As with other safety-critical systems, the development of the A330/A340 flight control system during 1991 and 1992 had many elements to minimize the risk of a design error. These included peer reviews, a system safety assessment (SSA), and testing and simulations to verify and validate the system requirements. None of these activities identified the design limitation in the FCPC's AOA algorithm. The ADIRU failure mode had not been previously encountered, or identified by the ADIRU manufacturer in its safety analysis activities. Overall, the design, verification and validation processes used by the aircraft manufacturer did not fully consider the potential effects of frequent spikes in data from an ADIRU. Airbus has stated that they are not aware of a similar incident occurring previously on an Airbus aircraft.
Perhaps as we move into the future where pilots can no longer be assumed to have thousands of hours of actual hands-on instrument flying experience before taking command of transport aircraft, autopilot systems will have to be designed with more robust failure modes that assume less about the crew's ability to take over unexpectedly. The fact that those systems are not there is one of the reasons that drove me to write this book. We still need to be pilots and be able to take over at
Remember, the autopilot doesn't think anything. It IS stupid. It only does what it is told to do, and when it can't do that - it's pilot time! However, if the pilot gets lulled into believing that it is the autopilot that is smart, then it is HE that might be the "stupid sh&t!"