[SystemSafety] Correctness by Construction

Peter Bernard Ladkin ladkin at rvs.uni-bielefeld.de
Fri Jul 10 15:23:20 CEST 2020



On 2020-07-10 14:54 , Olwen Morgan wrote:
> 
> Well-designed stress tests could have simulated a faulty AoA sensor.

Which is beside the point.

There was such a test. There had to be. (Actually, probably many tests, given that there were five
versions of the MCAS SW to deployment.)

The key event is unintended activation of MCAS. That was rehearsed in flight simulation, with what
appears to be moderately correct conclusions for Release D (if you don't analyse and react correctly
within 4 seconds, you have significant handling problems, and if you don't sort those out in the
next 6 seconds, you're dead). See DoT IG report p21.

It doesn't matter what causes unintended activation; whether it is a faulty sensor or something
else. What matters is whether and how the event can be recovered.

If the event is classified as hazardous or catastrophic, then you get into the statistics of
occurrence and then you would have to perform fault analysis. (Which Boeing did, but inappropriately.)

BTW, it doesn't require tests to deal with a faulty AoA sensor. The failure characteristics of AoA
sensors are known. You can do it all with pencil and paper. What you don't necessarily know is the
severity classification of the resulting event, which is why there are the simulator tests.

PBL

Prof. Peter Bernard Ladkin, Bielefeld, Germany
Styelfy Bleibgsnd
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de
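The "pencil and paper" fault analysis referred to above, as an added worked example that is not part of the original post and not Boeing's or the FAA's analysis: it estimates the per-flight-hour probability of an undetected erroneous AoA input feeding a function like MCAS, for a single sensor versus two cross-compared sensors, and checks the result against the quantitative objectives for each severity class. The sensor failure rate and common-cause fraction are constructed placeholders (assumptions for illustration); the per-hour targets are the usual AC 25.1309 / ARP4761 values. The severity classification itself is an input to the check, which is exactly the part the post says you cannot get from paper alone.

```python
"""
Fault analysis sketch: probability of an undetected erroneous sensor
input per flight hour, single channel vs. two cross-compared channels.

Added example; not from the mailing-list post. Failure rate and beta
factor are CONSTRUCTED assumptions. Targets follow the AC 25.1309-1A /
ARP4761 convention (catastrophic 1e-9, hazardous 1e-7, major 1e-5).
"""
import math

# Quantitative objectives per flight hour by severity class.
TARGETS = {
    "catastrophic": 1e-9,
    "hazardous": 1e-7,
    "major": 1e-5,
}

# Constructed placeholder numbers, not data for any real vane.
AOA_UNDETECTED_FAILURE_RATE = 1e-5   # lambda, per flight hour, one sensor (assumed)
COMMON_CAUSE_BETA = 0.005            # share of failures that hit both sensors (assumed)


def p_single_channel(lam: float, hours: float = 1.0) -> float:
    """Probability that one sensor delivers a bad value within `hours`.

    Exponential model: 1 - exp(-lambda*t), which is ~lambda*t for small
    lambda*t. With a single channel there is nothing to catch the error,
    so this is directly the rate of the unintended-activation event.
    """
    return 1.0 - math.exp(-lam * hours)


def p_dual_compared(lam: float, beta: float, hours: float = 1.0) -> float:
    """Two sensors, cross-compared; a disagreement inhibits the function.

    An undetected bad input then needs both channels wrong the same way.
    Beta-factor model: independent failures contribute ~(lambda*t)^2,
    common-cause failures contribute beta*lambda*t. In practice the
    common-cause term dominates, which is the point of running the sum.
    """
    independent = p_single_channel(lam * (1.0 - beta), hours)
    common_cause = p_single_channel(beta * lam, hours)
    return independent * independent + common_cause


def classify_against_targets(p_per_hour: float) -> dict:
    """For a given event rate, which severity classes it is acceptable for.

    The hazard classification of the event is an input decided elsewhere
    (e.g. by simulator trials); this only tells you whether the computed
    rate would be tolerable under each candidate classification.
    """
    return {cls: p_per_hour <= target for cls, target in TARGETS.items()}


def compare_architectures(lam: float = AOA_UNDETECTED_FAILURE_RATE,
                          beta: float = COMMON_CAUSE_BETA) -> dict:
    """Side-by-side result for the two sensing architectures."""
    single = p_single_channel(lam)
    dual = p_dual_compared(lam, beta)
    return {
        "single": {"p_per_hour": single, "ok_for": classify_against_targets(single)},
        "dual": {"p_per_hour": dual, "ok_for": classify_against_targets(dual)},
    }


if __name__ == "__main__":
    for arch, result in compare_architectures().items():
        ok = [c for c, v in result["ok_for"].items() if v]
        print(f"{arch:6s} p/hour = {result['p_per_hour']:.3e}  acceptable if classified: {ok}")
```

With the assumed numbers, the single-channel arrangement only meets the "major" objective, and the dual arrangement meets "hazardous" but not "catastrophic"; change the common-cause fraction and the dual result moves far more than changing the independent rate does. That is the sense in which the arithmetic is routine and the classification of the event is the decision that matters.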
