A333, en-route, West of Learmonth Australia, 2008
From SKYbrary Wiki
|On 7 October 2008, an Airbus A330-300 aircraft experienced multiple system failure indications followed by uncommanded pitch-down events which resulted in serious injuries to passengers and cabin crew.|
|Actual or Potential
|Airworthiness, Loss of Control|
|Type of Flight||Public Transport (Passenger)|
|Origin||Singapore Changi Airport|
|Intended Destination||Perth International Airport|
|Take off Commenced||Yes|
|Origin||Singapore Changi Airport|
|Destination||Perth International Airport|
|Approx.||154km west of Learmonth WA, Australia|
|Tag(s)||Significant Systems or Systems Control Failure,|
Uncommanded AP disconnect,
Temporary Control Loss,
|Damage or injury||Yes|
|Causal Factor Group(s)|
On 7 October 2008, an Airbus A330-300 being operated by Qantas on a scheduled passenger flight from Singapore to Perth, Western Australia was in the cruise at FL370 with the AP engaged when one of the air data inertial reference units (ADIRUs) malfunctioned and two sudden uncommanded pitch downs followed. A PAN, later upgraded to a MAYDAY after the extent of occupant injuries became apparent, was declared to ATC and a diversion to Learmonth initiated with an approach and landing there about an hour later. Of the 315 occupants, 11 passengers and 1 cabin crew member were seriously injured and a further 99 passengers and 8 cabin crew received minor injuries.
An Investigation was carried out by the Australian Transport Safety Bureau (ATSB). Flight Data Recorder (FDR), Quick access recorder (QAR) and Cockpit Voice Recorder (CVR) data was all successfully replayed to support the Investigation. A Preliminary Report and two Interim Factual Reports were published whilst the Investigation was in progress.
The aircraft commander had been PF when, after a previously uneventful flight, an uncommanded AP1 disconnect occurred followed by a series of caution messages on the EICAM and transient activation of obviously false stall and over speed warnings. These cautions and warnings occurred frequently and continued for the remainder of the flight. The airspeed and altitude indications on the left main PFD (only) were also fluctuating. Although numerous ECAM caution messages were annunciated, none of them required urgent action, and none of them indicated any potential problems with the aircraft’s flight control system. Two minutes after the AP1 disconnect, the aircraft abruptly pitched nose down. FDR data showed that this was due to a sudden change in the position of the aircraft elevators, and that the aircraft reached a maximum nose-down pitch angle of 8.4°. The flight crew described the pitch-down movement as very abrupt, but smooth. It was considered not to be like turbulence-related movements and was solely in the pitching plane. Side stick back pressure to counteract the pitch was applied and after about 2 seconds the aircraft responded normally and recovery to the assigned altitude was accomplished. Overall, the aircraft descended 690 ft over a period of 23 seconds before regaining FL370.
During the upset, the FDR recorded a peak vertical acceleration of -0.8g and a significant number of occupants were thrown around the cabin, resulting in both personal injuries and damage to cabin overhead fittings. The operating co pilot switched on the seat belt signs soon after the upset and made a PA announcement for passengers and cabin crew to return to their seats and fasten their seat belts immediately.
Two and a half minutes after the first pitch down event, a second less severe one occurred while the crew were responding to the ECAM messages. The aircraft reached a maximum pitch angle of about 3.5° nose down and side stick back pressure to counter this was promptly applied. As with the first case, the action initially had no effect but soon afterwards, the aircraft responded normally. The aircraft descended 400 feet over a period of 15 seconds before regaining FL370.
The aircraft commander noted that the auto trim was no longer working and decided to fly the aircraft manually with both AP and A/T disconnected, believing the aircraft flight control system to have reverted to Direct Law. In fact, although absence of auto trim is a feature of Direct Law, in this case, it had been lost as a consequence of the specific sequence of fault messages associated with the Flight Control Primary Computer (FCPC) and only reversion to Alternate Law had occurred.
Soon after recovery from the second upset, the decision to make an en route diversion was made and a ‘PAN’ declared to ATC. The diversion to Learmonth was accomplished without further event other than the discovery that the extent of cabin injuries amongst unsecured passengers and crew was greater than had at first been appreciated. A descent was accomplished in the vicinity of the airfield before positioning for a visual approach and landing.
The Investigation concluded that a design limitation with the FCPC software had combined with an ADIRU failure to falsely activate corrective mechanisms and that this had caused the two uncommanded pitch-downs. It was considered that this design limitation had been a consequence of a failure scenario not being considered. It was noted that:
“The development process for a safety-critical system has many elements to minimise the risk (probability and consequences) of a design error. These include peer reviews of design requirements, and system safety assessment (SSA), testing and simulation activities that are done as part of the verification and validation processes. It is widely accepted that not all the potential failure modes and failure scenarios for complex systems can be identified in practice, and fault-tolerant design features are included in a system to reduce the risk of such problems.
The A330/A340 FCPC algorithm for processing AOA data was redesigned after a problem was found with the initial algorithm during flight testing that was conducted before the aircraft type was certified. The redesign unintentionally introduced the design limitation in the algorithm, and the fault-tolerant features of the system were not able to fully mitigate the problem. The design limitation was not identified during the redesign activities.”
It was noted that whilst the completed SSA had identified the failure that occurred (incorrect high AOA data leading to a pitch-down command) it had not identified the scenario that led to this condition on the investigated flight.
In respect if the ADIRU1 fault, it was found to have transmitted a significant amount of incorrect data on inertial reference parameters to other systems, almost all of this data being invalid. It was considered probable that the ADIRU data-spike failure mode involved a problem with the data packaging and queuing within the ADIRU CPU module. The fault had caused numerous data anomalies including air data reference parameters being intermittently transmitted with the data or label of another parameter.
