I used to work as a controls engineer. Sensor fusion and redundancy is one of the most basic concepts in controls, and yet it was totally absent from a system that was responsible for flying the aircraft. There is more redundancy built into your office building's HVAC system than was built into the 737's MCAS. That really is inexcusable.
Actually, per the article, the lack of redundancy was central to hiding the feature from the FAA, keeping it out of the FOM, and ensuring the avoidance of any scenario that would entail extra pilot training. Whether two or three sensors, any disagreement among them would have involved a more complex system, and would risk necessitating an in-cockpit notification of that disagreement, and the ensuing training so the pilots understand the exact consequences of the disagreement and a procedure for mitigating it.
And the article explicitly dings Southwest Airlines as having provided Boeing a financial incentive to avoiding them needing additional simulator training.
> Whether two or three sensors, any disagreement among them would have involved a more complex system, and would risk necessitating an in-cockpit notification of that disagreement, and the ensuing training so the pilots understand the exact consequences of the disagreement and a procedure for mitigating it.
The in-cockpit notification light, "AOA Disagree," was a paid upgrade [1].
a. The AoA disagree alert is standard, not a paid upgrade.
b. The AoA indicator is a paid upgrade.
c. In most 737 MAX's, the disagree alert did not function correctly (did not function as they supposedly intended) unless you bought the paid upgrade for the indicator.
d. Neither the alert nor indicator were considered safety equipment, they were considered advisory.
e. If the alert indicates a caution or warning, it's going to be listed in the flight manual, and decently likely a procedure for understanding and handling that condition must exist, and if so it's going to be a part of a training regimen, the very thing airlines wanted to avoid.
The two changes already planned: decoupling the disagree alert and angle indicator. Upon disagreement, MCAS is disabled. That means the disagree alert is at least cautionary now, because it means the airplane's stall behavior will be different than other 737s. That absolutely will require simulator training for pilots.
One of the most central questions is whether the assessment that the disagree alert was not "safety equipment" was wrong. That MCAS, in an angle of attack disagree condition, can so quickly induce, entirely on its own, catastrophic mistrim at low altitude, is rather damning. It suggests the risk assessment process is flawed.
