PPRuNe Forums - View Single Post - AF 447 Thread no. 4
Old 24th Jun 2011, 15:31
  #342 (permalink)  
Svarin
 
Join Date: Jun 2009
Location: Earth
Posts: 79
PRIMS workings

Thank you very much A33Zab for this great technically enlightening information.

I will repeat again that I do not believe this design would be flawed in general, but that it ended up in an unexpected/unforeseen/viewed-as-impossible condition in this particular case.

What brings me to this view is the simultaneity/combination of unreliable airspeed (the Probe stuff) with unexpected loss of ADR1 by PRIM2 (the Wiring stuff). I do not believe such a scenario was ever considered in design. It is way too far out of bounds, and I do not expect any design to take this strangest of cases into account.

I am therefore not discussing a design flaw, but a very strange failure combination, that is so strange as to put the whole flight controls system out of its designed domain. According to the logical consequences of this dual failure, PRIM2 could have returned alone to Normal law (an undesired outcome) while PRIM1 & 3 would have correctly latched Alt2.

A33Zab :
"There's only 1 PRIM in control and that will be the one which is capable of computing the highest level of law. (=NORMAL LAW, ALTERNATE, DIRECT).
The priority order is PRIM 1, 2, 3, FCSC."
According to this, if PRIM2 had reverted to Normal it should take over control. This would fault PRIM1, if I understand right. PRIM1 was indeed faulted, but much later in the sequence.

However, PRIM1 is perfectly justified in operating Alt2 because of the UAS situation which triggered the 10 seconds monitoring process.

Remember this process did not trigger the NAV ADR DISAGREE condition immediately (as was the case in the Air Caraibe incidents) but at 02:12 approx.

PRIM1 being justified in operating Alt2 because of UAS, it can see no reason to defer to PRIM2 and its Normal law. Logically, the maximum control law should be Alt2. This is not an internal fault from PRIM1 which prevents it from computing Normal law, it is an external condition that justifies its operating Alt2.

A33Zab :
"If the MONITORING PRIMs decide that the output of PRIM in CONTROL does not agree with their own output a message would be set and PRIM in CONTROL role will be transferred to the next PRIM according to the priority rules."
The second interim report does hint at such a problem regarding the FMGEC1 FLR message. But again, this is later in the sequence.

However, if PRIM1 had remained Master, while PRIM2 had reverted to Normal and PRIM1 & 3 had latched Alternate 2, this means that PRIM1 is in COM (command) role, and both PRIMs 2 & 3 are in the MON (monitor) role.

But if PRIM2 reverted to Normal while PRIM3 latched Alternate 2, how would they agree on the fact that the COM from PRIM1 is wrong, for example? I understand that PRIM1-COM could be outvoted by both other PRIMs-MON, but what if the monitoring PRIMs disagree?

I take it that it would seriously delay recognition of trouble by the system. Such delay appears in the ADR DISAGREE and FMGEC1, PRIM1 and SEC1 faults/resets.

PRIM2 is never faulted. Its returning to Normal law would be the logical consequence of its losing ADR1 connection while searching for the outlier ADR.

Both PRIM1 and PRIM2 would have ended up in a condition where both would be justified by their programming in taking control.
- PRIM1 because it correctly recognized the UAS and correctly applied Alt2
- PRIM2 because it operates a "better" law: Normal (but it should not and fails to see this)

This looks like crossing logics with non-intersecting parameters where a decision cannot be made by logic alone.

How is this sorted out?