Australian investigators have cited a flight-control computer design limitation, and a rare air-data signal spike, as the triggers for the mysterious in-flight upset to a Qantas Airbus A330 three years ago.
Inquiries into the upset involving flight QF72 during high-altitude cruise to Perth, which injured 119 of the 315 occupants, have resulted in improvements to the flight-computer algorithms that process angle-of-attack data.
"As a result of this redesign, passengers, crew and operators can be confident that the same type of accident will not reoccur," said the Australian Transport Safety Bureau.
While in cruise at flight level 370, one of the A330's three air data inertial reference units began transmitting incorrect data spikes, including spurious information on angle of attack, which prompted the flight-control computer to command a pitch-down response.
"Although the pitch-down command lasted less than 2s, the resulting forces were sufficient for almost all the unrestrained occupants to be thrown to the aircraft's ceiling," said the ATSB in its final report into the 7 October 2008 incident. There was a second, less-severe, pitch-down nearly 3min later.
While it examined several possibilities for the cause of the failure in the Northrop Grumman air-data unit - even considering a cosmic particle strike - the inquiry could not establish a reason. It said the failure was "probably not triggered" by a software or hardware fault, environmental factors, or electromagnetic interference.
"Despite extensive testing and analysis the exact origins of the failure mode could not be determined," the ATSB stated. The problem "very likely" centred on data packaging and queuing in the central processing unit, resulting in numerous anomalies including certain air data parameters being transmitted with the label of other parameters.
But the ATSB found that the failure mode had been observed only three times in 128 million hours of operation - twice with the same specific unit, the one fitted on the Qantas A330. The investigation concluded that the failure was probably initiated by a "single, rare type of trigger event" combined with a "marginal susceptibility" to such an event within the hardware of the central processing unit.
The A330's flight-control computer normally compares the angle-of-attack values received from all three air-data units, to check for validity and consistency.
If there was a significant deviation in these values, the computer would memorise the most recent valid one for a period of 1.2s.
But the ATSB said that although the flight-control computer algorithm was "very effective", it could not correctly manage a scenario in which the air-data computer generated multiple spikes, 1.2s apart, in its angle-of-attack channel.
This limitation of the algorithm effectively meant a spike occurring after the memorisation period expired was treated as valid data, and the flight-control system responded by suddenly pitching the aircraft nose-down.
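A simplified model of the hold-last-valid check described above, added here as an illustration; it is not code from the ATSB report or the manufacturer. Only the 1.2s memorisation period comes from the article: the deviation threshold, the 0.1s sample period, the median reference, the sample data and the `revalidate_on_expiry` variant (one possible hardening, not the actual redesign) are assumptions.

```python
from statistics import median

HOLD_STEPS = 12      # 1.2 s memorisation period (from the article) at 0.1 s/sample
THRESHOLD_DEG = 5.0  # assumed limit for a "significant deviation"

def run_filter(samples, revalidate_on_expiry):
    """samples: (aoa1, aoa2, aoa3) per step; unit 1 feeds the control law.
    Returns the angle of attack passed downstream at each step."""
    out, last_valid, hold_until = [], samples[0][0], None
    for i, triple in enumerate(samples):
        aoa1 = triple[0]
        deviates = abs(aoa1 - median(triple)) > THRESHOLD_DEG
        if hold_until is not None and i < hold_until:
            out.append(last_valid)          # still inside the hold window
            continue
        if hold_until is not None and not revalidate_on_expiry:
            # Modelled limitation: the first sample after the window
            # expires is accepted without a fresh consistency check.
            hold_until, last_valid = None, aoa1
            out.append(aoa1)
            continue
        hold_until = None
        if deviates:
            hold_until = i + HOLD_STEPS     # start (or restart) the hold
            out.append(last_valid)
        else:
            last_valid = aoa1
            out.append(aoa1)
    return out

def constructed_samples():
    """Constructed data: steady 2.1 deg, unit 1 spikes at t=1.0 s and t=2.2 s."""
    steps = [(2.1, 2.1, 2.1)] * 40
    for i in (10, 22):                      # spikes exactly 1.2 s apart
        steps[i] = (50.0, 2.1, 2.1)
    return steps

if __name__ == "__main__":
    data = constructed_samples()
    print("as modelled :", max(run_filter(data, revalidate_on_expiry=False)))
    print("revalidating:", max(run_filter(data, revalidate_on_expiry=True)))
```

In the modelled limitation the first spike is masked but the second, arriving as the hold expires, reaches the output; with re-validation at expiry both are held back.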
Source: Air Transport Intelligence news