Originally Posted by
GordonR_Cape
Short answer: The autopilot and MCAS are different sub-systems running on each FCC.
The autopilot is a 3-axis system, and demands high integrity data from muliple sensors to operate safely.
MCAS is a subroutine of the speed-trim system, and both operate on a single axis of pitch via the horizontal stabiliser.
IMO this is where things went wrong. Speed trim is a closed-loop system, with limited authority in pitch, and failure is not catastrophic. MCAS was supposed to be closed-loop, but due to AOA failure it became open-loop. It also had larger authority, and unlimited scope.
Thus a safe and trusted sub-system became a monster, due to a combination of hardware error, faulty design, and lack of foresight.
Speaking as an engineer SLF, the number of bad design decisions and implementation errors impinging on this subsystem are amazing: To the actual repeat/cyclic MCAS with lethal authority, add
- single AoA use in MCAS
- AoA disagree light inoperative
- column override switch mods
- missing/removed MCAS documentation
- simulators with no clutches on trim wheels to feedback extreme trim force
I can only imagine that the engineering team was dysfunctional with respect to safety checks.
Edmund