PPRuNe Forums - View Single Post - MAX’s Return Delayed by FAA Reevaluation of 737 Safety Procedures Mk II
Old 21st Dec 2019, 03:41
#74
FrequentSLF
Join Date: Aug 2007
Location: Alabama
Age: 58
Posts: 366
Originally Posted by MechEngr
This is several questions. The first is whether the software that runs the MCAS algorithm is working correctly and how would the crew know it wasn't. This is the same unsolvable problem that software has always had. The usual approach is to hand an algorithm to a bunch of different software developers to run on different architecture computers and then depend on some other algorithm to decide if the answers are all close enough to select the "truth." This is seen in 2-of-3 voting systems, which are more, but not always, reliable.

The second is how will the crew know that MCAS software is operating correctly, but based on false inputs. This is similar to the first case because the crew isn't ever given raw data; it's all processed through some algorithm so it's back to some voting scheme. The way around algorithms would be to make a selsyn system that moved a mechanical AoA needle on the instrument panel, but it would not help if the needle or the AoA sensor was misaligned.

Did MCAS fundamentally fail? Not on the accident aircraft - the algorithm and resulting software did exactly what it was supposed to do with the information it was given. Which leads to the third question - can humans fail safe when it comes to creating algorithms and then creating the software to carry them out? I'd say the answer is mostly yes, but no guarantee.

What I think would work is a force sensor and monitor on the controls that would shout "PULL TOO HARD - RETRIM NOSE UP RETRIM NOSE UP RETRIM NOSE UP" and loop. This could operate outside all other software loops; it could have its own box independent except for power. Add a 5 second delay against nuisance alerts and it should be good to go. The operation of MCAS wasn't the problem, the problem was allowing the buildup of excessive control forces that prevented the crews from holding the nose up because the plane was out of trim. This covers all possible reasons for the trim to fail and tells the pilots what the solution is.
How would you explain that FAA risk assessment after the Lion crash stated that 15 MAX will crash over the next 45 years?