PPRuNe Forums - View Single Post - AF 447 Thread no. 4
Old 24th Jun 2011, 22:30
  #359 (permalink)  
A33Zab
 
PRIMS workings

I think it is clearer to copy your posting in whole and comment on specific parts of it.

I will repeat again that I do not believe this design would be flawed in general, but that it ended up in an unexpected/unforeseen/viewed-as-impossible condition in this particular case.

What brings me to this view is the simultaneity/combination of unreliable airspeed (the Probe stuff) with unexpected loss of ADR1 by PRIM2 (the Wiring stuff). I do not believe such a scenario was ever considered in design. It is way too far out of bounds, and I do not expect any design to take this strangest of cases into account.

I am therefore not discussing a design flaw, but a very strange failure combination, that is so strange as to put the whole flight controls system out of its designed domain. According to logical consequences of this dual failure, PRIM2 could have returned alone to Normal law (an undesired outcome) while PRIM1 & 3 would have correctly latched Alt2.
I call this a most serious design flaw if it leads to such A/C behaviour.
Why are you convinced PRIM 2 reverted to NORMAL LAW?
Why should PRIM 2 revert (as the only one) to NORMAL while there is a common ALT 2 situation declared?

A33Zab:

Quote:
There's only 1 PRIM in control and that will be the one which is capable of computing the highest level of law (= NORMAL LAW, ALTERNATE, DIRECT). The priority order is PRIM 1, 2, 3, FCSC.
According to this, if PRIM2 had reverted to Normal it should take over control. This would fault PRIM1, if I understand right. PRIM1 was indeed faulted, but much later in the sequence.

PRIM 1 is not faulted; being only capable of computing a lower law than other PRIMs would not fault a PRIM, it only sets a maintenance message.
PRIM 1 was indeed faulted later in the sequence, however I will not be surprised if the outcome will be the result of pilot action, as is the SEC 1 message.

However, PRIM1 is perfectly justified in operating Alt2 because of the UAS situation which triggered the 10 seconds monitoring process.

Remember this process did not trigger the NAV ADR DISAGREE condition immediately (as was the case in the Air Caraïbes incidents) but at 02:12 approx.
Just because the NAV ADR DISAGREE was triggered much later in the sequence, the speeds didn't disagree that much and/or long enough initially to set the NAV ADR DISAGREE.
I really don't know how much time it will require to trigger this message.

EDIT: In our A330 manual (Enhanced - equipped with BUSS mod) it is stated:
if the ADR disagree lasts for more than 10s the PRIMs trigger the NAV ADR DISAGREE ECAM Caution.
The flight controls revert to ALTN 2 LAW.

BEA:

Note: The inconsistency between the speeds displayed on the left side and on the ISIS lasted a little less than one minute.

Why didn't it trigger NAV ADR DISAGREE earlier?


PRIM1 being justified in operating Alt2 because of UAS, it can see no reason to defer to PRIM2 and its Normal law. Logically, the maximum control law should be Alt2. This is not an internal fault from PRIM1 which prevents it from computing Normal law, it is an external condition that justifies its operating Alt2.
If and only if PRIM 2 could compute NORMAL LAW it would become the PRIM in control, no doubt about that, if not this would be the serious system flaw and BEA/AIB should ring all available alarm bells.

AMM:

The Law is such that:
- each computer (FCPC) establishes the highest level of law (Normal, Alternate or Direct) it can engage, taking into account the results of the internal monitoring functions and the availability:
  - of the ADIRUs,
  - of the control components,
  - of the control surfaces, THS and S/F.
- among the FCPCs which can engage the highest level of law, the FCPC having the top priority is chosen.
- If only 1 FCPC is capable of the highest level of law, this FCPC is selected whatever its priority level.

Quote:
If the MONITORING PRIMs decide that the output of the PRIM in CONTROL does not agree with their own output, a message would be set and the PRIM in CONTROL role will be transferred to the next PRIM according to the priority rules.
The second interim report does hint at such a problem regarding the FMGEC1 FLR message. But again, this is later in the sequence.

However, if PRIM1 had remained Master, while PRIM2 had reverted to Normal and PRIM1 & 3 had latched Alternate 2, this means that PRIM1 is in COM (command) role, and both PRIMs 2 & 3 are in the MON (monitor) role.

But if PRIM2 reverted to Normal while PRIM3 latched Alternate 2, how would they agree on the fact that the COM from PRIM1 is wrong, for example? I understand that PRIM1-COM could be outvoted by both other PRIMs-MON, but what if the monitoring PRIMs disagree?
FMGEC is different, there are only 2, a COM and a MON; if they disagree the 3rd reference is the crew. They have to decide which FMGEC failed.

Very remote (MON disagree) because all the FCPCs get the same information - ADR 1 + ADR 2 + ADR 3 - being valid or false.
(Except, as you say, PRIM 2 is missing ADR 1 data, but then again that could be a reason to prevent PRIM 2 from becoming in CONTROL, maybe only as a last resort.)
To give you an answer, I guess the MON closest to COM will be validated and the other MON declared due for maintenance.


I take it that it would seriously delay recognition of trouble by the system. Such delay appears in the ADR DISAGREE and FMGEC1, PRIM1 and SEC1 faults/resets.

PRIM2 is never faulted. Its returning to Normal law would be the logical consequence of its losing ADR1 connection while searching for the outlier ADR.

Both PRIM1 and PRIM2 would have ended up in a condition where both would be justified by their programming in taking control.
- PRIM1 because it correctly recognized the UAS and correctly applied Alt2
- PRIM2 because it operates a "better" law: Normal (but it should not and fails to see this)
PRIM 2 (or its connection with ADR 1 bus) is faulted but for maintenance only, this was no reason to declare it a total failure.
A total failure would mean the EXECUTION part is also not available.

This looks like crossing logics with non-intersecting parameters where a decision cannot be made by logic alone.

How is this sorted out?
IMO the logic did sort this out as designed, only - with respect - I couldn't convince you yet.

Anyway, we have to wait until the end of July for what actually happened; until then we will debate this matter.

Last edited by Jetdriver; 25th Jun 2011 at 00:21.
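
The selection rule from the AMM excerpt quoted in the post (highest engageable law first, then PRIM priority), modelled as an added example that is not part of the original post and is not Airbus code. The `Law` enum, the function name and the sample law assignments are assumptions made for illustration; the rule acts only on the law each computer itself reports it can engage.

```python
from enum import IntEnum

class Law(IntEnum):
    """Law levels named in the AMM excerpt; a higher value is a higher law."""
    NONE = 0        # cannot engage any law (assumption added for the model)
    DIRECT = 1
    ALTERNATE = 2
    NORMAL = 3

# Priority order stated in the post: PRIM 1, then 2, then 3.
PRIORITY = ("PRIM1", "PRIM2", "PRIM3")

def select_prim_in_control(capability):
    """Return (prim, law) chosen by the quoted rule, or None if none can engage.

    capability maps each PRIM name to the highest Law it reports it can engage.
    """
    usable = {prim: law for prim, law in capability.items() if law != Law.NONE}
    if not usable:
        return None
    best = max(usable.values())
    # Among the PRIMs able to engage the highest law, top priority is chosen.
    # If only one can engage it, it is selected whatever its priority.
    for prim in PRIORITY:
        if usable.get(prim) == best:
            return prim, best
    return None

# Constructed scenarios matching the two cases argued in the thread.
ALL_ALTERNATE = {"PRIM1": Law.ALTERNATE, "PRIM2": Law.ALTERNATE,
                 "PRIM3": Law.ALTERNATE}
PRIM2_REPORTS_NORMAL = {"PRIM1": Law.ALTERNATE, "PRIM2": Law.NORMAL,
                        "PRIM3": Law.ALTERNATE}

if __name__ == "__main__":
    for label, scenario in (("all Alternate", ALL_ALTERNATE),
                            ("PRIM2 reports Normal", PRIM2_REPORTS_NORMAL)):
        prim, law = select_prim_in_control(scenario)
        print(f"{label}: {prim} in control, {law.name} law")
```
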