Today, they released a second interim report on the progress of their
investigation.
http://www.bea.aero/docspa/2009/f-cp090601e2.en/pdf/f-cp090601e2.en.pdf
for those who are interested.
One area of focus is the air data probes that are used to measure
altitude, airspeed, angle of attack.
The A330 is a highly computerized aircraft. The report explains much of
the logic used between the multiple computers and sensors. This has
interesting associations with clustering issues.
For instance, they have 3 computers that calculate air parameters from
the air probes. If the parameters of one are too different, then those
values are kicked out and unused. The average of the 2 others is used.
If, of the 2 remaining probes, the differences are too great, then the
flight computers declare both to be invalid (which one would be correct ?)
BUT, they found cases where 2 probes failed at the same time and by the
same magnitude. This caused the remaining one to be kicked out despite
being correct, and the 2 erroneous ones to be used because the
differences between them are within bounds. As a result, the aircraft
used very wrong values for the air sensors.
Sort of interesting because I guess when they designed the aircraft,
they had not considered cases where 2 failures would happen at the same time
and with the same amount of error, causing the one remaining valid
sensor to be kicked off and the erroneous values to be used since they
have "quorum" between themselves.
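The voting scheme described in the post above, written out as an added example for this page (it is not code from the BEA report, from Airbus, or from the poster). The 16-knot disagreement tolerance and the sample readings are assumptions chosen to reproduce the behaviour the post describes: one bad channel is voted out, two channels that disagree leave the voter with no answer, and two channels failing the same way out-vote the one that is still right.

```python
"""Three-channel air-data voter, an added illustration of the logic described
in the post above.  Not code from the BEA report or from any Airbus system;
the tolerance and the sample readings below are assumptions."""
from statistics import mean
from typing import List, Optional, Sequence, Tuple

# Assumed tolerance (knots): a channel further than this from BOTH of the
# other two is declared discordant and excluded from the vote.
DISAGREE_KT = 16.0


def vote(readings: Sequence[Optional[float]],
         tol: float = DISAGREE_KT) -> Tuple[Optional[float], str, List[int]]:
    """Return (voted_value, status, channels_used).

    * A channel reported as None has already been declared unavailable.
    * With three live channels, one that is out of tolerance with both
      others is rejected and the mean of the remaining two is used.
    * If only two channels remain and they disagree, the result is INVALID:
      the voter has no way to tell which of the two is right.
    """
    live = [(i, v) for i, v in enumerate(readings) if v is not None]
    if len(live) < 2:
        return None, "INVALID", [i for i, _ in live]

    if len(live) == 3:
        for i, v in live:
            others = [w for j, w in live if j != i]
            if all(abs(v - w) > tol for w in others):
                live = [(j, w) for j, w in live if j != i]
                break
        else:
            # No single outlier: all three agree, use their mean.
            return mean(v for _, v in live), "VALID", [i for i, _ in live]

    (i, a), (j, b) = live
    if abs(a - b) > tol:
        return None, "INVALID", [i, j]
    return (a + b) / 2.0, "VALID", [i, j]


def scenarios():
    """Constructed readings (knots) for the cases discussed in the thread."""
    return {
        # all three probes healthy at cruise
        "healthy":      [481.0, 479.0, 480.0],
        # one probe ices up and reads 60 kt: correctly voted out
        "single_fault": [481.0, 60.0, 480.0],
        # two probes ice up at the same rate: they agree with each other,
        # so the voter rejects the one healthy probe and reports 60 kt
        "common_mode":  [61.0, 59.0, 480.0],
        # one probe already unavailable, the other two disagree: no answer
        "split_pair":   [481.0, None, 300.0],
    }


if __name__ == "__main__":
    for name, readings in scenarios().items():
        value, status, used = vote(readings)
        print(f"{name:13s} {readings!s:24s} -> {status:7s} {value} using {used}")
```

The "common_mode" case is the one the post is about: the two iced probes sit within two knots of each other, so nothing inside the voter can distinguish them from a healthy pair. A tighter tolerance does not help; the only fixes are reducing the chance that two channels fail the same way (independent heater circuits, dissimilar probes) or checking the voted result against a source that does not share the failure mode.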
Generally triple redundancy is used in cases where human life is
being protected. During design and implementation the possibility
of double failures is investigated and the causes are worked on to
bring the likelihood to a very small value. It is often impossible
to eliminate.
With triple redundancy there is always the possibility of system
failure due to double faults.
You want to fly in a nice, safe airplane? Make sure it has exactly
one engine, make sure it's a piston engine, and make sure there's
a real human being in control, with no electronic gadgets between
him/her and the control surfaces. And fly within gliding distance of
land, or make sure it's a seaplane.
Why not two engines? Light twins are the most dangerous airplanes
in the sky, they're very hard to operate on one engine and the accident
rate while trying to continue on one engine is very high. In theory
they can be flown on one engine so pilots will try to fly to an
airport, but they don't always have enough practice to succeed.
Since there are two of them, the engines don't have to be as reliable
as the engine in a single engine aircraft, although they tend to be
built in a similar manner. By comparison, on the exceedingly rare
failure of the only engine every pilot will look for a safe place
to glide to, and success rates are quite high.
Why a piston engine? When you need power they respond, while
turbines take time to spool up.
Oh, yes, I have hundreds of hours piloting those safe little airplanes!
And I still feel safer in a Boeing than an Airbus.
Me too. Too many Airbus issues.
--
VAXman- A Bored Certified VMS Kernel Mode Hacker VAXman(at)TMESIS(dot)ORG
http://www.quirkfactory.com/popart/asskey/eqn2.png
"Well my son, life is like a beanstalk, isn't it?"
> BUT, they found cases where 2 probes failed at the same time and by the
> same magnitude. This caused the remaining one to be kicked out despite
> being correct, and the 2 erroneous ones to be used because the
> differences between them are within bounds. As a result, the aircraft
> used very wrong values for the air sensors.
This could happen if the most common tube failure mode was to take the
output voltage to ground or supply voltage. Then if two failed in the
way they are most likely to they will read exactly the same thing.
Presumably the software should reject readings in these failure mode
voltage ranges out of hand, but it might not.
Regards,
David Mathog
No voltage necessary in the case at hand. At least in light aircraft
the pitot (impact) pressure is used, in conjunction with the static
pressure, to determine the airspeed. It can be done with nothing but
plumbing and a pressure gage. AFAIK this approach is used in most aircraft.
The pitot tube and the static pressure port are both things the wise
pilot checks as part of his preflight inspection.
> This could happen if the most common tube failure mode was to take the
> output voltage to ground or supply voltage. Then if two failed in the
> way they are most likely to they will read exactly the same thing.
> Presumably the software should reject readings in these failure mode
> voltage ranges out of hand, but it might not.
One of the instances as I recall was that 2 of the speed computers
dropped their readings to about 60 knots (while at cruise speed). The
computer accepted those values because 2 of the 3 sensors provided
values that were close to each other, and then declared the plane was
stalling because it wasn't going fast enough. Pilots knew better and
just kept level flight. A few minutes later, readings became normal
again and autopilot could be re-engaged. (autopilots are programmed to
disengage when they no longer have sufficient validated inputs).
The problem is that there is no window/camera that gives pilot a view of
the pitot tubes during flight, so when those shenanigans happen, it is
hard to know exactly what has happened. The working theory is that ice
builds up to a point where they start to block the air inlet. (the
pitot tube has an air inlet at one end, and a pressure sensor at the
other. The greater the airspeed, the greater the pressure measured by
the pitot tube. A computer then converts this analogue measurement to a
airspeed based also on current altitude (measured by a static pressure
sensor that is not affected by the airspeed). (as aircraft goes up, the
air becomes thinner, so the pressure exerted on the pitot sensor decreases).
The working theory is ice build up on the pitot tubes. Those are heated
to prevent this from happening.
This accident is interesting from a "debugging" point of view because
during a couple of minutes, the aircraft's computer did begin to emit
warnings to the maintenance centre (via satellite). And that dozen
messages is all they have to work with unless they recover the black
boxes. (They also know that the aircraft hit the water in one piece with
significant vertical speed, based on some of the recovered debris, that
the aircraft did not depressurize at altitude (masks did not deploy) and
that flight attendants did not all return to their seats.)
But, with those messages that they did receive, they are going through
the source code to find every possible code branch that could have
generated that message. For instance, they have found that one message
would have been followed by a message one minute later, and that second
message was not received, indicating that the link/aircraft stopped
functioning between those 2 messages.
For those who prefer Boeing over Airbus, you should know that the 2 new
aircraft Boeing came out with since the early 1990s are also FBW, fully
computer driven. (the 777 which came out in 1995 and now the 787). The
737 and 747 predate computers and in order to have their looser
regulations grandfathered, Boeing did not make significant changes to
the way the aircraft functions). The 737 is, in many ways, not as safe
as the younger A320 because the A320 has to abide by newer, stricter,
regulations while the 737 doesn't.
The successful ditching of the A320 in the Hudson river earlier this year
validates the concept of computer assisted flying. The pilot did not
have to worry about the perfect angle for the aircraft after it lost
both engines, the computer did that, including the maximum lifting of
the nose before impact with water without inducing a stall. (The A320
interestingly has a "ditch" button on the console which, with one
button, causes all orifices to close to help make the aircraft more
watertight and prevent water ingested by engines from being sent into
the cabin via the air inlets. (This is often used during de-icing
operations).
Well, you might hope that they check for that one.
But say two filled with ice at about the same rate, while the
other didn't. (I think I remembered ice being part of the problem.)
It is a problem of statistical independence. If there are things
that statistically could happen to both at the same time, then the
test doesn't work.
-- glen
> But say two filled with ice at about the same rate, while the
> other didn't. (I think I remembered ice being part of the problem.)
> It is a problem of statistical independence. If there are things
> that statistically could happen to both at the same time, then the
> test doesn't work.
Which is why there should be sources of speed which are independent from
air pressure. The problem is that other sources of speed (GPS which
gives ground speed, and inertial systems which calculate speed based on
acceleration) do not give "air speed".
Air speed is critical to determine if you are flying or falling out of
the sky.
If you go at 1000km/h ground speed and you have a 1000km/h tailwind,
your air speed is 0, and the aircraft will fall out of the sky since the
wings don't provide any lift.
However, groundspeed indicators would provide some sanity checks. If
your airspeed drops, but your ground speed remains constant, fingers
would point to faulty airspeed sensor.
(In a case where the wind shifts suddenly and you have a strong tail
wind, your airspeed may drop at that time, but both airspeed and
groundspeed would begin to increase as the engines accelerate the
aircraft to regain the airspeed it used to have (relative to wind).
If engines are able to give 500km/h airspeed, and you have 500km/h
tailwind, you will travel at 1000km/h ground speed.
Another example of a "bug": Airbus had added many "safety" features to
prevent deployment of thrust reversers in flight. (that had caused a
couple of crashes in the past). So, not only did they check for weight
being applied to the front landing gear, but also checked for wheel to
spin, just in case the weight switch was faulty).
BUT, there was an incident when the plane landed on a very wet runway
and pilot was unable to deploy thrust reversers right away. Why ? The
front wheel was hydroplaning and not spinning. Airbus changed the logic
after that.
Predicting all possible failure modes is an art. And often, you learn
from such incidents.
Had an incident once where the production node in a cluster lost its
ethernet completely. From the user's point of view, the node was down.
So they switched the backup node into production mode. But when they
tried to connect to SWIFT, they got the "you're already logged in" error.
Turns out that the original production node had quorum, so it continued
to merrily accept traffic from SWIFT on a dedicated synchronous card
(independent from ethernet).
That was a failure mode that had not been contemplated in the past.
And in the case of the wet runway, the Airbus engineers saw a possible
failure mode with the weight switch, so they added an additional check,
but in doing so, they introduced a new failure mode !
Having just spent 6 months that involved a lot of air travel I can
say that I feel the same way regarding Boeing and Airbus but I still
felt the safest in the back of a C130 with an Air Force pilot at the
controls.
bill
--
Bill Gunshannon | de-moc-ra-cy (di mok' ra see) n. Three wolves
bill...@cs.scranton.edu | and a sheep voting on what's for dinner.
University of Scranton |
Scranton, Pennsylvania | #include <std.disclaimer.h>
C130 are pretty damn good, and so are most Air Force pilots,
linesmen, and mechanics, but there are some situations where I
just don't want to wait for those four turboprops to spool up.
And if you lose redundant hydraulics (double fault), you may hope
your Air Force parachute was packed by one of their best riggers.
Well, we had no problem getting in and out without taking any incoming
fire even though they did deploy countermeasures on one of my landings.
I don't think most people know just how quickly something that big
can not only get on the ground, but also get off the ground.
>
> And if you lose redundant hydraulics (double fault), you may hope
> your Air Force parachute was packed by one of their best riggers.
I don't really think they carry enough for everyone but if they did I
wouldn't worry too much about who might have packed it.
>
> Which is why there should be sources of speed which are independent from
> air pressure. The problem is that other sources of speed (GPS which
> gives ground speed, and inertial systems which calculate speed based on
> acceleration) do not give "air speed".
>
> Air speed is critical to determine if you are flying or falling out of
> the sky.
>
And it isn't just air speed. It is air density as well. Lighter air gives
less lift. So altitude helps determine density but different air masses
have different densities at the same altitude. It all factors into the
pressure readings from the pitot tubes.
John
Way off topic, but;
I've ridden in the back of a lot of C130's and seen a lot on the ground. At
various airshows I heard people comment about how big the C130 is and I
always thought "Wait until you see a Galaxy or a Starlifter." Then one day a
few years ago I was flying in a Cherokee on the downwind leg at my local
airport and I heard a C130 call that they were 8 miles out. When I was on
very short final I looked up and saw it at mid-downwind. I never saw
anything look so big and I never felt so small. All I could think of was
getting down and off the runway before I became a smudge on one of its
wheels.
Peter Weaver
http://www.weaverconsulting.ca
Winner of the OpenVMS.org Readers' Choice Award for System
Management/Performance
http://www.linkedin.com/in/peterweaver
> I've ridden in the back of a lot of C130's and seen a lot on the ground. At
> various airshows I heard people comment about how big the C130 is and I
> always thought "Wait until you see a Galaxy or a Starlifter."
Wait till you see an Antonov 124. (I almost got to see a 125 a couple of
years ago when it came to Montreal.)
The 124 was the final lair in "Die Another Day" (Korean diamond smuggler).
Comparison with C-130:
http://www.flickr.com/photos/bobolink/3289235338/sizes/o/
And to truly understand the scale of the Antonov, you need to see a
human on the "front porch" cleaning the cockpit windows.
The 124 has transported locomotives. And for Bombardier, during the
height of production of the 50 seat CRJ, it ferried fuselages from
Dublin to Montréal because the ships couldn't carry enough of them and
had to be supplemented by antonov aircraft.
Not only can the nose open up like a cargo 747, but the landing gear
"kneels" so that trucks/tanks can roll on/off the aircraft with a simple
platform. They've also carried subway cars in the antonov.
images.google.com can find plenty of images of the antonov. And the 125
is even bigger (6 engines instead of 4).
I found out how big a "little" A-10 is one day when I taxied a
Tomahawk in front of one. He could have fired his gatling gun and
missed me because as a chin mount it was that much higher than my
tail.
Although it doesn't match any large cargo plane, I am always
impressed by the two canyons that make up the bomb bays of a B-52,
and the 15 degree nose down attitude they take to maintain level
flight when empty.
Yup, I've seen the 124 in London, Ontario. I was on the ground and saw it
as it was coming in for a landing and I got a fairly close view after
it parked. But when a C130 is number 2 behind you as you are landing in a
four-seater they look awfully big :).
Even way more off topic, non-pilots can skip this one.
I have 86.8 hours in Tomahawks, they were the primary trainers when I
started flying but the club sold them off years ago because so many
instructors hated flying them. I'm sure that an A-10 would look huge if you
are in a plane next to them. Size is all a matter of perspective.
If you can then try to watch a Canadian Discovery Channel series called
"JetStream" (http://www.discoverychannel.ca/jetstream). There is one section
where the instructors are teaching the CF-18 students about formation flying
and one CF-18 banks off to the side. The instructor in the plane staying
straight said "Look at that, that plane is ** huge!"
I'm not one to watch any reality show and even when watching standard TV I
usually spend more time working on a computer and/or reading something. But
when JetStream started I was glued to the TV, my wife said that she never
saw me watch anything like that. One student described how he felt coming
out of GLOC and that was the first time I ever heard anyone else describe it
like that. His comments brought back a lot of memories since he described
exactly the way I felt when I messed up a slow roll and blacked out. It took
me a few shakes of my head before I realized that I was flying an airplane.
A spurious false vote can occur under several different scenarios as has
been pointed out. It would seem that an independent and different test ought to
be included as a sanity check, e.g., speed can be determined from satellite
data and the approximate wind speed is known from meteorological data, but I
don't know if that has adequate accuracy to disbelieve the two false positive
votes.
BTW, the IBM360/65 had triply redundant cpus and employed a similar
strategy, IIRC.
>
> -- glen
--
PL/I for OpenVMS
www.kednos.com
Nah, not good enough.
Surface winds can vary tremendously from winds even a few thousand
feet above the surface. A couple of months ago I was flying with a
friend and at anything over 2500 feet above the ground we had a 60+
knot headwind, but surface winds were only in the teens (and from a
different direction, which was a wind shear condition). We knew what
was happening, and other pilots were reporting the same problem when
landing, but there was no "official" source for wind data that showed
the same conditions.
> Surface winds can vary tremendously from winds even a few thousand
> feet above the surface.
So yes, winds make a huge difference. BUT, during flight, the systems
should know about both airspeed and ground speed because they also
calculate ETA at airport, and required fuel to destination. If you have
a tremendous headwind the pilots didn't know about, they may have to make
a pit stop to refuel because they wouldn't have enough fuel to make it
to destination.
So a computer should have sufficient information to question a changing
airspeed measurement that it still considers valid because 2 pitots are
exhibiting the same error.
Consider a case where a plane is flying through still air. Its airspeed
would be about the same as ground speed. But all of a sudden it gets
into a nice big tailwind. At that point, the aircraft's airspeed drops.
BUT, the aircraft also starts to accelerate and the airspeed will begin
to rise again, as will groundspeed. Airspeed will return to "normal"
Similarly, when the aircraft leaves that area of tailwind, its airspeed
will increase significantly, and then decrease as the aircraft
physically decelerates without the favourable wind in its back.
So, if airspeed decreases to stall speed, but groundspeed does not
change, the computers could signal that there is an error, because a
change in wind should only cause a temporary change in airspeed, until
the aircraft accelerates or decelerates and airspeed becomes normal again.
(aka: with a certain amount of thrust, the aircraft will stay around the
same airspeed for its weight).
This is something computers could deal with. Whether aircraft computers
are programmed to look at trends over the last 5 minutes to do sanity
checks is the question. Perhaps they are programmed only to look at real
time data and react instantly to changes.
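The trend cross-check sketched in the post above, written out as an added example (not code from any flight computer, and not the poster's); the sampling rate, the look-back window, the thresholds and the two constructed traces are all assumptions. It shows the two cases the post distinguishes: a voted airspeed that collapses while groundspeed stays flat (blamed on the sensors), and a sudden tailwind, where airspeed dips but groundspeed moves and airspeed recovers as the aircraft accelerates (not flagged).

```python
"""Airspeed-versus-groundspeed trend check, an added illustration of the
idea in the post above.  Not code from any aircraft system; the window,
the thresholds and the two sample traces are assumptions."""
from typing import List, Optional, Tuple

# Assumed tuning: one sample per second.
WINDOW_S = 30                # look-back for the "before" values
SETTLE_S = 20                # how long a drop must persist before it counts
AIRSPEED_DROP_KT = 100.0     # airspeed fall that needs explaining
GROUNDSPEED_FLAT_KT = 10.0   # groundspeed change small enough to call flat


def first_suspect_sample(air: List[float], gnd: List[float],
                         window: int = WINDOW_S, settle: int = SETTLE_S,
                         drop: float = AIRSPEED_DROP_KT,
                         flat: float = GROUNDSPEED_FLAT_KT) -> Optional[int]:
    """Index of the first sample at which the airspeed channel is suspect,
    or None if the traces never disagree.

    Rule from the post: a real wind shift moves airspeed first, but the
    aircraft then accelerates or decelerates, so groundspeed follows within
    seconds and airspeed recovers.  An airspeed drop that is still there
    after `settle` seconds while groundspeed has not moved over the whole
    window is blamed on the airspeed sensors, not on the wind.
    """
    for t in range(window, len(air)):
        baseline = air[t - window]
        recent = air[t - settle + 1:t + 1]
        sustained = all(v < baseline - drop for v in recent)
        gnd_flat = abs(gnd[t] - gnd[t - window]) <= flat
        if sustained and gnd_flat:
            return t
    return None


def icing_trace(n: int = 120, fault_at: int = 40) -> Tuple[List[float], List[float]]:
    """Constructed: at fault_at the voted airspeed collapses from 480 kt to
    60 kt (two iced probes out-voting the good one) while the inertial/GPS
    groundspeed is untouched."""
    air = [480.0 if t < fault_at else 60.0 for t in range(n)]
    gnd = [480.0] * n
    return air, gnd


def wind_shift_trace(n: int = 120, shift_at: int = 40, gust: float = 100.0,
                     accel: float = 5.0) -> Tuple[List[float], List[float]]:
    """Constructed: a tailwind of `gust` kt arrives at shift_at.  Airspeed
    drops by the gust at once; thrust then restores it at `accel` kt/s and
    groundspeed climbs by the same amount as the aircraft accelerates."""
    air, gnd = [], []
    for t in range(n):
        recovered = 0.0 if t < shift_at else min(gust, accel * (t - shift_at))
        air.append(480.0 if t < shift_at else 480.0 - gust + recovered)
        gnd.append(480.0 + recovered)
    return air, gnd


if __name__ == "__main__":
    print("icing      :", first_suspect_sample(*icing_trace()))       # 59
    print("wind shift :", first_suspect_sample(*wind_shift_trace()))  # None
```

The check deliberately waits `settle` seconds before raising anything, which is the price of not tripping on every gust; whether a real flight computer can afford that delay, and whether it looks at trends at all rather than only at the instantaneous vote, is exactly the open question the post ends on.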
Airspeed can be cross-checked by power setting, attitude, and
vertical speed. Not as accurate, but good enough to get me through
my "emergency", landing without an airspeed indicator, in my
checkride. And something I cross checked when I got ice on my pitot,
while I was waiting for the heater to catch up.
Sure, for a human looking at the gauge, if it's pinned, he'll ignore it.
But JF was talking about an automated flight control system, which means
the purely mechanical instrument needs to be digitized, which means
electronics...
--
John Santos
Evans Griffiths & Hart, Inc.
> But JF was talking about an automated flight control system, which means
> the purely mechanical instrument needs to be digitized, which means
> electronics...
Are there any cars still built with purely mechanical speedometers?
Fact is that electronics are prevalent everywhere.
The problem isn't the electronics, it is how electronics can detect and
handle mechanical failures (such as icing of airspeed sensors).
The computer should check that, too. It isn't hard and just about
everyone knows it needs to be done.
The question, then, is failure modes that result in two giving close
to the same (wrong) value while not pinned. It seems to me that
isn't hard to do in the case of ice. If the heaters failed, that
could cause icing, or it was colder than the heaters were designed for.
I might suggest different heat values for different ones, such that
equal icing isn't likely to happen. Also, make sure that there
are no common points of failure between the two heater circuits.
-- glen
One of the most frightening documentaries I have seen was on the subject
of wind shear.
--
Paul Sture
> If you can then try to watch a Canadian Discovery Channel series call
> "JetStream" (http://www.discoverychannel.ca/jetstream). There is one section
> where the instructors are teaching the CF-18 students about formation flying
> and one CF-18 banks off to the side. The instructor in the plane staying
> straight said "Look at that, that plane is ** huge!"
Many years ago I was sitting in the co-pilot's seat of a 6 seater (can't
remember what specific plane it was) when we had a near miss with a
Jumbo which was climbing steeply from take off, right across our path.
Neither the pilot nor I actually recognised it as a Jumbo. It all
happened so fast.
--
Paul Sture
Yep. On a trip to a small airstrip (well a football field really - they
took the goalposts down for us) in Africa we waited until it got dark
and therefore cooler before attempting a take off. I could have sworn we
brushed the tree tops on the way up.
--
Paul Sture
When my pitot was iced up, it was not pinned. It read lower than it
should have, which could have led to dangerously high airspeed
on approach and landing. But I could tell by all else that it was
low.
Of course, I'm not electronic.
Toured an AN-124 on static display at the Rockford, IL, Airfest a few
years back. HUGE! There's only one AN-225 AFAIK and I'd love to see
that monster.
The Blue Angels' Fat Albert is a must-see for any C-130 fan. Beautiful
plane and JATO (Jet Assisted TakeOff) is awesome.
I had over 1000 hrs P-3 Orion aircrew flight time and C-130's were
always around the bases. They did use JATO occasionally for training
and when they were heavy or on a shorter runway. When I went on or
returned from leave I sometimes managed to hitch a C-130 ride as
cargo, I mean passenger. Not exactly comfortable accommodations but
the price was right.
I remember asking a pilot friend, who had a single engine plane whether he considered a twin to be
safer. His reply was that "the second engine only takes you to the scene of the accident".
So how often is one computer voted out? How often do these double
faults arise? Please feel free to specify what ensembles (or
categories, if you will, such as one or more of the following: small
planes, jet planes, manned spacecraft, etc.) or just a rough estimate
covering all if such a number is meaningful.
TIA.
[...]
AEF
If you want to go off and collect that data, be my guest. I'm
familiar with the design and the reasoning behind the design, not
the operational statistics.