Originally Posted by
22/04
I really am mystified that a device that arguably insidiously pitches the aircraft down even if cancelled during a potentially high workload situation and which relies of only one of two AOA sensors ever gained certification. Did the certifying authority fully understand MCAS - how explicit were Boeing in the certification process? Or am I interpreting incorrectly
Surely the STS is different - that is making small corrections both ways towards a desired situation.
That is a question requiring answering regardless of this ET crash. It is hard to believe how this logic made it through. For this to be fail safe, it would require 3 sources of data being evaluated. That way there is always an arbitration value. ie Capt side AoA, FO side AoA then a third AoA value not connected with Capt or FO. If this was in place the automated decision making process could evaluate 3 inputs and discard the erronous one.
At present even if there was error checking based on the non-flying side, how is it validated?