The sensors are redundant, but non-voting. They only have 2, IIRC, whereas 3 are required for a single bad sensor to not be able to cause catastrophic failure.
However, I am also astounded that this system and the AFM were approved as is.
However, I am also astounded that this system and the AFM were approved as is.
As I understand from earlier reading, There were two AoA gauges, but the one used depended on which pilot was flying at a given time. That means no redundancy. First, the AoA gauges need to have self diagnosis capabilities. A faulty sensor should not be controlling the actions of anything. A sick pilot is able to at least diagnose that he is sick and needs to see a doctor and not fly a plane. The gauges have difficulty knowing when they are malfunctioning. They should at least know when to not have confidence in their measurements and abstain from voting.
I watched an episode of Air Disasters on Sunday about QANTAS flight 72 in 2008 where there was a software error in the code for the device sending data to the fly by wire systems. It was reporting altitude as angle of attack. It was showing large quick changes in angle of attack, and commanded the plane into a negative G dive. The captain was able to get control again, but it tried to dive again. Thep pilots finally got control and diverted to a closer airport to make an emergency landing. The captain was a former US Navy pilot who used his experience as a fighter pilot to do a high speed landing in order to be able to recover in case the plane started going nose down close to the ground.
Malfunctioning AoA sensors causing dangerous commands to be sent by fly by wire systems is not an unprecedented issue.