PPRuNe Forums - View Single Post - AF 447 Thread No. 8
Old 31st May 2012, 22:26
  #1011 (permalink)  
Peter H
Keeping the pilots in the loop?

Please forgive a non-pilot commenting on pilot-related matters, but there do seem to be s/w and human-machine-interface issues involved.

Current “fault-tolerant” systems work splendidly for the infrequent failures they are designed for, but do not handle "simultaneous" failures adequately.
This is highlighted by the response to the near-simultaneous common-mode pitot failures on AF447, which led to a scenario something like:
- “simultaneous” pitot failures
- erroneous "as-designed" decision by a “fault tolerant” system
- “as designed” behaviour by other plane systems ultimately resulting in a computer-assisted snafu.
- the auto-pilot drops out and the unsuspecting crew are abruptly left holding an ill-defined hot potato.
- the [startled?] crew fail to rise to the occasion (for whatever reason or combination of reasons).
- various loud warnings are given
- loud warnings largely ignored/unnoticed, although the stall warning was terminated prematurely in what looks like a s/w "feature" (as-designed but surely not as intended)

How much better if the crew could be warned in a more timely fashion, and when they were in a calmer frame of mind?

Suggestion
In addition to the current s/w behavior, when the s/w identifies divergent sensor readings it informs the pilots. When the s/w believes that the situation is resolved it again informs the pilots (e.g. divergence ended or sensor retired).

AF447 case
The [relaxed?] pilots are told "airspeed sensors diverging" some time before any problem occurs (10s of seconds?). Hopefully they use the information to alert themselves and catch up with the plane. In particular, to look and think about speed-related issues (and AoA).

Sometime later they are told "retiring airspeed sensor X".

Hopefully, when the sh*t eventually hit the fan, they would be more prepared for the situation, and already primed to consider stall and UAS.

The downside
The obvious questions are: how often would false warnings occur, and just how disruptive would they be.

Any thoughts?

Regards, Peter

PS Presumably pitot tubes may momentarily flood in very bad weather, and the system is designed to cater for this. I'm assuming that soft pitot outages are filtered out by time-averaging techniques, then candidate hard outages are evaluated by a fairly slow comparison process, which is intended to give any transient behaviour time to dissipate.
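A sketch of the two-stage advisory suggested in the post above, added here as an illustration; it is not part of the original post and does not represent any aircraft's actual logic. The averaging window, divergence threshold, retirement delay, channel names and sample data are all constructed assumptions.

```python
from collections import deque
from statistics import median

WINDOW = 5          # samples in the moving average (assumed)
SPREAD_WARN = 15.0  # kt gap between smoothed channels that triggers the advisory (assumed)
RETIRE_AFTER = 10   # consecutive outlier samples before a channel is retired (assumed)

def constructed_samples(steps=40):
    """Constructed data: three channels at 270 kt, one blip, one slow failure."""
    rows = []
    for t in range(steps):
        row = {"A": 270.0, "B": 270.0, "C": 270.0}
        if t == 6:
            row["B"] = 220.0                    # one-sample transient
        if t >= 20:
            row["C"] = 270.0 - 4.0 * (t - 19)   # channel C decays steadily
        rows.append(row)
    return rows

def monitor(samples):
    """Return [(step, message)] crew advisories for a list of {channel: kt} rows."""
    history = {ch: deque(maxlen=WINDOW) for ch in samples[0]}
    active, outlier_run = set(history), dict.fromkeys(history, 0)
    diverging, events = False, []
    for t, row in enumerate(samples):
        for ch in active:
            history[ch].append(row[ch])
        # Time-averaging hides short transients from the comparison stage.
        smooth = {ch: sum(history[ch]) / len(history[ch]) for ch in active}
        mid = median(smooth.values())
        if not diverging and max(smooth.values()) - min(smooth.values()) > SPREAD_WARN:
            diverging = True
            events.append((t, "airspeed sensors diverging"))   # early advisory
        retired = False
        for ch in sorted(active):
            far = abs(smooth[ch] - mid) > SPREAD_WARN
            outlier_run[ch] = outlier_run[ch] + 1 if far else 0
            if outlier_run[ch] >= RETIRE_AFTER and len(active) > 2:
                active.discard(ch)                              # slow comparison stage
                retired = True
                events.append((t, f"retiring airspeed sensor {ch}"))
        rest = [smooth[ch] for ch in active]
        if diverging and max(rest) - min(rest) <= SPREAD_WARN:
            diverging = False
            if not retired:
                events.append((t, "airspeed divergence ended"))
    return events

if __name__ == "__main__":
    for step, message in monitor(constructed_samples()):
        print(step, message)
```

On the constructed data the one-sample blip on channel B raises no advisory, while the steady decay on channel C produces the "diverging" message several samples before the "retiring" message.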