Computer Error Caused Qantas Jet Mishap

highways sends word that preliminary investigations into a Qantas Airbus A330 mishap where 51 passengers were injured has concluded that it was due to the Air Data Inertial Reference System feeding incorrect information into the flight control system — not interference from passenger electronics, as Qantas had initially claimed. Quoting from the ABC report: "Authorities have blamed a faulty onboard computer system for last week's mid-flight incident on a Qantas flight to Perth. The Australian Transport Safety Bureau said incorrect information from the faulty computer triggered a series of alarms and then prompted the Airbus A330's flight control computers to put the jet into a 197-meter nosedive ... The plane was cruising at 37,000 feet when a fault in the air data inertial reference system caused the autopilot to disconnect. But even with the autopilot off, the plane's flight control computers still command key controls in order to protect the jet from dangerous conditions, such as stalling, the ATSB said."

uhh huhs

[pak9rabid (1011935)]

I'm sure this comes as no surprise to the /. community. Nice to see the truth actually did surface though.

Re:Don't forget the spin

[icebike (68054)]

So what if they do make such claims?

If all it takes is a kid with a gameboy to bring down the Airbus then their entire fleet should be grounded.

The aircraft systems design would be completely unsafe as there are far more powerful transmitters in any urban area.

No, in truth, Airbus planes would be raining from the skys if it were indeed susceptible to such interference. It would have never been certified.

But more important, why did the controls not respond to the pilots? Why would the computers be programmed to prevent a Stall in an *diving* aircraft?

Re:Don't forget the spin

[im_thatoneguy (819432)]

If the pilots lost consciousness they would lose control of the aircraft and may slump on to the controls and put the plane into an unsafe course.

The computers put the plane INTO a dive to prevent a stall they *thought* was taking place.

In this case the pilots attempted to abort the 'safety' maneuver but the computer decided that the pilots through incompetence or perhaps incapacitation did not actually intend to kill all aboard and took the action it thought was necessary.

Re:Don't forget the spin

[jherekc (460597)]

I'm sorry Dave, I'm afraid I can't do that...

Re:Don't forget the spin

[AlecC (512609)]

RTFA. The computer was being fed random and wildly varying attitude inputs. It first pitched up, then dived, presumable responding to different random attitude inputs.

Regarding the earlier point: ATC people say they regularly hear the distinctive "ditda ditda" of an active cellphone on their channel because the pilots haven't turned off their own cellphones. So (a) active cellphones are failing to crash planes, even on presumably the most sensitive part of the craft, the flight deck, and (b) pilots know it and don't care.

Re:Don't forget the spin

[AB3A (192265)]

Most active cell phones won't cause problems. Hell, I've accidentally left my cell phone on while flying IFR and I didn't notice a thing. The track on flightaware didn't show any problems either.

The problem is that we don't know for certain that the cell phone is working properly. This is why we have regulations such as 14CFR91.21 [gpo.gov] and policies that below 10,000 AGL, you may not operate any instruments.

A quick look at NASA's ASRS database shows 9 entries concerning potential interference from portable electronic devices. So this isn't just an academic concern. Several of these entries indicated that the reporters had seen these sorts of issues before, but that it hadn't been reported.

When the flight crew tells you to shut off your toys before landing, gentlemen (and ladies, if there are any here) SHUT IT OFF! The risk of a screw-up is not yours to take. You can scream and holler at the flight crew about the injustice of denying you ten more minutes on your crack-berry once you're safely in the terminal building. Until then, their word has the full force of Admiralty Law. Shut it off or they'll do it for you.

Re:Don't forget the spin

[Lord Ender (156273)]

The flight crew adamantly demands a shut off my iPod shuffle, which has the EM characteristics of a wristwatch. I will continue to ignore them.

Re:Don't forget the spin

[electrictroy (912290)]

Nonsense. The air is thin but not THAT thin. B-29 Superfortresses routinely flew at that height, via human piloting. You don't "need" an autopilot.

>
>>>incorrect information... prompted flight control computers to put the jet into a 197-meter nosedive.

Nice. I hear that car manufacturers want to include similar accident-avoidance measures in cars. That's just what I need - my car's old computer going senile, and suddenly swerving me head-on into oncoming traffic.

Re:Don't forget the spin

[Jules Labrie (756572)]

Yes and no. Yes, the air is not THAT thin, but first there is a big difference in the security requirements between 21th century airlines and WWII military aviation. Second, the A330 has a very different (and more fuel efficient) wing profile from the B-29, which stalls at only 91kts.

