraft wants to go left with flight spoilers, but is confronted with excess right rudder introduced by a faulty centering solution every time power is interrupted. Plausible?
A friend told me:
the A320's most important flight control computers, the ELACs, each contain one Motorola 68000 and one Intel 80186 processor, which run the same algorithms, but I do not know if their software was developed by isolated teams. There are 2 redundant ELACs, and if they both fail, there are 2 SECs, which also provide pitch and roll control, albeit in a degraded mode (alternate or direct law.)
A question I have is does the roll logic know where the rudder trim is?
I'll betcha it doesn't. I'll betcha it just dumbly keeps feeding in more roll spoiler to counter the stronger rudder trim. The result is that the rudder wins, and a gross navigational error occurs. Not sure you can commend a computer crew who didn't disconnect this thing at the first sign of trouble.
But I wasn't there... they were probably fighting the ecam and paper check list from hell; so distracted, that nobody was flying the airplane, and I'll admit that many button pushers don't know how to trim the airplane for fastest mach, so the habit to disconnect and find out what's wrong just isn't there.
They have a:
Severe Fear of autopilot disconnect 
Now, just let me don my flack jacket here....
CC
still on the ragged edge