Cosmic Ray Threat to Automation Under Investigation

Mon, Nov 30, 2009 — David Evans

Articles, Featured

An interim investigation report raises more troubling questions than it answers. Australian investigators are now looking at cosmic rays as the possible source of an in-flight upset of a Qantas A330, having ruled out interference from a ground-based radio station, but they have not explored why the failure of a single computer component was not over-ridden by a supposedly redundant flight control system, and they have ignored one of the primary shortcomings of aircraft seatbelts that contributed to some of the injuries.

The case involves a Qantas fly-by-wire A330 on a 7 October 2008 flight from Singapore to Perth with 342 passengers and crew aboard. The aircraft, at 37,000 feet, flew near the Harold Holt Naval Communications Station on the northwest coast of Australia, and electromagnetic interference from the facility’s powerful antennas was initially suspected as the cause of the sudden pitch down of the aircraft. However, testing has ruled out this scenario and investigators are now looking at possible cosmic ray interference.

Supposedly, cosmic rays resulted in a false reading of high angle-of-attack on one of three air data inertial reference units (ADIRU’s) that resulted in a pitch-down of the nose in two phases, the first more dramatically, that together resulted in a loss of 700 feet in altitude. One flight attendant and 11 passengers were seriously injured, while 107 other passengers and crew received minor injuries in the sudden pitch-down. The cockpit crew declared MAYDAY and the aircraft diverted to the Royal Australian Air Force base at Learmonth, near Exmouth, western Australia, to obtain medical attention for the injured.

Damage to overhead ceiling panels as a result of the sudden pitch down.

Damage to overhead ceiling panels as a result of the sudden pitch down.

The Australian Transport Safety Bureau (ATSB) does not yet know why the flight dropped 300 feet, and then a further 400 feet. The ATSB’s 18 November interim report says:

“The investigation to date has identified two significant safety factors related to the pitch-down movements. Firstly, immediately prior to the autopilot disconnect, the air data inertial reference unit (ADIRU) in position 1 started providing erroneous data (spikes) on many parameters to other aircraft systems … Secondly, some of the spikes in angle of attack data were not filtered by the flight control computers, and the computers subsequently commanded pitch-down movements.”

Schematic of the A330 flight control system; note that three ADIRUs feed to the primary computers but that anomalous 'spikes' still got through.

Schematic of the A330 flight control system; note that three ADIRUs feed to the primary computers but that anomalous 'spikes' still got through.

Investigators have founds two other instances of anomalous ADIRU behavior, “but in neither case was there an in-flight upset.”

The case is not like the downing of Air France flight 447, also an A330, on 1 June 2009, ATSB investigators maintain. Although the same type of airplane, the French jet was equipped with Thales-manufactured pitot probes, while the Australian A330 was outfitted with probes supplied by Goodrich. The Goodrich probes are believed to be more resistant to icing and therefore yield more accurate speed readings. On the Air France jet, it is believed that digitizing of erroneous raw data, such as frozen pitot-static pressures, led the computer to believe the airplane was flying slower than it actually was, causing the autothrust to increase speed, and the aircraft then departed controlled flight. (See Air Safety Journal, ‘Prompted by Crash, Airworthiness Directive Issued on Pitot Probes’)

Investigators have now raised the possibility that cosmic radiation may have been responsible for the computer fault that led to the Qantas incident. According to the ATSB’s interim report:

“There is a constant stream of high-energy galactic and solar radiation interacting with the Earth’s upper atmosphere. This interaction creates a cascade of secondary particles. Some of the secondary particles, in particular neutrons, can affect aircraft avionics systems. A single event effect (SEE) is the response of a component caused by the impact of a single particle [emphasis added] … High density integrated circuits, such as memory devices and central processing units (CPUs) can be particularly susceptible to SEEs …

“The investigation team is evaluating the relevance, if any, of SEEs to the ADIRU fault that resulted in spikes being produced in ADIRU parameters.”

According to the Los Alamos National Laboratory, which is investigating circuit failures from cosmic rays:

“In the case of the latest, totally computer-controlled aircraft, these tiny cosmic gremlins could cause trouble, especially because the problem gets worse as atmospheric shielding dwindles at higher altitudes. At sea level, the shielding provided by the air is equivalent to more than ten feet of concrete shielding. The neutron flux at … 7,000 feet above sea level is approximately three times greater than at sea level; at 40,000 feet, the cosmic-ray neutron flux is several hundred times greater than the neutron flux seen on the earth’s surface.”