Re:Don't forget the spin

[B30-7A (1222610)]

The A330 also has much more powerful engines but neither of those really matter. The reason the pilot controls didn't respond is a matter of fly-by-wire philosophy. Do you allow the pilot to put the plane is a situation that will stall the plane or worse break it, or do you prevent the pilot from flying outside the capabilities of the plane. Airbus's philosophy is the latter. The only problem is - what if the flight control computer is wrong.

You do *not* need an autopilot to fly at that altitude. And yes I am an autopilot engineer.

Re:Don't forget the spin

[DaveAtFraud (460127)]

Typically, recent civilian and many military aircraft are "three dimensionally stable". The only exceptions to this are stunt planes and fighter aircraft. For pretty much everything else, the airplane will not only continue to fly straight and level once trimmed but will even return to straight and level after a control is deflected. That is, push the yoke forward and the increased speed causes additional lift and the plane returns to level flight. Deflect the yoke the other direction, the rudder or the ailerons and the same sort of "counter force" does the same thing; the plane returns to level flight. It just won't necessarily be on the same course as before. This is something that is typically demonstrated to a student pilot on their first flight with an instructor.

The old inertial autopilots kept a plane on the same course based on the directional gyro, turn and bank and rate of climb devices. Good enough to give the pilot a break but they only kept the plane headed in the direction originally input. Modern autopilots tie into the global positioning system and on-board navigation computers to allow things like a great circle route to be flown under autopilot that also corrects for changes in wind.

Only a very few recent fighter planes are so unstable that they require the on-board computer to keep the plane flying. The F-117 was the first such aircraft deployed. The idea is that making a fighter plane unstable means that it has no inherent preference as to which way to fly thus making it more maneuverable. On the other hand, there is no incentive to design such instability into an airliner and lots of reasons not to (like what happens when the autopilot fails).

Cheers,
Dave

Re:Don't forget the spin

[Lord Ender (156273)]

Auto-pilot can make mistakes. But humans make mistakes much more frequently. We are all safer if we turn the piloting of heavy machines over to computers. That California train wreck never would have happened if we had taken the emotional, error-prone sack of meat out of the control system.

Re:Don't forget the spin

[Nobo (606465)]

Nonsense. The air is thin but not THAT thin. B-29 Superfortresses routinely flew at that height, via human piloting. You don't "need" an autopilot.

Firstly, the B-29 had the wings of a glider and cruised at 220 knots. The Airbus by contrast has swept wings optimized for cruise at .82 mach. What makes you think your intuition about the B29 is worth anything given the differences between those aircraft?

Secondly, the B29 was flown by autopilot in cruise. Preview "Bringing the Thunder" on Google books, page 155, for the memoirs of a B-29 pilot.

That said, this is not even an autopilot issue. The true source of this problem is the flight control system of the Airbus, which features a "self protection" system that intends to prevent the aircraft from stalling at any expense, and in this case, actively threatens the safety of the aircraft itself.

The truly frightening thing about this is that the air data computer clearly resumed normal operation at some point during the dive, and the aircraft was recoverable. Had this been a permanent failure of the air data computer, an airbus pilot has no way to override the aircraft's intentions and recover from the dive. An airbus pilot can only watch, as the airplane says, "No, really, I'm stalling, I have to hold the nose down and pick up airspeed!". With a failed ADC computer constantly and erroneously telling flight controls that the aircraft is in stall, an Airbus would dive, trying to recover, until it impacts the ground.

By contrast, A pilot of a Boeing aircraft can tell his aircraft that it's worldview is wrong and fly it by hand in any circumstance.

This represents a fundamental difference in philosophy. Airbus trusts the computer and the system more than it trusts the pilot -- It says that the probability of a systems failure causing incorrect control commands and threatening the aircraft is less than the probability of a confused, tired, or impaired pilot losing control of the aircraft. Boeing, by contrast, trusts the pilot more than it trusts the system.

There have been aircraft accidents where an Airbus aircraft has crashed in situations where a Boeing aircraft would have been flyable by a human pilot.

There have also been aircraft accidents where a Boeing aircraft has crashed due to incorrect pilot procedures which could have been overridden by an Airbus aircraft's flight control system.

Each philosophy has its risks and rewards.

Re:Don't forget the spin

[phoenix321 (734987)]

If you need an autopilot to keep the airplane from stalling, then yes, you probably have a stall within seconds after disconnecting the autopilot. And in a stall situation you have no lift from the wings, therefore the plane will immediately and rapidly lose altitude. Modern Airbus and Boeing are engineered to dive forward in these cases, so the stall is self-limiting in the sense that the aircraft will fall until the air is denser or airspeed is higher to let the wings generate lift again thus recovering from the stall.

