Originally Posted by silverstrata

What Boeing REALLY needs to do is have multiple inputs to the MCAS, so it is not reliant on a single AoA sensor. At the very least MCAS needs to drop out if it senses a mismatch between the AoA sensors, and just flag an error-fault. The last thing MCAS should be doing is activating its protocols, when it must know that the AoA sensors are in disagreement.

This I entirely agree with and have stated previously myself! Why would critical software ever rely on unverified data from one single item of hardware? It doesn't make sense. If you have foolproof and fail-safe redundancy then throw on whatever software that you want. The software only acts on the data; if the data's always good then the software always does what it's meant to do. You don't build a luxury palace on sand, you put in solid foundations first: safe and secure infrastructure, then the luxury add-ons.

How can an aircraft's certification be reliant on one single AoA vane always functioning correctly? I know it's been brought up about Airbus having 3 sources, but if you designed it correctly, you could have 100 mini AoA sensors for this function, and only let the software control flight surfaces when at least say 60 are in agreement! The software isn't the problem, the problem is the fact that the software relies on a single data source that isn't verified. Others have commented about the AoA being cross-checked against ASI etc. before making control inputs, that would be a good start.

AND... if you're going to throw in different functions and automated controls onto an aircraft, please have the decency to let the professional crew know what they are and how they work first, just in case they do something they shouldn't!

P.S. How many backdoor, certification-reliant, automated controls are there that can function when AP is off? Or is MCAS the only one so far?
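
The rule argued for in the post above (act only when enough independent sensors agree, otherwise drop out and flag a fault), sketched as an added example that is not part of the original post and not any aircraft's actual logic. The function names, fault labels, tolerance and readings are constructed assumptions.

```python
from statistics import median

def vote(readings, tolerance, quorum):
    """Return (value, None) when at least `quorum` readings lie within
    `tolerance` of each other, otherwise (None, fault_reason).
    Fail-safe by design: no agreement means no value to act on."""
    # A sensor that reports nothing (None) cannot count toward the quorum.
    valid = sorted(r for r in readings if r is not None)
    if len(valid) < quorum:
        return None, "INSUFFICIENT_SENSORS"
    # Sliding window over the sorted values: find the largest group
    # whose total spread does not exceed the tolerance.
    best_lo, best_hi, lo = 0, 0, 0
    for hi in range(len(valid)):
        while valid[hi] - valid[lo] > tolerance:
            lo += 1
        if hi - lo > best_hi - best_lo:
            best_lo, best_hi = lo, hi
    group = valid[best_lo:best_hi + 1]
    if len(group) < quorum:
        return None, "SENSOR_DISAGREE"
    # Use the median of the agreeing group so one drifting member
    # inside the tolerance band cannot pull the result.
    return median(group), None

def automation_permitted(readings, tolerance, quorum):
    """Gate for any automatic control input: allowed only with a voted value."""
    _, fault = vote(readings, tolerance, quorum)
    return fault is None

if __name__ == "__main__":
    # Constructed readings (degrees), not real flight data.
    print(vote([4.5, 5.5], tolerance=5.0, quorum=2))    # two sensors agree
    print(vote([5.0, 22.5], tolerance=5.0, quorum=2))   # mismatch: drop out
    print(vote([5.0] * 70 + [40.0] * 30, tolerance=1.0, quorum=60))
```
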
