PPRuNe Forums - View Single Post - Ethiopian airliner down in Africa
Old 24th Mar 2019, 12:00
  #2462 (permalink)  
EDLB
 
Join Date: Aug 2005
Location: EDLB
Posts: 362
Received 4 Likes on 3 Posts
Originally Posted by Grummaniser
It doesn't take a double bit error to lose one bit of data - somewhere in the system between the RVDT fixed to the AoA vane and the bus, is an analogue to digital converter chip (or array of them) which will not itself be creating any error checking. The error checking will be added further downstream (quite possibly by the chip next to the A-D). A fault in the actual A-D chip could produce single bit errors which could only be identified by duplicating the A-D process.
In automotive acceleration pedals the duplicate sensor (potentiometer and/or magnetic angle sensor) and duplicate A/D conversion are standard. But all that effort would be moot if the communication channel is not error protected. So at least there is a robust CRC or even duplicate signalling channels.

As far as I understand, in the AoA sensor and data bus neither is done, so at any point erroneous data could be created.
That would not even pass muster for an automotive acceleration pedal, let alone more safety-critical systems like brakes.

The only chance I see that that passes any functional safety analysis is at least two independent sensor data, and if they differ then either a safe system state is commanded or if this can’t be achieved, then a third input data (like in this case from the inertial system generated) will be needed.
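The scheme discussed in this post, as an added example that is not part of the original post and not code from any aircraft or automotive system: a CRC-protected frame per channel, a cross-check of two independent channels, and a third independent input used only when the two disagree. The frame layout, the CRC-8 polynomial, the tolerance and all function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed frame layout: 16-bit sensor reading plus CRC-8 over its two bytes. */
typedef struct { uint16_t raw; uint8_t crc; } frame_t;
typedef enum { VOTE_OK, VOTE_SAFE_STATE } vote_t;

/* CRC-8, polynomial 0x07, init 0x00 (chosen for illustration). */
static uint8_t crc8(const uint8_t *p, size_t n) {
    uint8_t c = 0;
    while (n--) {
        c ^= *p++;
        for (int i = 0; i < 8; i++)
            c = (c & 0x80) ? (uint8_t)((c << 1) ^ 0x07) : (uint8_t)(c << 1);
    }
    return c;
}

static uint8_t frame_crc(uint16_t raw) {
    uint8_t b[2] = { (uint8_t)(raw >> 8), (uint8_t)raw };
    return crc8(b, 2);
}

/* Sender side: the CRC is computed AFTER the A/D conversion, so it protects
   only the channel, not the conversion itself. */
frame_t make_frame(uint16_t raw) { frame_t f = { raw, frame_crc(raw) }; return f; }

int frame_valid(frame_t f) { return f.crc == frame_crc(f.raw); }

static int agree(uint16_t a, uint16_t b, uint16_t tol) { return abs((int)a - (int)b) <= tol; }

/* Receiver: two independent channels a and b, plus a third independent estimate.
   Returns VOTE_OK with *out set, or VOTE_SAFE_STATE if no two sources agree. */
vote_t select_value(frame_t a, frame_t b, uint16_t third, uint16_t tol, uint16_t *out) {
    int va = frame_valid(a), vb = frame_valid(b);
    if (va && vb && agree(a.raw, b.raw, tol)) { *out = (uint16_t)((a.raw + b.raw) / 2); return VOTE_OK; }
    if (va && agree(a.raw, third, tol)) { *out = a.raw; return VOTE_OK; }
    if (vb && agree(b.raw, third, tol)) { *out = b.raw; return VOTE_OK; }
    return VOTE_SAFE_STATE;
}

int main(void) {
    uint16_t out = 0;
    frame_t good = make_frame(1000);
    frame_t adc_fault = make_frame(1000 ^ 0x0400); /* bit flipped before the CRC: frame still valid */
    return (select_value(adc_fault, good, 1004, 16, &out) == VOTE_OK && out == 1000) ? 0 : 1;
}
```

A bit flipped in the A/D stage yields a frame whose CRC still verifies, so only the comparison against the second channel exposes it; a bit flipped on the channel fails the CRC and that frame is dropped before any comparison.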