[SystemSafety] Correctness by Construction
Olwen Morgan
olwen at phaedsys.com
Fri Jul 10 16:40:47 CEST 2020
On 10/07/2020 14:23, Peter Bernard Ladkin wrote:
> <snip>
> The key event is unintended activation of MCAS. That was rehearsed in flight simulation, with what
> appears to be moderately correct conclusions for Release D (if you don't analyse and react correctly
> within 4 seconds, you have significant handling problems, and if you don't sort those out in the
> next 6 seconds, you're dead). See DoT IG report p21.
> It doesn't matter what causes unintended activation; whether it is a faulty sensor or something else. What matters is whether and how the event can be recovered.
Correct me if I'm wrong, but I thought at least one key event in one of
the 737 MAX crashes was that an AoA sensor had been inappropriately
fitted to the airframe and consistently read around 20 degrees off?
How does a pilot recover from that?
>>> BTW, it doesn't require tests to deal with a faulty AoA sensor. The failure characteristics of AoA
>>> sensors are known. You can do it all with pencil and paper. What you don't necessarily know is the
>>> severity classification of the resulting event, which is why there are the simulator tests.
Do the AoA calibration/reliability data take account of faulty installation?
Stress tests written by viciously devious people who set out to give the
system the mother of all canings might well have hit upon that case.
What's the point in doing stress tests if you do not cover conditions
that are outside the normal operating regime?
Olwen