The ATSB has found a dormant fault in the software installed on all Airbus A330s sent a Qantas flight berserk in a set of dives that injured 119 people in 2008.
After considering everything from electromagnetic interference from a defence signalling facility at Exmouth to cosmic ray damage, the air safety investigator found that Qantas flight QF72, an A330-300, dived out of control on a flight from Singapore to Perth on 7 October 2008 after a software fault in its flight control primary computers was triggered by their being fed false flight parameters from another device.
The two upsets or losses of control that resulted were promptly brought under control by the pilots, but threw many passengers who were not wearing seat belts about the cabin, some smashing through overhead panels with their heads. QF72 then made an emergency landing at Learmonth, where it was found that 119 out of the 315 passengers and crew on board had suffering injuries, 12 of them having been seriously injured and a further 39 requiring hospital treatment.
In a highly technical report, the ATSB says:
In essence a design limitation with the flight control primary computers software combined with an air data inertial reference unit failure to falsely activate the corrective mechanisms and produce the pitch downs. The subsequent vertical accelerations led to a large number of injuries to the aircraft’s occupants, with the number and extent of these injuries being exacerbated by many of the occupants not wearing seat belts.
The ATSB says the potential but highly improbable fault in computer software had been present in all Airbus A340/A330 airliners since the family first went into service in 1992. Its triggering involved a scenario that had not been envisaged by the designers.
While the aircraft was in cruise at 37,000 ft, one of the aircraft’s three air data inertial reference units (ADIRUs) started outputting intermittent, incorrect values (spikes) on all flight parameters to other aircraft systems. Two minutes later, in response to spikes in angle of attack (AOA) data, the aircraft’s flight control primary computers (FCPCs) commanded the aircraft to pitch down. At least 110 of the 303 passengers and nine of the 12 crew members were injured; 12 of the occupants were seriously injured and another 39 received hospital medical treatment.
Although the FCPC algorithm for processing AOA data was generally very effective, it could not manage a scenario where there were multiple spikes in AOA from one ADIRU that were 1.2 seconds apart. The occurrence was the only known example where this design limitation led to a pitch-down command in over 28 million flight hours on A330/A340 aircraft, and the aircraft manufacturer subsequently redesigned the AOA algorithm to prevent the same type of accident from occurring again.
Each of the intermittent data spikes was probably generated when the LTN-101 ADIRU’s central processor unit (CPU) module combined the data value from one parameter with the label for another parameter. The failure mode was probably initiated by a single, rare type of internal or external trigger event combined with a marginal susceptibility to that type of event within a hardware component. There were only three known occasions of the failure mode in over 128 million hours of unit operation. At the aircraft manufacturer’s request, the ADIRU manufacturer has modified the LTN-101 ADIRU to improve its ability to detect data transmission failures.
In its analysis of the accident the ATSB says that the sequence of events that occurred during cruise could not have been replicated when the A330 was close to the ground approaching or departing from a runway because of the different way its computer based control systems operated at those stages of a flight.
It also says it seemed ‘very unlikely’ that the two pitch-downs that occurred before QF72 landed at Learmonth could have led to the loss of the aircraft or a large number of fatalities.
However on a reading of the full report, it is made abundantly clear that the skill, experience and training of the Qantas pilots were absolutely critical to the safe outcome. If that jet had been flown the way two Jetstar flights were flown this year, the lack of experience or outright incompetence of the junior pilots on each of those flights would have confronted the experienced captain on QF72 with an exceedingly demanding challenge.
In fact in the case of a 3 November Jetstar incident, which the ATSB has refused to investigate, the inexperienced and possibly poorly trained junior pilot twice pulled the wrong lever when commanded to alter the flap setting.
(How this person was ever accepted by an Australian airline to be properly trained to fly as a first officer, or take over from an incapacitated captain, will not therefore be investigated by an impartial outside party charged with issuing public reports.)
There is what is believed to be a very good animation of the QF72 in-flight upset on the ATSB site where the full report can be downloaded here, however some Macintosh users, including the writer, could not make the link work.
According to the ATSB the video was encoded with the MPEG-4 XVID codec, which if you go to that link, is described as being ‘predominantly for PC’s and ‘not well supported for Macs’, including iPads. A multi-platform HD You Tube rendering would be much better solution than leaving some of those accessing the ATSB web site to perform software surgery.
Nothing as complex, however, as the software surgery that this ATSB report has instigated for A330s and A340s, for which all air travellers should be most grateful.