OK, once more and then I'm signing off for a bit - I've noticed my handle cropping up far too often in the last few pages for it to be healthy.
Originally Posted by
Svarin
- a philosophical aspect, as I explained in earlier posts : since the system is built in such a way as to claim final authority (under certain circumstances) over the aircraft control surfaces, it should be questioned first ... Its central position in the design and its criticality in a Loss Of Control accident should make it the subject of extremely careful scrutiny as a matter of principle.
And you can bet it is, right now, the subject of lab tests and simulator runs that will take months to perform and collate the data from.
As an introduction, it must be stressed that "protections" are provided in many forms for this aircraft, and the really assertive forms of protection ... come ... directly from the main Flight Control Computers, the PRIMs, even in manual flight, and even in alternate 2 law, albeit in a less severe version. Only Direct law and worse remove all protection.
Their design, however, is very clear on the fact that loss of speed information -> no more autothrust -> practically no stall protection.
I very much doubt that such apparently unrelated, simultaneous, totally different failures (external cause -> icing + internal cause -> wiring) were ever considered together during the design phase of the Flight Control System.
Actually, what you're describing would be relatively trivial to set up on the test bench, and is the very epitome of what software engineers refer to as an "edge case"
This extraordinary combination precisely affected the one computer which ended up being tasked with :
- interpreting sidestick commands on the pitch axis.
- sending orders to the hydraulic servo jacks located on the elevator moving parts.
- sending orders to the electric THS motor.
A series of tasks for which it is eminently capable
- providing whatever "protection" it deemed necessary to provide while in its undefined state (unreliable ADR data + lost connectivity with one ADR)
But it knows that no speed information -> no stall/overspeed protection.
It is a "baked in" assumption in the design of the system that if it is ever incapable of making a judgment, then ultimate control authority is given to the pilot, who has an array of instruments and, in daylight, can see outside and use external references if necessary, something the system cannot do.
PURE SPECULATION BEGINS
...
-Then overspeed protection undesiredly kicks in (second on protection priority list) which pulls the nose up, again without the pilot knowing why.
Problem being, there is no speed indication - the flight management computer knows this, and is therefore unable to command either overspeed or stall protection. It's all there in Alternate 2 (aka Alternate "NO PROT" - is it becoming clear yet?).
But it sure makes one think twice about "protections", especially multiple, contradictory ones.
The question is, how can a protection that has been disabled by design cause the scenario you describe to unfold?
Originally Posted by
BarbiesBoyfriend
I think these guys may have been poorly served by their (A/P loving) training.
Instinctively I'm inclined to agree with you. On the other hand my mind goes back to the Birgenair 757 incident, where a long-serving pilot who came out of the Turkish military was just as flummoxed by a similar situation. Which leads me to wonder - regardless of whether training turns out to be a factor, what part does temperament have to play?