PPRuNe Forums - View Single Post - AF 447 Thread no. 4
1st Jul 2011, 16:41
#615
Why use redundancy in a System design


When you have 3, 5, 7, (odd number), etc. critical elements, your System is able to:

1. Compare elements, trying to figure out the “truth”, i.e. their correct “output”
2. “Vote” to select the best ones (the ones that are probably presenting correct results)
3. Implement a more “fault tolerant” system for a better (safer) System availability
4. Promote a “graceful degradation” in the overall system

But this is only valid for elements with low chances of failing simultaneously. This is well done in Airbus SAS planes with triple critical computing elements (acting as 5). A solid Engineering approach.

When you have identical elements, subjected to the same environment and clearly failing simultaneously (IIRC 38 cases of UAS analyzed since 2003), something should be done earlier (IMHO urgently).

The current redundancy is only useful when you have a Pitot heater failure, interface failure, “wiring”, etc., simply because the chances of simultaneous failures of this category are near zero.

What is the net result of the current AS "redundancy"?

1. To degrade the System (no longer able to work at “full specs” due to a limitation of the plane itself), triggering (without early warning*) a major reconfig in the plane control System

So the question: why did they use redundancy? The reason I call it “ridiculous” is because the use of n identical and non-adequate AS sensors failing simultaneously is absolutely useless.

This seems a “conceptual error” that seems to be incorrectly used in other a/c designs as well, and it is not helping in two very important "features":

1. Fault tolerance (a/c)
2. Graceful degradation (a/c+crew)

The only result of this redundancy is to realize that the plane is entering a dangerous "space", in a plane using an improper AS sensor specification (non-adequate product) for an important a/c element (to the control System).

Was the AF447 crew, in the first moment, informed of the UAS condition? When (if ever) did they realize the plane was affected by a "simple and brief" UAS condition?

I suspect F-GZCP was not equipped with the add-on to warn on UAS like N805NW (A330-323). Is that true? (This UAS early warning “add-on” should be a standard item and not an optional item for the operator.)

I would prefer to know (immediately) the reason for the Law change. Why? Simply because it could provide a more graceful degradation situation (a/c+crew) when entering and facing “extreme” conditions.

AF447 (a/c+crew) apparently instead had an “accelerated degradation”, due to (triggered by) a flawed System design using "redundant" inadequate AS sensors for typical (possible) atmospheric conditions.

The statistics (low UAS probability) are no excuse in this issue. Urgent results from the R&D being done are required. After all, Airbus SAS introduced "advanced planes" and this seems to be the inexorable industry trend.

(*) From an "instrumentation point of view" I guess it's possible to have a safe early warning (real time) before a Law change triggered by this condition.
RR_NDB
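The voting-versus-common-mode argument in the post above, as an added example that is not part of the post, of the thread, or of any Airbus system: a three-channel majority voter in Python, showing that a single outlier channel is correctly rejected, that three identical channels failing together produce a unanimous but wrong answer that the plain voter accepts, and one way an independent plausibility check can flag that case. The channel names, the readings, the 5 kt agreement band and the 30 kt per-cycle step limit are constructed assumptions, not figures from the thread or from any aircraft specification.

```python
# Added example, not from the post above: three-channel majority voting and
# its blind spot against a common-mode (simultaneous, identical) failure.
# All readings and thresholds below are constructed assumptions.
from dataclasses import dataclass
from statistics import median
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Reading:
    channel: str
    ias_kt: float       # indicated airspeed in knots (constructed value)
    valid: bool = True  # False when the channel's own monitoring flags it


AGREE_KT = 5.0      # assumed: channels within this band of the median "agree"
MAX_STEP_KT = 30.0  # assumed: a larger one-cycle jump of the consensus is implausible

Result = Tuple[str, Optional[float], str]


def vote(readings: List[Reading], agree_kt: float = AGREE_KT) -> Result:
    """Classic voter: the median of the valid channels is accepted when a
    majority of ALL channels lies within agree_kt of it; otherwise degrade."""
    good = [r for r in readings if r.valid]
    if len(good) < 2:
        return "DEGRADED", None, "fewer than two valid channels"
    med = median(r.ias_kt for r in good)
    agreeing = [r for r in good if abs(r.ias_kt - med) <= agree_kt]
    rejected = [r.channel for r in readings if r not in agreeing]
    if 2 * len(agreeing) > len(readings):
        return "OK", med, f"rejected={rejected}"
    return "DEGRADED", None, f"no majority; rejected={rejected}"


def vote_with_plausibility(prev_consensus: Optional[float],
                           readings: List[Reading],
                           max_step_kt: float = MAX_STEP_KT) -> Result:
    """Voter plus an independent check for correlated failures.

    Agreement among identical channels proves nothing when they share a
    failure mode: three probes iced at once agree perfectly on a wrong value,
    and the plain voter reports OK. So a new majority is trusted only if it
    is physically reachable from the previous consensus within one cycle."""
    status, value, detail = vote(readings)
    if status != "OK" or prev_consensus is None:
        return status, value, detail
    step = value - prev_consensus
    if abs(step) > max_step_kt:
        return ("COMMON_MODE_SUSPECT", None,
                f"consensus moved {step:+.0f} kt in one cycle; agreeing channels moved together")
    return status, value, detail


def run_scenarios() -> dict:
    """Three constructed cycles, each judged against a previous consensus of 270 kt."""
    prev = 270.0
    single_fault = [Reading("A", 270.0), Reading("B", 268.0),
                    Reading("C", 50.0)]    # one probe alone reads low
    common_mode = [Reading("A", 60.0), Reading("B", 58.0),
                   Reading("C", 62.0)]     # all three read low together
    split = [Reading("A", 270.0), Reading("B", 200.0),
             Reading("C", 60.0)]           # no two channels agree
    return {
        "single_fault": (vote(single_fault), vote_with_plausibility(prev, single_fault)),
        "common_mode": (vote(common_mode), vote_with_plausibility(prev, common_mode)),
        "split": (vote(split), vote_with_plausibility(prev, split)),
    }


if __name__ == "__main__":
    for name, (plain, checked) in run_scenarios().items():
        print(f"{name:13s} plain voter: {plain[0]:20s} with plausibility check: {checked[0]}")
```

The point the runs make: the plain voter is right for the single fault and for the split, and confidently wrong for the common-mode case, because majority voting only buys anything when the channels fail independently. The plausibility check is one stand-in for the diversity the voter lacks; it trades a false-alarm risk (a genuine fast change larger than the assumed step limit) for an early flag on the correlated case, and the threshold would have to come from the real system's physics, not from this example.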