by digikata
2618 days ago
"A continuous measurement device connected to a computer/s will have a vast array of available diagnostics, 'most probably leading to less "dangerous undetected failures" than a simple switch, or combination of." Isn't this exactly the approach that failed in the MCAS system? And if you had a switchable independent system, a copilot would have righted the plane and flown on. But really I agree with your overall comment; it's very difficult to know why a given safety design decision was made unless you are well steeped in the system - there are almost always little corner tradeoffs. That's why I added the "I suspect" to the front of my comment.

However, more instruments mean more potential disagreements, so more complexity of possible outcomes/actions/diagnostics etc.
It becomes a balance for the best outcome, and surprisingly, when you go through all the factors, there is still quite a bit of subjectiveness, and sometimes the numbers for failure rates are so low that the calcs become extremely sensitive.
Additionally, there is always the beta factor, which allows for common cause failures between instruments/systems. Often beta factors are the dominant factor numerically in a performance calculation, but they are a) essentially traceable back to issues with humans (design, installation, maintenance) and b) often vastly underestimated and represented as an average value, whereas the worst cases are rare but very high - one tech installs both instruments incorrectly so they both read wrong but the same.
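Worked example of the point above about the beta factor dominating the calculation and about averaging hiding the rare, very bad installation. This is added illustration, not code from either commenter. It uses the simplified IEC 61508-6 low-demand PFDavg approximations for a 1oo1 and a 1oo2 voted architecture with the repair/MTTR terms dropped (an assumption made to keep the arithmetic visible); the failure rate, proof-test interval and the population of beta values are constructed inputs, not data from any real plant.

```python
"""Simplified low-demand PFDavg estimates for 1oo1 and 1oo2 architectures.

Formulas (IEC 61508-6 style, with diagnostic and MTTR terms dropped, an
assumption of this example):
    1oo1: PFD = lambda_DU * T / 2
    1oo2: PFD = (1 - beta)^2 * lambda_DU^2 * T^2 / 3   (independent term)
              + beta * lambda_DU * T / 2               (common-cause term)
All numbers below are constructed for illustration.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Channel:
    lambda_du: float     # dangerous undetected failure rate, per hour
    proof_test_h: float  # proof-test interval T, in hours


def pfd_1oo1(ch: Channel) -> float:
    """Average probability of failure on demand for a single channel."""
    return ch.lambda_du * ch.proof_test_h / 2.0


def pfd_1oo2_terms(ch: Channel, beta: float) -> tuple[float, float]:
    """Return (independent_term, common_cause_term) for a 1oo2 pair."""
    independent = (1.0 - beta) ** 2 * ch.lambda_du ** 2 * ch.proof_test_h ** 2 / 3.0
    common_cause = beta * ch.lambda_du * ch.proof_test_h / 2.0
    return independent, common_cause


def pfd_1oo2(ch: Channel, beta: float) -> float:
    independent, common_cause = pfd_1oo2_terms(ch, beta)
    return independent + common_cause


def common_cause_share(ch: Channel, beta: float) -> float:
    """Fraction of the 1oo2 PFD that comes from the beta (common-cause) term."""
    independent, common_cause = pfd_1oo2_terms(ch, beta)
    return common_cause / (independent + common_cause)


def population_pfd(ch: Channel, beta_weights: list[tuple[float, float]]) -> dict:
    """Compare three ways of reporting a fleet whose sites have different betas.

    beta_weights: list of (beta, fraction of sites), fractions summing to 1.
    Returns the PFD computed from the weighted-average beta, the true
    population-mean PFD, and the PFD at the worst site.
    """
    avg_beta = sum(b * w for b, w in beta_weights)
    mean_pfd = sum(pfd_1oo2(ch, b) * w for b, w in beta_weights)
    worst_pfd = max(pfd_1oo2(ch, b) for b, _ in beta_weights)
    return {
        "avg_beta": avg_beta,
        "pfd_at_avg_beta": pfd_1oo2(ch, avg_beta),
        "population_mean_pfd": mean_pfd,
        "worst_site_pfd": worst_pfd,
    }


if __name__ == "__main__":
    # Constructed inputs: 1e-6 /h dangerous undetected rate, one-year proof test.
    ch = Channel(lambda_du=1e-6, proof_test_h=8760.0)
    print(f"1oo1 PFD            : {pfd_1oo1(ch):.3e}")
    for beta in (0.02, 0.1):
        print(f"1oo2 PFD (beta={beta}) : {pfd_1oo2(ch, beta):.3e}  "
              f"common-cause share {common_cause_share(ch, beta):.0%}")
    # Constructed fleet: most sites installed well, a few badly (both
    # instruments wired the same wrong way by the same technician).
    fleet = [(0.02, 0.95), (0.50, 0.05)]
    for k, v in population_pfd(ch, fleet).items():
        print(f"{k:22s}: {v:.3e}")
```

With these inputs the 1oo2 pair is about ten times better than a single channel, but over 95% of its residual PFD is the beta term, so the answer is only as good as the guessed beta. The fleet comparison shows the averaging problem: the PFD computed from the average beta and the true population mean agree closely, yet the worst site is roughly ten times worse than either figure, which is exactly the rare-but-severe installation error the average hides.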