Why is not every airplane equipped with 3 angle-of-attack sensors?

Question

For critical systems, redundancy is built into the system. It is common knowledge among designers/architects to have three different inputs so in case one is faulty, input from the remaining two can be used to find (and shut off possibly) the faulty one (two against one).

Why is not every airplane equipped with 3 angle-of-attack sensors and triple modular voting when these devices are critical for the safety?

@DeepSpace: A320 has three, then again when two fail, the system thinks the third (good) one has failed. — , Mar 14 '19 at 09:28
Not only A320, all airbus aircraft have 3 AoA sensors. A350 even has additional 4th AoA sensor. — Mad Max, Mar 14 '19 at 10:49
Interesting. Would be nice to know how 3 to 4 AoA sensors are being read out. It could be 2 per pilot, and still no TMR. Related question: https://aviation.stackexchange.com/questions/60972/is-it-common-for-automated-control-systems-to-use-non-redundant-sensors?rq=1 — bogl, Mar 14 '19 at 12:00
From what I know, each 3 AoA sensors is connected to each of 3 ADIRUs. ADIRUs decide when to switch functionality internally based on input received by them. For A350, 4th AoA probe is connected directly to FCGS computer. — Mad Max, Mar 14 '19 at 12:27
@ymb1 Isn't that the case only when two fail in such a way that they provide the same value? If two out of three were to randomly fail, it seems pretty likely that they would fail in such a way that they provide different values, if any at all. IIRC, 888T was a common-mode failure: water freezing, presumably at about the same time in each. — user, Mar 14 '19 at 15:32
If the NY Times is correct, there is actually only one AoA sensor connected to the MCAS system at a time, and the option to switch this between the two sensors. — , Mar 14 '19 at 16:16
The statement that a faulty AoA sensor is the cause of either crash has not been confirmed by the investigators or regulators. — GdD, Mar 14 '19 at 16:35
Both the Lion Air and Ethiopian Air crashes are still under investigation; as such, this question is off-topic. — Vikki, Mar 15 '19 at 03:58
@Sean The question isn't about the crashes (especially as edited) so I don't think this is off-topic. — David Richerby, Mar 15 '19 at 10:40
The MQ9 Reaper had 3 AOA sensors. Also, the B2 bomber has 3, but it's crash in Guam is (I believe) due to all three giving bad AOA readings. Theory on redundancy is if the same mechanic is working on all three... — MikeY, Mar 21 '19 at 03:17
Do you really mean "every airplane"? Because if you include GA the answer is obviously cost and necessity: Cost is prohibitive and they aren't necessary. I might suggest you edit this to narrow down the type aircraft where you think having 3 sensors would make sense. — Michael Hall, Aug 12 '20 at 18:00

score 15 · Answer 1 · answered Mar 14 '19 at 08:12

Triple redundancy is necessary to detect a fault and exclude it. The system then continues to operate through the fault. Double redundancy is used to detect a fault but cannot exclude it, so the system stops operating. The important fact is that the faults they actually detect are identical.

Stall events are rare and are normally not expected in flight. There is no immediate hazard if handling augmentation or stall warnings are disabled. Therefore, there is no need for triple redundancy.

Simply put, if the system detects an AoA discrepancy, it can simply trip off and stay off until it is repaired on the ground.

If the double redundant system is ideally designed, then only a simultaneous fault will escape detection. Note too that if the same simultaneous fault occurs to two sensors in a triple redundant system, then it will also escape detection because it will outvote the correctly operating sensor. Therefore, both systems share the exact same failure mode.

Double and triple simultaneous faults can and do occur with common causes including environmental factors (AF 447), maintenance errors (XL 888), and birdstrikes (US 1549). It also allows faults in the voting logic (QF 72). Both recent AF and XL fatal accidents are signs of an overreliance of buying 3 of the same box and then calling it "safe".

"only a simultaneous fault will escape detection" Only if they fail in the same way. Suppose two sensors, one reading -1 and the other reading +1; you can know they are reporting different values, but without additional knowledge, you cannot know which one is correct. In the case of three sensors, if the value set is (+1, +1, -1) you can reasonably (see XL888T) conclude that the -1 is in error; however, if the value set is (+1, 0, -1) you cannot conclude which, if any, of the values are right or wrong. — user, Mar 14 '19 at 15:37
Whether faults are truly independent is another matter. Multiple AOA sensors are likely to have been made by the same factory (and probably around the same time), maintained by the same mechanics and are flying through the same air. That radically increases the odds of common mode failures, which will defeat any redundancy system. — StephenS, Apr 03 '19 at 15:06
@aCVn While true, AoA sensors failing simultaneously will almost certainly fail in much the same way: the only way they can realistically fail is through blockage (eg ice or debris). Ice buildup, for example, is likely to impact similar sensors in a similar way (see: AF447) — Jon Story, Apr 03 '19 at 15:06

bogl · Answer 2 · 2019-03-14T10:05:27.797

8

Two AoA sensors are more reliable than three!

Let's have a look at probability calculation, and assume the fault probability of one sensor to be p = 0.1 % (per flight, or whatever you like to choose). The probability of the same sensor to work as expected is q = 1 − p = 99.9 %.

