by runciblespoon 2577 days ago
“After Boeing removed one of the sensors from an automated flight system on its 737 Max, the jet’s designers and regulators still proceeded as if there would be two.”

No, no, no. This is just more of shifting the blame from Boeing upper management. They couldn't use two Angle of Attack (AOA) sensors as when there was a differing reading there would be no way to know the correct reading, which is why MCAS used a single AOA sensor on the right-hand side.

When 2 sensors disagree the data are considered invalid and the software is supposed to handle the case.

Usually it means showing an alarm, putting the system relying on it on degraded mode and letting the pilot manually select the sensor he thinks is correct.

Reacting to such failures is a big part of an equipment certification process.

This doesn’t seem correct to me, but I can’t put my finger on why. Surely if both agree that’s more certainty than a single sensor reading. Granted a disagreement would be bad, but at least you would have some warning that one of them is wrong, whereas you would have none at all if relying on a single sensor.

It doesn't seem correct to you because they might have been trying to be sarcastic. Using two sensors would admit that they might disagree, and that there might be situations where the MCAS could not work. But there cannot be a situation where the MCAS doesn't work if the MAX shall have the same type rating as previous 737s, so the sensors cannot disagree, and so it would be useless and wasteful to use two sensors. Issuing that disagreement warning would completely undermine the very reason for the existence of the MCAS.

You wouldn’t be able to know which one was wrong but you’d be able to know and annunciate an AOA MISCOMPARE (which was an option on the Max) and then disable MCAS.

Which was not an option to upper management because that would cause training for the event of disengagement and a new type rating.

Why only two AoA sensors, then? Why not a hundred?

There are standards for how many independent inputs are needed based on the criticality of the system. It's not just a guess as to how many are sufficient. That's why categorizing MCAS correctly ('catastrophic' vs. 'hazardous') is important.

No. If you have a hundred AoA sensors, then you know to trust that whatever 90% of them are reporting is the truth. You also know exactly which of the remaining 10% need to be repaired or replaced upon landing.

I'm not sure what you're saying a hard "no" to; that's a strange response to my point. Your response is a little naive in terms of the way sensors work. You won't necessarily know which are reporting "truth" because in reality there will be a range of values reported because each sensor has a bound of uncertainty. It comes down to understanding what level of uncertainty and reliability are necessary for the application.

In designing airframes, there's actually guidance along these lines to remove the ambiguity of how many sensors are necessary. You can use calculations to define what level of reliability is sufficient. As an example to this point, there are standards like IEC 61508 that outline the procedure for doing such calculations. Many organizations also create their own standards (e.g., five redundant sensors for mission critical systems, self-diagnostic sensors for safety critical systems, etc.). It shouldn't be guesswork. It's a risk-based decision, not a subjective guess as to whether two or "a hundred" sensors are necessary.
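The miscompare handling described earlier in the thread (two sensors disagree, data declared invalid, system goes to degraded mode) and the uncertainty-band voting discussed in this comment can be put side by side in one small voter. This is an added illustration, not code from any commenter or from any avionics supplier; the `vote` function, its `tolerance` and `quorum` parameters, and the sample readings are all assumptions chosen for the example. A `None` reading stands in for a self-diagnosing sensor that has flagged its own fault.

```python
from dataclasses import dataclass
from statistics import median
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class VoteResult:
    value: Optional[float]      # consolidated reading, None when there is no quorum
    status: str                 # "valid", "degraded" or "invalid"
    suspect: Tuple[int, ...]    # sensors outside the agreeing cluster (flag for maintenance)
    failed: Tuple[int, ...]     # sensors that reported no data (self-diagnosed fault)


def vote(readings: Sequence[Optional[float]], tolerance: float, quorum: int) -> VoteResult:
    """Tolerance-based majority voter for redundant sensors (hypothetical example).

    A reading is trusted only if at least `quorum` sensors (itself included) agree
    with it to within `tolerance`, which models each sensor's uncertainty bound.
    The largest agreeing cluster wins; everything outside it is reported as suspect.
    """
    healthy = {i: r for i, r in enumerate(readings) if r is not None}
    failed = tuple(i for i, r in enumerate(readings) if r is None)

    best: Tuple[int, ...] = ()
    for i, ri in healthy.items():
        cluster = tuple(j for j, rj in healthy.items() if abs(rj - ri) <= tolerance)
        if len(cluster) > len(best):
            best = cluster

    if len(best) < quorum:
        # No majority: the data are invalid. With exactly two sensors this is the
        # "miscompare" case, where you know one is wrong but not which one.
        return VoteResult(None, "invalid", tuple(healthy), failed)

    suspect = tuple(i for i in healthy if i not in best)
    status = "valid" if not suspect and not failed else "degraded"
    return VoteResult(median(healthy[j] for j in best), status, suspect, failed)
```

Note that with a single sensor and a quorum of one, any value, including a stuck or absurd one, is returned as "valid": the voter has nothing to compare against, which is the thread's point about relying on one AOA input.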