Quote Graybeard:
The safety analysis done in the design phase obviously accounted for a single pitot failure, for all conceivable reasons. Could the safety analysis not have considered the possibility of all three freezing over nearly at once, at night, in cruise?
Couldn't Otto have been made smart enough to recognize a drop in all three measured airspeeds with little or no change of angle of attack? He should be able to fly pitch and power as good as a pilot could.
Quote Will Fraser:
Or couldn't he have ignored the drop of two and relied on the one not changing rate?? Instead there is 'Disagree' when one might have been 'reliable'?? That one could remain servicable but be dropped as a disagreeble partner means there aren't actually three independent samplers?? IOW, could a 'pair' be 1,1a, where a is two seconds ago, meaning consistency? After all, stability can be sampled as well as rate of change, or fault.
Quote ClippedCub:
Great point Graybeard. I'm still trying to figure out why a system with five computers, quadruply redundant, only had 3 pitots and statics, double redundancy. Plenty of lesser planes have four pitots.
This discusion is becoming schizphrenic. First it's "the computers take too much control away and make too many decisions" and now it's "they should be able to retain control and make decisions even when the basic data they use to operate has become seriously corrupted or unreliable". Which do you want?
The pilot and the "computer" each have differing strengths. The design goal has to be to make optimum use of both. In the instance of a particular stream of data from 3 different sources becoming simultaneously different or uncertain you have a situation that most often, using a pilot's awareness of the total dynamic situation, will be solvable fairly quickly and without serious adverse input (though there have been exceptions, Birgenair & AeroPeru, etc.). But, for a computer which has limited capacity to "understand" the broader situation beyond the data streams, trying to code an algorithm that would correctly identify which data source, if any, was correct 100% of the time would be, if not impossible, then probably impossible to do within the time frame of a safe response. There would be a much higher possibility of an adverse control input and the pilot's judgement would not have been accessed at exactly the point where it becomes most valuable.
Using more sources won't resolve the problem, as in addition to the problem of 3 suffering the same failure you now also face the problem of ties where 2 say this and 2 say that, or 3 are simultaneously experiencing the same error but the 1 or 2 in minority are actually providing the accurate data. How would you cope with that scenario ... with even more complexities of logic.
The simplest, and in my opinion best answer to the problem is to let the pilot do the job of distinguishing good from bad in such rare instances. When they've isolated the bad data the good data can then be used by the remaining available systems.
ELAC