One might say this is all very interesting but beside the point. Any component may fail, and the Airbus A330 is equipped with three ADIRUs. A failure of a single component, whether caused by cosmic rays or some other source, should not lead to near-catastrophic results. The computer should have been able to detect an ADIRU disagree and identify the bad data, or, if not possible, to just discard the angle-of-attack data altogether. Of course, such selectivity would not be the case in an event like the crash of the Air France A330, where it is suspected that all three Thales model pitot heads suffered the same internal icing malady – thereby overcoming the protections provided by triple redundancy.

One pilot commented as follows on the A330 avionics:

“In my experience, when a computer goes into the doze mode [described in the ATSB report as one where the ADIRU “stops outputting data for the remainder of the flight.”] and has to be rebooted, either the hardware failed, something in the software did other than what the programmer intended, or the system design failed to take into account all the possible consequences of all the programmers’ different intentions.

“Hardware faults caused by cosmic rays should happen at a statistically predictable rate depending on known parameters …

“(The) A330 has three ADIRUs. That’s why the readouts on one side were all over the place, the other pilot’s screen was showing perfectly fine … [because] they are each fed by their own independent units. However, the guy on the bad side was flying the plane, and the good ADIRU and the standby unit had no effect whatsoever. Now the question is ‘How come, since there are three redundant ADIRUs on board, there is no cross-checking of data between them?’ ”

The upset sequence as captured on the flight data recorder (FDR).

The upset sequence as captured on the flight data recorder (FDR).

What happened, if it’s to be dismissed as caused by cosmic rays, is simply unacceptable. The virtue of redundancy is supposedly protection from erroneous data on one channel. So the question isn’t so much what caused the glitch in the one ADIRU, but how this error got through the voting of the other ADIRUs and caused the in-flight upset. The integrity of the avionics shielding is also a subject of concern, given that a rogue neutron got through to cause the glitch.

There is another aspect of the case, quite separate from avionics reliability, that bears comment. That is in regard to the seat belt buckles, and some of them popping open. According to the ATSB, based on questionnaires returned from the flight’s passengers, of 147 seated at the time of the incident, 87 were wearing their seatbelts and 60 were not. Passengers wearing seatbelts received a significantly lower injury rate than those not wearing seatbelts, 36% compared to 92%.

These results are not surprising. What is disturbing is the potential for inadvertent seatbelt release, as documented in the ATSB interim report:

“Six passengers reported to the ATSB that they were seated with their seatbelt fastened at the time of the first upset, but that the seatbelt became unfastened and did not restrain them in their seats. Three of those passengers advised that they had their seatbelts lightly fastened, and three advised that they had their seatbelts loosely fastened. None of the six passengers could provide details of how their seatbelts released.

“(The) investigation identified a scenario whereby seatbelts could inadvertently release. For this to occur, the seatbelt had to be loosely fastened and the buckle had to be positioned in a vertical orientation underneath the right armrest prior to an upward force being applied. The lift-latch could then catch on the armrest and the buckle release.”

ATSB: 'Subsequent examination has shown that this potential for inadvertent release is not restricted to seats on the A330 aircraft type or the operator's aircraft.'

ATSB: 'Subsequent examination has shown that this potential for inadvertent release is not restricted to seats on the A330 aircraft type or the operator's aircraft.'

In other accidents and incidents, passengers have reported that the buckle was wedged in such a manner they could not pull on the lift-latch and release themselves from the seat. One woman told U.S. investigators she kept pushing on the buckle, as if it were the push-button release mechanism found on her auto seat belts.

So the older lift-latch model has two problems: it can release when the belt still has protective work to do, and it will not release when wedged between the passenger and the seat, or when the passenger is dazed and confused. One wonders why the aircraft industry hews to an outmoded design when the automobile industry years ago went from the lift-latch to the push-button release. The push-button design is immune to becoming uncoupled when in contact with the armrest or other structure, and people are familiar with how to release the buckle. The orange pushbutton design should be incorporated on all passenger jets. To receive a safety briefing on a 50-year old seatbelt latching mechanism shows how the industry invests in technology to increase fuel efficiency by a fraction of a percentage point while it puts passengers at unnecessary risk with obsolete, unsafe seatbelt design.

The larger question, though, is yet to be answered: How could an ADIRU failure make its way through to the flight control surfaces?

Comments are closed.

Nolan Law Group