RSS

Sudden Pitch-Down Raises Questions About Computerized Flight Controls

Wed, Oct 22, 2008 — David Evans

Articles

“The nature of the initiating event has not yet been determined,” according to an Australian Transport Safety Bureau (ATSB) statement regarding a 7 October incident in which a Qantas A330-300 experienced two terrifying plunges that hurled some passengers and flight attendants into the ceiling. About 50 people were injured, and at last 10 of the 300 passengers suffered broken bones and lacerations after they were thrown from their seats on flight QF72, which was en route from Singapore to Perth.

Most of those injured were at the rear of the aircraft.

After the incident, which one passenger described as falling 8,000 feet (although the aircraft in reality dropped some 1,000 feet before the pilots recovered it to level flight), the captain declared an emergency and the airplane diverted and landed at Learmonth Airport, about 750 miles from Perth. The seriously injured passengers and three injured flight attendants were evacuated for medical treatment, and two smaller Qantas airliners were dispatched to pick up the remaining stranded passengers.

ATSB investigators were sent on a chartered aircraft to begin the incident postmortem.

The gut-wrenching dive was first attributed to clear air turbulence. Not so, according to ATSB chief investigator Julian Walsh. Based on initial investigation, he said the fault lay with a computer unit that detects, through sensors, the pitch-angle of the wing relative to the free-stream airflow (i.e., air as yet uninfluenced by the aircraft’s passage). One of the plane’s three Air Data Inertial Reference Units (ADIRU) malfunctioned, sending erroneous data to the Flight Control Primary Computers (PRIM) and, since the airplane – then cruising at 37,000 feet – was on autopilot, triggered a drop in altitude of some 650 feet, followed by another drop of about 400 feet.

With the autopilot disconnected, the flight crew recovered the aircraft and diverted the flight to take care of the injured.

Given the airplane’s altitude, it was close to the so-called “coffin corner,” where the difference between cruise Mach buffet speed and stall speed is much reduced, presenting the specter of loss of control. However, this possibility is considered to be remote, in light of retrieved DFDR (digital flight data recorder) data.

“It is probably unlikely that there will be a recurrence, but obviously we won’t dismiss that,” Walsh told reporters. An ATSB statement offered those comforting words:

“It is important to note that in fly-by-wire aircraft such as the Airbus, even when being flown with the autopilot off, in normal operation, the aircraft’s flight control computers will still command control surfaces to protect the aircraft from unsafe conditions such as a stall.”

Manufacturer Airbus has generated an Operator Information Telex to its A330 and A340 customers (the two airplanes share the same avionics), portions of which were published by Qantas as a memorandum to its Airbus crews. This Qantas communication provides a detailed account of the circumstances surrounding the 7 October event:

“The preliminary analysis of the DFDR, Post Flight Report (PFR) and BITE 9Built-In Test Equipment) data allows [sic] to establish the following preliminary sequence of events:

“The A/C was flying at FL 370 with Autopilot and Auto thrust system engaged without any reported or recorded anomaly, when the IRS [Inertial Reference System] 1 Fault had been triggered and the Autopilot automatically disconnected. From this moment, the crew manually flew the aircraft to the end of the flight except for a short duration of few seconds.

“From the time the IRS Fault 1 has been triggered, the recorded parameters of the ADR [air data reference] part of ADIRU 1 included erroneous and temporary wrong values in a random manner. These values are spike values and not sustained values. ADIRUs 2 and 3 seemed to have operated normally.

“The abnormal behavior of the ADIRU 1 led to several consequences:

“ – Unjustified stall and overspeed warning

“ – Loss of altitude information on Captain’s Primary Flight Display (PFD)

“ – Several ECAM [Electronic Centralized Aircraft Monitor] system warnings.

“About 2 minutes after the initial IRS Fault, the ADIRU spikes generated very high, random and temporary values for the angle of attack, leading to:

1) the flight control laws commanding nose-down aircraft movements (A/C pitch attitude decreased from 2º nose-up to 8º nose-down and vertical load factor changed from 1g to -0.8g)

2) The Flight Control Primary Computer (FCPC) ‘F/CTL PRIM 1 PITCH FAULT’ ECAM warning was triggered.

“The timely crew response led to recover of the A/C trajectory within seconds. During the recovery, the vertical load factor did not exceed 1.6g and the maximum altitude loss was 650 ft.

“The DFDR data show that the ADR 1 continued to generate random spikes.

“A second nose-down aircraft movement was encountered later on, but with less important effects in terms of aircraft trajectory. It also led to generate the ‘F/CTL PRIM 2 PITCH FAULT’ ECAM warning. This, combined with the previous ‘F/CTL PRIM 1 PITCH FAULT’ ECAM warning led to a switch from NORMAL to ALTERNATE law.

“The BITE message of the ADIRU 1 does not include a failure or maintenance message. However … other system failure messages … have been demonstrated as spurious but generated by the ADIRU 1.

“Tests performed on the A/C following the incident did not reveal any abnormal results that would [explain] the reason for the event.

“At this stage of the investigation, the analysis of available data indicates ADIRU 1 abnormal behavior is likely to be the origin of the event. The type of ADIRU involved is Northrop Grumman (previously Litton), PN [part number] 465020-0303-0316 …

“Airbus is working together with the ATSB and the supplier to identify the ADIRU failure mode. Additionally, as the same ADIRU PN is fitted on single-aisle family aircraft, Airbus is currently checking if temporary measures are also required on these aircraft types.

