> “Who would design a system with a single point of failure?”

According to the original design, the MCAS was only supposed to adjust trim to a level that was easily overridden by the pilot, essentially just by pushing on the stick or adjusting the trim. If it had been implemented this way, sensor failure would not have been catastrophic and hence would not have required redundancy. At some point this was either changed or implemented incorrectly so that MCAS had much more authority.

It was changed. Flight testing showed that much larger trim was required for MCAS to function, and that was implemented. The failure was not reassessing the risks after that.
Echoes of the Hyatt Regency walkway collapse.

That's pretty damning. I would have assumed Boeing of all people had a comprehensive change management system to automatically trigger a re-assessment in these cases.
They underestimated the aerodynamic instability and then decided just to give this auxiliary system total control. What could possibly go wrong? They should have gone back to the drawing board, putting off the launch and figuring out how to lift the airplane a bit higher. It may have required them to lower 737 prices for a while to stay competitive against the 320neo, and may have cost them a fortune.

Feedback loops with high gain (strong engine pulling up, powerful MCAS pushing down) are difficult to control. Minor failures have outsized impact. Adding rules to constrain the system introduces new operating modes, all of them having the potential to confuse the pilots. And in this system the pilots are close to the ground and have very little time to act.