Computer Error Caused Qantas Jet Mishap
highways sends word that preliminary investigations into a Qantas Airbus A330 mishap where 51 passengers were injured have concluded that it was due to the Air Data Inertial Reference System feeding incorrect information into the flight control system — not interference from passenger electronics, as Qantas had initially claimed. Quoting from the ABC report: "Authorities have blamed a faulty onboard computer system for last week's mid-flight incident on a Qantas flight to Perth. The Australian Transport Safety Bureau said incorrect information from the faulty computer triggered a series of alarms and then prompted the Airbus A330's flight control computers to put the jet into a 197-meter nosedive ... The plane was cruising at 37,000 feet when a fault in the air data inertial reference system caused the autopilot to disconnect. But even with the autopilot off, the plane's flight control computers still command key controls in order to protect the jet from dangerous conditions, such as stalling, the ATSB said."
Re:Questions: (Score:5, Informative)
They never did; the initial reports that they were looking at laptops were a mistake by the journalist. Qantas said they were looking at the onboard computers (i.e. the computer that was flying the plane) and the journalist thought computers that were on board (i.e. the laptops that passengers were using).
Not an isolated incident (Score:5, Informative)
Re:well duh (Score:5, Informative)
I think you missed his point. It isn't the airlines that banned those things, it is unrelated but authoritative departments of government which did.
The blame for what you mention rests with agencies other than the airlines.
Re:Questions: (Score:4, Informative)
Qantas' claims (Score:5, Informative)
From the summary: "not interference from passenger electronics, as Qantas had initially claimed"
Care to show me where Qantas claimed that? It seems to be all the rage to say that Qantas are shifting the blame, but so far I've seen nothing at all to indicate that was the case. What I *have* seen was a statement from Qantas saying they were investigating passenger electronics as a possible cause. Now I know it doesn't make such good news, but I'm afraid there's a world of difference between investigating something and trying to place the blame on it. Unfortunately that's a distinction that appears to be lost on the crowd...
Re:Not an isolated incident (Score:2, Informative)
Re:Questions: (Score:5, Informative)
Qantas HAD an excellent reputation for safety, but that is surely history now. What was it, about 6-12 months ago they moved all of their international flights maintenance offshore. Qantas engineers went on strike etc. Lo and behold yet another outsourcing operation is falling flat on its face, unfortunately this time it could come at the expense of lives.
I'd be staying well away from Qantas international flights until they sort their shit out.
Re:Thanks, I'll pass on that flight... (Score:1, Informative)
The main point here is that the computer was doing the SAFE thing, in response to the inputs it was given. Why it did not have redundant inputs in this case will remain to be seen, but nevertheless.
The accident statistics of fly-by-wire planes can be looked up, and they're not very different from other planes.
That being said, there's been some controversy over the methodology used to develop the Airbus flight control systems, so if you're very paranoid you might want to stick with Boeing (n-version programming at Airbus vs. 1-version with more verification at Boeing).
Re:Questions: (Score:4, Informative)
When their A320 debuted at the French airshow, the computer got very confused at take off and simply refused to allow the pilot to pull up more than 20-30 feet off the ground, causing the a/c to crash into the forest at the end of the runway.
I remember reading about that in high school. It's one of the "cautionary tales" in The Day the Phones Stopped Ringing [amazon.com]. While the computers were initially blamed, the final conclusion was human error caused by a misplaced confidence in technology. It wasn't that the computers wouldn't let them pull up. The plane was physically incapable of pulling up when the pilots tried to. The pilots were maneuvering to give the crowd a good look and they believed the computers wouldn't let them do so if the plane couldn't handle it.
Re:Questions: (Score:5, Informative)
Queensland And Northern Territory Aerial Services.
Re:Questions: (Score:4, Informative)
Swiss German (Score:2, Informative)
Swiss German is a spoken-only language [1]; the Swiss write standard German [2]. And the LHC is in the French-speaking part of Switzerland and therefore the official project languages for the LHC are English and French.
[1] Meaning: There are no official spelling rules and if one wants to write down Swiss German anyway one has to make up spelling on the fly.
[2] http://en.wikipedia.org/wiki/Standard_German [wikipedia.org]
DO178B (Score:5, Informative)
Wiki link: http://en.wikipedia.org/wiki/DO-178B [wikipedia.org]
It set different standards for different types of code. The movies would be Class E, a non-critical nav system maybe C or D, FCS probably A. But even then, the code can be made modular to decrease the assurance level required. For instance, an artificial horizon needs to work, right? But you normally have more than one in a cockpit. If one goes bad, you can use the other, not catastrophic. But the key is the pilot(s) need to recognize that it's busted. What if one froze in place in flight during landing? The pilot might follow it and go ka-boom.
So by itself, an electronic artificial horizon would require level A ($$$) software so that it 'never' fails. This is very very expensive (for level A the post-compiler machine code must be analyzed for possible compiler issues, and MC/DC http://en.wikipedia.org/wiki/Modified_Condition/Decision_Coverage [wikipedia.org] coverage)
So instead, they write it to a lower level, and then create a small set of code that cross-checks everything and kills off any horizon that's malfunctioning by placing a big "X" (or whatever) on the screen instead. Lower risk and greatly reduced cost.
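The cross-check monitor described in the comment above, sketched as an added example that is not part of the original thread or of any avionics code base: three redundant pitch sources are voted by median, and a source that disagrees persistently is latched as failed so its display can be replaced by an "X". The three-source layout, the tolerance and persistence values, and all names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#define N_SRC   3
#define TOL_DEG 2.0   /* assumed: max allowed disagreement with the median */
#define PERSIST 3     /* assumed: consecutive bad samples before latching */

typedef struct {
    int    bad_count[N_SRC];
    bool   failed[N_SRC];  /* latched: this display is replaced by an "X" */
    double voted;          /* median of the three sources */
} monitor_t;

static double median3(double a, double b, double c)
{
    double lo = a < b ? a : b, hi = a < b ? b : a;
    return c < lo ? lo : (c > hi ? hi : c);
}

/* Feed one pitch sample per source; returns a bitmask of flagged sources. */
unsigned monitor_step(monitor_t *m, const double pitch[N_SRC])
{
    unsigned mask = 0;
    m->voted = median3(pitch[0], pitch[1], pitch[2]);
    for (int i = 0; i < N_SRC; i++) {
        double dev = pitch[i] > m->voted ? pitch[i] - m->voted : m->voted - pitch[i];
        if (dev <= TOL_DEG)
            m->bad_count[i] = 0;              /* transient: clear the count */
        else if (++m->bad_count[i] >= PERSIST)
            m->failed[i] = true;              /* persistent: latch the flag */
        if (m->failed[i]) mask |= 1u << i;
    }
    return mask;
}

/* Constructed data: pitch rises 1 deg per sample, source 1 freezes at 0. */
unsigned run_frozen_demo(void)
{
    monitor_t m = {0};
    unsigned mask = 0;
    for (int t = 0; t < 8; t++) {
        double s[N_SRC] = { (double)t, 0.0, t + 0.3 };
        mask = monitor_step(&m, s);
    }
    return mask;
}

/* Constructed data: one wild sample on source 2, then agreement again. */
unsigned run_spike_demo(void)
{
    monitor_t m = {0};
    double spike[N_SRC] = { 1.0, 1.0, 50.0 }, ok[N_SRC] = { 1.0, 1.0, 1.0 };
    monitor_step(&m, spike);
    return monitor_step(&m, ok);
}

int main(void)
{
    printf("frozen=%u spike=%u\n", run_frozen_demo(), run_spike_demo());
    return 0;
}
```

The frozen source is caught only once the aircraft's real pitch has moved away from the stuck value for `PERSIST` samples, while a single wild sample is outvoted by the median without latching a failure.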
Re:DO178B (Score:4, Informative)
For those that are interested in coding/test methodologies, the FAA and EUROCAE jointly created a system called "DO178B/ED12b" which defined a set of software assurance guidelines for aircraft.
The important bit in that change is that they are guidelines, not standards; DO178b/ED12b is not mandatory (although compliance makes certification a whole lot easier).
Re:Don't forget the spin (Score:2, Informative)
Re:Questions: (Score:3, Informative)
P.S. Qantas never claimed it was passenger electronics. The Australian Transport Safety Bureau (ATSB) http://www.atsb.gov.au/newsroom/2008/release/2008_43.aspx [atsb.gov.au] said that laptops could have interfered with the plane's on-board computer system... but the bureau also said in the same breath that it's too early to make that judgment. From that bland boring statement you arrive at Slashdot's and dozens of other sensationalist news headlines: "Qantas Blames Wireless For Aircraft Incidents" http://mobile.slashdot.org/article.pl?sid=08/10/09/1427232&tid=270 [slashdot.org]
WTF? Even five at the source http://www.atsb.gov.au/newsroom/media.aspx [atsb.gov.au] would have determined that.
I come here for NEWS not fucking Fox-News...
Re:Questions: (Score:1, Informative)
Correct me if I'm wrong but don't most modern aircraft have an inertial navigation system and a seperate angle of attack transmitter protruding from the plane? Why no redundancy?
OK, I'll correct you. You're wrong. The "seperate angle of attack transmitter" (sic) feeds information to the Air Data Inertial Reference System; it isn't a separate system. Avionics has become more and more integrated as time (and costs) have progressed. I suppose an analogy from the days of mechanical flying would be the VG toppling with the autopilot in command, IIRC there was a crash many years ago when such an event caused a fatal accident when VG failure was exacerbated by the AP failing to disconnect. Just the sort of thing that integrated avionics and flight control systems were supposed to prevent. Airbus use a triple channel ADIRU system; this simply *shouldn't* happen. Still, given Airbus' past record, I'm sure when one of these types of failures leads to fatalities it will be pilot error. Or maintenance error. Or maybe just an Act of God.
Does Qantas' aircraft maintenance suck or does Airbus' quality control suck? Do both suck?
Neither. You may be interested to learn that in the time I have taken to write this several hundred people have died in automobile accidents. None have experienced ADIRS failure on an Airbus. Qantas' admittedly freak oxygen bottle accident has put the media spotlight on them; they - shock horror - have since experienced a gear door problem and - gasp - a hydraulic leak. Gosh. Pretty routine failures pumped up by the press into something they're not. In my job with a major airline (not Qantas) I would say I see hydraulic leaks around once a week and gear retract problems perhaps once or twice a year.
Re:Questions: (Score:3, Informative)
We don't need to. The article you linked to says it was the pilot's fault. It's listed as 'Pilot error (disputed)' insofar as the pilot blamed a dodgy altimeter and some of the evidence was improperly handled, but he was still convicted of manslaughter for it.
Re:Don't forget the spin (Score:5, Informative)
RTFA. The computer was being fed random and wildly varying attitude inputs. It first pitched up, then dived, presumably responding to different random attitude inputs.
Regarding the earlier point: ATC people say they regularly hear the distinctive "ditda ditda" of an active cellphone on their channel because the pilots haven't turned off their own cellphones. So (a) active cellphones are failing to crash planes, even on presumably the most sensitive part of the craft, the flight deck, and (b) pilots know it and don't care.
Re:Don't forget the spin (Score:2, Informative)
Because a diving aircraft CAN stall; a stall occurs when the angle of attack (the angle between the mean chord of the wing and the relative airflow past the wing) exceeds a critical value. A stall can occur at any airspeed and is not dependent on the aircraft attitude. A stall condition is effectively the loss of the ability of an airfoil to generate lift, and could for example prevent an aircraft from being able to pull out of a dive.
http://en.wikipedia.org/wiki/Stall_(flight) [wikipedia.org]
hmmm... my CAPTCHA is 'terrify'
Re:Don't forget the spin (Score:5, Informative)
Re:Questions: (Score:2, Informative)
Re:Questions: (Score:5, Informative)
The actual story turns out to be a lot more complicated than that. There is some evidence that Airbus didn't adequately warn pilots about two known problems: refusal of the engines to accelerate upon command, and an altimeter misreading problem (see http://www.airdisaster.com/investigations/af296/af296.shtml [airdisaster.com] for info).
What actually happened (the true data from the crash) may never be known, because there was an apparent attempt by Airbus to cover up the true cause, by faking the flight recorder data (see http://www.crashdehabsheim.net/CRenglish%20phot.pdf [crashdehabsheim.net] for info). I'm not generally a conspiracy theorist, but in this case there is a LOT of evidence that Airbus and many officials hid the truth, to protect the state-run company from the proper blame.
Aside from the controversy, it is widely accepted in the aviation community (my job, by the way) that the COMPUTER was the cause of the problems, not the engines or sensors.
Since that accident, I have heard of several other Airbus accidents related to flight control computer "fly-by-wire" anomalies, and a number of pilots with whom I work refuse to fly on any Airbus aircraft for this reason. It's not the fly-by-wire thing that bothers them - it's the Airbus way of doing things.
Re:Been there, done that (Score:4, Informative)
On what reference frame?
Re:Don't forget the spin (Score:5, Informative)
The A330 also has much more powerful engines but neither of those really matter. The reason the pilot controls didn't respond is a matter of fly-by-wire philosophy. Do you allow the pilot to put the plane in a situation that will stall the plane or worse break it, or do you prevent the pilot from flying outside the capabilities of the plane? Airbus's philosophy is the latter. The only problem is - what if the flight control computer is wrong?
You do *not* need an autopilot to fly at that altitude. And yes I am an autopilot engineer.
Re:Don't forget the spin (Score:5, Informative)
Nonsense. The air is thin but not THAT thin. B-29 Superfortresses routinely flew at that height, via human piloting. You don't "need" an autopilot.
Firstly, the B-29 had the wings of a glider and cruised at 220 knots. The Airbus by contrast has swept wings optimized for cruise at .82 mach. What makes you think your intuition about the B29 is worth anything given the differences between those aircraft?
Secondly, the B29 was flown by autopilot in cruise. Preview "Bringing the Thunder" on Google books, page 155, for the memoirs of a B-29 pilot.
That said, this is not even an autopilot issue. The true source of this problem is the flight control system of the Airbus, which features a "self protection" system that intends to prevent the aircraft from stalling at any expense, and in this case, actively threatens the safety of the aircraft itself.
The truly frightening thing about this is that the air data computer clearly resumed normal operation at some point during the dive, and the aircraft was recoverable. Had this been a permanent failure of the air data computer, an Airbus pilot has no way to override the aircraft's intentions and recover from the dive. An Airbus pilot can only watch, as the airplane says, "No, really, I'm stalling, I have to hold the nose down and pick up airspeed!". With a failed ADC computer constantly and erroneously telling flight controls that the aircraft is in stall, an Airbus would dive, trying to recover, until it impacts the ground.
By contrast, a pilot of a Boeing aircraft can tell his aircraft that its worldview is wrong and fly it by hand in any circumstance.
This represents a fundamental difference in philosophy. Airbus trusts the computer and the system more than it trusts the pilot -- It says that the probability of a systems failure causing incorrect control commands and threatening the aircraft is less than the probability of a confused, tired, or impaired pilot losing control of the aircraft. Boeing, by contrast, trusts the pilot more than it trusts the system.
There have been aircraft accidents where an Airbus aircraft has crashed in situations where a Boeing aircraft would have been flyable by a human pilot.
There have also been aircraft accidents where a Boeing aircraft has crashed due to incorrect pilot procedures which could have been overridden by an Airbus aircraft's flight control system.
Each philosophy has its risks and rewards.
Re:Don't forget the spin (Score:5, Informative)
Typically, recent civilian and many military aircraft are "three dimensionally stable". The only exceptions to this are stunt planes and fighter aircraft. For pretty much everything else, the airplane will not only continue to fly straight and level once trimmed but will even return to straight and level after a control is deflected. That is, push the yoke forward and the increased speed causes additional lift and the plane returns to level flight. Deflect the yoke the other direction, the rudder or the ailerons and the same sort of "counter force" does the same thing; the plane returns to level flight. It just won't necessarily be on the same course as before. This is something that is typically demonstrated to a student pilot on their first flight with an instructor.
The old inertial autopilots kept a plane on the same course based on the directional gyro, turn and bank and rate of climb devices. Good enough to give the pilot a break but they only kept the plane headed in the direction originally input. Modern autopilots tie into the global positioning system and on-board navigation computers to allow things like a great circle route to be flown under autopilot that also corrects for changes in wind.
Only a very few recent fighter planes are so unstable that they require the on-board computer to keep the plane flying. The F-117 was the first such aircraft deployed. The idea is that making a fighter plane unstable means that it has no inherent preference as to which way to fly thus making it more maneuverable. On the other hand, there is no incentive to design such instability into an airliner and lots of reasons not to (like what happens when the autopilot fails).
Cheers,
Dave
Re:Don't forget the spin (Score:3, Informative)
It would be more accurate to say that stall is a function of airspeed and attitude. It's not dependent ONLY on airspeed or attitude, but you can induce stall by varying either.
Re:Don't forget the spin (Score:1, Informative)
You have a sort of twisted concept of what a stall is. A wing does not cease to generate lift in a stall. In fact, when a wing stalls, it is at the point where it is generating the maximum lift for a given airspeed. A stall is simply the point where, as angle of attack increases (the angle at which the wing meets the oncoming air), lift decreases. In normal flight, increasing angle of attack generates increased lift which allows for stable flight. When stalling, the airplane does begin to fall, but not nearly as fast as it would fall if the wing were producing no lift at all.
Re:Don't forget the spin (Score:3, Informative)
And my understanding is that Boeing does it the other way, where it allows the human pilot to override the computer, correct? Funny, I always figured that doing it the Airbus way would get someone into trouble some day...
But, then again, how many times have pilots/pilot error brought down aircraft? Maybe we should let the machines be the last line of defense =)
Re:irrelevant and incorrect (Score:4, Informative)
With an aerodynamically stable airplane, if the attitude control computer fails, it still may be possible to fly it "by hand." With an unstable airplane, the only thing the pilot can do is punch out under the same circumstances. Fly by wire (and lots of computing power) makes it possible to control an airplane that is aerodynamically unstable; it does not require that the plane be unstable. That's a design decision. Hopefully Airbus, etc. still provide the equivalent of a turn and bank indicator, rate of climb indicator, and gyro-compass so the pilot has a chance of flying the plane even if the attitude control computer goes wonky (and a way to take the attitude control computer off-line).
Your second example is very bogus. As an example, a flying wing such as the B-2 will make a very poor Styrofoam glider but the origins of the flying wing go back to WWII. Quite obviously, the B-35, N9M, etc. didn't have flight control computers but were controllable nonetheless. The problem with your example is that modeling things like the effect of a wing's dihedral on Styrofoam glider scales and speeds is difficult to do. This is primarily a result of the simple fact that lots of effects such as boundary layer conditions are not linear. It takes a huge amount of effort to craft an aerodynamic replica of a full size airplane that allows wind tunnel tests to be run on scale models and still get valid results. Just because a Styrofoam model doesn't glide says little or nothing about the stability of the full size airplane.
Cheers,
Dave