
> Like, why does such a critical system like MCAS take only a single AoA sensor as input, when there are two sensors available? Especially considering that the inputs from both are hardware-available to MCAS (the new software version is going to take data from both).

Are you saying the answer in the article didn't give enough information?

"Airbus addressed this potential problem on some of its planes by installing three or more such sensors. Former Max engineers, including one who worked on the sensors, said adding a third sensor to the Max was a nonstarter. Previous 737s, they said, had used two and managers wanted to limit changes.

“They wanted to A, save money and B, to minimize the certification and flight-test costs,” said Mike Renzelmann, an engineer who worked on the Max’s flight controls. “Any changes are going to require recertification.” Mr. Renzelmann was not involved in discussions about the sensors."



No, it doesn’t answer the question. If there are two sensors already installed, not requiring change, how come the MCAS only uses one, not both?


Instrumentation on an aircraft is usually designed with a pilot and copilot set. Everything down to the pitot tubes which feed the information is unique to that side of the aircraft. This harks back to the day when it was the only sensible solution, when your gauges were actually just directly reading air pressure differences.

Clearly these signals can be cross connected, because that's the solution Boeing are testing at the moment, but it's outside the normal design of aircraft systems.


Uhm... I don't know... I'm aware this is the case for airspeed indicators and many others, but, for instance, the autopilot is fed with readings of pitot tubes from both sides and it disengages when the sensors disagree beyond sensible thresholds. Besides, such an issue is brought clearly to the knowledge of pilots.

In the MCAS case, however, we are speaking about a computer which not only interferes in the flight controls, but also does that in a way impossible to override and it's too difficult for the pilots to spot the root cause.


To be clear, I think MCAS was a massive engineering failure for Boeing; I'm just pointing out why I think they didn't automatically say "hey, we've got two sensors, let's compare the readings before we act on it".

However, for the autopilot example, I don't think you are quite right. Typically there are multiple autopilots (2 or 3 is quite common), and each is driven by a different set of flight data. In some scenarios multiple autopilots are engaged at the same time, for example during CATIII auto-landings, but as far as I'm aware that is the exception rather than the rule.

It's true that the autopilot may disconnect if there is a warning like 'IAS Disagree', but I suspect this is driven by a separate monitoring process, rather than being an integral part of the system.


The article also states that 2 sensors is not enough as then you have two sensors that can disagree with no way to figure out the correct one.


Yes, but at least you know the reading is faulty and avoid applying dangerous commands. Now I don't know if the stall it is meant to avoid is a greater risk than MCAS pushing the plane in the wrong direction.


Stalls can be extremely difficult to recover from as it means the wings have lost lift, and therefore the control surfaces (which you need to regain stability) suffer reduced or even a complete loss of effect - a so-called 'deep stall'. As bad as MCAS is, it could theoretically (in practice, couldn't) be switched off in this scenario and the plane would be flyable. In the imagined scenario where the plane pitched up and began to stall, Boeing's logic is that without MCAS, the plane would be essentially doomed. Air France 447 crashed due to a (pilot-induced) deep stall; it was otherwise stable at cruising altitude.

The root cause is without doubt relying on a single sensor, and then downplaying the importance of the system so that nobody opted for the additional expense of the extra sensor. Boeing also have to answer for their lack of transparency; their flight control logic has always left the pilot fully in control of the plane, and can override any automatic system. This sets them apart from Airbus, which under almost all circumstances will defer to the computer.

In ways, the 737 MAX crashes are the antithesis of the 447 crash - the pilots thought they were in full command of the plane, whereas an automatic system designed to protect them malfunctioned, versus the pilots in the Air France plane believed the computer would protect them from exceeding the plane's capabilities, whereas the plane's computers could not get reliable data and passed full control to the pilots.


The analysis is not as simple as asking whether a stall is more or less dangerous than an MCAS failure. Firstly, MCAS does not prevent a stall; it is intended to make it harder to accidentally stall (and no sane pilot would deliberately stall an airliner in normal operations), in order to compensate for the design change that made it easier to do so. When considering alternatives such as whether to disable MCAS on a sensor discrepancy, one should ask both how likely each possible scenario in each alternative is, and how much risk it adds.

Where the risk analysis seems to have gone most wrong is that Boeing apparently grossly underestimated the difficulty of both figuring out what actions were needed to respond to the symptoms of MCAS failure, and to perform them. I don't know whether it was a significant factor in the former, but when the AofA sensor failed, it caused the stick shaker, as well as MCAS, to kick in.

The other mistake in analysis seems to be that when the power of MCAS was increased after initial flight testing, the additional risk it created was not properly taken into account. In particular, the ability of MCAS to drive the trim all the way forward appears to have been an unintended and overlooked side-effect of one design change.
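The redundancy argument running through this thread (one sensor: a fault is invisible to the consumer; two: disagreement can be detected but not resolved, so the safe action is to inhibit; three: a majority can be voted) as an added Python illustration. This is not Boeing's logic or any real avionics code; the disagreement threshold, trigger angle and the stuck-vane scenario are invented placeholders.

```python
# Added illustration of the 1-vs-2-vs-3 sensor argument from the thread above.
# Not Boeing's or any real avionics logic; thresholds below are invented placeholders.
from enum import Enum
from statistics import median
from typing import List, Optional, Tuple

DISAGREE_DEG = 5.0   # assumed: readings farther apart than this are "in disagreement"
TRIGGER_DEG = 15.0   # assumed: angle above which the automatic nose-down trim would act


class Decision(Enum):
    USE = "use"          # a value the consumer may act on
    INHIBIT = "inhibit"  # fault detected but not located: fail passive, do not act


def select_aoa(readings: List[float]) -> Tuple[Decision, Optional[float]]:
    """Pick a trusted AoA value from one or more channels, or refuse to."""
    n = len(readings)
    if n == 1:
        # Single channel: nothing to compare against, so a stuck or biased
        # vane flows straight through to the consumer.
        return Decision.USE, readings[0]
    if n == 2:
        a, b = readings
        if abs(a - b) <= DISAGREE_DEG:
            return Decision.USE, (a + b) / 2
        # Comparator case from the thread: we know one is wrong but not which.
        return Decision.INHIBIT, None
    # Three or more: take the largest cluster of mutually agreeing channels;
    # it must be a strict majority, otherwise there is no basis to pick a side.
    best: List[float] = []
    for r in readings:
        cluster = [s for s in readings if abs(s - r) <= DISAGREE_DEG]
        if len(cluster) > len(best):
            best = cluster
    if 2 * len(best) > n:
        return Decision.USE, median(best)
    return Decision.INHIBIT, None


def nose_down_commanded(readings: List[float]) -> bool:
    """Would the automatic trim act on these channels? Only on a trusted value."""
    decision, aoa = select_aoa(readings)
    return decision is Decision.USE and aoa > TRIGGER_DEG


if __name__ == "__main__":
    # Constructed scenario: one vane stuck at 25 deg while the true AoA is about 3 deg.
    for channels in ([25.0], [25.0, 3.0], [25.0, 3.0, 3.5]):
        print(channels, "->", nose_down_commanded(channels))
```

With a single stuck channel the command fires; with two channels it is inhibited and the crew only gets a disagreement; with three the stuck channel is outvoted and normal operation continues.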


It doesn't answer the question because it's still speculation.

The full investigation is hopefully going to tell us what has really happened.



