Old 26th Jun 2009, 14:44
Originally posted by xcitation:
At the end of the day I can't understand how one sensor (ok 3 redundant pitots) can take out something as critical as an entire flight system. It appears that there are too many dependencies in the software that causes the pitot failure to initiate a chain of software errors that are not handled. Instead, the errors cascade to secondary software modules which go into failed state. Good electronic/software design seeks to minimize coupling and unnecessary dependencies. Error exceptions are handled gracefully and trapped.
The problem with redundancy is when there are common fault cases. For example if (hypothetically - not implying this happened with AF447) there is a certain environmental condition where a pitot sensor is susceptible to icing, this might apply to all three.

With three failed pitot sensors, there ain't a whole bunch clever software can do. Even with two failures, you have a big problem - two incorrect sensors in agreement with each other, or possibly three all disagreeing.

But be careful about blaming automation for this. How much better would a human pilot do with three separate sensors connected to three separate airspeed indicators? If indeed there is a pitot icing problem here, the problem is a mechanical/physical pitot/static sensor design problem NOT one in the software/automation.
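To make the redundancy argument above concrete, here is an added example (not part of the original post, and not any aircraft's actual air-data logic): a simplified 2-of-3 voter over three airspeed channels, with a separate rate-of-change monitor on the voted output. The agreement window, the maximum plausible one-second change, and every sensor value are constructed for illustration. It shows that the voter handles a single bad channel, that two channels failing the same way (the common-mode case) outvote the one good channel, and that a plausibility check independent of the vote is what catches the common-mode case.

```python
"""Added example: 2-of-3 voting versus a common-mode pitot fault.

All thresholds and readings are constructed for illustration; they are not
real aircraft limits or real flight data.
"""
from statistics import median

AGREE_KT = 5.0            # two channels "agree" if they differ by less than this (assumed)
MAX_STEP_KT_PER_S = 20.0  # a larger one-second change in airspeed is treated as implausible (assumed)


def _agree(a, b):
    return abs(a - b) < AGREE_KT


def vote(readings):
    """2-of-3 majority voter over three airspeed channels.

    Returns (value, status, rejected):
      value    voted airspeed in kt, or None when no majority exists
      status   'ok' | 'one_rejected' | 'no_majority'
      rejected tuple of channel indexes the voter discarded
    """
    if len(readings) != 3:
        raise ValueError("expected exactly three channels")
    a, b, c = readings
    pairs = {(0, 1): _agree(a, b), (1, 2): _agree(b, c), (0, 2): _agree(a, c)}
    agreeing = [pair for pair, ok in pairs.items() if ok]
    if len(agreeing) >= 2:
        # At least two pairs agree: all channels are mutually consistent, take the mid value.
        return median(readings), 'ok', ()
    if len(agreeing) == 1:
        # Exactly one agreeing pair: the odd channel is outvoted. Note that two
        # channels that are wrong in the *same* way still form a majority, so in
        # that case the good channel is the one that gets rejected.
        i, j = agreeing[0]
        odd = ({0, 1, 2} - {i, j}).pop()
        return (readings[i] + readings[j]) / 2, 'one_rejected', (odd,)
    # No two channels agree: there is no majority and no trustworthy value.
    return None, 'no_majority', (0, 1, 2)


def step_implausible(prev_voted, voted, dt_s=1.0):
    """Plausibility check on the voted output, independent of the vote itself.

    Flags a change between consecutive samples larger than MAX_STEP_KT_PER_S.
    This is the kind of check that can notice the common-mode case, where the
    voter reports a clean majority but the value has jumped impossibly fast.
    """
    if prev_voted is None or voted is None:
        return False
    return abs(voted - prev_voted) / dt_s > MAX_STEP_KT_PER_S


def scenario_single_fault():
    # Constructed: true airspeed ~270 kt, channel 2 iced and reading low.
    return vote((270.0, 271.0, 95.0))


def scenario_common_mode():
    # Constructed: channels 0 and 1 ice within the same second and both read
    # ~95 kt; channel 2 is still correct but is now the odd one out.
    return vote((95.0, 97.0, 270.0))


def scenario_all_disagree():
    # Constructed: three channels, three different answers, no majority.
    return vote((95.0, 150.0, 270.0))


def common_mode_with_monitor():
    """Run the common-mode scenario against the previous good sample.

    Returns (voter status, rejected channels, monitor flagged?).
    """
    prev_value, _, _ = vote((270.0, 271.0, 269.0))  # last sample before icing
    value, status, rejected = scenario_common_mode()
    return status, rejected, step_implausible(prev_value, value)


if __name__ == "__main__":
    print("single fault  :", scenario_single_fault())
    print("common mode   :", scenario_common_mode())
    print("all disagree  :", scenario_all_disagree())
    print("with monitor  :", common_mode_with_monitor())
```

The point of the last scenario is the one the post makes: with two channels iced to the same wrong value, the voter cannot tell that the majority is the faulty side, and a check that does not depend on the vote (here, a crude rate-of-change bound) is the only thing in this example that notices something is wrong. Even then it can only say "do not trust this", not recover the true airspeed.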
