[SystemSafety] Correctness by Construction

Peter Bernard Ladkin ladkin at causalis.com
Fri Jul 10 21:20:11 CEST 2020
On 2020-07-10 16:40 , Olwen Morgan wrote:
> 
>
> Correct me if I'm wrong but I thought at least one key event in one of the 737 MAX crashes was that
> an AoA sensor had been inappropriately fitted to the airframe and consistently read around 20
> degrees off?
> 
> How does a pilot recover from that?


It induces unwanted MCAS activation, which according to Boeing manifests as runaway stabilator trim.
The recovery for runaway stabilator trim was and is in the Emergency Procedures part of the FCOM.

The main issue here is that Boeing *assumed* (see the DoT IG report) that runaway stabilator trim
would be manifest. And then you have your 4 seconds, or 10 seconds. But it wasn't.


> 
> 
>>>> BTW, it doesn't require tests to deal with a faulty AoA sensor. The failure characteristics of AoA
>>>> sensors are known. You can do it all with pencil and paper. What you don't necessarily know is the
>>>> severity classification of the resulting event, which is why there are the simulator tests.
> 
> Do the AoA calibration/reliability data take account of faulty installation?

I don't know or see why it should do so. Correct installation of equipment is known to be and
treated as a safety-critical process in aerospace. And is assumed; MROs are certified.

In the Lion Air case, the organisations concerned lost their certification.

The "AoA disagree" flag is supposed to be raised in the 20°-off case. It wasn't. Boeing knew about
that beforehand, but neglected to inform operators.

It wouldn't have helped Lion Air during the accident event, but its permanent annunciation (had it
worked as intended) might have been noted by the pilots during the previous flight and a maintenance
log item raised.

> Stress tests written by viciously devious people who set out to give the system the mother of all
> canings might well have hit upon that case. What's the point in doing stress tests if you do not
> cover conditions that are outside the normal operating regime?

You are way off the usual aeronautical safety ball.

First, airplanes are physical things which work to physical rules. Second, over the decades in which
airplanes have been going wrong, these rules are known; they go wrong in specific ways. Those ways
are what safety engineers concentrate on. Not: "stress testing" a piece of SW; but: what is the
function, what are the conditions of its activation; what happens when it activates when it shouldn't?

To my mind, a major issue is that Boeing implemented a function which deliberately put a trimmed
aircraft way out of trim, and it could not be turned off. So what if it just activates when it
shouldn't, and puts the aircraft way out of trim?

"Stress testing" SW is not going to get you away from that fundamental situation.

PBL

Prof. Peter Bernard Ladkin, Bielefeld, Germany
Styelfy Bleibgsnd
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de