Historically, accidents have commonly been caused by misleading instrument readings. In 1996, Birgenair flight 301 crashed into the Pacific after a series of errors initiated by a failure of the captain’s ASI. In a similar accident, another Boeing 757, AeroPeru flight 603, crashed due to altimeter failure. The initial cause of the loss of Air France 447 was pitot icing.

In these cases, the crew actually had enough good information from the other instruments to diagnose the error and recover, but failed to do so under the stress of the emergency because of confusion over which instrument they should believe.
It seems to me that the risk of this kind of accident could be easily (and cheaply) reduced by the following expedient:

Nowadays, the readings of all the instruments are, or surely could be, made available as analogue or digital signals. It would be simple to apply these signals to a continuously-running mathematical model of the aircraft's behaviour, detect which of them is inconsistent with the state derived from the other instruments, and display the appropriate warning. Where instrument redundancy is provided (e.g. captain and co-pilot have independent ASI), this task becomes trivial. Input to the model from the functioning ASI would provide an internally self-consistent state: Input from the faulty one would not. I suggest that most single-point failures could be identified in this way, and even multiple failures (such as might result from damage or ice) could be detectable, if not identifiable.

As a mere earthbound engineer, this may already be current practice that I am unaware of. If it isn't, perhaps some qualified person on this forum could comment or suggest objections to the idea.

Sure, there are various warning systems that will advise of a disagreement between data sources. If you have three sources you can probably identify the faulty one (should be the odd one out, but possibly not), if you only have two then you’re a bit stuck.

As I see these problems, a pilot needs situational awareness.

This means that you are aware of what's going on right now.

AF447 pilot issues - look at the GPS ground speed right in front of your face. Has it changed? No. Then DO NOTHING.

The Birgenair with crazy airspeed and altitude - DO NOT climb above your Rad Alt and use your GPS GS to return for landing.

I'm not being wise after the event, my airline trained us in the sim for this stuff. More warning systems mean more potential failures. It's called AIRMANSHIP. Know your aircraft and know your systems. If you want to command a big jet know your stuff, do your homework. I'm retired now and I must say that I wasted countless hours armchair flying scenarios that never happened but what if they did? Your command means that you must have thought through all possible scenarios.

Historically, accidents have commonly been caused by misleading instrument readings. In 1996, Birgenair flight 301 crashed into the Pacific after a series of errors initiated by a failure of the captain’s ASI. In a similar accident, another Boeing 757, AeroPeru flight 603, crashed due to altimeter failure. The initial cause of the loss of Air France 447 was pitot icing.

In these cases, the crew actually had enough good information from the other instruments to diagnose the error and recover, but failed to do so under the stress of the emergency because of confusion over which instrument they should believe.
It seems to me that the risk of this kind of accident could be easily (and cheaply) reduced by the following expedient:

Nowadays, the readings of all the instruments are, or surely could be, made available as analogue or digital signals. It would be simple to apply these signals to a continuously-running mathematical model of the aircraft's behaviour, detect which of them is inconsistent with the state derived from the other instruments, and display the appropriate warning. Where instrument redundancy is provided (e.g. captain and co-pilot have independent ASI), this task becomes trivial. Input to the model from the functioning ASI would provide an internally self-consistent state: Input from the faulty one would not. I suggest that most single-point failures could be identified in this way, and even multiple failures (such as might result from damage or ice) could be detectable, if not identifiable.

As a mere earthbound engineer, this may already be current practice that I am unaware of. If it isn't, perhaps some qualified person on this forum could comment or suggest objections to the idea.
Airbus already has Digital Back Up Speed. It's calculated by inserting AoA, load factor and weight in the lift formula. It's not based on any anemometric data. It's accuracy is within 10 to 15kts. ADR speeds are compared against it. In case of all 3 ADR or Pitot-static sources failure you will be asked to switch to it. The altitude comes from GPS.

Nowadays, the readings of all the instruments are, or surely could be, made available as analogue or digital signals. It would be simple to apply these signals to a continuously-running mathematical model of the aircraft's behaviour, detect which of them is inconsistent with the state derived from the other instruments, and display the appropriate warning. Where instrument redundancy is provided (e.g. captain and co-pilot have independent ASI), this task becomes trivial. Input to the model from the functioning ASI would provide an internally self-consistent state: Input from the faulty one would not. I suggest that most single-point failures could be identified in this way, and even multiple failures (such as might result from damage or ice) could be detectable, if not identifiable.

I have no doubt that this concept could be implemented. However, the cost of development and certification of inovative designs can be huge. Airframers will continue to use tried and tested methods that already have approval until the certification requirements change.

