Which is why IMHO the aviation solution will be adopted the driver will have the ultimate responsibility just like the pilot. Yes the automation may make a mistake, but it will be the drivers fault, just like it is the pilots fault (In SF crash the pilots selected the wrong mode for the automation, and did not monitor close enough).
Not at all true.
Autopilot and autothrottle modes are always announced on the display panels, in case the pilots forget. In that accident, the pilots selected an autopilot mode that resulted in the autothrottle getting turned off
by design. I am sure that was annunciated in case the pilots forgot what was supposed to happen. But they were too busy to look at the displays probably. By the way, displays are always at least dual, in case one fails.
In all the systems I know, when the autopilot is armed for an automatic landing, if it announces "Autoland", then it means every subsystem is a go. That means all sensors critical for autoland are working and in agreement, such as multiple navigation receivers working and in agreement (glide slope and localizer receivers), at least dual radar altimeters, etc... Multiple (2 or 3) computers must also be in agreement, etc...
These are hard requirements! If the system fails, it will abort the Autoland, annunciate it, and the pilots have to land by hand. If a hardware failure occurs prior to the Autoland mode being selected by the pilots, it will not engage the mode and tell them so. It's the FAA rule. The pilots are there in case one of the sensors or navigation receivers fail and the automatic pilot does not have sufficient redundancy for a safe landing.
The reason for the dual and triple sensors is this. Any single thing can fail, but it is nearly impossible for two or three to fail simultaneously,
and putting out exactly the same wrong information. So, by comparing them to verify that they agree, you can be sure that they all work.
Once one sensor of a pair has failed, the remaining one cannot be trusted 100%. Flight modes that are not critical can still use it, but Autoland is a nono. So, really critical sensors are triplex in order to still have a working pair if one of the 3 fails.
PS. In the early days, some of the indicators are just light bulbs. Now, light bulbs can burn out. So, the indicators have two light bulbs in it, and they are lighted by two different paths (a single wire can get cut or breaks for example).
When you push a button, there are actually two switches behind that, in case one fails to make contact. Again, there are separate wires going to each switch. It's serious stuff.
PPS. It appears that pilot's training was inadequate. The airlines are responsible for keeping their pilots up-to-date, and to send them for recertification or to refresh them on how to fly a particular aircraft.