The resulting forces are well within design limits of current airframes but may seriously injure passengers that had not used their seatbelts or were walking around at this moment.

Moderators on crack

[Free the Cowards (1280296)]

Overrated? What the hell? How can this post possibly be overrated with a score of 2? Come on, you asshole moderator. Show your face and defend your score. I dare you. I'm sure you're far too cowardly to do it, but I dare you to come here and reply to my post and tell me why you think this post is "Overrated". No doubt you're too chicken to do it, but I'll be waiting.

Re:Don't forget the spin

[by Anonymous Coward]

No. I am a pilot, and you are confusing 37000 feet with 56000 feet. At the altitude where the U-2 flys, over 3 miles higher than 37000 feet, the stall and maximum allowable speeds are nearly on top of each other.

At 37000 feet you have a wide margin of speed available between stall and cruise. What gets closer together is the airplane's top cruise speed and the Mach limit.

The dive after autopilot disconnect is crap; the airplane should be trimmed for level flight by the autopilot to save fuel and system wear.

The dirty secret about airbus airplanes is that the autopilot is never really disconnected; the flight computers will always play 'nanny'. In this case, the computer got 'vertigo' and said 'ZOMG we're too steep', slammed the plane around to keep up speed. Wrong move by the wrong system. If the autopilot disconnects, the airplane should hand control to the pilots, not try to tear the plane apart.

Looking at the article, people suffered spine damage as a result of the (improper) maneuver. Considering that one Airbus aircraft has had a tail fall off in flight due to stress cracking, I'd wonder if this airplane hadn't exceeded it's structural G-force limits during the computer's unscheduled aerobatics.

Re:Darn News !

[phoenix321 (734987)]

Did you fit that magnetron inside the mouse or did you just bluetooth-enable your microwave?

Questions:

[Ethanol-fueled (1125189)]

From TFA:

"About two minutes after the initial fault, (the air data inertial reference unit) generated very high, random and incorrect values for the aircraft's angle of attack," the ATSB said in a statement.

Correct me if I'm wrong but don't most modern aircraft have an inertial navigation system and a seperate angle of attack transmitter protruding from the plane? Why no redundancy?

The incident was the fourth involving Qantas planes in two-and-a-half months[read TFA for the other 3 incidents]...

The plane's French-based manufacturer has issued an advisory on the problem and will also issue special operational engineering bulletins to airlines that fly A330s and A340s fitted with the same air data computer, the ATSB said.

Does Qantas' aircraft maintenance suck or does Airbus' quality control suck? Do both suck?

Finally, shame on the PR guys for blaming passenger electronics. Maybe it's a feature, not a bug...in case any government decides that they want to make another 9/11 ;)

Re:Questions:

[by Anonymous Coward]

They never did, the initial reports that they were looking at laptop was a mistake by the journalist. Qantas said they were looking at the onboard computers (ie. the computer that was flying the plane) and the journalist thought computers that were on board (ie. the laptops that passengers were using).

Re:Questions:

[MrNaz (730548)]

The real reason:

"It looks like you are trying to fly a commercial airliner. Would you like me to:
a) Make an announcement to passengers
b) Call the stewardess for some more coffee
c) Compensate for the incredibly high angle of attack"

Re:Questions:

[The Good Jim (642796)]

Umm... the attitude sensor was a Northrop Grumman part, used in some Airbus models (2 A330 models, and A340) and "some other non-Airbus" aircraft. So it doesn't sound like an Airbus problem - it may even also be a Boeing problem! And it sounds like a software problem, not a Queerarse maintenance issue, for once! But what happened to quadruplex-redundant FBW - are only the flight control computers truly quadruplex redundant? It sounds like a single point of failure in a design which should have considerable redundancy. Jim

Re:Questions:

[Achromatic1978 (916097)]

Qantas. Not Quantas.

Queensland And Northern Territory Aerial Services.

Re:Questions:

[zolaar (764683)]

I believe it's pronounced "KROY-kee"

Re:Questions:

[William Robinson (875390)]

Why no redundancy?

Exactly my thought.

IANAE, but the Wikipedia says An ADIRU acts as a "single, fault tolerant" source for both pilots of an aircraft., and there are 3 ADIRUs.

