Re: Boeing 737 and 737 MAX software

[Paul Rubin <no.email@nospam.invalid>]

Niklas Holsti <niklas.holsti@tidorum.invalid> writes:
> On the issue of Ada subtypes, it seems to me that if the SW
> specification, design and coding considers sensor faults (as it of
> course should), the normal approach for such critical SW 

One of the criticisms of the decisions leading to the MCAS software is
that the software is certified only at DO-178B level C, defined as
software whose consequences are (https://en.wikipedia.org/wiki/DO-178B):

    Major – Failure is significant, but has a lesser impact than a
    Hazardous failure (for example, leads to passenger discomfort rather
    than injuries) or significantly increases crew workload (safety
    related)  

This is instead of level A (catastrophic, the whole plane can be lost),
or level B (hazardous, people can be injured).  The rationale was that
at worst MCAS going wrong would change the nose pitch by a few degrees
and then the pilot could fix it.  They didn't consider the possibility
of it activating over and over again, tilting a few more degrees each
time.

Since the software was treated as level C, its development and
certification process was less rigorous than what it would have gotten
at a more critical level.

Certifying and developing this system at level C instead of level A was
itself obviously some kind of process failure.  I believe finding out
how that happened is one of the investigation's objectives.