I'm going to seize on this quote from Alistair:
Alistair Heaton said:
It started off as a single job system which only triggered an alerting system. Then the data was used to feed into other systems, which wasn't a problem when those systems had no direct control over the aircraft apart from, say, setting a cruise power. Now it's being used to directly control the aircraft and its systems. But fundamentally the sensor and data handling and error trapping is the same as it was in the 1950s when it was developed, when the limit of its authority was sounding an annoying alarm in the cockpit and triggering a vibrator on the stick.
It's an example of extension of the use of a device beyond its original intent or ability.
Just like the 737 has been extended beyond its original scope of performance.
So whether you focus on a narrow or a wide field, this happens. Sometimes the growth is carefully done, sometimes it's a kludge.
Here's an example:
About 15 years ago, operational regulations changed in the USA & Europe related to the heating of the pitot tubes (aerodynamic airspeed sensors). Heating them prevents ice from forming, so this example seems to be appropriate here. The rule change made it mandatory to alert the flight crew to a potential failure of the heater, letting them know that one of the airspeeds could be faulty. The rule was retroactive on aircraft based on the kind of operation used by the owner. Private owners didn't have to do this, but commercial operators flying scheduled routes did. This led to a zillion failure detection systems being figured out by technicians as "one-off" designs in dozens of aircraft types by hundreds of companies, rather than the aircraft manufacturers providing one common kit to upgrade each aircraft type that every operator could use. I got involved in a few of these, and made sure to have a number of functional and operational tests done to demonstrate that the system works every time it was installed, and to include a supplement in the crew's flight manual to be clear on what the warnings mean.
Even so, for each type of aircraft and helicopter I repeated the system on, I had to come up with a new way to integrate it into the existing functions and warnings. On one aircraft, I was able to integrate the warning into the group of existing caution/warning lights, by picking my way through the fault logic board to find the spot. On another, no such caution/warning panel existed, so it was just a pair of crude lights on the instrument panel, itself a crude layout from the decades before anyone heard of system design.
This is what it's like coming up with a new system, or modifying an existing system with new features on an aircraft that's already been designed and built. You have to take the machine as it is, and splice in the new stuff as smoothly as you can. If you do it well, you provide the crew with the intended improvement in their safety and a way to diagnose problems. Do it badly, and you confuse the crew or introduce a new mode of failure.
None of the aircraft or helicopters that needed this system had to undergo an FMEA, so it wasn't done. It is not part of the basic type design of most light aircraft or helicopters, certainly not old ones, and if you think about it, that's WHY they didn't have a warning system in the first place. The new rule didn't specify that an FMEA was needed, either.
The introduction of that rule would have been completely different if the responsibility had been placed on the OEMs to provide the system.
No one believes the theory except the one who developed it. Everyone believes the experiment except the one who ran it.
STF