Despite extensive testing and analysis, the Investigation was unable to establish the precise origins of the ADIRU1 failure but it was concluded that the ADIRU1 data-spike was probably not triggered by a software bug, a software corruption, a hardware fault, physical environmental factors (such as temperature or vibration), neither had it been due to electromagnetic interference. It was noted that the false AOA data had been able to confuse the FCPC processing algorithm which was unable to respond to a scenario where there were multiple spikes in AOA from a single ADIRU at the elapsed time intervals which occurred. It was considered likely that each of the intermittent data spikes had been generated when the faulty ADIRU CPU combined the data value from one parameter with the label for a different parameter. The failure mode was probably initiated by a single, rare type of internal or external trigger event combined with a marginal susceptibility to that type of event within a hardware component.
The investigated occurrence was identified as the only known case where this design fault had led to a pitch-down command in over 28 million flight hours on A330/A340 aircraft. However, although all three known occurrences of ADIRU data-spike failure were found to have occurred on two A330 aircraft also operated by Qantas, no contributory factors related to operator-specific aircraft configuration, operating practices, or maintenance practices had been identified.
It was considered that the flight crew response to what happened had demonstrated both “sound judgment and a professional approach”.
In respect of the injuries to passengers, it was noted that at least 23 passengers were not seated at the time of the first in-flight upset but that there were also more than 60 other passengers who were seated without their seat belts fastened. Whilst it was accepted that a few of these had been in the process of getting into or out of their seats, it was concluded that the majority had not appeared to have a “valid” reason for not wearing their seat belts.
Eleven Safety Issues, one categorised as ‘Significant’ and ten as ‘Minor’, were identified by the Investigation as follows:
- There was a limitation in the algorithm used by the A330/A340 flight control primary computers for processing angle of attack (AOA) data. This limitation meant that, in a very specific situation, multiple AOA spikes from only one of the three air data inertial reference units could result in a nose-down elevator command. [Significant safety issue]
- When developing the A330/A340 flight control primary computer software in the early 1990s, the aircraft manufacturer’s system safety assessment and other development processes did not fully consider the potential effects of frequent spikes in the data from an air data inertial reference unit. [Minor safety issue]
- One of the aircraft’s three air data inertial reference units (ADIRU 1) exhibited a data-spike failure mode, during which it transmitted a significant amount of incorrect data on air data parameters to other aircraft systems, without flagging that this data was invalid. The invalid data included frequent spikes in angle of attack data. Including the 7 October 2008 occurrence, there have been three occurrences of the same failure mode on LTN-101 ADIRUs, all on A330 aircraft. [Minor safety issue]
- For the data-spike failure mode, the built-in test equipment of the LTN-101 air data inertial reference unit was not effective, for air data parameters, in detecting the problem, communicating appropriate fault information, and flagging affected data as invalid. [Minor safety issue]
- Although passengers are routinely reminded to keep their seat belts fastened during flight whenever they are seated, a significant number of passengers have not followed this advice. At the time of the first in-flight upset, more than 60 of the 303 passengers were seated without their seat belts fastened. [Minor safety issue]
- In recent years there have been developments in guidance materials for system development processes and research into new approaches for system safety assessments. However, there has been limited research that has systematically evaluated how design engineers and safety analysts conduct their evaluations of systems, and how the design of their tasks, tools, training and guidance material can be improved so that the likelihood of design errors is minimised. [Minor safety issue]
- Single event effects (SEE) have the potential to adversely affect avionics systems that have not been specifically designed to be resilient to this hazard. There were no specific certification requirements for SEE, and until recently there was no formal guidance material available for addressing SEE during the design process. [Minor safety issue]
- The LTN-101 air data inertial reference unit (ADIRU) model had a demonstrated susceptibility to single event effects (SEE). The consideration of SEE during the design process was consistent with industry practice at the time the unit was developed, and the overall fault rates of the ADIRU were within the relevant design objectives. [Minor safety issue]
- Industry practices for tracking faults or performance problems with line-replaceable units were limited, unless the units are removed for examination. Consequently, the manufacturers of aircraft equipment have incomplete information for identifying patterns or trends that can be used to improve the safety, availability or reliability of the units. [Minor safety issue]
- There has been very little research conducted into the factors influencing passengers’ use of seat belts when the seat-belt sign is not illuminated, and the effectiveness of different techniques to increase the use of seat belts. [Minor safety issue]
- Although passengers are routinely advised after takeoff to wear their seat belts when seated, this advice typically does not reinforce how the seat belts should be worn. [Minor safety issue]
Safety Action in respect of the identified safety issues was noted. In respect of the single ‘Significant Safety Issue’, the Airbus response was noted to have commenced a week after the event with the issue of temporary revisions to flight crew procedures for all A330 and A340 aircraft fitted with the incident ADIRUs. These required that in the event of a NAV IR fault or red ATT flag on either PFD, the ADR part of the relevant ADIRU should be selected OFF and then the relevant IR part of the relevant ADIRU should also be selected OFF. An associated temporary revision to the MMML was also issued. All revised temporary procedures for both aircraft types were mandated by certification authority European Aviation Safety Agency (EASA), as were two subsequent modifications to the initial procedure changes. Subsequently, Airbus issued SBs for fitment of replacement FCPCs and once this retrofit has been completed, the temporary procedure revisions will be withdrawn
The Final Report of the Investigation Aviation Occurrence Investigation AO-2008-070 Final was released on 19 December 2011.