From TFA,

faulty computer triggered a series of alarms and then prompted the Airbus A330's flight control computers to put the jet into a 197-metre nosedive.

I wonder whether the control computers are programmed to take decision to nosedive just like that OR consult other ADIRUs OR alarm the crew before taking that kind of decision.

Having worked for nuclear installations where I designed automations for, which always demanded to have 2 out of 3 voting redundancy and a careful fault tree analysis making sure no single point of failure would lead to any kind of disaster, I feel the control computer might have been taking decision without consulting other ADIRUs OR all 3 ADIRUs went bad at the same time. And both cases look very scary.

Just my thoughts.

Re:Questions:

[dangitman (862676)]

Except that it was a journalist who made the claim of interference from a passenger's computer, not QANTAS.

Re:Questions:

[daver00 (1336845)]

Qantas HAD an excellent reputation for safety, but that is surely history now. What was it about 6-12 months ago they moved all of their international flights maintainance offshore. Qantas engineers went on strike etc. Lo and behold yet another outsourcing operation is falling flat on its face, unfortunately this time it could come at the expense of lives.

I'd be staying well away from Qantas international flights until they sort their shit out.

Re:Questions:

[aussie_a (778472)]

If Qantas cuts the costs of maintenance to such a degree that fatalities are not only likely, but inevitable, can anyone actually be charged with murder?

Re:Questions:

[TomSawyer (100674)]

When their A320 debuted at the French airshow, the computer got very confused at take off and simply refused to allow the pilot to pull up more than 20-30 feet off the ground, causing the a/c to crash into the forest at the end of the runway.

I remember reading about that in high school. It's one of the "cautionary tales" in The Day the Phones Stopped Ringing [amazon.com]. While the computers were initially blamed, the final conclusion was human error caused by a misplaced confidence in technology. It wasn't that the computers wouldn't let them pull up. The plane was physically incapable of pulling up when the pilots tried to. The pilots were maneuvering to give the crowd a good look and they believed the computers wouldn't let them do so if the plane couldn't handle it.

Re:Questions:

[Richard_at_work (517087)]

Correct - the Habsheim crash was caused by pilot stupidity in that he was both below the visible height of surrounding obstacles, and had brought the throttles back to idle. Engines take some time to come back from idle to 'take off - go around' thrust (TOGA), and he applied that thrust far too late.

Re:Questions:

[Goldenhawk (242867)]

The actual story turns out to be a lot more complicated than that. There is some evidence that Airbus didn't adequately warn pilots about two known problems: refusal of the engines to accelerate upon command, and an altimeter misreading problem (see http://www.airdisaster.com/investigations/af296/af296.shtml [airdisaster.com] for info).

What actually happened (the true data from the crash) may never be known, because there was an apparent attempt by Airbus to cover up the true cause, by faking the flight recorder data (see http://www.crashdehabsheim.net/CRenglish%20phot.pdf [crashdehabsheim.net] for info). I'm not generally a conspiracy theorist, but in this case there is a LOT of evidence that Airbus and many officials hid the truth, to protect the state-run company from the proper blame.

Aside from the controversy, it is widely accepted in the aviation community (my job, by the way) that the COMPUTER was the cause of the problems, not the engines or sensors.

Since that accident, I have heard of several other Airbus accidents related to flight control computer "fly-by-wire" anomalies, and a number of pilots with whom I work refuse to fly on any Airbus aircraft for this reason. It's not the fly-by-wire thing that bothers them - it's the Airbus way of doing things.

Re:Questions:

[lendude (620139)]

Whilst Airbus and Boeing may have differing philosophies regarding the use and role of on-board computer flight systems, and whilst these may have bearing on some incidents, please read up on the incident you are referencing - it's nothing like you portray it: Air France Flight 296 [wikipedia.org]

Re:Questions:

[I cant believe its n (1103137)]

Boeing a/c do have a lot of computer controls, but they can all be easily overwritten by the CO/FO flying the a/c.

That actually sounds worse, but you probably meant overridden.

No, the GP is correct and the process is called "flash and burn" :-)

well duh

[Brain Damaged Bogan (1006835)]

...but don't expect the airlines to care about the facts when they decide to stop letting you use electronic devices on their flights. Common sense didn't get in the way of them banning nailclippers, shaving razors, liquids and many other innocuous day-to-day items.

Re:well duh

[cheater512 (783349)]

The airlines dont ban those items.

Re:well duh

[sumdumass (711423)]

I think you missed his point. It isn't the airlines that banned those things, it is unrelated but authoritative departments of government which did.

