Airbus crash/training flight
Join Date: Sep 2000
Location: Bielefeld, Germany
Posts: 955
A lot of comment here about detection of incorrect data from multiple sensors; voting algorithms and the like. This is a serious and involved technical topic involving considerable insight and expertise in algorithm design. It is not easy.
Can you algorithmically detect two out of three incorrect sensors? Well, it depends on what fault detection and tolerance algorithms you have decided to implement, and it has a lot to do with whether you think the HW and SW needed for implementing those algorithms is more reliable than a simple system which doesn't detect such anomalies but is rarely subject to such failures.
SPA83 thinks that failure to detect the sensor-anomaly situation on the accident aircraft is a
Originally Posted by SPA83
serious breach of Airbus in the certification standards
No, it's not. You can't condemn a manufacturer for not solving a problem that is generally insoluble without considerable trade-offs (and even then only part-soluble). Maybe SPA83 would like to propose his own solution to the problem and write it out here. That would at least ensure that he/she understands the problem before wagging the finger at someone for not solving it.
BOAC said:
Originally Posted by BOAC
I would have expected an aircraft, which is supposed to be all things to all pilots, to know when 2 of its 3 PRIMARY sensors have 'failed' and therefore disagreed with the third.
No one who works in this area knows of any reliable way of accomplishing this feat in general, the way it is stated here. Specific sorts of failures can be detected and accommodated: in this particular case, of course, putting a water-detector in each instrument would have sufficed, but it is (I hope, obviously) impractical in general to think of every specific possible anomaly and put in a circuit to detect exactly that condition.
None of the general methods are oriented towards common-cause failures such as happened to the accident aircraft.
Just to be clear, the sensor failures on the accident aircraft were not Byzantine faults. I also find the Wikipedia article on Byzantine faults to be confusing and generally poorly written. There will shortly appear a set of slides from a brilliant keynote talk last Thursday by Kevin Driscoll at SAFECOMP 2010 on instances of Byzantine failures in aerospace.
PBL
Join Date: Jan 2008
Location: Scandinavia
Posts: 98
PBL: agree that the Wikipedia article is not great - however for those talking about sensor failure, voting and detection it is the best starting place to understand this topic. Maybe I should have written my reply better...
fc101
E145 Driver
Join Date: Aug 2005
Location: London
Posts: 78
The ATC contribution
alemaobaiano - Neither XL crew were 'playing games' as you put it, they were just trying to do a job. They clearly expected to be able to use a block of airspace, as one would in the UK, well away from any airway hotspot. They had discussed this with the ATC unit at Perpignan, who could see no problem with the plan, and the subsequent refusal left them baffled, as noted in the report. Apparently no explanation or alternative area was offered; I call that unhelpful, what would you call it? I don't know why the words 'Test flight' weren't used, but the patterns they wanted to fly would have been identical to any general handling detail, so what's in a name?
As for the A330 accident, the trigger was the ATC request to alter the level off from 6000ft (from memory) to 2000ft; I didn't say or imply or mean this was in some way a piece of deliberate sabotage, merely that it is very easy for the (very) best laid plans to get screwed up by ATC inputs. The fact that both incidents happened in France is mere coincidence, I've nothing against French ATC.
Join Date: Jan 2001
Location: UK
Posts: 2,044
BOAC...
Originally Posted by BOAC
I would have expected an aircraft, which is supposed to be all things to all pilots, to know when 2 of its 3 PRIMARY sensors have 'failed' and therefore disagreed with the third.
I am not sure they are "primary sensors"? The fact is the aircraft flew nigh on normally with 2 of them failed / stuck. The report at some point discussed them as "stall warning devices" in certification terms... and they are "triple redundancy" in this, in that with only 1 working, they still got a (correct) stall warning.
We must understand that in normal ops, it would take a <10^-6 scenario to replicate this as an accident. It would require a multiple AoA failure (improbable), followed by a crew flying at Vref-20K or less, with all the characteristics of an approaching stall (low IAS, high nose attitude). Therefore to relate the design in this area to normal ops is stretching things. I suspect the AoA probes would "report" themselves as faulty in the PFR, so again, for an accident to occur in normal ops, the low speed scenario would have to occur on the 1st flight post the common maint error.
I cannot get away from the fact this was an HF accident - and those factors are not confined to the pilots, but also to the airlines who "tasked" them. It is a bit much to blame the aircraft design for "not saving" such reckless and ill-thought-out testing of those very AoA system(s).
For those who say "but the pilots should have been told the AoAs disagreed"... Why? We don't fly the Airbus on AoA! The only people who "need to know" the AoAs are dodgy are those who fly the test profiles... who it might be assumed know what to look for (as the report says, it was patently obvious the AoA info was faulty by the Alpha Max/Prot indications).
NoD
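An added illustration, not code from this thread or from any Airbus system: a 2-out-of-3 mid-value voter over three AoA probes, run on constructed samples, showing the point made by PBL (voting cannot cover a common-cause failure) and by NoD (the aircraft still votes correctly with one probe good and two stuck). One bad probe is out-voted; two probes frozen at the same value out-vote the good one, so only a failure-specific check (here a hypothetical stuck-value test) sees the pair. The tolerance, sample values and function names are assumptions.

```python
from statistics import median

# Disagreement tolerance in degrees. Hypothetical value for this
# illustration; a real system derives it from its design analysis.
TOLERANCE_DEG = 2.0


def vote(readings):
    """Mid-value select with a disagree flag.

    Returns (selected, outliers): the median of the three readings and the
    indices of probes more than TOLERANCE_DEG away from it. With three
    inputs the median always sits with the agreeing pair, so one faulty
    probe is out-voted whatever it reports.
    """
    mid = median(readings)
    outliers = [i for i, r in enumerate(readings) if abs(r - mid) > TOLERANCE_DEG]
    return mid, outliers


def frozen_probes(history, min_samples=5):
    """Failure-specific check (hypothetical): a probe whose reading has not
    moved over the last min_samples samples, while another probe did, is
    suspected stuck. history is a list of (p1, p2, p3) tuples, oldest
    first. Like the 'water detector' mentioned in the thread, this catches
    one failure mode and nothing else.
    """
    if len(history) < min_samples:
        return []
    window = history[-min_samples:]
    stuck = []
    for i in range(3):
        values = [sample[i] for sample in window]
        if max(values) - min(values) < 1e-6:
            stuck.append(i)
    # If all three are static the aircraft may simply be in steady flight;
    # the check is only meaningful when some probe is moving.
    return stuck if len(stuck) < 3 else []


# Scenario A (constructed): probe 3 alone reads nonsense. The voter selects
# the agreeing pair and flags probe index 2.
single_fault = (4.1, 4.3, 11.8)

# Scenario B (constructed): probes 1 and 2 are stuck at the value they held
# when they froze, while probe 3 follows the real AoA as the aircraft slows
# toward the stall. The voter selects the frozen value and flags the only
# good probe; only the stuck-value check identifies the frozen pair.
pitch_up_history = [
    (4.0, 4.0, 4.0),
    (4.0, 4.0, 5.5),
    (4.0, 4.0, 7.2),
    (4.0, 4.0, 9.0),
    (4.0, 4.0, 11.1),
    (4.0, 4.0, 13.4),
]

if __name__ == "__main__":
    print("single fault:", vote(single_fault))                  # (4.3, [2])
    print("common cause:", vote(pitch_up_history[-1]))          # (4.0, [2])
    print("stuck probes:", frozen_probes(pitch_up_history))     # [0, 1]
```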
Join Date: Sep 2000
Location: Bielefeld, Germany
Posts: 955
fc101,
Originally Posted by fc101
agree that the wikipedia article is not great - however for those talking about sensor failure, voting and detection it is the best starting place to understand this topic
I don't agree. For example, this article by Driscoll et al. from SAFECOMP 2003 is a much more understandable article which talks about Byzantine failures as they actually occur in aeronautics.
PBL
Per Ardua ad Astraeus
Join Date: Mar 2000
Location: UK
Posts: 18,579
Originally Posted by Nod
I am not sure they are "primary sensors"?
It is not beyond the bounds of your HF arena for a 'normal' crew to screw up the speeds with 2 out of 3 sensors screwed. What then? 'Check GW'? I'm not sure many of us would have reacted correctly to that warning.
Originally Posted by Nod
Therefore to relate the design in this area to normal ops is stretching things.
No, as long as sentient beings remain in the cockpit there should be as many clear indications of which bricks have fallen from the castle walls as possible. At least (hopefully) an 'AoA disagree' or similar warning might have made an average crew stop and think about testing the AoA protection.
One (task) is for the manufacturer/regulators/operators to ensure something usable remains, and not to be seduced into glittery-eyed fascination with how clever everything is.
Give a crew the necessary information. Let's make sure EVERYONE understands the system is not 'perfect'.
This goes for all 'modern' aviation technology, by the way.
Join Date: Jan 2001
Location: UK
Posts: 2,044
I thought the brilliance of the AB technology was sold (for the 'concierge', of course) on the fact that it was 'unstallable' in normal flight?
Originally Posted by BOAC
It is not beyond the bounds of your HF arena for a 'normal' crew to screw up the speeds with 2 out of 3 sensors screwed
Originally Posted by BOAC
What then? 'Check GW'? I'm not sure many of us would have reacted correctly to that warning
Originally Posted by BOAC
Give a crew the necessary information
- Do not perform this test unless you are qualified, e.g. test crew.
- Do not perform this test below 12000'.
- The speed output of this test is in the table below. Do not go below it - if the desired result is not occurring, recover to normal flight and consider what is happening.
- Consider what you are testing, why you are testing it, and what will happen if it goes wrong...
Originally Posted by BOAC
Let's make sure EVERYONE understands the system is not 'perfect'.
Originally Posted by BOAC
This goes for all 'modern' aviation technology, by the way
Bottom line - see where the Report's Safety Recs lie. Largely HF. I still have trouble seeing this as an Airbus specific issue. It is so similar to the 2 EJ 737 incidents, where the outcome was different purely due to the adherence to basic safety precautions.
NoD
Join Date: Dec 2007
Location: france
Age: 75
Posts: 74
PBL. According to CS25, this is the responsibility of the manufacturer. If the manufacturer is not able to inform the pilots that a piece of equipment is faulty, that means he has serious shortcomings in the design of his systems.
Join Date: Aug 2005
Location: London
Posts: 78
Can someone please provide a link to the Airbus Industrie A330 accident?
Join Date: Sep 2000
Location: Bielefeld, Germany
Posts: 955
gonebutnotforgotten,
for those who read French, the preliminary report of the 1994 A330 Test Flight accident is at this entry in the CRICA Compendium. I am not aware of an English version.
SPA83,
Originally Posted by SPA83
According to CS25, this is the responsibility of the manufacturer.
No one, least of all the certification authorities who issue CS 25, expects a manufacturer to solve algorithmic problems whose general solutions are known to no one. Even if it said in CS 25 that a manufacturer must solve the twin-primes problem, no sensible regulator would enforce that.
Originally Posted by SPA83
If the manufacturer is not able to inform the pilots that a piece of equipment is faulty, that means he has serious shortcomings in the design of his systems
I think it is inappropriate for someone who neither understands the technology nor the issues involved, such as yourself apparently, to conclude there are "serious shortcomings" here in the system design.
It seems to me that the issue of testing AoA sensorics is adequately solved by the measures pointed out here by Nigel on Draft. The report points out that the indications of sensor error were indeed present on the cockpit indicators where they should appear, but were apparently not well interpreted.
PBL
Join Date: Dec 2007
Location: france
Age: 75
Posts: 74
PBL, just try again to read and understand the CS 25.1309 paragraph.
(c) Information concerning unsafe system operating conditions must be provided to the crew to enable them to take appropriate corrective action. A warning indication must be provided if immediate corrective action is required. Systems and controls, including indications and annunciations must be designed to minimise crew errors, which could create additional hazards
To help you…
Has the crew been warned about AoA probe failure? NO
Is this an anomaly according to CS 25? YES
I would be careful about the rhetorical difference between an anomaly and an unsafe condition.
In my experience an unsafe condition is one that is likely to evolve to a specified level of hazard to the aircraft within a defined range of probability.
We could go into much greater detail about the defined levels of hazard vs probabilities that are considered in aircraft design but that would divert this thread.
A simple malfunction needs to be considered in combination as to whether it is likely to lead to failure to complete a safe flight and landing. The strongest argument that it is still safe is the redundancy within the system.
Thus let us not be too quick in judging that the design is faulty.
Join Date: Sep 2000
Location: Bielefeld, Germany
Posts: 955
SPA83,
I pointed out that that part of CS 25 isn't really meant to be read in the way in which you are reading it, and gave some indications why that is.
I don't care to indulge in a "'tis", "'tisn't", "'tis", "'tisn't" exchange, because I find it boring and I am here to entertain myself.
PBL
Join Date: Dec 2007
Location: france
Age: 75
Posts: 74
PBL, I read it as a pilot does. I’m quite sure that people like you enjoy playing games with algorithms but pilots don’t fly airplanes with that sort of « bidule » (maybe concierges do…). Pilots fly airplanes with their hands, their feet, their eyes, their ears, their mind and the information they receive. The end.
Join Date: Jan 2005
Location: W of 30W
Posts: 1,916
PBL and NoD,
I’m not sure you realize the central position Airbus gave to the AoA data.
Pilots don’t fly the Airbus on AoA, BUT the AoA data are the core of the main protection features of the Airbus.
As soon as the AoA data show a discrepancy, it is the most common-sense duty for the manufacturer to clearly advise the crew. At this point the crew will proceed as politely as possible to the end of the flight.
Even better, the crew should be able by a single switch to disable all protection features, making sure they won’t interfere based on faulty information.
Join Date: Jan 2001
Location: UK
Posts: 2,044
Originally Posted by CONF_iture
Pilots don’t fly the Airbus on AoA, BUT the AoA data are the core of the main protection features of the Airbus
As soon as the AoA data show a discrepancy, it is the most common-sense duty for the manufacturer to clearly advise the crew
At this point the crew will proceed as politely as possible to the end of the flight
Even better, the crew should be able by a single switch to disable all protection features, making sure they won’t interfere based on faulty information
Summary: suggest we take a step back from all the theoretical angles above and review what happened. This is a public transport airliner, flown by well trained crews to fairly unadventurous SOPs. The design philosophy is to make that as safe as possible, within certification requirements. If you truly feel that this accident exposes a serious flaw in the design within that requirement, please post here an event sequence that leads to an accident.
Of course, when one ventures outside that requirement, the "design" features e.g. FBW / protections / auto trim, might start to make life harder. You do not design an aircraft to make test flying easier / safer, you rely on procedures / training to work out the hazards, and avoid / predict them.
SPA83:
CS 25.....
(c) ..... A warning indication must be provided if immediate corrective action is required....
I might take you to task with
Originally Posted by SPA83
Has the crew been warned about AoA probe failure? NO
Finally I go back to the report:
Causes: Nothing to do with design.
4 recs. None querying the compliance with certification standards. Some tightening up of anomalies that were noted.
NoD
Join Date: Sep 2000
Location: Bielefeld, Germany
Posts: 955
Originally Posted by CONF_iture
I’m not sure you realize the central position Airbus gave to the AoA data.
PBL
Join Date: Jul 2002
Location: UK
Posts: 3,093
The crux of the matter to me appears to be that the AoA failure, while certainly a "hole in the cheese", was secondary to a failure on the part of the humans involved - from the hapless ground staff who used incorrect procedures to rinse the aircraft, to the crew who failed to plan their test cycles correctly and then carried them out in a haphazard manner.
Sensor failure is something that can trip a crew working to IFR up no matter what they are flying. I'm reminded of the BirgenAir accident where the cause of the crew's disorientation was undoubtedly a blocked pitot probe feeding the Captain's panel, but the fact remained that the crew should have aborted the flight and returned to land the second they saw a discrepancy in airspeed indication (which, as I recall, first manifested on the runway).