Well, the difference is that in all 737's up through the NG, the AOA sensor is for information ONLY, it does not control ANY flight control surface.
It may be used to provide a correction factor to the air data computer. On the 737MAX, however, through MCAS, it DOES control the trimmable horizontal stabilizer, which moves it into a totally DIFFERENT class of sensor. In this case, much greater attention to failure modes SHOULD have been given.
It also controls the stick shaker/stall horn, and several other computed indications like the 'eyebrows', but yes it doesn't touch any flight controls. The addition of such functionality without properly considering the risks of bad AoA data was the problem, not the AoA sensor itself. I think we are in agreement here, I just don't see the AoA sensor component failure itself as anything significant in this story, but you seem to be pushing it as a major part of the issue. The fundamental problem was the failure of the aircraft to appropriately react to that failure.
The AOA sensors on the MAX are NOT redundant! Only one is used at a time, although through the ARINC bus both flight computers can read both sensors.
Yeah, I misspoke here, redundant is incorrect terminology, since it can't recover from failure, only (potentially) detect it. They are (intended to be) fault tolerant, in that bad sensors will be detected, indicated, and data discarded, regardless of the fact that the ADIRU only uses one source of data at any one time. In any case, the point was that the AoA data isn't necessary for safe flight, so they could 'get away with' this methodology - as long as they correctly discard bad data - not that their detection of bad data was sufficient. MCAS is also not required for safe flight, and depends on the AOA data. As much as I think MCAS is a gigantic kludge and this sort of thing should never be acceptable in the design of an aircraft, the logic does make sense.
That's why there was an ($80K) optional AOA disagree light that could be purchased. Most airlines did NOT purchase this option, as then you had to TRAIN for what the light meant. So, the MAX has two flight computers. Only one is actively controlling flight control surfaces at any time. The active computer is switched every takeoff. The output of each computer drives the instruments on one side (captain / first officer), using the sensors (AOA, air data computer, etc.) on that side. So, while there is a "standby" redudant system of sensors, instruments and computers, it is NOT a dual redundant system. Most of the larger and newer commercial aircraft use triple-redundant systems with voting logic, so that any component that fails can be cut out of the control loops. Even the flight surface actuators have three separate actuators in series, so that any failure can simply be overridden by the other two.
but then made this programming an expensive "add on" price option, with no explanation as to what the system does, as far as the information buying clients were given.
AOA DISAGREE was not an optional feature. An AOA (value) indicator was the expensive option. The problem here is that AOA DISAGREE was broken for years due to a software bug/misunderstanding that Boeing instructed Collins not to fix once it was discovered, and neglected to inform its customers or pilots about. The 737MAX was certificated with this indicator available, so for regulatory compliance, it MUST be present, but wasn't due to the unfixed bug.
But, not the 737.
This is because these modern aircraft are fly-by-wire and depend on AoA data for safety of flight. I absolutely agree that 737MAX should never have been certificated without a modern FBW system and cohesive envelope protection. But, again, that has nothing to do with the AoA sensor itself.
As for the "several legs safely" comment, not quite true. (I'm getting the two 737 crashes confused, now.) So, first, every other flight, if the plane is left powered up, it switches which computer and sensors are being used. (If powered off, then it starts with computer #1 again.)
So, half the flights would APPEAR fine, but they had no backup computer/sensor set to fall back on. Then, at least one of the flights had the stick shaker and alarms going off for the ENTIRE flight! This, of course, is totally amazing, imagine the management pressure causing a pilot to complete an entire flight leg with this level of malfunction of the aircraft! That is clear mis-management, of course!
What I'm talking about is that the Lion Air aircraft flew several legs with a faulty AoA sensor. This was detected, logged by the crews, and looked into by maintenance. None of these flights had any safety issue because the failure was a hard one - the resolver failed open as temperature fell, the flight computers detected this and knew the data was bad, so it didn't lead to any safety (or otherwise) issues. Eventually maintenance got around to replacing the sensor with the accident one that had a calibration bias. It was after this replacement that the flight you're mentioning occurred, where the crew experienced the same conditions as the accident flight, and just managed to deal with it better. This just shows that AoA *failure* is not a problem for this aircraft, the problem was that the sensor appeared to be functional as far as the flight computers could tell, but was producing biased indications, which wasn't something the Boeing design handled properly.
Don't get me wrong here. The level of incompetence, malfeasance on Boeing's part, and the extent of regulatory capture of the FAA is staggering, and the people who were documented to have mislead customers and pushed to cover this up absolutely deserve jail time. I just don't want people to think that AoA sensors failing is something we should really care about - because it is going to happen and the systems must be designed to tolerate any sort of failure, including a bias like this.