[SystemSafety] Boeing 737 Max Correctness by Construction

Kinalzyk, Dietmar AVL/DE Dietmar.Kinalzyk at avl.com
Fri Jul 10 15:32:57 CEST 2020


Hi Olwen,

They did simulations already in November 2016, but the outcome from experienced pilots, “awful behavior of the software”, was not recognized by management.
Hiding of problems in management counts for me more than technical root causes here.
Ref, sorry, only in German:
https://www.sueddeutsche.de/wirtschaft/boeing-737-max-absturz-ursache-untersuchung-1.4647909

Best regards
Dietmar KINALZYK
Principal Development Engineer
Product Safety & NON-PT Safety
AVL Software and Functions GmbH
Im Gewerbepark B29, 93059 Regensburg
Germany
www.avl-functions.com

From: systemsafety <systemsafety-bounces at lists.techfak.uni-bielefeld.de> On Behalf Of Olwen Morgan
Sent: Friday, 10 July 2020 14:55
To: Tom Ferrell <tom at faaconsulting.com>; systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] Correctness by Construction

Well-designed stress tests could have simulated a faulty AoA sensor.

Olwen


On 10/07/2020 11:45, Tom Ferrell wrote:
On 10/07/2020 11:24, Olwen Morgan wrote:

<snip>
With MCAS, iterated tests or stress tests of the software might have revealed the problem.

<snip>

I would suggest you are still looking at this as a software problem.  The MCAS behavior that led to the crashes also involved a single threaded and malfunctioning Angle of Attack (AoA) sensor.  There was also involvement of the pilot in resetting the MCAS which allowed it to make multiple unbounded control inputs.  While this could have all been simulated to test the software in isolation as suggested, it is unlikely in my view that this would have surfaced what was a complex behavioral problem at the aircraft level.

From: systemsafety <systemsafety-bounces at lists.techfak.uni-bielefeld.de> On Behalf Of Olwen Morgan
Sent: Friday, July 10, 2020 6:34 AM
To: systemsafety at lists.techfak.uni-bielefeld.de
Subject: Re: [SystemSafety] Correctness by Construction

On 10/07/2020 11:24, Dewi Daniels wrote:

<snip>

requirements engineers only considered a single activation of MCAS. They do not appear to have considered the possibility that MCAS could activate repeatedly, eventually driving the stabilizer to a fully nose down position.

<snip>

This goes nicely with my example of the Wichmann-Hill PRNG. The essence of the required behaviour is a condition on repeated calls to the routine that generates a single random number. Only iterative testing could provide confidence in its correctness. With MCAS, iterated tests or stress tests of the software might have revealed the problem.

Olwen

Yours,

Dewi Daniels | Director | Software Safety Limited

Telephone +44 7968 837742 | Email dewi.daniels at software-safety.com

Software Safety Limited is a company registered in England and Wales. Company number: 9390590. Registered office: Fairfield, 30F Bratton Road, West Ashton, Trowbridge, United Kingdom BA14 6AZ


On Fri, 10 Jul 2020 at 10:42, Michael Jackson <jacksonma at acm.org> wrote:
CbyC is invaluable in avoiding errors in reasoning about formal models. But the relationship of a formal model---whether of a computer or of the real world of a cyber-physical system---may be a more prolific source of failure. Recent posts cited the 737Max8 disasters. Were these due to formal errors in MCAS code?

-- Michael Jackson


_______________________________________________
The System Safety Mailing List
systemsafety at TechFak.Uni-Bielefeld.DE
Manage your subscription: https://lists.techfak.uni-bielefeld.de/mailman/listinfo/systemsafety

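The iterated-check idea from Olwen Morgan's message above, as an added example that is not part of the thread: a Wichmann-Hill generator using the published 1982 constants, a hypothetical "stuck" generator constructed here to show what a single-call test misses, and the single-activation check beside the repeated-call check. The class and function names are my own, not anything from the list discussion.

```python
"""Wichmann-Hill PRNG: a single-call check versus an iterated check.

Added example, not from the mailing-list thread. The requirement that
matters (the state must not repeat early, and the outputs must spread
across [0,1)) is a property of repeated calls; a test that exercises one
call cannot observe it.
"""


class WichmannHill:
    """Wichmann-Hill (1982) combined linear congruential generator."""

    M1, M2, M3 = 30269, 30307, 30323
    A1, A2, A3 = 171, 172, 170

    def __init__(self, s1=1, s2=1, s3=1):
        # The published algorithm requires each seed in 1..30000; a zero
        # seed would pin that component at zero for ever.
        for s in (s1, s2, s3):
            if not 1 <= s <= 30000:
                raise ValueError("seeds must be in 1..30000")
        self.s1, self.s2, self.s3 = s1, s2, s3

    def state(self):
        return (self.s1, self.s2, self.s3)

    def random(self):
        # Advance the three LCGs and combine the fractional parts.
        self.s1 = (self.A1 * self.s1) % self.M1
        self.s2 = (self.A2 * self.s2) % self.M2
        self.s3 = (self.A3 * self.s3) % self.M3
        return (self.s1 / self.M1 + self.s2 / self.M2 + self.s3 / self.M3) % 1.0


class StuckGenerator:
    """Hypothetical faulty generator (constructed for this example): the
    first call is correct, every later call returns the same value."""

    def __init__(self):
        self._inner = WichmannHill(1, 1, 1)
        self._first = None

    def state(self):
        return self._inner.state()

    def random(self):
        if self._first is None:
            self._first = self._inner.random()
        return self._first


def single_call_check(gen):
    """The requirement read as a single activation: one output in [0,1)."""
    x = gen.random()
    return 0.0 <= x < 1.0


def iterated_check(gen, n=10_000, bins=10, tolerance=0.25):
    """The requirement read as a property of repeated calls.

    Fails if the internal state repeats within n calls (generator stuck or
    period too short), if any output leaves [0,1), or if the outputs are
    badly unbalanced across `bins` equal-width bins of [0,1).
    """
    seen = set()
    counts = [0] * bins
    for _ in range(n):
        st = gen.state()
        if st in seen:
            return False
        seen.add(st)
        x = gen.random()
        if not 0.0 <= x < 1.0:
            return False
        counts[int(x * bins)] += 1
    expected = n / bins
    return all(abs(c - expected) <= tolerance * expected for c in counts)


if __name__ == "__main__":
    print("single-call, good generator :", single_call_check(WichmannHill(1, 1, 1)))
    print("single-call, stuck generator:", single_call_check(StuckGenerator()))
    print("iterated,    good generator :", iterated_check(WichmannHill(1, 1, 1)))
    print("iterated,    stuck generator:", iterated_check(StuckGenerator()))
```

Both generators pass the single-call check; only the iterated check separates them, because the fault (no progress of the internal state after the first call) is invisible until the routine is called a second time.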