The blame for what you mention rest with agencies other then the airlines.

Maybe they should have...

[by Anonymous Coward]

...tried turning it off and then on again.

Been there, done that

[QuantumG (50515)]

put the jet into a 197-meter nosedive.

I've been in nose dives before.. it's awesome fun. Everyone is screaming and the assholes who refuse to keep their seatbelt fastened while seated quickly learn the *reason* why they request you to do this.

People pay good money for this experience [gozerog.com], and with a little malfunction or two they give it to you for free. When you throw in the fact that you could very well be experiencing the last few minutes of your short pathetic little life - you can't get a better adrenaline rush.

Re:Been there, done that

[Splab (574204)]

I was thinking the same, "that will teach them to buckle up".

I do feel bad for those buckled in who got hit by the assholes flying through the cabin though. Also for the poor smuck on the toilet.

Re:Been there, done that

[_Hellfire_ (170113)]

Also for the poor smuck on the toilet.

He must have been shitting himself...

Re:Been there, done that

[by Anonymous Coward]

Cheapest way to experience zero G? Go along to your nearest glider/sailplane club and have a trial lesson. If you ask nicely, some of instructors will give you an aerobatic flight (loops, wing-overs, stalls, but not spins).

If the cable breaks during a winch launch, at a couple of hundred feet, you go zero g in order to recover. The motto is that if the mud (on the floor) floats around your face then you got it about right, whereas if it plasters itself on the canopy then you were too enthusiastic.

Before you go solo (which you can do at age 16/15/14 depending on where you live) you have to be able to repeatedly demonstrate that you can recover from cable breaks and also from a spin started at 1000ft in which you are descending at 100ft/s.

Not an experience you will forget.

Re:Been there, done that

[e2d2 (115622)]

Astronauts in orbit are falling also but yet experiencing what is commonly referred to as "zero-G".

Sorry to get in the way of your.. whatever

Thanks, I'll pass on that flight...

[Dutch Gun (899105)]

...until you get all the bugs worked out of those systems. And unfortunately, lessons of these kinds are often paid in tragedy. These passengers should consider themselves lucky that the pilots reacted so quickly.

Not trying to be too flippant, as I can scarcely imagine the complexity of trying to create what essentially needs to be an infallible system in such a complex problem space. As a programmer, thinking about putting my life in the hands of a computer program scares the living hell out of me. The whole issue is that computers, by and large, lack "common sense", and are prone to accept garbage input without question.

Apparently, this was caused by "a malfunctioning computer". Isn't there sort of redundancy check on anything that could cause the computer to send the plane plummeting toward the earth? One faulty computer can cause this? I'm sure the article is over-simplifying the problem, but still...

Re:Thanks, I'll pass on that flight...

[jamesh (87723)]

Thanks, I'll pass on that flight ... until you get all the bugs worked out of those systems

It's interesting the way people rationalize things isn't it?

Statistically, you are far more likely to die in a car on the way to work than you are in a commercial passenger aircraft. Statistically, the computer system in a commercial passenger aircraft is far less likely to fsck things up than a human pilot (although that's saying nothing about the _size_ of the fsckup, should one occur...)

I drive around 600km a week in my car. A lot of that is spent at 110km/hour on a freeway, and at 100km/hour along some reasonably windy and hilly roads. I often think about the ways that such an activity could end rather badly for me, but it doesn't worry me greatly.

In about a week though I'm going to be getting onto an airplane for the first time in about 28 years, and the thought of it has me a little nervous - far more so than driving a car which is, statistically speaking, far more dangerous.

A car crash here in Australia will often make the news, possibly only locally unless more than a few people lost their lives. A plane crash of any reasonable size will make the news world wide, and will probably continue to do so for weeks after the event. The Quantas Airbus 'mishap' didn't kill anyone, and the majority of the passengers have probably mostly healed whatever injuries they did sustain by now, and yet here in Australia the incident still makes the news daily. The logical part of your brain should tell you that that is a comforting thing - it's so unusual that it is still newsworthy a week later. The less logical parts of your brain though are constantly reminded that while safe, air travel is not 100% safe.

For me I think the difference is the time I will have to contemplate things should something go wrong. In a car, the time between the realization of error (mine or someone elses) and things ending badly is going to be measured in seconds. In an airplane, the time between when I realize that things are not as they should be and the time when I won't be thinking anymore could be measured in minutes. That is a pretty chilling thought for me...

Re:Thanks, I'll pass on that flight...

