When three pitot heads are rendered inop due to external influences, in this case supposed icing of some description, the design represent a single point of failure.
So let's put four pitot heads on there. From there I can amend what you wrote:
When four pitot heads are rendered inop due to external influences, in this case supposed icing of some description, the design represent a single point of failure.
We can play this game all day long. Four pitot tubes isn't enough, let's put five, five pitot tubes ... ... ... Fifty pitot tubes isn't enough... blah blah blah. You can keep adding more and more of anything to prevent any failure but it's not practical.
Great point Graybeard. I'm still trying to figure out why a system with five computers, quadruply redundant, only had 3 pitots and statics, double redundancy. Plenty of lesser planes have four pitots.
Five computers are there for redudancy of the computers, not the airspeed system. You need to keep in mind that the supreme fear of everyone with FBW systems (prior to the supreme fear of pitot tubes and computers acting strangly) is computers FAILING in flight. Analogous to cables snapping in flight in a mechanical system.
Or couldn't he have ignored the drop of two and relied on the one not changing rate?? Instead there is 'Disagree' when one might have been 'reliable'?? That one could remain servicable but be dropped as a disagreeble partner means there aren't actually three independent samplers?? IOW, could a 'pair' be 1,1a, where a is two seconds ago, meaning consistency? After all, stability can be sampled as well as rate of change, or fault.
I find this statement amusing coming from you. You're asking a computer to determine which airspeed sensor is reliable? This is a situation where (as a designer of control systems) I would be running away as fast as I could. Unless I have a good model of what is happening I wouldn't want to be designing logic to figure out which one is right. The idea of the triple redudant system is that you can use a very simple model to determine which is right. The system will fail in an obvious way and independently of others in the voting pool. If you have to resort to examining each sensor for cues of failure you are probably going to have far too many false positives. I'd punt this to pilots who, even poorly trained, are probably more reliable than my system.
Couldn't Otto have been made smart enough to recognize a drop in all three measured airspeeds with little or no change of angle of attack? He should be able to fly pitch and power as good as a pilot could.
I'd think this would be a good idea too. Since it's not done, I'd assume there is a reason. I have noticed a tendency to keep sensors separate rather than try to crosscheck values with other sensors in a tangential way. I also don't know why autopilots don't fly pitch. This is a very common system for UAVs, this is used in every autopilot where I work. These are both very good questions.