Your excellent writeup covers lots of important things but seems to miss one important fact re pitot tube icing: in the case of the loss of AF447 and all on board, there were pitot tube icing issues already identified and various remedial programs were in progress, but its importance hadn't been fully recognised, and combined with various other unrelated failures, it led to the loss of AF447 and all on board:

Article includes links to the original definitive history, showing that the "must never happen" state of two identically failed pitot tubes outvoting the one good pitot tube had been a worryingly frequent occurrence over a few years, but in general, some other part of the picture had prevented a "must never happen" failure becoming a disaster.

When all the failures and omissions line up together like holes in pieces of Swiss cheese, well, we know what happened on AF447.

General Swiss Cheese model overview below [1].

It's not rocket science (well, actually, maybe it is - see e.g. O-rings and Feynman's addendum to the space shuttle inquiry report) e.g. via [2].

But when the regulatory authorities start accepting modifications to equipment and procedures without proper understanding of the implications, we all stand to lose.


"The Swiss cheese model of accident causation is a model used in risk analysis and risk management, including aviation safety, engineering, healthcare, emergency service organizations, and as the principle behind layered security, as used in computer security and defense in depth. It likens human systems to multiple slices of swiss cheese, stacked side by side, in which the risk of a threat becoming a reality is mitigated by the differing layers and types of defenses which are "layered" behind each other. Therefore, in theory, lapses and weaknesses in one defense do not allow a risk to materialize, since other defenses also exist, to prevent a single point of failure. [etc]"