Two Sensors

The probability for

no fault: q² ≈ 99.8 %
a discrepancy (1 fault): 2 p q ≈ 0.2 %
an undetected double fault: p² = 10^-6

Three Sensors

The probability for

no fault: q³ ≈ 99.7 %
1 recovered fault: 3 p q² ≈ 0.3 %
undetected faults: 1 − q³ − 3 p q² ≈ 3 · 10^-6

Which solution is preferable?

Autonomous system

If we were talking about an autonomous system, like a drone or maybe a satellite, we would be looking at the ability of the system to take a decision on its own.

A decision cannot be taken with

2 sensors if a discrepancy or a double fault occurs. The probability for that is 0.2 %.
3 sensors if more than 1 fault occurs. The probability for that is 3 · 10^-6.

3 · 10^-6 is 667 times better than 0.2 %. The autonomous system is better off with three sensors and TMR voting.

Aircraft with pilots

The situation is different if the system is monitored by a pilot, who can intervene in the case of a discrepancy. A false positive alarm is acceptable. Undetected faults are not acceptable. The likelihood for an undetected fault is 1 · 10^-6 with 2 sensors, and 3 · 10^-6 with 3 sensors. The 2 sensor system is 3 times more reliable under this premise!

In addition, a single fault is more obtrusive in the case of the 2 sensor configuration. A single fault with three sensors - if noticed at all - is more easily ignored instead of being eliminated.

edited Mar 14 '19 at 10:05

answered Mar 14 '19 at 09:57

bogl

10,747
3
47
63

1

Ah good ol' Lusser's law. – Mar 14 '19 at 10:10
Logic in answer seems little odd to me. Why probability of sensor working in 3 sensor setup is q^3 and not 1-p^3? Isn't it that all 3 need not to be working for getting AoA information, only 1 is sufficient to do the job? – Mad Max Mar 14 '19 at 10:40
@MadMax: q^3 is (by definition) the probability for all 3 sensors working = no fault. 1-p^3 is the probability for 0, 1, or 2 faults combined. In a TMR configuration, 2 sensors are required for a correct results. 1 is not sufficient. – bogl Mar 14 '19 at 11:49
Originally gave +1 but after few days thinking realised that this is actually wrong. The three sensor case does not work like that. The system does not aggregate the ok/fail state, if it has that data it will just ignore failed sensors. What it aggregates is the actual measurement. So the relevant statistic for undetected is actually the probability of two sensors failing the same way and giving the same false measurement. Usually this also needs to happen at the same time as the system would generally ignore the sensor that it thinks is giving false data. (cont.) – Ville Niemi Mar 21 '19 at 02:43
It is actually that ability to distinguish between the failures that is the benefit of three source solutions. Without it it would be a two source solution with extra points of failure. Which is essentially what you describe in the answer. – Ville Niemi Mar 21 '19 at 02:45
Mind you the above assumes the logic is implemented correctly. You can implement either system absolutely wrong and between them Airbus and Boeing have done exactly that. – Ville Niemi Mar 21 '19 at 02:52
1

Dear @VilleNiemi, you are right that my answer does not reflect the situation in the B737M. Instead it covers one theoretical aspect. To describe the scenario, it is not sufficient to count the sensors, but it matters how they are evaluated. The subject question keeps changing and adapting to the incomplete knowledge we have about an ongoing accident investigation. This should be avoided. Do you have reliable information about the B737M design? I do not. I consider moving this answer to a different question (to be created). – bogl Mar 21 '19 at 08:23

score 2 · Answer 3 · edited Aug 11 '20 at 23:20

2

Regardless of the number of sensors, the pilot must have enough experience to tell what is going and just fly the plane. Checklists may help, but there may not be time. After the first 737 MAX crash, there was an Airworthiness Directive and a Notice to Airmen setting forth the way to deal with stabilizer runaway, whatever the cause, including MCAS. The 2nd crash occurred after the pilots first followed those procedures but then reversed them.

MCAS has been fixed. Regulators have stated and certified that point.

Pilot training has not been fixed. That's what needs to happen next.

edited Aug 11 '20 at 23:20

Ralph J

51,356
17
157
249

answered Aug 11 '20 at 18:03

steve ells

31
1

3

I think this does not answer the question. The question is not focus on the B737 MCAS but on the number of AoA sensor on every aircraft (not even restricted to airliner) and your answer does not address the number of AoA sensor. – Manu H Aug 12 '20 at 06:59
@Manu H, he is making a broader point that the number of AoA sensors is irrelevant if the pilot doesn't have the training or experience to recognize and react correctly to a failure. Because why stop at 3? Why not 4 or 5? Plenty of airplanes have no AoA sensor at all and they are flown safely every day. – Michael Hall Aug 12 '20 at 17:52

score 1 · Answer 4 · answered Jul 26 '21 at 11:40

I worked for Marconi in the 80s. The triple system was created in Rochester in the 1980s. The Triple-redundant was a design and marketing/safety philosophy for the new airbus which was the first fly-by-wire passenger aircraft - Marconi's engineers designed electro-mechanical flight controls for fighter jets, drones, airships, helicopters using the MIL-STD-1553 standard and the 1773 protocol. Every senior Marconi design engineer was trained in-house to fly his own light aircraft by the company - the company also had its own airport. I doubt any company in the world, including Boeing, could remotely match their internal expertise in flight controls at the time. If Marconi designed -in x3 AoA sensors they did this for a very good reason.