Quote:
Originally Posted by Fuzz
We will have to see what the recorder says. If it shows the override switches were never thrown, then pilot error looks to be a big part of it. I don't really think a sensor failure fail mode should be "auto-crash" though. That seems like a big oversight.
I don't work on planes, but if you look at a process plant or oil facility you would have gone through a hazard assessment to evaluate how effective your safety systems are in the event of a malfunction. In process plants a sensor failure might have a 1/10yr chance of occurring, and if, combined with that, a failure would cause multiple fatalities, you would likely have to have 3 independent layers of protection that would stop the event from happening, only one of which could be operator intervention.
From the articles about the Lion Air crash, a single instrument failure caused the crash with the only safeguard being operator intervention, and the operators did not have a procedure for what that intervention should be because no one told them how the controls would function.
No facility in Alberta would allow its workers to work under such conditions.
At a minimum you would expect to see independent sensors tied to independent control loops which have some sort of verification structure for when the two sensors disagree. A sensor failure that causes the plane to crash without operator intervention is not safe.