[SystemSafety] Correctness by Construction

Olwen Morgan olwen at phaedsys.com
Fri Jul 10 16:40:47 CEST 2020


On 10/07/2020 14:23, Peter Bernard Ladkin wrote:
> <snip>
> The key event is unintended activation of MCAS. That was rehearsed in flight simulation, with what
> appears to be moderately correct conclusions for Release D (if you don't analyse and react correctly
> within 4 seconds, you have significant handling problems, and if you don't sort those out in the
> next 6 seconds, you're dead). See DoT IG report p21.
> It doesn't matter what causes unintended activation; whether it is a faulty sensor or something else. What matters is whether and how the event can be recovered.

Correct me if I'm wrong, but I thought at least one key event in one of 
the 737 MAX crashes was that an AoA sensor had been inappropriately 
fitted to the airframe and consistently read around 20 degrees off?

How does a pilot recover from that?


>>> BTW, it doesn't require tests to deal with a faulty AoA sensor. The failure characteristics of AoA
>>> sensors are known. You can do it all with pencil and paper. What you don't necessarily know is the
>>> severity classification of the resulting event, which is why there are the simulator tests.

Do the AoA calibration/reliability data take account of faulty installation?


Stress tests written by viciously devious people who set out to give the 
system the mother of all canings might well have hit upon that case. 
What's the point in doing stress tests if you do not cover conditions 
that are outside the normal operating regime?



Olwen



