Ben Sandilands quotes from the ATSB in his blog that in-flight control excursion of QF72 was “a unique incident”. The ATSB is wrong, this is not unique — it has happened before.
On the 1 August, 2005 Malaysian Airlines flight MH124 was flying from Perth to Kuala Lumpur. It left Perth at 4:30pm as scheduled. The early part of the flight went smoothly, but about 30 minutes after take off, the plane suddenly pitched up steeply, climbed 3000ft and started to stall (the stick shaker activated).
The pilots took manual flight control and recovered the aircraft to normal flight. They re-engaged the auto-pilot and the aircraft immediately performed an uncommanded 2000ft climb. Subsequent tests showed that the fault occurred with both auto-pilot systems. The captain contacted air traffic control and reported that he could not maintain altitude and requested an immediate return to Perth.
Subsequently, during landing, the wind shear system falsely activated and attempted to increase thrust. The aircraft landed successfully without further incident.
The investigation traced the failure to a faulty Air Data Inertial Reference Unit (ADIRU), exactly the same failure as is suspected with QF72. What had happened was the result of a series of failures.
The ADIRU contains six accelerometers — a primary and a backup for each of the three dimensions (pitch, roll and yaw) it is measuring. One of the accelerometers failed, however due to a software bug, the failure was detected but it was not reported. The unit continued to operate, apparently normally, for over a year using the backup accelerometer.
Murphy’s Law ensured that the next accelerometer to fail (accelerometers are mechanical devices which can be expected to fail every few thousand hours of operation) was the backup. The ADIRU then started to generate anomalous data for the motion of the aircraft pitching and the auto-pilot attempted to respond and — due to the garbage data from the ADIRU — got it terribly wrong.
Although MH124 originated from Perth, the incident occurred in international airspace. The investigation was performed by a team made up of Malaysian (the aircraft registrar) and American (the aircraft manufacturer) authorities. The Australian ATSB was not involved, and so they would have no special knowledge of this particular occurrence.
The significance of this failure is difficult to understate. The ADIRU is one of the critical flight sensors. The FAA in its report stated “could result in anomalies of the fly-by-wire primary flight control, autopilot, auto-throttle, pilot display, and auto-brake systems, which could result in high pilot workload, deviation from the intended flight path, and possible loss of control of the airplane.” That’s engineer-speak for an aircraft which is flying normally one second then wildly gyrating and breaking up the next.
The problem here is not just a few faulty parts and buggy software. It’s far, far deeper than that. Modern passenger aircraft are all fly-by-wire (FBW). There are many reasons for this including cost (we all want cheap flights) and safety — FBW-controlled aircraft are significantly, measurably safer than aircraft with mechanical controls. However, FBW is complex — it made up of many sub-components, with the failure of any being potentially catastrophic.
This is a deep problem. Mathematicians have had a look at this problem — how do you make a critical decision if it may be based on lies, because that is the problem for the flight control system and ADIRU. Mathematicians call the sort of problem faced by QF72 and MH172 a Byzantine fault. The name comes from the idea of a group of Byzantine generals who have to reach an agreement when some of them may not be telling the truth. The mathematics indicates only partial solutions, and those solutions are resource intensive. Byzantine faults are rare (more frequent than one per billion flight hours), but they tend to bypass all the checks and balances within the systems which are meant to detect faults.
The ATSB may have been wrong about the QF72 incident being unique, but Sandilands is dead right when he says it “has all the hallmarks of becoming a landmark investigation, possibly the most important for airlines world wide of any ever undertaken by the ATSB.”
Crikey is committed to hosting lively discussions. Help us keep the conversation useful, interesting and welcoming. We aim to publish comments quickly in the interest of promoting robust conversation, but we’re a small team and we deploy filters to protect against legal risk. Occasionally your comment may be held up while we review, but we’re working as fast as we can to keep the conversation rolling.
The Crikey comment section is members-only content. Please subscribe to leave a comment.
The Crikey comment section is members-only content. Please login to leave a comment.