It's a Boeing design error and the S/W patch allowing "the option" of using two sensors stinks of cover-up. AOA DISAGREE alert indicator is also an "option"?!
Using two sensors is still shitty because you have now doubled the probability of MCAS failure due to a sensor failure.
Multiple sensors iced up for the AF447 disaster. Would MCAS register a discrepancy with two sensors reading similar yet both are out to lunch?
I'll repeat the old adage "with two clocks you can never know the correct time". This MCAS system is never going to be stellar, even adding a third (sensor) opinion because the other pair can malfunction. It's just getting a slightly lower probability of failure, this is all Boeing can accomplish. Unless there was a gross S/W bug that is being fixed too.
In other industries with safety-critical design, you do fault-tree analysis and FMEDA to ensure you have coverage of a sensor problem, among other scenarios.
Clearly, Boeing bungled this and is showing a repeat bungle with their hasty "software fix" that cannot meet basic functional safety requirements even after piling on the algorithm smartness.
I've seen this before - a bad design safety-critical system is out there, sold in numbers and a corporation has a massive panic to fix it ASAP without changing any hardware.
Adding complex S/W algorithms (which can never be proven correct) is very dangerous.
Then I read this:"MCAS is implemented within the two Flight Control Computers (FCCs). The Left FCC uses the Left AOA sensor for MCAS and the Right FCC uses the Right AOA sensor for MCAS. Only one FCC operates at a time to provide MCAS commands. With electrical power to the FCCs maintained, the unit that provides MCAS changes between flights. In this manner,
the AOA sensor that is used for MCAS changes with each flight."
How do you come up with something so stupid?