Free Republic

To: Dave Wright

“Boeing underestimated the probability of AOA failure and did not assess the software risk correctly.”

I’m a software architect who has been in the position of signing off on safety software processes. The general concept, regardless of the industry standard (ISO 26262, DO-178C, IEC 61508...), is to leave nothing to chance regarding the software. The failure matrix should have included multiple variants of the “AOA sensor failure” and respective tests should be traceable to these requirements.

My point is that this is either a failure of following safety process (ignorance, incompetence, or laziness at multiple levels within engineering) or the issue was raised within engineering and ignored, which I don’t believe. Either senior engineering managers ignored the problem or senior executive managers did. The safety processes for software would have included testing for this. It’s a simple input problem causing an output problem. Testing should include mis-calibration. It’s not hard to know that, if calibration is needed for software to function properly, you must be able to detect either mis-calibration or bad data (like no data, or erratic data, or data that doesn’t make sense).

I get that a CEO is probably not a software expert. I just don’t buy that, at some level, the safety processes didn’t expose the need for such tests and “bad sensor” mitigation.

Self-certification, where government oversight could be easily corrupted, isn’t something I agree with. The problem is the cost of the alternative. I believe this led to bad safety decisions being made, maybe not by the CEO, although as they said, the buck stops with him. That they knew there was a problem after the first crash and didn’t ground them all is a real problem for me. They were already working on a software fix - stated after the second crash in mere days after the event without needing to analyze the data recorder. Unacceptable.


19 posted on 10/29/2019 6:32:23 PM PDT by fuzzylogic (welfare state = sharing of poor moral choices among everybody)
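An input-plausibility gate of the kind the post above says the tests must cover (no data, mis-calibration, erratic data, data that doesn’t make sense), as an added example; it is not code from the thread, from Boeing, or from any certified system, and the thresholds, the two-vane layout and the `aoa_validate` name are assumptions chosen for illustration:

```c
#include <math.h>
#include <stdbool.h>

/* Added example, not from the thread or from any real flight system.
 * Every threshold below is an assumed, illustrative value. */
#define AOA_MIN_DEG       -20.0  /* assumed physical range of the vane */
#define AOA_MAX_DEG        40.0
#define AOA_MAX_RATE_DPS   30.0  /* assumed max plausible change per second */
#define AOA_MAX_SPLIT_DEG   5.0  /* assumed max disagreement between two vanes */

typedef enum {
    AOA_OK = 0,
    AOA_NO_DATA,      /* sample missing (NaN) or no valid time step */
    AOA_OUT_OF_RANGE, /* outside the vane's physical range: mis-calibration */
    AOA_ERRATIC,      /* jumped faster than the airframe can rotate */
    AOA_DISAGREE      /* the two sensors do not agree: trust neither */
} aoa_status;

typedef struct {
    double left_deg, right_deg;           /* current samples from the two vanes */
    double prev_left_deg, prev_right_deg; /* previous accepted samples */
    double dt_s;                          /* seconds since the previous sample */
    bool   have_prev;                     /* false on the very first sample */
} aoa_frame;

static bool in_range(double v) {
    return !isnan(v) && v >= AOA_MIN_DEG && v <= AOA_MAX_DEG;
}

/* Returns AOA_OK only when both channels pass every check; on success
 * *out_deg receives the averaged value. Any other status is the signal for
 * the consumer (e.g. a trim-command function) to stop acting on the data. */
aoa_status aoa_validate(const aoa_frame *f, double *out_deg) {
    if (isnan(f->left_deg) || isnan(f->right_deg) || f->dt_s <= 0.0)
        return AOA_NO_DATA;
    if (!in_range(f->left_deg) || !in_range(f->right_deg))
        return AOA_OUT_OF_RANGE;
    if (f->have_prev) {
        double rl = fabs(f->left_deg - f->prev_left_deg) / f->dt_s;
        double rr = fabs(f->right_deg - f->prev_right_deg) / f->dt_s;
        if (rl > AOA_MAX_RATE_DPS || rr > AOA_MAX_RATE_DPS)
            return AOA_ERRATIC;
    }
    if (fabs(f->left_deg - f->right_deg) > AOA_MAX_SPLIT_DEG)
        return AOA_DISAGREE;
    *out_deg = 0.5 * (f->left_deg + f->right_deg);
    return AOA_OK;
}
```

The point is that each failure class the post lists maps to a distinct, testable branch, so a requirement such as “AOA sensor failure (erratic)” can be traced to a test that drives exactly that branch.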


To: fuzzylogic

The DO-178C process for certifying avionics software doesn’t allow self certification. The FAA must inspect all artifacts. What happened was that Boeing got two very green FAA DERs (Designated Engineering Representatives) to sign off on something they never saw. Boeing presented the design specifications and received approval to build MCAS, but then Boeing changed what they built without the DERs noticing. That was completely not how DO-178C works.


34 posted on 10/30/2019 5:04:42 AM PDT by CodeToad (Arm Up! They Are!)
