
AF447

Old 30th Jun 2009, 00:19
  #2521 (permalink)  
 
Join Date: Jun 2009
Location: Iowa
Posts: 9
@24victor

I certainly did read what you posted. Your definition of a single point failure, as applied to pitot tubes in this case, really doesn't make any sense. That is what I was trying to get at in my post. Saying that something which is triple redundant can have a single point failure because all three failed at once makes no sense. If ALL systems of a redundant system fail, that isn't a single point failure, it's really bad luck.

I see what you're getting at by saying that icing causes the single point failure behavior. However, each system is designed to mitigate these risks individually.

It's a design issue, not coping with some worse than expected environment, that makes a single point failure.
jeremiahrex is offline  
Old 30th Jun 2009, 00:24
  #2522 (permalink)  
 
Join Date: Jul 2000
Location: Thailand
Posts: 942
Following MacBearo's idea about using the RAT for speed reference; a piece of bendy plastic affixed to the windscreen with a few engraved lines on it might do just as well, but would not be very scientific.
If the situation is as surmised, pitot icing followed by an upset, then the ability to restore one's attitude becomes paramount. If all the sensors/instruments are giving erroneous/conflicting/confusing results then it is going to be next to impossible to establish which way is up.
Coupled with the piece of bendy plastic could be a small weight hanging on a strong thread attached to the fwd glareshield! Remember, gravity sucks.
Cost; about 40 pence.

Last edited by rubik101; 30th Jun 2009 at 01:13.
rubik101 is offline  
Old 30th Jun 2009, 00:25
  #2523 (permalink)  
 
Join Date: Jun 2009
Location: ATL
Age: 67
Posts: 131
triple redundant
Three pitots is double redundant, at best.

1. lose one, down to two - 1st level of redundancy, and singly redundant if you exclude human interaction.
2. IF one of the remainder disagree, the pilot chooses which one he likes - 2nd redundancy level, but only due to human interaction.
3. Lose the last one, no backup. System is doubly redundant.
ClippedCub is offline  
Old 30th Jun 2009, 00:29
  #2524 (permalink)  
 
Join Date: Mar 2002
Location: Florida
Posts: 4,569
Now that the potential for multiple pitot heads to be offlined by a single meteorological phenomenon has been clearly established by the recent spate of incidents, the current system, shown to have no redundancy to this catastrophic failure mode, becomes a single point of failure in the safety analysis and as such will have to be addressed.
I don't agree with the presumption that such a single point failure need be presumed catastrophic.

The idea is that you must have enough barriers (layers of cheese) in place to make it extremely improbable to end up catastrophic. So what we are looking for here in the investigation are evidences of other layers of assumptions that might have been at play here.
lomapaseo is offline  
Old 30th Jun 2009, 00:31
  #2525 (permalink)  
 
Join Date: Jan 2008
Location: Los Angeles
Posts: 27
As Mac'B said, pitot systems work well for the most part, are simple and reliable and understood by pilots, maintainers and designers alike. However, the recent spate of pitot system problems have highlighted a weakness in the design of the "system" in that it relies on multiple-instance of the same technology to achieve the necessary redundancy, and the validity of this reliance has been seriously brought into question.

If pitot icing of some description did overwhelm the system on AF447 it will most likely be declared to be a non-survivable event, one in which all redundant systems have failed. The fallacy in this though is that other similar events have proven survivable as long as there's daylight and a workable natural horizon for reference.

As to the technology change, it's not obvious to me what would be the way to go. One thing I do know, however, is that there's the opportunity for improved combinatorial logic using existing sensor fit that I would guess is being hammered out right now as we speak.

Rgds.
24V
24victor is offline  
Old 30th Jun 2009, 00:31
  #2526 (permalink)  
 
Join Date: Jun 2006
Location: Terra Firma
Posts: 224
24victor
An alternate system will need to be developed which delivers accurate airspeed without using M. Pitot's somewhat ancient approach.
Yes can be done. From basic aerodynamic theory it follows that velocity squared is inversely proportional to angle of attack. So when flying in a steady state (eg S+L) there is a one to one relationship between speed and angle of attack. So you could have software convert angle of attack into a calculated airspeed (might not be super accurate, but better than nothing) or better still, have the angle of attack displayed directly to the pilots.

If you lost all pitots, you would transition to using thrust to fly an optimum angle of attack (and hence indirectly an airspeed). Flying angles of attack instead of airspeed is routine stuff for modern fighters. For example on the F/A-18 when on final approach, the pilot does not fly a speed, but flies a constant angle of attack as displayed in the HUD.

The use of angle of attack in the event of a total loss of airspeed indications is discussed in this Boeing article:

Aero 12 - Angle of Attack

The relevant text is:

AOA backup indication following pitot or static system failures. The AOA instrument described in this article is useful as a backup for unreliable airspeed indication caused by pitot or static source blockage because the calculation of indicated AOA is not greatly affected by pitot or static pressure inputs for its calibration, and the displayed value has not been normalized.

Pitot or static system failure requires the flight crew to take several fundamental steps to resolve the problem (see "Erroneous Flight Instrument Information," Aero no. 8, Oct. 1999):

* Recognize an unusual or suspect indication.
* Keep control of the airplane with basic pitch and power skills.
* Take inventory of reliable information.
* Find or maintain favorable flying conditions.
* Get assistance from others.
* Use checklists.

Recognition of a problem will be accomplished by instrument scanning and cross-check practices or crew alerts, depending on the design of the system in the airplane. In this respect, AOA instruments can be useful as an additional cross-check.

Present procedures for unreliable airspeed call for flying the airplane by reference to pitch attitudes, and refer the pilots to reference tables showing pitch attitudes for various configurations, weights, and altitudes that will result in safe angles of attack and speeds. AOA could be useful if the relevant data is included in the pitch and power tables that already exist in the nonnormal checklist procedures. AOA would be most useful in flying the airplane in multiple failure conditions where all pitot or static sources are affected, making all airspeed indicators unreliable.

Care should be taken when flying the airplane by reference to AOA in lieu of airspeed. Control should be made by reference to pitch attitude, using AOA as a cross-check to ensure that the pitch attitude results in the desired speed or AOA. Attempting to follow AOA or speed indications too closely without stabilizing the airplane in pitch can lead to an oscillatory flight path.

Last edited by Bleve; 30th Jun 2009 at 00:53.
Bleve is offline  
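The relationship Bleve describes (in steady flight, airspeed squared varies inversely with angle of attack) follows from the lift equation: n·W = ½ρV²S·CL with, on the linear part of the lift curve, CL = CLα·(α − α0), so V² ∝ 1/(α − α0). The following is an added example, not part of any post above and not Airbus or Boeing code, that carries that derivation through in both directions and shows the two caveats the Boeing text warns about: the conversion only holds in steady flight (the same AoA corresponds to a higher speed under load factor), and it breaks down entirely when the implied lift coefficient is not positive. All numbers (200 t, FL350 density, wing area, lift-curve slope, zero-lift angle) are constructed, rounded assumptions, not AF447 data.

```python
import math

KT_PER_MPS = 1.943844  # knots per metre per second


def lift_coefficient(alpha_deg, cl_alpha_per_deg, alpha0_deg):
    """Linear, pre-stall lift curve: CL = CL_alpha * (alpha - alpha_0)."""
    return cl_alpha_per_deg * (alpha_deg - alpha0_deg)


def airspeed_from_aoa(weight_n, rho, wing_area_m2, alpha_deg,
                      cl_alpha_per_deg, alpha0_deg, load_factor=1.0):
    """True airspeed (m/s) at which a given angle of attack supports the aircraft.

    Steady flight:  n * W = 0.5 * rho * V^2 * S * CL
                =>  V = sqrt(2 * n * W / (rho * S * CL))
    Raises ValueError when the implied CL is not positive: there is then no
    steady-state speed, and the AoA reading cannot be turned into an airspeed.
    """
    cl = lift_coefficient(alpha_deg, cl_alpha_per_deg, alpha0_deg)
    if cl <= 0:
        raise ValueError("angle of attack implies no positive lift; no steady-state speed")
    return math.sqrt(2.0 * load_factor * weight_n / (rho * wing_area_m2 * cl))


def aoa_from_airspeed(weight_n, rho, wing_area_m2, tas_mps,
                      cl_alpha_per_deg, alpha0_deg, load_factor=1.0):
    """Inverse: the angle of attack needed to hold steady flight at a given TAS."""
    cl = 2.0 * load_factor * weight_n / (rho * wing_area_m2 * tas_mps ** 2)
    return alpha0_deg + cl / cl_alpha_per_deg


# Constructed, rounded cruise case (assumed values, not flight data).
CASE = dict(
    weight_n=200_000 * 9.81,   # 200 t aircraft
    rho=0.38,                  # kg/m^3, roughly ISA density at 35,000 ft
    wing_area_m2=362.0,        # assumed wing area
    cl_alpha_per_deg=0.10,     # assumed lift-curve slope, per degree
    alpha0_deg=-1.5,           # assumed zero-lift angle of attack
)


def cruise_speed_kt(alpha_deg, load_factor=1.0):
    """TAS in knots for the constructed case at a given AoA and load factor."""
    return airspeed_from_aoa(alpha_deg=alpha_deg, load_factor=load_factor, **CASE) * KT_PER_MPS


if __name__ == "__main__":
    for a in (2.0, 3.5, 5.0):
        print(f"AoA {a:4.1f} deg, 1 g    -> TAS {cruise_speed_kt(a):6.1f} kt")
    # Same AoA in a 1.5 g pull-up: the speed it corresponds to rises by sqrt(1.5),
    # which is why AoA is a cross-check on pitch and power, not a substitute for them.
    print(f"AoA  3.5 deg, 1.5 g  -> TAS {cruise_speed_kt(3.5, 1.5):6.1f} kt")
```

With the constructed numbers, 3.5 deg at 1 g comes out near 464 kt TAS, and quartering (α − α0) doubles the speed, which is the inverse-square relationship in Bleve's post. The lookup is exact only in unaccelerated flight; in turbulence, where load factor is changing second by second, the same AoA maps to a band of speeds, which is the reason the Boeing text says to fly pitch attitude and use AoA as a cross-check.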
Old 30th Jun 2009, 00:31
  #2527 (permalink)  
 
Join Date: Jun 2001
Location: East of the Sun & West of the Moon
Posts: 286
Quote Graybeard:

The safety analysis done in the design phase obviously accounted for a single pitot failure, for all conceivable reasons. Could the safety analysis not have considered the possibility of all three freezing over nearly at once, at night, in cruise?

Couldn't Otto have been made smart enough to recognize a drop in all three measured airspeeds with little or no change of angle of attack? He should be able to fly pitch and power as good as a pilot could.
Quote Will Fraser:

Or couldn't he have ignored the drop of two and relied on the one not changing rate?? Instead there is 'Disagree' when one might have been 'reliable'?? That one could remain serviceable but be dropped as a disagreeable partner means there aren't actually three independent samplers?? IOW, could a 'pair' be 1,1a, where a is two seconds ago, meaning consistency? After all, stability can be sampled as well as rate of change, or fault.
Quote ClippedCub:

Great point Graybeard. I'm still trying to figure out why a system with five computers, quadruply redundant, only had 3 pitots and statics, double redundancy. Plenty of lesser planes have four pitots.
This discussion is becoming schizophrenic. First it's "the computers take too much control away and make too many decisions" and now it's "they should be able to retain control and make decisions even when the basic data they use to operate has become seriously corrupted or unreliable". Which do you want?

The pilot and the "computer" each have differing strengths. The design goal has to be to make optimum use of both. In the instance of a particular stream of data from 3 different sources becoming simultaneously different or uncertain you have a situation that most often, using a pilot's awareness of the total dynamic situation, will be solvable fairly quickly and without serious adverse input (though there have been exceptions, Birgenair & AeroPeru, etc.). But, for a computer which has limited capacity to "understand" the broader situation beyond the data streams, trying to code an algorithm that would correctly identify which data source, if any, was correct 100% of the time would be, if not impossible, then probably impossible to do within the time frame of a safe response. There would be a much higher possibility of an adverse control input and the pilot's judgement would not have been accessed at exactly the point where it becomes most valuable.

Using more sources won't resolve the problem, as in addition to the problem of 3 suffering the same failure you now also face the problem of ties where 2 say this and 2 say that, or 3 are simultaneously experiencing the same error but the 1 or 2 in minority are actually providing the accurate data. How would you cope with that scenario ... with even more complexities of logic.

The simplest, and in my opinion best answer to the problem is to let the pilot do the job of distinguishing good from bad in such rare instances. When they've isolated the bad data the good data can then be used by the remaining available systems.

ELAC
ELAC is offline  
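The exchange above (Graybeard's "drop in all three with little or no change of angle of attack", Will Fraser's idea of also sampling each channel against its own recent history, and ELAC's objections about ties and about a correct minority being outvoted) can be made concrete. The following is an added example, not code from any poster and not Airbus flight-control logic: a cluster voter that generalises the three-channel case to any number of channels, plus the one extra check that catches the common-mode case the voter is blind to. The thresholds (16 kt disagreement band, 5 kt/s maximum plausible speed change in cruise, 0.5 deg AoA tolerance) and the airspeed samples are constructed assumptions.

```python
from statistics import mean

DISAGREE_KT = 16.0        # assumed: channels further apart than this are not "the same reading"
MAX_RATE_KT_PER_S = 5.0   # assumed: fastest airspeed change the aircraft can physically make in cruise
AOA_TOL_DEG = 0.5         # assumed: AoA change small enough to count as "unchanged"


def vote(readings, threshold=DISAGREE_KT):
    """Group channels whose readings lie within `threshold` of each other, trust the
    largest group and reject the rest. Works for any number of channels.
    Returns (selected_value, status, rejected_channel_indices)."""
    order = sorted(range(len(readings)), key=lambda i: readings[i])
    clusters = []
    for i in order:
        if clusters and readings[i] - readings[clusters[-1][0]] <= threshold:
            clusters[-1].append(i)
        else:
            clusters.append([i])
    clusters.sort(key=len, reverse=True)
    if len(clusters) > 1 and len(clusters[0]) == len(clusters[1]):
        # No majority (2 vs 2, or 1 vs 1 vs 1): more channels do not help here.
        return None, "DISAGREE", list(range(len(readings)))
    best = clusters[0]
    rejected = sorted(set(range(len(readings))) - set(best))
    return mean(readings[i] for i in best), ("OK" if not rejected else "REJECTED"), rejected


def common_mode_check(prev, cur, prev_aoa, cur_aoa, dt=1.0):
    """The case the voter cannot see: every channel jumps together, faster than the
    aircraft can change speed, while angle of attack is steady. The channels agree
    with each other but not with the physics."""
    rates = [(c - p) / dt for p, c in zip(prev, cur)]
    same_direction = all(r < 0 for r in rates) or all(r > 0 for r in rates)
    all_too_fast = all(abs(r) > MAX_RATE_KT_PER_S for r in rates)
    aoa_steady = abs(cur_aoa - prev_aoa) <= AOA_TOL_DEG
    return same_direction and all_too_fast and aoa_steady


def run(series):
    """series: list of (readings_kt, aoa_deg), one sample per second.
    Returns per-step (selected_value, status, rejected_indices)."""
    out = []
    for t, (readings, aoa) in enumerate(series):
        value, status, rejected = vote(readings)
        if t > 0 and common_mode_check(series[t - 1][0], readings, series[t - 1][1], aoa):
            value, status = None, "COMMON_MODE"
        out.append((value, status, rejected))
    return out


# Constructed airspeed samples in knots (three channels), not flight-recorder data.
SAMPLE_SERIES = [
    ([270.0, 271.0, 269.0], 2.5),   # t=0 normal cruise
    ([270.0, 270.0, 268.0], 2.5),   # t=1 still normal
    ([240.0, 245.0, 238.0], 2.5),   # t=2 all three drop ~30 kt in 1 s, AoA unchanged
    ([100.0, 105.0, 250.0], 2.6),   # t=3 two iced channels agree; the good one is outvoted
]

if __name__ == "__main__":
    for t, (value, status, rejected) in enumerate(run(SAMPLE_SERIES)):
        print(f"t={t}s  voter: {status:<11} value={value}  rejected={rejected}")
```

At t=2 the plain voter reports OK, because three blocked probes agree with each other perfectly well; only the rate-of-change check against AoA flags it. At t=3 the voter does exactly what Will Fraser worries about: the two channels with the same failure outvote the one that is still right. The checks can detect that something is wrong; they cannot, as ELAC says, tell the computer which value to fly, which is why the outcome in the example is a flag and not a substituted airspeed.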
Old 30th Jun 2009, 00:31
  #2528 (permalink)  
 
Join Date: Jan 2008
Location: US
Posts: 22
@jeremiahrex: I think the phrase you're looking for is "common-mode failure"?
BobT is offline  
Old 30th Jun 2009, 00:37
  #2529 (permalink)  
 
Join Date: Jan 2008
Location: Los Angeles
Posts: 27
Correct. A triplex system is three-selectable but dual-redundant - my apologies. As to the single-point-of-failure issue, the near-simultaneous failure of a three channel system due to a single cause is indeed a single point of failure to the system, no matter what the textbooks may say.

Rgds.
24V
24victor is offline  
Old 30th Jun 2009, 00:43
  #2530 (permalink)  
 
Join Date: Apr 2009
Location: Petaluma
Posts: 330
ELAC

If a computer uses sampled data from three sources, but must have agreement from two for a parameter, isn't it singly redundant? If one drops out, the only pair left have to agree. I was offering an emergency mode, and I still think it makes sense, were there indeed three blocked pitots? If it's important to have three, but eliminate a possible parameter supplied by one, wouldn't that be self defeating? In the absence of another pitot, and tossing a baby out with the bathwater is fatal, what am I missing??

I may seem to be opposed to computers, I am not, being highly critical doesn't mean I propose their demise.
Will Fraser is offline  
Old 30th Jun 2009, 00:51
  #2531 (permalink)  
 
Join Date: Mar 2002
Location: Florida
Posts: 4,569
Now that the potential for multiple pitot heads to be offlined by a single meteorological phenomenon has been clearly established by the recent spate of incidents, the current system, shown to have no redundancy to this catastrophic failure mode, becomes a single point of failure in the safety analysis and as such will have to be addressed.
I don't agree that such a failure condition (common mode or single point) need be considered catastrophic

The idea is that you must have enough presumed barriers present to make it extremely improbable to result in a catastrophe.

So even if the pitot icing is presumed to be present the investigation need examine all the other presumed barriers that might have been overcome.
lomapaseo is offline  
Old 30th Jun 2009, 01:10
  #2532 (permalink)  
 
Join Date: Jan 2008
Location: Los Angeles
Posts: 27
I don't agree that such a failure condition (common mode or single point) need be considered catastrophic
I agree it can be recovered, and it is a survivable failure if the environment is benign, as has been shown. Nighttime, no moon, CBs up the wazoo is a different matter.

What's strange though is the recent rash of documented problems. Why now all of a sudden and why the A330?

I'm puzzled.....

24V
24victor is offline  
Old 30th Jun 2009, 02:06
  #2533 (permalink)  
 
Join Date: Sep 2002
Location: La Belle Province
Posts: 2,179
To support ELAC's point.

In certification terms, we are simply not allowed to retain any systems "in the loop" - whether they be software or hardware - when they are reduced to "taking their best guess" which is what a computer system (just as a pilot) would be reduced to doing when faced by multiple contradictory data sources.

It might seem unfair, but the regulations allow us (the designers) to assume god-like omnipotence from the flight crew when required. We have to assume that systems can fail - but that pilots will unerringly follow the appropriate procedures and, when required to pull a rabbit from a hat, will invoke "airmanship" and all will be well.

A trifle facetious, but given a situation where a pilot might make the right choice 99% of the time, and a software system 99.9% of the time, if the consequences of error are catastrophic I am more-or-less forced to dump the problem in the pilot's lap, because while it's acceptable for the pilot error rate to be 1%, a software catastrophic failure rate of 0.1% would never, ever, be certifiable.

Add to this that it's essentially impossible for the software to cater for all combinations, and it becomes essential for the s/w to at some point "give up" and hope that the pilot can get himself out of trouble.

It's as if the software systems were a reliable and skilled trainee, but somewhat wet behind the ears in terms of thinking outside the box. It at least is pretty good at realising when it's outside its "skill level" and at handing back control.
Mad (Flt) Scientist is offline  
Old 30th Jun 2009, 02:19
  #2534 (permalink)  
 
Join Date: Mar 2002
Location: Florida
Posts: 4,569
Mad (Flt) Scientist

A trifle facetious, but given a situation where a pilot might make the right choice 99% of the time, and a software system 99.9% of the time, if the consequences of error are catastrophic I am more-or-less forced to dump the problem in the pilot's lap, because while it's acceptable for the pilot error rate to be 1%, a software catastrophic failure rate of 0.1% would never, ever, be certifiable.

Add to this that it's essentially impossible for the software to cater for all combinations, and it becomes essential for the s/w to at some point "give up" and hope that the pilot can get himself out of trouble.
Well said

Now we really do need the pilot error rate verified in this combination and even more important we need to understand if there is a conditional failure lurking that was not considered.

Such a conditional failure might be an unanticipated additional system failure given that one encounters presumed turbulence at night and presumed ice crystals and a presumed failure of the speed measuring system and its cascading computer effects with a 99% crew.

So where is the key that is being missed, or do we have something completely different than the above presumptions?

Data, I want more data: what other combinations were at play in the other events?
lomapaseo is offline  
Old 30th Jun 2009, 04:49
  #2535 (permalink)  
 
Join Date: Jun 2009
Location: Iowa
Posts: 9
Ironically, the tools of the trade really haven't changed much since the days of the A330. Airbus published a series of papers on their fly by wire system. I do not work in the airline industry directly, I do UAV work designing control systems. It's interesting when I talk to friends who do work for Rockwell Collins and such. They use the same tools I do when I design control systems. A330 used automatic code generation which I have also been using. Things have improved in usability and such as anyone would expect. Most of this isn't an issue of raw horsepower, but of design tools. A redesigned A330 would probably use a different digital bus, serial buses would be ethernet or optical, but the control laws would be very similar.

My point is that I think the design would be similar today because there is a reason they made the choices they did. I'd really love to talk to some of the Airbus designers.
jeremiahrex is offline  
Old 30th Jun 2009, 06:52
  #2536 (permalink)  
Nightrider
Guest
 
Posts: n/a
If all the systems, especially the pitot / static, gave up their dedicated jobs the aircraft falls back into direct pilot mode... Given the fact that at about 04:10 French summertime the alert level of any European is not at the peak level, it will be too easy to blame any human being at the controls for taking wrong actions based on wrong assumptions / identification.
We need to stop speculating about this as there is absolutely no evidence to this.
We do not even know for sure which presentation of individual problems was available to the crew, all guessing so far.

What caught my attention, as I am not an AB pilot, was the position of the pitot probes and TAT probes, as seen on the photo posted by PJ2 in #2529.
They are all located very much on the lower side of the fuselage as well as very far forward. With an approximately 3 deg nose-up attitude in cruise (as I recall to have read here somewhere), a slow down in speed (as may be assumed due to turbulence induced climb) will expose these probes even more prominently to any weather condition the aircraft is facing.
It looks on the photo as if the captain's pitot probe and TAT probe as well as the stby pitot probe are less than a meter apart; excluding FOD as there is no evidence which allows hail to be assumed, there still remains the icing possibility, a fact which is obviously ascertained due to the various bulletins and modifications in force / progress.
Again, I am no AB pilot, but where are the pitot / TAT probes on the 340, are they at the same location?
May a different location of said items provide better protection, i.e. middle of fuselage behind window 3 and L1 door?
 
Old 30th Jun 2009, 07:44
  #2537 (permalink)  
 
Join Date: Jun 2009
Location: NZCH
Age: 55
Posts: 175
Received 0 Likes on 0 Posts
Re-Ordered ACARS Messages

Having kept a close eye on a.net forums, I have noticed that two pilots who regularly post sane comment about this issue have done a lot of work to try and figure out what may have happened.


One poster (Mandala499) who is probably the most sane guy there, has done a good job of trying to figure out the timeline of the ACARS messages and re-order them according to their respective time stamps.

I have shamelessly (sorry Mandala) copied his good work here in order that someone on PPRuNe may make more sense (or gain a better insight) as to what went on at the time these messages were sent?

This is the list reordered...

0209 START
0210 34-11-15-0 FLR EFCS2
EFCS1, AFS - PROBE PITOT 1+2/2+3/1+3 (9DA)
9DA=HEATING ELEMENT PITOT 1 (6DA1/PHC1)
Heating Element Pitot 1 suspected failed.

0210 27-93-34-0 FLR EFCS1
EFCS2-FCPC2(2CE2) WRG:ADIRU1 BUS ADR1-2 TO FCPC2
No Data from ADIRU 1, ADR 1 & 2 not sending signal to FCPC2
No ADR Data from ADIRU 1 to PRIM2.

0210 27-90-45-5 WRN MXSTAT
EFCS1
ERROR NOTICED - Air Data Fluctuation/Inconsistency

0210 27-90-45-0 WRN MXSTAT
EFCS2
ERROR NOTICED - Air Data Fluctuation/Inconsistency

0210 22-10-00-0 WRN AUTO FLT
AP OFF
Autopilot Shut off for safety, result loss of 2 Valid Air Data Channels.
This prevents faulty Air Data from affecting autopilot into making the wrong actions.
Commence AP/FD FAULT ISOLATION PROCEDURE
System Filter & Check:
- DISAGREE AOA Sensor Data in FCPCs
- DISAGREE PITOT PROBE Data in FCPCs
- FAIL ADIRU 1 and 2
- FAIL ADIRU 1 and 3
- FAIL ADIRU 2 and 3
- FAIL ADIRUs

0210 22-62-01-0 WRN AUTO FLT
REAC W/S DET FAULT
Loss of 2 ADRs, autopilot cannot provide Windshear Protection.

0210 27-91-00-5 WRN F/CTL
ALTN LAW
2 ADR REJECTED, NAV DISAGREE NOT YET CONCLUDED - FAULT ISOLATION IN PROGRESS

0210 22-83-00-2 WRN FLAG
LEFT PFD LIMIT
Rejected ADR still feeding data to PFD
If there is valid ADR, it's not being selected for LEFT seat.

0210 22-83-01-2 WRN FLAG
RIGHT PFD SPD LIMIT
Rejected ADR still feeding data to PFD
If there is valid ADR, it's not being selected for RIGHT seat.

0210 22-30-02-5 WRN AUTO FLT
A/THR OFF
Autothrust Shut off for safety, result loss of 2 Valid Air Data Channels.
This prevents faulty Air Data from affecting Autothrust into making the wrong actions.

0210 34-43-00-5 WRN NAV
TCAS FAULT
Loss of ADR1 to Transponder 1 (if selected) or Loss of ADR2 to Transponder2 (if selected)
Loss of Mode C.
This is downstream of loss of ADR.

0210 22-83-00-1 WRN FLAG
LEFT PFD NO F/D
Automatic Flight System (AFS/FMGC) loss of 2 ADR sources.
Safety mechanism, prevents erroneous F/D for pilot to follow

0210 22-83-01-1 WRN FLAG
RIGHT PFD NO F/D
Automatic Flight System (AFS/FMGC) loss of 2 ADR sources.
Safety mechanism, prevents erroneous F/D for pilot to follow

0210 27-23-02-0 WRN F/CTL
RUD TRV LIM FAULT
Loss valid of ADR Data (require 2 ADRs) for FMGC/AFS
FMGC Flight Envelope Module locks in Rudder Travel for safety.

0211 34-12-34-0 FLR IR2
EFCS1X,IR1,IR3, ADIRU2 (1FP2)
ADIRU2(1FP2) - ADR2 self monitoring & PHC rejects own data
Loss of discrete data from ADR2 = PITOT 2, STATIC 2L, STATIC 2R, TAT 2, AOA 2.
NAV DISAGREE CONCLUSION DELAYED - ADDITIONAL FAILURES - RECOMMENCE FAULT ISOL

0211 34-12-00-0 FLR ISIS
ISIS (22FN-10FC) SPEED OR MACH FUNCTION
SUSPECT LOSS OF ADIRU1 AND/OR ADIRU3 FOR ISIS MACH
Suspect Loss of ADIRU3
NAV DISAGREE CONCLUSION DELAYED - ADDITIONAL FAILURES - RECOMMENCE FAULT ISOL

0211 34-12-00-1 WRN FLAG
LEFT PFD NO FPV

0211 34-12-01-1 WRN FLAG
RIGHT PFD NO FPV

0212 34-10-40-0 WRN NAV
ADR DISAGREE
NAV DISAGREE DISCOVERED - FAULT ISOLATION COMPLETED
Due to no further ADR faults occurring.

0213 27-90-02-5 WRN F/CTL
PRIM1 FAULT

0213 27-90-04-0 WRN F/CTL
SEC1 FAULT

0213 22-83-34-9 FLR AFS
FMGEC1(1CA1)

0214 34-10-36-0 WRN MXSTAT
ADR2
RESULT OF 32-12-34-0

0214 21-31-00-2 WRN ADVSRY
CABIN VERTICAL SPEED
LOSS OF ADR DATA

Open to comments?
Desert Dawg is offline  
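The list above has a regular shape: a header line of the form `HHMM AA-BB-CC-D FLR|WRN SOURCE`, followed by free-text annotation lines. The following is an added example, not code from Desert Dawg or Mandala499 and not any airline or manufacturer tool, that parses that shape, re-sorts by time stamp (which is the re-ordering Mandala499 did by hand), and answers the questions one would ask of such a list: how many messages per minute, how many fault reports versus warnings, and in what order the fault reports appeared. The two-digit prefix of each code is read as the standard ATA 100 chapter number (21 Air Conditioning, 22 Auto Flight, 27 Flight Controls, 34 Navigation); that mapping is an assumption of the example, and FLR/WRN are treated simply as the fault/warning distinction the list itself makes. The embedded sample is a constructed subset of the list above: the header lines plus a few annotation lines.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumed: two-digit prefixes read as ATA 100 chapter numbers.
ATA_CHAPTER = {
    "21": "Air Conditioning",
    "22": "Auto Flight",
    "27": "Flight Controls",
    "34": "Navigation",
}

HEADER = re.compile(
    r"^(?P<time>\d{4}) (?P<code>\d{2}-\d{2}-\d{2}-\d) (?P<kind>FLR|WRN) (?P<source>.+)$"
)
MARKER = re.compile(r"^\d{4} START$")


@dataclass
class AcarsMessage:
    time: str
    code: str
    kind: str      # FLR (fault report) or WRN (warning), as the list distinguishes them
    source: str
    text: list     # annotation lines that followed the header

    @property
    def chapter(self):
        return ATA_CHAPTER.get(self.code[:2], "ATA " + self.code[:2])


def parse_acars(raw):
    """Header lines become messages; any other non-blank line attaches to the
    message before it; 'HHMM START' markers are skipped. Result is sorted by
    time stamp with a stable sort, so same-minute order is preserved."""
    messages, current = [], None
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            current = AcarsMessage(m["time"], m["code"], m["kind"], m["source"].strip(), [])
            messages.append(current)
        elif MARKER.match(line):
            current = None
        elif current is not None:
            current.text.append(line)
    return sorted(messages, key=lambda msg: msg.time)


def count_by_minute(messages):
    return dict(sorted(Counter(msg.time for msg in messages).items()))


def count_by_kind(messages):
    return dict(Counter(msg.kind for msg in messages))


def faults(messages):
    """Sources of the FLR messages, in time order: the reporting systems, not the warnings."""
    return [msg.source for msg in messages if msg.kind == "FLR"]


# Constructed sample: the header lines from the list above plus a few annotation lines.
SAMPLE = """\
0209 START
0210 34-11-15-0 FLR EFCS2
EFCS1, AFS - PROBE PITOT 1+2/2+3/1+3 (9DA)
9DA=HEATING ELEMENT PITOT 1 (6DA1/PHC1)
0210 27-93-34-0 FLR EFCS1
EFCS2-FCPC2(2CE2) WRG:ADIRU1 BUS ADR1-2 TO FCPC2
0210 27-90-45-5 WRN MXSTAT
0210 27-90-45-0 WRN MXSTAT
0210 22-10-00-0 WRN AUTO FLT
AP OFF
0210 22-62-01-0 WRN AUTO FLT
0210 27-91-00-5 WRN F/CTL
0210 22-83-00-2 WRN FLAG
0210 22-83-01-2 WRN FLAG
0210 22-30-02-5 WRN AUTO FLT
0210 34-43-00-5 WRN NAV
0210 22-83-00-1 WRN FLAG
0210 22-83-01-1 WRN FLAG
0210 27-23-02-0 WRN F/CTL
0211 34-12-34-0 FLR IR2
0211 34-12-00-0 FLR ISIS
0211 34-12-00-1 WRN FLAG
0211 34-12-01-1 WRN FLAG
0212 34-10-40-0 WRN NAV
ADR DISAGREE
0213 27-90-02-5 WRN F/CTL
0213 27-90-04-0 WRN F/CTL
0213 22-83-34-9 FLR AFS
0214 34-10-36-0 WRN MXSTAT
0214 21-31-00-2 WRN ADVSRY
"""

if __name__ == "__main__":
    msgs = parse_acars(SAMPLE)
    print("per minute:", count_by_minute(msgs))
    print("by kind:   ", count_by_kind(msgs))
    print("faults:    ", faults(msgs))
    for msg in msgs:
        print(msg.time, msg.code, msg.kind, msg.chapter, "-", msg.source)
```

Run against the sample, the parser finds 24 coded messages, 14 of them in the 0210 minute, with five fault reports (EFCS2, EFCS1, IR2, ISIS, AFS) and nineteen warnings; the minute-by-minute counts are what the reordered list is meant to show, a burst of air-data related messages at 0210 followed by a tail of consequential ones.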
Old 30th Jun 2009, 08:07
  #2538 (permalink)  
 
Join Date: Jan 2008
Location: s28e153
Posts: 199
Your nice pic needs editing, the LOC antenna is an old towel rail under the radome, lol.
What you are pointing at there, is the icing detectors.
Makes one wonder if the ECAM warnings were indicating 'severe icing'?

Last edited by division1; 30th Jun 2009 at 08:29.
division1 is offline  
Old 30th Jun 2009, 08:32
  #2539 (permalink)  
 
Join Date: May 2002
Location: In a nice house
Posts: 981
Only 2 things to throw in to the mix.

The complete physical loss of an AOA probe can cause incorrect warnings - it has been known for the loss of this to cause a stall warning to occur, amongst other things.

Someone mentioned the OPC/LPC items and how it's not always the best to train - suggest reading/ encouraging your airline to adopt ATQP, which is used by BA, Thomas Cook, EasyJet, Virgin and shortly to be used by Thomson. This is a more specific version of the LPC/OPC, I understand it is tailored towards the airline and the individual pilot.
Airbus Girl is offline  
Old 30th Jun 2009, 08:44
  #2540 (permalink)  
 
Join Date: Jan 2008
Location: London, England
Age: 56
Posts: 300
Originally Posted by ClippedCub:
Three pitots is double redundant, at best.

1. lose one, down to two - 1st level of redundancy, and singly redundant if you exclude human interaction.
2. IF one of the remainder disagree, the pilot chooses which one he likes - 2nd redundancy level, but only due to human interaction.
3. Lose the last one, no backup. System is doubly redundant.
That is not strictly true. The level of redundancy is a count of the available resources, not the number you can afford to lose. Where you have three sensors, i.e. three pitot sensors, all of them are redundant, i.e. none of them are essential on their own for the system to work, therefore you have triple redundancy. It would take three failures for a triple redundant system to become inoperative.
MacBoero is offline  

