Originally Posted by
derjodel
Remember, MCAS is required for (self) certification, so it needs to be there in certain conditions. But it simply can't be there with only two AOA sensors, no matter how you hack it. Whatever you do, it could happen that MCAS does't engage when it should -> hence no certification, or it does when it's deadly.
This is the key I think, triggering MCAS only when both FCCs (and therefore both AOAs) say so would surely be comparatively trivial and they would have done that IF the certification allowed it, ergo it likely doesn't.
Other points to consider:
- the earlier AD implies that MCAS still operates (presumably by design) even in event of AOA disagree (if that warning option is fitted)
- one (only) AOA sensor is on the MMEL for NG, but
not for MAX
- speed trim
is on MMEL, even for MAX
- MCAS... is not
All starts to look like MCAS is a "must work", more so than speed trim (also required for certification, but can be MELed). What seems to have gone very badly wrong is the assessment of the
consequences (rather than the
likelihood) of incorrect activation.
As you say, you can't fix this with just two AOA inputs. Adding a third AOA sensor (or calculated reference as on 777/787) to allow everything to work with one failure is going to be a big job.