PPRuNe Forums - View Single Post - Ethiopian airliner down in Africa
Old 20th Apr 2019, 21:48
#4156
TryingToLearn
 
Join Date: Mar 2019
Location: Bavaria
Posts: 20
Originally Posted by 737 Driver
The difference this time was the system response was more than an annoyance - it was, sadly in hindsight, an existential threat.
In case of an important 'warning' function, you may want something fail-operational; your safe state is 'warn'. So you place an 'OR' logic within your redundancy.
In case of a (maybe dangerous) reaction and a fail-safe ('better do nothing') system, AND is the only solution.

Next question, where is MCAS?
a) Do you need fail-operational performance? Is this 'feel' in case of being close to stall very important? ->OR
b) Do you need to be fail-safe? Is a wrong activation critical? -> AND
c) Both? -> 3 sensors, 2oo3 reaction, 3oo3 maintenance message
d) nice feature, doesn't do any harm? -> single sensor
There's no rocket science behind such systems.

But even if this system were to rely on a single sensor, range checks are also a valid method.
Close to stall at 75°AoA? Oh, we may need to adjust the feel a bit?!?
Even a 'no-brain' range plausibilization within the single sensor would have rescued one of the 2 planes (fun fact: such a range check is considered a 'low-coverage' method in automotive, estimated to catch 60% of all errors (ISO26262 part 5 annex D, sensors...)).
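The voting patterns the post lists (OR for a fail-operational warning, AND for a fail-safe reaction, 2oo3 reaction with 3oo3 maintenance message) and the single-sensor range check can be written down as a small decision function. The following is an added example written for this page, not code from the poster or from any aircraft system; the plausible AoA window, the activation threshold and the sensor readings are constructed values for illustration only.

```python
"""Sensor-voting patterns (OR / AND / 2oo3) with a range plausibility check.

Added example: all thresholds and readings below are constructed for
illustration and are not figures from any aircraft or standard.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed limits (assumption for this example, not real aircraft data):
AOA_PLAUSIBLE_DEG = (-20.0, 40.0)  # outside this window a reading is physically implausible
ACTIVATION_DEG = 15.0              # above this a single sensor "votes" for activation


@dataclass
class Outcome:
    react: bool                     # the function acts (or warns, for mode "or")
    maintenance: bool               # a maintenance message should be raised
    valid: List[Optional[float]]    # readings after the range check, None = rejected


def range_check(aoa: Optional[float]) -> Optional[float]:
    """Low-coverage plausibility check: reject readings outside the physical window."""
    if aoa is None:
        return None
    lo, hi = AOA_PLAUSIBLE_DEG
    return aoa if lo <= aoa <= hi else None


def decide(readings: List[Optional[float]], mode: str) -> Outcome:
    """Combine sensor readings according to the chosen redundancy logic.

    mode = "or"   : fail-operational, safe state is 'warn' -> any sensor suffices
    mode = "and"  : fail-safe, safe state is 'do nothing' -> all sensors must agree
    mode = "2oo3" : both, three sensors -> two must agree to react
    In every mode, 3oo3-style disagreement or a failed range check raises maintenance.
    """
    if not readings:
        raise ValueError("at least one sensor reading is required")
    valid = [range_check(r) for r in readings]
    # A rejected (None) reading never votes for activation: for a reaction that is
    # the fail-safe direction, for a warning it leaves the decision to the others.
    votes = [v is not None and v > ACTIVATION_DEG for v in valid]

    if mode == "or":
        react = any(votes)
    elif mode == "and":
        react = all(votes)
    elif mode == "2oo3":
        if len(votes) != 3:
            raise ValueError("2oo3 voting needs exactly three sensors")
        react = sum(votes) >= 2
    else:
        raise ValueError(f"unknown mode {mode!r}")

    # Maintenance message: any sensor failed its range check, or the sensors
    # are not unanimous (the 3oo3 condition for a clean system).
    maintenance = any(v is None for v in valid) or len(set(votes)) > 1
    return Outcome(react=react, maintenance=maintenance, valid=valid)


if __name__ == "__main__":
    # The post's single-sensor case: 75 deg AoA fails the range check, so the
    # function does nothing and asks for maintenance instead of reacting.
    print(decide([75.0], "or"))
    # Three sensors, one implausible: 2oo3 still reacts, 3oo3 flags maintenance.
    print(decide([20.0, 21.0, 75.0], "2oo3"))
```

With a single sensor and no range check, `decide([75.0], "or")` would have reacted; the range check turns the implausible reading into a maintenance message, which is exactly the "no-brain" plausibilization the post describes. The disagreement rule is deliberately strict: for a dangerous reaction a maintenance message on every split vote is cheap compared with acting on bad data.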