You have already seen from replies to your post that pilots believe they have the training and experience to ignore misleading data and only use the valid data. The accident record would suggest that some flight crew were not as good at this as they may have thought they were.

Bottom line is that operators are reluctant to pay for any system enhancements that don't have a relatively short term economic advantage. Systems that increase safety but which are not required for certification don't sell well.

There is an important caveat in that everything that adds complexity also adds ways for things to go wrong. Such a calculated figure, when continuously used to validate the air-data derived figures, in itself is based on sensor input. What if that sensor fails? Another single point failure that you were trying to avoid. What if the calculation is somehow incorrect? As mentioned, training already covers partial panel situations where one or more parameters are not available or cannot be trusted. Any pilot should be able to provide the needed error-checking based on basic inputs such as power setting, attitude and environment, although the accident record does not show a perfect score.

The latest iteration of DBUS fitted to new A320s looks amazing. Brilliant technology all in.

Actually I think one of the bigger problems these days from a human factor standpoint is simulators are rarely as up to date as the aircraft so the latest whiz so bits of kit are present on the jet but one can’t actually train their use. My employer only has one of their sims with the old BUSS embodied so only a small portion of the pilot group will have seen it properly in the sim. None will see DBUS unless they get it for real.

Boeing 787 (and I assume all newer models of 777) has a mode where airspeed can be provided without air data using AoA and can provide GPS altitude if air data becomes suspect.
This happens automatically and without any switching required. A simple system that works very well.

As I see these problems, a pilot needs situational awareness.

This means that you are aware of what's going on right now.

AF447 pilot issues - look at the GPS ground speed right in front of your face. Has it changed? No. Then DO NOTHING.

The Birgenair with crazy airspeed and altitude - DO NOT climb above your Rad Alt and use your GPS GS to return for landing.

I'm not being wise after the event, my airline trained us in the sim for this stuff. More warning systems mean more potential failures. It's called AIRMANSHIP. Know your aircraft and know your systems. If you want to command a big jet know your stuff, do your homework. I'm retired now and I must say that I wasted countless hours armchair flying scenarios that never happened but what if they did? Your command means that you must have thought through all possible scenarios.

No argument with your premise, but why do pilots sometimes (more often than we want to admit) fail to maintain situational awareness?

I have a hypothesis. One reason pilots fail to maintain situational awareness is that flight control and even navigation is often being performed by automation. The regular attention to instruments necessitated while flying manually is still "expected" of instrument pilots when automation is in control, but pilots are human, and such attention is replaced by other distractions of sight and mind.

Automation is not the problem, but the effect it has on pilot awareness is and that's where a solution should be sought. Consider today's electronic displays compared to the "steam-gauge" instruments of yesteryear. A speed deviation on the steam gauge, for example, was far more apparent than one on the moving tape when you consider the "quick-glance" of an instrument scan. The information displayed on an EADI is probably superior, but deviations are much less obvious unless close attention is paid. And under automatic control, close attention is not often paid.

I'd suggest a few improvements to electronic displays are in order. Deviations from target values should be more conspicuous before they present a hazard. They should be detectable with a quick-glance, such that corrective action is taken earlier. An indication of deviation that grows even more conspicuous as the deviation grows could help the pilots become aware of them and correct them earlier before they become hazardous.

Today, only deviations that are considered hazardous are alerted. By then the pilots are surprised by them, perhaps unbelieving at first, and corrections may be delayed or fail to be taken at all.

The deviation indictation I propose should not be an alert, because the condition is not yet a hazard. The indication itself, should not have an audible or flashing character, but its appearance (color, size, shape) should be distinctly different than a non-deviation condition.

Food for thought.

[QUOTE=Jhieminga;11323725]There is an important caveat in that everything that adds complexity also adds ways for things to go wrong. Such a calculated figure, when continuously used to validate the air-data derived figures, in itself is based on sensor input. What if that sensor fails? Another single point failure that you were trying to avoid. What if the calculation is somehow incorrect? As mentioned, training already covers partial panel situations where one or more parameters are not available or cannot be trusted. Any pilot should be able to provide the needed error-checking based on basic inputs such as power setting, attitude and environment, although the accident record does not show a perfect score.[/QUOTE
I take your point.The pilot may well be able to identify an error - provided he has noticed it, and there is no too distracting emergency going on. However, as to failure, there are two ways for this proposed system to fail. 1) It could indicate an error where none exists- in which case no harm is done except to worry the pilot unnecessarily: or 2) It could fail to register an actual error, in which case the pilot is no worse off than he would have been without the system.
For certain multiple failures, I concede that the system might be able only to indicate a Best Guess at the unreliable subset of instruments, but the warning could indicate the uncertainty.