Recreation simulations are not always revealing even for design engineers or accident investigators. This is why I argue for a direct cable backup of some sort.
Yes, that's what I was trying to say with my remarks that high-reliability in software cannot be shown by testing. The argument can be made for mechanical backup, but also for better software development methods (Correct by Construction, instead of "Validation by Testing", which is proven to be insufficient.)
Throw in moisture to the FADEC sensors and who knows what weird power solutions have been calculated? And what are you really reading with that DFDR anyway? Probably not actual valve position, but rather a software command to an actuator thinking it has called for rated power. (just speculation on my part.)
Good software will have a lot of sanity-checks, i.e. will check its input parameters for consistency. Very simple checks are correspondence between EPR vs. N1/N2 (and even N3 in this case), or commanded/actual FMV position vs. actual fuel flow, or fuel flow and N1 vs. EGT, ...
There is another indication that the reduced fuel flow was not the consequence of the FMV not opening, but was present before, and also that the actual FMV position is measured independently of the EEC's commands:
The EEC recorded in its NVRAM that reduced fuel flow had been detected. Probably this would only be recorded if it was unexpectedly low. In consequence, the FMV was commanded to open more and more, up to fully open. (cf. AAIB SB 2008-03, p. 2):
Originally Posted by AAIB Special Bulletin 2008-03
Parameters recorded on the Quick Access Recorder, Flight Data Recorder and non-volatile memory from the Electronic Engine Controller (EEC) indicate that the engine control system detected the reduced fuel flow and commanded the fuel metering valve to open fully. The fuel metering valve responded to this command and opened fully but with no appreciable change in the fuel flow to either engine.
Do we know for certain that the DFDR records the actual metering valve position? If so, the next question is how does it record that? Prox sensor? rheostat? actuator drive position? Fuel flow?
No, we cannot. And these are fair questions that we all have asked. To highlight the difficulty, the A320, with which I am more familiar, has 8 thrust lever angle sensors for each thrust lever. Two for the FADEC (high precision, contactless angle resolvers), and a pair of potentiometers for each of the three SECs for spoiler/autobrake conditions. I do not know which of these is used for the DFDR data. I assume it's one of the resolvers, but I just don't know. Similar questions will be asked (by the AAIB, among others) for the B777's Fuel Metering Valve position.
I'm not ready to buy into a correct fcu fuel metering valve "positioned open" just yet. I'll agree that it was logged as being commanded open once every four seconds. I want to hear more from engineers and programmers first.
I seem to recall that the actual position is measured and recorded independently of the EEC (FADEC), and not just the commanded position, since the FMV is such a crucial piece.
The developers who know for certain probably won't be allowed to tell us.
[The Microsoft slam was just intended as over-the-top sarcasm; but thank God we don't fly around on Windows.... We'd crash twice a day!]
Yes, I didn't think you'd mean that literally.
The really ugly part of this accident really is that every conceivable scenario is, a priori, "extremely unlikely", so if anyone can figure it out, it's the guys with all the data (AAIB, NTSB, RR, Boeing, QinetiQ, ...).
Bernd
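
An added example, not part of the post above and not taken from any real EEC or FADEC code: a sketch of the commanded/actual FMV position vs. fuel flow cross-check the post mentions, showing how an independent position sensor lets software tell "valve not following the command" apart from "valve open but flow still low". The linear valve model, tolerances, labels and sample frames are all constructed assumptions.

```python
from dataclasses import dataclass

# All constants are constructed for illustration; they are not B777 or engine data.
MAX_FLOW = 100.0   # hypothetical fuel flow (arbitrary units) with the valve fully open
POS_TOL = 0.05     # allowed commanded-vs-measured valve position error (fraction)
FLOW_TOL = 0.15    # allowed deviation of measured flow from expected flow (fraction)

@dataclass
class Frame:
    fmv_cmd: float    # commanded valve position, 0.0 (closed) .. 1.0 (fully open)
    fmv_pos: float    # valve position from an independent sensor, same scale
    fuel_flow: float  # measured fuel flow, same units as MAX_FLOW

def classify(f: Frame) -> str:
    # Range check first: values outside the physical range point at the sensor.
    if not (0.0 <= f.fmv_cmd <= 1.0 and 0.0 <= f.fmv_pos <= 1.0) or f.fuel_flow < 0.0:
        return "SENSOR_OUT_OF_RANGE"
    # Command vs. independent position: does the valve do what it was told?
    if abs(f.fmv_cmd - f.fmv_pos) > POS_TOL:
        return "VALVE_NOT_FOLLOWING_COMMAND"
    expected = MAX_FLOW * f.fmv_pos  # assumed linear valve characteristic
    if f.fuel_flow < expected * (1.0 - FLOW_TOL):
        return "FLOW_LOW_FOR_VALVE_POSITION"
    if f.fuel_flow > expected * (1.0 + FLOW_TOL):
        return "FLOW_HIGH_FOR_VALVE_POSITION"
    return "CONSISTENT"

def first_persistent(frames, label, n=3):
    """Index at which `label` has held for n consecutive frames, else None."""
    run = 0
    for i, f in enumerate(frames):
        run = run + 1 if classify(f) == label else 0
        if run == n:
            return i
    return None

SAMPLE = [  # constructed frames: valve opens further while flow stays flat
    Frame(0.40, 0.40, 41.0),
    Frame(0.60, 0.59, 45.0),
    Frame(0.80, 0.80, 44.0),
    Frame(1.00, 1.00, 43.0),
    Frame(1.00, 0.60, 43.0),  # separate case: valve stuck short of the command
]
```

Requiring the same result over several consecutive frames keeps a single noisy sample from latching a fault.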