Originally Posted by GlobalNav

The use of a single AoA sensor at a time, for a function that can do what it did in these two crash scenarios is the problem. The failure event that caused the loss of two airliners, so far, must be classified as Catastrophic, in the terms of 25.1309, and made to be Extremely Improbable (mathematically on the order of 10E-09). It was clearly not Extremely Improbable as certified. So the classification either needs to be upgraded or the system safety analysis called into question, maybe both.

Design strategies to meet this safety requirement may include redundancy (more than one AoA sensor), detection of sensor failure with corresponding steps to disable its input to the MCAS and others. Common causes that could lead to simultaneous failure of multiple AoA sensors must be avoided. As a previous poster noted, current AoA sensors can fail on the order of once every 100,000 hours, though I'm not sure that covers every failure mode. If the MCAS functionality must be assured for certification, then significant redesign of the system hardware architecture is necessary, not merely changing a few lines of code.

Furthermore, I don't know what the hazard classification was approved for MCAS, but it should be Catastrophic, which means that software associated with its function should be at Design Assurance Level A. Not sure what the software DAL is, but to modify Level A software and get the modification approved is not trivial (time-consuming and expensive).