Airbus crash/training flight


Old 18th Sep 2010, 18:01
  #1261 (permalink)  
PBL
 
Join Date: Sep 2000
Location: Bielefeld, Germany
Posts: 955
A lot of comment here about detection of incorrect data from multiple sensors; voting algorithms and the like. This is a serious and involved technical topic involving considerable insight and expertise in algorithm design. It is not easy.

Can you algorithmically detect two out of three incorrect sensors? Well, it depends on what fault detection and tolerance algorithms you have decided to implement, and it has a lot to do with whether you think the HW and SW needed for implementing those algorithms is more reliable than a simple system which doesn't detect such anomalies but is rarely subject to such failures.

SPA83 thinks that failure to detect the sensor-anomaly situation on the accident aircraft is a
Originally Posted by SPA83
serious breach of Airbus in the certification standards
No, it's not. You can't condemn a manufacturer for not solving a problem that is generally insoluble without considerable trade-offs (and even then only part-soluble). Maybe SPA83 would like to propose his own solution to the problem and write it out here. That would at least ensure that he/she understands the problem before wagging the finger at someone for not solving it.

BOAC said:
Originally Posted by BOAC
I would have expected an aircraft, which is supposed to be all things to all pilots, to know when 2 of its 3 PRIMARY sensors have 'failed' and therefore disagreed with the third.
No one who works in this area knows of any reliable way of accomplishing this feat in general, the way it is stated here. Specific sorts of failures can be detected and accommodated: in this particular case, of course, putting a water-detector in each instrument would have sufficed, but it is (I hope, obviously) impractical in general to think of every specific possible anomaly and put in a circuit to detect exactly that condition.

None of the general methods are oriented towards common-cause failures such as happened to the accident aircraft.

Just to be clear, the sensor failures on the accident aircraft were not Byzantine faults. I also find the Wikipedia article on Byzantine faults to be confusing and generally poorly written. There will shortly appear a set of slides from a brilliant keynote talk last Thursday by Kevin Driscoll at SAFECOMP 2010 on instances of Byzantine failures in aerospace.

PBL
PBL is offline  
Old 18th Sep 2010, 18:10
  #1262 (permalink)  
 
Join Date: Jan 2008
Location: Scandinavia
Posts: 98
PBL: agree that the wikipedia article is not great - however for those talking about sensor failure, voting and detection it is the best starting place to understand this topic. Maybe I should have written my reply better...

fc101
E145 Driver
fc101 is offline  
Old 18th Sep 2010, 18:12
  #1263 (permalink)  
 
Join Date: Aug 2005
Location: London
Posts: 78
The ATC contribution

alemaobaiano - Neither XL crew were 'playing games' as you put it, they were just trying to do a job. They clearly expected to be able to use a block of airspace, as one would in the UK, well away from any airway hotspot. They had discussed this with the ATC unit at Perpignan, who could see no problem with the plan, and the subsequent refusal left them baffled, as noted in the report. Apparently no explanation or alternative area was offered, I call that unhelpful, what would you call it? I don't know why the words 'Test flight' weren't used, but the patterns they wanted to fly would have been identical to any general handling detail, so what's in a name?

As for the A330 accident, the trigger was the ATC request to alter the level off from 6000ft (from memory) to 2000ft; I didn't say or imply or mean this was in some way a piece of deliberate sabotage, merely that it is very easy for the (very) best laid plans to get screwed up by ATC inputs. The fact that both incidents happened in France is mere coincidence, I've nothing against French ATC.
gonebutnotforgotten is offline  
Old 18th Sep 2010, 18:13
  #1264 (permalink)  
 
Join Date: Jan 2001
Location: UK
Posts: 2,044
BOAC...

I would have expected an aircraft, which is supposed to be all things to all pilots, to know when 2 of its 3 PRIMARY sensors have 'failed' and therefore disagreed with the third.
I am not sure they are "primary sensors"? The fact is the aircraft flew nigh on normally with 2 of them failed / stuck. The report at some point discussed them as "stall warning devices" in certification terms... and they are "triple redundancy" in this, in that with only 1 working, they still got a (correct) stall warning.

We must understand that in normal ops, it would take an <10^-6 scenario to replicate this as an accident. It would require a multiple AoA failure (improbable), followed by a crew flying at Vref-20K or less, with all the characteristics of an approaching stall (low IAS, high nose attitude). Therefore to relate the design in this area to normal ops is stretching things. I suspect the AoA probes would "report" themselves as faulty in the PFR, so again, for an accident to occur in normal ops, the low speed scenario would have to occur on the 1st flight post the common maint error.

I cannot get away from the fact this was an HF accident - and those factors are not confined to the pilots, but also to the airlines who "tasked" them. It is a bit much to blame the aircraft design for "not saving" such reckless and ill thought out testing of those very AoA system(s).

For those who say "but the pilots should have been told the AoAs disagreed"... Why? We don't fly the Airbus on AoA! The only people who "need to know" the AoAs are dodgy are those who fly the test profiles... who it might be assumed know what to look for (as the report says, it was patently obvious the AoA info was faulty by the Alpha Max/Prot indications).

NoD
NigelOnDraft is offline  
Old 18th Sep 2010, 18:18
  #1265 (permalink)  
PBL
 
Join Date: Sep 2000
Location: Bielefeld, Germany
Posts: 955
fc101,

Originally Posted by fc101
agree that the wikipedia article is not great - however for those talking about sensor failure, voting and detection it is the best starting place to understand this topic
I don't agree. For example, This article by Driscoll et al. from SAFECOMP 2003 is a much more understandable article which talks about Byzantine failures as they actually occur in aeronautics.

PBL
PBL is offline  
Old 19th Sep 2010, 07:19
  #1266 (permalink)  
Per Ardua ad Astraeus
 
Join Date: Mar 2000
Location: UK
Posts: 18,582
Originally Posted by Nod
I am not sure they are "primary sensors"?
- hang on a moment - shall we all take a breath? I thought the brilliance of the AB technology was sold (for the 'concierge', of course) on the fact that it was 'unstallable' in normal flight? Unless I have this wrong, is this protection not based primarily on AoA readings?

It is not beyond the bounds of your HF arena for a 'normal' crew to screw up the speeds with 2 out of 3 sensors screwed. What then? 'Check GW?. I'm not sure many of us would have reacted correctly to that warning

No, as long as sentient beings remain in the cockpit there should be as many clear indications of which bricks have fallen from the castle walls as possible. At least (hopefully) an 'AoA disagree' or similar warning might have made an average crew stop and think about testing the AoA protection.
Therefore to relate the design in this area to normal ops is stretching things.
- agreed, but AB are hung on the scaffold of the sales brochures, I'm afraid. How many other little glitches are there lurking in the wires? We are still groping in the dark on the Air France Airbus crash. Was that another one? As I said in post #1 on my other thread
One (task) is for the manufacturer/regulators/operators to ensure something usable remains, and not to be seduced into glittery-eyed fascination with how clever everything is.
- I don't think we are there yet. Where is the warning that tail trim is 'excessive'? Where is 'Hey fellow, this is 'Hal' - I am not sure what is happening with the AoA probes - please check for me - I may be confused'?

Give a crew the necessary information. Let's make sure EVERYONE understands the system is not 'perfect'.

This goes for all 'modern' aviation technology, by the way.
BOAC is offline  
Old 19th Sep 2010, 07:39
  #1267 (permalink)  
 
Join Date: Jan 2001
Location: UK
Posts: 2,044
I thought the brilliance of the AB technology was sold (for the 'concierge', of course) on the fact that it was 'unstallable' in normal flight?
???? Not seen that anywhere? It has some "protections", but it is not flown in an everyday manner so as to get anywhere near them.

It is not beyond the bounds of your HF arena for a 'normal' crew to screw up the speeds with 2 out of 3 sensors screwed
Please re-read my post. This takes a number of "improbable events" in sequence, much as most design decisions are based on. What use would a "AoA disagree" message have been (and difficult, since in fact the 2 main AoAs were frozen at ~the same value)? We don't fly on AoA. So the QRH/ECAM says "take care, do not stall". Errr... I don't tend to plan to anyway Yes - a consideration that perhaps it could have degraded to Altn Law, for a Direct Law landing, but if every little sensor reporting a problem gets this level of degradation, then few Airliners would despatch (B machines included).

What then? 'Check GW?. I'm not sure many of us would have reacted correctly to that warning
Please re-read the context of that. A Test Crew should have understood that a "Check GW" message, together with Alpha Displays being clearly incorrect.

Give a crew the necessary information
They had it:
  1. Do not perform this Test unless you are Qualified e.g. Test Crew.
  2. Do not perform this test below 12000'
  3. The speed output of this test is in the table below. Do not go below it - if the desired result is not occurring, recover to normal flight and consider what is happening.
  4. Consider what you are testing, why you are testing it, and what will happen if it goes wrong...
Let's make sure EVERYONE understands the system is not 'perfect'.
This goes for all 'modern' aviation technology, by the way
Exactly, and this applies to the Airbus as much as any aircraft. The approach and lead up to this accident shows exactly that... and I for one think in this accident Airbus (as a company) come out well... all the warning signs were there (who could do the test, the altitude, the confidentiality agreements before handing over the schedules etc.)

Bottom line - see where the Report's Safety Recs lie. Largely HF. I still have trouble seeing this as an Airbus specific issue. It is so similar to the 2 EJ 737 incidents, where the outcome was different purely due to the adherence to basic safety precautions.

NoD
NigelOnDraft is offline  
Old 19th Sep 2010, 07:42
  #1268 (permalink)  
Per Ardua ad Astraeus
 
Join Date: Mar 2000
Location: UK
Posts: 18,582
Not seen that anywhere?
- where HAVE you been?
BOAC is offline  
Old 19th Sep 2010, 08:44
  #1269 (permalink)  
 
Join Date: Dec 2007
Location: france
Age: 71
Posts: 74
PBL. According to CS25, this is the responsibility of the manufacturer. If the manufacturer is not able to inform the pilots that an equipment is faulty that means he has serious shortcomings in the design of its systems
SPA83 is offline  
Old 19th Sep 2010, 09:10
  #1270 (permalink)  

Metrosexual
 
Join Date: May 2003
Location: Enroute
Posts: 624
Can someone please provide a link to the Airbus Industrie A330 accident?

I can't seem to find one anywhere.

Thanks.
Jet_A_Knight is offline  
Old 19th Sep 2010, 09:49
  #1271 (permalink)  
 
Join Date: Aug 2005
Location: London
Posts: 78
Can someone please provide a link to the Airbus Industrie A330 accident?
Jet_A_Knight - For some odd reason I cannot find the A330 Toulouse accident report on the BEA website either. There are others available, e.g. The Risks Digest Volume 16: Issue 39, a contribution from PPRuNe's own PBL. But none I have seen recently mention that the reason, as I recall it, for the low selected altitude on that test point was the request from ATC on the previous landing to restrict the next take-off to 2000ft instead of the 6000 called for in the test plan. As PBL notes, though, it took that sequence to show that the A330 at aft CG might not cope with TOGA and eng fail and low level off.
gonebutnotforgotten is offline  
Old 19th Sep 2010, 10:21
  #1272 (permalink)  
PBL
 
Join Date: Sep 2000
Location: Bielefeld, Germany
Posts: 955
gonebutnotforgotten,

for those who read French, the preliminary report of the 1994 A330 Test Flight accident is at this entry in the CRICA Compendium. I am not aware of an English version.

SPA83,
Originally Posted by SPA83
According to CS25, this is the responsibility of the manufacturer.
No one, least of all the certification authorities who issue CS 25, expect a manufacturer to solve algorithmic problems whose general solutions are known to no one. Even if it said in CS 25 that a manufacturer must solve the twin-primes problem, no sensible regulator would enforce that.
Originally Posted by SPA83
If the manufacturer is not able to inform the pilots that an equipment is faulty that means he has serious shortcomings in the design of its systems
I think it is inappropriate for someone who neither understands the technology nor the issues involved, such as yourself apparently, to conclude there are "serious shortcomings" here in the system design.

It seems to me that the issue of testing AoA sensorics is adequately solved by the measures pointed out here by Nigel on Draft. The report points out that the indications of sensor error were indeed present on the cockpit indicators where they should appear, but were apparently not well interpreted.

PBL
PBL is offline  
Old 19th Sep 2010, 11:31
  #1273 (permalink)  
 
Join Date: Dec 2007
Location: france
Age: 71
Posts: 74
PBL, just try again to read and understand the CS 25.1309 paragraph.

(c) Information concerning unsafe system operating conditions must be provided to the crew to enable them to take appropriate corrective action. A warning indication must be provided if immediate corrective action is required. Systems and controls, including indications and annunciations must be designed to minimise crew errors, which could create additional hazards

To help you…
Has the crew been warned about AoA probes failure ? : NO
Is this an anomaly according to CS 25 ? : YES
SPA83 is offline  
Old 19th Sep 2010, 11:48
  #1274 (permalink)  
 
Join Date: Mar 2002
Location: Florida
Posts: 5,300
I would be careful about the rhetorical difference in an anomaly and an unsafe condition.

In my experience an unsafe condition is one that is likely to evolve to a specified level of hazard to the aircraft within a defined range of probability.

We could go into much greater detail about the defined level of hazards vs probabilities that are considered in aircraft design but that would divert this thread.

A simple malfunction needs to be considered in combination as to whether it is likely to lead to failure to complete a safe flight and landing. The strongest argument that it is still safe is the redundancy within the system.

Thus let us not be too quick in judging that the design is faulty.
lomapaseo is offline  
Old 19th Sep 2010, 12:13
  #1275 (permalink)  
PBL
 
Join Date: Sep 2000
Location: Bielefeld, Germany
Posts: 955
SPA83,

I pointed out that that part of CS 25 isn't really meant to be read in the way in which you are reading it, and gave some indications why that is.

I don't care to indulge in a " 'tis ", " 'tisn't ", " 'tis" " 'tisn't" exchange, because I find it boring and I am here to entertain myself.

PBL
PBL is offline  
Old 19th Sep 2010, 13:29
  #1276 (permalink)  
 
Join Date: Dec 2007
Location: france
Age: 71
Posts: 74
PBL, I read it as a pilot does. I'm quite sure that people like you enjoy playing games with algorithms but pilots don't fly airplanes with that sort of « bidule » (maybe concierges do…). Pilots fly airplanes with their hands, their feet, their eyes, their ears, their mind and information they receive. The end.
SPA83 is offline  
Old 19th Sep 2010, 13:37
  #1277 (permalink)  
 
Join Date: Jan 2005
Location: W of 30W
Posts: 1,939
PBL and NoD,

I'm not sure you realize the central position Airbus gave to the AoA data.
Pilots don't fly the Airbus on AoA, BUT the AoA data are the core of the main protection features of the Airbus.

As soon as the AoA data show a discrepancy, it is the most common sense duty for the manufacturer to clearly advise the crew. At this point the crew will proceed as politely as possible to the end of the flight.

Even better, the crew should be able by a single switch to disable all protection features, making sure they won't interfere based on faulty information.
CONF iture is offline  
Old 19th Sep 2010, 15:37
  #1278 (permalink)  
 
Join Date: Jan 2001
Location: UK
Posts: 2,044
Pilots don't fly the Airbus on AoA, BUT the AoA data are the core of the main protection features of the Airbus
We could debate the semantics, but yes, they are at the core of some of the protections (Alpha Prot, Max AoA). I am not sure that AoA has much to do with Max AoB / Max/Min Pitch / Max/Min 'g' but I am sure you know better

As soon as the AoA data show a discrepancy, it is the most common sense duty for the manufacturer to clearly advise the crew
Disagree to an extent, and did they show a "discrepancy"? They froze pretty much at the same value. I would guess, but am not sure, the system would not adversely react to a single excessive AoA value. Low AoA values (as here) are hard to detect, and not in themselves hazardous.

At this point the crew will proceed as politely as possible to the end of the flight
Really? Where does this come from?

Even better, the crew should be able by a single switch to disable all protection features, making sure they won't interfere based on faulty information
I am sure the Certification Authorities will fairly quickly act on your advice.

Summary: suggest we take a step back from all the theoretical angles above and review what happened. This is a public transport airliner, flown by well trained crews to fairly unadventurous SOPs. The design philosophy is to make that as safe as possible, within certification requirements. If you truly feel that this accident exposes a serious flaw in the design within that requirement, please post here an event sequence that leads to an accident.

Of course, when one ventures outside that requirement, the "design" features e.g. FBW / protections / auto trim, might start to make life harder. You do not design an aircraft to make test flying easier / safer, you rely on procedures / training to work out the hazards, and avoid / predict them.

SPA83:
CS 25.....

(c) ..... A warning indication must be provided if immediate corrective action is required....
What "immediate corrective action" is required? None at all in normal operations. So I disagree.

I might take you to task with
Has the crew been warned about AoA probes failure ? NO
They had been to an extent - the clearly incorrect Alpha Max/Prot displays - as discussed in the report.

Finally I go back to the report:
Causes: Nothing to do with design.
4 recs. None querying the compliance with certification standards. Some tightening up of anomalies that were noted.

NoD
NigelOnDraft is offline  
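
The common-cause case discussed in this thread (two of three AoA channels frozen at about the same value), as an added sketch that is not any poster's code and not Airbus's actual logic. It is a generic mid-value voter with an assumed 2-degree disagreement threshold and constructed readings: with one stuck channel the voter rejects the bad one, with two it rejects the healthy one.

```python
from statistics import median

THRESHOLD_DEG = 2.0  # assumed disagreement threshold (hypothetical value)

# Constructed true angle of attack during a deceleration, in degrees.
TRUE_AOA = [4.0, 6.0, 8.0, 10.0, 12.0, 14.0]


def vote(readings, threshold=THRESHOLD_DEG):
    """Mid-value select over three channels.

    Any channel further than `threshold` from the median is rejected and
    the remaining channels are averaged.
    Returns (selected_value, rejected_channel_indices).
    """
    mid = median(readings)
    rejected = [i for i, r in enumerate(readings) if abs(r - mid) > threshold]
    kept = [r for i, r in enumerate(readings) if i not in rejected]
    return sum(kept) / len(kept), rejected


def simulate(frozen, true_aoa, freeze_value=4.2):
    """Run the voter over a time series.

    `frozen` is the set of channel indices stuck at `freeze_value`
    (constructed); every other channel reports the true value.
    Returns a list of (truth, selected, rejected) tuples.
    """
    results = []
    for truth in true_aoa:
        readings = [freeze_value if ch in frozen else truth for ch in range(3)]
        selected, rejected = vote(readings)
        results.append((truth, selected, rejected))
    return results


if __name__ == "__main__":
    for label, frozen in (("one frozen", {0}), ("two frozen", {0, 1})):
        print(label)
        for truth, selected, rejected in simulate(frozen, TRUE_AOA):
            print(f"  truth={truth:5.1f}  selected={selected:5.2f}  "
                  f"rejected={rejected}")
```

In the two-frozen run the selected value stays at 4.2 while the true angle reaches 14, and the only channel flagged is channel 2, the one that is still working.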
Old 19th Sep 2010, 15:48
  #1279 (permalink)  
PBL
 
Join Date: Sep 2000
Location: Bielefeld, Germany
Posts: 955
Originally Posted by CONF_iture
I'm not sure you realize the central position Airbus gave to the AoA data.
Personally, I think I know comparatively quite a lot about these systems. I just wish we could have a reasonable technical discussion about them, as the Concorde people seem able to discuss their favorite airplane on Tech Log, rather than a discussion in which people use their untutored personal philosophies of airplane design to impose requirements on system manufacturers which are currently infeasible.

PBL
PBL is offline  
Old 19th Sep 2010, 17:43
  #1280 (permalink)  
 
Join Date: Jul 2002
Location: UK
Posts: 3,182
The crux of the matter to me appears to be that the AoA failure, while certainly a "hole in the cheese", was secondary to a failure on the part of the humans involved - from the hapless ground staff who used incorrect procedures to rinse the aircraft, to the crew who failed to plan their test cycles correctly and then carried them out in a haphazard manner.

Sensor failure is something that can trip a crew working to IFR up no matter what they are flying. I'm reminded of the BirgenAir accident where the cause of the crew's disorientation was undoubtedly a blocked pitot probe feeding the Captain's panel, but the fact remained that the crew should have aborted the flight and returned to land the second they saw a discrepancy in airspeed indication (which, as I recall, first manifested on the runway).
DozyWannabe is offline  