“However, initial investigation … seems to indicate that [the] single-aisle family aircraft flight control system is more robust against this ADIRU failure mode.”

Why single-aisle Airbus models are “more robust” than double-aisle models like the A330/A340 is an unanswered and tantalizing question.

The faulty unit will be sent to the U.S. component manufacturer for testing. Qantas said the preliminary findings showed that the fault was likely to lay with the component (i.e., the manufacturer) rather than with the airline. “This is clearly a manufacturer’s issue and we will comply with the manufacturer’s advice,” the airline said in a statement.

Apparently, for that specific type of ADIRU, Airbus has substantially modified the checklist in response to an inertial reference fault. Now, both parts of the unit, the IR [inertial reference] and the ADR [air data reference] will be turned off. Due to the “random spikes” fault in ADIRU 1, it is hard to say if the crew had the proper tools to determine if the ADR was at fault and to turn it off before the sudden pitch down.

As one commentator noted, “How strange, the protection which is supposed to protect, sent the passengers through the roof. That Airbus is a VERY complex machine.”

The ATSB statements of 10 and 14 October, admittedly preliminary, lead to further questions that hopefully will be answered in the final report.

First, additional data is being downloaded from the airplane. According to the ATSB, “This data is essential to the investigation and includes additional data not recorded on the Digital Flight Data Recorder.” If data deemed “essential” to understanding what happened is not on the DFDR, perhaps it should be, and the requirements for DFDR information-capture need to be revisited and upgraded.

Second, if the ECAM action had been carried out, which isn’t clear, ADIRU 1 would have been switched off, and no injuries would have resulted. The system does not automatically discard a faulty unit but does identify it and advises the crew to first select a reliable source of information, and then to turn off the faulty unit. Qantas is not yet out of the woods.

Third, recall the Malaysia Airlines (MAS) B777 incident of 3 August 2005, in the same geographic area, where the crew reported reaching the overspeed limit and the stall speed simultaneously passing through 38,000 feet. The aircraft pitched up and climbed to about 41,000 feet. Subsequent examination of the suspect ADIRU revealed that one of several accelerometers failed at the time of the occurrence, and that another one had failed some years before. ADIRU’s have two accelerometers in each reference plane (i.e., pitch, yaw and roll). In the Malaysian event, one accelerometer failed and the back-up was then automatically pressed into service. Eventually, that backup failed, causing false information and a sudden nose-up pitch. Allegedly, there is no warning of this insidious failure. The MAS incident and others highlight the fact that every potential failure might not be tested for beforehand – especially in the fly-by-wire area – so a system hazard may lurk for years before the right set of circumstances occurs. Conceivably, that could be a cascading failure scenario that no one had ever thought of beforehand. Indeed, as the Federal Aviation Administration said at the time:

“Since [AD 2005-10-03] was issued, we have received a recent report of a significant nose-up pitch event on a Boeing Model 777-200 … while climbing through 36,000 feet … A review of the flight data recorder shows there were abrupt and persistent errors in the outputs of the ADIRU. These errors were caused by … using data from faulted (failed) sensors. This problem exists in all software versions after PN 3470-HNC-100-03 … and including versions mandated by AD 2005-10-03. While these versions may have been installed on many airplanes before we issued AD 2005-10-03, they had not caused an incident until recently, and the problem was therefore unknown until then.”

There seem to be any number of potentially hazardous flaws in Boeing, Airbus and other manufacturer’s fly-by-wire systems that will rear their heads in untested scenarios. Obviously, this raises a question about the rigor of system testing before and during aircraft certification.

Fourth, and most important, these questions cry out for answers:

– Why wasn’t the fault in ADIRU 1 screened out by comparison to the other two ADIRUs?

– Why were “spikes” treated as valid input by the primary flight computers?

Image

Transmission towers at Exmouth for submarine communications. Are they a source of interference that caused the Qantas A330 upset?

– Is shielding from external energy adequate? One theory is that the spikes were caused by high levels of HIRF (high intensity radio frequency) from various very high-powered transmitters for submarine communication located at Exmouth on the northwest cape, to which the Qantas A330 was in close proximity at the time of the incident. Thus, the spikes raise relevant questions regarding the shielding of fly-by-wire systems from HIRF.

– Was the possibility of erroneous input to the primary flight computers from the ADIRU considered in the hazard analysis during the design phase? If so, with what result? If not, why not?

– How was one wayward ADIRU able to bypass a multitude of protections designed to prevent such a flight disturbance? In this instance, the following protections appear to have been ineffective:

– Load factor limitation.

– Pitch attitude correction

– High speed protection

– Maneuver load alleviation (MLA)

– Turbulence damping function

– System redundancy

We’re suddenly back to looking warily at software design standards for fly-by-wire aircraft, and whether they provide an adequate assurance of safety under all conditions, not just a narrow assurance of proper computer coding. As the Qantas A330 incident may well point out, in aviation a malicious code is not the precondition for a malevolent or malignant outcome. The ATSB said on 14 October, “The aircraft contains very sophisticated and highly reliable systems.” The “highly reliable” is true in terms of no similar event having occurred, but one should have a healthy respect for latent flaws that were not envisioned during design.


Comments are closed.

Nolan Law Group