In-flight upset - 154 km west of Learmonth, WA, 7 October 2008,

More documents

Recommendations

Info

$a947-1 flexplate fracture forward flexible coupling main rotor drive ...$

FCPC design limitationAOA is a critically important flight parameter, and full-authority flight controlsystems such as those equipping A330/A340 aircraft require accurate AOA data tofunction properly. The aircraft was fitted with three ADIRUs to provide redundancyand enable fault tolerance, and the FCPCs used the three independent AOA valuesto check their consistency. In the usual case, when all three AOA values were validand consistent, the average value of AOA 1 and AOA 2 was used by the FCPCs fortheir computations. If either AOA 1 or AOA 2 significantly deviated from the othertwo values, the FCPCs used a memorised value for 1.2 seconds. The FCPCalgorithm was very effective, but it could not correctly manage a scenario wherethere were multiple spikes in either AOA 1 or AOA 2 that were 1.2 seconds apart.Although there were many injuries on the 7 October 2008 flight, it is very unlikelythat the FCPC design limitation could have been associated with a more adverseoutcome. Accordingly, the occurrence fitted the classification of a ‘hazardous’effect rather than a ‘catastrophic’ effect as described by the relevant certificationrequirements. As the occurrence was the only known case of the design limitationaffecting an aircraft’s flightpath in over 28 million flight hours on A330/A340aircraft, the limitation was within the acceptable probability range defined in thecertification requirements for a hazardous effect.As with other safety-critical systems, the development of the A330/A340 flightcontrol system during 1991 and 1992 had many elements to minimise the risk of adesign error. These included peer reviews, a system safety assessment (SSA), andtesting and simulations to verify and validate the system requirements. None ofthese activities identified the design limitation in the FCPC’s AOA algorithm.The ADIRU failure mode had not been previously encountered, or identified by theADIRU manufacturer in its safety analysis activities. Overall, the design,verification and validation processes used by the aircraft manufacturer did not fullyconsider the potential effects of frequent spikes in data from an ADIRU.ADIRU data-spike failure modeThe data-spike failure mode on the LTN-101 model ADIRU involved intermittentspikes (incorrect values) on air data parameters such as airspeed and AOA beingsent to other systems as valid data without a relevant fault message being displayedto the crew. The inertial reference parameters (such as pitch attitude) containedmore systematic errors as well as data spikes, and the ADIRU generated a faultmessage and flagged the output data as invalid. Once the failure mode started, theADIRU’s abnormal behaviour continued until the unit was shut down. After itspower was cycled (turned OFF and ON), the unit performed normally.There were three known occurrences of the data-spike failure mode. In addition tothe 7 October 2008 occurrence, there was an occurrence on 12 September 2006involving the same ADIRU (serial number 4167) and the same aircraft. The otheroccurrence on 27 December 2008 involved another of the same operator’s A330aircraft (VH-QPG) but a different ADIRU (serial number 4122). However, nofactors related to the operator’s aircraft configuration, operating practices ormaintenance practices were found to be associated with the failure mode.Many of the data spikes were generated when the ADIRU’s central processor unit(CPU) module intermittently combined the data value from one parameter with thelabel for another parameter. The exact mechanism that produced this problem could- xvi -
not be determined. However, the failure mode was probably initiated by a single,rare type of trigger event combined with a marginal susceptibility to that type ofevent within the CPU module’s hardware. The key components of the two affectedunits were very similar, and overall it was considered likely that only a smallnumber of units exhibited a similar susceptibility.Some of the potential triggering events examined by the investigation included asoftware ‘bug’, software corruption, a hardware fault, physical environment factors(such as temperature or vibration), and electromagnetic interference (EMI) fromother aircraft systems, other on-board sources, or external sources (such as a navalcommunication station located near Learmonth). Each of these possibilities wasfound to be unlikely based on multiple sources of evidence. The other potentialtriggering event was a single event effect (SEE) resulting from a high-energyatmospheric particle striking one of the integrated circuits within the CPU module.There was insufficient evidence available to determine if an SEE was involved, butthe investigation identified SEE as an ongoing risk for airborne equipment.The LTN-101 had built-in test equipment (BITE) to detect almost all