PPRuNe Forums - View Single Post - Boeing 737 Max Software Fixes Due to Lion Air Crash Delayed
Old 23rd Mar 2019, 09:05
#344
FCeng84
 
Join Date: Feb 2009
Location: Seattle
Posts: 379
Originally Posted by fotoguzzi
(Not a pilot) THY1951 had a faulty radio altimeter antenna that gave a valid but incorrect value. That single input caused the autothrottle logic to throttle down the engines. Were there any subsequent changes in logic, or did Boeing just reiterate that crew should monitor airspeed?

Now, one duff sensor apparently affects all manner of instruments and systems, and it sounds as if Boeing hope that an indicator light and a conflict warning will be the fix, and an existing trim procedure will work in this new case if the worst happens.

I imagine similar examples exist for weight-on-wheels sensors, the reverse-thrust system, and many more that I cannot conceive.

If I am being fair in the above, will the aviation world allow Boeing to continue this apparent philosophy of simple inputs, simple logic, and an aeroplane arguably simple to fly in manual mode when some part of the above fails? Will they be forced to make a more "foolproof" 'plane?
Airplane system design is driven by a very rigorous process of aligning functional availability and integrity with the associated failure hazards effects. Key questions that receive careful attention are:

1. What are the failure modes of a system?

2. What is the complete set of consequences of each failure mode?

3. What is the hazard level associated with continued operation given the full set of consequences of each failure mode?

4. What is the probability of each failure mode and can it result from a single failure?

Depending on the hazard level from 3 above there are requirements on the probabilities from 4. In addition there is a hard requirement that no single failure regardless of probability can lead to a catastrophic result.

The simplest design that is compliant with the guidance above is usually considered the best solution. Keep in mind that when adding to an existing system the simplest design will be the one that involves the least change to the baseline system - this may not be the same as what would be considered simplest were one starting from scratch.

Where the process described above leads to single-threaded designs and supports continued use of existing single-thread designs, that approach will continue. To add unnecessary levels of redundancy would drive up cost without providing required benefit.
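As an added illustration of the four questions and the two rules in the post above (this is not code from the post, from Boeing, or from any certification process), the assessment can be written as a small check. The hazard classes and their per-flight-hour probability ceilings are assumed figures in the spirit of transport-category guidance, the dual-channel formula is a simplified approximation, and the two failure modes are constructed.

```python
import math
from dataclasses import dataclass
from typing import Dict, List

# Assumed hazard classes and the probability ceiling (per flight hour) each
# imposes. The post gives no numbers; these are assumptions for illustration.
MAX_PROBABILITY: Dict[str, float] = {
    "catastrophic": 1e-9,
    "hazardous": 1e-7,
    "major": 1e-5,
    "minor": 1e-3,
}


@dataclass
class FailureMode:
    name: str                  # question 1: the failure mode
    consequences: List[str]    # question 2: complete set of consequences
    hazard: str                # question 3: worst-case hazard level
    probability: float         # question 4: per flight hour
    single_failure: bool       # question 4: can one fault alone cause it?


def assess(fm: FailureMode) -> List[str]:
    """Return compliance findings for one failure mode (empty list = compliant)."""
    findings = []
    limit = MAX_PROBABILITY[fm.hazard]
    # Rule 1: the hazard level sets a ceiling on the allowed probability.
    if fm.probability > limit:
        findings.append(f"{fm.name}: {fm.probability:.1e}/h exceeds {limit:.0e}/h for {fm.hazard}")
    # Rule 2: no single failure, regardless of probability, may be catastrophic.
    if fm.hazard == "catastrophic" and fm.single_failure:
        findings.append(f"{fm.name}: a single failure leads to a catastrophic outcome")
    return findings


def dual_channel_probability(channel_rate: float, exposure_hours: float) -> float:
    """Approximate per-hour probability that two independent channels, each failing
    at channel_rate per hour, are both failed within one exposure window.
    Simplified model: both faults must occur inside the same window."""
    per_channel = 1.0 - math.exp(-channel_rate * exposure_hours)
    return per_channel * per_channel / exposure_hours


def review(modes: List[FailureMode]) -> Dict[str, List[str]]:
    """Map each failure mode name to its findings; only non-compliant modes appear."""
    return {fm.name: f for fm in modes if (f := assess(fm))}


if __name__ == "__main__":
    # Constructed example: a trim command driven by one sensor vs. two cross-checked sensors.
    single = FailureMode("single-sensor trim", ["uncommanded trim"], "catastrophic", 1e-5, True)
    dual = FailureMode("dual-sensor trim", ["uncommanded trim"], "catastrophic",
                       dual_channel_probability(1e-5, 1.0), False)
    for name, findings in review([single, dual]).items():
        print(name, findings)
```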