[airbreather]

And on the surface this looks like a reasonable comment, but it is exactly why there is a whole branch of engineering dedicated to understanding how to build safer systems. Counter-intuitive results abound.

So many issues - a simple switch usually has poor diagnostics, at least in one mode of failure, so you dont know it has failed until it is too late. A continuous measurement device connected to a computer/s will have a vast array of available diagnostics, 'most probably leading to less "dangerous undetected failures" than a simple switch, or combination of.

And "independent systems", sounds easy, but in practice full independence is almost impossible to achieve, and messy unpredictable humans dominate the common cause failures that overlap these systems.

There is more, much more, but this is why it is hard to right readable articles about these things, so much devil is in the detail that is hard to explain in bite sized portions.

[digikata]

"A continuous measurement device connected to a computer/s will have a vast array of available diagnostics, 'most probably leading to less "dangerous undetected failures" than a simple switch, or combination of."

Isn't this exactly the approach that failed in the MCAS system? And if you had a switchable independent system, a copilot would have righted the plane and flown on.

But really I agree with your overall comment, it's very difficult to know why a given safety design decision was made unless you are well steeped in the system - there are almost always little corner tradeoffs. That's why I added the "I suspect" to the front of my comment.

[airbreather]

This the approach that IEC61508 leads you down by the numbers, but it is also always better to cover off the unknowns with redundancy(multiple sensors) and diversity (different kinds of sensors) wherever practical.

However, more instruments mean more potential disagreements, so more complexity of possible outcomes/actions/diagnostics etc.

It becomes a balance for the best outcome and surprisingly when you go through all the factors there is still quite a bit of subjectiveness and sometimes the numbers for failure rates are so low that the calcs become extremely sensitive.

Additionally, there is always beta factor, which allows for common cause failures between instruments/systems. Often beta factors are the dominant factor numerically in a performance calculation, but are a) essentially traceable back to issues with humans (design, installation, maintenance) b) often vastly underestimated and represented as an average value, where in the worst cases are rare but very high - one tech installs both instruments incorrectly so they both read wrong but same