
Even if the pilots are partly to blame it indicates a bad design philosophy. The hierarchy of mitigation in safety critical systems is

1. Engineer the hazard out so it no longer becomes possible

2. Use other systems to detect and safe the system (ideally, if it's a software hazard, use non-software mitigation)

3. Procedural or administrative mitigation

#3 is by far the least desirable, meaning you only use it as a primary mitigation if the other two are infeasible. If Boeing uses this defense I would want to know why they were not willing to implement the other, better methods, because it would seemingly point to managerial or technical deficiencies.




The risk wasn't identified in the first place. Remember that the updated MCAS was itself a mitigation.


The risk of MCAS was identified in the system safety analysis (SSA), but they didn't appear to do a thorough job (in hindsight, at least). The biggest mistake to me seems to be the erroneous severity attribute:

> Assessed a failure of the system as one level below “catastrophic.” But even that “hazardous” danger level should have precluded activation of the system based on input from a single sensor — and yet that’s how it was designed.[0]

[0] https://www.seattletimes.com/business/boeing-aerospace/faile...
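As an added illustration of the two comments above (the "detect and safe the system" level of the mitigation hierarchy, and the point that a hazardous-severity function should not act on one sensor), here is a small Python model of an automated trim function that is gated on two redundant angle-of-attack readings. It is example code written for this page, not any vendor's flight-control software and not code from the thread; the sensor names, the disagreement and activation thresholds, the per-event command cap and the trim command magnitude are all constructed assumptions.

```python
"""Gating an automated control action on redundant sensor agreement.

Illustrative only: the thresholds, sensor names and command values below are
assumptions made for this example, not values from any real system.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed thresholds (constructed for the example)
DISAGREE_DEG = 5.5            # max allowed spread between the two AoA readings
ACTIVATE_DEG = 12.0           # AoA above which the automation would command nose-down trim
MAX_TRIM_CMDS_PER_EVENT = 1   # cap on repeated automatic commands per activation event
TRIM_CMD_DEG = 2.5            # size of one automatic trim command (assumed)


@dataclass
class Reading:
    aoa_left: Optional[float]    # degrees; None means the sensor flagged itself invalid
    aoa_right: Optional[float]


@dataclass
class Decision:
    trim_cmd: float   # degrees of nose-down trim commanded (0.0 = no command)
    inhibited: bool   # True when the automation has disabled itself
    reason: str


def validate(r: Reading) -> Tuple[Optional[float], str]:
    """Return (consensus AoA, reason). One valid sensor alone is never enough:
    both must be present and must agree within DISAGREE_DEG."""
    if r.aoa_left is None or r.aoa_right is None:
        return None, "sensor invalid"
    if abs(r.aoa_left - r.aoa_right) > DISAGREE_DEG:
        return None, "AoA disagree"
    return (r.aoa_left + r.aoa_right) / 2.0, "ok"


class TrimAutomation:
    """Automated trim that inhibits itself (level-2 mitigation) on any sensor
    disagreement and stays off until the crew explicitly resets it."""

    def __init__(self) -> None:
        self.latched_off = False     # once inhibited, stays off until crew reset
        self.active = False          # currently inside a high-AoA event
        self.cmds_this_event = 0

    def step(self, r: Reading) -> Decision:
        if self.latched_off:
            return Decision(0.0, True, "latched off")
        aoa, reason = validate(r)
        if aoa is None:
            # Detect-and-safe: a single bad or disagreeing sensor disables the
            # automation rather than letting it act on one input.
            self.latched_off = True
            self.active = False
            return Decision(0.0, True, reason)
        if aoa > ACTIVATE_DEG:
            if not self.active:
                self.active = True
                self.cmds_this_event = 0
            if self.cmds_this_event >= MAX_TRIM_CMDS_PER_EVENT:
                # Bound the authority of the automation per event.
                return Decision(0.0, False, "command limit reached")
            self.cmds_this_event += 1
            return Decision(TRIM_CMD_DEG, False, "high AoA")
        self.active = False
        return Decision(0.0, False, "normal")

    def crew_reset(self) -> None:
        """Procedural (level-3) action: only a deliberate crew reset re-arms it."""
        self.latched_off = False


def run(readings: List[Reading]) -> List[Decision]:
    """Feed a constructed sequence of readings through one automation instance."""
    auto = TrimAutomation()
    return [auto.step(r) for r in readings]


if __name__ == "__main__":
    # Constructed scenario: normal flight, then the left sensor sticks high.
    for d in run([Reading(3.0, 3.2), Reading(20.0, 3.1), Reading(3.0, 3.1)]):
        print(d)
```

The key design choice is that a disagreement does not merely skip one cycle; it latches the automation off so that a persistently failed sensor cannot keep re-triggering commands, and re-arming is a deliberate crew action rather than something the software does on its own.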