potentialproblems that could occur with the ADIRU, including potential failure modesidentified by the aircraft manufacturer. However, none of the BITE tests weredesigned to detect the type of problem that occurred with the air data parameters.The failure mode has only been observed three times in over 128 million hours ofunit operation, and the unit met the aircraft manufacturer’s specifications forreliability and undetected failure rates. Without knowing the exact failuremechanism, there was limited potential for the ADIRU manufacturer to redesignunits to prevent the failure mode. However, it will develop a modification to theBITE to improve the probability of detecting the failure mode if it occurs onanother unit.Use of seat beltsAt least 60 of the aircraft’s passengers were seated without their seat belts fastenedat the time of the first pitch-down. Consistent with previous in-flight upsetaccidents, the injury rate, and injury severity, was substantially greater for thosewho were not seated or seated without their seat belts fastened.Passengers are routinely reminded every flight to keep their seat belts fastenedduring flight whenever they are seated, but it appears some passengers routinely donot follow this advice. This investigation provided some insights into the types ofpassengers who may be more likely not to wear seat belts, but it also identified thatthere has been very little research conducted into this topic by the aviation industry.Investigation processThe Australian Transport Safety Bureau investigation covered a range of complexissues, including some that had rarely been considered in depth by previous aviationinvestigations. To do this, the investigation required the expertise and cooperationof several external organisations, including the French Bureau d’Enquêtes etd’Analyses pour la sécurité de l’aviation civile, US National Transportation SafetyBoard, the aircraft and FCPC manufacturer (Airbus), the ADIRU manufacturer(Northrop Grumman Corporation), and the operator.- xvii -
Page 1: ATSB TRANSPORT SAFETY REPORTAviatio
Page 4 and 5: Published by: Australian Transport
Page 6 and 7: 3 FACTUAL INFORMATION: AIR DATA INE
Page 9 and 10: DOCUMENT RETRIEVAL INFORMATIONRepor
Page 11: TERMINOLOGY USED IN THIS REPORTOccu
Page 14 and 15: CSMCSSCVRDADSDCDGACDMCDMUEASAECAMED
Page 16 and 17: RAMRTCASATCOMSAESAOSDSECSEESEUSSASS
Page 20 and 21: - xviii -
Page 22 and 23: associated with a master caution ch
Page 24 and 25: Figure 2: Aircraft track and key ev
Page 26 and 27: The crew decided that they needed t
Page 28 and 29: 1.3 Damage to aircraftThere was sig
Page 30 and 31: • The flight crew provided inputs
Page 32 and 33: exceeding a predefined safe flight
Page 34 and 35: Table 1: Examples of ADIRU flight d
Page 36 and 37: Inertial reference partThe IR part
Page 38 and 39: ADIRS switching controlsIn normal o
Page 40 and 41: Processing by ADIRUs and FCPCsEach
Page 42 and 43: The information presented on the fl
Page 44 and 45: A system could flag its output data
Page 46 and 47: Table 4: Summary of indications for
Page 48 and 49: Figure 17: ECAM engine / warning di
Page 50 and 51: Table 6: Required actions associate
Page 52 and 53: For internal aircraft communication
Page 54 and 55: Table 7: Sequence of events (from t
Page 56 and 57: In summary, the source of most of t
Page 58 and 59: Summary of IR data for the occurren
Page 60 and 61: Figure 22: QAR plot showing oscilla
Page 62 and 63: QAR dataOverall, the QAR recorded 4
Page 64 and 65: Flight crew pitch inputsDuring manu
Page 66 and 67: They provided information for maint
Page 68 and 69:
Table 11: Cockpit effect messages d
Page 70 and 71:
Table 13: Troubleshooting data rela
Page 72 and 73:
position 1 on QPA. Further details
Page 74 and 75:
class 1 fault messages shown in Tab
Page 76 and 77:
If there was a discrepancy between
Page 78 and 79:
1.15 Survival aspectsInformation on
Page 80 and 81:
did not identify any faults. The BI
Page 82 and 83:
Comparison of the three occurrences
Page 84 and 85:
1.17.2 Processes for reporting and
Page 87 and 88:
2 FACTUAL INFORMATION: ELECTRICAL F
Page 89 and 90:
monitored external systems that pro
Page 91 and 92:
Each FCPC used a number of paramete
Page 93 and 94:
AOA computation logicThe FCPC softw
Page 95 and 96:
Figure 29: FCPC processing of sever
Page 97 and 98:
Table 19: Characteristics of elevat
Page 99 and 100:
Simulation of AOA values for the fi
Page 101 and 102:
2.2.2 Review of recorded flight con
Page 103 and 104:
second PRIM 3 FAULT. The role of ma
Page 105 and 106:
The ACJ was built around the princi
Page 107 and 108:
• It stated that the identificati
Page 109 and 110:
The second part of the V-cycle invo
Page 111 and 112:
• Functional requirements. These
Page 113 and 114:
2.4.5 Safety assessment activitiesG
Page 115 and 116:
equipment software and aircraft ins
Page 117 and 118:
2.5.4 Factors associated with the i
Page 119 and 120:
it is very difficult if not impossi
Page 121 and 122:
