Originally Posted by chrisl137
... analysis should have recognized the failure mode
this is the first part of the answer
the more important part of the answer is that the engineers and the analysts and the decision-makers (at all levels, and in all organizations) should NEVER have considered redundant AoA sensor input as anything less than a safety-critical element of the system
Originally Posted by chrisl137
... real life testing to verify the behavior of the aircraft with a simulated AoA sensor failure.
it’s very easy to simulate a sensor failure in either flight test or the simulator by pulling the circuit breaker
if I remember correctly, this would be considered a hazardous flight test condition and would probably have been a minimum-crew flight (pilots only, maybe a Test Director in the jump seat, no onboard observers); the preflight briefing would go over both setup (to ensure stable flight conditions prior to pulling the breaker) and recovery procedures