Originally Posted by
QuagmireAirlines
True there. Odd & tragic & stupid how just ONE AOA (alpha) sensor can cause nose down pitch trim. One can argue about the Human Factors involved here concerning stress, panic, time to decide what to do, etc., but I tend to come down on the side of "don't over-stress tired human brains", from the Flight Controls Engineer viewpoint I have.
Assuming the crash was caused by the AOA alpha vane ... continuing on:
"Analytical Redundancy" would have prevented this problem, as it would add a third alpha to the dual vane measurement to break the tie between 2 vane sensors. ... Note that alpha = theta - gamma, received through air data & inertial sensors apart from the alpha vanes. That caclulated third alpha makes the system triple redundant, along with using median value selection.
You could even apply a (fourth redundancy!) reasonableness test on the alpha vane's sensor values by writing more software that applies plain old logical common sense: --> Can that high alpha value, seen all of a sudden, and when the airspeed is good, and when g's aren't being pulled, be a valid value of alpha? Remember we have pitch rate sensors, accelerometers, pitot-static tubes, etc. to help the alpha fault detection out. Remember alpha-dot = pitch rate - (accelerometer / speed); we can use all the kinematic laws to do this.
This certainly makes sense, but I'm not sure that two AoA vanes really constitute two sensors. Instead they are a special case as they are only semi-independant, (i.e expected to disagree somewhat when the plane is rolling and yawing). Analysing the difference between the two to try and detect a fault is possible based on other sensors, but adds the possibility of additional complex failures.
Originally Posted by
Hi_Tech
My Post #841
There has to be more protection in the system design for this not to happen. (Single source failure)
In the B777 which I am familiar with, each of the two ADIRUs (Air Data Inertial reference unit) receive both AOA inputs (There are two AOA sensors on most aircraft, same config on B737 also). This is compared with 'Calculated AOA' and a mid value is used. This is the redundancy built in the system on B777. Also each of the AOA sensor has two outputs, feed into two different computational channels. See the redundancy. There are actually 4 signals from two AOA sensors. Also there are two computed AoA values. So in total 6 signals.
The full text from the B777 AMM is as below.
AOA Redundancy Management
The AOA redundancy management logic uses a modified midvalue selection.
The modified mid-value selection chooses the mid-value of these three AOA values:
* Left corrected AOA
* Right corrected AOA
* Calculated AOA.
The AOA redundancy management logic receives inputs from the inertial and air data systems to calculate the calculated AOA.
Thanks for posting, and this 777 system is doing essentially what Quagmire was discussing, using additional sensor data to combine with the two AoA vanes in order to produce a pretty robust AoA. But if the same system is present on the MAX and the mid-value AoA is used for input to MCAS (and stick shaker, stall elevator feel changes), the single AoA sensor failure should not have caused MCAS downtrim in this accident. Some additional failure that also corrupted the computed AoA would be necessary to combine with the bad external sensor AoA data.