PPRuNe Forums - View Single Post - Boeing pilot involved in Max testing is indicted in Texas
8th Mar 2023, 21:18
soarbum
 
Originally Posted by tdracer
I've posted this before, but some either didn't see or have forgotten:
The certification process groups failures into four categories - Minor, Major, Hazardous, and Catastrophic. These have associated acceptable probability numbers - 10⁻³, 10⁻⁵, 10⁻⁷, and 10⁻⁹ per flight hour, respectively (occasionally modified to per flight cycle).
The entire problem with MCAS started early in the design process where the malfunctioning of MCAS (either erroneous activation or failure to activate when needed) was judged to be "Major" - Major is considered to be no big deal, readily handled by the crew with a moderate increase in crew workload (I'm quite familiar with Major since most 'benign' engine failures are considered 'Major').
Since 'Major' failures are allowed to occur at a rate of 10⁻⁵/hour, redundancy is not required (BTW, apparently those who made that judgement also assumed that the flight crews would be told about and trained with regard to MCAS, but somewhere along the line that requirement was dropped).
Now, if someone had really sat down and thought about it - what the impact of a bad AOA sensor activating MCAS along with all the other bells and warnings that would be going off (stick shaker, unreliable airspeed, etc.) they might have realized that MCAS malfunction was at least Hazardous - but that obviously never happened prior to the first MAX crash. So the certification process for MCAS followed the (correct) process for a "Major" system. Now, if someone along the line realized that MCAS was worse than Major and withheld or hid that information - that's fraud and someone should be prosecuted for it. But if it was all an honest mistake - it's just that, a horrible, tragic, mistake, but humans design aircraft and humans make mistakes. I have it on good authority that there was at least one attempted suicide among the people who worked MCAS. These were not cold-blooded accountants that made these decisions - they were real, flesh and blood humans with feelings that made a horrible mistake. Was management pressure to keep things simple and 'on the cheap' a factor? Perhaps, but I know that I often experienced those pressures, and it never made me do or design something that I honestly believed was wrong.
This is perhaps the best summary that I have ever read of how MCAS came to be. What is missing is what happened between the first and the second crash. If the full consequences of an AoA failure had been overlooked when MCAS was designed, they were certainly very clear after the first crash. Surely Boeing engineers went back over it with a fine-tooth comb at that stage in the simulator and elsewhere and realised what a s--tstorm would be created in the cockpit by such a failure. That was the time to come clean with the airlines and pilots. They could have simply issued an AD to say that if you encounter unreliable airspeed at takeoff, do not retract flaps. They could have explained the MCAS algorithm and how it would not kick back in until x seconds after the last trim input. Instead they doubled down to say that if only the pilots had followed the old trim runaway procedure, it would all have been fine. Boeing gambled that they would get a firmware fix out before another similar AoA failure occurred. Someone made a decision to gamble with people's lives. Someone in Boeing management made that bet but the people on the Ethiopian flight paid the ultimate price for it.