Algorithmic error led to an aircraft crash
Recently, on December 19, 2011, the Australian Bureau of Transport Safety issued a report on the accident with an A-330 aircraft (b / n VH-QPA) of Qantas, which occurred on October 7, 2008.
(photo by Stefan Roesh planepictures.net)
The unusual thing about this incident is that not only the equipment failure, but also an error in the system's data processing algorithm led to it. That's what I want to tell the habrasoobschestvu.
October 7, 2008 the plane with 303 passengers on board operated a flight Qantas72 Singapore - Perth, Western Australia. The flight took place in the daytime, in clear weather.
')
3 hours after takeoff, when the plane was in cruise flight, the autopilot turned off automatically, various alarm messages began to appear on the board, simultaneously stalling and speeding sirens were triggered, unrealistic flight parameters began to appear on the captain's screen.
5 minutes after the autopilot was turned off, when the captain tried to deal with the situation, the plane suddenly went into a dive, reaching a pitch value of 8.4 degrees. The pilot immediately pulled the handle towards himself to correct the situation. The vertical overload at the same time reached 1.5g in both directions. Many passengers at this moment were not fastened, and they were thrown at the ceiling. After another 3 minutes, the situation repeated itself, but with a smaller amplitude.
The commander decided to land the plane at the nearest airport. It was not possible to determine the cause of failures on board; the rest of the flight was commanded by the commander of the aircraft in alternate law, guided by reserve indicators. A further flight took place without incident, the plane landed at the airport Learmonth.
As a result of the incident, 119 passengers / crew members were injured, 12 of them severe.
event animation
damage in the cabin
Airplane A-330, like any other modern liner, has an electric remote control system. Direct control is carried out by the on-board computer, which receives signals through wires. To ensure the proper level of security, three computers (FCPC) are installed on the aircraft. Computers, in turn, receive data from three inertial navigation systems (ADIRU).
To prevent the aircraft from going out for critical flight modes, it has automatic protection against reaching the critical angles of attack, as well as protection against aerodynamic tailing at high Mach numbers. When they are triggered, the aircraft is automatically transferred to a dive and does not obey the control knob for 2s. The operation of one of these defenses and became the direct cause of a sharp decrease in pitch in flight. As a result, ADIRU LTN-101 modules from Northrop Grumman Corporation and FCPC modules manufactured by Airbus were dismantled and studied.
As a result of studying the information from the flight recorders, it was found that one of the ADIRU periodically gave out sharp jumps in several parameters, in particular, the angle of attack and the number M. After the tests, it was found out that the ADIRU had a hardware failure in the Intel processor, most likely because of a manufacturing defect. The failure was expressed in the fact that instead of, for example, the angle of attack, the height value was given, etc. More precisely, the nature of the failure could not be determined.
However, according to current standards, a failure in one of the aircraft’s systems should in no way lead to accidental consequences. How did it happen that the on-board computer “swallowed” the wrong value of the angle of attack and issued a command to dive?
Below is a block diagram of the processing angle of attack (AOA) algorithm:
To calculate the angle of attack, the average value from the two sensors AOA1 and AOA2 is used. If the value is very different from the average, the algorithm uses the most valid value for 1.2 seconds. If during a second the situation does not change - this input is disabled and is no longer used. The following shows possible scenarios with parameter deviations.
In our case, the D option was obtained. A second after the jump, the value was correct, but after 1.2 seconds a jump occurred again and this value was marked as valid (I personally did not understand why this difference of 0.2 seconds was invented).
Later, in the new version of the firmware, this problem was eliminated, but the sediment, as they say, remained.
In conclusion, I want to note that, despite occasional errors in the design of systems and hardware failures of electronics, computer control is still more reliable than man. Disasters due to the human factor occur much more often than due to technical ones, therefore in the future aviation will develop further and further in the direction of automatic flight control.
(photo by Stefan Roesh planepictures.net)
The unusual thing about this incident is that not only the equipment failure, but also an error in the system's data processing algorithm led to it. That's what I want to tell the habrasoobschestvu.
Flight history
October 7, 2008 the plane with 303 passengers on board operated a flight Qantas72 Singapore - Perth, Western Australia. The flight took place in the daytime, in clear weather.
')
3 hours after takeoff, when the plane was in cruise flight, the autopilot turned off automatically, various alarm messages began to appear on the board, simultaneously stalling and speeding sirens were triggered, unrealistic flight parameters began to appear on the captain's screen.
5 minutes after the autopilot was turned off, when the captain tried to deal with the situation, the plane suddenly went into a dive, reaching a pitch value of 8.4 degrees. The pilot immediately pulled the handle towards himself to correct the situation. The vertical overload at the same time reached 1.5g in both directions. Many passengers at this moment were not fastened, and they were thrown at the ceiling. After another 3 minutes, the situation repeated itself, but with a smaller amplitude.
The commander decided to land the plane at the nearest airport. It was not possible to determine the cause of failures on board; the rest of the flight was commanded by the commander of the aircraft in alternate law, guided by reserve indicators. A further flight took place without incident, the plane landed at the airport Learmonth.
As a result of the incident, 119 passengers / crew members were injured, 12 of them severe.
event animation
damage in the cabin
Investigation
Airplane A-330, like any other modern liner, has an electric remote control system. Direct control is carried out by the on-board computer, which receives signals through wires. To ensure the proper level of security, three computers (FCPC) are installed on the aircraft. Computers, in turn, receive data from three inertial navigation systems (ADIRU).
To prevent the aircraft from going out for critical flight modes, it has automatic protection against reaching the critical angles of attack, as well as protection against aerodynamic tailing at high Mach numbers. When they are triggered, the aircraft is automatically transferred to a dive and does not obey the control knob for 2s. The operation of one of these defenses and became the direct cause of a sharp decrease in pitch in flight. As a result, ADIRU LTN-101 modules from Northrop Grumman Corporation and FCPC modules manufactured by Airbus were dismantled and studied.
As a result of studying the information from the flight recorders, it was found that one of the ADIRU periodically gave out sharp jumps in several parameters, in particular, the angle of attack and the number M. After the tests, it was found out that the ADIRU had a hardware failure in the Intel processor, most likely because of a manufacturing defect. The failure was expressed in the fact that instead of, for example, the angle of attack, the height value was given, etc. More precisely, the nature of the failure could not be determined.
However, according to current standards, a failure in one of the aircraft’s systems should in no way lead to accidental consequences. How did it happen that the on-board computer “swallowed” the wrong value of the angle of attack and issued a command to dive?
Below is a block diagram of the processing angle of attack (AOA) algorithm:
To calculate the angle of attack, the average value from the two sensors AOA1 and AOA2 is used. If the value is very different from the average, the algorithm uses the most valid value for 1.2 seconds. If during a second the situation does not change - this input is disabled and is no longer used. The following shows possible scenarios with parameter deviations.
In our case, the D option was obtained. A second after the jump, the value was correct, but after 1.2 seconds a jump occurred again and this value was marked as valid (I personally did not understand why this difference of 0.2 seconds was invented).
Later, in the new version of the firmware, this problem was eliminated, but the sediment, as they say, remained.
In conclusion, I want to note that, despite occasional errors in the design of systems and hardware failures of electronics, computer control is still more reliable than man. Disasters due to the human factor occur much more often than due to technical ones, therefore in the future aviation will develop further and further in the direction of automatic flight control.
Source: https://habr.com/ru/post/139199/
All Articles