That doesn't seem like it's asking enough whys to me. Why was the MCAS system necessary? Why didn't the sensor fall back to its backups?

There are underlying hardware concerns, from the wings to the sensors themselves, that may require retrofits. MCAS can be patched, but I'm not convinced that a patched MCAS can fully address the hardware concerns.

> Why didn't the sensor fall back to its backups?

MCAS was added to the autopilot/flight computer system, which was brought forward from previous 737 designs, where there are two flight computers, each with an independent set of sensors; in case of disagreement, between the flight computers, autopilot would disengage and return control to the pilot. And in general, the types of things a pilot would do in response to commanded nose down would disable the autopilot until manually engaged again.

Unfortunately, MCAS acts autonomously, was not disclosed to pilots, and was not able to be disabled without also disabling electric trim control. Because it was built on top of the existing flight computer, which is safe enough, the behavior doesn't appear to have been separately considered.

From what I've read of the proposed fixes in news stories, it doesn't really address the root issue in my mind that the pilots should be able to turn off MCAS; although it does seem likely that it would activate erroneously less often, and that the plane will remain more controllable in the event that it does activate erroneously, it still seems like the situation would be dangerous in case it arises; which would seem possible if both Angle of Attack sensors failed in the same way at the same time. A third AoA sensor might help detect broken sensors, and make it less likely that all three would return the same wrong value simultaneously, but a switch to turn off MCAS would follow the Boeing philosophy of giving pilots control and letting them handle rare events.

Part of the MAX complexity was keeping MAX handling sufficiently similar to legacy 737s that you wouldn’t need new Certs for pilots.

Boeing will have a lot more freedom if it can do away with that.

But I don’t know if they can do that without bringing up the MAX to modern standards. The 737 is an old design.

But I largely disagree with grandfathering new planes because they’re built to an old design.

We don’t allow it for cars, why would we for aircraft?

My understanding is that the second sensor was listed as optional and not required. Therefore airlines decided to not select the option to save costs.

This is not the airlines fault. The second sensor should not have been optional if failure of the first sensor might lead to catastrophic failure.

Why didn't the sensor fall back to its backups? Because, unfathomably, it was designed to only listen to one sensor. Why? Absolutely no good reason that anyone can see. Can that be fixed? Absolutely, change the code to listen to both sensors. It's not a whole lot more complicated than that.

And if one of two sensors fails, which these exposed sensors do often, how do you know which one it is?

Intuition says you need three.

If one of two sensors fails, and the computer sees that, it knows not to fight the pilot, which was the problem, wasn't it?

That's fine, but seems self defeating. Now the pilot needs training to fly without MCAS, so why have it at all?

Your question applies to all systems that can fail, so the implication must be wrong.

You either make sure it doesn't fail, or you can continue flight without it. Either way, it has to be fail safe.

There is a backup to extend the landing gear if the primary hydraulic system fails, the plane can fly with one engine out, we make sure that even if an engine explodes it does not damage the air-plane, etc.

On the latter point, you can continue flying without autopilot or landing-assenting electronics and pilots are trained to do so.

MCAS has failed on all counts, it has been very unreliable and fail-deadly.

The system should have a number of alternatives. The first would be to consult the gyro system.

Change the code to listen to both sensors? And which one should it use as truth when they disagree?

In what manner is the plane unstable?

>It's a software and sensor reporting problem in the rushed-to-market new MCAS system - both fixable obviously.

Its a lot more than that...planes crashed and people died.

It doesn't matter if you fix the underlying problems, there will be a giant loss of confidence in the company and the product. That is all rightfully so, the company put profits in front of safety, and there is no reason to believe that will be fixed.

It might shock you, but this is far from the first time an airliner crashed due to fixable problems.

Time heals all wounds, so to speak. Boeing suffered a pretty bad PR problem, which then drove cancelled orders and more. It will take time to earn that trust back with the 737-MAX, however there's still plenty of 767, 787, some 747, and a few 757's still flying without any problems.

>It might shock you, but this is far from the first time an airliner crashed due to fixable problems.

It may shock you that pilot error is the leading cause of airline crashes.

Nevertheless, to your point these crashes occurred due to "fixable problems" sure...and anytime a plane crashes due to "fisable problems" legally it goes without saying there was negligence. But what seems to be ignored here is there was more than negligence...based on the documents already made publicly available the company knowingly shipped the planes with the issue.

>Time heals all wounds, so to speak.

Well I'm sure that was what the managers thought when they minimized the engineers concerns about these aircraft...then again you don't see very many Zeppelins flying around nowadays.