[m_mueller]

I assume that AoA sensor disagree would have been warned about still on the ground. Even if both fail, a new take off checklist will probably include comparing AoA information with analog instruments. If one sensor failure is 10E-5, two simultaneous should be 10E-10, multiplied with assumption of competence (say 99/100 will now know how to deal with it), which gives 10E-11 - 10E-12. I.e. I wouldn't worry about MCAS anymore after every plane has been updated.

What I would worry about is departure stalls, as MCAS doesn't seem to solve these. I wonder whether there isn't another 10E-5 to 10E-6 risk in there and people have just been lucky so far. Another MAX8 crash involving a stall would kill this plane I think, as it would prove much more that it's inherently unsafe.

[dvdkhlng]

> If one sensor failure is 10E-5, two simultaneous should be 10E-10.

That only holds if errors are statistically independent. See also Common Mode Failure [1].

[1] https://en.wikipedia.org/wiki/Common_cause_and_special_cause...

[pmyteh]

From the FDR data in the report, it seems that the AoA sensor disagreements on this flight didn't start until after takeoff. I don't know if this is the normal failure mode.

[SmellyGeekBoy]

Indeed. The speculation is that it was caused by a bird strike during takeoff.