applicable to highly-integrated or
Page 123 and 124:
Ongoing developmentsA range of rese
Page 125 and 126:
To conduct an effective fault tree
Page 127 and 128:
According to this model, accidents
Page 129 and 130:
3 FACTUAL INFORMATION: AIR DATA INE
Page 131 and 132:
• inertial reference input/output
Page 133 and 134:
3.3 Examination of data-spike patte
Page 135 and 136:
Figure 38: ARINC 429 word for an AO
Page 137 and 138:
3.3.4 Data-spike patterns for the 7
Page 139 and 140:
Figure 43: Qualitative correlation
Page 141 and 142:
etween the values of any of the fou
Page 143 and 144:
3.4.3 Calculating parameter valuesA
Page 145 and 146:
3.4.5 Packaging the ARINC 429 wordT
Page 147 and 148:
3.4.8 Transmitting data to other sy
Page 149 and 150:
ARINC 429 packaging analysisThe ADI
Page 151 and 152:
component configurations of differe
Page 153 and 154:
manufacturer reported such BITE dat
Page 155 and 156:
3.6 Potential trigger types3.6.1 Ba
Page 157 and 158:
such as liquids or small loose frag
Page 159 and 160:
wires). The electric 144 field stre
Page 161 and 162:
Although the investigation could no
Page 163 and 164:
3.6.6 Single event effectsBackgroun
Page 165 and 166:
until a few years ago, were not dir
Page 167 and 168:
Unit testingIn 2005, as part of the
Page 169 and 170:
that involved a NAV IR and/or NAV A
Page 171 and 172:
EMI from other aircraft systems (su
Page 173 and 174:
from ADIRU 1 was not correctly reco
Page 175 and 176:
• Detected failure. Any failure w
Page 177 and 178:
The ADIRU manufacturer’s analysis
Page 179 and 180:
the aircraft and ADIRU manufacturer
Page 181 and 182:
4 FACTUAL INFORMATION: CABIN SAFETY
Page 183 and 184:
Summary details of the cabin crew
Page 185 and 186:
section, and the ninth flight atten
Page 187 and 188:
Table 29: Significant cabin communi
Page 189 and 190:
Figure 48: Example of damage to the
Page 191 and 192:
4.3.2 Seat belt examinationsSix pas
Page 193 and 194:
The flight crew’s procedures requ
Page 195 and 196:
takeoff, landing or when the seat-b
Page 197 and 198:
Table 31: Levels of injuryInjury le
Page 199 and 200:
4.6.4 Injuries to seated occupants
Page 201 and 202:
The percentage of occupants who wer
Page 203 and 204:
Statistical analyses 197 were done
Page 205 and 206:
passengers reported that they had h
Page 207 and 208:
that seat belts should be worn only
Page 209:
4.8.2 Handholds in the cabinThe FAA
Page 212 and 213:
Figure 53: Overview of the 7 Octobe
Page 214 and 215:
process needs to ensure that there
Page 216 and 217:
and determine whether they could le
Page 218 and 219:
useful in this case. If the EFCS sp
Page 220 and 221:
5.3.2 Risk associated with the fail
Page 222 and 223:
• All three events occurred in a
Page 224 and 225:
place. Although aviation manufactur
Page 226 and 227:
equiring cabin crew to enforce the
Page 228 and 229:
With the information available to t
Page 230 and 231:
ADIRU 1 affected the operation of a
Page 233 and 234:
6 FINDINGSFrom the evidence availab
Page 235:
• As of April 2010, the LTN-101 a
Page 238 and 239:
did not illuminate. The new OEB (A3
Page 240 and 241:
modifications were made to its guid
Page 242 and 243:
this advice. At the time of the fir
Page 245 and 246:
APPENDIX A: VERTICAL ACCELERATIONST
Page 247 and 248:
APPENDIX B: FLIGHT RECORDER INFORMA
Page 249 and 250:
APPENDIX C: POST-FLIGHT REPORTThe f
Page 251 and 252:
- 231 -
Page 253 and 254:
- 233 -
Page 255 and 256:
APPENDIX D: OTHER DATA-SPIKE OCCURR
Page 257 and 258:
Occurrence on 27 December 2008Overv
Page 259 and 260:
Figure D2: FDR data for the 27 Dece
Page 261 and 262:
ADIRU informationADIRU 1 was the sa
Page 263 and 264:
APPENDIX E: ADIRU TESTINGTest plan
Page 265 and 266:
Visual inspectionsExternal visual i
Page 267 and 268:
(ADR) output databuses. Loading on
Page 269 and 270:
Unit 4167 passed 2,223 of 2,272 tes
Page 271 and 272:
dwells (sustained testing at a fixe
Page 273 and 274:
APPENDIX F: AIRCRAFT LEVEL TESTINGI
Page 275 and 276:
APPENDIX G: ELECTROMAGNETIC RADIATI
Page 277 and 278:
cannot be ‘decoded’ by the rece
Page 279 and 280:
APPENDIX H: SINGLE EVENT EFFECTSNot
Page 281 and 282:
Factors affecting SEE exposureAn ai
Page 283 and 284:
portions of memory are constantly b
Page 285:
Depending on the form of EDAC, sing
Page 288 and 289:
• crew actions: the passenger’s
Page 290 and 291:
The questionnaire respondents were
Page 292 and 293:
was centred across the passenger’
Page 294 and 295:
Previous occurrencesThe seat belt m
Page 296 and 297:
Australian turbulence eventsThe mos
Page 299 and 300:
APPENDIX L: SEAT BELT USE IN ROAD V
Page 301:
Table L1: Recent seat belt use rate
Page 304 and 305:
US Federal Aviation AdministrationT
Page 307 and 308:
APPENDIX N: SOURCES AND SUBMISSIONS
Page 309 and 310:
Hanson, RJ 1987, Conducted electrom
Page 311 and 312:
Tvaryanas, AP 2003, ‘Epidemiology
Page 313:
In-flight upset - 154 km west of Le
show all

In-flight upset - 154 km west of Learmonth, WA, 7 October 2008,

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?