Did I understand this right, that safety-critical software relies on two sensors?
Speaking of redundancy:
"On September 22, 1981, Eastern Airlines Flight 935 departed Newark, New Jersey, and suffered an uncontained failure of its number two (tail) engine at 14,500 feet (4,400 m), while en route to San Juan, Puerto Rico. The fragments from that engine damaged three of its four hydraulic systems resulting in fluid loss in them. The rudder pedals also jammed. The fragments struck but did not puncture the lines for the other hydraulic system; the captain was able to safely land the aircraft ..." https://en.wikipedia.org/wiki/Lockheed_ ... _incidents
I found Fukushima hard to believe. Each Indian shopkeeper knows one can't keep an emergency generator in the rain. How can one keep emergency generators for a nuclear power plant in a tsunami area on the ground floor?
In 2008 in Germany an axle of a high-speed ICE 3 train broke. After that they reduced the time between checks from 300.000 km to 60.000 km.
Shortly afterwards a similar axle in a train designed to bend in curves to allow for higher speeds had a 2 mm deep crack, which led to further reduced intervals. The railways were fast in buying new ultrasounds.
Of course the railway blamed Siemens and Siemens was not keen to quarrel with the railway management, which are politicians.
So Siemens agreed to design new axles.
How urgent that was can be seen from the fact that finally only 50, not all trains, got new axles and that also till 2017.
Which means around nine years after the axle broke. Cars have rubber tyres which dampen vibrations.
Evidence suggests to me that checking the axles of trains (especially high-speed ones) every 300.000 km is not good enough.
(Similarly, you should check your tyre pressure more often than every 300.000 km.)
Maybe for safety-critical products/services companies need to employ people in a position of authority who got testified from their former school that they have a defiant personality disorder.
Or during search for engineering employees:
"At equal suitability people with defiant personality disorder will be given preference."
Additionally one could post Proverbs 9,8 in each manager's office:
"Do not rebuke mockers or they will hate you; rebuke the wise and they will love you."
Or maybe Proverbs 13,18:
"Poverty and shame shall be to him that refuseth instruction: but he that regardeth reproof shall be honoured."
Though the last sentence may not be true. Bonuses for managers probably continue.