Originally Posted by ST Dog
But the hazard analysis said it was a major hazard, not catastrophic, and a single input is acceptable for a major hazard.
The analysis was wrong/incomplete, as the NTSB noted. But that's what the team was working from when they modified MCAS.
The root cause in a nutshell. The failure mode has been demonstrated, fatally, to be catastrophic. A single, even a double, sensor input would not be a satisfactory architecture to prevent it, and safety standards require that the associated enabling software have the corresponding design assurance level "A". A very expensive fix, and more delay, if implemented.
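The architectural point above (one input can be wrong without anything noticing; two inputs can detect disagreement but not settle it; it takes three to vote a bad source out and keep the function alive) is easy to see in code. The block below is an added illustration, not from this thread and not the aircraft's actual MCAS logic; the angle-of-attack readings, the 10-degree activation threshold and the 5-degree agreement tolerance are all constructed assumptions for the example.

```python
"""Sensor-input architectures compared against one erroneous AoA source.

Added example. The readings, the HIGH_AOA_DEG threshold and the
AGREE_TOL_DEG tolerance are assumptions for illustration, not values
from the aircraft or the thread.
"""
from dataclasses import dataclass
from statistics import median
from typing import Optional, Sequence, Tuple

HIGH_AOA_DEG = 10.0    # assumed activation threshold (illustrative)
AGREE_TOL_DEG = 5.0    # assumed source-agreement tolerance (illustrative)

# Constructed inputs: aircraft really at ~3 deg, vane 0 stuck reading 25 deg.
FAULTY_STUCK = (25.0, 3.0, 3.2)
# Constructed inputs: a genuine high-AoA condition, all vanes agree.
GENUINE_HIGH = (12.0, 11.5, 12.3)


@dataclass(frozen=True)
class Estimate:
    aoa_deg: Optional[float]        # None means "no valid estimate; inhibit"
    faulted: Tuple[int, ...]        # indices of sources judged erroneous
    reason: str


def single_sensor(readings: Sequence[float]) -> Estimate:
    """One input: its value is trusted unconditionally; no fault is detectable."""
    return Estimate(readings[0], (), "single source trusted as-is")


def dual_sensor(readings: Sequence[float]) -> Estimate:
    """Two inputs: a disagreement is detectable but cannot be arbitrated,
    so the only safe response is to withhold an estimate (inhibit)."""
    a, b = readings[0], readings[1]
    if abs(a - b) > AGREE_TOL_DEG:
        return Estimate(None, (0, 1), "sources disagree; cannot tell which is wrong")
    return Estimate((a + b) / 2.0, (), "sources agree")


def triple_sensor(readings: Sequence[float]) -> Estimate:
    """Three inputs with mid-value selection: one erroneous source is
    masked and identified; the function continues on the survivors."""
    trio = tuple(readings[:3])
    mid = median(trio)
    faulted = tuple(i for i, r in enumerate(trio) if abs(r - mid) > AGREE_TOL_DEG)
    if len(faulted) > 1:
        return Estimate(None, faulted, "more than one source out of tolerance; inhibit")
    return Estimate(mid, faulted, "mid-value selected")


def function_would_activate(est: Estimate) -> bool:
    """Activate only on a valid estimate above the (assumed) threshold."""
    return est.aoa_deg is not None and est.aoa_deg > HIGH_AOA_DEG


if __name__ == "__main__":
    for label, inputs in (("stuck vane", FAULTY_STUCK), ("genuine high AoA", GENUINE_HIGH)):
        print(f"--- {label}: readings={inputs}")
        for arch in (single_sensor, dual_sensor, triple_sensor):
            est = arch(inputs)
            print(f"{arch.__name__:14} activate={function_would_activate(est)!s:5} "
                  f"aoa={est.aoa_deg} faulted={est.faulted} ({est.reason})")
```

With the stuck-vane input the single-source design activates on a reading that is simply wrong, the dual-source design can only refuse to act, and the triple-source design both rejects source 0 and keeps a usable estimate; with the genuine high-AoA input all three activate. That difference, between detecting a bad input and surviving it, is what the design assurance level argument above turns on.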