PPRuNe Forums - View Single Post - 737MAX Stab Trim architecture
Old 23rd March 2019 | 10:03
  #137 (permalink)  
Mr Optimistic
Joined: Jun 2009
Posts: 1,344
Likes: 80
From: Bedford, UK
Pax. It's been a while since I had anything to do with fault trees, but presumably part of the technical evidence underpinning the design solution to MCAS would have started by the need to show that a failure outcome for the system was less than some low, and acceptable, probability threshold. This logic would have a starting event which represented the need for the system to intervene, the aircraft being in the dynamic state that challenged its stability for which help was needed. That logic sequence must have given the right numbers even when subevents like AOA sensor failure were included.
However, the next page of the analysis, and a new fault tree, would be considered, this to cover eventualities of the system intervening when it shouldn't. AOA faults would be one initiating event and would be ascribed a probability of occurrence. To my layman mind, this would be more probable than the starting event in the first tree, i.e. AOA failure is more likely than the aircraft finding itself in a bad dynamic state.
What I can't understand is if this were true then the rest of the fault tree after AOA failure must also get to an acceptably low probability despite the fact that it is the more likely event chain to start with. Subsequent mitigations, such as the intervention of a trained crew, would have to have a correspondingly low failure rate to make up the numbers.
Can't see the numbers for that working out.
Would love to see the workings out but don't suppose we ever shall.