Originally Posted by djmp
Incorrect, per the FAA report and resulted in safety related design changes to the MAX series. And relevant to United as they were flying the same plane type.
What Explorer is pointing out is that you are over-simplifying a complex series of events.
Lion Air installed an unairworthy AoA vane/sensor on the accident airplane in an attempt to fix an unrelated problem. It was that unairworthy part which caused the unscheduled MCAS activations on the next two consecutive flights. They also failed to replace the unairworthy part after the first incident of unscheduled MCAS activation and sent it back out on what turned out to be the accident flight.
Egypt Air had a bird strike on takeoff which caused the left AoA vane to detach. That's a very unlikely occurrence but could happen to any flight. That crew was also aware of the findings from the first accident and the importance of following the established procedure.
During certification, every potential failure mode is analyzed and assigned a risk level which ranks the seriousness of that potential failure. Mitigations are created to reduce the risk. In the case of MCAS, an unscheduled MCAS activation was given a relatively low risk score because it could easily be mitigated by the existing stabilizer runaway procedure. (Every transport jet I have flown has had such a procedure, and we were trained to accomplish it.)
Another possible mitigation would be to compare the values from the two AoA sensors and require agreement before an MCAS activation. This was not done because combining the two inputs creates additional failure modes in which the data from one bad sensor could corrupt the data from the good one, because there is no third source to serve as a tie-breaker. This type of dual system is used in many aircraft, including the 737, where two independent data sources are used to separately drive the data to the Captain's and F/O's instruments. When a discrepancy occurs, the flight crew uses procedures to isolate the bad data and use the good data going forward. Most long-haul aircraft use triple-redundant systems which give the third tie-breaking source for when one system fails or is corrupted. The only transport jet that I've flown that included the triple-redundant system was the 767/757.
That leaves flight crew performance. Neither accident flight crew followed established procedures in their response to the unscheduled MCAS activation. This was almost universally ignored in the media's reporting of the accidents. I've commented, at length, on this in other threads. The bottom line is that both of those airplanes were flyable using established procedures and the skills that every qualified jet transport pilot should possess.
After the two accidents, the assumption that the unscheduled MCAS activation failure mode could be mitigated by the existing procedure was reevaluated based on the two accident crews failing to follow the procedure. The lengthy delay in recertification was due to the complexity of providing the cross checking and mitigating all of the new potential failures that it created.
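As an added illustration of the redundancy argument in the post above (this is not the poster's code nor any aircraft system's logic; the tolerance and the readings are constructed), a Python sketch of why a second sensor only lets you detect disagreement while a third lets you isolate the bad one:

```python
from statistics import median

# Hypothetical agreement tolerance in degrees (constructed, not a certified value).
TOLERANCE_DEG = 5.0


def single_source(aoa):
    """One vane feeds the automation: a bad reading is acted on unopposed."""
    return True, aoa, None


def naive_blend(aoa_capt, aoa_fo):
    """Combining two sources without a tie-breaker lets a bad vane corrupt the good one."""
    return (aoa_capt + aoa_fo) / 2


def dual_source_check(aoa_capt, aoa_fo, tol=TOLERANCE_DEG):
    """Two independent sources: disagreement is detectable, but the automation
    cannot tell which vane is wrong. Returns (activation_allowed, value, fault)."""
    if abs(aoa_capt - aoa_fo) <= tol:
        return True, (aoa_capt + aoa_fo) / 2, None
    # No third source to break the tie: inhibit and leave isolation to the crew.
    return False, None, "AOA DISAGREE"


def triple_vote(readings, tol=TOLERANCE_DEG):
    """Three sources: the median isolates a single bad vane automatically."""
    if len(readings) != 3:
        raise ValueError("triple voting needs exactly three readings")
    mid = median(readings)
    outliers = [i for i, r in enumerate(readings) if abs(r - mid) > tol]
    if not outliers:
        return True, mid, None
    if len(outliers) == 1:
        return True, mid, f"sensor {outliers[0]} isolated"
    return False, None, "multiple disagreement"


if __name__ == "__main__":
    # Constructed scenario: captain's vane reads far too high, the others are sane.
    bad, good_fo, good_third = 40.0, 3.5, 3.0
    print("single :", single_source(bad))
    print("blend  :", naive_blend(bad, good_fo))
    print("dual   :", dual_source_check(bad, good_fo))
    print("triple :", triple_vote([bad, good_fo, good_third]))
```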