>Like, why does such a critical system like MCAS take only a single AoA sensor as input
The classic approach is to have three sensors, so in case one fails you can know which one. Having two only indicates something is wrong but is not useful on the fly.
Of course, even with triple-redundant systems failures can still occur.
Air France 447 [1]: three independent air data systems, two of them failed due to environmental conditions
XL Airways 888T [2]: three independent AOA sensors, two failed because the plane was washed without the right covers in place
US Airways 1549 [3]: two independent engines, both disabled by bird strike at the same time (no fatalities)
Qantas Flight 72 [4]: three independent inertial reference units, bug in voting system if a single sensor's output had multiple spikes 1.2 seconds apart (no fatalities)
And in the data centre, no amount of power-supply redundancy will save you if a technician pulls out the power cables on the wrong server :)
Three with a disagree algorithm is definitely what I’d expect out of such a critical system, but two with signal averaging would still be much better than just one.
Or alternatively with two, and disabling MCAS if they disagree, seems a better solution than having one and having no way to tell if it is working (keeping in mind both can still fail simultaneously). Not an ideal solution but better.
Unless I am misunderstanding what signal averaging is (quite possible) isn't it possible that in situations where the average of a signal is still going to crash the plane, a 50/50 guess is actually more likely to end up with a better chance?
If true, it's possible signal averaging isn't necessarily the best choice
In 2008, on a customer-acceptance flight of an Airbus A320, two of the angle-of-attack sensors froze and those two sensors then outvoted the third. When the pilots went to demonstrate the stall-prevention system, they were not aware of the malfunctioning sensors. The plane crashed, killing the seven people on board.
The same problem arose again on a 2014 Airbus A321 Lufthansa flight leaving Spain. Eight minutes after takeoff, two of the angle-of-attack sensors froze at the same pitch. This time, after a drop in altitude, the pilots were able to regain control and complete the flight. [1]
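Added example (not from the original thread, nor from any aircraft manufacturer's code): a three-sensor median voter with a disagree list, the two-sensor "disable if they disagree" policy discussed above, and a crude stuck-value check that reproduces the Airbus failure mode just described, where two frozen sensors that agree with each other outvote the one healthy sensor. The tolerance, the freeze window and the sample sequence are assumptions.

```python
from statistics import median

# Constructed example: median voting for three AoA sensors, a disagree-and-disable
# policy for two, and a freeze detector showing why plain voting is not enough.

TOL_DEG = 1.0   # assumed agreement tolerance, in degrees of AoA
STUCK_N = 3     # assumed: this many identical samples in a row counts as "frozen"

def vote_three(readings, tol=TOL_DEG):
    """Median voting: returns (selected value, indices of sensors that dissent)."""
    m = median(readings)
    dissent = [i for i, r in enumerate(readings) if abs(r - m) > tol]
    return m, dissent

def two_sensor(a, b, tol=TOL_DEG):
    """Two sensors: average when they agree, None (disable MCAS) when they disagree."""
    return None if abs(a - b) > tol else (a + b) / 2.0

def stuck_sensors(history, n=STUCK_N):
    """Indices of sensors whose last n samples are identical while at least one
    other sensor moved. All-constant readings (steady flight) are not flagged."""
    if len(history) < n:
        return []
    tail = history[-n:]
    frozen = {i for i in range(3) if len({s[i] for s in tail}) == 1}
    moving = {i for i in range(3) if len({s[i] for s in tail}) > 1}
    return sorted(frozen) if moving else []

def vote_with_freeze_check(history, tol=TOL_DEG, n=STUCK_N):
    """Drop frozen sensors before voting. Returns (value or None, dropped indices):
    three live -> median vote, two live -> disagree-and-disable, one live -> that
    value (degraded), none live -> None."""
    latest = history[-1]
    bad = stuck_sensors(history, n)
    live = [r for i, r in enumerate(latest) if i not in bad]
    if len(live) == 3:
        return vote_three(live, tol)[0], bad
    if len(live) == 2:
        return two_sensor(live[0], live[1], tol), bad
    return (live[0] if live else None), bad

# Constructed sequence: true AoA climbs while sensors 0 and 1 stay frozen at 2.0
FROZEN_CASE = [(2.0, 2.0, 4.5), (2.0, 2.0, 7.0), (2.0, 2.0, 9.5)]

def demo():
    naive = vote_three(FROZEN_CASE[-1])            # (2.0, [2]): healthy sensor outvoted
    guarded = vote_with_freeze_check(FROZEN_CASE)  # (9.5, [0, 1]): frozen pair dropped
    return naive, guarded
```

The naive voter flags the only working sensor as the dissenter, which is exactly the outcome the frozen-sensor incidents describe; a freeze check is one of the extra plausibility tests a voter needs on top of majority agreement.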
I don't think the fundamental problem with MCAS was the number of sensors, but that it was too difficult for the pilots to override MCAS when it faulted.
Boeing has been using only two for quite a time. Having a failed and a working one would simply indicate that something is wrong, but this information is valuable anyway -- it could be used to prevent MCAS from engaging based on wrong data, exactly one of the features the new software update is bringing.
Besides, those AoA sensors are EXTREMELY reliable. So reliable that some have raised the hypothesis that the real problem is not in the sensors themselves, but in some piece of hardware or software between them and the flight computers.
It seems plausible to me since failures in those sensors are too rare in the other planes but, despite that, they allegedly failed in two 737 Max 8s and in a really short timespan.