From: Paul Rubin
Newsgroups: comp.lang.ada
Subject: Re: Boeing 737 and 737 MAX software
Date: Thu, 18 Apr 2019 13:20:29 -0700
Message-ID: <87ftqfhxpu.fsf@nightsong.com>
References: <8736mwi257.fsf@nightsong.com> <2590d3d8-5f91-4f59-897e-e0c9b7e1b5ca@googlegroups.com> <5f483f72-9213-4c63-b3f9-7150fc4e455f@googlegroups.com> <03d33940-85e9-4fc9-9f2b-2b43f2cfd6af@googlegroups.com> <47a71ba7-38cb-426b-8dad-564f08afbcb2@googlegroups.com>

Niklas Holsti writes:

> On the issue of Ada subtypes, it seems to me that if the SW
> specification, design and coding considers sensor faults (as it of
> course should), the normal approach for such critical SW

One of the criticisms of the decisions leading to the MCAS software is that the software is certified only at DO-178B level C, defined as software whose consequences are (https://en.wikipedia.org/wiki/DO-178B):

    Major – Failure is significant, but has a lesser impact than a Hazardous failure (for example, leads to passenger discomfort rather than injuries) or significantly increases crew workload (safety related)

This is instead of level A (catastrophic, the whole plane can be lost), or level B (hazardous, people can be injured). The rationale was that at worst MCAS going wrong would change the nose pitch by a few degrees and then the pilot could fix it. They didn't consider the possibility of it activating over and over again, tilting a few more degrees each time.

Since the software was treated as level C, its development and certification process was less rigorous than what it would have gotten at a more critical level. Certifying and developing this system at level C instead of level A was itself obviously some kind of process failure. I believe finding out how that happened is one of the investigation's objectives.