Originally Posted by
GlobalNav
The root cause in a nutshell. The failure mode has been demonstrated, fatally, to be catastrophic. A single, even a double, sensor input would not be a satisfactory architecture to prevent it, and safety standards require that the associated enabling software have the corresponding design assurance level "A". A very expensive fix, and more delay, if implemented.
While implementing MCAS as FDAL A would be good solution, I'm not certain that it's the only solution.
I'd have to go back through the rules. Multiple systems at various DALs combining together (and some requirements of not less than some level). And without the actual fault tree it's all speculation as to how they combine/interact. System safety is not a back-of-the-envelope endeavor.
Personally I think anything that can directly move a flight control surface should be IDAL A these days, but I don't write the rules. And it's a lot harder when dealing with legacy systems that were developed before DO-178B, ARP4754, and AC 1309-1B (still a draft, though accepted for compliance of FAR 25.1309)