PPRuNe Forums - View Single Post - Ethiopian airliner down in Africa
Old 20th Apr 2019, 21:24
#4173
737 Driver
 
Join Date: Apr 2019
Location: USA
Posts: 217
Originally Posted by TryingToLearn
Second problem, which worries me the most, is the use of just one input. There are 2 sensors, use them! Relying on only one probe with very low diagnostic coverage is just bad. Safety-critical systems should be single-point-fault tolerant. But this is also a technical system requirement. Such a decision is made 6 months before coding. Nobody questioned this?
I've pondered this question myself quite a bit. I'm not sure we will ever know the correct answer, but let me offer an observation. While the 737 has a lot of redundancy, that redundancy does not generally extend to two sensors coming to an agreement before one of them causes a system response.

The most obvious example is that if one stall computer (SMYD) senses an approach to stall condition, it will turn on one stick shaker and activate the Elevator Feel Shift Module (EFSM). I believe one SMYD can also activate the Speed Trim Stall ID function and the autoslats (I'm actually trying to confirm these last two. The aircraft maintenance manual (AMM) suggests this is the case, but I haven't found anyone at my company who can say for sure). If the left and right inputs disagree, you will get some kind of message, but the system response still occurs.

I could envision a scenario in which someone on the MCAS design team looked at how previous 737 models treated these system inputs and simply followed suit. The difference this time was the system response was more than an annoyance - it was, sadly in hindsight, an existential threat.

Last edited by 737 Driver; 20th Apr 2019 at 21:26. Reason: clarity