Reply to post: "Swiss cheese" theory - lots of holes have to line up

Aircraft now so automated pilots have forgotten how to fly

Anonymous Coward

"Swiss cheese" theory - lots of holes have to line up

With greatest respect Vic, you're bang on on a lot of stuff here (as are many others) but you've omitted a couple of important things.

1) On an aircraft, by design it's supposed to take multiple failures to turn a fault into an incident. This applies whether it's a people failure or an equipment failure or a bit of each.

It's sometimes called the "Swiss cheese" theory - so long as the various bits don't all line up the wrong way at the wrong time, things can go wrong but individual failures won't cause a crisis.

In the case of the AF447 incident, lots of things lined up inconveniently. And fatally.

2) The pilots *didn't* initially know they had a pitot problem. As you know, the pitot tube (airspeed sensor) is an essential part of flying an airliner, which is why airliners have three of them of two dissimilar designs.

As with other triple voting dissimilar systems, the theory is that in the case of a single random failure, two of the three will still work, and the control system will know to trust the two that agree.

On AF447, two pitot tubes failed *identically, at the same time* due to a weather-related design fault (which again was provoked by a combination of factors - aircraft design and pitot design).

This is a "must never happen" condition - two simultaneous identical failures - but it did happen, and to make things worse, it was actually already known that the combination of aircraft design and pitot design in this picture had "issues" but the proper fix (change to a different design of pitot) hadn't yet been put in place on this aircraft.

Additionally, the fault wouldn't have become visible (the pitots wouldn't have frozen) if the crew hadn't decided to fly *through* rather than *round* a storm.

Two out of three pitots feeding identical duff info to the control system, and nothing (and no one) spots it - no need to check, because it's a "must not happen" failure mode. Right...

So that's several pitot-related opportunities for things to have gone differently.

There are other opportunities which are not pitot-related which could have seen a different outcome; one of the more notable ones would have been for the senior captain (who was resting) to be dragged in to the cockpit rather earlier. Or to have flown round (rather than through) the storm.

Stuff like this rarely has one single cause. It's all described in great detail in the accident investigation reports, and the AF447 Wikipedia article isn't bad either.

Hope this helps, and that you don't mind the clarification. Apologies for any minor errors on my part - I'm doing this from memory.