[tomRakewell (412572)]

In an airplane, the time between when I realize that things are not as they should be and the time when I won't be thinking anymore could be measured in minutes. That is a pretty chilling thought for me...

Don't worry! Most of the time, you never know what hit you in an airplane catastrophe. If the aircraft breaks up at 35,000 feet (as a result of a mid-air collision, fuel tank explosion, terrorist attack, etc.), you're none the wiser. You'll probably be killed by flying debris within a second, and if you survive the break-up, you'll have the oxygen boil out of your blood a few seconds after that.

Much more frequently, you'll hit a mountain while flying in zero visibility. Zero seconds to worry.

A large portion of accidents occur when the plane lands. Tail or wing strike, skidding off the runway, etc. These calamities are likely to occur even more rapidly than a car crash. You probably won't be able to complete the sentence "Oh shi----!"

Or maybe your plane is overweight and can't get enough power to take-off properly. In this case, you've got 20 seconds max to contemplate your fate. And it will probably take you 10 seconds realize that it is really happening. "Why is it taking so long to take off? Is the plane really flipping upside down? Is this REALLY happening?? Oh, oh, yes, it is..."

Being in a plane that plummets to the ground for a minute or two isn't that likely. When seated on your flight, you should really be aware that your life could be snuffed out without warning at any minute.

Re:Thanks, I'll pass on that flight...

[AJWM (19027)]

Strictly speaking, the Ariane 5 first flight mishap was a specification bug, not a coding bug, so it depends on your definition as to whether it was really a "software" bug. (Even more strictly speaking, it was a procedures bug: they left running an inertial measurement unit that wasn't needed after launch (it provided ground reference for the nav system while on the pad). They'd done this on Ariane 4 but the 4's flight profile didn't take the unit out of limits the way 5's did.)

oblig star trek blahblah

[ocularDeathRay (760450)]

SOOOOO.... you are saying the inertial dampeners were offline?

Not an isolated incident

[Davemania (580154)]

This isn't an isolated incident. Although I think the string of technical incidents suffered by Qantas isn't a coincidence either. "A global alert was issued in 2005 after a Malaysia Airlines Boeing 777 en-route to Kuala Lumpur from Perth experienced similar problems. Investigators found a software glitch in a unit made by the same US manufacturer as the one in the Qantas plane combined with a mechanical problem." http://www.australianit.news.com.au/story/0,24897,24499849-15306,00.html [news.com.au]

Quantas' claims

[myxiplx (906307)]

From the summary: "not interference from passenger electronics, as Qantas had initially claimed"

Care to show me where Quantas claimed that? It seems to be all the rage to say that Quantas are shifting the blame, but so far I've seen nothing at all to indicate that was the case. What I *have* seen was a statement from Quantas saying they were investigating passenger electronics as a possible cause. Now I know it doesn't make such good news, but I'm afraid there's a world of difference between being investigating something and trying to place the blame on it. Unfortunately that's a distinction that appears to be lost on the crowd...

DO178B

[gnieboer (1272482)]

For those that are interested in coding/test methodologies, the FAA created a system called "DO178B" which defined as set of software assurance standards for aircraft. (Note, it's not coding standards, it's assurance standards)

Wiki link: http://en.wikipedia.org/wiki/DO-178B [wikipedia.org]

It set different standards for different types of code. The movies would be Class E, a non-critical nav system maybe C or D, FCS probably A. But even then, the code can be made modular to decrease the assurance level required. For instance, an artificial horizon needs to work, right? But you normally have more than one in a cockpit. If one goes bad, you can use the other, not catastrophic. But the key is the pilot(s) need to recognize that it's busted. What if one froze in place in flight during landing? The pilot might follow it and go ka-boom.
So by itself, an electronic artificial horizon would require level A ($$$) software so that it 'never' fails. This is very very expensive (for level A the post-compiler machine code must be analyzed for possible compiler issues, and MC/DC http://en.wikipedia.org/wiki/Modified_Condition/Decision_Coverage [wikipedia.org] coverage)
So instead, they write it to a lower level, and then create a small set of code that cross-checks everything and kills off any horizon that's malfunctioning by placing a big "X" (or whatever) on the screen instead. Lower risk and greatly reduced cost.

Re:DO178B

[digitig (1056110)]

For those that are interested in coding/test methodologies, the FAA and EUROCAE jointly created a system called "DO178B/ED12b" which defined as set of software assurance guidelines for aircraft.

The important bit in that change is that they are guidelines, not standards; DO178b/ED12b is not mandatory (although compliance makes certification a whole lot easier).